A customer reported that she was getting an ‘insecure website’ warning. A bit of digging revealed that the ‘malicious content’ that was being identified was actually the WordPress emoji code.

This code appears on every page and surprisingly there’s no easy way to turn it off within WordPress. There is however a plugin that will suppress the unwanted code: Disable Emojis.

Or you can just add the following code to your functions.php file:

function disable_wp_emojicons() {

  // all actions related to emojis
  remove_action( 'admin_print_styles', 'print_emoji_styles' );
  remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
  remove_action( 'admin_print_scripts', 'print_emoji_detection_script' );
  remove_action( 'wp_print_styles', 'print_emoji_styles' );
  remove_filter( 'wp_mail', 'wp_staticize_emoji_for_email' );
  remove_filter( 'the_content_feed', 'wp_staticize_emoji' );
  remove_filter( 'comment_text_rss', 'wp_staticize_emoji' );

  // filter to remove TinyMCE emojis
  add_filter( 'tiny_mce_plugins', 'disable_emojicons_tinymce' );
}
add_action( 'init', 'disable_wp_emojicons' );

function disable_emojicons_tinymce( $plugins ) {
  if ( is_array( $plugins ) ) {
    return array_diff( $plugins, array( 'wpemoji' ) );
  } else {
    return array();
  }
}

  // filter to remove DNS prefetch
add_filter( 'emoji_svg_url', '__return_false' );