{"id":316640,"date":"2026-05-27T12:02:14","date_gmt":"2026-05-27T12:02:14","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/hwconnector-lite-headless-wp-rest-api-cors\/"},"modified":"2026-05-27T12:00:50","modified_gmt":"2026-05-27T12:00:50","slug":"hwconnector-lite-headless-wp-rest-api-cors","status":"publish","type":"plugin","link":"https:\/\/tl.wordpress.org\/plugins\/hwconnector-lite-headless-wp-rest-api-cors\/","author":23503996,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.1","stable_tag":"1.0.1","tested":"7.0","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"HWConnector Lite \u2013 Headless REST API & CORS","header_author":"Mark Winston","header_description":"Configure ACF REST API, CORS, and custom endpoints for headless WordPress without touching functions.php. Upgrade to Pro for unlimited origins, unlimited post types, and newsletter endpoints.","assets_banners_color":"","last_updated":"2026-05-27 12:00:50","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/winstonmark.gumroad.com\/l\/dchlm","header_author_uri":"https:\/\/winstonmark.gumroad.com","rating":0,"author_block_rating":0,"active_installs":0,"downloads":61,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.1":{"tag":"1.0.1","author":"markmym","date":"2026-05-27 12:00:50"}},"upgrade_notice":{"1.0.1":"<p>Naming and prefix compliance update required for WordPress.org approval.<\/p>"},"ratings":[],"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.1"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"REST API tab \u2014 enable ACF fields in the REST API","2":"CORS tab \u2014 add your allowed frontend origin","3":"Endpoints tab \u2014 configure the contact form endpoint","4":"Security tab \u2014 disable XML-RPC and hide the WordPress version"}},"plugin_section":[],"plugin_tags":[2211,6557,141196,189854,23853],"plugin_category":[59],"plugin_contributors":[264631],"plugin_business_model":[],"class_list":["post-316640","plugin","type-plugin","status-publish","hentry","plugin_tags-acf","plugin_tags-cors","plugin_tags-headless","plugin_tags-headless-wordpress","plugin_tags-rest-api","plugin_category-utilities-and-tools","plugin_contributors-markmym","plugin_committers-markmym"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/hwconnector-lite-headless-wp-rest-api-cors.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"<!--section=description-->\n<p>Every headless WordPress project requires the same setup: expose ACF fields to the REST API, configure CORS headers for your JavaScript frontend, and register a contact form endpoint.<\/p>\n\n<p><strong>HWConnector Lite<\/strong> moves all of that out of functions.php and into a clean, tabbed admin settings page.<\/p>\n\n<h4>Features<\/h4>\n\n<p><strong>REST API Tab<\/strong>\n* Expose ACF custom fields for post, page, and one Custom Post Type to the WordPress REST API\n* No PHP required \u2014 configure through the admin dashboard<\/p>\n\n<p><strong>CORS Tab<\/strong>\n* Add one allowed frontend origin (Next.js, Astro, Nuxt, etc.) through a simple field\n* Correct headers sent for GET, POST, and OPTIONS (preflight) requests\n* Origin-matched headers \u2014 only the requesting origin is echoed back<\/p>\n\n<p><strong>Endpoints Tab<\/strong>\n* <code>POST \/wp-json\/site\/v1\/contact<\/code> \u2014 accepts name, email, message and forwards to your admin email\n* Configurable namespace and send-to email<\/p>\n\n<p><strong>Security Tab<\/strong>\n* Disable XML-RPC with one toggle (default: ON)\n* Hide WordPress version from page source and RSS (default: ON)<\/p>\n\n<h4>Pro Version<\/h4>\n\n<p><a href=\"https:\/\/winstonmark.gumroad.com\/l\/dchlm\">HWConnector Pro<\/a> unlocks:<\/p>\n\n<ul>\n<li>Unlimited CORS origins<\/li>\n<li>Unlimited Custom Post Types in the REST API<\/li>\n<li>Newsletter endpoint \u2014 <code>POST \/wp-json\/site\/v1\/newsletter<\/code> with FluentCRM integration<\/li>\n<\/ul>\n\n<h4>Who it's for<\/h4>\n\n<p>Developers building headless WordPress sites with Next.js, Astro, Nuxt, SvelteKit, or any other JavaScript frontend who want a clean, reusable setup instead of copying functions.php boilerplate on every project.