---
id: gk-block-mcp-media-sideload-blocked-ranges
title: "Filter - gk/block-mcp/media/sideload-blocked-ranges"
sidebar_label: "gk/block-mcp/media/sideload-blocked-ranges"
tags:
  - "2.0.0"
---

# Filter: gk/block-mcp/media/sideload-blocked-ranges

Adjust which IPv4 ranges are off-limits when sideloading from a URL.

Before fetching any remote image, the plugin resolves the host and refuses private, loopback, link-local, and other reserved IPv4 ranges — that's the SSRF guard that stops an agent from being tricked into reading your internal network or cloud metadata endpoint. Use this filter to lock things down even harder by adding a corporate CIDR you never want fetched, or — carefully — to allow a specific internal range you trust (for example, an on-LAN media server). Each entry is a `[start, end]` pair of dotted-quad strings.

## Parameters

| Name | Type | Description |
|------|------|-------------|
| $v4_ranges | `array<int,array\{0:>` | Blocked IPv4 ranges as [start, end] dotted-quad pairs. |

## Example

// Also block your office network from URL sideloads.

```php
add_filter( 'gk/block-mcp/media/sideload-blocked-ranges', function ( $ranges ) {
    $ranges[] = array( '203.0.113.0', '203.0.113.255' );
    return $ranges;
} );
```

### Since

- [2.0.0](../../since/2-0-0/)

### Source

Defined in `wordpress-plugin/gk-block-api/includes/class-media-manager.php` at line 569