MMPlugs Logo

Docs / Remote data sources — JSON, CSV, Google Sheets

Remote data sources — JSON, CSV, Google Sheets

Remote data sources — JSON, CSV, Google Sheets

Static tables are easy. Live data is where Pro starts to earn its keep. Three remote-source modes share the same plumbing.

JSON URL

Point MMTable at a JSON endpoint and it parses the response into rows. Useful for piping live data from any internal or third-party API.

  1. Open Pro features → Data source.
  2. Set type to JSON URL.
  3. Paste the URL.
  4. Optionally set a JSON path (dot-notation) to drill into a nested response, e.g. data.items.
  5. Save.

The response should be an array of objects (one per row) or an array of arrays. Object keys become column values; the first object's keys become headers if you toggle First row is header.

CSV URL

Same flow, but the source is a CSV file at a URL. Common pattern: link to a CSV in cloud storage, GitHub raw, or an internal export endpoint.

Google Sheets

Paste a Google Sheets share URL and MMTable auto-rewrites it to the CSV export endpoint. The sheet needs to be shared as "anyone with the link can view" — Google Sheets returns the CSV without authentication for those.

For private sheets, set up a Google Apps Script that exports to a public CSV URL, or use the JSON URL mode pointing at Google's official Sheets API with an API key embedded in the URL.

Scheduled refresh

For any remote source, you can schedule WordPress to re-fetch on a cron. Refresh schedule options: every 5 minutes, hourly, daily, weekly. The refreshed body is cached as post meta, so each page render reads from the cache rather than hitting the upstream.

Security: SSRF protection

The remote-fetch path validates every URL before it goes to wp_remote_get:

  • Only http and https schemes pass.
  • The hostname is resolved (A and AAAA records) and every returned IP is checked against a deny list that covers private/loopback ranges, link-local, IPv6 loopback, and cloud-metadata endpoints (AWS, GCP, Azure, Oracle, Alibaba).
  • HTTP redirects are NOT followed. If the upstream returns a 3xx, the fetch reports an error — by design. This blocks redirect-based SSRF bypasses.

So pointing the URL at localhost, 10.0.0.x, 169.254.169.254, or a hostname whose DNS resolves to any of those returns "URL resolves to a disallowed address" instead of fetching.

Limits

Response body is capped at 1 MB. Larger responses are rejected to avoid blowing out post meta storage. For larger feeds, page on the upstream end.

Fetch timeout is 15 seconds. Upstream APIs that respond slowly will fail rather than block the page render.