Secure Static WordPress and Protected Client Portals
A static WordPress site can still support protected content, authenticated experiences and portal-style workflows when access control moves to AWS.
Short answer: Secure static WordPress means public pages remain fast static assets while protected paths use Cognito identity, CloudFront behaviors and signed-cookie issuance. WP Suite combines Gatey, Static Publisher and the Site Guardian stack so private portal sections can remain static without becoming publicly accessible.
Why this matters
Static sites are attractive because they reduce the public WordPress attack surface, but many real projects still need gated documentation, client-only downloads, profile-aware content or authenticated form flows.
Classic membership plugins often assume WordPress is serving every request. That assumption breaks when pages are exported to S3 and CloudFront.
A safer architecture separates public static delivery from identity, signed access and API authorization.
Architecture and data flow
Visitor browser
↓ public page request
CloudFront + S3 static content
↓ login required where appropriate
Gatey Authenticator → Cognito User Pool
↓ tokens / identity state
Protected API or signed access flow
↓
API Gateway / Lambda / CloudFront signed cookies / protected resources
Capability map
Gatey
Browser-side Cognito sign-in, sign-up, MFA, SSO and account attributes; protected frontend flows do not require WordPress to remain publicly reachable as an OAuth/PHP callback layer.
Cognito deployment template
The Gatey Cognito infrastructure package provides the reviewable CloudFormation/SAR deployment contract for user-pool setup, app clients, token hooks and Cognito email delivery choices.
Site Guardian CloudFormation stack
The Site Guardian stack can deploy S3, CloudFront, protected/public behaviors, Lambda@Edge signed-cookie issuance, key material handling and optional Route 53 records for a protected static site.
Path and group authorization
Protected paths can be mapped to groups or scopes so private static sections such as dashboards, member areas or client downloads are controlled by JWT-backed authorization rather than by WordPress page visibility alone.
Static Publisher
Publishes the public and protected static asset tree to S3/CloudFront while WordPress remains the content and configuration source.
Authenticated runtime actions
Flow and AI-Kit features can call authenticated APIs only after Gatey/Cognito has established the user context, which keeps visitor actions separate from public cacheable HTML.
Protected static deployment model
A protected static WordPress project has two separate jobs: publish safe static assets quickly, and issue access only to users who are allowed to see private paths. WP Suite separates those jobs instead of forcing them back into WordPress runtime logic.
WordPress CMS / Static Publisher
↓
S3 + CloudFront static delivery
↓
Public paths: served normally
Protected paths: CloudFront behavior + signed cookies
↓
/issue-cookie endpoint validates JWT
↓
Cognito / Gatey user identity + optional group/scope checks
The Site Guardian stack is especially relevant when the exported site has private areas such as member dashboards, client portals, paid resources or documentation that should remain static but not public.
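The `/issue-cookie` step in the flow above, as an added sketch that is not Site Guardian's own code: once the Cognito access token's signature has been verified, it checks the claims, maps the requested path to a required group, and signs a CloudFront custom policy scoped to that one prefix. The rule table, config field names, domain and key-pair ID are assumptions made for illustration.

```javascript
// Added example: sketch of /issue-cookie logic, not Site Guardian's own code.
const nodeCrypto = require('crypto');

// Hypothetical path -> Cognito group rules. Prefixes must not nest: a signed
// wildcard for a broad prefix would also match any stricter sub-path under it.
const PATH_RULES = [
  { prefix: '/members/', group: null },      // any signed-in user
  { prefix: '/clients/', group: 'clients' },
  { prefix: '/admin/', group: 'admins' },
];

// CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfSafe = (b64) => b64.replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');

// `claims` must come from an access token whose signature was already verified
// against the user pool's JWKS; only claim and path checks are shown here.
function authorize(claims, path, cfg, now) {
  if (claims.iss !== cfg.issuer) return { ok: false, reason: 'issuer' };
  if (claims.token_use !== 'access' || claims.client_id !== cfg.clientId) {
    return { ok: false, reason: 'token' };
  }
  if (!(claims.exp > now)) return { ok: false, reason: 'expired' };
  const rule = PATH_RULES.find((r) => path.startsWith(r.prefix));
  if (!rule) return { ok: false, reason: 'not-protected' };
  const groups = claims['cognito:groups'] || [];
  if (rule.group && !groups.includes(rule.group)) return { ok: false, reason: 'group' };
  return { ok: true, prefix: rule.prefix };
}

function issueCookies(claims, path, cfg, now = Math.floor(Date.now() / 1000)) {
  const decision = authorize(claims, path, cfg, now);
  if (!decision.ok) return decision;
  // Cookie validity never outlives the token, and covers one prefix only.
  const expires = Math.min(claims.exp, now + cfg.maxTtlSeconds);
  const policy = JSON.stringify({ Statement: [{
    Resource: `https://${cfg.domain}${decision.prefix}*`,
    Condition: { DateLessThan: { 'AWS:EpochTime': expires } },
  }] });
  const signature = nodeCrypto.createSign('RSA-SHA1').update(policy).sign(cfg.privateKey, 'base64');
  const attrs = `; Path=${decision.prefix}; Secure; HttpOnly; SameSite=Lax`;
  return { ok: true, policy, expires, cookies: [
    `CloudFront-Policy=${cfSafe(Buffer.from(policy).toString('base64'))}${attrs}`,
    `CloudFront-Signature=${cfSafe(signature)}${attrs}`,
    `CloudFront-Key-Pair-Id=${cfg.keyPairId}${attrs}`,
  ] };
}
```

Each entry in `cookies` is the value of one `Set-Cookie` response header. Sign-out has to expire all three cookies, because CloudFront keeps honouring a signed policy until its `AWS:EpochTime` passes.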
Decision table
| Mode / dimension | Best for | Data path / approach | Trade-off |
|---|---|---|---|
| Public static pages | Marketing and documentation content | CloudFront → S3 | Fastest and lowest runtime surface |
| Authenticated frontend UI | Login, profile, gated widgets | Browser → Cognito | Requires browser-side identity configuration |
| Protected files or paths | Client portals, private downloads | CloudFront signed cookies or protected behaviors | Requires careful cache and path design |
| Authenticated APIs | Forms, account data, workflows | Browser → API Gateway/Lambda | Requires token validation and authorization rules |
How this differs from the usual approach
Traditional membership plugin
Often simple inside dynamic WordPress, but expects PHP request-time logic.
Password-protected static files
Can hide assets, but does not provide modern user identity, SSO or API authorization.
WP Suite secure static model
Combines static delivery with Cognito identity and selected AWS runtime services.
When this is a good fit
- Client portals where public pages should be static but selected areas need login.
- Documentation sites with private sections.
- Agency projects where client-owned Cognito and AWS infrastructure is preferred.
- Static sites that need authenticated API calls or protected downloads.
When not to use this
- A fully dynamic application where every view is personalized server-side.
- A site that only needs a single shared password for temporary preview.
- Projects without time to design identity, token handling and CloudFront behavior rules.
Implementation path
- Decide which sections are public, protected, group-restricted or API-backed.
- Configure Cognito and Gatey for browser login, account state and token handling.
- Use the Cognito deployment template or wizard path where a repeatable user-pool setup is preferred.
- Publish public pages and protected static assets using Static Publisher.
- Deploy/configure Site Guardian for S3/CloudFront, signed-cookie issuance and protected path behavior.
- Map protected paths to user groups/scopes where private areas need role-based access.
- Test public cache behavior, protected redirects, cookie issuance, sign-out and direct asset access.
- Only add Flow or AI-Kit APIs behind authenticated calls when the portal actually needs interactive runtime features.
Related resources
- Gatey: Cognito login, SSO, MFA and browser-side authentication
- WordPress SSO with AWS Cognito: federated identity and enterprise SSO use case
- Cognito-Protected Static WordPress: protected static delivery architecture
- Gatey vs WordPress SSO plugins: SSO decision support
- Docs: shortcodes, blocks, CSS variables and JavaScript API
- Static Publisher: product page for crawl, rewrite, deploy and invalidation workflows
FAQ
What deploys the protected static-site layer?
The Site Guardian stack is the protected static-site layer. It provisions the S3/CloudFront protection pattern, signed-cookie issuance and supporting edge resources.
Can protected paths be tied to groups?
Yes. The protected-path model can use JWT scopes or group-style mappings so different paths can require different user entitlements.
What is Secure Static WordPress?
Secure static WordPress means serving public or protected pages from a static AWS edge layer while moving access control and runtime behavior to services such as Cognito, CloudFront and API endpoints. In WP Suite, Gatey handles frontend identity, while Static Publisher and AWS patterns keep the public WordPress runtime out of the request path.
Does this replace WordPress?
No. The recommended model keeps WordPress as the editorial and management layer. WP Suite adds cloud-native runtime capabilities around it rather than forcing a CMS migration.
Can this work with static WordPress?
Yes, when the required browser-side and API endpoints are reachable after export. Static publishing changes where the public HTML is served from; it does not prevent JavaScript components from calling configured APIs.
Is this only for large enterprise projects?
No, but it is most valuable when identity, security, AI, forms, workflows, protected APIs or repeatable AWS deployment patterns matter. For a simple brochure site, it may be unnecessary.
Can a static WordPress site have members?
It can support authenticated experiences, but the membership model should be designed around external identity and APIs rather than PHP-only WordPress session state.
Does Gatey store secrets in WordPress?
Gatey is designed around browser-side Cognito flows. The public frontend does not need WordPress to store server-side OAuth secrets for the login flow.
Can CloudFront protect static files?
Yes, with patterns such as signed cookies and path-specific behaviors. The exact design depends on the portal, caching and authorization model.
Is this the same as a classic membership plugin?
No. Classic membership plugins usually run inside WordPress request handling. This architecture keeps static delivery separate from identity and protected runtime APIs.
Build protected WordPress experiences on a static AWS edge layer
Use static WordPress delivery with Cognito login, protected paths, signed access and AWS-native runtime services for secure client portals.
