Using WordPress ‘http_request_reject_unsafe_urls’ PHP filter

The http_request_reject_unsafe_urls WordPress PHP Filter allows you to control if URLs should be passed through the wp_http_validate_url() function during an HTTP request.

Usage

add_filter('http_request_reject_unsafe_urls', 'your_custom_function', 10, 2);

function your_custom_function($pass_url, $url) {
    // your custom code here
    return $pass_url;
}

Parameters

  • $pass_url (bool): Whether to pass URLs through wp_http_validate_url(). Default is false.
  • $url (string): The request URL.

More information

See WordPress Developer Resources: http_request_reject_unsafe_urls

Examples

Allow all URLs to pass validation

Allow all URLs to bypass the wp_http_validate_url() function.

add_filter('http_request_reject_unsafe_urls', '__return_true');

Block specific domain from passing validation

Prevent URLs from a specific domain from passing the wp_http_validate_url() function.

add_filter('http_request_reject_unsafe_urls', 'block_specific_domain', 10, 2);

function block_specific_domain($pass_url, $url) {
    if (strpos($url, 'baddomain.com') !== false) {
        return true;
    }
    return $pass_url;
}

Allow only HTTPS URLs to pass validation

Only allow URLs with HTTPS protocol to pass the wp_http_validate_url() function.

add_filter('http_request_reject_unsafe_urls', 'allow_only_https', 10, 2);

function allow_only_https($pass_url, $url) {
    if (strpos($url, 'https://') === 0) {
        return false;
    }
    return $pass_url;
}

Allow specific URL paths to pass validation

Allow only specific URL paths to pass the wp_http_validate_url() function.

add_filter('http_request_reject_unsafe_urls', 'allow_specific_url_paths', 10, 2);

function allow_specific_url_paths($pass_url, $url) {
    $allowed_paths = array('/allowed-path-1/', '/allowed-path-2/');
    $parsed_url = parse_url($url);

    if (in_array($parsed_url['path'], $allowed_paths)) {
        return false;
    }
    return $pass_url;
}

Log rejected URLs

Log rejected URLs when they fail the wp_http_validate_url() function.

add_filter('http_request_reject_unsafe_urls', 'log_rejected_urls', 10, 2);

function log_rejected_urls($pass_url, $url) {
    if ($pass_url) {
        error_log('Rejected URL: ' . $url);
    }
    return $pass_url;
}