Articles on: InstaWP Live

Custom Redirects in InstaWP Live

It is possible to modify some per-site request behavior on InstaWP Live (Powered by WP Cloud) via a custom-redirects.php.


Usage



While it is primarily used for custom redirects, custom-redirects.php can modify other behavior as it is prepended to any PHP script that is accessed on a Live site.


To get started, first create a custom-redirects.php file within a site’s htdocs directory. Be sure to include an opening <?php so your code can be executed.


Examples


The following are examples of code snippets that demonstrate common custom-redirects.php uses. Multiple modifications may be used at a time, given that they do not conflict.


Note that custom-redirects.php should be sparingly used, and solutions should be tested thoroughly with page and edge cache in mind.


Basic Page Redirect


if ( $_SERVER['REQUEST_URI'] == '/subdir' ) {
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: /subdir-new');
    exit;
}


Add Security Headers


Note that, as of January 2024, strict-transport-security headers are set automatically and cannot be modified


header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: SAMEORIGIN');
header('Referrer-Policy: no-referrer-when-downgrade');


Site Redirect


if ( $_SERVER['HTTP_HOST'] == 'https://your-domain.site.com' && 
    $_SERVER['REQUEST_URI'] == '/' ) {
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: https://externeral-url.com/news'); 
    exit;
}


Geoblocking by Country Code


In this example, we’ll restrict access via country codes (Alpha-2, ISO 3166-1 country codes via MaxMind). Specifically, this example allows requests from the United States and Canada while also permitting requests from PHP-FPM and CLI.


This is based on https://gist.github.com/JoshuaGoode/f9efd25bb46fe0dc4fe8c9c855fe4479


// Array of allowed country codes
$allowedCountries = ['US', 'CA'];

// Get the current server API
$api = php_sapi_name();
// Bypass geo checks for non-web server APIs
if ($api == 'fpm-fcgi' || $api == 'cli') {
    return; // Early exit for CLI or FPM contexts
}

// Retrieve the country code or default to blocking access
$countryCode = $_SERVER['GEOIP_COUNTRY_CODE'] ?? 'Unknown';  // Using null coalescing operator for clarity

// Block access if the country code is not allowed
if (!in_array($countryCode, $allowedCountries)) {
    header('HTTP/1.1 404 Not Found', true, 404);
    exit;
}


Basic Access Block


if ( strpos($_SERVER['REQUEST_URI'],'{file or folder name here, no curly braces}') !== false ) {
    http_response_code( 410 );
    exit;
}


Limiting Access by IP

,

/**
* The following blocks the sandbox URI to anyone who isn't on a COMPANY_EXAMPLE_1 or COMPANY_EXAMPLE_2 Proxies
* 123.456.789.101 is COMPANY_EXAMPLE_1's Proxy
* 987.654.321.000 is COMPANY_EXAMPLE_2's Proxy
*/

$ips = array('123.456.789.101','987.654.321.000');

if ( strpos($_SERVER['REQUEST_URI'],'/sandbox') !== false ) {
if ( !in_array($_SERVER['REMOTE_ADDR'],$ips) ) {
header('HTTP/1.0 403 Forbidden');
echo '403 Forbidden';
exit;
}
}


Updated on: 17/07/2025

Was this article helpful?

Share your feedback

Cancel

Thank you!