WordPress as a Solid Foundation for Applications

People usually think of WordPress as a blogging platform. That is true, but WordPress has evolved into much more than that. Along the way, it has gained several additions and built-in features that are useful when building Web applications, such as content sanitization, validation, caching, transients, and many more.

Let’s go through some of the more advantageous systems in WordPress that many may take for granted, but can help you create a rock-solid application.


When considering the potential architecture of your application, it is important to be familiar with the toolset and data types WordPress provides, which will help you build your application.

On its own, the publishing capabilities and features provided by WordPress can prove very useful when building your application. There are a few things that you don’t need to worry about, that come with a zero-development cost to you, such as posts, pages, templates, taxonomies, users, comments, and plugin architecture, to mention a few.


Due to its plugin architecture, WordPress allows code to run independently of the theme, which is very powerful. Some hooks and filters run before the theme is initialized, which makes certain tasks better suited to plugins (such as overriding the internal authentication functions, which run before the theme is initialized).

The plugin code can live in your theme’s codebase (which makes it easier for version control and development), and then symbolic links can be created to expose them to WordPress. If your plugin should be active at all times (that is, not allowing deactivation), then you can create a symbolic link into wp-content/mu-plugins. If the plugin can be enabled/disabled (such as a maintenance mode for your application), then you can create a symbolic link into wp-content/plugins.

For example, using actions and filters, and the plugin architecture, you can implement the advertising sections of your application as a plugin. Then you can enable or disable advertising on your site by just enabling or disabling the plugin. The same goes for any feature that can be enabled/disabled at any given time.

It’s worth mentioning that, even though a huge number of plugins are available in the WordPress Plugins Repository, they may or may not suit the needs of your application. However practical it sounds, it is not recommended to use a WordPress plugin in your application without first making sure it is well written and has no security issues or vulnerabilities, which could in turn expose vulnerabilities in your application.

There will come a time when you need to decide whether to use a premade plugin or build your own. Certain situations may justify one over the other.

Using community or commercial plugins in your application


Advantages:

  • Zero development needed
  • Ready to install and activate
  • Choose from thousands of plugins
  • Many plugins that handle several tasks

Disadvantages:

  • May not be updated
  • May contain security issues
  • May use bad coding practices
  • May not be compatible with your WordPress version

Building the plugins used by your application


Advantages:

  • Integrates perfectly with your application
  • Updates are part of application updates
  • Full control of the plugin code

Disadvantages:

  • Development effort required to implement
  • Adds maintenance load to your application
  • Avoiding security issues is your responsibility

In the end, you should weigh these advantages and disadvantages before deciding whether to use a premade plugin or build your own. If security and integration are important to you, then it is recommended to build your own plugins; otherwise, you can consider plugins that have already been built for you.


WordPress provides several functions that help you strengthen the security of your application. Using these functions you can filter the content provided and remove any malicious code that could result in an XSS (Cross-Site Scripting) vulnerability. These functions have been broadly tested within WordPress itself, and are ready to use for your applications.

There are also sanitization functions that perform tasks such as sanitizing titles, escaping URLs, and sanitizing email addresses, to mention a few.

For reference, see wp-includes/kses.php and wp-includes/formatting.php.
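The following added example (not code from the original article) shows these functions applied to one form submission: sanitize and validate on input, then escape again on output. The form fields, the app_save_profile action name and the app_* meta keys are assumptions made for illustration.

```php
<?php
// Added example. The form fields, the 'app_save_profile' action name and
// the 'app_*' meta keys are assumptions made for illustration.

function app_bio_allowed_html() {
    // Allowlist for the bio field: tags and attributes not listed are stripped.
    return array(
        'a'  => array( 'href' => true, 'title' => true ),
        'em' => array(), 'strong' => array(),
    );
}

add_action( 'admin_post_app_save_profile', 'app_save_profile' );

function app_save_profile() {
    // admin_post_{action} only fires for logged-in users; the nonce check
    // rejects forged (CSRF) submissions before any input is read.
    check_admin_referer( 'app_save_profile', 'app_nonce' );

    $input = wp_unslash( $_POST );
    $field = function ( $key ) use ( $input ) {
        return isset( $input[ $key ] ) && is_string( $input[ $key ] ) ? $input[ $key ] : '';
    };

    // Sanitize on input, using the function that matches each field's type.
    $email   = sanitize_email( $field( 'email' ) );
    $website = esc_url_raw( $field( 'website' ), array( 'http', 'https' ) );
    $name    = sanitize_text_field( $field( 'display_name' ) );
    $bio     = wp_kses( $field( 'bio' ), app_bio_allowed_html() );

    // Sanitizers return an empty string on bad input, so validate explicitly.
    if ( ! is_email( $email ) || '' === $name ) {
        wp_die( esc_html( 'Invalid profile data.' ), '', array( 'response' => 400 ) );
    }
    foreach ( compact( 'email', 'website', 'name', 'bio' ) as $key => $value ) {
        // update_user_meta() unslashes its input, so re-slash to keep backslashes.
        update_user_meta( get_current_user_id(), "app_{$key}", wp_slash( $value ) );
    }
    wp_safe_redirect( home_url( '/profile/' ) );
    exit;
}

function app_render_profile( $user_id ) {
    // Escape on output as well: stored data is never assumed to be safe.
    $website = get_user_meta( $user_id, 'app_website', true );
    printf( '<h2>%s</h2>', esc_html( get_user_meta( $user_id, 'app_name', true ) ) );
    printf( '<a href="%s">%s</a>', esc_url( $website ), esc_html( $website ) );
    echo wp_kses( get_user_meta( $user_id, 'app_bio', true ), app_bio_allowed_html() );
}
```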


You get user management for free when using WordPress as a foundation for your application. Every user can have its own custom metadata, which can be targeted towards your application needs. This makes managing users relatively easy, as opposed to building your own user management system.

When it comes to authentication, if you are not satisfied with the built-in authentication provided by WordPress, you can create your own implementation by overriding the authentication functions via a plugin, using a filter.
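As an added example (not code from the original article), a small plugin can hook the authenticate filter to layer an application-specific rule on top of the built-in credential checks. The app_account_locked meta key, the error code and the log format are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: App Login Policy (added example)
 */
// Assumptions: the 'app_account_locked' user meta key, the 'app_login_denied'
// error code and the log line format are hypothetical.

// Core's username/password handlers run at priority 20, so priority 50
// sees their result and can only tighten it.
add_filter( 'authenticate', 'app_enforce_login_policy', 50, 3 );

function app_enforce_login_policy( $user, $username, $password ) {
    // Earlier handlers failed or had nothing to check: pass the result
    // through unchanged so this filter never turns a failure into a success.
    if ( ! ( $user instanceof WP_User ) ) {
        return $user;
    }

    // Application rule: accounts flagged in user meta may not log in.
    if ( get_user_meta( $user->ID, 'app_account_locked', true ) ) {
        // Generic message: the client is not told why the login was refused.
        return new WP_Error( 'app_login_denied', __( 'Login failed.', 'app' ) );
    }

    return $user;
}

// Record every failed login with its error code so that lockouts and
// password-guessing attempts are visible in the server log.
add_action( 'wp_login_failed', 'app_log_failed_login', 10, 2 );

function app_log_failed_login( $username, $error = null ) {
    $code = $error instanceof WP_Error ? $error->get_error_code() : 'unknown';
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';

    // Strict sanitize_user() reduces the name to a safe character set,
    // which keeps attacker-supplied text from forging extra log lines.
    error_log( sprintf(
        'login_failed user=%s code=%s ip=%s',
        sanitize_user( $username, true ),
        $code,
        $ip
    ) );
}
```

Placed in wp-content/mu-plugins, a policy like this cannot be switched off from the admin screen.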


It is quite likely that the permalinks and URL structure provided by WordPress will not satisfy the needs of your application. There are various ways to work around this and create the URL structure your application needs.

Taxonomies have some flexibility in terms of how their permalinks are created. Additionally, you can use the pre_handle_404 WordPress filter to handle your custom routes, using a short-circuit approach. Leveraging the flexibility provided by this filter, you are able to create your own routes, without any limitation.

For more information, you can refer to the documentation of pre_handle_404, at https://developer.wordpress.org/reference/hooks/pre_handle_404/
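The added example below (not code from the original article) sketches one such short-circuit route. Because a route handled this way bypasses the normal WordPress query and template checks, it validates the URL strictly and enforces authentication and authorization itself. The /app/orders/<id> path, the app_order post type and a site installed at the web root are assumptions.

```php
<?php
// Added example. The /app/orders/<id> route and the 'app_order' post type
// are assumptions; the site is assumed to be installed at the web root.

add_filter( 'pre_handle_404', 'app_route_orders', 10, 2 );

function app_route_orders( $preempt, $wp_query ) {
    $uri  = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    $path = (string) wp_parse_url( $uri, PHP_URL_PATH );

    // Strict, anchored pattern: only a bounded run of digits is accepted as
    // the identifier, so nothing from the URL is used unvalidated.
    if ( ! preg_match( '#^/app/orders/([1-9][0-9]{0,9})/?$#', $path, $m ) ) {
        return $preempt; // Not our route: let WordPress handle it normally.
    }

    // The short-circuit skips WordPress's own query and template logic,
    // so authentication and authorization must be enforced here.
    if ( ! is_user_logged_in() ) {
        wp_send_json( array( 'error' => 'authentication_required' ), 401 );
    }

    $order = get_post( (int) $m[1] );
    if ( ! $order
        || 'app_order' !== $order->post_type
        || ! current_user_can( 'read_post', $order->ID )
    ) {
        // Same response for "missing" and "forbidden", so the route does
        // not reveal which order IDs exist.
        wp_send_json( array( 'error' => 'not_found' ), 404 );
    }

    // Per-user data: tell browsers and proxies not to cache it.
    nocache_headers();

    // wp_send_json() sets the status, JSON-encodes the data and exits.
    wp_send_json(
        array(
            'id'    => $order->ID,
            'title' => get_the_title( $order ),
            'date'  => get_post_time( 'c', true, $order ),
        ),
        200
    );
}
```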

AWS Integration

Hosting the images on your own server may not be the best idea if you are looking for performance. For this reason, you can integrate the Amazon Web Services PHP SDK to upload your media into Amazon S3, which will vastly increase the performance of your application.

When it comes to email, you can use the AWS PHP SDK to send email via Amazon SES.


This is one of the things that makes WordPress a good fit for applications. A complete application makes use of an API, and when it comes to that, you are set with the WordPress REST API. Using the API allows you to implement your application’s frontend in the language of your preference. It doesn’t have to be PHP.

The WordPress REST API provides a set of HTTP endpoints that let you access the data from your WordPress site in a simple JSON format, which can then be digested by your application.

A good example of an application that uses the WordPress REST API heavily is Calypso, which powers WordPress.com. The application has been built with Node.js and React, communicating to the sites via the REST API exclusively. It is living proof that you can build your application’s frontend in the language of your choice.



The information covered in this article only scratches the surface in terms of what can actually be achieved. WordPress is a very powerful platform that can be used for more than blogging and themes. There is much you can do using the functionality WordPress provides. It is just a matter of knowing the platform and leveraging its potential.

PHP is becoming faster every day, so now is the perfect time to use WordPress as a foundation for your application.
