How do I use the ‘http_request_host_is_external’ filter

The question:

I’m having a really hard time trying to use the http_request_host_is_external filter. For some background, I’m trying to set up a separate server to handle private plugin and theme updates. The problem is that it’s on a separate server, so the WordPress wp_http_validate_url (wp-includes/http.php) function kills the request. The following are lines 481-503 of that file.

if ( $ip ) {
        $parts = array_map( 'intval', explode( '.', $ip ) );
        if ( '' === $ip
            || ( 10 === $parts[0] )
            || ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] )
            || ( 192 === $parts[0] && 168 === $parts[1] )
        ) {
            // If host appears local, reject unless specifically allowed.
             * Check if HTTP request is external or not.
             * Allows to change and allow external requests for the HTTP request.
             * @since 3.6.0
             * @param bool false Whether HTTP request is external or not.
             * @param string $host IP of the requested host.
             * @param string $url URL of the requested host.
            if ( ! apply_filters( 'http_request_host_is_external', false, $host, $url ) )
                return false;

You’ll notice that there is a comment in there that mentions we should be able to apply the filter and make external requests, but what I’m trying doesn’t seem to work.

    require 'plugin_update_checker.php';
apply_filters( 'http_request_host_is_external', true, "", '' );
$MyUpdateChecker = new PluginUpdateChecker_1_3(

I thought that if I set the filter in my plugin’s main file it would take care of it, but I think the issue is that the external request is happening right in WordPress’s updater, so maybe my filter doesn’t apply?

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

You can do this:

add_filter( 'http_request_host_is_external', '__return_true' );

However, note that this disables this security feature. If you know the host or url isn’t going to change and is always going to be that, you can be more secure by checking for that explicitly:

add_filter( 'http_request_host_is_external', 'allow_my_custom_host', 10, 3 );
function allow_my_custom_host( $allow, $host, $url ) {
  if ( $host == 'my-update-server' )
    $allow = true;
  return $allow;

Method 2

I’m apparently a little rusty. This took care of it for me:

add_filter( 'http_request_host_is_external', function() { return true; });

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Comment