How to Get off WordPress
6. Replacing Common WordPress Features
Practical replacements for forms, search, auth, and comments without plugin sprawl.
6.1 Forms
Forms are usually the highest hidden-risk area: they accept untrusted input, trigger email and CRM writes, and are the first thing bots find.
Recommended pattern
- Build typed API endpoints in Next.js
- Validate payload server-side
- Integrate with Brevo for notifications and CRM sync
- Add bot protection with Turnstile or similar challenge
Form reliability checklist
- Server-side validation only, never client-only
- Rate limits per IP and endpoint
- Honeypot (spam trap) fields plus challenge verification
- If you use Turnstile, validate the token server-side on every submission
- Idempotent, retry-safe processing so a failed or repeated webhook or queue delivery cannot create duplicate contacts or emails
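The recommended pattern and the checklist above, as one handler. This is an added example, not code from the original page, Brevo or Cloudflare: the endpoint path, field names other than Turnstile's default `cf-turnstile-response`, the honeypot field `website` and the injected `Deps` are assumptions. Turnstile verification and Brevo delivery are injected so the handler runs offline and can be unit-tested; in production `verifyTurnstile` posts `secret`, `response` and `remoteip` to `https://challenges.cloudflare.com/turnstile/v0/siteverify` and returns its `success` flag.

```typescript
// Added example (not code from the original page or any named product).
// Assumed endpoint POST /api/contact with JSON fields name, email, message,
// a hidden honeypot field "website", and Turnstile's default token field
// "cf-turnstile-response". Deps are injected so the handler runs offline.

export interface ContactPayload { name: string; email: string; message: string; }

export interface Outcome { status: 200 | 400 | 403 | 429 | 502; error?: string; }

export interface Deps {
  // Production: POST secret+response+remoteip to
  // https://challenges.cloudflare.com/turnstile/v0/siteverify and return .success.
  verifyTurnstile: (token: string, ip: string) => Promise<boolean>;
  // Production: Brevo contact / transactional-email call. Given the same key it
  // must not create a second record; that is what makes retries safe.
  deliver: (payload: ContactPayload, idempotencyKey: string) => Promise<void>;
  now: () => number;
}

// Fixed-window limiter keyed by endpoint + client IP. Assumed single process;
// share the state (e.g. Redis) once there is more than one instance.
export class RateLimiter {
  private hits = new Map<string, { count: number; windowStart: number }>();
  constructor(private readonly limit: number, private readonly windowMs: number) {}
  allow(key: string, now: number): boolean {
    const e = this.hits.get(key);
    if (!e || now - e.windowStart >= this.windowMs) {
      this.hits.set(key, { count: 1, windowStart: now });
      return true;
    }
    e.count += 1;
    return e.count <= this.limit;
  }
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Server-side validation. Bots post JSON straight to the endpoint and never
// execute the React form's checks, so this is the only validation that counts.
export function parseContact(raw: unknown): ContactPayload | string {
  if (typeof raw !== "object" || raw === null) return "body must be a JSON object";
  const r = raw as Record<string, unknown>;
  const name = typeof r.name === "string" ? r.name.trim() : "";
  const email = typeof r.email === "string" ? r.email.trim() : "";
  const message = typeof r.message === "string" ? r.message.trim() : "";
  if (name.length < 1 || name.length > 100) return "name must be 1-100 characters";
  if (email.length > 254 || !EMAIL_RE.test(email)) return "invalid email";
  if (message.length < 1 || message.length > 4000) return "message must be 1-4000 characters";
  return { name, email, message };
}

// FNV-1a over the normalized payload: a deterministic idempotency key, so a
// retried delivery of the same submission dedupes instead of duplicating.
export function idempotencyKey(p: ContactPayload): string {
  let h = 0x811c9dc5;
  for (const ch of `${p.email}\n${p.name}\n${p.message}`) {
    h ^= ch.codePointAt(0)!;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

export async function handleContact(
  req: { ip: string; body: unknown },
  deps: Deps,
  limiter: RateLimiter,
): Promise<Outcome> {
  const now = deps.now();
  // 1. Per-IP, per-endpoint rate limit before any expensive work.
  if (!limiter.allow(`POST /api/contact:${req.ip}`, now)) return { status: 429, error: "too many requests" };
  const b = (typeof req.body === "object" && req.body !== null ? req.body : {}) as Record<string, unknown>;
  // 2. Honeypot: humans never see "website"; answer 200 so the bot learns nothing.
  if (typeof b.website === "string" && b.website.length > 0) return { status: 200 };
  // 3. Turnstile token is verified server-side on every submission. siteverify
  //    accepts each token once, so a replayed token fails here.
  const token = b["cf-turnstile-response"];
  if (typeof token !== "string" || token.length === 0 || !(await deps.verifyTurnstile(token, req.ip))) {
    return { status: 403, error: "challenge verification failed" };
  }
  // 4. Typed validation of the remaining fields.
  const parsed = parseContact(b);
  if (typeof parsed === "string") return { status: 400, error: parsed };
  // 5. Deliver with an idempotency key; a failed delivery is reported as 502
  //    so the client (or a queue) can retry without creating duplicates.
  try {
    await deps.deliver(parsed, idempotencyKey(parsed));
  } catch {
    return { status: 502, error: "delivery failed, retry later" };
  }
  return { status: 200 };
}
```

In a Next.js route handler, build `req` from the incoming `Request` (client IP from your proxy's forwarded header, body from `request.json()`), map `Outcome.status` onto the response, and keep the Turnstile secret and Brevo API key out of the client bundle. The order matters: the rate limit runs first so that challenge verification and delivery cannot be used to amplify abuse, and the honeypot returns 200 rather than an error so a bot cannot tell which of its fields tripped the trap.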
6.2 Search
Start with simple search, then scale.
Stage 1
- Database-backed `ILIKE` or full-text search
- Title and excerpt weighted scoring
Stage 2
- External index with Algolia or Meilisearch
- Synonyms, typo tolerance, facet filters
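Stage 1 as query builders. This is an added example, not code from the original page: it assumes a Postgres table `posts` with columns `slug`, `title`, `excerpt` and `published_at`, and returns the `{ text, values }` query config that node-postgres accepts, so the user's term is always a bound parameter and never spliced into SQL. The `ILIKE` builder escapes LIKE metacharacters, which is the check most hand-rolled search endpoints miss; the full-text builder does the title/excerpt weighting with `setweight` and `ts_rank`.

```typescript
// Added example, not from the original page. Assumes a Postgres table "posts"
// (slug, title, excerpt, published_at). Function names are assumptions.

export interface SqlQuery { text: string; values: unknown[] }

// Trim, collapse whitespace, cap length; null means "do not hit the database".
export function normalizeTerm(raw: unknown): string | null {
  if (typeof raw !== "string") return null;
  const t = raw.trim().replace(/\s+/g, " ").slice(0, 100);
  return t.length >= 2 ? t : null;
}

// %, _ and the escape character are LIKE metacharacters. Unescaped, a term of
// "%" matches every row and forces a full scan on every keystroke.
export function escapeLike(term: string): string {
  return term.replace(/[\\%_]/g, (c) => `\\${c}`);
}

// Stage 1a: ILIKE over title and excerpt, title hits weighted above excerpt hits.
export function buildIlikeSearch(term: string, limit = 20): SqlQuery {
  const pattern = `%${escapeLike(term)}%`;
  const text = [
    "SELECT slug, title, excerpt,",
    "  (CASE WHEN title ILIKE $1 ESCAPE '\\' THEN 2 ELSE 0 END)",
    "  + (CASE WHEN excerpt ILIKE $1 ESCAPE '\\' THEN 1 ELSE 0 END) AS score",
    "FROM posts",
    "WHERE title ILIKE $1 ESCAPE '\\' OR excerpt ILIKE $1 ESCAPE '\\'",
    "ORDER BY score DESC, published_at DESC",
    "LIMIT $2",
  ].join("\n");
  return { text, values: [pattern, limit] };
}

// Stage 1b: Postgres full-text search, weights A = title and B = excerpt.
// websearch_to_tsquery parses quotes, "-" and OR from user input without
// raising on malformed syntax. For real traffic, store the tsvector in a
// column with a GIN index instead of computing it per row.
export function buildFullTextSearch(term: string, limit = 20): SqlQuery {
  const text = [
    "WITH q AS (SELECT websearch_to_tsquery('english', $1) AS query)",
    "SELECT p.slug, p.title, p.excerpt,",
    "  ts_rank(setweight(to_tsvector('english', coalesce(p.title, '')), 'A')",
    "       || setweight(to_tsvector('english', coalesce(p.excerpt, '')), 'B'), q.query) AS score",
    "FROM posts p, q",
    "WHERE (setweight(to_tsvector('english', coalesce(p.title, '')), 'A')",
    "       || setweight(to_tsvector('english', coalesce(p.excerpt, '')), 'B')) @@ q.query",
    "ORDER BY score DESC, p.published_at DESC",
    "LIMIT $2",
  ].join("\n");
  return { text, values: [term, limit] };
}

// Entry point for the search route: null when the term should not run at all.
export function buildSearch(raw: unknown, mode: "ilike" | "fulltext" = "ilike"): SqlQuery | null {
  const term = normalizeTerm(raw);
  if (term === null) return null;
  return mode === "ilike" ? buildIlikeSearch(term) : buildFullTextSearch(term);
}
```

Run the result with `client.query(buildSearch(req.query.q)!)` (after the null check). Moving to Stage 2 changes only the builder: the normalization and the rule that the raw term never reaches a query string stay the same with Algolia or Meilisearch.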
6.3 Auth
Only migrate auth if the site really needs it.
Options
- Payload auth for content/member-centric apps
- NextAuth when integrating external identity providers
Security basics
- Strong session expiration and renewal policy
- CSRF and origin checks on state-changing actions
- Auditable login and role change events
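Two of the "Security basics" above as code. This is an added example, not code from the original page, NextAuth or Payload: the function names, header handling and the policy numbers are assumptions. The first check gates state-changing requests on `Sec-Fetch-Site` (set by modern browsers and not writable by page script) with the `Origin` header as fallback; the second applies an idle, absolute and rotation lifetime to a cookie-backed session.

```typescript
// Added example, not from the original page or any auth library. Names and
// policy values are assumptions; adjust them to the site's risk level.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
type HeaderMap = Record<string, string | undefined>;

export interface OriginDecision { allowed: boolean; reason: string }

// Reject cross-site POST/PUT/PATCH/DELETE on cookie-authenticated routes.
// Complements, does not replace, a CSRF token or a SameSite session cookie.
export function checkOrigin(method: string, headers: HeaderMap, allowedOrigins: string[]): OriginDecision {
  if (SAFE_METHODS.has(method.toUpperCase())) return { allowed: true, reason: "safe method" };
  const h = (name: string) => headers[name] ?? headers[name.toLowerCase()];
  const fetchSite = h("Sec-Fetch-Site");
  if (fetchSite !== undefined) {
    // "same-site" (a sibling subdomain) and "cross-site" are both rejected.
    return fetchSite === "same-origin"
      ? { allowed: true, reason: "Sec-Fetch-Site: same-origin" }
      : { allowed: false, reason: `Sec-Fetch-Site: ${fetchSite}` };
  }
  // Older browsers: fall back to Origin, which browsers always send on
  // cross-origin POST. A missing Origin on a state change is treated as hostile.
  const origin = h("Origin");
  if (!origin) return { allowed: false, reason: "no Origin on state-changing request" };
  const allowed = allowedOrigins.map((o) => o.toLowerCase()).includes(origin.toLowerCase());
  return { allowed, reason: allowed ? "Origin matches" : `Origin ${origin} not allowed` };
}

export interface Session { id: string; userId: string; createdAt: number; lastSeenAt: number; rotatedAt: number; }
export interface SessionPolicy { idleMs: number; absoluteMs: number; rotateAfterMs: number; }
export type SessionDecision = "valid" | "rotate" | "expired";

export const DEFAULT_POLICY: SessionPolicy = {
  idleMs: 30 * 60 * 1000,          // sign out after 30 minutes without a request
  absoluteMs: 12 * 60 * 60 * 1000, // no session lives beyond 12 hours, active or not
  rotateAfterMs: 15 * 60 * 1000,   // issue a fresh session id every 15 minutes
};

// Absolute lifetime is checked before idle time so a long-running active
// session still ends; rotation bounds how long a leaked id stays usable.
export function evaluateSession(s: Session, now: number, policy: SessionPolicy = DEFAULT_POLICY): SessionDecision {
  if (now - s.createdAt >= policy.absoluteMs) return "expired";
  if (now - s.lastSeenAt >= policy.idleMs) return "expired";
  if (now - s.rotatedAt >= policy.rotateAfterMs) return "rotate";
  return "valid";
}

// Apply the decision on each request: null means clear the cookie; a new id
// means re-issue the cookie and invalidate the old id server-side.
export function renewSession(s: Session, now: number, newId: () => string, policy: SessionPolicy = DEFAULT_POLICY): Session | null {
  const d = evaluateSession(s, now, policy);
  if (d === "expired") return null;
  if (d === "rotate") return { ...s, id: newId(), rotatedAt: now, lastSeenAt: now };
  return { ...s, lastSeenAt: now };
}
```

Rotate the session id on login and on any role change as well, not only on the timer, and write those events (who, when, outcome, old and new role) to the audit log the third bullet asks for. Whichever library issues the session, the policy above should be expressed in its configuration rather than re-implemented beside it.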
6.4 Comments
Many teams should remove comments if moderation cost is high and business value is low.
If comments are needed:
- External managed service for quick launch
- Custom implementation only if ownership and moderation tooling are funded
Feature parity matrix
| WordPress feature | Modern replacement |
|---|---|
| Contact Form 7 or Gravity Forms | Next.js API routes + validation + Brevo |
| Search plugins | DB search, then Algolia or Meilisearch |
| WP user auth | Payload auth or NextAuth |
| WP comments | Managed comment provider or custom service |