
What is oEmbed?

February 8, 2026

You paste a YouTube link into a WordPress post, and it magically turns into an embedded video player. No iframes to copy, no HTML to fiddle with, just a plain URL that becomes rich media. That magic is oEmbed, an open protocol that has been baked into WordPress since version 2.9 (2009). It is convenient, mostly invisible, and (depending on your perspective) either a helpful feature or a privacy and security concern you should know about.

How the oEmbed Protocol Works Step by Step

When you paste a URL into the WordPress block editor, WordPress does not just wrap it in an iframe and hope for the best. The process has three distinct steps:

  1. Provider lookup: WordPress checks the URL against a hardcoded list of trusted oEmbed providers (YouTube, Vimeo, Twitter, Spotify, etc.). If the URL matches a known provider, WordPress knows where to ask for the embed code.
  2. API request: WordPress sends an HTTP request to the provider's oEmbed endpoint, passing the URL and the desired embed dimensions. For example, for a YouTube video, it hits something like https://www.youtube.com/oembed?url=...&format=json.
  3. Embed rendering: The provider responds with JSON containing the embed HTML (usually an iframe), a title, a thumbnail URL, and metadata like the author name. WordPress caches this response and renders the embed in your post.

If the URL does not match any known provider, WordPress can also attempt oEmbed discovery: it fetches the target URL and looks for a <link type="application/json+oembed"> tag in the HTML that points to an oEmbed endpoint. This is how lesser-known services can still provide embeds without being on WordPress's whitelist.
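The three consumer-side steps above, as an added illustration in plain PHP (not code from the original page or from WordPress core), run against a constructed sample page and provider reply; example.com and the response values are made up:

```php
<?php
// Added example (not InspectWP's or WordPress core code): the three consumer-side
// steps of the protocol in plain PHP, run against constructed sample HTML and JSON.
// Discovery: find the <link type="application/json+oembed"> tag in a page's HTML.
function find_oembed_endpoint(string $html): ?string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate the sloppy markup real pages have
    $doc->loadHTML($html);
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('link') as $link) {
        if ($link->getAttribute('type') === 'application/json+oembed') {
            return $link->getAttribute('href');
        }
    }
    return null;
}

// API request: the discovered href already carries ?url=...; the consumer adds
// the format and the maximum dimensions it is willing to display.
function build_oembed_request(string $endpoint, array $params): string {
    $parts = parse_url($endpoint);
    parse_str($parts['query'] ?? '', $query);
    return $parts['scheme'] . '://' . $parts['host'] . ($parts['path'] ?? '/')
        . '?' . http_build_query(array_merge($query, $params));
}

// Embed rendering: accept only a well-formed oEmbed 1.0 reply whose type carries
// the fields the spec requires; anything else is rejected instead of rendered.
function parse_oembed_response(string $json): array {
    $data = json_decode($json, true);
    if (!is_array($data) || ($data['version'] ?? '') !== '1.0') {
        throw new InvalidArgumentException('not an oEmbed 1.0 response');
    }
    $required = ['photo' => ['url', 'width', 'height'], 'link' => [],
                 'video' => ['html', 'width', 'height'], 'rich' => ['html', 'width', 'height']];
    $type = $data['type'] ?? '';
    if (!isset($required[$type])) throw new InvalidArgumentException("unknown type '$type'");
    foreach ($required[$type] as $field) {
        if (!isset($data[$field])) throw new InvalidArgumentException("$type reply lacks '$field'");
    }
    return $data;
}
// Constructed sample: a WordPress-style discovery link and a "rich" provider reply.
$page  = '<html><head><link rel="alternate" type="application/json+oembed" href="https://example.com/'
       . 'wp-json/oembed/1.0/embed?url=https%3A%2F%2Fexample.com%2Fhello-world%2F"></head></html>';
$reply = '{"version":"1.0","type":"rich","provider_name":"Example","title":"Hello world!","author_name":'
       . '"admin","html":"<blockquote class=\"wp-embedded-content\">Hello world!</blockquote>","width":600,"height":338}';
$request = build_oembed_request(find_oembed_endpoint($page), ['format' => 'json', 'maxwidth' => 600]);
$data    = parse_oembed_response($reply);
printf("GET %s\n%s embed: %s (author exposed: %s)\n", $request, $data['type'], $data['title'], $data['author_name']);
```

Note that the author name travels in the provider reply, which is exactly the field the information-exposure discussion below is about.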

Supported oEmbed Providers in WordPress

WordPress ships with built-in support for a long list of providers. The most commonly used ones include:

  • Video: YouTube, Vimeo, Dailymotion, VideoPress, TikTok
  • Audio: Spotify, SoundCloud, Mixcloud
  • Social: Twitter/X, Instagram, Reddit, Tumblr, Bluesky
  • Images: Flickr, Imgur, SmugMug
  • Other: WordPress.com posts, Speaker Deck, Crowdsignal, Pocket Casts

Plugins can add additional providers, and WordPress also lets you register custom oEmbed providers via the wp_oembed_add_provider() function.

WordPress as an oEmbed Provider: Discovery and REST API

Here is the part many people miss: WordPress does not just consume oEmbed; it also acts as a provider. By default, every WordPress site exposes an oEmbed endpoint at /wp-json/oembed/1.0/embed and adds a discovery link to every page:

<link rel="alternate" type="application/json+oembed"
      href="https://example.com/wp-json/oembed/1.0/embed?url=..." />

This means other WordPress sites (or any oEmbed-aware application) can embed your posts by simply pasting their URL. The embedded preview includes the post title, an excerpt, the site name, and the author, which brings us to the security and privacy side of things.

oEmbed Security Risks and Privacy Concerns

The oEmbed provider functionality has several aspects worth considering:

  • Information exposure: The oEmbed endpoint returns post titles, excerpts, author display names, and site metadata to anyone who queries it. You do not need to be logged in. This can be a concern if you publish content where the author identity should not be public, or if you want to minimize the information your site exposes.
  • SSRF potential: When WordPress fetches oEmbed data for URLs pasted in the editor, it makes outbound HTTP requests. In theory, a crafted URL could attempt to exploit this for Server-Side Request Forgery, making WordPress request internal resources. WordPress has safeguards against this, but the attack surface exists.
  • Third-party resource loading: Every embedded service loads its own scripts, stylesheets, and tracking mechanisms from external servers. A YouTube embed loads Google's tracking scripts. A Twitter embed loads X's scripts. Each of these creates third-party requests that are relevant for GDPR compliance and can affect page load performance.
  • REST API surface: The oEmbed endpoint is part of WordPress's REST API. If you are trying to minimize your site's publicly accessible API endpoints (a common security hardening step), oEmbed discovery adds to that surface.

How to Disable oEmbed in WordPress

If you do not want other sites to embed your content, or if you want to reduce your site's information exposure, you can disable the provider side without losing the ability to embed external content in your own posts. Add the following to a small plugin or your theme's functions.php:

// Remove the oEmbed discovery links from the HTML head
remove_action('wp_head', 'wp_oembed_add_discovery_links');

// Remove the oEmbed host JavaScript from the frontend
remove_action('wp_head', 'wp_oembed_add_host_js');

// Unregister the oEmbed REST API route (/wp-json/oembed/1.0/embed)
remove_action('rest_api_init', 'wp_oembed_register_route');

If you also want to stop WordPress from turning pasted URLs into embeds on the frontend (e.g., to avoid the outbound oEmbed requests that rendering them triggers), remove the autoembed filter from the content:

// Stop bare URLs in post content from being fetched and rendered as embeds
remove_filter('the_content', array($GLOBALS['wp_embed'], 'autoembed'), 8);

oEmbed and GDPR: Third-Party Content Loading

From a data protection standpoint, oEmbed embeds are essentially third-party content loading. When a visitor views a page with a YouTube embed, their browser makes requests to Google's servers, transferring their IP address, cookies, and browser fingerprint data. Under GDPR, this may require prior consent.

Several WordPress plugins address this by lazy-loading embeds behind a consent click (the visitor sees a placeholder and must click to load the actual embed). This is a common approach in the German-speaking market where GDPR enforcement is particularly strict.
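A minimal version of that click-to-load approach, as an added example (not InspectWP's code or any consent plugin's) built on WordPress core's embed_oembed_html filter; the CSS class name and placeholder wording are made up:

```php
<?php
// Added example (not InspectWP's or any consent plugin's code): a minimal click-to-
// load gate built on WordPress core's embed_oembed_html filter. Class names are made up.

// Replace the provider's markup with a placeholder, keeping the real embed HTML
// escaped in a data attribute so the browser makes no third-party request on load.
add_filter('embed_oembed_html', function ($html, $url) {
    $host = wp_parse_url($url, PHP_URL_HOST);
    return sprintf(
        '<div class="oembed-consent" data-embed="%s">'
        . '<p>Loading this content sends your IP address to %s.</p>'
        . '<button type="button">Load content</button></div>',
        esc_attr($html),
        esc_html($host)
    );
}, 10, 2);

// On click, swap the placeholder for the stored embed; the browser un-escapes the
// attribute when reading dataset.embed, so the original iframe is restored intact.
add_action('wp_footer', function () {
    ?>
    <script>
    document.addEventListener('click', function (event) {
        var box = event.target.closest('.oembed-consent');
        if (box && event.target.tagName === 'BUTTON') {
            box.outerHTML = box.dataset.embed;
        }
    });
    </script>
    <?php
});
```

The third-party request is only made after the click, so the tracking scripts mentioned above never load for visitors who never opt in.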

Check Your oEmbed Configuration with InspectWP

InspectWP checks whether your WordPress site has oEmbed discovery enabled by looking for the oEmbed link tag in your page's HTML. If it is present and you did not intend to expose your content for embedding on other sites, the report gives you a heads-up so you can decide whether to disable it.
