Enable CORS
NOTE: The Approach A sections referred to below do not apply to Bitnami native installers. Users of Bitnami native installers should refer only to the Approach B sections.
Cross-Origin Resource Sharing (CORS) is a standard way of accessing resources on one domain from another domain. It is typically used for cross-domain AJAX requests, although other use cases also exist. Learn more about CORS on Wikipedia.
By default, CORS is disabled on the Bitnami WordPress stack. Follow the steps below to enable it.
Approach A: Bitnami installations using system packages
Edit the WordPress configuration file for Apache (installdir/apache2/conf/vhosts/wordpress-vhost.conf) and add the following line inside the Directory directive:
...
<Directory installdir/wordpress>
...
Header set Access-Control-Allow-Origin "*"
...
</Directory>
Enable other methods or headers for other directories (e.g. installdir/wordpress/wp-admin):
...
<Directory installdir/wordpress/wp-admin>
...
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, OPTIONS, POST"
Header set Access-Control-Allow-Headers "origin, x-requested-with, content-type, accept"
...
</Directory>
If the request is an OPTIONS request, the script exits with either access control headers sent, or a 403 response if the origin is not allowed. By default, only the server where the application is hosted is allowed (see installdir/wordpress/wp-includes/http.php). For other request methods, you will receive a return value.
Approach B: Self-contained Bitnami installations
Edit the WordPress configuration file for Apache (installdir/apps/wordpress/conf/httpd-app.conf) and add the following line inside the Directory directive:
...
<Directory installdir/apps/wordpress/htdocs/>
...
Header set Access-Control-Allow-Origin "*"
...
</Directory>
Enable other methods or headers for other directories (e.g. installdir/apps/wordpress/htdocs/wp-admin):
...
<Directory installdir/apps/wordpress/htdocs/wp-admin>
...
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, OPTIONS, POST"
Header set Access-Control-Allow-Headers "origin, x-requested-with, content-type, accept"
...
</Directory>
If the request is an OPTIONS request, the script exits with either access control headers sent, or a 403 response if the origin is not allowed. By default, only the server where the application is hosted is allowed (see installdir/apps/wordpress/htdocs/wp-includes/http.php). For other request methods, you will receive a return value.
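The wildcard value used in both approaches lets any origin read responses from the directory. The following added example (not part of the Bitnami documentation) shows the same headers restricted to an allow-list of origins; it works inside the Directory block of either approach, and app.example.com and static.example.com are placeholder origins chosen for illustration.

```apache
# Added example, not from the Bitnami documentation.
# Weak form shown on this page: every origin may read responses.
#   Header set Access-Control-Allow-Origin "*"
#
# Allow-list form: echo the request's Origin back only on an exact match.
# The two example.com hostnames are placeholders (assumption); replace
# them with the origins that actually need cross-origin access.
<Directory installdir/apps/wordpress/htdocs/wp-admin>
    # mod_setenvif: copy the Origin request header into CORS_ORIGIN only
    # when it is one of the trusted origins. The ^ and $ anchors make this
    # an exact match, so look-alike hostnames are not accepted.
    SetEnvIf Origin "^https://(app|static)\.example\.com$" CORS_ORIGIN=$0

    # mod_headers: emit the CORS headers only when the origin matched.
    # Unlisted origins receive no Access-Control-* headers at all.
    Header set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header set Access-Control-Allow-Methods "GET, OPTIONS, POST" env=CORS_ORIGIN
    Header set Access-Control-Allow-Headers "origin, x-requested-with, content-type, accept" env=CORS_ORIGIN

    # The response now varies with the Origin request header, so shared
    # caches must not reuse one origin's response for another.
    Header merge Vary Origin
</Directory>
```

After restarting Apache, a request carrying a listed Origin header should get that origin echoed back in Access-Control-Allow-Origin, and a request from any other origin should get no such header.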