valu/wp-graphql-lock
====================

Query locking for wp-graphql

v0.1.5 · GPL-2.0-or-later · PHP

[Source](https://github.com/valu-digital/wp-graphql-lock) · [Packagist](https://packagist.org/packages/valu/wp-graphql-lock)

🔒 WP GraphQL Lock
=================


This plugin enables query locking for [WPGraphQL](https://github.com/wp-graphql/wp-graphql) by implementing persisted GraphQL queries.

Persisted GraphQL queries allow a GraphQL client to optimistically send a hash of the query instead of the full query; if the server has seen the query before, it can satisfy the request.

Once the server knows all the possible queries, the plugin can lock it down, disallowing any unwanted and possibly malicious queries. This can greatly improve server security and can even protect against unpatched vulnerabilities in some cases.

Alternatively you can pre-generate the query IDs from your client source code with the [GraphQL Code Generator plugin](https://github.com/valu-digital/graphql-codegen-persisted-query-ids) and load the IDs with the `graphql_lock_load_query` filter.

In addition to enabling query locking this saves network overhead and makes it possible to move to `GET` requests instead of `POST`. The primary benefit of `GET` requests is that they can be easily cached at the edge (e.g., with Varnish, nginx etc.).

This plugin requires WPGraphQL 0.2.0 or newer.

Compatibility
-------------


Apollo Client provides an easy implementation of persisted queries:

This plugin aims to be compatible with that implementation, but will work with any client that sends a `queryId` alongside the `query`. Make sure your client also sends `operationName` with the optimistic request.

Implementation
--------------


When the client provides a query hash or ID, that query will be persisted in a custom post type. By default, this post type will be visible in the dashboard only to admins.

Query IDs are case-insensitive (i.e., `MyQuery` and `myquery` are equivalent).

Installation
------------


If you use Composer, you can install it from Packagist:

```
composer require valu/wp-graphql-lock
```

Otherwise, you can clone it from GitHub into your plugins directory using the stable branch:

```
cd wp-content/plugins
git clone --branch stable https://github.com/valu-digital/wp-graphql-lock.git
```

Filters
-------


### `graphql_lock_load_query`


- Load the queries from a custom location
- The query ID is passed as the second parameter

Example:

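```
add_filter( 'graphql_lock_load_query', function( string $query, string $query_id ) {
    // The lock file maps each query ID to its full query text.
    $queries = json_decode( file_get_contents( __DIR__ . '/.persisted-query-ids/server.json' ), true );
    // Return the stored query for this ID, or null when the ID is not in the file.
    return $queries[ $query_id ] ?? null;
}, 10, 2 );
```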

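Note: Prefer hidden directories and files to avoid exposing the lock file via your web server. Dot-prefixed paths are only protected if the web server is configured to deny them, so confirm that the file cannot be fetched over HTTP.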
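A hardened variant of the loader above, as an added example that is not part of the plugin or its README. It reads the lock file once per request, compares IDs case-insensitively (as the Implementation section describes), and resolves nothing when the file is missing or malformed. The `GRAPHQL_LOCK_FILE` path and the `example_*` function names are assumptions; the file is assumed to be the same ID-to-query JSON map used in the example above.

```php
<?php
// Added example, not the plugin's own code. All names below are hypothetical.

// Assumption: the lock file is deployed outside the web server's document root.
const GRAPHQL_LOCK_FILE = '/srv/app/persisted-query-ids/server.json';

// Load and validate the ID => query map; cached for the rest of the request.
function example_load_allowlist( string $path ): array {
    static $cache = [];
    if ( isset( $cache[ $path ] ) ) {
        return $cache[ $path ];
    }
    $map     = [];
    $raw     = is_readable( $path ) ? file_get_contents( $path ) : false;
    $decoded = is_string( $raw ) ? json_decode( $raw, true ) : null;
    if ( ! is_array( $decoded ) ) {
        // Fail closed: an unreadable or malformed file yields an empty allow-list.
        error_log( 'graphql lock file missing or invalid: ' . $path );
    } else {
        foreach ( $decoded as $id => $query ) {
            // Keep only non-empty query strings; store IDs lower-cased.
            if ( is_string( $query ) && '' !== trim( $query ) ) {
                $map[ strtolower( (string) $id ) ] = $query;
            }
        }
    }
    return $cache[ $path ] = $map;
}

// Return the stored query for an ID, or null when the ID is unknown.
function example_lookup_query( string $query_id, string $path = GRAPHQL_LOCK_FILE ): ?string {
    $map = example_load_allowlist( $path );
    return $map[ strtolower( $query_id ) ] ?? null;
}

// Register with the filter only when running inside WordPress.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'graphql_lock_load_query', function ( $query, string $query_id ) {
        return example_lookup_query( $query_id );
    }, 10, 2 );
}
```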

### `graphql_lock_post_type`


- Default: `'graphql_query'`
- The custom post type used to persist queries. If empty, queries will not be persisted.

### `graphql_lock_show_in_graphql`


- Default: `false`
- Whether the custom post type will itself be exposed via GraphQL. Enabling allows insight into which queries are persisted.

```
query PersistedQueryQuery {
  persistedQueries {
    nodes {
      id
      title
      content(format: RAW)
    }
  }
}
```

If you'd like to further customize the custom post type, filter `register_post_type_args`.

Lock mode
---------


When lock mode is active, no new queries can be saved and only the saved ones can be used. This can greatly improve security, as attackers cannot send arbitrary queries to the endpoint.

Lock mode can be activated by setting the `graphql_lock_locked` option to `true`:

```
update_option( 'graphql_lock_locked', true );
```

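It can also be set with the `option_graphql_lock_locked` filter, for example to lock only in production:

```
add_filter( 'option_graphql_lock_locked', function() {
    // WP_ENV must be defined by your site configuration; if it is not, this returns false.
    return defined( 'WP_ENV' ) && 'production' === WP_ENV;
}, 10, 1 );
```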

Settings
--------

There's a settings screen for managing the option.

[![settings](https://user-images.githubusercontent.com/225712/55174721-a360ac00-5186-11e9-91de-bd1c45ffad11.png)](https://user-images.githubusercontent.com/225712/55174721-a360ac00-5186-11e9-91de-bd1c45ffad11.png)

Acknowledgements
----------------


This plugin is based on the [Quartz persisted Queries](https://github.com/Quartz/wp-graphql-persisted-queries) plugin.

Contributing
------------


Read [CONTRIBUTING.md](/CONTRIBUTING.md)

