Open Specification v0.1.0

Stop giving every plugin
the keys to everything.

WP Apps is an open spec for sandboxed, permission-scoped extensions. Apps run as isolated services — zero access to your database, filesystem, or runtime. The Shopify model, for WordPress.

Read the Spec → How It Works
WordPress Site
WP Core
REST API
Hooks System
Database
Apps Runtime (mu-plugin)
API Gateway
Hook Dispatcher
Permission Enforcement
Audit Logging
HTTPS — Structured Protocol
App A
Cloud
App B
Container
App C
Same Server
01
The Problem

WordPress plugins run with the keys to the kingdom

Every plugin gets full, unrestricted access to everything. A single vulnerable plugin compromises the entire site. Here's what that looks like.

Traditional Plugin — Access Audit
wp_users Full Access
wp_posts Full Access
wp_options Full Access
$wpdb (raw SQL) Full Access
wp-config.php Full Access
/wp-content/ Full Access
PHP runtime Full Access
Network (outbound) Full Access
Other plugins Full Access
User passwords Full Access
Verdict: Unrestricted — total surface exposure
WP App — Access Audit
wp_users read:basic
wp_posts read, write
wp_options prefix_* only
$wpdb (raw SQL) Denied
wp-config.php Denied
/wp-content/ Denied
PHP runtime Denied
Network (outbound) Allowlist only
Other plugins Denied
User passwords Denied
Verdict: Scoped — minimum viable permissions

Plugin vulnerabilities are the #1 attack vector for WordPress sites. Not because developers are careless — because the architecture gives every extension the keys to everything.

02
How It Works

Six ideas borrowed from Shopify, adapted for WordPress

Apps are external services. They communicate through structured APIs. They get only the permissions they ask for.

Declare a manifest

Apps ship a wp-app.json that declares identity, permissions, hooks, UI surfaces, and storage. The manifest is the single source of truth.

Admin reviews & approves

The site admin sees exactly what the app requests before installation. Granular scopes like posts:read and users:read:basic.

OAuth token exchange

The app receives scoped, short-lived access tokens. No database credentials, no filesystem paths, no PHP runtime sharing.

API-only communication

Apps interact with WordPress exclusively through a REST API superset under /apps/v1/. Every call is authenticated, scoped, rate-limited, and logged.

Hook dispatch over HTTP

WordPress fires hooks to apps via HMAC-signed HTTP requests. Apps can filter content and respond to actions — without running PHP inside WordPress.

Structured UI bridge

Apps render admin panels, meta boxes, blocks, and dashboard widgets through a component schema — or sandboxed iframes with a JS bridge SDK.

03
Features

Everything apps need, nothing they don't

Granular permissions

Scopes follow resource:action:constraint patterns. Apps declare what they need; admins approve exactly that. Never-grantable capabilities protect core secrets.

Complete isolation

Apps cannot access other apps' data, WordPress core tables, the filesystem, or execute arbitrary PHP/SQL. Every app is a sandbox.

Hook subscriptions

Subscribe to WordPress actions and filters over HTTP. Sync filters for content modification, async actions for background work. Timeouts and circuit breakers keep things fast.

UI components

A structured component library for admin pages, meta boxes, blocks, and dashboard widgets — or full iframe mode with the Apps Bridge JS SDK for complex UIs.

Scoped storage

Declare custom tables, options, post meta, and transients in your manifest. The runtime creates, isolates, and enforces size limits automatically.

Full audit log

Every API call, hook dispatch, and data access is logged with app ID, endpoint, method, status, and timing. Complete visibility into what every app does.

Available Permission Scopes

posts:read posts:write posts:delete postmeta:read postmeta:write options:read:prefix_* options:write:prefix_* users:read:basic users:read:full media:read media:write comments:read comments:write taxonomies:read taxonomies:write email:send cron:register blocks:register rest:extend site:read themes:read
04
Developer Experience

Build apps in any language

Declare everything in a manifest. Handle hooks with a clean SDK. Ship anywhere that serves HTTP.

wp-app.json 
{
  "app": {
    "id": "com.example.my-seo-app",
    "name": "My SEO App",
    "version": "1.0.0"
  },

  "permissions": {
    "scopes": ["posts:read", "posts:write", "postmeta:read"]
  },

  "hooks": {
    "filters": [
      { "hook": "the_content", "priority": 99, "timeout_ms": 1000 }
    ],
    "actions": [
      { "hook": "save_post", "async": true, "timeout_ms": 3000 }
    ]
  },

  "surfaces": {
    "meta_boxes": [
      { "id": "seo-settings", "screen": ["post", "page"] }
    ]
  }
}
use WPApps\App;
use WPApps\Request;
use WPApps\Response;

$app = new App(__DIR__ . '/wp-app.json');

// Filter: modify post content
$app->onFilter('the_content', function (Request $req): Response {
    $content = $req->args[0];
    $content .= '<script type="application/ld+json">...</script>';
    return Response::filter($content);
});

// Action: analyze post on save (async)
$app->onAction('save_post', function (Request $req): Response {
    $post = $req->api->get("/apps/v1/posts/{$req->args[0]}");
    $score = analyze_seo($post['content']);
    $req->api->put("/apps/v1/posts/{$req->args[0]}/meta/_seo_score", [
        'value' => $score
    ]);
    return Response::ok();
});

$app->run();
# Scaffold a new app
$ wp-apps init my-seo-app --language php

# Validate your manifest
$ wp-apps validate ./wp-app.json
  ✓ Manifest valid
  ✓ 3 scopes declared
  ✓ 2 hooks registered
  ✓ 1 surface defined

# Run locally with tunnel to your dev site
$ wp-apps dev --site https://mysite.com
  App running at localhost:3000
  Tunnel: https://abc123.wp-apps.dev
  Connected to mysite.com ✓

# Deploy
$ wp-apps deploy --platform instawp
  ✓ Deployed v1.0.0 to InstaWP Apps Platform
05
Comparison

Plugins vs Apps, side by side

Aspect Traditional Plugin WP App
Execution In-process PHP External HTTP service
Database Full access ($wpdb, any table) Scoped API only
Filesystem Full (wp-config, core files) None
Network Unrestricted outbound Declared allowlist
Other extensions Can read and modify Fully isolated
Permissions All or nothing Granular scopes
Crash impact Takes down entire site App fails gracefully
Audit trail None Full audit log
Resource limits None Rate limits, timeouts, payload caps
Scalability Bound to PHP process Independently scalable

Apps can run on the same server as WordPress — as a separate process. Same machine, separate runtime. Co-located apps add just 1–5ms latency per hook, making them ideal for render-path filters.

Get Involved

The spec is open.
Build with us.

WP Apps is a living specification. Read it, build on it, contribute to it. The reference implementation is coming from InstaWP.

Read the Full Spec → Contribute on GitHub