WordPress at Your Fingertips

How to Disable oEmbed in WordPress

To disable oEmbed in WP, you can use the dedicated plugin Disable Embeds, but you can also do it with code. Below, we cover the code approach.

Disable the oEmbed route (the ability for our site to be an oEmbed provider):

By default, WP adds links like these to the HEAD part of the site:

<link rel="alternate" type="application/json+oembed" href="https://example.com/api/oembed/1.0/embed?url=https%3A%2F%2Fexample.com%2Fhandbook%2Fcodex%2Foembed" />
<link rel="alternate" type="text/xml+oembed" href="https://example.com/api/oembed/1.0/embed?url=https%3A%2F%2Fexample.com%2Fhandbook%2Fcodex%2Foembed&format=xml" />

Other sites use them to discover the embedding data for the page.

If you don't need this functionality, you can completely remove it with this code:

add_action( 'init', 'wpkama_disable_embed_route', 99 );

function wpkama_disable_embed_route(){

	// Remove the REST API endpoint.
	remove_action( 'rest_api_init', 'wp_oembed_register_route' );

	// Remove oEmbed discovery links.
	remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );

	// Remove all embeds rewrite rules.
	add_filter( 'rewrite_rules_array', function ( $rules ){

		foreach( $rules as $rule => $rewrite ){
			if( false !== strpos( $rewrite, 'embed=true' ) ){
				unset( $rules[$rule] );
			}
		}

		return $rules;
	} );
}

Completely disable all embeddings in content

Removing these hooks completely disables embedding of links placed on a separate line in the content, as well as the [embed] shortcode.

// Remove [embed] shortcode parser
remove_filter( 'the_content', [ $GLOBALS['wp_embed'], 'run_shortcode' ], 8 );
remove_filter( 'widget_text_content', [ $GLOBALS['wp_embed'], 'run_shortcode' ], 8 );

// Remove embed url parser
remove_filter( 'the_content', [ $GLOBALS['wp_embed'], 'autoembed' ], 8 );
remove_filter( 'widget_text_content', [ $GLOBALS['wp_embed'], 'autoembed' ], 8 );

Disable embeddings for specific URLs (specific providers)

  1. Disable embeddings for internal site links

    We want embedding not to work when a link to the current site is placed on a separate line in a post:

    // Remove filter of the oEmbed result before any HTTP requests are made.
    remove_filter( 'pre_oembed_result', 'wp_filter_pre_oembed_result', 10 );
  2. Disable all unknown providers

    These are providers that are not registered in WP but expose a discovery <link> from which WP can get the embedding code. A link to another WordPress site is one example.

    // Remove the JavaScript that oEmbed iframes use to communicate, on the front-end and back-end.
    remove_action( 'wp_head', 'wp_oembed_add_host_js' );
    
    // Turn off oEmbed auto discovery request for unknown URLs.
    add_filter( 'embed_oembed_discover', '__return_false' );
  3. Disable known providers. To do this, use the function wp_oembed_remove_provider().

    In this case, we will need to specify the link formats for the providers we want to disable.

    add_action( 'init', 'my_remove_oembed_providers', 99 );
    
    function my_remove_oembed_providers(){
    
    	// existing providers
    	// print_r( _wp_oembed_get_object()->providers );
    
    	$remove_formats = [
    		// youtube
    		'#https?://((m|www)\.)?youtube\.com/watch.*#i',
    		'#https?://((m|www)\.)?youtube\.com/playlist.*#i',
    		'#https?://youtu\.be/.*#i'
    	];
    
    	foreach( $remove_formats as $format ){
    		wp_oembed_remove_provider( $format );
    	}
    
    }
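
The list above removes providers one pattern at a time. The inverse approach, keeping only an allowlist of provider endpoints, can be built on the `oembed_providers` filter. This is an added example, not code from the original article; the function name, the constant and the host list are assumptions to adapt.

```php
<?php
// Assumed allowlist: hosts of the oEmbed endpoints you still want to query.
const MY_OEMBED_ALLOWED_HOSTS = [ 'www.youtube.com', 'vimeo.com' ];

/**
 * Keep only providers whose oEmbed endpoint host is on the allowlist.
 *
 * @param array $providers     Map of URL pattern => [ endpoint URL, is_regex ].
 * @param array $allowed_hosts Lowercase endpoint host names to keep.
 * @return array Providers that passed the check.
 */
function my_oembed_allowlist( array $providers, array $allowed_hosts = MY_OEMBED_ALLOWED_HOSTS ) {
	$kept = [];

	foreach ( $providers as $pattern => $data ) {
		// $data[0] is the endpoint WP will request, e.g. https://www.youtube.com/oembed
		$host = parse_url( $data[0], PHP_URL_HOST );

		// Exact host match only: no suffix matching, so look-alike domains are dropped.
		if ( is_string( $host ) && in_array( strtolower( $host ), $allowed_hosts, true ) ) {
			$kept[ $pattern ] = $data;
		}
	}

	return $kept;
}

if ( function_exists( 'add_filter' ) ) {
	// Register at load time: the filter runs once, when WP builds its provider list.
	add_filter( 'oembed_providers', 'my_oembed_allowlist' );

	// An allowlist only holds if discovery for unknown URLs is off as well.
	add_filter( 'embed_oembed_discover', '__return_false' );
}
else {
	// Constructed sample in WP's provider format, for a run outside WordPress.
	$sample = [
		'#https?://((m|www)\.)?youtube\.com/watch.*#i' => [ 'https://www.youtube.com/oembed', true ],
		'#https?://(www\.)?example\.net/clip/.*#i'     => [ 'https://api.example.net/oembed', true ],
	];

	// Only the youtube.com pattern remains.
	print_r( array_keys( my_oembed_allowlist( $sample ) ) );
}
```

Providers registered later with wp_oembed_add_provider(), after WP has built its provider list, do not pass through this filter.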

Mistakes you shouldn't make

Many places on the web suggest the following hook change as a way to disable providers. This should not be done! This hook is needed for security when embedding. It runs at the moment of embedding, so it is better to disable embedding itself than to remove this hook.

// Don't filter (HTML sanitize) oEmbed results.
remove_filter( 'oembed_dataparse', 'wp_filter_oembed_result', 10 );

Read more about Security.
