What is WordPress Application Layer?
WordPress Application Layer sits between WordPress and your client applications.
It lets you control what data is exposed, who can access it, how it is shaped, and at what rate, while also hardening key WordPress surfaces such as login and IP access.
Beyond REST API responses, it can also drive your front-end through webhooks. WordPress events (post publish, user register, WooCommerce order, custom CRON...) can push data to your application in real time using the same schema as the REST API.
You can combine both approaches, or rely on webhooks only.
It is designed for:
- Headless WordPress architectures (Next.js, Nuxt, SvelteKit, React, Vue, mobile apps)
- Multi-application setups where multiple clients share one WordPress back-end
- Event-driven architectures fed by webhooks instead of, or alongside, pull-based REST calls
- Any site that needs security hardening across both REST API and WordPress surfaces
Understand the Architecture
The plugin centers on REST API policy and response control, and also includes WordPress-wide protections such as global IP filtering and login hardening. Admin-authenticated requests are forwarded untouched where relevant, so normal WordPress administration workflows remain intact.
REST API request pipeline:

```text
Incoming REST request
             │
             ▼
┌─────────────────────────┐
│ Global IP Filtering     │ ← Shared blocklist: IPs, CIDRs, countries (free + Pro)
└────────────┬────────────┘
             │ blocked → 403
             ▼
┌─────────────────────────┐
│ Application Matching    │ ← Which application owns this request? (Pro)
└────────────┬────────────┘
             │
┌────────────▼────────────┐
│ Authentication Check    │ ← JWT / WP App Passwords
└────────────┬────────────┘
             │
┌────────────▼────────────┐
│ IP / Rate Limiting      │ ← Per-app IP blocks, per-user quotas, GeoIP (Pro)
└────────────┬────────────┘
             │
┌────────────▼────────────┐
│ Routes Policy           │ ← Allowed methods, route-level rules (Pro)
└────────────┬────────────┘
             │
┌────────────▼────────────┐
│ WordPress REST API      │ ← Native WP handler
└────────────┬────────────┘
             │
┌────────────▼────────────┐
│ Property Transforms     │ ← Models: rename, remove, resolve, remap fields
└────────────┬────────────┘
             │
             ▼
       REST Response
```

Alongside this pipeline, webhooks and email notifications run independently of REST requests. Any WordPress event (post transitions, user actions, WooCommerce hooks, custom CRON, REST API hits) can trigger an outbound webhook and/or an email notification, scoped per application in Pro.
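To make the ordering of these stages concrete, here is an added Python model of the request pipeline. It is not code from the plugin: it walks a request through global IP filtering, application matching, authentication, rate limiting, routes policy, the native handler and property transforms, returning the status each stage produces, so you can see that a blocked IP is answered before any credential is looked at and that transforms only run on a successful response. The blocklist, API keys, quota, route rules, field names and the stand-in handler record are all constructed for the demo.

```python
"""Illustrative model of the REST request pipeline (added example, not plugin code).

Stage names follow the pipeline diagram; every policy value below is an
assumption constructed for the demo.
"""
import ipaddress
import time
from dataclasses import dataclass
from typing import Optional

# --- constructed policy (assumed values) ---
GLOBAL_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24"),   # CIDR range (Pro)
                    ipaddress.ip_network("198.51.100.7/32")]  # single IPv4
APPLICATIONS = {"app-web": {"api_key": "demo-key-web"}}       # client applications
ROUTE_POLICY = {"/wp/v2/posts": {"GET"},   # allowed methods per route
                "/wp/v2/users": set()}     # empty set: route disabled (no enumeration)
RATE_LIMIT = (3, 60)                       # 3 requests per 60-second window, per user
MODEL_RULES = {"rename": {"title": "headline"},
               "remove": ["_links", "guid"],
               "remap": {"author": lambda v: {"id": v}}}


@dataclass
class Request:
    ip: str
    app_key: Optional[str]
    user: Optional[str]      # None means no valid credential was presented
    method: str
    route: str


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


# Per-user fixed-window counters; a real deployment backs these with a store.
_windows: dict = {}


def ip_blocked(ip: str) -> bool:
    """Global IP filtering: exact IPs and CIDR ranges share one blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GLOBAL_BLOCKLIST)


def rate_limited(user: str, now: float) -> bool:
    """Fixed-window quota: reset the counter once the window has elapsed."""
    limit, window = RATE_LIMIT
    start, count = _windows.get(user, (now, 0))
    if now - start >= window:
        start, count = now, 0
    count += 1
    _windows[user] = (start, count)
    return count > limit


def transform(record: dict) -> dict:
    """Property transforms: remove, remap, then rename fields of one record."""
    out = {}
    for key, value in record.items():
        if key in MODEL_RULES["remove"]:
            continue
        if key in MODEL_RULES["remap"]:
            value = MODEL_RULES["remap"][key](value)
        out[MODEL_RULES["rename"].get(key, key)] = value
    return out


def wp_handler(req: Request) -> dict:
    """Stand-in for the native WordPress REST handler (constructed record)."""
    return {"id": 1, "title": "Hello", "author": 2, "guid": "...", "_links": {}}


def handle(req: Request, now: Optional[float] = None) -> Response:
    """Run the stages in pipeline order; the first failing stage answers."""
    now = time.time() if now is None else now
    if ip_blocked(req.ip):                                   # 1. global IP filtering
        return Response(403)
    app = next((name for name, cfg in APPLICATIONS.items()
                if cfg["api_key"] == req.app_key), None)
    if app is None:                                          # 2. application matching
        return Response(403)
    if req.user is None:                                     # 3. authentication check
        return Response(401)
    if rate_limited(f"{app}:{req.user}", now):               # 4. rate limiting
        return Response(429)
    allowed = ROUTE_POLICY.get(req.route)                    # 5. routes policy
    if allowed is not None and req.method not in allowed:
        return Response(404 if not allowed else 405)
    return Response(200, transform(wp_handler(req)))         # 6-7. handler + transforms


if __name__ == "__main__":
    ok = Request("192.0.2.10", "demo-key-web", "erin", "GET", "/wp/v2/posts")
    print(handle(ok, now=1000.0))
    print(handle(Request("203.0.113.5", "demo-key-web", "erin", "GET", "/wp/v2/posts")))
```

Routes absent from `ROUTE_POLICY` fall through to the handler untouched, which is the behaviour the plugin description attributes to fine-grained per-route rules: disabling `/wp/v2/users` does not affect an unrelated plugin's routes.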
The flow also works in reverse: incoming webhooks let external services push events into WordPress and trigger automations directly (Pro).
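An added example (not plugin code) of the signed exchange an incoming webhook of this kind relies on, with both sides written out: the external service signs its POST, the receiver recomputes the HMAC over the timestamp and the raw body, compares it in constant time, rejects stale or tampered requests, and only then hands the payload fields to the automation stage. The header names, the `sha256=` prefix, the timestamp binding, the five-minute tolerance and the sample payload are assumptions chosen for the demo; the signature format the plugin itself uses is not described on this page.

```python
"""Signed incoming-webhook exchange, sender and receiver (added example, not plugin code).

Header names, the "sha256=" prefix, the timestamp binding and MAX_SKEW are
assumptions for the demo, not the plugin's documented scheme.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"demo-shared-secret"   # constructed; one secret per incoming webhook entry
MAX_SKEW = 300                          # seconds a signed request stays acceptable


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """MAC over timestamp and raw body, so neither can be altered independently."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def build_request(payload: dict, timestamp: Optional[int] = None) -> dict:
    """Sender side: what the external service POSTs (raw JSON body plus two headers)."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = json.dumps(payload, separators=(",", ":")).encode()
    return {"headers": {"X-Webhook-Timestamp": str(ts),
                        "X-Webhook-Signature": sign(SHARED_SECRET, ts, body)},
            "body": body}


def verify(request: dict, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Receiver side: return the parsed payload when the signature is valid, else None."""
    now = int(time.time()) if now is None else now
    headers = request["headers"]
    try:
        ts = int(headers.get("X-Webhook-Timestamp", ""))
    except ValueError:
        return None                    # missing or malformed timestamp
    if abs(now - ts) > MAX_SKEW:
        return None                    # stale or future-dated: treat as a replay
    expected = sign(secret, ts, request["body"])
    provided = headers.get("X-Webhook-Signature", "")
    if not hmac.compare_digest(expected, provided):   # constant-time comparison
        return None
    return json.loads(request["body"])


def fire_automation(payload: dict) -> str:
    """Stand-in for the automation stage: payload fields drive conditions and actions."""
    if payload.get("event") == "order.paid" and payload.get("amount", 0) >= 100:
        return f"notify-sales:{payload['order_id']}"
    return "ignored"


def receive(request: dict, now: Optional[int] = None) -> str:
    """Incoming Webhook URL handler: verify first, then run the automation."""
    payload = verify(request, SHARED_SECRET, now)
    if payload is None:
        return "rejected"
    return fire_automation(payload)


if __name__ == "__main__":
    # Constructed event from a hypothetical payment service.
    req = build_request({"event": "order.paid", "order_id": "A1", "amount": 250})
    print(receive(req))
    forged = {"headers": req["headers"], "body": req["body"].replace(b"250", b"999")}
    print(receive(forged))
```

Because the MAC covers the timestamp as well as the body, a captured request cannot be re-sent after the tolerance window, and a changed body invalidates the signature even though the headers are unchanged.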
Outbound (push) pipeline:

```text
WordPress Event (post publish, order created, cron, ...)
             │
             ▼
┌─────────────────────────┐
│ Automation / Trigger    │ ← Conditions, chained actions (Pro)
└────────────┬────────────┘
             │
       ┌─────┴──────┐
       ▼            ▼
┌────────────┐ ┌────────────┐
│  Webhook   │ │   Email    │
│  (push)    │ │Notification│
└────────────┘ └────────────┘
```

Incoming (pull) pipeline (Pro):

```text
External Service (Stripe, GitHub, CRM, IoT, ...)
             │ POST + HMAC signature
             ▼
┌─────────────────────────┐
│ Incoming Webhook URL    │ ← Unique endpoint per entry, signature verified
└────────────┬────────────┘
             │ valid → fire automation
             ▼
┌─────────────────────────┐
│ Automation / Trigger    │ ← Payload fields available in conditions & actions
└────────────┬────────────┘
             │
       ┌─────┴──────┐
       ▼            ▼
┌────────────┐ ┌────────────┐
│  Webhook   │ │   Email    │
│  (push)    │ │Notification│
└────────────┘ └────────────┘
```

Explore Free Features
| Feature | Description |
|---|---|
| Authentication | WordPress Application Password (hardened to a single authorized user) and JWT |
| Rate Limiting | Global request quotas with configurable time windows |
| Global IP Filtering | Shared blocklist that runs before application resolution. Manual IPv4 blacklisting. Auto-blacklist from rate limit violations. Read-only GeoIP stats. CIDR ranges and country blocking require Pro |
| Routes | Enforce auth and rate limiting globally. Disable the default /users routes to prevent user enumeration |
| Properties & Models | Apply sitewide response transforms: resolve attachments, terms & authors, flatten rendered fields, remove domain from URLs. Rules apply globally across all routes; individual property control (disable, rename, remap) requires Pro |
| WordPress Security | Disable XML-RPC, comments, RSS. Secure files, security headers |
| Webhook | Single outbound webhook with event triggers |
| Hooks API | Every option exposes a WordPress filter for customisation |
Explore Pro Features
| Feature | Description |
|---|---|
| Applications | Isolate all settings per client: auth, routes, data, webhooks |
| Global IP Filtering (Pro additions) | CIDR range support, country blocking via GeoIP, and configurable retention time on top of the free blocklist |
| Per-App IP Filtering | Application-scoped blocking layered on top of the global check (Pro only; requires Applications) |
| Collections | Enforce per-page limits and drag-and-drop sort order |
| Routes Policy | Per-route method control, user assignment, rate limiting and redirections. Safely disable any route with fine-grained per-application rules (avoids breaking unrelated plugin requests) |
| Properties & Models | Disable, rename or remap any individual property. Remove empty properties to lighten responses. Build fully custom JSON schemas from scratch β map existing fields and add new static ones |
| Automations | Event-driven workflows with conditions and chained actions |
| Multiple Webhooks | Unlimited outbound webhooks, scoped per application. Incoming webhooks let external services trigger automations via a signed endpoint |
| Email Templates | Transactional email templates with SMTP configuration, scoped per application |
| Settings Route | Schema editor for /wp/v2/settings: include ACF options pages and resolved WordPress menus, shaped with per-property control or custom schema |
| Logs | Full request history and audit trail |
Requirements
- WordPress 6.0+
- PHP 7.4+