Headless WordPress: The Complete Developer's Guide
The rise of JAMstack architecture and modern JavaScript frameworks has transformed how we build web applications. At the forefront of this revolution is headless WordPress—a powerful approach that separates WordPress's robust content management capabilities from its traditional frontend rendering.
By decoupling the backend from the frontend, headless WordPress enables developers to build lightning-fast, highly scalable applications while maintaining the familiar WordPress content editing experience that millions of users love.
In this comprehensive guide, you'll learn everything about headless WordPress development, from basic concepts to advanced implementation strategies. Whether you're building a blog, e-commerce site, or enterprise application, this guide provides the knowledge and tools you need to succeed.
Table of Contents
- What is Headless WordPress?
- Choosing Your Data Layer
- Setting Up Your Headless Backend
- Building the Frontend
- Solving Common Challenges
- Hosting and Deployment
What is Headless WordPress?
The Evolution of Web Architecture
The web has evolved from server-rendered pages to dynamic, app-like experiences. This evolution has driven the need for more flexible content management solutions:
Traditional WordPress (Monolithic)
┌─────────────────────────────────┐
│ WordPress Core │
├─────────────────────────────────┤
│ Theme (PHP Templates) │
├─────────────────────────────────┤
│ MySQL Database │
└─────────────────────────────────┘
↓
HTML Response
Headless WordPress (Decoupled)
┌─────────────────────────────────┐
│ WordPress Backend │
│ (Content Management API) │
├─────────────────────────────────┤
│ MySQL Database │
└─────────────────────────────────┘
↓
JSON/GraphQL API
↓
┌─────────────────────────────────┐
│ Frontend Application │
│ (React/Vue/Next.js/etc.) │
└─────────────────────────────────┘
↓
HTML/App Response
Traditional vs Headless Architecture
Traditional WordPress Architecture
In traditional WordPress, the CMS handles everything: - Content storage and management - Business logic and data processing - Template rendering and HTML generation - Asset delivery and caching - User sessions and authentication
Advantages: - ✅ Simple setup and deployment - ✅ Thousands of themes available - ✅ Extensive plugin ecosystem - ✅ Familiar development process - ✅ Built-in SEO features
Limitations: - ❌ Performance constraints - ❌ Limited frontend flexibility - ❌ Scaling challenges - ❌ Mobile app integration difficulties - ❌ Modern JavaScript framework limitations
Headless WordPress Architecture
In headless WordPress, responsibilities are distributed:
WordPress Backend: - Content management interface - Data storage and relationships - User authentication and permissions - API endpoints (REST/GraphQL) - Business logic and processing
Frontend Application: - UI rendering and interactions - Routing and navigation - State management - API consumption - Performance optimization
Benefits of Going Headless
1. Performance Excellence
Headless architectures enable unprecedented performance improvements:
// Traditional WordPress
// Average Time to First Byte: 800-1200ms
// Full Page Load: 3-5 seconds
// Headless WordPress with Next.js
// Time to First Byte: 50-200ms
// Full Page Load: 0.8-1.5 seconds
// Performance gains:
const improvements = {
ttfb: '85% faster',
pageLoad: '70% faster',
lighthouse: '95+ score',
coreWebVitals: 'All green'
};
2. Security Enhancement
By separating the frontend from WordPress, you significantly reduce attack surfaces:
- WordPress admin is completely isolated
- No direct database access from frontend
- API endpoints can be strictly controlled
- DDoS attacks only affect static assets
- No WordPress theme vulnerabilities
3. Unlimited Frontend Flexibility
Choose any modern framework or technology:
// React Application
const BlogPost = ({ post }) => (
<article>
<h1>{post.title.rendered}</h1>
<div dangerouslySetInnerHTML={{ __html: post.content.rendered }} />
</article>
);
// Vue Application
<template>
<article>
<h1>{{ post.title.rendered }}</h1>
<div v-html="post.content.rendered"></div>
</article>
</template>
// Svelte Application
<script>
export let post;
</script>
<article>
<h1>{post.title.rendered}</h1>
{@html post.content.rendered}
</article>
4. Multi-Channel Content Delivery
One content source, infinite destinations:
// Same WordPress backend serves:
const channels = {
website: 'https://example.com', // Next.js site
mobileApp: 'MyApp iOS/Android', // React Native
smartwatch: 'MyApp Watch', // WearOS/watchOS
voiceAssistant: 'Alexa Skill', // Voice UI
digitalSignage: 'Store Displays', // Custom displays
emailNewsletter: 'Weekly Digest', // Email templates
socialMedia: 'Auto-posts' // Social APIs
};
Use Case Decision Matrix
| Use Case | Traditional | Headless | Reason |
|---|---|---|---|
| Simple Blog | ✅ | ❌ | Overhead not justified |
| News Site | ⚠️ | ✅ | Performance critical |
| E-commerce | ⚠️ | ✅ | Omnichannel required |
| Portfolio | ✅ | ⚠️ | Depends on interactivity |
| Enterprise | ❌ | ✅ | Scalability essential |
| Mobile App | ❌ | ✅ | API required |
| Multi-brand | ❌ | ✅ | Content reuse needed |
Cost Comparison Analysis
Traditional WordPress Costs
Hosting: $20-100/month (managed WordPress)
Theme: $0-100 (one-time or annual)
Plugins: $0-500/year
Development: $5,000-20,000
Maintenance: $200-1,000/month
Total Year 1: $7,500-35,000
Headless WordPress Costs
WordPress Hosting: $20-50/month (API only)
Frontend Hosting: $0-20/month (Vercel/Netlify)
Development: $10,000-50,000 (higher initial)
Maintenance: $500-2,000/month (specialized)
CDN/Services: $0-100/month
Total Year 1: $15,000-75,000
Real-World Success Stories
1. TechCrunch - News at Scale
- Challenge: Handle millions of daily visitors
- Solution: Headless WordPress + Next.js
- Results: 3x faster load times, 50% reduction in hosting costs
2. Smashing Magazine - Developer Community
- Challenge: Interactive content with great performance
- Solution: WordPress API + JAMstack
- Results: 10x performance improvement, better developer experience
3. BBC America - Multi-platform Content
- Challenge: Serve content to web, mobile, and TV apps
- Solution: Headless WordPress as central CMS
- Results: Unified content management, 60% faster deployment
Choosing Your Data Layer
REST API vs GraphQL: The Complete Comparison
The choice between REST API and GraphQL is crucial for your headless WordPress project. Let's explore both options in detail.
