Using WordPress ‘http_origin’ PHP filter

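The http_origin WordPress PHP filter allows you to change the origin of an HTTP request. WordPress applies it in get_http_origin() to the value of the request's Origin header, so whatever the callback returns is the origin that core then checks.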


add_filter('http_origin', 'your_function_name');
function your_function_name($origin) {
    // your custom code here
    return $origin;
}


  • $origin (string) – The original origin for the request.

More information

See WordPress Developer Resources: http_origin


Allow requests from a specific domain

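To change the origin so that requests are allowed from one specific origin:

add_filter('http_origin', 'allow_specific_origin');
function allow_specific_origin($origin) {
    // Placeholder origin; replace with the origin to allow (scheme and host).
    $allowed_origin = 'https://example.com';
    // The request's own origin is discarded: every request is treated as this origin.
    return $allowed_origin;
}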

Allow requests from multiple domains

To allow requests from multiple domains, use an array of allowed origins:

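add_filter('http_origin', 'allow_multiple_origins');
function allow_multiple_origins($origin) {
    // Placeholder origins; replace with the origins to allow.
    $allowed_origins = array('https://example.com', 'https://app.example.com');

    // Strict comparison: the origin must match an entry exactly.
    if (in_array($origin, $allowed_origins, true)) {
        return $origin;
    }
    // Any other origin is blanked, as in the blocking example.
    return '';
}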

Allow requests from all domains

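To allow requests from all domains, return an asterisk (*) as the origin. WordPress's send_origin_headers() also sends Access-Control-Allow-Credentials: true, and browsers do not accept a wildcard Access-Control-Allow-Origin on credentialed requests, so a wildcard only suits public, unauthenticated responses:

add_filter('http_origin', 'allow_all_origins');
function allow_all_origins($origin) {
    return '*';
}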

Block requests from a specific domain

To block requests from a specific domain, check if the origin matches the blocked domain and return an empty string if it does:

add_filter('http_origin', 'block_specific_origin');
function block_specific_origin($origin) {
    // Placeholder origin; replace with the origin to block.
    $blocked_origin = 'https://blocked.example.com';

    if ($origin === $blocked_origin) {
        return '';
    }
    return $origin;
}

Allow requests only from the same domain

To allow requests only from the same domain as your WordPress site, use the get_site_url function to compare the origins:

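add_filter('http_origin', 'allow_same_origin');
function allow_same_origin($origin) {
    // get_site_url() includes any subdirectory path, so this only matches
    // when WordPress is installed at the root of the domain.
    $site_origin = get_site_url(null, '', 'https');

    if ($origin === $site_origin) {
        return $origin;
    }
    return '';
}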
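
A stricter form of the allowlist checks in the multiple-domain and same-domain sections above, as an added example that is not part of the original page or of WordPress core: it reduces the Origin value to scheme, host and port and compares it exactly, so a lookalike host, a different scheme or port, and the literal null origin are all blanked. The demo_ names and the example.com origins are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. The demo_ names and the
// example.com origins are constructed placeholders.
const DEMO_ALLOWED_ORIGINS = array(
    'https://app.example.com',
    'https://admin.example.com:8443',
);

// Reduce an Origin value to scheme://host[:port]; return '' for anything else.
function demo_normalize_origin($origin) {
    $parts = is_string($origin) ? parse_url(trim($origin)) : false;
    if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
        return ''; // empty header, the literal "null" origin, malformed input
    }
    // A browser-sent Origin has no path, query, fragment or userinfo.
    foreach (array('path', 'query', 'fragment', 'user', 'pass') as $extra) {
        if (isset($parts[$extra])) {
            return '';
        }
    }
    $norm = strtolower($parts['scheme']) . '://' . strtolower($parts['host']);
    return isset($parts['port']) ? $norm . ':' . $parts['port'] : $norm;
}

// http_origin callback: pass allowlisted origins through, blank the rest.
function demo_filter_http_origin($origin) {
    $norm = demo_normalize_origin($origin);
    return in_array($norm, DEMO_ALLOWED_ORIGINS, true) ? $norm : '';
}

if (function_exists('add_filter')) {
    // Inside WordPress: register the callback, and add the same origins to the
    // list that is_allowed_http_origin() compares the filtered value against.
    add_filter('http_origin', 'demo_filter_http_origin');
    add_filter('allowed_http_origins', function ($origins) {
        return array_merge($origins, DEMO_ALLOWED_ORIGINS);
    });
} else {
    // Stand-alone run (php file.php): constructed Origin header values.
    $samples = array('https://app.example.com', 'HTTPS://APP.EXAMPLE.COM',
        'http://app.example.com', 'https://admin.example.com',
        'https://app.example.com.other.test', 'https://app.example.com/x', 'null', '');
    foreach ($samples as $sample) {
        printf("%-36s => %s\n", var_export($sample, true),
            var_export(demo_filter_http_origin($sample), true));
    }
}
```

Run outside WordPress, the script prints the filtered result for each constructed sample; loaded from a plugin or theme, it registers the filters instead.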