Building static sites

The GraphQL API for WordPress provides safe default settings, to make "live" sites secure:

  • The single endpoint is disabled
  • The “sensitive” data fields (eg: to query posts with status "draft") are not added to the schema
  • Only a few of settings options and meta keys (for posts, users, etc) can be queried
  • The number of entities (for posts, users, etc) that can be queried at once is limited

These safe default settings are not needed when building "static" sites, where the WordPress site is not exposed to the Internet. These settings can be used instead:

  • The single endpoint is enabled
  • The “sensitive” data fields are added to the schema
  • All settings options and meta keys can be queried
  • The number of entities that can be queried at once is unlimited

To enable unsafe defaults, set in wp-config.php:

define( 'GRAPHQL_API_ENABLE_UNSAFE_DEFAULTS', true );

Or define this same key/value as an environment variable.