Title: HWConnector Lite – Headless REST API &amp; CORS
Author: markmym
Published: <strong>May 27, 2026</strong>
Last modified: May 27, 2026

---

Search plugins

![](https://s.w.org/plugins/geopattern-icon/hwconnector-lite-headless-wp-rest-api-
cors.svg)

# HWConnector Lite – Headless REST API & CORS

 By [markmym](https://profiles.wordpress.org/markmym/)

[Download](https://downloads.wordpress.org/plugin/hwconnector-lite-headless-wp-rest-api-cors.1.0.1.zip)

 * [Details](https://wordpress.org/plugins/hwconnector-lite-headless-wp-rest-api-cors/#description)
 * [Reviews](https://wordpress.org/plugins/hwconnector-lite-headless-wp-rest-api-cors/#reviews)
 *  [Installation](https://wordpress.org/plugins/hwconnector-lite-headless-wp-rest-api-cors/#installation)
 * [Development](https://wordpress.org/plugins/hwconnector-lite-headless-wp-rest-api-cors/#developers)

 [Support](https://wordpress.org/support/plugin/hwconnector-lite-headless-wp-rest-api-cors/)

## Description

Every headless WordPress project requires the same setup: expose ACF fields to the
REST API, configure CORS headers for your JavaScript frontend, and register a contact
form endpoint.

**HWConnector Lite** moves all of that out of functions.php and into a clean, tabbed
admin settings page.

#### Features

**REST API Tab**
 * Expose ACF custom fields for post, page, and one Custom Post
Type to the WordPress REST API * No PHP required — configure through the admin dashboard

**CORS Tab**
 * Add one allowed frontend origin (Next.js, Astro, Nuxt, etc.) through
a simple field * Correct headers sent for GET, POST, and OPTIONS (preflight) requests*
Origin-matched headers — only the requesting origin is echoed back

**Endpoints Tab**
 * `POST /wp-json/site/v1/contact` — accepts name, email, message
and forwards to your admin email * Configurable namespace and send-to email

**Security Tab**
 * Disable XML-RPC with one toggle (default: ON) * Hide WordPress
version from page source and RSS (default: ON)

#### Pro Version

[HWConnector Pro](https://winstonmark.gumroad.com/l/dchlm) unlocks:

 * Unlimited CORS origins
 * Unlimited Custom Post Types in the REST API
 * Newsletter endpoint — `POST /wp-json/site/v1/newsletter` with FluentCRM integration

#### Who it’s for

Developers building headless WordPress sites with Next.js, Astro, Nuxt, SvelteKit,
or any other JavaScript frontend who want a clean, reusable setup instead of copying
functions.php boilerplate on every project.

#### Requirements

 * WordPress 5.8+
 * PHP 7.4+
 * ACF (Advanced Custom Fields) — optional, required only for the REST API tab

## Installation

 1. Upload the `headless-wp-connector-lite` folder to `/wp-content/plugins/`
 2. Activate the plugin via the **Plugins** menu
 3. Go to **Settings  Headless Connector** in your WordPress admin
 4. Configure each tab and save

## FAQ

### Does this work with WordPress.com?

No. This plugin requires self-hosted WordPress (wordpress.org).

### Do I need ACF installed?

Only for the REST API feature. CORS, the contact endpoint, and security work independently.

### The contact form endpoint isn’t sending emails. What should I check?

WordPress uses `wp_mail()` which relies on your server’s mail configuration. On 
most shared hosts it works out of the box. If not, install an SMTP plugin like WP
Mail SMTP and configure it with your mail provider.

### CORS headers aren’t being sent. What should I check?

 1. Confirm the origin is listed exactly as the browser sends it — including `http://`
    or `https://`, no trailing slash
 2. Check that no other plugin is adding conflicting `Access-Control-Allow-Origin` 
    headers

### Endpoints return 404.

Go to **Settings  Permalinks** and click **Save Changes** to flush WordPress rewrite
rules.

### Do I need to know PHP?

No. The plugin handles all the PHP. You configure everything through the admin dashboard.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“HWConnector Lite – Headless REST API & CORS” is open source software. The following
people have contributed to this plugin.

Contributors

 *   [ markmym ](https://profiles.wordpress.org/markmym/)

[Translate “HWConnector Lite – Headless REST API & CORS” into your language.](https://translate.wordpress.org/projects/wp-plugins/hwconnector-lite-headless-wp-rest-api-cors)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/hwconnector-lite-headless-wp-rest-api-cors/),
check out the [SVN repository](https://plugins.svn.wordpress.org/hwconnector-lite-headless-wp-rest-api-cors/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/hwconnector-lite-headless-wp-rest-api-cors/)
by [RSS](https://plugins.trac.wordpress.org/log/hwconnector-lite-headless-wp-rest-api-cors/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.1

 * Renamed plugin to remove trademark term from display name and slug
 * Updated all function, class, constant, and option prefixes to meet WordPress.
   org guidelines (hwclite_)
 * Added self as contributor to readme
 * Security: added transient-based rate limiting on the contact endpoint (max 5 
   per IP per 10 minutes)
 * Security: added input length validation on name (max 100 chars) and message (
   min 10, max 2000 chars)
 * Security: added honeypot field to reject automated bot submissions
 * Security: added explicit CRLF stripping on Reply-To header values as defence-
   in-depth

#### 1.0.0

 * Initial release

## Meta

 *  Version **1.0.1**
 *  Last updated **1 month ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 5.8 or higher **
 *  Tested up to **7.0**
 *  PHP version ** 7.4 or higher **
 * Tags
 * [acf](https://wordpress.org/plugins/tags/acf/)[cors](https://wordpress.org/plugins/tags/cors/)
   [headless](https://wordpress.org/plugins/tags/headless/)[Headless WordPress](https://wordpress.org/plugins/tags/headless-wordpress/)
   [rest-api](https://wordpress.org/plugins/tags/rest-api/)
 *  [Advanced View](https://wordpress.org/plugins/hwconnector-lite-headless-wp-rest-api-cors/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/hwconnector-lite-headless-wp-rest-api-cors/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/hwconnector-lite-headless-wp-rest-api-cors/reviews/)

## Contributors

 *   [ markmym ](https://profiles.wordpress.org/markmym/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/hwconnector-lite-headless-wp-rest-api-cors/)