<\/p>\n\n<h4>Requirements<\/h4>\n\n<ul>\n<li>WordPress 5.8+<\/li>\n<li>PHP 7.4+<\/li>\n<li>ACF (Advanced Custom Fields) \u2014 optional, required only for the REST API tab<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>Upload the <code>headless-wp-connector-lite<\/code> folder to <code>\/wp-content\/plugins\/<\/code><\/li>\n<li>Activate the plugin via the <strong>Plugins<\/strong> menu<\/li>\n<li>Go to <strong>Settings \u2192 Headless Connector<\/strong> in your WordPress admin<\/li>\n<li>Configure each tab and save<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20this%20work%20with%20wordpress.com%3F\"><h3>Does this work with WordPress.com?<\/h3><\/dt>\n<dd><p>No. This plugin requires self-hosted WordPress (wordpress.org).<\/p><\/dd>\n<dt id=\"do%20i%20need%20acf%20installed%3F\"><h3>Do I need ACF installed?<\/h3><\/dt>\n<dd><p>Only for the REST API feature. CORS, the contact endpoint, and security work independently.<\/p><\/dd>\n<dt id=\"the%20contact%20form%20endpoint%20isn%27t%20sending%20emails.%20what%20should%20i%20check%3F\"><h3>The contact form endpoint isn't sending emails. What should I check?<\/h3><\/dt>\n<dd><p>WordPress uses <code>wp_mail()<\/code> which relies on your server's mail configuration. On most shared hosts it works out of the box. If not, install an SMTP plugin like WP Mail SMTP and configure it with your mail provider.<\/p><\/dd>\n<dt id=\"cors%20headers%20aren%27t%20being%20sent.%20what%20should%20i%20check%3F\"><h3>CORS headers aren't being sent. What should I check?<\/h3><\/dt>\n<dd><ol>\n<li>Confirm the origin is listed exactly as the browser sends it \u2014 including <code>http:\/\/<\/code> or <code>https:\/\/<\/code>, no trailing slash<\/li>\n<li>Check that no other plugin is adding conflicting <code>Access-Control-Allow-Origin<\/code> headers<\/li>\n<\/ol><\/dd>\n<dt id=\"endpoints%20return%20404.\"><h3>Endpoints return 404.<\/h3><\/dt>\n<dd><p>Go to <strong>Settings \u2192 Permalinks<\/strong> and click <strong>Save Changes<\/strong> to flush WordPress rewrite rules.<\/p><\/dd>\n<dt id=\"do%20i%20need%20to%20know%20php%3F\"><h3>Do I need to know PHP?<\/h3><\/dt>\n<dd><p>No. The plugin handles all the PHP. You configure everything through the admin dashboard.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Renamed plugin to remove trademark term from display name and slug<\/li>\n<li>Updated all function, class, constant, and option prefixes to meet WordPress.org guidelines (hwclite_)<\/li>\n<li>Added self as contributor to readme<\/li>\n<li>Security: added transient-based rate limiting on the contact endpoint (max 5 per IP per 10 minutes)<\/li>\n<li>Security: added input length validation on name (max 100 chars) and message (min 10, max 2000 chars)<\/li>\n<li>Security: added honeypot field to reject automated bot submissions<\/li>\n<li>Security: added explicit CRLF stripping on Reply-To header values as defence-in-depth<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<\/ul>","raw_excerpt":"Configure ACF REST API, CORS, and a contact form endpoint for headless WordPress \u2014 all through the admin dashboard, without touching functions.php.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/tl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/316640","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/tl.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/tl.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=316640"}],"author":[{"embeddable":true,"href":"https:\/\/tl.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/markmym"}],"wp:attachment":[{"href":"https:\/\/tl.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=316640"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/tl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=316640"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/tl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=316640"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/tl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=316640"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/tl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=316640"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/tl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=316640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}