Using WordPress ‘allowed_http_origins’ PHP filter

The allowed_http_origins WordPress PHP filter allows you to change the origin types allowed for HTTP requests.


add_filter('allowed_http_origins', 'your_custom_function');
function your_custom_function($allowed_origins) {
    // your custom code here
    return $allowed_origins;


  • $allowed_origins (string[]): Array of default allowed HTTP origins.
    • stringNon-secure URL for admin origin.
    • stringSecure URL for admin origin.
    • stringNon-secure URL for home origin.
    • stringSecure URL for home origin.

More information

See WordPress Developer Resources: allowed_http_origins


Add a custom allowed origin

Add a custom domain to the list of allowed HTTP origins.

add_filter('allowed_http_origins', 'add_custom_allowed_origin');
function add_custom_allowed_origin($allowed_origins) {
    $allowed_origins[] = '';
    return $allowed_origins;

Allow all origins

Allow all HTTP origins for CORS requests.

add_filter('allowed_http_origins', 'allow_all_origins');
function allow_all_origins($allowed_origins) {
    return '*';

Remove a specific origin

Remove a specific origin from the list of allowed HTTP origins.

add_filter('allowed_http_origins', 'remove_specific_origin');
function remove_specific_origin($allowed_origins) {
    $index = array_search('', $allowed_origins);
    if ($index !== false) {
    return $allowed_origins;

Restrict to specific origins

Restrict allowed HTTP origins to a predefined list.

add_filter('allowed_http_origins', 'restrict_to_specific_origins');
function restrict_to_specific_origins($allowed_origins) {
    return array('', '');

Allow subdomains of the main domain

Allow all subdomains of the main domain as HTTP origins.

add_filter('allowed_http_origins', 'allow_subdomains');
function allow_subdomains($allowed_origins) {
    $main_domain = '';
    $allowed_origins[] = "https://*.{$main_domain}";
    return $allowed_origins;