WordPress REST API Deep Dive
Architecture and Endpoints
The WordPress REST API provides a comprehensive set of endpoints:
// Core endpoints structure
const endpoints = {
posts: '/wp-json/wp/v2/posts',
pages: '/wp-json/wp/v2/pages',
categories: '/wp-json/wp/v2/categories',
tags: '/wp-json/wp/v2/tags',
users: '/wp-json/wp/v2/users',
media: '/wp-json/wp/v2/media',
comments: '/wp-json/wp/v2/comments',
taxonomies: '/wp-json/wp/v2/taxonomies',
types: '/wp-json/wp/v2/types',
statuses: '/wp-json/wp/v2/statuses',
settings: '/wp-json/wp/v2/settings'
};
Advanced REST API Usage
// Fetching posts with embedded data
const fetchPosts = async () => {
const params = new URLSearchParams({
_embed: true, // Include embedded data
per_page: 10, // Pagination
categories: '5,10', // Filter by categories
orderby: 'date', // Sort order
order: 'desc', // Sort direction
_fields: 'id,title,excerpt,content,featured_media' // Specific fields
});
const response = await fetch(`${API_URL}/wp/v2/posts?${params}`);
const posts = await response.json();
// Extract embedded data
return posts.map(post => ({
...post,
featuredImage: post._embedded?.['wp:featuredmedia']?.[0],
author: post._embedded?.author?.[0],
categories: post._embedded?.['wp:term']?.[0]
}));
};
// Custom endpoint registration
add_action('rest_api_init', function () {
register_rest_route('custom/v1', '/posts-with-meta', array(
'methods' => 'GET',
'callback' => 'get_posts_with_custom_meta',
'permission_callback' => '__return_true',
'args' => array(
'per_page' => array(
'default' => 10,
'sanitize_callback' => 'absint',
),
'meta_key' => array(
'required' => true,
'sanitize_callback' => 'sanitize_text_field',
),
),
));
});
function get_posts_with_custom_meta($request) {
$posts = get_posts(array(
'posts_per_page' => $request['per_page'],
'meta_key' => $request['meta_key'],
));
$data = array();
foreach ($posts as $post) {
$data[] = array(
'id' => $post->ID,
'title' => $post->post_title,
'content' => $post->post_content,
'meta_value' => get_post_meta($post->ID, $request['meta_key'], true),
'custom_fields' => get_fields($post->ID), // ACF fields
);
}
return rest_ensure_response($data);
}
WPGraphQL Comprehensive Overview
Installation and Setup
# Install via Composer
composer require wp-graphql/wp-graphql
# Or download from WordPress.org
wp plugin install wp-graphql --activate
Schema Definition and Extension
// Extending GraphQL schema
add_action('graphql_register_types', function() {
// Register custom type
register_graphql_object_type('ProjectDetails', [
'description' => 'Project custom fields',
'fields' => [
'client' => [
'type' => 'String',
'description' => 'Project client name',
],
'completionDate' => [
'type' => 'String',
'description' => 'Project completion date',
],
'technologies' => [
'type' => ['list_of' => 'String'],
'description' => 'Technologies used',
],
'budget' => [
'type' => 'Float',
'description' => 'Project budget',
],
],
]);
// Add field to Post type
register_graphql_field('Post', 'projectDetails', [
'type' => 'ProjectDetails',
'description' => 'Project details for portfolio posts',
'resolve' => function($post) {
return [
'client' => get_post_meta($post->ID, 'client', true),
'completionDate' => get_post_meta($post->ID, 'completion_date', true),
'technologies' => get_post_meta($post->ID, 'technologies', true),
'budget' => get_post_meta($post->ID, 'budget', true),
];
}
]);
});
Advanced GraphQL Queries
# Complex query with fragments and variables
query GetBlogPosts($first: Int!, $after: String, $categoryIn: [ID]) {
posts(
first: $first
after: $after
where: {
categoryIn: $categoryIn
status: PUBLISH
orderby: { field: DATE, order: DESC }
}
) {
pageInfo {
hasNextPage
endCursor
}
edges {
node {
...PostFields
...PostMeta
...PostRelationships
}
}
}
}
fragment PostFields on Post {
id
databaseId
title
slug
excerpt
content
date
modified
}
fragment PostMeta on Post {
featuredImage {
node {
sourceUrl
altText
mediaDetails {
width
height
}
}
}
seo {
title
metaDesc
canonical
}
}
fragment PostRelationships on Post {
author {
node {
name
avatar {
url
}
description
}
}
categories {
nodes {
name
slug
}
}
tags {
nodes {
name
slug
}
}
comments {
nodes {
content
author {
node {
name
}
}
}
}
}
Performance Benchmarks Comparison
Test Methodology
// Performance testing setup
const performanceTest = async (apiType, query) => {
const iterations = 100;
const times = [];
for (let i = 0; i < iterations; i++) {
const start = performance.now();
await executeQuery(apiType, query);
const end = performance.now();
times.push(end - start);
}
return {
average: times.reduce((a, b) => a + b) / times.length,
min: Math.min(...times),
max: Math.max(...times),
median: times.sort()[Math.floor(times.length / 2)]
};
};
Results Table
| Metric | REST API | GraphQL | Winner |
|---|---|---|---|
| Simple Post Query | 45ms | 52ms | REST |
| Complex Nested Query | 450ms | 120ms | GraphQL |
| 10 Posts + All Relations | 850ms | 180ms | GraphQL |
| Bandwidth (10 posts) | 125KB | 35KB | GraphQL |
| Under-fetching Issues | Common | Rare | GraphQL |
| Over-fetching Issues | Very Common | Rare | GraphQL |
| Caching Complexity | Simple | Complex | REST |
| Learning Curve | Gentle | Steep | REST |
Query Complexity Analysis
REST API Request Waterfall
// Multiple requests needed for complete data
async function getCompletePost(postId) {
// Request 1: Get post
const post = await fetch(`/wp-json/wp/v2/posts/${postId}`);
// Request 2: Get author details
const author = await fetch(`/wp-json/wp/v2/users/${post.author}`);
// Request 3: Get featured image
const media = await fetch(`/wp-json/wp/v2/media/${post.featured_media}`);
// Request 4: Get categories
const categories = await Promise.all(
post.categories.map(id =>
fetch(`/wp-json/wp/v2/categories/${id}`)
)
);
// Request 5: Get comments
const comments = await fetch(`/wp-json/wp/v2/comments?post=${postId}`);
// Total: 5+ HTTP requests
return { post, author, media, categories, comments };
}
GraphQL Single Request
# One request for all data
query GetCompletePost($id: ID!) {
post(id: $id) {
title
content
author {
name
email
avatar
}
featuredImage {
sourceUrl
altText
}
categories {
nodes {
name
slug
}
}
comments {
nodes {
content
author {
name
}
}
}
}
}
Authentication Methods Comparison
REST API Authentication
// 1. Cookie Authentication (same domain)
const response = await fetch('/wp-json/wp/v2/posts', {
credentials: 'include',
headers: {
'X-WP-Nonce': wpApiSettings.nonce
}
});
// 2. Application Passwords (WordPress 5.6+)
const credentials = btoa('username:application-password');
const response = await fetch('/wp-json/wp/v2/posts', {
headers: {
'Authorization': `Basic ${credentials}`
}
});
// 3. JWT Authentication (plugin required)
// First, get token
const tokenResponse = await fetch('/wp-json/jwt-auth/v1/token', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
username: 'user',
password: 'pass'
})
});
const { token } = await tokenResponse.json();
// Then use token
const response = await fetch('/wp-json/wp/v2/posts', {
headers: {
'Authorization': `Bearer ${token}`
}
});
// 4. OAuth 1.0a (plugin required)
const oauth = OAuth({
consumer: {
key: 'your-key',
secret: 'your-secret'
},
signature_method: 'HMAC-SHA1',
hash_function(base_string, key) {
return crypto
.createHmac('sha1', key)
.update(base_string)
.digest('base64');
}
});
GraphQL Authentication
// JWT with GraphQL
const GET_POSTS = gql`
query GetPosts {
posts {
nodes {
title
content
}
}
}
`;
const client = new ApolloClient({
uri: '/graphql',
headers: {
authorization: token ? `Bearer ${token}` : '',
}
});
// Or with refresh tokens
const authLink = setContext((_, { headers }) => {
const token = getAccessToken();
return {
headers: {
...headers,
authorization: token ? `Bearer ${token}` : '',
}
};
});
const client = new ApolloClient({
link: authLink.concat(httpLink),
cache: new InMemoryCache()
});
Decision Framework
Choose REST API When:
- Simple Content Needs
- Basic blog or content site
- Limited relationships between content
-
Standard WordPress data structure
-
Team Expertise
- Familiar with REST principles
- Limited GraphQL experience
-
Quick prototype needed
-
Caching Requirements
- Heavy caching needed
- Using CDN for API responses
-
Predictable query patterns
-
Third-Party Integration
- Many tools support REST
