Invizo Headless Mode is a WordPress plugin for turning WordPress into a focused headless CMS backend. It helps you disable the public WordPress frontend, redirect visitors to your decoupled frontend, protect default login URLs, and keep WordPress admin/API workflows available.
The plugin is built for decoupled WordPress projects and modern frontend stacks such as Next.js, Gatsby, Nuxt, SvelteKit, Remix, Astro, or a custom app.
- Disable WP frontend access by redirecting public WordPress routes to your frontend.
- Keep WordPress admin, REST API, AJAX, cron, media/static assets, and supported API routes available.
- Configure the headless frontend URL from the WordPress admin.
- Add strict CORS headers for your frontend origin or a custom origin allowlist.
- Generate signed draft preview URLs for headless preview workflows.
- Hide direct
/wp-admin/and/wp-login.phpaccess behind an optional custom admin/login slug. - Return JSON errors for blocked default admin/login URLs.
- Customize the WordPress login page logo, colors, background image, and back-to-site link visibility.
- Disable XML-RPC, hide WordPress version output, and block common user enumeration vectors.
- Disable RSS/Atom feeds, RSD, WLW manifest, oEmbed discovery, shortlinks, and related discovery headers.
- Rewrite post, page, custom post type, and term permalinks to your headless frontend URL.
- Redirect logout to the frontend and login to WordPress admin.
- WordPress 6.4 or later
- PHP 8.1 or later
- Copy the
invizo-headless-modefolder intowp-content/plugins/. - Activate Invizo Headless Mode in WordPress.
- Go to Settings > Headless Mode.
- Set your Front-End URL.
- Review the CORS, preview, security, discovery, login, permalink, and login design settings.
If you enable permalink restructuring or change the custom admin slug, go to Settings > Permalinks and click Save Changes once.
Set Front-End URL to your public frontend:
https://example.com
Public WordPress routes redirect to the same path on that frontend. WordPress admin and API requests remain available.
If Allowed Origins is empty, the plugin allows browser API requests only from the configured Front-End URL. Add one origin per line when you need additional trusted origins for staging, local development, or multiple frontend apps.
The plugin creates signed preview tokens using the Preview Secret. A frontend preview endpoint can verify those tokens before rendering unpublished WordPress content.
When a custom admin slug is configured, logged-out visitors can use that slug to reach the login form. Direct logged-out access to /wp-admin/ and /wp-login.php returns a generic JSON error and does not reveal the custom login URL.
When Restructure Permalinks is enabled, generated WordPress post, page, custom post type, and taxonomy links point to your frontend domain. This helps editors copy the correct public URL from WordPress.
Run:
./scripts/make-release-zip.shThe release archive is written to:
dist/invizo-headless-mode.1.0.3.zip
The zip contains the plugin under the required invizo-headless-mode/ root folder and excludes GitHub/development-only files.
Run PHP syntax checks:
find . -name '*.php' -not -path './dist/*' -print0 | xargs -0 -n1 php -lRun WordPress Plugin Check when available:
wp plugin check invizo-headless-mode --format=tableThis plugin does not send tracking data to the plugin author. It uses URLs that site administrators configure, such as the Front-End URL for redirects, CORS allowlisting, logout redirects, permalink rewriting, and preview links.
GPLv2 or later. See readme.txt and the plugin header for license metadata.