WordPress rest_url Example: Build REST Endpoint URLs Safely

Last reviewed: May 5, 2026

Hardcoding a REST API base URL looks harmless until the site moves behind a different host, a multisite edge case appears, or a reverse proxy changes how the canonical REST root is resolved. rest_url() is the supported helper for building WordPress REST endpoint URLs without guessing the API base by string concatenation.

This guide shows how to form REST URLs safely and why the returned value should still be escaped for its final output context.

Build the endpoint URL through WordPress

<?php
$endpoint = rest_url( 'vulnwp/v1/reports' );

wp_add_inline_script(
	'vulnwp-dashboard',
	'window.vulnwpApi = ' . wp_json_encode(
		array(
			'reportsEndpoint' => esc_url_raw( $endpoint ),
		)
	) . ';',
	'before'
);

This is safer than stitching together home_url(), /wp-json/, and route fragments manually.

Remember that rest_url() returns an unescaped URL

The code reference explicitly notes that the returned value is not escaped. That means the helper solves canonical URL formation, not output sanitization. Escape it when the final destination is HTML, JSON, or another output channel.

Use route strings, not fully assembled URLs

The function expects a REST path such as vulnwp/v1/reports. If the code already has a full URL in hand and then tries to pass it through rest_url(), it is solving the wrong problem.

Keep API URL generation near the API consumer

When a script, dashboard widget, or headless integration needs the endpoint, generate the route close to that usage point. This keeps the contract easier to read and reduces magic constants hiding elsewhere in the plugin.

Common mistakes

• Manually concatenating the REST base URL. This is fragile across hosting and site configuration changes.
• Skipping output escaping. Canonical formation and output safety are separate steps.
• Passing a full URL instead of a route. The helper expects a REST path.
• Duplicating the same API root logic across files. One clear helper call is easier to maintain.

Production checklist

• Use rest_url() or get_rest_url() instead of string building.
• Escape the returned URL for its final output context.
• Keep route generation close to the code that consumes the endpoint.
• Test the final URL on production-like hosts and proxies.
• Review headless integrations after domain or reverse-proxy changes.

Related reading

Pair this with the wp_localize_script guide when the URL crosses into JavaScript, and with the register_rest_route article when the route itself is being registered.

References and further reading

• WordPress Code Reference: rest_url()
• WordPress Code Reference: get_rest_url()
• WordPress REST API Handbook