Static sites are great. They're fast, cheap, and secure by default.
But if you've ever tried to add login or user-only content to a static WordPress export… you know the pain. /wp-login.php doesn't exist anymore. PHP is gone. And yet, users still expect a sign-in flow that feels smooth and professional.
That's exactly the challenge we faced - and here's how we solved it with Amazon Cognito + API Gateway + Lambda + CloudFront signed cookies.
Why Even Bother With Static WordPress?
Static WordPress exports (via plugins, S3 + CloudFront, or Netlify) are becoming popular because:
- Speed: HTML served directly from a CDN
- Cost: no dynamic servers to manage
- Security: surface area is tiny
But the trade-off is obvious: all the built-in WP authentication features vanish.
We wanted the best of both worlds: keep WordPress static and fast, but add real authentication powered by AWS.
The AWS Approach
Instead of bending WordPress to handle login, we let AWS handle it at the edge.
Here's the high-level design:
- Amazon Cognito handles user sign-up, login, MFA, and tokens.
- API Gateway + Lambda exchange Cognito tokens for CloudFront signed cookies.
- CloudFront enforces access, serving protected resources only to users with valid cookies.
No PHP callbacks, no secrets stored in WordPress. Just clean, serverless authentication.
How It Feels for Users
From the user's perspective:
- They click Sign In on the WordPress site.
- They see a branded Cognito-powered login (integrated with Gatey blocks).
- On success, they get signed cookies behind the scenes.
- CloudFront now lets them access members-only pages, media, or even entire routes.
It feels just like a "normal" site, but under the hood it's 100% serverless.
A Quick Architecture Sketch
[ User ] → [ WordPress (static) ]
    ↘ Sign-In → [ Amazon Cognito ]
        ↘ Tokens → [ API Gateway + Lambda ]
            ↘ Issue Signed Cookies → [ CloudFront ]
CloudFront becomes the gatekeeper. If your cookies are valid, you're in. If not, you're redirected to login.
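The token-for-cookie step in the sketch above, as an added example (not the Lambda code from the linked tutorial or SAR template): a Node.js helper that builds a CloudFront custom policy, signs it, and returns the three Set-Cookie headers with a lifetime capped by the token's expiry. It assumes the Cognito token was already verified; the domain, path, key pair ID and throwaway key are constructed placeholders.

```javascript
const crypto = require('node:crypto');

// CloudFront's URL-safe base64 variant: + becomes -, = becomes _, / becomes ~
const cfBase64 = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');

// Custom policy: allow one resource pattern until expiresEpoch (Unix seconds).
function buildPolicy(resource, expiresEpoch) {
  return JSON.stringify({
    Statement: [{
      Resource: resource,
      Condition: { DateLessThan: { 'AWS:EpochTime': expiresEpoch } },
    }],
  });
}

// claims: payload of a Cognito token the caller has ALREADY verified
// (signature, issuer, audience, expiry). That verification is assumed, not shown.
function issueSignedCookies({ claims, resource, keyPairId, privateKey, maxTtlSeconds, nowMs }) {
  const now = Math.floor((nowMs ?? Date.now()) / 1000);
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= now) {
    throw new Error('token expired or missing exp');
  }
  // Never let the cookies outlive the token that justified them.
  const expires = Math.min(claims.exp, now + maxTtlSeconds);
  const policy = buildPolicy(resource, expires);
  const signature = crypto.createSign('RSA-SHA1').update(policy).sign(privateKey);
  const attrs = `Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=${expires - now}`;
  return {
    expires, policy,
    setCookie: [
      `CloudFront-Policy=${cfBase64(Buffer.from(policy))}; ${attrs}`,
      `CloudFront-Signature=${cfBase64(signature)}; ${attrs}`,
      `CloudFront-Key-Pair-Id=${keyPairId}; ${attrs}`,
    ],
  };
}

// Constructed sample input: throwaway key generated at run time, placeholder IDs.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sample = issueSignedCookies({
  claims: { sub: 'constructed-user', exp: 1700003600 },
  resource: 'https://static.example.com/members/*',
  keyPairId: 'K_PLACEHOLDER',
  privateKey,
  maxTtlSeconds: 900,
  nowMs: 1700000000 * 1000,
});
console.log(sample.setCookie.join('\n'));
```

Browsers only send these cookies to the host that set them, so the endpoint returning them has to be served under the same domain as the protected content. The matching public key must be registered with the CloudFront distribution for the signature to be accepted.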
Why This Rocks
- Performance - static WordPress stays lightning-fast
- Security - Cognito & signed cookies > old-school PHP sessions
- Scalability - runs natively on AWS infra
- Flexibility - protect full sites or just specific routes
And most importantly: it keeps your WordPress database completely out of the authentication loop.
Real-World Use Cases
- Membership sites hosted statically
- Documentation portals with role-based access
- Hybrid sites where only certain routes need login
- SaaS dashboards powered by WordPress as the frontend
If you're already using CloudFront, this pattern feels very natural.
Full Tutorial with Code & Screenshots
This post was just the overview.
We wrote up the step-by-step guide with SAR template, Lambda code, and WordPress integration here:
Static WordPress Authentication Made Simple - Deploy with the AWS SAR Template
Closing Thoughts
Static WordPress doesn't mean static functionality.
With Cognito + CloudFront signed cookies, you can have speed, security, and scalability - without giving up authentication.
Curious what you think: would you ever run WordPress in static mode if authentication "just worked"? Drop your thoughts below.