Difference Between wp_redirect() and wp_safe_redirect() in WordPress
Table of Contents
- What is wp_redirect()?
- What is wp_safe_redirect()?
- Key Differences Between wp_redirect() and wp_safe_redirect()
- Code Examples
- Important Tips for Using Redirects
- FAQ
What is wp_redirect()?
wp_redirect() is a WordPress function used to send a user to a different URL. It works by sending a location header (like Location: https://example.com) to the browser.
This function is often used when you want to redirect users after form submissions, login actions, or other changes.
Syntax:
wp_redirect( $location, $status );
exit;
- $location is the URL you want the user to go to.
- $status is optional (like 301 for permanent, 302 for temporary).
- Always use exit; after this function to stop the page from loading more code.
Example:
wp_redirect('https://example.com/new-page');
exit;
What is wp_safe_redirect()?
wp_safe_redirect() is a more secure version of wp_redirect(). By default it only allows redirects to internal URLs (within your own domain); any other host has to be permitted through the allowed_redirect_hosts filter. This protects your website from hackers trying to send users to unsafe or malicious sites.
Syntax:
wp_safe_redirect( $location, $status );
exit;
Example:
wp_safe_redirect(home_url('/dashboard'));
exit;
This is helpful when working with redirects that use dynamic links, such as form actions or custom login redirects.
Key Differences Between wp_redirect() and wp_safe_redirect()
| Feature | wp_redirect() | wp_safe_redirect() |
|---|---|---|
| Allows external URLs? | ✅ Yes | ❌ No (only same domain) |
| Security check | ❌ No security validation | ✅ Checks if URL is safe and internal |
| Use case | For internal and external redirects | For internal redirects only |
| Risk | Can be used for phishing or open redirects | Very low, safer for most redirects |
| URL validation method | None by default | Uses wp_validate_redirect() |
| Redirects to subdomains? | ✅ Yes | ✅ Yes (if part of allowed hosts) |
| WordPress filter support | Can use allowed_redirect_hosts to filter | Uses allowed_redirect_hosts by default |
| Plugin and theme safety | Risky if external input is passed unchecked | Recommended for plugins and themes |
| Recommended for user input? | ❌ Not safe without validation | ✅ Safe for redirecting based on user actions |
| Core WordPress usage | Used where flexibility is needed | Used in admin and login redirects for security |
Code Examples
Redirect to another page using wp_redirect()
wp_redirect('https://anotherdomain.com/page');
exit;
Secure redirect using wp_safe_redirect()
wp_safe_redirect(home_url('/thank-you'));
exit;
Important Tips for Using Redirects
- Always include exit; after the redirect function.
- Never pass user input directly into the redirect URL without validating it.
- Avoid redirect loops (A → B → A).
- Use wp_safe_redirect() by default when working within your own domain.
- Only use wp_redirect() for external links you completely trust.
- Use the allowed_redirect_hosts filter to permit external URLs when needed.
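The tips above combined in one form handler, as an added example that is not code from the original article: it shows the risky pattern next to the hardened one for a user-supplied redirect target. It assumes it runs inside a WordPress plugin; the action name myplugin_contact, the function name and the redirect_to field are hypothetical.

```php
<?php
// Added example (not from the original article). Runs inside WordPress.
// "myplugin_contact", myplugin_handle_contact() and the "redirect_to"
// field are hypothetical names chosen for illustration.

// Permit one extra host in addition to the site's own host.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'trusted-site.com';
    return $hosts;
} );

// admin-post.php dispatches to these hooks for logged-out and logged-in users.
add_action( 'admin_post_nopriv_myplugin_contact', 'myplugin_handle_contact' );
add_action( 'admin_post_myplugin_contact', 'myplugin_handle_contact' );

function myplugin_handle_contact() {
    // ... verify the nonce and process the form here ...

    // User-controlled value read from the submitted form.
    $requested = isset( $_POST['redirect_to'] )
        ? trim( wp_unslash( $_POST['redirect_to'] ) )
        : '';

    // Risky form (open redirect): any host the visitor supplies is accepted.
    // wp_redirect( $requested );
    // exit;

    // Hardened form. wp_validate_redirect() returns the requested URL only
    // when its host is the site's own host or one added through
    // allowed_redirect_hosts; otherwise it returns the second argument.
    // An empty value is not replaced by the fallback, so handle it here.
    $fallback = home_url( '/thank-you' );
    $target   = '' !== $requested
        ? wp_validate_redirect( $requested, $fallback )
        : $fallback;

    // wp_safe_redirect() validates again internally, so the redirect stays
    // restricted even if the line above is changed later. Its built-in
    // fallback is the admin URL, which is why the fallback is chosen above.
    wp_safe_redirect( $target, 302 );
    exit; // Stop execution once the Location header has been sent.
}
```

Validating first lets a rejected target land on a page you choose instead of the admin URL that wp_safe_redirect() falls back to on its own.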
FAQ
Is wp_safe_redirect() better than wp_redirect()?
Yes, especially for internal redirects. It adds a safety check to avoid harmful URL redirects.
Can wp_safe_redirect() be used for external links?
No, it blocks external links unless the domain is whitelisted using the allowed_redirect_hosts filter.
Why use exit; after a redirect?
To stop any other code from running after the redirect is sent. Without it, the page may continue processing or show errors.
How to allow external URLs with wp_safe_redirect()?
Use the allowed_redirect_hosts filter in your theme or plugin like this:
add_filter('allowed_redirect_hosts', function($hosts) {
    $hosts[] = 'trusted-site.com';
    return $hosts;
});
What happens if you forget exit; after redirect?
WordPress may keep executing more code or render a broken page.
