Hide Embed Scripts

Remove the WordPress oEmbed script library that loads on every page, adding unnecessary HTTP requests and exposing a WordPress-specific endpoint.

WordPress includes an embed system that lets other sites embed your content – and lets you embed third-party content by pasting a URL. To make this work, WordPress loads a JavaScript library on every page and exposes an oEmbed discovery endpoint in your HTML header. Most sites don’t need either. Disabling them removes the script, the endpoint, and another WordPress fingerprint.

What Are WordPress Embed Scripts?

WordPress’s oEmbed system does two things. First, it lets you embed content from other sites (YouTube videos, tweets, Spotify tracks) by pasting a URL into the editor. Second, it makes your own posts embeddable on other WordPress sites by providing an oEmbed endpoint.

To support this, WordPress loads an embed JavaScript file (wp-embed.min.js) on every frontend page and adds a <link> tag in your HTML header pointing to the oEmbed discovery URL. The JavaScript handles the embed preview and interaction. The discovery link tells other WordPress sites where to request embed data for your content.

The embed script URL contains wp-includes in its path, and the oEmbed discovery endpoint uses the REST API (/wp-json/oembed/). Both are WordPress-specific signals. The script itself is typically 3–4 KB, but combined with the HTTP request, DNS resolution, and the discovery endpoint, it adds unnecessary overhead to every page load.

Why You Should Disable Embed Scripts

Embed scripts are a convenience feature that most sites don’t actively use. Here’s why disabling them matters for your hack prevention strategy:

The embed script reveals WordPress file structure. The wp-embed.min.js file loads from /wp-includes/js/, which is a default WordPress directory. Even if you’ve changed the wp-includes path, the script name itself (wp-embed) is a WordPress-specific identifier that scanners recognize.

The oEmbed discovery endpoint exposes the REST API. WordPress adds a <link rel="alternate" type="application/json+oembed"> tag in your page header. This points to your REST API endpoint, revealing your wp-json path. If you’ve already changed and hidden the REST API, this discovery link can still leak the new custom path to anyone checking the page source.

It adds unnecessary page weight. The embed script, its HTTP request, and the associated inline CSS load on every page – including pages that contain no embeds. For most business sites, blogs, and e-commerce stores, the oEmbed system isn’t used at all. Removing it reduces page weight and eliminates one more render-blocking resource.

Your existing embeds still work without it. YouTube videos, tweets, and other embedded content that you’ve already added to your posts use iframe-based embeds that don’t depend on the oEmbed JavaScript library. The library is specifically for the embed preview interaction and for making your content embeddable on other WordPress sites. Disabling it doesn’t remove embedded content from your pages.

How to Disable Embed Scripts with WP Ghost

  1. Go to WP Ghost > Tweaks > Hide Options.
  2. Switch on Hide Embed Scripts.
  3. Click Save to apply.

After saving, open your site in a private browser window and view the page source. Search for wp-embed and oembed – neither the script reference nor the discovery link should appear.
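The same check can be scripted so it runs against saved page source after each change. The following is an added example, not WP Ghost code: it scans HTML for a script whose src contains wp-embed and for oEmbed discovery link tags, matching on the link type so a renamed REST path is still caught. The sample pages, the example.test host and the function name are constructed for illustration.

```python
from html.parser import HTMLParser

# MIME types WordPress uses for its oEmbed discovery <link> tags.
OEMBED_TYPES = {"application/json+oembed", "text/xml+oembed"}


class EmbedFingerprintScanner(HTMLParser):
    """Collects embed-script references and oEmbed discovery links."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and "wp-embed" in a.get("src", ""):
            self.findings.append(("embed-script", a["src"]))
        elif tag == "link":
            rels = a.get("rel", "").lower().split()
            if "alternate" in rels and a.get("type", "").lower() in OEMBED_TYPES:
                # The href reveals the REST API path, even a renamed one.
                self.findings.append(("oembed-discovery", a.get("href", "")))


def find_embed_fingerprints(html):
    """Return (kind, url) pairs for every embed fingerprint in the page."""
    scanner = EmbedFingerprintScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (example.test is a placeholder host).
BEFORE = """<html><head>
<link rel="alternate" type="application/json+oembed"
      href="https://example.test/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fexample.test%2Fhello%2F">
<link rel="alternate" type="text/xml+oembed"
      href="https://example.test/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fexample.test%2Fhello%2F&#038;format=xml">
</head><body>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<script src="https://example.test/wp-includes/js/wp-embed.min.js?ver=0.0"></script>
</body></html>"""

AFTER = """<html><head><title>Hello</title></head><body>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        hits = find_embed_fingerprints(page)
        print(label, "clean" if not hits else hits)
```

The iframe in both sample pages is ignored by the scanner, which matches the point above that existing iframe-based embeds are unaffected.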

Note: If your site heavily relies on embeddable content being shared on other WordPress sites, consider keeping embeds enabled. For most sites, disabling is the better choice. If you want embeds to load but need better performance, consider lazy-loading embedded videos instead of disabling the feature entirely.

Frequently Asked Questions

Will my existing YouTube videos and embedded content break?

No. YouTube videos, tweets, Spotify embeds, and other third-party content already embedded in your posts use iframe-based embeds that work independently of the oEmbed JavaScript library. Disabling the embed script removes the embed preview/interaction layer and the discovery endpoint, but it doesn’t remove or break already-embedded content.

Will other WordPress sites be able to embed my content?

No – and that’s intentional. When you disable embeds, the oEmbed discovery endpoint is removed. Other WordPress sites won’t be able to auto-embed your posts by pasting the URL. If you want your content to be embeddable on other sites, keep embeds enabled. For most sites, this feature isn’t used or needed.

Does this affect the Gutenberg block editor?

The block editor’s embed blocks (YouTube, Twitter, Vimeo, etc.) continue working for adding new embeds to your content. The “Hide Embed Scripts” feature removes the frontend oEmbed library, not the admin editor’s embed functionality. You can still add embedded content in the editor normally.

Does this affect SEO?

No. The oEmbed discovery endpoint and embed JavaScript are not used by search engines for indexing or ranking. Embedded content (like YouTube videos) remains on your pages and continues to be crawled and indexed normally. Removing the embed script can slightly improve page load speed, which is a positive ranking signal.

Does WP Ghost modify WordPress core files?

No. WP Ghost deregisters the embed script and removes the oEmbed discovery link through WordPress hooks at runtime. No files are modified. Disabling the feature restores both the script and the discovery endpoint on the next page load.