- Webhook compatibility
- Standard authentication
Choose GraphQL When:
- Complex Data Requirements
- Deep content relationships
- Multiple content types
-
Dynamic field requirements
-
Performance Critical
- Mobile applications
- Limited bandwidth
-
Complex UI requirements
-
Developer Experience
- Type safety important
- Self-documenting API
-
Rapid iteration needed
-
Modern Stack
- React/Apollo usage
- Real-time updates needed
- Subscription support
Setting Up Your Headless Backend
Server Requirements and Optimization
Recommended Server Specifications
# Minimum Requirements
CPU: 2 cores
RAM: 4GB
Storage: 20GB SSD
PHP: 7.4+
MySQL: 5.7+ or MariaDB 10.3+
SSL: Required
# Recommended for Production
CPU: 4+ cores
RAM: 8GB+
Storage: 50GB+ NVMe SSD
PHP: 8.0+
MySQL: 8.0+ or MariaDB 10.5+
Redis: 6.0+
SSL: Required with HTTP/2
PHP Configuration Optimization
; /etc/php/8.0/fpm/php.ini
memory_limit = 256M
max_execution_time = 300
max_input_time = 300
post_max_size = 64M
upload_max_filesize = 64M
max_input_vars = 3000
; OPcache settings
opcache.enable = 1
opcache.memory_consumption = 256
opcache.interned_strings_buffer = 16
opcache.max_accelerated_files = 10000
opcache.revalidate_freq = 2
opcache.save_comments = 1
Nginx Configuration for Headless
server {
listen 443 ssl http2;
server_name api.example.com;
root /var/www/wordpress;
index index.php;
# SSL configuration
ssl_certificate /etc/ssl/certs/api.example.com.crt;
ssl_certificate_key /etc/ssl/private/api.example.com.key;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# CORS headers for headless
add_header Access-Control-Allow-Origin "$http_origin" always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE" always;
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" always;
add_header Access-Control-Allow-Credentials "true" always;
# Handle preflight requests
if ($request_method = 'OPTIONS') {
return 204;
}
# Block access to sensitive files
location ~ /\. {
deny all;
}
location ~ ^/(?:wp-content|wp-includes)/.*\.php$ {
deny all;
}
# Allow only API and admin access
location ~ ^/(?!wp-json|wp-admin|wp-login\.php) {
return 403;
}
# PHP handling
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php8.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
# API specific
fastcgi_read_timeout 300;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
}
# API rate limiting
location /wp-json/ {
limit_req zone=api burst=20 nodelay;
try_files $uri $uri/ /index.php?$args;
}
}
# Rate limiting zone
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
Essential Plugins Installation Guide
Core Plugins for Headless WordPress
# Using WP-CLI for installation
wp plugin install --activate \
wp-graphql \
wp-graphql-acf \
wp-gatsby \
jwt-authentication-for-wp-rest-api \
custom-post-type-ui \
advanced-custom-fields \
wordpress-seo \
wp-super-cache \
wordfence
Plugin Configuration
1. WPGraphQL Configuration
// Extend GraphQL schema
add_action('graphql_register_types', function() {
// Add custom scalars
register_graphql_scalar('Email', [
'serialize' => function($value) {
return sanitize_email($value);
},
'parseValue' => function($value) {
if (!is_email($value)) {
throw new Error('Invalid email format');
}
return sanitize_email($value);
},
'parseLiteral' => function($ast) {
if (!is_email($ast->value)) {
throw new Error('Invalid email format');
}
return sanitize_email($ast->value);
}
]);
// Add custom mutations
register_graphql_mutation('submitContactForm', [
'inputFields' => [
'name' => [
'type' => 'String',
'description' => 'Sender name',
],
'email' => [
'type' => 'Email',
'description' => 'Sender email',
],
'message' => [
'type' => 'String',
'description' => 'Message content',
],
],
'outputFields' => [
'success' => [
'type' => 'Boolean',
'description' => 'Was the submission successful',
],
'message' => [
'type' => 'String',
'description' => 'Response message',
],
],
'mutateAndGetPayload' => function($input) {
// Process form submission
$result = wp_mail(
get_option('admin_email'),
'Contact Form Submission',
sprintf(
"Name: %s\nEmail: %s\nMessage: %s",
$input['name'],
$input['email'],
$input['message']
)
);
return [
'success' => $result,
'message' => $result ? 'Message sent successfully' : 'Failed to send message',
];
}
]);
});
2. JWT Authentication Setup
// wp-config.php
define('JWT_AUTH_SECRET_KEY', 'your-secret-key-here');
define('JWT_AUTH_CORS_ENABLE', true);
// Custom authentication endpoint
add_action('rest_api_init', function () {
register_rest_route('custom/v1', '/auth/refresh', array(
'methods' => 'POST',
'callback' => 'refresh_jwt_token',
'permission_callback' => function() {
return is_user_logged_in();
}
));
});
function refresh_jwt_token($request) {
$user = wp_get_current_user();
if (!$user->exists()) {
return new WP_Error('invalid_user', 'User not found', array('status' => 404));
}
// Generate new token
$secret_key = defined('JWT_AUTH_SECRET_KEY') ? JWT_AUTH_SECRET_KEY : false;
$token = jwt_encode(
array(
'iss' => get_bloginfo('url'),
'iat' => time(),
'nbf' => time(),
'exp' => time() + (DAY_IN_SECONDS * 7),
'data' => array(
'user' => array(
'id' => $user->ID,
)
)
),
$secret_key,
'HS256'
);
return array(
'token' => $token,
'user_email' => $user->user_email,
'user_nicename' => $user->user_nicename,
'user_display_name' => $user->display_name,
);
}
Custom Post Types and Fields Setup
Advanced Custom Post Type Registration
// Portfolio post type with full API support
function register_portfolio_post_type() {
$labels = array(
'name' => 'Portfolio',
'singular_name' => 'Portfolio Item',
'menu_name' => 'Portfolio',
'add_new' => 'Add New',
'add_new_item' => 'Add New Portfolio Item',
'edit_item' => 'Edit Portfolio Item',
'new_item' => 'New Portfolio Item',
'view_item' => 'View Portfolio Item',
'search_items' => 'Search Portfolio',
'not_found' => 'No portfolio items found',
'not_found_in_trash' => 'No portfolio items found in trash',
);
$args = array(
'labels' => $labels,
'public' => true,
'publicly_queryable' => true,
'show_ui' => true,
'show_in_menu' => true,
'query_var' => true,
'rewrite' => array('slug' => 'portfolio'),
'capability_type' => 'post',
'has_archive' => true,
'hierarchical' => false,
'menu_position' => 5,
'menu_icon' => 'dashicons-portfolio',
'supports' => array('title', 'editor', 'thumbnail', 'excerpt', 'custom-fields'),
'show_in_rest' => true,
'rest_base' => 'portfolio',
'rest_controller_class' => 'WP_REST_Posts_Controller',
'show_in_graphql' => true,
'graphql_single_name' => 'portfolio',
'graphql_plural_name' => 'portfolios',
);
register_post_type('portfolio', $args);
// Register custom taxonomy
register_taxonomy('portfolio_category', 'portfolio', array(
'labels' => array(
'name' => 'Portfolio Categories',
'singular_name' => 'Portfolio Category',
),
'public' => true,
'hierarchical' => true,
'show_in_rest' => true,
'show_in_graphql' => true,
'graphql_single_name' => 'portfolioCategory',
'graphql_plural_name' => 'portfolioCategories',
));
}
add_action('init', 'register_portfolio_post_type');
// Add custom fields to REST API
add_action('rest_api_init', function() {
register_rest_field('portfolio', 'project_details', array(
'get_callback' => function($object) {
return array(
'client' => get_field('client', $object['id']),
'project_url' => get_field('project_url', $object['id']),
'completion_date' => get_field('completion_date', $object['id']),
'technologies' => get_field('technologies', $object['id']),
'testimonial' => get_field('testimonial', $object['id']),
'gallery' => get_field('gallery', $object['id']),
);
},
'update_callback' => function($value, $object) {
foreach ($value as $field_key => $field_value) {
update_field($field_key, $field_value, $object->ID);
}
return true;
},
'schema' => array(
'description' => 'Project details',
'type' => 'object',
),
));
});
API Security Hardening
Comprehensive Security Implementation
// 1. Rate limiting
add_filter('rest_pre_dispatch', function($result, $server, $request) {
$ip = $_SERVER['REMOTE_ADDR'];
$route = $request->get_route();
// Check rate limit
$transient_key = 'rate_limit_' . md5($ip . $route);
$requests = get_transient($transient_key) ?: 0;
if ($requests > 100) { // 100 requests per hour
return new WP_Error(
'rate_limit_exceeded',
'Too many requests',
array('status' => 429)
