Removes external dependencies and enforces self-hosted resources — keeping your WordPress lean, private, and fast.
Nine targeted optimizations — all toggleable from a single settings page.
Drops the emoji detection JS and CSS WordPress loads by default, saving an extra network request on every page.
Disables WordPress's oEmbed discovery and the wp-embed script to cut external look-ups and tighten content security.
Turns off the XML-RPC endpoint entirely, closing a common attack surface used for brute-force and DDoS amplification.
Strips the default DNS-prefetch hints WordPress emits, preventing silent connections to third-party domains on page load.
Scans and optionally blocks scripts and styles loaded from external domains on the public-facing site.
Applies the same external-resource restrictions to wp-admin, keeping the dashboard free of unwanted third-party calls.
Captures the wp_head output in an output buffer, allowing fine-grained filtering of injected tags before they reach the browser.
Intercepts WordPress's HTTP API and blocks all outbound requests to non-whitelisted domains, enforcing true self-hosting.
Define allowed (whitelist) and blocked (blocklist) domains, URLs, or keywords. Rules apply to scripts, styles, HTML attributes, CSS url(), srcset images, and outbound HTTP requests — all from one settings panel.
Upload the plugin to your WordPress site and activate it from the Plugins screen.
Go to Settings → WP Self-Hosted and toggle each feature on or off to match your needs.
Your site is now free of unnecessary external calls — faster, lighter, and more private.
WP Self-Hosted is free and open-source. If it saves you time or improves your site, consider supporting its continued development.