GraphQL API for WordPress

Fund package maintenance!

Installs: 4

Dependents: 0

Suggesters: 0

Security: 0

Stars: 152

Watchers: 9

Forks: 5


0.10.2 2023-02-24 13:09 UTC

This package is auto-updated.

Last update: 2023-03-24 02:47:18 UTC



GraphQL API for WordPress

Transform your WordPress site into a modern GraphQL server:

The interactive schema visualizer

This plugin is the implementation for WordPress of GraphQL by PoP, a CMS-agnostic GraphQL server in PHP.

Installing the plugin (for production)

👀 Instructions: Installing the GraphQL API for WordPress plugin.


👀 Instructions: Setting-up the development environment.

Supported PHP features

Check the list of Supported PHP features

Gutenberg JS builds

Compiled JavaScript code (such as all files under a block's build/ folder) is added to the repo, but only as compiled for production, i.e. after running npm run build.

Code compiled for development, i.e. after running npm start, cannot be commited/pushed to the repo.

Building static sites

The GraphQL API for WordPress provides safe default settings, to make "live" sites secure. However, these safe default settings are not needed when building "static" sites, where the WordPress site is not exposed to the Internet.

This is how the "safe" and "unsafe" default behaviors compare:

Feature Safe behavior Unsafe behavior
Single endpoint Disabled Enabled
“Sensitive” data fields Not added to the schema Added to the schema
Settings from wp_options Only a few predefined options are queryable All options are queryable
Meta (posts, users, comments, taxonomies) No keys are queryable All keys are queryable
Max limit to query entities (posts, users, etc) Limited Unlimited
Environment Fields No environment variables or PHP constants are queryable All environment variables and PHP constants are queryable
HTTP Request Fields No URL can be requested All URLs can be requested

In development, to enable unsafe defaults, execute:

composer enable-unsafe-defaults

On a site in production, set in wp-config.php:


Or define this same key/value as an environment variable.


GraphQL API is extensible, and ships with the following modules (organized by category):


Single EndpointExpose a single GraphQL endpoint under /graphql/, with unrestricted access
Persisted QueriesExpose predefined responses through a custom URL, akin to using GraphQL queries to publish REST endpoints
Custom EndpointsExpose different subsets of the schema for different targets, such as users (clients, employees, etc), applications (website, mobile app, etc), context (weekday, weekend, etc), and others
API HierarchyCreate a hierarchy of API endpoints extending from other endpoints, and inheriting their properties

Schema Configuration
Schema ConfigurationCustomize the schema accessible to different Custom Endpoints and Persisted Queries, by applying a custom configuration (involving namespacing, access control, cache control, and others) to the grand schema
Schema NamespacingAutomatically namespace types with a vendor/project name, to avoid naming collisions
Nested MutationsExecute mutations from any type in the schema, not only from the root
Public/Private SchemaEnable to communicate the existence of some field from the schema to certain users only (private mode) or to everyone (public mode). If disabled, fields are always available to everyone (public mode)

User Interface
Excerpt as DescriptionProvide a description of the different entities (Custom Endpoints, Persisted Queries, and others) through their excerpt

GraphiQL for Single EndpointMake a public GraphiQL client available under /graphiql/, to execute queries against the single endpoint. It requires pretty permalinks enabled
Interactive Schema for Single EndpointMake a public Interactive Schema client available under /schema/, to visualize the schema accessible through the single endpoint. It requires pretty permalinks enabled
GraphiQL for Custom EndpointsEnable custom endpoints to be attached their own GraphiQL client, to execute queries against them
Interactive Schema for Custom EndpointsEnable custom endpoints to be attached their own Interactive schema client, to visualize the custom schema subset
GraphiQL ExplorerAdd the Explorer widget to the GraphiQL client, to simplify coding the query (by point-and-clicking on the fields)

