It might not seem like it, but your WordPress website is heavily interconnected with the rest of the world. The average blog constantly makes external calls to services such as social networks, security systems for spam checking, updated lists of IP addresses, and many many more services. Even a completely “bare-bones” WordPress installation connects to external websites. For example, your blog is constantly checking for recent updates both to WordPress itself as well as the various plug-ins and themes.
One of my favorite plug-ins – Jetpack – is intimately connected with external services. Complicated features like related posts for example are processed on a third-party server without using up resources on my local machine. So we can see that a WordPress installation without any outgoing connections to the world at large will be a very sad thing indeed!
However, they can be many instances where you have WordPress installed on your local machine and you want to use it either for development of for teaching purposes without an Internet connection. We’ve talked earlier about how to install WordPress locally using the XAMPP framework. If you’re doing development work on an airplane without Internet access for example, WordPress will constantly be making external calls to third-party services via the Internet. And since these will time out, your installation will run extremely slowly – the opposite of what you expect it to be in fact!
Luckily for us, we have a convenient method to disable outgoing third-party HDTV requests via a simple wp-config.php tweak.
Blocking External Requests
Open up wp-config.php in the root of your WordPress installation, and add the following line below one of the existing “define” statements:
/** Block external requests */ define('WP_HTTP_BLOCK_EXTERNAL', true);
Over here, I’ve added it below the “DB_COLLATE” statement:
Save your changes and reload WordPress. This time, WordPress will not be making any external calls to third parties over the Internet. So for example, if you navigate to the section of your website to add a new plug-in, it simply won’t work.
This is hardly surprising. WordPress makes external calls to its own servers to get the list of plug-ins. Since we’ve disabled its ability to do that, the screen becomes nonfunctional. Other plug-ins like Jetpack stop working as well. Here’s the error message when I try and connect with the modified wp-config.php code:
On the other hand, your local WordPress installation will now be blazing fast!
Allowing Only Certain Requests
Sometimes you have access to the Internet, but you’re sitting behind a firewall that restricts outgoing requests to a specific number of whitelisted domains or IPs. In this scenario, you want to disable all external HTTP requests from WordPress except for a few that you absolutely need. The solution above is a nuclear one – it blocks everything. But there is another constant that lets a few addresses through.
So for example if we want our plug-in section to work as before while still restricting everything else, in addition to the WP_HTTP_BLOCK_EXTERNAL code we added above, open up your wp-config.php file and paste in the following:
/** Let these hosts through */ define('WP_ACCESSIBLE_HOSTS', '*.wordpress.org', '*.wordpress.com');
WP_ACCESSIBLE_HOSTS is followed by a comma separated list of domains that also accepts wildcards. In the example above, I whitelisted all requests made to wordpress.org and wordpress.com. With these two constants defined, my plug-in section now works properly as before:
Unfortunately, doing the same with Jetpack isn’t as simple because we need to whitelist a huge number of ranged IP addresses which I haven’t figured out how to accomplish with WP_ACCESSIBLE_HOSTS. Here are the IP addresses that we need to whitelist for Jetpack:
- The ones at at http://whois.arin.net/rest/org/AUTOM-93/nets
As long as we can’t specify these in wp-config.php, we’ll have to do without the Jetpack plug-in when we use the WP_HTTP_BLOCK_EXTERNAL constant to block external http requests. Other than that, it’s a neat and elegant solution for WordPress installations running without an Internet connection or behind a secure firewall.