Make WP_HTTP_BLOCK_EXTERNAL more easy to use

[markoheijnen]

Currently when defining WP_HTTP_BLOCK_EXTERNAL it blocks all requests which would mean that WordPress itself becomes unusable because it then will also blocks it own requests to WordPress.org. Also oEmbeds stop working because they can't get their data.

My idea is to make an if statement like the localhost check to allow those requests. I do get that this constant is mainly for local development but would be great to have a easy way to have a semi locked down installation. So I'm curious what you guys think about this.

[nacin]

Perhaps something like ​https://github.com/norcross/airplane-mode belongs closer to core, but it's not quite related to this constant. This constant isn't designed so much for local development as it is for when WordPress is being run silently inside an intranet. WP_Http::block_request() could maybe benefit from a filter (mainly because WP_ACCESSIBLE_HOSTS is pretty lame) but it WP_ACCESSIBLE_HOSTS does already offer you some kind of control.

[callumbw95]

Hi All,

As there hasn't been much movement on this in the last 11 years I am going to mark this ticket with the close tag. However please feel free to continue the conversation further and remove this tag if there is more conversation to be had here. 😃

[pmbaldha]

The WP_ACCESSIBLE_HOSTS constant in WordPress is used to define a whitelist of hosts that are allowed to be contacted by your WordPress site, especially when the WP_HTTP_BLOCK_EXTERNAL constant is set to true.

define('WP_HTTP_BLOCK_EXTERNAL', true);
define('WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,*.yourdomain.com,external-service.com');

So, your requested feature can be achievable as described above, so I am marking the ticket as invalid and closing it.

If you (@markoheijnen) think that the closing ticket is inappropriate, You can reopen this ticket.