A minimal WordPress theme designed to work as a headless CMS with GraphQL support and enhanced security features. This theme serves as a backend for JAMstack applications.
- Disabled frontend rendering
- Optimized for GraphQL content delivery
- Minimal theme structure
- Cleaned up WordPress head and removed unnecessary features
- Custom login page through the /console/ endpoint
- Disabled standard wp-login.php
- Protected wp-admin access
- Implemented security headers
- Disabled file editing in admin panel
- Hash-based temporary login links
- Rate limiting protection:
  - 5 attempts per hour per IP
  - 3 attempts per temporary link
  - 30 minutes link expiration
- Brute force protection
- Access logging
- Session management
- Protected REST API endpoints
- GraphQL access control
- Disabled XML-RPC
- Disabled directory browsing
- Protected sensitive files
- Configured for WPGraphQL with MYGraphQL extension
- Selective field exposure for optimal data transfer
- Custom post type handling with meta fields control
- Structured content delivery with caching
- API endpoint protection
- Clone this repository to your server:

```bash
cd /www
git clone [repository-url] .
```

- Add the following constants to your wp-config.php:

```php
define('WP_ADMIN_PROTECTION', true);
define('CUSTOM_LOGIN_PATH', 'console');
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
```
- Add the security rules to your .htaccess:

```apache
# Protect wp-login.php and wp-admin
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-login\.php$ - [R=403,L]
# Only checks that a wordpress_logged_in_ cookie is present; WordPress itself
# still validates the session, this rule just cuts off anonymous requests early
RewriteCond %{REQUEST_URI} ^/wp-admin
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
```
- Navigate to /console/
- Get a temporary login link
- Use the link within 30 minutes
- Login with your WordPress credentials
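The following PHP is an added example, not the theme's own code, showing how the temporary-link flow above can enforce the stated limits (30-minute expiry, 3 attempts per link, 5 attempts per hour per IP) and write the access log. It assumes WordPress is loaded (transients, wp_salt, home_url); the hl_* names are hypothetical.

```php
<?php
// Added example, not the theme's code: enforce the README's temporary-link limits
// (30-minute expiry, 3 tries per link, 5 tries per hour per IP). Assumes WordPress
// is loaded (set_transient, get_transient, wp_salt, home_url); hl_* names are hypothetical.
const HL_LINK_TTL   = 30 * 60;  // seconds a link stays valid
const HL_LINK_TRIES = 3;        // attempts allowed per link
const HL_IP_TRIES   = 5;        // attempts allowed per IP per window
const HL_IP_WINDOW  = 60 * 60;  // per-IP window in seconds
// Storage key is the token's HMAC, so a leaked database row cannot be replayed as a link.
function hl_link_key(string $token): string {
    return 'hl_link_' . hash_hmac('sha256', $token, wp_salt('auth'));
}

// Issue a link: 128-bit random token, record starts with zero attempts and a 30-minute TTL.
function hl_issue_link(): string {
    $token = bin2hex(random_bytes(16));
    set_transient(hl_link_key($token), ['issued' => time(), 'tries' => 0], HL_LINK_TTL);
    return home_url('/console/?t=' . $token);
}

// Fixed-window limiter per client IP (keyed by the IP's hash, not the raw address).
function hl_ip_allowed(string $ip): bool {
    $key = 'hl_ip_' . hash('sha256', $ip);
    $rec = get_transient($key) ?: ['start' => time(), 'n' => 0];
    if ($rec['n'] >= HL_IP_TRIES) { return false; }
    $rec['n']++;
    set_transient($key, $rec, max(1, HL_IP_WINDOW - (time() - $rec['start'])));
    return true;
}

// Validate a presented token, consuming one attempt; an unknown, expired or
// over-budget link is rejected, and an over-budget one is deleted.
function hl_check_link(string $token, string $ip): bool {
    if (!hl_ip_allowed($ip)) { hl_log("ip-limit ip=$ip"); return false; }
    $key = hl_link_key($token);
    $rec = get_transient($key);
    if ($rec === false) { hl_log("bad-link ip=$ip"); return false; }
    if (++$rec['tries'] > HL_LINK_TRIES) {
        delete_transient($key); hl_log("link-burned ip=$ip"); return false;
    }
    set_transient($key, $rec, max(1, HL_LINK_TTL - (time() - $rec['issued'])));
    hl_log("link-ok ip=$ip");
    return true;
}

// Append one line to the access log; deny web access to this file in .htaccess.
function hl_log(string $event): void {
    file_put_contents(__DIR__ . '/access.log', gmdate('c') . " $event\n", FILE_APPEND | LOCK_EX);
}
```

Call hl_check_link($_GET['t'] ?? '', $_SERVER['REMOTE_ADDR']) before rendering the /console/ login form; the credential check itself stays with WordPress.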
The GraphQL endpoint is available at /graphql. Example query:

```graphql
query GetPosts {
  posts {
    nodes {
      id
      title
      content
    }
  }
}
```
Example optimized query with controlled field exposure:

```graphql
{
  pages(first: 10) {
    nodes {
      id
      title
      featuredImage {
        node {
          id
          sourceUrl
          altText
        }
      }
      # Only exposed meta fields will be available
      pageFields {
        key
        value
      }
    }
  }
}
```
The MYGraphQL plugin allows you to:
- Explicitly define which meta fields are exposed
- Cache frequently accessed data
- Control featured image exposure
- Implement type-specific field restrictions
- Rate limiting is implemented at both IP and attempt levels
- All login attempts are logged in /console/access.log
- Security headers are automatically added to all responses
- Admin area is protected from unauthorized access
```text
www/
├── console/
│   └── index.php          # Custom login implementation
├── wp-content/
│   ├── themes/
│   │   └── headless-theme/ # Headless Theme
│   └── plugins/
│       └── mygraphql/      # GraphQL field control plugin
├── wp-config.php
└── .htaccess
```
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.