How to enable CORS in WordPress?

BIG linden / Support Docs / How to enable CORS in WordPress?



We are trying to enable Cross-Origin Resource Sharing (CORS) on our WordPress site so we can make use of the third-party content. How do you set up CORS in WordPress? How can I customize the Access-Control-Allow-Headers property for my WordPress API?


The client is looking for information about customizing the Access-Control-Allow-Headers (CORS) property for their WordPress API and needs help setting up cross origin resource sharing, or CORS, on their WordPress website.

How to enable CORS in WordPress?

Setting up CORS in WordPress is not difficult, and can be done in a few simple steps.

You can achieve this by setting up a header CORS function, enabling it using the rest_pre_serve_request filter, and allowing multiple origins if necessary. However, they should thoroughly test whatever policy they use before deploying it on their website in order to avoid any potential issues with functionality or security.

You can easily set whatever CORS policy you want either directly on your server, or via WordPress functions.

Below is a tutorial on how to customize the Access-Control-Allow-Headers property for your WordPress REST API via your theme’s functions.php file:

Be sure to thoroughly test whatever policy you end up using though, so you don’t inadvertently deliver a broken website to the client.

How to enable CORS in WordPress

To set up Cross-Origin Resource Sharing (CORS) on your WordPress website, see below.

Time needed: 3 minutes

There are numerous options to enable CORS, but the easiest approach is to use a basic custom function. Instructions for how to enable CORS in WordPress.

  1. Use a custom function, fastest way to enable CORS in WordPress:

    function add_cors_http_header(){
    header(“Access-Control-Allow-Origin: *”);

    Be sure not to use any combinations of these ( .htaccess, header.php, api.php, functions.php ) as it will cause redirect and/or critical errors.

  2. QA the site

    Be sure to QA client sites on 2 devices, at minimum (multiple networks are preferred).

Developer preferred method for allowing multiple origins

It sounds like your use case is that you want to be able to connect a couple different data sources and enable them to talk to one another, without opening the door to the entire world.

If that’s the case, and you want to Allow Multiple Origins on your CORS policy for the WordPress API, this custom function should do the trick, with no plugins or other tools necessary.

function initCors( $value ) {
  $origin = get_http_origin();
  $allowed_origins = [ 'site1.example.com', 'site2.example.com', 'localhost:3000' ];

  if ( $origin && in_array( $origin, $allowed_origins ) ) {
    header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
    header( 'Access-Control-Allow-Methods: GET' );
    header( 'Access-Control-Allow-Credentials: true' );

  return $value;

This code is a variation of the custom functions offered by Ruben Leija on his blog post ‘How to enable CORS on your WordPress REST API’.

Additional reading

  • This recent support thread about the necessity of CORS policies in the API and potential vulnerabilities
  • Very recent vulnerability submission using JSON and the API; typical cross-origin
  • Read about enabling CORS for Bitnami – probably not a package you’re working with on our network, but still very relevant information on the general topic of enabling CORS for WordPress
  • “CORs in Action” by Monsur Hossain – available from Simon & Schuster. “CORS in Action introduces Cross-Origin Resource Sharing (CORS) from both the server and the client perspective. It starts with the basics: how to make CORS requests and how to implement CORS on the server. It then explores key details such as performance, debugging, and security.”

More articles about WordPress

More articles related to .

Capabilities related to WordPress:

Prevent attacks, regain control of your WordPress website with Enterprise security solutions.
Move your website from Wix to WordPress and get the website you need.


Get a 30 minute 1:1 consult with a BIG consultant and get a 7 page report on making digital work in your organization with key insight into paths for success and playbooks just for your unique needs.

Please understand not all requests can be met. Please contact us with any questions.