DEV Community



Headless WordPress + Sapper, JAMstack Security (Part 6)

Now that you have a complete frontend that works independently of WordPress, you can drop the PHP frontend entirely and use WordPress only as a backend.

#1 Security

Restrict access to wp-admin and wp-login.php by IP address and forbid everything else. This requires you to modify the .htaccess file on your WordPress instance and add the rules below.

Note: the address after `allow from` should be replaced with your current IP. If you need to allow access from multiple IP addresses, for example if you have several authors, add an extra `allow from` line for each one.

```apache
<Files wp-login.php>
order deny,allow
deny from all
allow from
</Files>
```

But if you are behind Cloudflare like me, the configuration above will not work, because the connecting address your server sees is Cloudflare's edge and not the visitor's. You need to do something like this instead, matching on the CF-Connecting-IP header that Cloudflare adds.

```apache
# the quoted string is a regex matched against CF-Connecting-IP; put your IP there, anchored and with dots escaped
SetEnvIf CF-Connecting-IP "" MySecretIP
<Files wp-login.php>
order allow,deny
allow from env=MySecretIP
</Files>
```

If you try going to your wp-admin from another IP (test via mobile data) you will get a 403 Forbidden.
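To generate both variants of the rules above for several authors at once, here is a small helper I am adding as an example (it is not code from the original post). It assumes the environment variable name `MySecretIP` from the post and uses constructed documentation-range addresses as sample input; it also rejects anything that is not a valid IP, since an empty or malformed pattern in `SetEnvIf` would match every visitor.

```python
"""Build the wp-login.php IP-allowlist rules for one or more author IPs.
Added example, not from the original post. Sample IPs are constructed."""
import ipaddress
import re

ENV_NAME = "MySecretIP"  # assumed: same variable name as in the post


def _validate(ips):
    """Normalise each address; raises ValueError on anything that is not an IP."""
    if not ips:
        raise ValueError("at least one author IP is required")
    return [str(ipaddress.ip_address(ip.strip())) for ip in ips]


def direct_rules(ips):
    """Rules for a server that sees the visitor's real address (no CDN in front)."""
    lines = ["<Files wp-login.php>", "order deny,allow", "deny from all"]
    # one 'allow from' per author so every author can still log in
    lines += [f"allow from {ip}" for ip in _validate(ips)]
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


def cloudflare_rules(ips):
    """Rules for an origin behind Cloudflare: match CF-Connecting-IP instead.
    The regex is anchored and dot-escaped so 203.0.113.1 cannot match 203.0.113.10."""
    pattern = "^(" + "|".join(re.escape(ip) for ip in _validate(ips)) + ")$"
    lines = [
        f'SetEnvIf CF-Connecting-IP "{pattern}" {ENV_NAME}',
        "<Files wp-login.php>",
        "order allow,deny",
        f"allow from env={ENV_NAME}",
        "</Files>",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    authors = ["203.0.113.10", "198.51.100.7"]  # constructed sample addresses
    print(direct_rules(authors))
    print(cloudflare_rules(authors))
```

The header match only holds up if the origin accepts traffic solely through Cloudflare; a client that can reach the origin directly can send its own CF-Connecting-IP header, so firewall the origin to Cloudflare's ranges as well.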

#2 Ditching the WordPress frontend

The final step is getting rid of the WordPress frontend. Assuming you already have YOUR-DOMAIN pointing to WordPress, you might need to move it to something like SUBDOMAIN.YOUR-DOMAIN and point YOUR-DOMAIN at your Sapper frontend. The easiest way is to use any migration plugin to move to your subdomain so that you don't mess much with the delicate backend. If you have the version, you will have an easier time with this, because you can consume the APIs from your custom WordPress URL.

Also do not forget to change the API endpoints in your .env file.

Here is my repo. The trash folder has the default blog of Sapper.

Here is the Sapper version of the site.
