[*]
[**]The documentation for wp_remote_post says
[**]In many cases you may be better served with
wp_safe_remote_post
[**]Looking at the source code, the only line that’s different between the two is that wp_safe_remote_post has this:
$args['reject_unsafe_urls'] = true;
[**]This article was the best explanation I found, which seems to indicate that the only time I should use wp_remote_post is when I am making a remote call to my own site.
[**]So is there ever any other situation in which I would want to use wp_remote_post or should I always stick with wp_safe_remote_post?
3 Answers
[*]
[**]So is there ever any other situation in which I would want to use wp_remote_post or should I always stick with wp_safe_remote_post?
[**]The two functions are exactly the same, except wp_safe_remote_post() sets the reject_unsafe_urls argument to true. That argument causes the URL to be passed through wp_http_validate_url() in WP_Http::request().
[**]From that function, we see that there are a few use cases where you would need to use wp_remote_post() instead of wp_safe_remote_post().
- If you are using a protocol that is not http or https.*
- If you need to pass a user or pass in the URL.
- If you are posting to the localhost.**
- If you need to use a port other than 80, 443, or 8080.
[**]It’s also possible to use the http_request_reject_unsafe_urls filter to pass URLs through wp_http_validate_url() in an HTTP request whether wp_safe_remote_post() or wp_remote_post() is called.
[**][*] If reject_unsafe_urls is not set, the URL is still passed though wp_kses_bad_protocol() and the allowed protocols are http, https, and ssl.
[**][**] It’s possible to use wp_safe_remove_post() to the localhost by using the http_request_host_is_external filter and returning a truthy value.