[wp-trac] [WordPress Trac] #65095: Introduce Application Mode (DISABLE_BLOG) to disable post/blog features for secure non-CMS usage
WordPress Trac
noreply at wordpress.org
Sat Apr 18 03:44:15 UTC 2026
#65095: Introduce Application Mode (DISABLE_BLOG) to disable post/blog features for
secure non-CMS usage
-------------------------+-------------------------------------------------
Reporter: | Owner: (none)
dramitstalbot |
Type: feature | Status: new
request |
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords: feature-request needs-design-
Focuses: rest-api, | feedback
performance |
-------------------------+-------------------------------------------------
WordPress has evolved beyond a blogging platform and is widely used as an
application framework for building systems such as CRMs, ERPs, and
healthcare software.
There is currently no supported, centralized way to disable blog/content-
related functionality at the core level when it is not needed.
Problem
Even when WordPress is used purely as an application framework:
* Core blog features (posts, categories, tags, comments, feeds) are always
loaded
* Associated hooks, filters, and REST endpoints remain active
* Rewrite rules and query handling for posts are still registered
* Admin UI includes unused components
This increases:
* Attack surface (especially via plugins targeting post workflows)
* Resource usage
* Complexity in securing deployments
Real-World Use Case
I am a medical doctor and developer building a Hospital Management
Information System (HMIS) on WordPress.
This system includes:
* Patient records and clinical documentation
* Prescription workflows
* Medical file storage
* Billing and administration
In this context:
* WordPress is used strictly as an application framework
* Blog functionality is completely unused
* Reducing unnecessary components is critical for security, especially in
healthcare environments
Proposal
Introduce a core constant:
define('DISABLE_BLOG', true);
When enabled, WordPress operates in an Application Mode.
Expected Behavior
When DISABLE_BLOG is enabled:
* Do not register:
* post post type
* category and post_tag taxonomies
* comment system
* Disable:
* Post-related REST API endpoints (e.g., /wp/v2/posts)
* Feeds and post permalinks
* Author archives
* Skip loading:
* Blog-related hooks and filters
* Admin UI:
* Remove Posts and Comments menus
* Remove related dashboard widgets
Benefits
* Reduced attack surface
* Improved performance
* Cleaner application-focused architecture
* Better suitability for secure and regulated environments
* Encourages WordPress adoption for non-CMS use cases
Why This Matters
One of WordPress’s biggest strengths is its low learning curve and ease of
use. Because of this, many developers consider WordPress first before
exploring other frameworks.
Providing a native way to disable blog functionality would:
* Strengthen WordPress as a general-purpose framework
* Retain developers who might otherwise move to other stacks
* Expand adoption in enterprise and healthcare systems
Technical Considerations (Initial Thoughts)
* Conditional loading in wp-settings.php and default-filters.php
* Introduce helper:
function wp_is_application_mode() {
return defined('DISABLE_BLOG') && DISABLE_BLOG;
}
* Wrap blog-specific registrations and hooks
* Provide filters for extensibility (e.g., REST whitelist)
Backward Compatibility
* Default behavior unchanged
* Feature is opt-in via constant
* Plugins/themes can detect and adapt
Future Scope
* Granular flags:
* WP_DISABLE_COMMENTS
* WP_DISABLE_FEEDS
* WP_DISABLE_REST_POSTS
* Preset modes:
* CMS Mode (default)
* Application Mode
Summary
This proposal introduces a lightweight Application Mode that allows
WordPress to function as a secure, minimal framework when CMS features are
not required.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65095>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list