This website uses cookies to allow us to see how the site is used. If you continue to use this site, we assume that you are okay with this. If you want to use the sites without cookies, please see our privacy policy.

Allow Cross-Origin API Requests

Web browsers do not allow websites to make cross-origin requests (requests from one domain to another) unless the target website explicitly allows these types of requests.

As a result, if you intend for the REST API on your WordPress site to be publicly available for others to use, you will need to allow cross-origin requests. You can be explicit and only allow requests from a specific domain, or you can allow requests from any domain.

This is how you’d allow it for any external domain:


add_action( 'rest_api_init', function() {
	remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
	add_filter( 'rest_pre_serve_request', function( $value ) {
		header( 'Access-Control-Allow-Origin: *' );
		header( 'Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE' );
		header( 'Access-Control-Allow-Credentials: true' );

		return $value;
}, 12 );

To make this specific to a particular domain, just replace the * with the domain.


A professional WordPress developer for over a decade, Micah has worked on sites for Fortune 100 companies, has released over a dozen WordPress plugins, is a frequent speaker at WordCamps, co-organizes the WordPress Gwinnett meetup, is a co-host on the WP Square One podcast and shares his knowledge by blogging on WordPress development topics. Currently, Micah works at Bluehost as a WordPress contributor.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.