wp_safe_redirect( string $location, int $status = 302, string $x_redirect_by = ‘WordPress’ ): bool

Performs a safe (local) redirect, using wp_redirect() .

Description

Checks whether the $location is using an allowed host, if it has an absolute path. A plugin can therefore set or remove allowed host(s) to or from the list.

If the host is not allowed, then the redirect defaults to wp-admin on the siteurl instead. This prevents malicious redirects which redirect to another host, but only used in a few places.

Note: wp_safe_redirect() does not exit automatically, and should almost always be followed by a call to exit;:

wp_safe_redirect( $url );
exit;

Exiting can also be selectively manipulated by using wp_safe_redirect() as a conditional in conjunction with the ‘wp_redirect’ and ‘wp_redirect_status’ filters:

if ( wp_safe_redirect( $url ) ) {
    exit;
}

Parameters

$locationstringrequired
The path or URL to redirect to.
$statusintoptional
HTTP response status code to use. Default '302' (Moved Temporarily).

Default:302

$x_redirect_bystringoptional
The application doing the redirect. Default 'WordPress'.

Default:'WordPress'

Return

bool False if the redirect was canceled, true otherwise.

Source

function wp_safe_redirect( $location, $status = 302, $x_redirect_by = 'WordPress' ) {

	// Need to look at the URL the way it will end up in wp_redirect().
	$location = wp_sanitize_redirect( $location );

	/**
	 * Filters the redirect fallback URL for when the provided redirect is not safe (local).
	 *
	 * @since 4.3.0
	 *
	 * @param string $fallback_url The fallback URL to use by default.
	 * @param int    $status       The HTTP response status code to use.
	 */
	$fallback_url = apply_filters( 'wp_safe_redirect_fallback', admin_url(), $status );

	$location = wp_validate_redirect( $location, $fallback_url );

	return wp_redirect( $location, $status, $x_redirect_by );
}

Hooks

apply_filters( ‘wp_safe_redirect_fallback’, string $fallback_url, int $status )

Filters the redirect fallback URL for when the provided redirect is not safe (local).

Changelog

VersionDescription
5.1.0The return value from wp_redirect() is now passed on, and the $x_redirect_by parameter was added.
2.3.0Introduced.

User Contributed Notes

  1. Skip to note 4 content

    As with wp_redirect, unless this is patched to perform this natively in the future, be sure to include nocache_headers(); before the wp_safe_redirect if you want to make sure the visitor’s browser doesn’t cache the redirect page result (can even happen when this is set to use a 302 redirect) which may cause the redirect to happen for longer than desired.

    For example, this can be problematic when used to redirect to a login page when trying to access protected content since the visitor can then log in to find that they’re still taken back to the login page when trying to go back to that page they were trying to go to due to the redirect having been potentially cached by their web browser (again, even with it being a 302 redirect.) Having nocache_headers(); before the redirect prevents this potential issue.

  2. Skip to note 6 content

    Just for imformation wp_safe_redirect or wp_redirect does not work from an ajax call. I think this answer can help others:

    I have used a function to redirect from a JS AJAX call. First, it sets some values to database and then tries to redirect in this way:

    if (wp_safe_redirect( $url))
    
    exit();

    But it just returns same page followed by ‘undefined’.

    I finally solved directly the redirection part in JS:

     window.location.href = url; // keeps page history

    Works also :

      window.location.replace( url ); // cleans page history

You must log in before being able to contribute a note or feedback.