WordPress’s oEmbed system serves two purposes: it lets your site display rich embeds from external services (YouTube, Twitter, etc.) by pasting a URL into the post editor, and it lets other sites embed your content by fetching an oEmbed response from your server. For many sites, the outbound embedding is fine but the inbound side, letting others embed your content, is unnecessary and creates an endpoint that responds to external requests.
This snippet disables oEmbed comprehensively: the endpoint, the discovery links, and the HTTP headers that advertise its existence. It does not disable the ability to paste embed URLs in the editor, that uses a different mechanism.
The Code
Add this to your functions.php or a site-specific plugin. It removes oEmbed at every level where WordPress exposes it.
What Each Part Removes
The two wp_head action removals strip the <link> tags from your page source that tell oEmbed consumers where to find your endpoint and load the oEmbed JavaScript. The rest_api_init removal prevents the /wp-json/oembed/1.0/ REST API endpoint from being registered at all, direct requests to that URL will return 404. The the_content filter removal stops WordPress from automatically converting bare URLs in post content into oEmbed iframes, which is the outbound auto-embed behaviour. The rewrite rule filter removes the query-parameter-based oEmbed endpoint as a belt-and-suspenders measure.
Paste Embeds Still Work
Despite the name, pasting a YouTube URL on its own line in the block editor and having it render as a video player is handled by the block editor’s own embed block, not by the oEmbed discovery system being disabled here. Embed blocks will continue to work normally after applying this snippet.
Flush Rewrite Rules
After adding this snippet, visit Settings → Permalinks and click Save Changes to flush the rewrite rules. This ensures the oEmbed endpoint rewrite rule is removed from the active ruleset. Without flushing, the rule may persist in the cached rewrite rules until the next automatic flush.
add_action( 'init', function() {
// Remove oEmbed-related actions from wp_head
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
remove_action( 'wp_head', 'wp_oembed_add_host_js' );
// Remove the REST API oEmbed endpoint
remove_action( 'rest_api_init', 'wp_oembed_register_route' );
// Remove the oEmbed auto-embed filter for post content
remove_filter( 'the_content', [ $GLOBALS['wp_embed'], 'autoembed' ], 8 );
// Remove the HTTP header oEmbed discovery link
remove_action( 'template_redirect', 'rest_output_link_header', 11 );
// Disable the rewrite rule that creates the /oembed/1.0/embed endpoint
add_filter( 'rewrite_rules_array', function( $rules ) {
foreach ( $rules as $rule => $rewrite ) {
if ( strpos( $rewrite, 'oembed' ) !== false ) {
unset( $rules[ $rule ] );
}
}
return $rules;
} );
} );