Schema Type
Expose Sensitive Data in the SchemaExpose “sensitive” data elements in the GraphQL schema (such as field Root.roles, field arg Root.posts(status:), and others), which provide access to potentially private user data
Self FieldsExpose "self" fields in the GraphQL schema (such as Post.self and User.self), which can help give a particular shape to the GraphQL response
Schema Custom PostsQuery Custom Post Types
Schema PostsQuery posts, through type Post added to the schema
Schema PagesQuery pages, through type Page added to the schema
Schema UsersQuery users, through type User added to the schema
Schema User RolesQuery user roles, through type UserRole added to the schema
Schema User AvatarsQuery user avatars, through type UserAvatar added to the schema
Schema CommentsQuery comments, through type Comment added to the schema
Schema TagsBase functionality for all tags
Schema Post TagsQuery post tags, through type PostTag added to the schema
Schema CategoriesBase functionality for all categories
Schema Post CategoriesQuery post categories, through type PostCategory added to the schema
Schema MediaQuery media elements, through type Media added to the schema
Schema Custom Post MetaAdd the option field to custom posts, such as type Post
Schema User MetaAdd the option field to type User
Schema Comment MetaAdd the option field to type Comment
Schema Taxonomy MetaAdd the option field to taxonomies, such as types PostTag and PostCategory
Schema MenusQuery menus, through type Menu added to the schema
Schema SettingsFetch settings from the site
Schema MutationsModify data by executing mutations
Schema User State MutationsHave the user log-in, and be able to perform mutations
Schema Custom Post MutationsBase functionality to mutate custom posts
Schema Post MutationsExecute mutations on podyd
Schema Custom Post Media MutationsExecute mutations concerning media items on custom posts
Schema Post Media MutationsExecute mutations concerning media items on posts
Schema Post Tag MutationsAdd tags to posts
Schema Post Category MutationsAdd categories to posts
Schema Comment MutationsCreate comments


Architectural resources

PHP Architecture

Articles explaining how the plugin is "downgraded", using PHP 8.1 for development but deployable to PHP 7.1 for production:

  1. Transpiling PHP code from 8.0 to 7.x via Rector
  2. Coding in PHP 7.4 and deploying to 7.1 via Rector and GitHub Actions
  3. Tips for transpiling code from PHP 8.0 down to 7.1
  4. Including both PHP 7.1 and 8.0 code in the same plugin … or not?

Service container implementation:

Explanation of how the codebase is split into granular packages, to enable CMS-agnosticism:

  1. Abstracting WordPress Code To Reuse With Other CMSs: Concepts (Part 1)
  2. Abstracting WordPress Code To Reuse With Other CMSs: Implementation (Part 2)

Description of how the plugin is scoped:

GraphQL by PoP documentation

GraphQL API for WordPress is powered by the CMS-agnostic GraphQL server GraphQL by PoP.

Technical information on how the GraphQL server works:

Description of how a GraphQL server using server-side components works:

These articles explain the concepts, design and implementation of GraphQL by PoP:

  1. Designing a GraphQL server for optimal performance
  2. Simplifying the GraphQL data model
  3. Schema-first vs code-first development in GraphQL
  4. Speeding-up changes to the GraphQL schema
  5. Versioning fields in GraphQL
  6. GraphQL directives are underrated
  7. Treating GraphQL directives as middleware
  8. Creating an @export GraphQL directive
  9. Adding directives to the schema in code-first GraphQL servers
  10. Coding a GraphQL server in JavaScript vs. WordPress
  11. Supporting opt-in nested mutations in GraphQL
  12. HTTP caching in GraphQL


These articles explain the integration with Gutenberg (the WordPress editor).

  1. Adding a Custom Welcome Guide to the WordPress Block Editor
  2. Using Markdown and Localization in the WordPress Block Editor


PSR-1, PSR-4 and PSR-12.

To check the coding standards via PHP CodeSniffer, run:

composer check-style

To automatically fix issues, run:

composer fix-style

Release notes

Change log

Please see CHANGELOG for more information on what has changed recently.


To execute PHPUnit, run:

composer test

Static Analysis

To execute PHPStan, run:

composer analyse

Downgrading code

To visualize how Rector will downgrade the code to PHP 7.1:

composer preview-code-downgrade

Report issues

To report a bug or request a new feature please do it on the PoP monorepo issue tracker.


We welcome contributions for this package on the PoP monorepo (where the source code for this package is hosted).

Please see CONTRIBUTING and CODE_OF_CONDUCT for details.


If you discover any security related issues, please email instead of using the issue tracker.



GPLv2 or later. Please see License File for more information.