Glossary

What is oEmbed?

February 8, 2026

oEmbed is an open protocol that allows websites to display embedded content (videos, images, tweets, etc.) simply by pasting a URL. When you paste a YouTube, Twitter, or Spotify link into the WordPress editor, oEmbed automatically converts it into a rich, interactive embed — no HTML coding required.

How oEmbed Works

The oEmbed process involves three steps:

  1. Discovery — WordPress first checks the URL against its allowlist of known oEmbed providers, which fixes the endpoint it will call. Only if no provider matches (and discovery is enabled) does it fetch the target page itself and look for a <link type="application/json+oembed"> (or text/xml+oembed) tag in the HTML. That fallback is the step where the site fetches an arbitrary, author-supplied URL.
  2. Request — WordPress sends an HTTP request to the provider's oEmbed endpoint, passing the URL and desired dimensions.
  3. Response — The provider returns JSON or XML containing the embed HTML (usually an iframe), title, thumbnail, and metadata.
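The three steps above, carried out on in-memory data as an added example (this is not WordPress code; the page HTML, endpoint URL and provider JSON are constructed for the illustration). It also makes explicit two things the description leaves implicit: the response is validated against the fields the spec requires for its type, and, because a provider reached through discovery is by definition not on any trust list, only a lone https iframe is accepted as embed HTML and a sandbox attribute is added to it:

```python
"""oEmbed consumer flow (discovery, request, response); added example, not
WordPress code. The page HTML and provider response below are constructed."""
import json
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Media types the oEmbed spec allows on discovery <link> tags.
OEMBED_LINK_TYPES = {"application/json+oembed": "json", "text/xml+oembed": "xml"}


class _DiscoveryLinkParser(HTMLParser):
    """Collects (format, href) for every <link type="...+oembed"> in a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        fmt = OEMBED_LINK_TYPES.get(attr.get("type", "").strip().lower())
        if fmt and attr.get("href"):
            self.links.append((fmt, attr["href"]))


def discover(page_html):
    """Step 1: return the JSON endpoint the page advertises (XML as a fallback),
    or None when there is no tag, which is also what a scanner tests for."""
    parser = _DiscoveryLinkParser()
    parser.feed(page_html)
    json_links = [href for fmt, href in parser.links if fmt == "json"]
    return json_links[0] if json_links else (parser.links[0][1] if parser.links else None)


def build_request(endpoint, maxwidth=None):
    """Step 2: keep the advertised url= and add the optional maxwidth hint."""
    parts = urlsplit(endpoint)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    if "url" not in query:
        raise ValueError("discovery href must carry the url= parameter")
    if maxwidth:
        query["maxwidth"] = str(int(maxwidth))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


# Fields the spec requires for each response type, beyond type and version.
REQUIRED_FIELDS = {"photo": ("url", "width", "height"), "video": ("html", "width", "height"),
                   "rich": ("html", "width", "height"), "link": ()}
# Only HTML accepted from a provider found via discovery rather than a
# trusted allowlist: one <iframe> with an https src and nothing else.
SINGLE_IFRAME = re.compile(
    r'^\s*<iframe(?:\s[^>]*)?\ssrc="https://[^"]+"[^>]*>\s*</iframe>\s*$', re.I)


def parse_response(body, trusted_provider=False):
    """Step 3: validate the JSON and sandbox HTML from an untrusted provider.
    Adding sandbox= is this example's choice; the spec leaves it to the consumer."""
    data = json.loads(body)
    if data.get("version") != "1.0":
        raise ValueError("unsupported oEmbed version")
    kind = data.get("type")
    if kind not in REQUIRED_FIELDS:
        raise ValueError(f"unknown oEmbed type {kind!r}")
    missing = [f for f in REQUIRED_FIELDS[kind] if f not in data]
    if missing:
        raise ValueError(f"{kind} response is missing {missing}")
    if "html" in data and not trusted_provider:
        if not SINGLE_IFRAME.match(data["html"]):
            raise ValueError("untrusted provider HTML is not a single https iframe")
        data["html"] = data["html"].replace("<iframe", '<iframe sandbox="allow-scripts"', 1)
    return data


# Constructed sample: the <head> a default WordPress site serves for a post.
SAMPLE_PAGE = """<!doctype html><html><head><title>Hello world!</title>
<link rel="alternate" type="application/json+oembed"
      href="https://example.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fexample.com%2Fhello-world%2F" />
</head><body></body></html>"""

# Constructed sample: what that endpoint returns for the post.
SAMPLE_RESPONSE = json.dumps({
    "version": "1.0", "type": "rich", "provider_name": "Example",
    "provider_url": "https://example.com", "author_name": "Alice",
    "author_url": "https://example.com/author/alice/", "title": "Hello world!",
    "width": 600, "height": 338,
    "html": '<iframe src="https://example.com/hello-world/embed/" width="600" '
            'height="338" title="Hello world! - Example" frameborder="0"></iframe>',
})


def run_flow(page_html, response_body, maxwidth=None):
    """Drive the three steps on in-memory data; None means the page has no tag."""
    endpoint = discover(page_html)
    if endpoint is None:
        return None
    return {"endpoint": endpoint,
            "request_url": build_request(endpoint, maxwidth=maxwidth),
            "embed": parse_response(response_body)}
```

Calling discover() on a page's HTML and testing for None is exactly the check a scanner makes to decide whether a site advertises oEmbed discovery; the rest of the flow is what a consumer does with the answer.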

oEmbed in WordPress

WordPress has built-in oEmbed support for dozens of services, including:

  • YouTube, Vimeo, Dailymotion
  • Twitter/X, TikTok, Instagram
  • Spotify, SoundCloud, Mixcloud
  • Reddit, Tumblr, WordPress.com
  • Flickr, Imgur, SmugMug

WordPress also acts as an oEmbed provider — other WordPress sites can embed one of your published posts by pasting its URL into their editor.

oEmbed Discovery

By default, WordPress adds an oEmbed discovery link to the HTML of every singular post or page view:

<link rel="alternate" type="application/json+oembed"
      href="https://example.com/wp-json/oembed/1.0/embed?url=..." />

This tells other sites: "You can embed this page — here's how to get the embed code." Note that the tag only advertises the endpoint. The /wp-json/oembed/1.0/embed route answers anyone who requests it whether or not the tag is present, so removing the tag on its own hides the feature rather than disabling it.

Security and Privacy Concerns

  • Information disclosure — For any published post, the endpoint returns the title, the author's display name and author archive URL (whose slug is the user's nicename, by default derived from the login name), the site name and home URL, and an iframe-able preview of the content. None of this is secret, but the endpoint makes it trivially enumerable by script.
  • SSRF risk — When an author embeds a URL that matches no allowlisted provider, WordPress fetches that URL to look for a discovery tag and then fetches the endpoint it advertises. Core makes these requests with wp_safe_remote_get(), whose URL validation rejects non-HTTP(S) schemes, non-standard ports, and hosts that resolve to loopback or RFC 1918 private IPv4 ranges, so the residual Server-Side Request Forgery (SSRF) exposure lies mainly in plugins that fetch embed data with their own HTTP calls or relax those checks. Discovery also runs on behalf of logged-in users who can edit posts (including through the authenticated /wp-json/oembed/1.0/proxy route), not anonymous visitors.
  • Third-party data loading — Each embedded service loads its own scripts, cookies, and tracking from external servers — relevant for GDPR compliance.
  • Attack surface — The oEmbed REST routes (the public /embed route and the authenticated /proxy route) add to your site's publicly reachable API surface and are worth covering in any rate limiting or REST API hardening you apply.
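A guard for the outbound fetch, as an added example rather than WordPress's own code (WordPress's equivalent is wp_http_validate_url(), which wp_safe_remote_get() applies). The validator takes an injectable resolver so it runs offline against the constructed DNS table below; the allowed-port set and the hostnames are assumptions. It rejects a name if any address it resolves to is not globally routable, unwraps IPv4-mapped IPv6 literals, and returns a pinned IP so the caller connects to the address that was actually checked:

```python
"""SSRF guard for the outbound fetches oEmbed discovery makes. Added example,
not WordPress code; the DNS table and allowed ports below are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}  # assumption: adjust to your own policy


def system_resolver(host):
    """Resolve host to every A/AAAA address the system returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    """True only for a globally routable unicast address. IPv4-mapped IPv6
    (::ffff:127.0.0.1) is unwrapped so loopback cannot hide in an IPv6 literal."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified
                or not addr.is_global)


def validate_fetch_target(url, resolver=system_resolver):
    """Return (url, pinned_ip) if url may be fetched; raise ValueError otherwise.

    Every address the name resolves to must be public, and the caller should
    connect to pinned_ip (sending Host: <name>) instead of resolving again, so
    a DNS answer that changes between check and use (rebinding) cannot steer
    the request. Run this again on every redirect target, which is equally
    attacker-controlled.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    if host == "localhost" or host.endswith(".localhost"):
        raise ValueError("localhost is not fetchable")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal: skip DNS
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise ValueError(f"{host} does not resolve")
    for ip in addresses:
        if not is_public_address(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return url, addresses[0]


# Constructed DNS table standing in for the system resolver.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.test": ["169.254.169.254"],           # cloud metadata service
    "rebind.test": ["93.184.216.34", "10.0.0.5"],   # mixed answer: one bad address fails all
    "mapped.test": ["::ffff:127.0.0.1"],             # loopback behind an IPv6 literal
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def check(url):
    """True if url passes the guard under the constructed DNS table, else False."""
    try:
        validate_fetch_target(url, fake_resolver)
        return True
    except ValueError:
        return False
```

The mixed-answer case is the one most home-grown guards miss: checking only the first address, or resolving once for the check and again for the connection, is what turns a correct-looking filter into an SSRF bypass.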

Disabling oEmbed Discovery

If you don't want other sites to embed your content, there are two separate things to turn off: the discovery tag in the page head and the REST route it points at. The embed_oembed_discover filter controls something else entirely: it stops this site from probing unknown URLs for oEmbed data (outbound discovery), which shrinks the SSRF surface described above but leaves your own endpoint in place. Add the following to a must-use plugin or your theme's functions.php:

// Remove the <link rel="alternate" type="application/json+oembed"> tags from wp_head
remove_action('wp_head', 'wp_oembed_add_discovery_links');

// Unregister the /wp-json/oembed/1.0/ routes (embed and proxy); without this
// the endpoint still answers direct requests once the tag is gone
remove_action('rest_api_init', 'wp_oembed_register_route');

// Optional: stop this site fetching arbitrary URLs to discover embeds
// (outbound discovery); this does not affect the endpoint above
add_filter('embed_oembed_discover', '__return_false');

After deploying, confirm both halves: the tag should be absent from a post's page source, and a request to /wp-json/oembed/1.0/embed?url=<a post URL> should return a 404 rest_no_route error instead of JSON.

How InspectWP Helps

InspectWP detects whether oEmbed discovery is enabled on your WordPress site by checking for the oEmbed link tag in your page's HTML. If it's enabled and you don't need it, disable it to reduce your site's public information exposure. Bear in mind that the check looks at the tag, not the endpoint: a site that removed only the tag will pass while still serving /wp-json/oembed/1.0/embed, so verify the route directly as well.

Check your WordPress site now

InspectWP analyzes your WordPress site for security issues, SEO problems, GDPR compliance, and performance — for free.

Analyze your site free