
Headless WordPress Theme

Headless WordPress Theme is a minimal WordPress theme built for headless implementations. It keeps WordPress focused on content management and API delivery, while the actual frontend can be handled by another application such as React, Vue, Next.js, Nuxt, Gatsby, or SvelteKit.

The theme is designed to reduce unnecessary frontend behavior, improve API readiness, and make the WordPress admin clearly communicate that the site is running in headless mode.

Overview

In a headless WordPress setup, the public website is usually rendered by a separate frontend application. WordPress acts as the CMS and data source through the REST API or GraphQL.

This theme supports that architecture by returning a 404 response for regular frontend requests, providing a simple informational page, and enhancing WordPress REST API output for easier frontend consumption.

Problem

Traditional WordPress themes are built to render frontend pages. In a headless setup, that behavior is often unnecessary and can create confusion, duplicate frontend surfaces, and additional security exposure.

The goal of this project was to create a clean theme that makes WordPress behave more like a backend CMS while still keeping the admin experience understandable for developers and content editors.

Role

I designed and implemented the theme structure, frontend fallback behavior, REST API enhancements, Customizer options, dashboard indicators, and security hardening.

The project also includes documentation for installation, configuration, frontend integration, recommended plugins, troubleshooting, and development hooks.

Stack

  • WordPress for the CMS
  • PHP for theme functionality
  • WordPress REST API for content delivery
  • WordPress Customizer for editable headless information
  • theme.json for theme configuration

Features

  • Return HTTP 404 for normal frontend requests
  • Show a clean informational page for headless API usage
  • Add REST API fields for headless consumption
  • Provide Customizer settings for title, description, colors, and frontend URL
  • Add admin dashboard indicators for headless mode
  • Disable XML-RPC and pingbacks
  • Hide WordPress version information
  • Keep theme files minimal and focused

API Enhancements

The theme improves REST API responses by adding fields that are commonly needed by frontend applications:

  • Direct featured image URL
  • Page excerpts
  • Cleaner response data for headless usage

These additions make it easier for a separate frontend to fetch posts and pages without repeatedly resolving media or missing page excerpt data.

Security Notes

The theme reduces the WordPress attack surface by disabling XML-RPC, blocking pingbacks and trackbacks, hiding version information, and removing unnecessary frontend behavior.

It is still meant to be used alongside normal WordPress security practices, including HTTPS, proper authentication for protected APIs, rate limiting, CORS configuration, plugin hygiene, and regular updates.
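
One way the hardening measures listed in this section could be wired into a theme's functions.php with standard WordPress hooks. This is an added example, not the theme's own code, and the choice of hooks is an assumption. It shows that the `xmlrpc_enabled` filter on its own leaves the pingback methods callable, so they are removed separately.

```php
<?php
// Added illustration for a theme's functions.php; not taken from the theme itself.

// 1. XML-RPC: this filter only disables methods that require authentication.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Pingback methods need no authentication, so the filter above does not
//    cover them. Remove them from the XML-RPC method table explicitly.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// 3. Stop advertising the pingback endpoint in HTTP response headers.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Report pingbacks and trackbacks as closed for every post, whatever the
//    per-post setting stored in the database says.
add_filter( 'pings_open', '__return_false', 20 );

// 5. Remove the RSD link, which points clients at xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );

// 6. Version information: drop the <meta name="generator"> tag and blank the
//    generator string that feeds would otherwise include.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
```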

Implementation Notes

The theme uses a small WordPress theme structure:

  • style.css for theme metadata
  • index.php for the main response and informational page
  • functions.php for API enhancements and security behavior
  • header.php and footer.php for minimal template support
  • customize.php for Customizer preview behavior
  • theme.json for WordPress theme configuration

This keeps the theme easy to inspect while still covering the important pieces needed in a headless WordPress workflow.

Outcome

The result is a focused WordPress theme for projects that need WordPress as a CMS but do not want WordPress to own the frontend rendering layer.

It can be used as a starter for headless WordPress builds, internal CMS backends, or API-first content projects where the public interface is built with a separate frontend framework.