Disable External URL Requests

(Ananova News) January 19, 2023.

External URL requests are requests made by your website to external websites or servers. Some functionality, and a better user experience, may depend on other sites or services. While these requests can be useful, they can also present a security risk if they are not properly configured, and they may respond more slowly than intended. If external sources respond slowly, they can affect the website’s performance: the website is held back by the external resources it is trying to load.

To enhance the security of your website, you may want to consider disabling external URL requests.

To disable external URL requests, you will need to edit your website’s wp-config.php file. Insert the following code into the file:

define( 'WP_HTTP_BLOCK_EXTERNAL', true );

  • This will block external URL requests on your website. Requests to localhost and to the site's own host are still allowed by default, and hosts listed in WP_ACCESSIBLE_HOSTS remain reachable.

WordPress core enforces the constant in WP_Http::block_request(), which decides whether a given request URI is blocked:

public function block_request( $uri ) {
	// We don't need to block requests, because nothing is blocked.
	if ( ! defined( 'WP_HTTP_BLOCK_EXTERNAL' ) || ! WP_HTTP_BLOCK_EXTERNAL ) {
		return false;
	}

	$check = parse_url( $uri );
	if ( ! $check ) {
		return true;
	}

	$home = parse_url( get_option( 'siteurl' ) );

	// Don't block requests back to ourselves by default.
	if ( 'localhost' === $check['host'] || ( isset( $home['host'] ) && $home['host'] === $check['host'] ) ) {
		/**
		 * Filters whether to block local HTTP API requests.
		 *
		 * A local request is one to `localhost` or to the same host as the site itself.
		 *
		 * @since 2.8.0
		 *
		 * @param bool $block Whether to block local requests. Default false.
		 */
		return apply_filters( 'block_local_requests', false );
	}

	if ( ! defined( 'WP_ACCESSIBLE_HOSTS' ) ) {
		return true;
	}

	static $accessible_hosts = null;
	static $wildcard_regex   = array();
	if ( null === $accessible_hosts ) {
		$accessible_hosts = preg_split( '|,\s*|', WP_ACCESSIBLE_HOSTS );

		if ( false !== strpos( WP_ACCESSIBLE_HOSTS, '*' ) ) {
			$wildcard_regex = array();
			foreach ( $accessible_hosts as $host ) {
				$wildcard_regex[] = str_replace( '\*', '.+', preg_quote( $host, '/' ) );
			}
			$wildcard_regex = '/^(' . implode( '|', $wildcard_regex ) . ')$/i';
		}
	}

	if ( ! empty( $wildcard_regex ) ) {
		return ! preg_match( $wildcard_regex, $check['host'] );
	} else {
		return ! in_array( $check['host'], $accessible_hosts, true ); // Inverse logic, if it's in the array, then don't block it.
	}
}

Courtesy: https://developer.wordpress.org/reference/classes/wp_http/block_request/
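
The function above also honours a WP_ACCESSIBLE_HOSTS allowlist, so blocking everything without listing the hosts a site depends on will break those calls. As an added example (not from the original article and not WordPress core code), this stand-alone PHP CLI script mirrors the matching logic so a planned allowlist can be checked against the endpoints a site needs before the constants go into wp-config.php. The helper name would_block(), the allowlist, the site host and the URLs are assumptions constructed for illustration.

```php
<?php
// Added example, not WordPress core code: a stand-alone mirror of the allowlist
// decision WP_Http::block_request() makes when WP_HTTP_BLOCK_EXTERNAL is true.
// would_block() is a hypothetical helper name; no WordPress install is needed.

function would_block( string $uri, string $accessible_hosts, string $site_host ): bool {
	$check = parse_url( $uri );
	if ( ! $check || empty( $check['host'] ) ) {
		return true; // Unparseable URIs are blocked; host-less ones are treated the same here.
	}
	$host = $check['host'];

	// Requests to localhost or the site itself pass (block_local_requests defaults to false).
	if ( 'localhost' === $host || $site_host === $host ) {
		return false;
	}
	if ( '' === $accessible_hosts ) {
		return true; // Stands in for "WP_ACCESSIBLE_HOSTS not defined": all external hosts blocked.
	}

	$hosts = preg_split( '|,\s*|', $accessible_hosts );
	if ( false !== strpos( $accessible_hosts, '*' ) ) {
		// One wildcard anywhere switches every entry to anchored, case-insensitive regex matching.
		$parts = array();
		foreach ( $hosts as $h ) {
			$parts[] = str_replace( '\*', '.+', preg_quote( $h, '/' ) );
		}
		return ! preg_match( '/^(' . implode( '|', $parts ) . ')$/i', $host );
	}
	return ! in_array( $host, $hosts, true ); // Without wildcards: exact, case-sensitive comparison.
}

// Constructed sample values: the allowlist planned for wp-config.php and the
// endpoints that core, plugins and themes are expected to call.
$allowlist = 'api.wordpress.org,*.github.com';
$site_host = 'shop.example.com';
$urls      = array(
	'https://api.wordpress.org/core/version-check/1.7/',  // listed exactly
	'https://api.github.com/repos/example/plugin',        // covered by *.github.com
	'https://github.com/example/plugin',                  // apex host: ".+" needs a label before ".github.com"
	'https://downloads.wordpress.org/release/latest.zip', // not listed
	'https://shop.example.com/wp-cron.php',               // the site itself
	'http:///broken',                                     // malformed URI
);

foreach ( $urls as $url ) {
	printf( "%-7s %s\n", would_block( $url, $allowlist, $site_host ) ? 'BLOCK' : 'allow', $url );
}
```

Once every endpoint the site needs reports allow, the same comma-separated string goes into wp-config.php as the value of WP_ACCESSIBLE_HOSTS, next to the WP_HTTP_BLOCK_EXTERNAL line.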

Technical experts always suggest keeping software (theme, plugins, third-party add-ons, and WordPress Core) up to date with the latest fixes. Always use strong and unique logins and passwords to secure accounts. Hence, managed WordPress hosting is always suggested, as the provider monitors website security, takes regular backups, and keeps them up.

Companies like WordPress.com have the expertise to protect hosted websites against cyber attacks, breaches, hacking, malware and vulnerabilities, and phishing, and to handle identity and access management (IAM). They take care of updating WordPress core, themes, plugins, and PHP, disabling external URL requests, and implementing SSL. They keep regular backups, which ensure business continuity. A secured website has a good online reputation, so businesses prioritise security. Every eCommerce store and business website needs protection against cyberattacks, malware, and viruses. Businesses want to protect data and sensitive information, and to preserve website functionality and online reputation, which calls for crucial security measures. Google penalises or blacklists malicious or phishing websites.