DEV Community

Cover image for Static WordPress Authentication with Amazon Cognito and AWS SAR Template
László Tóth
László Tóth

Posted on

Static WordPress Authentication with Amazon Cognito and AWS SAR Template

#aws #cognito #wordpress #cloudfront

Static sites are great. They're fast, cheap, and secure by default.

But if you've ever tried to add login or user-only content to a static WordPress export… you know the pain.

/wp-login.php doesn't exist anymore. PHP is gone. And yet, users still expect a sign-in flow that feels smooth and professional.

That's exactly the challenge we faced - and here's how we solved it with Amazon Cognito + API Gateway + Lambda + CloudFront signed cookies.

Why Even Bother With Static WordPress?

Static WordPress exports (via plugins, S3 + CloudFront, or Netlify) are becoming popular because:

  • Speed: HTML served directly from a CDN
  • Cost: no dynamic servers to manage
  • Security: surface area is tiny

But the trade-off is obvious: all the built-in WP authentication features vanish.

We wanted the best of both worlds: keep WordPress static and fast, but add real authentication powered by AWS.

The AWS Approach

Instead of bending WordPress to handle login, we let AWS handle it at the edge.

Here's the high-level design:

  1. Amazon Cognito handles user sign-up, login, MFA, and tokens.
  2. API Gateway + Lambda exchange Cognito tokens for CloudFront signed cookies.
  3. CloudFront enforces access, serving protected resources only to users with valid cookies.

No PHP callbacks, no secrets stored in WordPress. Just clean, serverless authentication.

How It Feels for Users

From the user's perspective:

  • They click Sign In on the WordPress site.
  • They see a branded Cognito-powered login (integrated with Gatey blocks).
  • On success, they get signed cookies behind the scenes.
  • CloudFront now lets them access members-only pages, media, or even entire routes.

It feels just like a "normal" site, but under the hood it's 100% serverless.

A Quick Architecture Sketch 

[ User ] → [ WordPress (static) ]
       ↘ Sign-In → [ Amazon Cognito ]
                    ↘ Tokens → [ API Gateway + Lambda ]
                                  ↘ Issue Signed Cookies → [ CloudFront ]
Enter fullscreen mode Exit fullscreen mode

CloudFront becomes the gatekeeper. If your cookies are valid, you're in. If not, you're redirected to login.

Why This Rocks

  • Performance - static WordPress stays lightning-fast
  • Security - Cognito & signed cookies > old-school PHP sessions
  • Scalability - runs natively on AWS infra
  • Flexibility - protect full sites or just specific routes

And most importantly: it keeps your WordPress database completely out of the authentication loop.

Real-World Use Cases

  • Membership sites hosted statically
  • Documentation portals with role-based access
  • Hybrid sites where only certain routes need login
  • SaaS dashboards powered by WordPress as the frontend

If you're already using CloudFront, this pattern feels very natural.

Full Tutorial with Code & Screenshots

This post was just the overview.

We wrote up the step-by-step guide with SAR template, Lambda code, and WordPress integration here:

Static WordPress Authentication Made Simple - Deploy with the AWS SAR Template

Closing Thoughts

Static WordPress doesn't mean static functionality.

With Cognito + CloudFront signed cookies, you can have speed, security, and scalability - without giving up authentication.

Curious what you think: would you ever run WordPress in static mode if authentication "just worked"? Drop your thoughts below.

Top comments (0)