External requests initiated by a WordPress server should be considered security-sensitive. They may carry sensitive data stored in
the server's files or database. It is important for the administrator of a WordPress server to understand what these requests contain and to which
servers they are sent.
WordPress makes it possible to block external requests by setting the WP_HTTP_BLOCK_EXTERNAL option to true. It is then
possible to authorize requests to only a few servers using another option named WP_ACCESSIBLE_HOSTS.
Ask Yourself Whether
- Your WordPress website contains code which may send requests to servers you don't know.
- Your WordPress website may send sensitive data to other servers.
- Your WordPress website uses a lot of plugins or themes.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- Uninstall WordPress plugins which send requests to servers you don't know.
- Make sure that WP_HTTP_BLOCK_EXTERNAL is defined in wp-config.php.
- Make sure that WP_HTTP_BLOCK_EXTERNAL is set to true.
- Make sure that WP_ACCESSIBLE_HOSTS is configured to authorize requests only to the servers you trust.
Sensitive Code Example
define( 'WP_HTTP_BLOCK_EXTERNAL', false ); // Sensitive
Compliant Solution
define( 'WP_HTTP_BLOCK_EXTERNAL', true );
define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org' );
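The following script is an added example, not code from WordPress core or from the rule above. It reads the two settings out of a wp-config.php fragment and reports, for a list of candidate hosts, whether an outbound request made through the WordPress HTTP API would be blocked. The decision logic approximates WordPress' WP_Http::block_request(): an undefined or false WP_HTTP_BLOCK_EXTERNAL lets every request through; a true value blocks everything except hosts in the comma-separated WP_ACCESSIBLE_HOSTS list, where a "*" wildcard is allowed. The sample configurations and host names are constructed for illustration; the function names are this example's own.

```php
<?php
// Added example (not WordPress core code): audit the WP_HTTP_BLOCK_EXTERNAL /
// WP_ACCESSIBLE_HOSTS settings of a wp-config.php fragment and show which
// candidate hosts an outbound WordPress HTTP API request could still reach.
// Simplification (assumption): the real WP_Http::block_request() also exempts
// localhost and the site's own home host; that exemption is omitted here.

function parse_wp_config(string $config): array
{
    $settings = ['WP_HTTP_BLOCK_EXTERNAL' => null, 'WP_ACCESSIBLE_HOSTS' => null];

    // Match define( 'NAME', value ); where value is true, false or a
    // single-quoted string, as in the examples above.
    $pattern = "/define\\(\\s*'(WP_HTTP_BLOCK_EXTERNAL|WP_ACCESSIBLE_HOSTS)'\\s*,\\s*(true|false|'([^']*)')\\s*\\)/";
    if (preg_match_all($pattern, $config, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            if ($m[2] === 'true') {
                $settings[$m[1]] = true;
            } elseif ($m[2] === 'false') {
                $settings[$m[1]] = false;
            } else {
                $settings[$m[1]] = $m[3];
            }
        }
    }
    return $settings;
}

function accessible_hosts(?string $list): array
{
    if ($list === null || trim($list) === '') {
        return [];
    }
    // WordPress splits the allow list on commas followed by optional whitespace.
    return array_values(array_filter(array_map('trim', preg_split('|,\s*|', $list))));
}

function host_is_allowed(string $host, array $allowed): bool
{
    if ($allowed === []) {
        return false;
    }
    // Build one anchored regex from the allow list; a "*" in an entry becomes
    // ".+", so "*.example.com" matches any subdomain but not "example.com" itself.
    $patterns = array_map(
        fn(string $entry): string => str_replace('\*', '.+', preg_quote($entry, '/')),
        $allowed
    );
    $regex = '/^(' . implode('|', $patterns) . ')$/i';
    return preg_match($regex, $host) === 1;
}

function request_is_blocked(string $host, array $settings): bool
{
    if ($settings['WP_HTTP_BLOCK_EXTERNAL'] !== true) {
        return false; // undefined or false: every external request is sent
    }
    return !host_is_allowed($host, accessible_hosts($settings['WP_ACCESSIBLE_HOSTS']));
}

// Constructed sample configurations; they are not taken from any real server.
$configs = [
    'sensitive' => "define( 'WP_HTTP_BLOCK_EXTERNAL', false );",
    'compliant' => "define( 'WP_HTTP_BLOCK_EXTERNAL', true );\n"
                 . "define( 'WP_ACCESSIBLE_HOSTS', 'api.wordpress.org, *.wordpress.org' );",
];
// Constructed candidate destinations, including one that should never be reached.
$hosts = ['api.wordpress.org', 'downloads.wordpress.org', 'wordpress.org', 'collector.example.net'];

foreach ($configs as $label => $config) {
    $settings = parse_wp_config($config);
    echo "== $label ==\n";
    foreach ($hosts as $host) {
        printf("%-28s %s\n", $host, request_is_blocked($host, $settings) ? 'blocked' : 'allowed');
    }
}
```

With the "compliant" fragment, api.wordpress.org and downloads.wordpress.org are allowed, while wordpress.org (no subdomain, so the wildcard does not apply) and collector.example.net are blocked; with the "sensitive" fragment every host is allowed. One caveat worth keeping in mind when relying on these settings: WP_HTTP_BLOCK_EXTERNAL is enforced by the WordPress HTTP API (wp_remote_get() and related functions), so a plugin that opens its own connection with curl or file_get_contents() is not covered by it, which is why the first practice above, removing plugins that talk to unknown servers, still matters.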
See