Infrastructure Control

The Hard-Lock "Backend Only" Mode for WordPress.

Turn WordPress into a secure, headless data origin. Redirect public traffic to your frontend, protect static assets, and manage content safely without exposing your API to the world.

Download Plugin View Documentation

Nuclear Mode for Headless

Designed for staging environments, internal tools, and hybrid React/WP backends. Origin and destination URLs are never defined inside the plugin—you control the policy.

Hard Redirects

Redirects all front-end traffic, including anonymous REST API requests, to a configured external destination. Leaves AJAX, Cron, and WP-CLI untouched.

Ref: README.md

Asset Proxy

PHP validation for static files. Force image and PDF uploads through WordPress permission checks before serving them to the user.

Ref: StaticAssetProtection.md

Traffic Shaping

Built-in support for Blue/Green deployments. Split traffic between two landing URLs based on IP hashing for gradual rollouts.

Ref: Settings.php

Configuration via Code

Perimeter is designed to be environment-neutral. Define your routing logic in a simple MU-plugin filter.

Flexible Logic

Use the wp2_perimeter_config filter to define your landing URL, status code, and whitelisted paths programmatically.

Enabled: True
Status: 302 Found
wp-content/mu-plugins/perimeter-config.php
<?php add_filter( 'wp2_perimeter_config', function ( $config ) { // 1. Activate the perimeter $config['enabled'] = true; // 2. Define external destination $config['landing_url'] = 'https://my-headless-frontend.com'; // 3. Traffic Splitting (Blue/Green) $config['traffic_mode'] = 'split'; $config['landing_url_green'] = 'https://beta.frontend.com'; $config['green_percent'] = 25; // 4. Whitelist critical paths $config['whitelisted'] = [ 'healthcheck', 'api/internal/*', ]; return $config; } );

Safety First

Infrastructure-grade software needs fail-safes. WP2 Perimeter ensures you never get locked out of your own backend.

  • Emergency Failsafe: If no admin activity is detected for 24 hours, the perimeter can auto-release to prevent permanent lockout.
  • JWT Tokens: Authenticate headless preview requests via Bearer tokens without needing a full session.
  • IP Allowlist: Bypass redirects for office IP ranges or VPN subnets.

24h

Lockout Timer

Future Roadmap

We are constantly evolving to support complex infrastructure needs.

Planned

Origin-Based Routing

Redirect only from specific domains or handle different destinations per hostname.

In Consideration

Per-Role Destinations

Direct Editors to a specific portal while sending public traffic to the main site.

Backlog

Environment Profiles

Switchable modes for Local, Staging, and Production environments via config profiles.