);
}
set_transient($transient_key, $requests + 1, HOUR_IN_SECONDS);
return $result;
}, 10, 3);
// 2. API Key authentication
add_filter('rest_authentication_errors', function($result) {
// Skip authentication for public endpoints
if (strpos($_SERVER['REQUEST_URI'], '/wp-json/wp/v2/posts') !== false && $_SERVER['REQUEST_METHOD'] === 'GET') {
return $result;
}
$api_key = $_SERVER['HTTP_X_API_KEY'] ?? '';
if (empty($api_key)) {
return new WP_Error(
'missing_api_key',
'API key is required',
array('status' => 401)
);
}
// Validate API key
$valid_keys = get_option('headless_api_keys', array());
if (!in_array($api_key, $valid_keys)) {
return new WP_Error(
'invalid_api_key',
'Invalid API key',
array('status' => 403)
);
}
return $result;
});
// 3. CORS configuration
add_action('rest_api_init', function() {
remove_filter('rest_pre_serve_request', 'rest_send_cors_headers');
add_filter('rest_pre_serve_request', function($value) {
$origin = get_http_origin();
$allowed_origins = array(
'https://example.com',
'https://www.example.com',
'http://localhost:3000', // Development
);
if (in_array($origin, $allowed_origins)) {
header('Access-Control-Allow-Origin: ' . $origin);
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization, X-API-Key');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400');
}
return $value;
});
});
// 4. Content sanitization
add_filter('rest_pre_insert_post', function($prepared_post, $request) {
// Sanitize content
if (isset($prepared_post->post_content)) {
$prepared_post->post_content = wp_kses_post($prepared_post->post_content);
}
if (isset($prepared_post->post_title)) {
$prepared_post->post_title = sanitize_text_field($prepared_post->post_title);
}
return $prepared_post;
}, 10, 2);
// 5. Disable unnecessary endpoints
add_filter('rest_endpoints', function($endpoints) {
// Remove user endpoints for non-authenticated requests
if (!is_user_logged_in()) {
unset($endpoints['/wp/v2/users']);
unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
}
// Remove unnecessary endpoints
unset($endpoints['/wp/v2/settings']);
unset($endpoints['/wp/v2/themes']);
return $endpoints;
});
Development vs Production Setup
Environment-Specific Configuration
// wp-config.php
define('WP_ENVIRONMENT_TYPE', getenv('WP_ENV') ?: 'production');
switch (WP_ENVIRONMENT_TYPE) {
case 'development':
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', true);
define('SCRIPT_DEBUG', true);
define('JWT_AUTH_CORS_ENABLE', true);
define('GRAPHQL_DEBUG', true);
break;
case 'staging':
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG', false);
break;
case 'production':
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);
define('SCRIPT_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
break;
}
// Environment-specific functionality
add_action('init', function() {
if (WP_ENVIRONMENT_TYPE === 'development') {
// Enable GraphQL IDE
add_filter('graphql_ide_enabled', '__return_true');
// Disable caching
add_filter('wp_cache_enabled', '__return_false');
// Log all API requests
add_filter('rest_pre_dispatch', function($result, $server, $request) {
error_log(sprintf(
'API Request: %s %s',
$request->get_method(),
$request->get_route()
));
return $result;
}, 10, 3);
}
if (WP_ENVIRONMENT_TYPE === 'production') {
// Enable aggressive caching
add_filter('rest_cache_headers', function($headers) {
$headers['Cache-Control'] = 'public, max-age=3600';
return $headers;
});
// Disable plugin/theme editor
if (!defined('DISALLOW_FILE_EDIT')) {
define('DISALLOW_FILE_EDIT', true);
}
}
});
Building the Frontend
Next.js + WordPress Complete Tutorial
Project Setup and Configuration
# Create Next.js project
npx create-next-app@latest my-headless-wp --typescript --tailwind --app
cd my-headless-wp
# Install dependencies
npm install @apollo/client graphql isomorphic-unfetch
npm install @wordpress/api-fetch @wordpress/url
npm install react-intersection-observer framer-motion
npm install --save-dev @types/wordpress__api-fetch
Environment Configuration
# .env.local
NEXT_PUBLIC_WORDPRESS_API_URL=https://api.example.com
WORDPRESS_API_URL=https://api.example.com
WORDPRESS_GRAPHQL_ENDPOINT=https://api.example.com/graphql
WORDPRESS_AUTH_REFRESH_TOKEN=your-refresh-token
PREVIEW_SECRET=your-preview-secret
REVALIDATE_SECRET=your-revalidate-secret
Apollo Client Setup
// lib/apollo-client.ts
import { ApolloClient, InMemoryCache, createHttpLink } from '@apollo/client';
import { setContext } from '@apollo/client/link/context';
const httpLink = createHttpLink({
uri: process.env.WORDPRESS_GRAPHQL_ENDPOINT,
});
const authLink = setContext((_, { headers }) => {
return {
headers: {
...headers,
authorization: process.env.WORDPRESS_AUTH_REFRESH_TOKEN
? `Bearer ${process.env.WORDPRESS_AUTH_REFRESH_TOKEN}`
: '',
},
};
});
const client = new ApolloClient({
link: authLink.concat(httpLink),
cache: new InMemoryCache({
typePolicies: {
RootQuery: {
fields: {
posts: {
keyArgs: ['where'],
merge(existing = { edges: [], pageInfo: {} }, incoming) {
return {
edges: [...(existing.edges || []), ...(incoming.edges || [])],
pageInfo: incoming.pageInfo,
};
},
},
},
},
},
}),
});
export default client;
GraphQL Queries
// lib/queries.ts
import { gql } from '@apollo/client';
export const GET_ALL_POSTS = gql`
query GetAllPosts($first: Int!, $after: String) {
posts(first: $first, after: $after, where: { status: PUBLISH }) {
pageInfo {
endCursor
hasNextPage
}
edges {
node {
id
databaseId
title
slug
excerpt
date
modified
featuredImage {
node {
sourceUrl
altText
mediaDetails {
width
height
}
}
}
author {
node {
name
avatar {
url
}
}
}
categories {
edges {
node {
name
slug
}
}
}
}
}
}
}
`;
export const GET_POST_BY_SLUG = gql`
query GetPostBySlug($slug: ID!) {
post(id: $slug, idType: SLUG) {
id
databaseId
title
content
date
modified
excerpt
featuredImage {
node {
sourceUrl
altText
mediaDetails {
width
height
}
}
}
author {
node {
name
description
avatar {
url
}
}
}
categories {
edges {
node {
name
slug
}
}
}
tags {
edges {
node {
name
slug
}
}
}
seo {
title
metaDesc
canonical
opengraphTitle
opengraphDescription
opengraphImage {
sourceUrl
}
twitterTitle
twitterDescription
twitterImage {
sourceUrl
}
}
}
}
`;
Homepage Implementation
// app/page.tsx
import client from '@/lib/apollo-client';
import { GET_ALL_POSTS } from '@/lib/queries';
import PostGrid from '@/components/PostGrid';
import Hero from '@/components/Hero';
import { Metadata } from 'next';
export const metadata: Metadata = {
title: 'My Headless WordPress Blog',
description: 'A modern blog built with Next.js and WordPress',
};
async function getPosts() {
const { data } = await client.query({
query: GET_ALL_POSTS,
variables: {
first: 10,
},
});
return data.posts.edges;
}
export default async function HomePage() {
const posts = await getPosts();
return (
<main>
<Hero />
<section className="max-w-7xl mx-auto px-4 py-12">
<h2 className="text-3xl font-bold mb-8">Latest Posts</h2>
<PostGrid posts={posts} />
</section>
</main>
);
}
Dynamic Post Pages
// app/blog/[slug]/page.tsx
import { notFound } from 'next/navigation';
import client from '@/lib/apollo-client';
import { GET_POST_BY_SLUG, GET_ALL_POSTS } from '@/lib/queries';
import PostContent from '@/components/PostContent';
import { Metadata } from 'next';
interface PostPageProps {
params: {
slug: string;
};
}
export async function generateStaticParams() {
const { data } = await client.query({
query: GET_ALL_POSTS,
variables: {
first: 100,
},
});
return data.posts.edges.map((edge: any) => ({
slug: edge.node.slug,
}));
}
export async function generateMetadata({ params }: PostPageProps): Promise<Metadata> {
const { data } = await client.query({
query: GET_POST_BY_SLUG,
variables: {
slug: params.slug,
},
});
const post = data?.post;
if (!post) {
return {
title: 'Post Not Found',
};
}
return {
title: post.seo?.title || post.title,
description: post.seo?.metaDesc || post.excerpt,
openGraph: {
title: post.seo?.opengraphTitle || post.title,
description: post.seo?.opengraphDescription || post.excerpt,
images: [
{
url: post.seo?.opengraphImage?.sourceUrl || post.featuredImage?.node?.sourceUrl,
},
],
},
};
}
export default async function PostPage({ params }: PostPageProps) {
const { data } = await client.query({
query: GET_POST_BY_SLUG,
variables: {
slug: params.slug,
