INTRODUCTION
WordPress is no longer just a blogging tool — it is a powerful headless CMS used to build mobile apps, dashboards, SaaS tools, and modern web apps. One reason for this transformation is the WordPress REST API.
With the REST API, developers can read, create, update, and delete WordPress data using simple HTTP requests.
But the real power appears when you create your own custom REST API endpoints.
In this guide, you’ll learn:
- What the WordPress REST API is
- When to build custom endpoints
- Step-by-step way to register endpoints
- Complete working code
- How to test endpoints
- Security tips & authentication
- Real-world use cases
Let's begin.
What is WordPress REST API?
The WordPress REST API allows external applications to communicate with your WordPress website using URLs (endpoints).
For example:
https://example.com/wp-json/wp/v2/posts
This endpoint fetches all posts.
REST API uses:
- GET → Read data
- POST → Create data
- PUT/PATCH → Update data
- DELETE → Remove data
If built properly, you can use your WordPress backend for:
- Mobile apps
- JavaScript SPAs
- CRM dashboards
- Custom admin panels
- Affiliate reporting tools
- WooCommerce apps
Why Create Custom REST API Endpoints?
Default endpoints are powerful, but you may need more:
- Fetch specific custom data
- Run custom SQL queries
- Show data from a custom post type
- Process form submissions from Flutter/React apps
- Build plugin-specific APIs
A custom endpoint becomes a direct gateway to your data.
How to Create a Custom REST API Endpoint (Step-By-Step)
To build a custom endpoint, you use the WordPress function:
register_rest_route()
This function goes inside functions.php or a custom plugin.
✔ Step 1: Create a Callback Function
A callback function runs whenever the API endpoint is requested.
Example:
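// Callback: runs on each request to the route and returns the response data.
function kaddora_get_message() {
    return array(
        'status'  => 'success',
        'message' => 'Welcome to Custom REST API!',
    );
}
This function returns a PHP array, which the REST API serializes to JSON.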
✔ Step 2: Register The REST Route
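Use the rest_api_init hook:
add_action('rest_api_init', function () {
    register_rest_route('kaddora/v1', '/message', array(
        'methods'             => 'GET',
        'callback'            => 'kaddora_get_message',
        // Public, read-only route. Since WordPress 5.5 a route registered
        // without permission_callback triggers a "doing it wrong" notice.
        'permission_callback' => '__return_true',
    ));
});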
Your Custom Endpoint is Ready
Visit:
https://yourwebsite.com/wp-json/kaddora/v1/message
You will get:
{
    "status": "success",
    "message": "Welcome to Custom REST API!"
}
Example 2: Return Custom Post Type (CPT) Data
Let’s return all posts of a CPT called "course":
function kaddora_get_courses() {
    $args = array(
        'post_type'      => 'course',
        // -1 returns every course; get_posts() only returns published posts by default.
        'posts_per_page' => -1,
    );
    $posts = get_posts($args);
    $data  = [];
    foreach ($posts as $post) {
        // Expose only the fields the client needs.
        $data[] = array(
            'id'    => $post->ID,
            'title' => $post->post_title,
            'link'  => get_permalink($post->ID),
        );
    }
    return $data;
}
add_action('rest_api_init', function () {
    register_rest_route('kaddora/v1', '/courses', array(
        'methods'             => 'GET',
        'callback'            => 'kaddora_get_courses',
        // Public, read-only listing of published courses.
        'permission_callback' => '__return_true',
    ));
});
Call the endpoint:
/wp-json/kaddora/v1/courses
Example 3: Create POST Endpoint (Save Data)
You can receive data from external apps.
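function kaddora_save_message($request) {
    $msg = sanitize_text_field($request['msg']);
    if ('' === $msg) {
        // Reject a missing or empty message instead of inserting a blank post.
        return new WP_Error('kaddora_empty_msg', 'The msg field is required.', array('status' => 400));
    }
    $post_id = wp_insert_post(array(
        'post_title'  => $msg,
        'post_status' => 'publish',
        'post_type'   => 'message',
    ), true); // true: return a WP_Error on failure instead of 0
    if (is_wp_error($post_id)) {
        return $post_id;
    }
    return [
        'status' => 'saved',
        'id'     => $post_id,
    ];
}
add_action('rest_api_init', function () {
    register_rest_route('kaddora/v1', '/save-message', array(
        'methods'             => 'POST',
        'callback'            => 'kaddora_save_message',
        // '__return_true' leaves this route open to unauthenticated callers;
        // restrict it as described under Security & Authentication Tips
        // before using it in production.
        'permission_callback' => '__return_true',
    ));
});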
You can send a POST request via:
- Postman
- Mobile app
- JavaScript fetch()
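A stricter variant of the POST route above, as an added example that is not part of the original article: it requires a logged-in user with a capability, validates msg through the route's args, and saves the post as pending. The function name kaddora_save_message_checked, the /messages route and the choice of the edit_posts capability are assumptions.

```php
<?php
// Added example (not from the original article). The function name
// kaddora_save_message_checked, the /messages route and the edit_posts
// capability choice are assumptions made for illustration.

function kaddora_save_message_checked(WP_REST_Request $request) {
    // 'msg' has already passed validate_callback and sanitize_callback below.
    $post_id = wp_insert_post(array(
        'post_title'  => $request->get_param('msg'),
        'post_status' => 'pending',   // hold for review instead of publishing directly
        'post_type'   => 'message',
        'post_author' => get_current_user_id(),
    ), true);                         // true: return WP_Error on failure

    if (is_wp_error($post_id)) {
        return $post_id;              // the REST API turns this into a JSON error response
    }
    $response = rest_ensure_response(array('status' => 'saved', 'id' => $post_id));
    $response->set_status(201);
    return $response;
}

add_action('rest_api_init', function () {
    register_rest_route('kaddora/v1', '/messages', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'kaddora_save_message_checked',
        // Authorization runs before the callback; returning false yields 401/403.
        'permission_callback' => function () {
            return current_user_can('edit_posts');
        },
        // Declaring args lets the REST API reject bad input with HTTP 400
        // before the callback runs.
        'args' => array(
            'msg' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => function ($value) {
                    $len = is_string($value) ? mb_strlen(trim($value)) : 0;
                    return $len >= 1 && $len <= 200;
                },
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ));
});
```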
How to Test REST API Endpoint (Postman)
- Open Postman
- Enter URL: https://yourwebsite.com/wp-json/kaddora/v1/message
- Choose method: GET
- Click Send
- View JSON response
For a POST request:
- Select POST
- Body → Raw → JSON
- Add:
{
    "msg": "Hello from App!"
}
Security & Authentication Tips
Some endpoints must not be public.
Use these methods:
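✔ 1. Nonce Authentication (for logged-in users)
For requests made from a logged-in browser session, send a nonce for the wp_rest action in the X-WP-Nonce header so WordPress recognizes the user. The permission callback then checks what that user is allowed to do:
'permission_callback' => function () {
    return current_user_can('manage_options');
}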
✔ 2. API Key Authentication
Send the API key in a request header and validate it inside the callback.
✔ 3. JWT Authentication
Best for mobile apps.
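One way to implement the API key check from tip 2, as an added example that is not part of the original article: the key is validated in permission_callback, so the check runs before the endpoint callback. The constant KADDORA_API_KEY, the X-API-Key header name and the /report route are assumptions.

```php
<?php
// Added example (not from the original article). KADDORA_API_KEY, the
// X-API-Key header name and the /report route are assumptions.
// The key is assumed to be defined in wp-config.php:
//   define('KADDORA_API_KEY', '<long random value>');

function kaddora_check_api_key(WP_REST_Request $request) {
    if (!defined('KADDORA_API_KEY') || '' === KADDORA_API_KEY) {
        // Fail closed when no key is configured.
        return new WP_Error('kaddora_no_key', 'API key not configured.', array('status' => 500));
    }
    // get_header() normalizes the name, so X-API-Key and x-api-key both match.
    $supplied = $request->get_header('X-API-Key');

    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guess were correct.
    if (!is_string($supplied) || !hash_equals(KADDORA_API_KEY, $supplied)) {
        return new WP_Error('kaddora_bad_key', 'Invalid or missing API key.', array('status' => 401));
    }
    return true;
}

function kaddora_get_report() {
    $counts = wp_count_posts('course');
    return array(
        'status'            => 'success',
        'published_courses' => isset($counts->publish) ? (int) $counts->publish : 0,
    );
}

add_action('rest_api_init', function () {
    register_rest_route('kaddora/v1', '/report', array(
        'methods'             => 'GET',
        'callback'            => 'kaddora_get_report',
        // Returning a WP_Error here stops the request before the callback runs.
        'permission_callback' => 'kaddora_check_api_key',
    ));
});
```

Serve the route over HTTPS only, since the key travels in every request.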
Real Use Cases for Custom REST API Endpoints
- Display custom dashboards using React.
- Mobile app login/register system
- Custom form submission endpoints
- Affiliate tracking API for GPL stores
- WooCommerce product sync with external DB
- Headless CMS with Next.js
- Custom reporting panels
Conclusion
Custom REST API endpoints turn WordPress into a powerful, flexible backend capable of supporting mobile apps, SaaS products, dashboards, and enterprise integrations. Once mastered, they significantly expand what your website or plugin can do.
If you're building plugins, themes, hybrid themes, or WooCommerce extensions, custom REST endpoints give you unlimited power.
Top 10 FAQs About Custom REST API in WordPress
1. What is a REST API endpoint in WordPress?
A URL that provides data or performs actions when accessed.
2. Where should I write code for custom API endpoints?
Inside a custom plugin or your theme’s functions.php. Plugins are recommended.
3. Can I use the REST API without authentication?
Yes, but only for GET requests. POST/PUT/DELETE require authentication unless you open them intentionally.
4. How do I protect my custom endpoints?
Use permissions, nonces, JWT, or API keys.
5. Can WordPress REST API work with mobile apps?
Absolutely — Flutter, React Native, Android, and iOS all support REST.
6. How do I send data to a POST endpoint?
Using Postman, JavaScript fetch(), or mobile app HTTP clients.
7. Can I return custom SQL results?
Yes, using $wpdb — but sanitise inputs to avoid SQL injection.
8. Can REST API handle WooCommerce products?
Yes, WooCommerce itself has a full REST API, and you can create your own custom routes.
9. Does REST API slow down a website?
Not if coded properly; caching boosts performance.
10. Is a custom REST API useful for headless WordPress?
Yes — it is the backbone of headless CMS development.
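FAQ 7 in practice, as an added example that is not part of the original article: a search route whose custom SQL goes through $wpdb->prepare() with validated parameters. The /courses/search route, the function name and the q and per_page parameters are assumptions.

```php
<?php
// Added example (not from the original article). The /courses/search route,
// the function name and the 'q' / 'per_page' parameters are assumptions.

function kaddora_search_courses(WP_REST_Request $request) {
    global $wpdb;
    $term  = $request->get_param('q');         // validated and sanitized by the args below
    $limit = $request->get_param('per_page');  // integer 1..50, enforced by the args below

    // Unsafe pattern, shown only for contrast: request data concatenated into SQL.
    //   $wpdb->get_results("... WHERE post_title LIKE '%" . $term . "%'");

    // esc_like() escapes the LIKE wildcards (% and _) in the user's term;
    // prepare() then quotes and escapes each placeholder value.
    $like = '%' . $wpdb->esc_like($term) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = 'publish' AND post_title LIKE %s
         ORDER BY post_date DESC LIMIT %d",
        'course',
        $like,
        $limit
    );
    return array_map(function ($row) {
        return array('id' => (int) $row->ID, 'title' => $row->post_title);
    }, $wpdb->get_results($sql));
}

add_action('rest_api_init', function () {
    register_rest_route('kaddora/v1', '/courses/search', array(
        'methods'             => 'GET',
        'callback'            => 'kaddora_search_courses',
        'permission_callback' => '__return_true', // public: published titles only
        'args' => array(
            'q' => array(
                'required' => true, 'type' => 'string',
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'per_page' => array(
                'type' => 'integer', 'default' => 10, 'minimum' => 1, 'maximum' => 50,
                'validate_callback' => 'rest_validate_request_arg',
                'sanitize_callback' => 'absint',
            ),
        ),
    ));
});
```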