By CTIMEXICO | Open Source | WordPress

We have been building WordPress sites for years. And for years, every time a client asked us “how do we notify our readers when we publish something new?”, the answer was always the same: install OneSignal, create an account, paste an API key, hope it works, and pray the free tier lasts long enough before the bill arrives.

That answer never felt right.

Not because those services are bad — some of them are excellent. But because they introduce a dependency that has nothing to do with your content. Your readers subscribe. Your readers trust you. And somewhere in the middle, a third-party server you don’t control decides whether that notification gets delivered.

So we built something different.

Introducing WebPush Hub by CTIMEXICO

WebPush Hub is a free, open-source WordPress plugin that delivers native Web Push notifications to your subscribers — directly from your server, with no middlemen, no monthly fees, and no external accounts required.

When you publish a post, your WordPress installation sends the notification. Your readers receive it. That’s it.

No dashboard on someone else’s platform. No API keys to rotate. No vendor lock-in.

👉 Download it free on WordPress.org

How It Works — The Simple Version

A small popup appears at the bottom of your site asking visitors if they want to be notified when you publish something new. If they say yes, the browser asks for permission. One click later, they’re subscribed.

The next time you hit “Publish”, every subscribed reader gets a notification on their phone or computer — even if the browser is closed.

No email address collected. No account created. No friction.

How It Works — The Technical Version

For those who want to know what’s happening under the hood:

The plugin implements the VAPID protocol (RFC 8292) and aes128gcm encryption (RFC 8291) natively in PHP, using only the standard extensions that come with any modern hosting environment — openssl, curl, json and mbstring. No Composer. No external libraries. No dependencies.

When a visitor subscribes, their browser generates a unique push subscription endpoint managed by the browser vendor (Google for Chrome, Mozilla for Firefox, Apple for Safari). The plugin stores that endpoint securely in your WordPress database.

When you publish, your WordPress site sends an encrypted HTTP request to that endpoint. The browser vendor’s push service delivers it to the device. The content of the notification is end-to-end encrypted — even Google and Mozilla cannot read it.

The entire cryptographic stack — VAPID key generation, JWT signing, ECDH key exchange, AES-GCM encryption — runs on your server. Nothing leaves your infrastructure until the moment a notification is sent, and even then, only encrypted data does.

What We Learned Building This

Building a production-ready Web Push implementation in native PHP without external libraries is not trivial. The Web Push protocol is a stack of several RFCs layered on top of each other, and the interplay between VAPID authentication and payload encryption is the kind of thing that looks straightforward in documentation and turns into three days of debugging in practice.

A few things we ran into:

openssl_pkey_derive() argument order changes between PHP versions. What works in PHP 8.0 breaks in PHP 8.2. We found this the hard way. The fix is documented in the code.

Service Workers need HTTPS and the right scope headers. A Service Worker registered from inside a plugin’s folder cannot control the root of a site without the Service-Worker-Allowed header. WordPress does not set this automatically. We handled it by routing the Service Worker through a WordPress URL that sets the header before serving the file.

Cache plugins will eat your inline scripts. Autoptimize, WP Super Cache, and similar tools aggressively process and defer JavaScript. A push notification plugin that injects inline configuration data is exactly the kind of thing they will silently break. The solution is to use wp_enqueue_script and wp_add_inline_script properly, and to document the cache-clearing steps clearly.

WordPress Multisite is a different animal. Each subsite in a network has its own database prefix. Activation hooks run in the context of the main site. VAPID keys stored in blog 1’s options table are invisible from blog 3. We solved this with a multisite initialization routine that runs across all subsites on network activation.

We documented all of this so that if you hit any of these issues, you don’t have to spend three days figuring it out.

Features at a Glance

• No third-party services — notifications go directly from your server to your readers
• No emails, no registrations — one click to subscribe, zero friction
• Customizable popup — text, background color, text color, delay
• Smart re-prompt — if a visitor dismisses the popup, it reappears after 7 days (configurable)
• Automatic sending — publish a post, notifications go out instantly
• Multisite ready — network activation configures all subsites automatically
• Per-site toggle — pause notifications on any subsite without uninstalling
• Self-cleaning — expired subscriptions are removed automatically
• Chrome, Firefox, Edge, Safari — all major browsers supported

Who Is This For?

Content publishers who want to build a direct relationship with their audience without depending on email open rates or social media algorithms.

WordPress developers who are tired of recommending third-party services to clients and would rather deploy something they fully control.

Agencies and multisite operators who need a notification solution that works across an entire WordPress network without per-site configuration.

Privacy-conscious site owners who want to minimize the amount of subscriber data that flows through external platforms.

A Note on Scale

Web Push is not a replacement for email newsletters at large scale. If you have hundreds of thousands of subscribers and need detailed analytics, segmentation, A/B testing, and delivery guarantees with retry logic, a dedicated service is the right tool.

But if you have a growing audience and you want a fast, free, privacy-respecting way to bring them back every time you publish — WebPush Hub is built for you.

At a few thousand subscribers, the HTTP requests your server makes to Google and Mozilla’s push services are negligible. At tens of thousands, you may want to consider queuing. We have plans for that in a future version.

Open Source, Community-First

WebPush Hub is free and open source, licensed under GPL v2. We built it because we needed it, and we are publishing it because others will too.

If you find a bug, open an issue. If you have an idea, submit a pull request. If you use it on your site, we would genuinely love to know — drop us a line at ctimexico.com.

The plugin is published on WordPress.org and the code is on GitHub. Both are linked below.

We believe that the open-source ecosystem around WordPress is one of the most remarkable things in software. Every plugin in the directory is someone’s contribution to a platform that powers 40% of the web. We are proud to add ours.

Get Started

Installing WebPush Hub takes less than two minutes:

1. Search for “WebPush Hub by CTIMEXICO” in your WordPress plugin directory, or download it directly from WordPress.org.
2. Activate the plugin.
3. Go to Settings → Push Notifications and generate your VAPID keys if they weren’t created automatically.
4. Customize your popup text and colors.
5. Done. Your first subscriber is one page visit away.

Download on WordPress.org → View on GitHub → Plugin documentation →

WebPush Hub by CTIMEXICO is free software. It will always be free.