},
});
const post = data?.post;
if (!post) {
notFound();
}
return <PostContent post={post} />;
}
Nuxt.js Integration Guide
Setup and Configuration
# Create Nuxt.js project
npx nuxi init my-headless-wp-nuxt
cd my-headless-wp-nuxt
# Install dependencies
npm install @nuxtjs/apollo graphql
npm install @nuxtjs/tailwindcss @nuxtjs/google-fonts
Nuxt Configuration
// nuxt.config.ts
export default defineNuxtConfig({
modules: [
'@nuxtjs/apollo',
'@nuxtjs/tailwindcss',
'@nuxtjs/google-fonts',
],
apollo: {
clients: {
default: {
httpEndpoint: process.env.WORDPRESS_GRAPHQL_ENDPOINT || 'https://api.example.com/graphql',
httpLinkOptions: {
credentials: 'include',
},
tokenName: 'apollo-token',
},
},
},
runtimeConfig: {
public: {
wordpressUrl: process.env.WORDPRESS_API_URL || 'https://api.example.com',
},
},
googleFonts: {
families: {
Inter: [400, 500, 600, 700],
},
},
});
Composables for Data Fetching
// composables/useWordPress.ts
export const useWordPressPosts = async (variables: any = {}) => {
const query = gql`
query GetPosts($first: Int, $after: String) {
posts(first: $first, after: $after) {
edges {
node {
id
title
slug
excerpt
date
}
}
pageInfo {
endCursor
hasNextPage
}
}
}
`;
const { data } = await useAsyncQuery(query, variables);
return data.value?.posts;
};
export const useWordPressPost = async (slug: string) => {
const query = gql`
query GetPost($slug: ID!) {
post(id: $slug, idType: SLUG) {
id
title
content
date
}
}
`;
const { data } = await useAsyncQuery(query, { slug });
return data.value?.post;
};
SvelteKit Implementation
Project Setup
npm create svelte@latest my-headless-wp-svelte
cd my-headless-wp-svelte
npm install
npm install graphql-request graphql
Data Fetching
// src/lib/wordpress.ts
import { GraphQLClient } from 'graphql-request';
const endpoint = import.meta.env.VITE_WORDPRESS_GRAPHQL_ENDPOINT;
export const client = new GraphQLClient(endpoint);
export const getPosts = async (first = 10) => {
const query = `
query GetPosts($first: Int!) {
posts(first: $first) {
edges {
node {
id
title
slug
excerpt
date
}
}
}
}
`;
const data = await client.request(query, { first });
return data.posts.edges;
};
Route Implementation
<!-- src/routes/+page.svelte -->
<script lang="ts">
export let data;
</script>
<h1>Latest Posts</h1>
<div class="post-grid">
{#each data.posts as { node: post }}
<article>
<h2><a href="/blog/{post.slug}">{post.title}</a></h2>
<p>{@html post.excerpt}</p>
</article>
{/each}
</div>
<!-- src/routes/+page.server.ts -->
import { getPosts } from '$lib/wordpress';
export async function load() {
const posts = await getPosts();
return {
posts
};
}
Data Fetching Strategies
1. Static Generation (SSG)
// Next.js - Static Generation
export async function getStaticProps() {
const posts = await fetchPosts();
return {
props: {
posts,
},
revalidate: 3600, // Revalidate every hour
};
}
// Nuxt.js - Static Generation
<script setup>
const { data: posts } = await useAsyncData('posts', () => fetchPosts(), {
transform: (posts) => posts.map(post => ({
...post,
date: new Date(post.date).toLocaleDateString()
}))
});
</script>
2. Server-Side Rendering (SSR)
// Next.js App Router - SSR with caching
async function getPosts() {
const res = await fetch('https://api.example.com/wp-json/wp/v2/posts', {
next: { revalidate: 60 }, // Cache for 60 seconds
});
if (!res.ok) {
throw new Error('Failed to fetch posts');
}
return res.json();
}
// Nuxt.js - SSR
export default defineEventHandler(async (event) => {
const posts = await $fetch('/wp-json/wp/v2/posts', {
baseURL: 'https://api.example.com',
headers: {
'Cache-Control': 's-maxage=60, stale-while-revalidate',
},
});
return posts;
});
3. Incremental Static Regeneration (ISR)
// Next.js - ISR Implementation
export default async function Post({ params }) {
const post = await getPost(params.slug);
return <PostContent post={post} />;
}
export async function generateStaticParams() {
// Generate first 100 posts at build time
const posts = await getPosts({ per_page: 100 });
return posts.map((post) => ({
slug: post.slug,
}));
}
// On-demand revalidation API
export default async function handler(req, res) {
if (req.query.secret !== process.env.REVALIDATION_SECRET) {
return res.status(401).json({ message: 'Invalid token' });
}
try {
await res.revalidate(`/blog/${req.query.slug}`);
return res.json({ revalidated: true });
} catch (err) {
return res.status(500).send('Error revalidating');
}
}
State Management Approaches
1. React Context + useReducer
// context/WordPressContext.tsx
import { createContext, useContext, useReducer } from 'react';
interface State {
posts: Post[];
loading: boolean;
error: string | null;
currentPage: number;
hasMore: boolean;
}
type Action =
| { type: 'FETCH_POSTS_START' }
| { type: 'FETCH_POSTS_SUCCESS'; payload: { posts: Post[]; hasMore: boolean } }
| { type: 'FETCH_POSTS_ERROR'; payload: string }
| { type: 'SET_PAGE'; payload: number };
const WordPressContext = createContext<{
state: State;
dispatch: React.Dispatch<Action>;
} | null>(null);
function wordpressReducer(state: State, action: Action): State {
switch (action.type) {
case 'FETCH_POSTS_START':
return { ...state, loading: true, error: null };
case 'FETCH_POSTS_SUCCESS':
return {
...state,
loading: false,
posts: [...state.posts, ...action.payload.posts],
hasMore: action.payload.hasMore,
};
case 'FETCH_POSTS_ERROR':
return { ...state, loading: false, error: action.payload };
case 'SET_PAGE':
return { ...state, currentPage: action.payload };
default:
return state;
}
}
export function WordPressProvider({ children }: { children: React.ReactNode }) {
const [state, dispatch] = useReducer(wordpressReducer, {
posts: [],
loading: false,
error: null,
currentPage: 1,
hasMore: true,
});
return (
<WordPressContext.Provider value={{ state, dispatch }}>
{children}
</WordPressContext.Provider>
);
}
export const useWordPress = () => {
const context = useContext(WordPressContext);
if (!context) {
throw new Error('useWordPress must be used within WordPressProvider');
}
return context;
};
2. Zustand Store
// store/wordpress.ts
import { create } from 'zustand';
import { devtools, persist } from 'zustand/middleware';
interface WordPressState {
posts: Post[];
categories: Category[];
loading: boolean;
error: string | null;
fetchPosts: (page?: number) => Promise<void>;
fetchCategories: () => Promise<void>;
clearError: () => void;
}
export const useWordPressStore = create<WordPressState>()(
devtools(
persist(
(set, get) => ({
posts: [],
categories: [],
loading: false,
error: null,
fetchPosts: async (page = 1) => {
set({ loading: true, error: null });
try {
const response = await fetch(
`/api/posts?page=${page}&per_page=10`
);
if (!response.ok) {
throw new Error('Failed to fetch posts');
}
const newPosts = await response.json();
set((state) => ({
posts: page === 1 ? newPosts : [...state.posts, ...newPosts],
loading: false,
}));
} catch (error) {
set({ error: error.message, loading: false });
}
},
fetchCategories: async () => {
try {
const response = await fetch('/api/categories');
const categories = await response.json();
set({ categories });
} catch (error) {
console.error('Failed to fetch categories:', error);
}
},
clearError: () => set({ error: null }),
}),
{
name: 'wordpress-storage',
}
)
)
);
Component Architecture
Atomic Design Pattern
// atoms/Button.tsx
interface ButtonProps {
variant?: 'primary' | 'secondary' | 'ghost';
size?: 'sm' | 'md' | 'lg';
children: React.ReactNode;
onClick?: () => void;
}
export const Button: React.FC<ButtonProps> = ({
variant = 'primary',
size = 'md',
children,
onClick,
}) => {
const variants = {
primary: 'bg-blue-600 text-white hover:bg-blue-700',
secondary: 'bg-gray-200 text-gray-900 hover:bg-gray-300',
ghost: 'bg-transparent text-gray-700 hover:bg-gray-100',
};
const sizes = {
sm: 'px-3 py-1 text-sm',
md: 'px-4 py-2',
lg: 'px-6 py-3 text-lg',
};
return (
<button
onClick={onClick}
className={`rounded-md font-medium transition-colors ${variants[variant]} ${sizes[size]}`}
>
{children}
</button>
);
};
// molecules/PostCard.tsx
interface PostCardProps {
post: Post;
}
export const PostCard: React.FC<PostCardProps> = ({ post }) => {
return (
<article className="bg-white rounded-lg shadow-md overflow-hidden">
{post.featuredImage && (
<img
src={post.featuredImage.node.sourceUrl}
