Description
Every headless WordPress project requires the same setup: expose ACF fields to the REST API, configure CORS headers for your JavaScript frontend, and register a contact form endpoint.
HWConnector Lite moves all of that out of functions.php and into a clean, tabbed admin settings page.
Features
REST API Tab
* Expose ACF custom fields for post, page, and one Custom Post Type to the WordPress REST API
* No PHP required — configure through the admin dashboard
CORS Tab
* Add one allowed frontend origin (Next.js, Astro, Nuxt, etc.) through a simple field
* Correct headers sent for GET, POST, and OPTIONS (preflight) requests
* Origin-matched headers — only the requesting origin is echoed back
Endpoints Tab
* POST /wp-json/site/v1/contact — accepts name, email, message and forwards to your admin email
* Configurable namespace and send-to email
Security Tab
* Disable XML-RPC with one toggle (default: ON)
* Hide WordPress version from page source and RSS (default: ON)
Pro Version
HWConnector Pro unlocks:
- Unlimited CORS origins
- Unlimited Custom Post Types in the REST API
- Newsletter endpoint —
POST /wp-json/site/v1/newsletterwith FluentCRM integration
Who it’s for
Developers building headless WordPress sites with Next.js, Astro, Nuxt, SvelteKit, or any other JavaScript frontend who want a clean, reusable setup instead of copying functions.php boilerplate on every project.
Requirements
- WordPress 5.8+
- PHP 7.4+
- ACF (Advanced Custom Fields) — optional, required only for the REST API tab
Installation
- Upload the
headless-wp-connector-litefolder to/wp-content/plugins/ - Activate the plugin via the Plugins menu
- Go to Settings Headless Connector in your WordPress admin
- Configure each tab and save
FAQ
-
Does this work with WordPress.com?
-
No. This plugin requires self-hosted WordPress (wordpress.org).
-
Do I need ACF installed?
-
Only for the REST API feature. CORS, the contact endpoint, and security work independently.
-
The contact form endpoint isn’t sending emails. What should I check?
-
WordPress uses
wp_mail()which relies on your server’s mail configuration. On most shared hosts it works out of the box. If not, install an SMTP plugin like WP Mail SMTP and configure it with your mail provider. -
CORS headers aren’t being sent. What should I check?
-
- Confirm the origin is listed exactly as the browser sends it — including
http://orhttps://, no trailing slash - Check that no other plugin is adding conflicting
Access-Control-Allow-Originheaders
- Confirm the origin is listed exactly as the browser sends it — including
-
Endpoints return 404.
-
Go to Settings Permalinks and click Save Changes to flush WordPress rewrite rules.
-
Do I need to know PHP?
-
No. The plugin handles all the PHP. You configure everything through the admin dashboard.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“HWConnector Lite – Headless REST API & CORS” is open source software. The following people have contributed to this plugin.
Contributors
Translate “HWConnector Lite – Headless REST API & CORS” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.0.1
- Renamed plugin to remove trademark term from display name and slug
- Updated all function, class, constant, and option prefixes to meet WordPress.org guidelines (hwclite_)
- Added self as contributor to readme
- Security: added transient-based rate limiting on the contact endpoint (max 5 per IP per 10 minutes)
- Security: added input length validation on name (max 100 chars) and message (min 10, max 2000 chars)
- Security: added honeypot field to reject automated bot submissions
- Security: added explicit CRLF stripping on Reply-To header values as defence-in-depth
1.0.0
- Initial release