How to Block External Requests in WordPress

A WordPress website can be virtually anything that you want it to be. For some kinds of functionality you might need to tap in to other sites or services as well. For example checking actual prices with a supplier, seeing what the weather is like, etc. While these kinds of interactions can allow you to bring a better experience to your visitors they can also ruin that same experience when they are responding slower than intended.

If these external sources are responding slowly, it might appear that your website is performing slow. But that’s only because it’s waiting for others to respond. While a properly implemented caching mechanism will mostly compensate for this, any uncached page will not have that benefit. In order to quickly diagnose if this is happening to your site you can temporarily block all requests going to outside sources. While it might break things on your end shortly, it will allow you to quickly determine if your website is being held back by the external resources it’s trying to load.

How can you block external requests?

Blocking external requests can be done in different gradations.The easiest of course being to bluntly just block everything. A more subtle way is to allow some hosts while blocking others. 

Blocking all external requests

Both of our gradations revolve around the same WordPress constant: WP_HTTP_BLOCK_EXTERNAL. When we set this to true in our wp-config.php file, all outgoing connections by WordPress will be blocked. This includes connections to wordpress.org, so just setting this will also break plugin updates, core updates, etc. It would be advisable to not just blindly set this constant, but to take the more granular approach. Setting this up would be done by adding the following to your wp-config.php file:

define( ‘WP_HTTP_BLOCK_EXTERNAL’, true );

Partially blocking external requests

After we’ve set the site to block all outgoing requests we can allow for access to certain hosts again. This can be achieved through the WP_ACCESSIBLE_HOSTS constant. The format of the WP_ACCESSIBLE_HOSTS constant is a comma separated list of hostnames to allow, and wildcard domains are supported by it. This would look something like this:

define( 'WP_ACCESSIBLE_HOSTS', '*.wordpress.org,www.some-api.com' ); 

Combining the two

So, whether you’re looking to block all requests, or just blocking certain hosts: now you know how it’s done. By combining the two WordPress constants WP_HTTP_BLOCK_EXTERNAL and WP_ACCESSIBLE_HOSTS you can easily configure on what hosts can be contacted by your site and what should be blocked.