Security
Control who can connect to your WordPress site’s API
Security Settings
This page helps you control which websites can connect to your WordPress API. Think of it like a guest list for your site - you decide who gets in!
What is CORS?
CORS (Cross-Origin Resource Sharing) is like a security guard for your website. It tells web browsers whether pages on other websites are allowed to ask for information from your WordPress site.
Main Settings
Enable CORS
- What it does: Turns on the security check system
- When to use it: Turn this on if other websites need to connect to your WordPress
Allow All Origins
- What it does: Lets ANY website connect to your API
- Warning: Only use this for testing! It’s like leaving your front door open
- For real websites: Turn this OFF and use the Allowed Origins list instead
Managing Allowed Origins
This is where you make your guest list of approved websites.
Adding a New Origin
- Fill in:
  - Website Address (like https://mywebsite.com)
  - Description (like “My Main Website” or “Mobile App Backend”)
- Click Add New Origin
Example Origins
Good examples:
- https://mywebsite.com
- https://app.mycompany.com
- http://localhost:3000 (for testing)
Security Tips
Keep your site safe by following these rules:
- Don’t use “Allow All Origins” on real websites
- Always use complete website addresses
- Double-check your typing
- Remove origins you don’t use anymore
- Use HTTPS whenever possible
Need Help?
If something’s not working:
- Check if CORS is turned on
- Make sure the website address is exactly right
- Look for typing mistakes
- Try testing with a simple request first
- Contact our support team
Remember: Good security is like having a strong front door - you want to know exactly who’s coming in!
Testing Your Settings
After setting up your allowed origins, you can test them like this:
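One way to run this test from a terminal, as an added example that is not from the original page: send a request with an `Origin` header using curl and classify the CORS header that comes back. `SITE_API` is a placeholder for your own API URL, and the sample responses are constructed.

```shell
#!/usr/bin/env bash
# Added example: classify the CORS header a server returned for one Origin.
# Live use (SITE_API is a placeholder for your own API URL):
#   curl -s -o /dev/null -D - -H "Origin: https://mywebsite.com" "$SITE_API" \
#     | cors_verdict "https://mywebsite.com"

cors_verdict() {
  # $1 = the Origin that was sent; the response headers arrive on stdin.
  local origin="$1" acao
  # Header names are case-insensitive and lines end in CRLF, so strip the CR,
  # split each line at its first colon only (the value itself contains colons),
  # and trim whitespace around the value.
  acao=$(tr -d '\r' | awk '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == "access-control-allow-origin") {
      v = substr($0, i + 1)
      sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      print v; exit
    }
  }')
  if [ -z "$acao" ]; then
    echo "blocked"      # no header: browsers will not share the response
  elif [ "$acao" = "*" ]; then
    echo "allow-all"    # "Allow All Origins" is on; turn it off on real sites
  elif [ "$acao" = "$origin" ]; then
    echo "allowed"      # exact match with an entry on the Allowed Origins list
  else
    echo "mismatch"     # header names a different origin (typo, scheme, port)
  fi
}

# Constructed sample responses (not captured from a real site).
sample_allowed() {
  printf 'HTTP/1.1 200 OK\r\naccess-control-allow-origin: https://mywebsite.com\r\n\r\n'
}
sample_blocked() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n'
}

sample_allowed | cors_verdict "https://mywebsite.com"
sample_blocked | cors_verdict "https://not-on-the-list.example"
```

A `blocked` result only means browsers will refuse to share the response with that website; curl itself still receives it, so CORS does not replace authentication on your API.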
If it works from your allowed website, you’re all set! If not, double-check your CORS settings.