alt={post.featuredImage.node.altText}
className="w-full h-48 object-cover"
/>
)}
<div className="p-6">
<h2 className="text-xl font-bold mb-2">
<Link href={`/blog/${post.slug}`}>{post.title}</Link>
</h2>
<div
className="text-gray-600 mb-4"
dangerouslySetInnerHTML={{ __html: post.excerpt }}
/>
<Button variant="ghost" size="sm">
Read More →
</Button>
</div>
</article>
);
};
// organisms/PostGrid.tsx
interface PostGridProps {
posts: Post[];
loading?: boolean;
}
export const PostGrid: React.FC<PostGridProps> = ({ posts, loading }) => {
if (loading) {
return <PostGridSkeleton />;
}
return (
<div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-6">
{posts.map((post) => (
<PostCard key={post.id} post={post} />
))}
</div>
);
};
Solving Common Challenges
Preview Implementation Techniques
WordPress Preview Setup
// Add preview support to WordPress
add_action('init', function() {
// Add preview parameter to REST API
add_filter('rest_post_query', function($args, $request) {
if ($request->get_param('preview')) {
$args['post_status'] = array('publish', 'draft', 'pending', 'private');
}
return $args;
}, 10, 2);
// Add preview data to response
add_filter('rest_prepare_post', function($response, $post, $request) {
if ($request->get_param('preview') && current_user_can('edit_post', $post->ID)) {
$preview = wp_get_post_autosave($post->ID);
if ($preview) {
$response->data['title']['rendered'] = $preview->post_title;
$response->data['content']['rendered'] = apply_filters('the_content', $preview->post_content);
$response->data['excerpt']['rendered'] = apply_filters('the_excerpt', $preview->post_excerpt);
}
}
return $response;
}, 10, 3);
});
// Generate preview links
add_filter('preview_post_link', function($preview_link, $post) {
$frontend_url = 'https://example.com';
$secret = 'your-preview-secret';
return add_query_arg(array(
'secret' => $secret,
'slug' => $post->post_name,
'id' => $post->ID,
'post_type' => $post->post_type,
), $frontend_url . '/api/preview');
}, 10, 2);
Next.js Preview API
// pages/api/preview.ts
import { NextApiRequest, NextApiResponse } from 'next';
export default async function handler(
req: NextApiRequest,
res: NextApiResponse
) {
// Check secret
if (req.query.secret !== process.env.PREVIEW_SECRET) {
return res.status(401).json({ message: 'Invalid token' });
}
// Validate request
const { slug, id, post_type } = req.query;
if (!slug || !id) {
return res.status(400).json({ message: 'Missing parameters' });
}
// Enable preview mode
res.setPreviewData({
post: {
id,
slug,
post_type: post_type || 'post',
},
});
// Redirect to the post
const redirectUrl = post_type === 'page' ? `/${slug}` : `/blog/${slug}`;
res.redirect(redirectUrl);
}
// pages/api/exit-preview.ts
export default function handler(
req: NextApiRequest,
res: NextApiResponse
) {
res.clearPreviewData();
res.redirect('/');
}
Form Handling Solutions
Contact Form Implementation
// Frontend form component
import { useState } from 'react';
import { useMutation, gql } from '@apollo/client';
const SUBMIT_CONTACT_FORM = gql`
mutation SubmitContactForm($input: SubmitContactFormInput!) {
submitContactForm(input: $input) {
success
message
}
}
`;
export function ContactForm() {
const [formData, setFormData] = useState({
name: '',
email: '',
message: '',
});
const [submitForm, { loading, error }] = useMutation(SUBMIT_CONTACT_FORM);
const handleSubmit = async (e: React.FormEvent) => {
e.preventDefault();
try {
const { data } = await submitForm({
variables: {
input: formData,
},
});
if (data.submitContactForm.success) {
alert('Message sent successfully!');
setFormData({ name: '', email: '', message: '' });
} else {
alert('Failed to send message.');
}
} catch (err) {
console.error('Form submission error:', err);
}
};
return (
<form onSubmit={handleSubmit} className="space-y-4">
<input
type="text"
placeholder="Your Name"
value={formData.name}
onChange={(e) => setFormData({ ...formData, name: e.target.value })}
required
className="w-full px-4 py-2 border rounded"
/>
<input
type="email"
placeholder="Your Email"
value={formData.email}
onChange={(e) => setFormData({ ...formData, email: e.target.value })}
required
className="w-full px-4 py-2 border rounded"
/>
<textarea
placeholder="Your Message"
value={formData.message}
onChange={(e) => setFormData({ ...formData, message: e.target.value })}
required
rows={5}
className="w-full px-4 py-2 border rounded"
/>
<button
type="submit"
disabled={loading}
className="px-6 py-2 bg-blue-600 text-white rounded hover:bg-blue-700 disabled:opacity-50"
>
{loading ? 'Sending...' : 'Send Message'}
</button>
{error && <p className="text-red-600">Error: {error.message}</p>}
</form>
);
}
SEO Optimization Strategies
Meta Tags Implementation
// components/SEO.tsx
import Head from 'next/head';
interface SEOProps {
title: string;
description: string;
canonical?: string;
image?: string;
article?: boolean;
publishedTime?: string;
modifiedTime?: string;
author?: string;
}
export function SEO({
title,
description,
canonical,
image,
article = false,
publishedTime,
modifiedTime,
author,
}: SEOProps) {
const siteName = 'My Headless WordPress Site';
const siteUrl = 'https://example.com';
return (
<Head>
<title>{`${title} | ${siteName}`}</title>
<meta name="description" content={description} />
<link rel="canonical" href={canonical || siteUrl} />
{/* Open Graph */}
<meta property="og:site_name" content={siteName} />
<meta property="og:type" content={article ? 'article' : 'website'} />
<meta property="og:title" content={title} />
<meta property="og:description" content={description} />
<meta property="og:url" content={canonical || siteUrl} />
{image && <meta property="og:image" content={image} />}
{/* Article specific */}
{article && publishedTime && (
<meta property="article:published_time" content={publishedTime} />
)}
{article && modifiedTime && (
<meta property="article:modified_time" content={modifiedTime} />
)}
{article && author && (
<meta property="article:author" content={author} />
)}
{/* Twitter */}
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:title" content={title} />
<meta name="twitter:description" content={description} />
{image && <meta name="twitter:image" content={image} />}
</Head>
);
}
Sitemap Generation
// pages/sitemap.xml.tsx
import { GetServerSideProps } from 'next';
import client from '@/lib/apollo-client';
import { gql } from '@apollo/client';
const SITEMAP_QUERY = gql`
query SitemapQuery {
posts(first: 1000, where: { status: PUBLISH }) {
nodes {
slug
modified
}
}
pages(first: 1000, where: { status: PUBLISH }) {
nodes {
slug
modified
}
}
}
`;
function generateSiteMap(posts: any[], pages: any[]) {
return `<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://example.com</loc>
<lastmod>${new Date().toISOString()}</lastmod>
<changefreq>daily</changefreq>
<priority>1.0</priority>
</url>
${posts
.map((post) => {
return `
<url>
<loc>https://example.com/blog/${post.slug}</loc>
<lastmod>${post.modified}</lastmod>
<changefreq>weekly</changefreq>
<priority>0.8</priority>
</url>
`;
})
.join('')}
${pages
.map((page) => {
return `
<url>
<loc>https://example.com/${page.slug}</loc>
<lastmod>${page.modified}</lastmod>
<changefreq>monthly</changefreq>
<priority>0.7</priority>
</url>
`;
})
.join('')}
</urlset>`;
}
export const getServerSideProps: GetServerSideProps = async ({ res }) => {
const { data } = await client.query({
query: SITEMAP_QUERY,
});
const sitemap = generateSiteMap(data.posts.nodes, data.pages.nodes);
res.setHeader('Content-Type', 'text/xml');
res.write(sitemap);
res.end();
return {
props: {},
};
};
export default function Sitemap() {
return null;
}
Authentication and User Management
JWT Implementation
// lib/auth.ts
import jwt from 'jsonwebtoken';
import { GraphQLClient } from 'graphql-request';
interface User {
id: string;
email: string;
name: string;
role: string;
}
export class AuthService {
private client: GraphQLClient;
constructor() {
this.client = new GraphQLClient(process.env.WORDPRESS_GRAPHQL_ENDPOINT!);
}
async login(username: string, password: string): Promise<{ user: User; token: string }> {
const mutation = `
mutation Login($username: String!, $password: String!) {
login(input: { username: $username, password: $password }) {
authToken
user {
id
email
name
role
}
