How To: Whitelist and Blacklist External Requests in WordPress

WordPress allows plugins and themes to make HTTP requests to external domains. While this is necessary for many plugins and themes to function properly, it can also pose a security risk if not managed properly.


WordPress uses the WP_HTTP_BLOCK_EXTERNAL constant to block external HTTP requests made by plugins and themes. By default, it’s set to true, which means that all external domains are blocked.

To check if this constant is set to true, you can add the following code to your wp-config.php file:

define('WP_HTTP_BLOCK_EXTERNAL', true);

If you want to allow external domains, you’ll need to set this constant to false. However, we recommend keeping it set to true and using the wp_allowed_hosts filter to allow specific hosts.

Let’s allow specific hosts (domain names)

To allow the Meow Apps domain, you can use the wp_allowed_hosts filter. Here’s an example code snippet that adds to the list of allowed hosts:

add_filter('wp_allowed_hosts', function ($allowed_hosts) {
    $allowed_hosts[] = '';
    return $allowed_hosts;

You can add this code to your theme’s functions.php file or to a custom plugin. This will add to the list of allowed hosts, while still blocking all other external domains.

If you’re using multiple Meow Apps plugins, you don’t need to add multiple filters. Just adding the filter once will allow all Meow Apps plugins to make HTTP requests to

Note that if you’re using other plugins or themes that make HTTP requests to other external domains, you’ll need to add those domains to the wp_allowed_hosts filter as well.