Considerations for self-hosted Elasticsearch setups

If you decided to host Elasticsearch in your own setup, please make sure to read the following considerations.

Public Access

Your Elasticsearch server should not be publicly accessible if you don’t have any kind of authentication method in place. Having that server open to the world means that anyone could delete, change, or hijack your content at any time.

Instant Results

The Instant Results feature relies on direct access to an API providing secure, read-only access only to Elasticsearch data that should be visible to unauthenticated visitors. A PHP Proxy plugin is available on GitHub as a starting point for self-hosted setups, but should not be considered secure or complete for production purposes. In addition, by routing the requests through PHP, there is an inherent increase in latency for results to update that is not present when using’s Instant Results API.


The autosuggest feature requires direct access from the user to your Elasticsearch server, as all requests in that functionality are done via AJAX. Although it may be tempting to simply point the autosuggest feature to your posts’ index directly, don’t do that. It will work but it is a major security risk, especially if you have Protected Content enabled.

For further explanations, check our Autosuggest article.

Managing Authentication

The ElasticPress plugin checks the connection between your website and your Elasticsearch server after all plugins are loaded but before any code from your theme is executed. That said if you need to inject any kind of authentication method in the requests sent to the ES server, that needs to happen in a plugin, rather than in your theme’s functions.php file.