}
}
`;
const data = await this.client.request(mutation, { username, password });
return {
user: data.login.user,
token: data.login.authToken,
};
}
async refreshToken(token: string): Promise<string> {
const mutation = `
mutation RefreshToken($token: String!) {
refreshJwtAuthToken(input: { jwtRefreshToken: $token }) {
authToken
}
}
`;
this.client.setHeader('authorization', `Bearer ${token}`);
const data = await this.client.request(mutation, { token });
return data.refreshJwtAuthToken.authToken;
}
verifyToken(token: string): User | null {
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET!) as any;
return {
id: decoded.data.user.id,
email: decoded.data.user.email,
name: decoded.data.user.name,
role: decoded.data.user.role,
};
} catch (error) {
return null;
}
}
}
// React Hook
export function useAuth() {
const [user, setUser] = useState<User | null>(null);
const [loading, setLoading] = useState(true);
useEffect(() => {
const token = localStorage.getItem('authToken');
if (token) {
const authService = new AuthService();
const user = authService.verifyToken(token);
setUser(user);
}
setLoading(false);
}, []);
const login = async (username: string, password: string) => {
const authService = new AuthService();
const { user, token } = await authService.login(username, password);
localStorage.setItem('authToken', token);
setUser(user);
};
const logout = () => {
localStorage.removeItem('authToken');
setUser(null);
};
return { user, loading, login, logout };
}
Image Optimization
Next.js Image Component
// components/OptimizedImage.tsx
import Image from 'next/image';
import { useState } from 'react';
interface OptimizedImageProps {
src: string;
alt: string;
width: number;
height: number;
priority?: boolean;
className?: string;
}
export function OptimizedImage({
src,
alt,
width,
height,
priority = false,
className = '',
}: OptimizedImageProps) {
const [isLoading, setLoading] = useState(true);
// Convert WordPress URL to use Next.js Image Optimization API
const optimizedSrc = src.replace(
'https://api.example.com',
'/_next/image?url=' + encodeURIComponent(src) + '&w=' + width + '&q=75'
);
return (
<div className={`relative overflow-hidden ${className}`}>
<Image
src={src}
alt={alt}
width={width}
height={height}
priority={priority}
className={`
duration-700 ease-in-out
${isLoading ? 'scale-110 blur-2xl' : 'scale-100 blur-0'}
`}
onLoadingComplete={() => setLoading(false)}
/>
</div>
);
}
// WordPress image processing
add_filter('rest_prepare_attachment', function($response, $attachment, $request) {
$data = $response->get_data();
// Add WebP version
$webp_url = str_replace(
array('.jpg', '.jpeg', '.png'),
'.webp',
$data['source_url']
);
if (file_exists(str_replace(site_url(), ABSPATH, $webp_url))) {
$data['webp_url'] = $webp_url;
}
// Add responsive sizes
$data['responsive'] = array(
'small' => image_downsize($attachment->ID, 'thumbnail')[0],
'medium' => image_downsize($attachment->ID, 'medium')[0],
'large' => image_downsize($attachment->ID, 'large')[0],
'full' => $data['source_url'],
);
$response->set_data($data);
return $response;
}, 10, 3);
Search Functionality
Algolia Integration
// lib/algolia.ts
import algoliasearch from 'algoliasearch/lite';
const searchClient = algoliasearch(
process.env.NEXT_PUBLIC_ALGOLIA_APP_ID!,
process.env.NEXT_PUBLIC_ALGOLIA_SEARCH_KEY!
);
export const searchIndex = searchClient.initIndex('posts');
// Sync WordPress to Algolia
export async function syncToAlgolia(posts: any[]) {
const objects = posts.map(post => ({
objectID: post.id,
title: post.title,
excerpt: post.excerpt,
content: post.content.replace(/<[^>]*>/g, ''), // Strip HTML
slug: post.slug,
author: post.author.node.name,
categories: post.categories.edges.map((edge: any) => edge.node.name),
publishedAt: new Date(post.date).getTime(),
image: post.featuredImage?.node?.sourceUrl,
}));
await searchIndex.saveObjects(objects);
}
// Search component
import { InstantSearch, SearchBox, Hits, Highlight } from 'react-instantsearch-dom';
export function Search() {
return (
<InstantSearch searchClient={searchClient} indexName="posts">
<SearchBox
placeholder="Search posts..."
className="w-full px-4 py-2 border rounded"
/>
<Hits
hitComponent={({ hit }) => (
<article className="p-4 border-b">
<h3>
<Link href={`/blog/${hit.slug}`}>
<Highlight attribute="title" hit={hit} />
</Link>
</h3>
<p className="text-gray-600">
<Highlight attribute="excerpt" hit={hit} />
</p>
</article>
)}
/>
</InstantSearch>
);
}
Hosting and Deployment
Backend Hosting Comparison
Hosting Options Analysis
| Provider | Best For | Pricing | Pros | Cons |
|---|---|---|---|---|
| Kinsta | High-traffic APIs | $35-1,800/mo | Excellent performance, Auto-scaling, Google Cloud | Expensive for small projects |
| WP Engine | Enterprise | $25-5,800/mo | Managed security, Good support | Limited to WordPress |
| Cloudways | Flexibility | $12-275/mo | Multiple cloud providers, Good value | Learning curve |
| DigitalOcean | Developers | $5-80/mo | Full control, Affordable | Requires management |
| AWS Lightsail | Scalability | $3.50-240/mo | AWS ecosystem, Predictable pricing | Complex for beginners |
| Pantheon | Teams | $41-1,000/mo | Dev workflow, Multidev | WordPress specific |
Optimized Backend Configuration
# DigitalOcean Droplet Setup
#!/bin/bash
# Update system
apt update && apt upgrade -y
# Install dependencies
apt install -y nginx mysql-server php8.1-fpm php8.1-mysql \
php8.1-curl php8.1-gd php8.1-mbstring php8.1-xml \
php8.1-zip php8.1-bcmath redis-server
# Configure PHP-FPM for API performance
cat > /etc/php/8.1/fpm/pool.d/wordpress.conf << EOF
[wordpress]
user = www-data
group = www-data
listen = /run/php/php8.1-fpm-wordpress.sock
listen.owner = www-data
listen.group = www-data
pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
EOF
# Install WordPress CLI
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp
# Setup WordPress
cd /var/www
wp core download --allow-root
wp config create --dbname=wordpress --dbuser=root --dbpass=password --allow-root
wp core install --url=api.example.com --title="Headless WP" \
--admin_user=admin [email protected] --allow-root
Frontend Platform Analysis
Platform Comparison
| Platform | Best For | Free Tier | Pricing | Features |
|---|---|---|---|---|
| Vercel | Next.js | Generous | $20/user/mo | Edge functions, Analytics |
| Netlify | Static sites | Good | $19/user/mo | Forms, Identity |
| Cloudflare Pages | Performance | Unlimited | $20/mo | Global CDN, Workers |
| AWS Amplify | Full-stack | Limited | Pay-as-you-go | AWS integration |
| Render | Simplicity | Basic | $7/mo | Auto-deploy, SSL |
| Railway | Quick deploy | $5 credit | $5/mo | Database included |
Vercel Deployment Configuration
// vercel.json
{
"framework": "nextjs",
"buildCommand": "npm run build",
"devCommand": "npm run dev",
"installCommand": "npm install",
"regions": ["iad1", "sfo1", "lhr1"],
"functions": {
"app/api/revalidate.ts": {
"maxDuration": 60
}
},
"headers": [
{
"source": "/(.*)",
"headers": [
{
"key": "X-Content-Type-Options",
"value": "nosniff"
},
{
"key": "X-Frame-Options",
"value": "DENY"
},
{
"key": "X-XSS-Protection",
"value": "1; mode=block"
}
]
}
],
"rewrites": [
{
"source": "/api/:path*",
"destination": "https://api.example.com/:path*"
}
]
}
CI/CD Pipeline Setup
GitHub Actions Workflow
# .github/workflows/deploy.yml
name: Deploy Headless WordPress
on:
push:
branches: [main]
pull_request:
branches: [main]
env:
WORDPRESS_API_URL: ${{ secrets.WORDPRESS_API_URL }}
WORDPRESS_GRAPHQL_ENDPOINT: ${{ secrets.WORDPRESS_GRAPHQL_ENDPOINT }}
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run tests
run: npm test
- name: Run E2E tests
run: npm run test:e2e
env:
PLAYWRIGHT_BASE_URL: ${{ secrets.STAGING_URL }}
build:
needs: test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build application
run: npm run build
env:
NEXT_PUBLIC_WORDPRESS_API_URL: ${{ secrets.WORDPRESS_API_URL }}
- name: Upload build artifacts
uses: actions/upload-artifact@v3
with:
name: build-files
path: |
.next
public
package.json
package-lock.json
deploy-staging:
needs: build
runs-on: ubuntu-latest
environment: staging
steps:
- name: Deploy to Vercel Staging
uses: amondnet/vercel-action@v20
with:
vercel-token: ${{ secrets.VERCEL_TOKEN }}
vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
