WordPress, including its plugins and sometimes also the site theme – all together often creates external requests to various endpoints which results in a decreased performance while working in the WordPress admin interface. The main problem with these requests is that they are not happening in the background, but along with the page load, especially in the WordPress admin dashboard and the plugins section.
Top reasons why WordPress needs to connect to external resources involve:
- Checking for updates
- Plugins and themes “calling home” for telemetry purposes
- Content analysis by using third party APIs
- Other tasks which involve connecting to third party APIs
Official method: Block the external requests with a PHP constant
Officially there is an easy way how to deal with this problem. You just need to add this PHP constant to your WordPress configuration file:
#Blocks external requests from your WordPress site
define('WP_HTTP_BLOCK_EXTERNAL', true);
but DO NOT USE this solution just yet, because it will block each and every request to external resources which could easily disrupt functionality of your site plugins or theme you’re using.
A bit smarter approach is to add WP_HTTP_BLOCK_EXTERNAL along with the WP_ACCESSIBLE_HOSTS constant in the WordPress configuration file. In the WP_ACCESSIBLE_HOSTS you can define exclusions by adding a list of hostnames which you want to exclude from blocking.
#Blocks external requests from your WordPress site
define('WP_HTTP_BLOCK_EXTERNAL', true);
#Excludes requests with specific hostnames from being blocked
define('WP_ACCESSIBLE_HOSTS ', '*.wordpress.org', 'misc.optimizingmatters.com', 'rankmath.com');
Still that is not a satisfying solution because there may be situations when you need to allow only a few specific requests while blocking other from the same hostname. Read on to find about the recommended approach – blocking external requests by URL filtering.
Recommended method: Block the external requests with URL filtering
Method which I recommend for blocking external requests is by using a “pre_http_request” filter, with which you can filter out individual requests by looking at url patterns. Sample code you see below can be used to block the unneeded requests for both – development and production environments. DISALLOW_FILE_MODS constant is used to determine the production environment, since on it you certainly want to disallow any file modifications. However you may need to adjust this code for your individual needs.
To use this code snippet, just place it in your theme functions.php file or add it as a must-use plugin.
add_filter( 'pre_http_request', 'ltv_pre_http_request_block', 10, 3 );
function ltv_pre_http_request_block( $preempt, $args, $url ) {
$block_list = [];
//Blocks Visual Composer plugin from checking the updates
$block_list[] = 'updates.wpbakery.com';
//Blocks WordPress from getting the information about themes
$block_list[] = 'https://api.wordpress.org/themes/info/';
//Blocks external requests to WooCommerce APIs
$block_list[] = 'https://woo.com/wc-api/';
$block_list[] = 'https://woocommerce.com/wp-json/wccom/';
$block_list[] = 'https://public-api.wordpress.com/wpcom/v2/wcpay/incentives';
//Blocks Advanced Custom Fields from checking the updates
$block_list[] = 'https://connect.advancedcustomfields.com/v2/plugins/update-check';
$block_list[] = 'https://connect.advancedcustomfields.com/v2/plugins/get-info';
//Blocks requests to Freemius API
$block_list[] = 'https://api.freemius.com/v1/plugins/10461/addons/pricing.json';
//BLOCKS ADDITIONAL REQUESTS IN PRODUCTION ENVIRONMENT
if (defined('DISALLOW_FILE_MODS') && !empty(DISALLOW_FILE_MODS)) {
$block_list_dfm = [];
//Blocks various requests to WordPress API
$block_list_dfm[] = 'https://api.wordpress.org/core/version-check/';
$block_list_dfm[] = 'https://api.wordpress.org/core/browse-happy/';
$block_list_dfm[] = 'https://api.wordpress.org/core/serve-happy/';
$block_list_dfm[] = 'https://api.wordpress.org/plugins/info/';
$block_list_dfm[] = 'https://api.wordpress.org/plugins/update-check/';
//Blocks various requests to Rank Math API
$block_list_dfm[] = 'https://rankmath.com/wp-json/rankmath/v1/updateCheck2/';
$block_list_dfm[] = 'https://rankmath.com/wp-json/rankmath/v1/versionCheck/';
$block_list_dfm[] = 'https://rankmath.com/wp-json/wp/v2/posts';
//Blocks external requests made by Autoptimize plugin
$block_list_dfm[] = 'http://feeds.feedburner.com/OptimizingMattersDownloads';
$block_list_dfm[] = 'https://misc.optimizingmatters.com/autoptimize_news.html';
$block_list_dfm[] = 'https://misc.optimizingmatters.com/autoptimize_ccss_explain';
$block_list_dfm[] = 'https://misc.optimizingmatters.com/api/autoptimize_service_availablity.json';
$block_list_dfm[] = 'http://feeds.feedburner.com/futtta_autoptimize';
$block_list = array_merge($block_list, $block_list_dfm);
}
foreach($block_list as $b) {
if ( strpos( $url, $b ) !== false ) {
return new WP_Error( 'http_request_block', 'This request is blocked by site administrator' );
}
}
return $preempt;
}
Additional tweaks
While this technically is not a request blocking, these tweaks may help you to achieve additional performance improvements. To use this code snippet, just place it in your theme functions.php file or add it as a must-use plugin.
//Prevent theme update check
remove_action('admin_init', '_maybe_update_themes');
remove_action('load-themes.php', 'wp_update_themes');
//Prevent retrieve translations
add_filter('translations_api', '__return_true');
//BLOCKS ADDITIONAL STUFF IN THE PRODUCTION ENVIRONMENT
if (defined('DISALLOW_FILE_MODS') && !empty(DISALLOW_FILE_MODS)) {
//Prevents from calling wp_version_check
remove_action('admin_init', '_maybe_update_core');
//Prevent plugin update check
remove_action('load-plugins.php', 'wp_update_plugins');
remove_action('admin_init', '_maybe_update_plugins');
}
//Disable rest test call on Site Health page
add_filter( 'site_status_tests', function( $tests ) {
unset( $tests['direct']['rest_availability'] );
return $tests;
} );