scope: ${{ secrets.VERCEL_ORG_ID }}
alias-domains: staging.example.com
deploy-production:
needs: deploy-staging
runs-on: ubuntu-latest
environment: production
if: github.ref == 'refs/heads/main'
steps:
- name: Deploy to Vercel Production
uses: amondnet/vercel-action@v20
with:
vercel-token: ${{ secrets.VERCEL_TOKEN }}
vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
vercel-args: '--prod'
scope: ${{ secrets.VERCEL_ORG_ID }}
- name: Purge CDN Cache
run: |
curl -X POST "https://api.cloudflare.com/client/v4/zones/${{ secrets.CLOUDFLARE_ZONE_ID }}/purge_cache" \
-H "Authorization: Bearer ${{ secrets.CLOUDFLARE_API_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"purge_everything":true}'
- name: Notify Slack
uses: 8398a7/action-slack@v3
with:
status: ${{ job.status }}
text: 'Production deployment completed'
webhook_url: ${{ secrets.SLACK_WEBHOOK }}
Environment Management
Multi-Environment Setup
// config/environments.ts
interface Environment {
name: string;
apiUrl: string;
graphqlEndpoint: string;
previewSecret: string;
revalidateSecret: string;
}
const environments: Record<string, Environment> = {
development: {
name: 'Development',
apiUrl: 'http://localhost:8080',
graphqlEndpoint: 'http://localhost:8080/graphql',
previewSecret: 'dev-preview-secret',
revalidateSecret: 'dev-revalidate-secret',
},
staging: {
name: 'Staging',
apiUrl: 'https://staging-api.example.com',
graphqlEndpoint: 'https://staging-api.example.com/graphql',
previewSecret: process.env.STAGING_PREVIEW_SECRET!,
revalidateSecret: process.env.STAGING_REVALIDATE_SECRET!,
},
production: {
name: 'Production',
apiUrl: 'https://api.example.com',
graphqlEndpoint: 'https://api.example.com/graphql',
previewSecret: process.env.PREVIEW_SECRET!,
revalidateSecret: process.env.REVALIDATE_SECRET!,
},
};
export const getEnvironment = (): Environment => {
const env = process.env.NODE_ENV || 'development';
return environments[env] || environments.development;
};
// Usage in application
const env = getEnvironment();
const client = new ApolloClient({
uri: env.graphqlEndpoint,
// ... other config
});
Monitoring and Debugging
Application Monitoring Setup
// lib/monitoring.ts
import * as Sentry from '@sentry/nextjs';
export function initMonitoring() {
Sentry.init({
dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
environment: process.env.NODE_ENV,
tracesSampleRate: 0.1,
debug: false,
beforeSend(event, hint) {
// Filter sensitive data
if (event.request?.cookies) {
delete event.request.cookies;
}
return event;
},
});
}
// Custom error boundary
import { ErrorBoundary } from '@sentry/nextjs';
export function AppErrorBoundary({ children }: { children: React.ReactNode }) {
return (
<ErrorBoundary
fallback={({ error, resetError }) => (
<div className="error-boundary">
<h2>Something went wrong</h2>
<details>
<summary>Error details</summary>
<pre>{error.message}</pre>
</details>
<button onClick={resetError}>Try again</button>
</div>
)}
showDialog
>
{children}
</ErrorBoundary>
);
}
// Performance monitoring
export function trackPerformance() {
if (typeof window !== 'undefined' && window.performance) {
const navigation = performance.getEntriesByType('navigation')[0] as PerformanceNavigationTiming;
const metrics = {
dns: navigation.domainLookupEnd - navigation.domainLookupStart,
tcp: navigation.connectEnd - navigation.connectStart,
ttfb: navigation.responseStart - navigation.requestStart,
download: navigation.responseEnd - navigation.responseStart,
domInteractive: navigation.domInteractive - navigation.fetchStart,
domComplete: navigation.domComplete - navigation.fetchStart,
};
// Send to analytics
if (window.gtag) {
window.gtag('event', 'performance', {
event_category: 'Web Vitals',
event_label: 'Page Load',
value: Math.round(metrics.domComplete),
...metrics,
});
}
}
}
Scaling Strategies
Horizontal Scaling Architecture
# docker-compose.yml for WordPress backend
version: '3.8'
services:
nginx:
image: nginx:alpine
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
- wordpress:/var/www/html
ports:
- "80:80"
depends_on:
- wordpress1
- wordpress2
- wordpress3
wordpress1:
image: wordpress:php8.1-fpm
volumes:
- wordpress:/var/www/html
environment:
WORDPRESS_DB_HOST: mysql
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: ${DB_PASSWORD}
WORDPRESS_DB_NAME: wordpress
depends_on:
- mysql
- redis
wordpress2:
extends: wordpress1
wordpress3:
extends: wordpress1
mysql:
image: mysql:8.0
volumes:
- mysql_data:/var/lib/mysql
environment:
MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
MYSQL_DATABASE: wordpress
MYSQL_USER: wordpress
MYSQL_PASSWORD: ${DB_PASSWORD}
redis:
image: redis:alpine
command: redis-server --maxmemory 256mb --maxmemory-policy allkeys-lru
volumes:
wordpress:
mysql_data:
CDN Configuration
// next.config.js with CDN
const withBundleAnalyzer = require('@next/bundle-analyzer')({
enabled: process.env.ANALYZE === 'true',
});
module.exports = withBundleAnalyzer({
images: {
domains: ['api.example.com', 'cdn.example.com'],
loader: 'cloudinary',
path: 'https://res.cloudinary.com/your-cloud-name/image/upload/',
},
assetPrefix: process.env.NODE_ENV === 'production'
? 'https://cdn.example.com'
: '',
compress: true,
poweredByHeader: false,
async headers() {
return [
{
source: '/:all*(svg|jpg|jpeg|png|webp|gif|ico|woff|woff2)',
locale: false,
headers: [
{
key: 'Cache-Control',
value: 'public, max-age=31536000, immutable',
},
],
},
];
},
webpack: (config, { isServer }) => {
// Optimize chunks
config.optimization.splitChunks = {
chunks: 'all',
cacheGroups: {
default: false,
vendors: false,
vendor: {
name: 'vendor',
chunks: 'all',
test: /node_modules/,
},
common: {
minChunks: 2,
priority: -10,
reuseExistingChunk: true,
},
},
};
return config;
},
});
Best Practices and Recommendations
Security Best Practices
- API Security
- Use HTTPS everywhere
- Implement rate limiting
- Validate all inputs
- Use proper authentication
-
Keep WordPress updated
-
Frontend Security
- Sanitize dynamic content
- Implement CSP headers
- Use environment variables
- Validate user inputs
- Regular dependency updates
Performance Optimization
- Backend Optimization
- Enable object caching
- Optimize database queries
- Use CDN for media
- Implement API caching
-
Minimize plugin usage
-
Frontend Optimization
- Implement ISR/SSG
- Optimize images
- Lazy load components
- Minimize JavaScript
- Use edge functions
Development Workflow
- Version Control
- Use Git flow
- Semantic versioning
- Meaningful commits
- Code reviews
-
Documentation
-
Testing Strategy
- Unit tests for components
- Integration tests for API
- E2E tests for critical paths
- Performance testing
- Security audits
Conclusion
Headless WordPress represents the future of content management, combining WordPress's powerful backend with modern frontend technologies. This architecture enables unprecedented performance, flexibility, and scalability while maintaining the familiar WordPress editing experience.
Key takeaways from this guide:
- Architecture Matters: Choose between REST API and GraphQL based on your specific needs
- Performance First: Implement caching, CDN, and optimization strategies from the start
- Security Always: Protect both your WordPress backend and frontend application
- Developer Experience: Use modern tools and workflows to increase productivity
- Scalability Built-in: Design for growth with proper hosting and deployment strategies
The journey to headless WordPress may seem complex, but the benefits—blazing-fast performance, unlimited frontend flexibility, and true omnichannel content delivery—make it worthwhile for ambitious projects.
Start small, experiment with different approaches, and gradually build your expertise. The headless WordPress ecosystem is rapidly evolving, offering new opportunities for developers willing to embrace this modern architecture.
Whether you're building a simple blog or a complex enterprise application, headless WordPress provides the foundation for creating exceptional digital experiences that delight users and achieve business goals.
Ready to dive deeper into modern WordPress development? Explore our other comprehensive guides on Gutenberg and Full-Site Editing, WordPress Performance Optimization, and WooCommerce Development.