Mainframe

Headless WordPress Theme — Full Dashboard, Full REST API, Minimal Public Face

Download Latest Release View on GitHub

Mainframe is a free, open source WordPress theme built for developers who use WordPress as a backend CMS and REST API source rather than a public-facing website. It treats the admin dashboard as the product and the public frontend as an implementation detail. The full wp-admin experience remains intact — posts, media, users, and any plugin that operates inside the admin panel continue to work without change.

No plugins required. No build tools. No external dependencies. Distributed via GitHub Releases with a built-in auto-updater that surfaces new versions through the standard WordPress Appearance → Themes UI.

REST API

Every registered post type is force-exposed via show_in_rest on activation. An opt-out filter (mainframe_expose_post_type_in_rest) is available for post types that should remain private. Beyond basic exposure, Mainframe adds fields to every REST response that headless setups almost always need but have to wire up manually.

  • featured_media_url

    A direct image URL on the post object. No second request to /wp/v2/media/:id needed.

  • featured_media_sizes

    A map of every registered image size name to its URL (thumbnail, medium, full, and any custom sizes). External URLs return {"full": url}.

  • author_info

    A complete author object inline — id, name, slug, avatar URL, description, and profile URL. Eliminates the follow-up request to /wp/v2/users/:id.

  • categories_info

    An array of category objects with id, name, and slug rather than a bare array of IDs.

  • ancestor_ids

    An ordered array of ancestor IDs (nearest-to-root) for hierarchical post types. Useful for breadcrumb generation in the consuming app. Returns [] for flat types.

  • frontend_link

    The WordPress permalink passed through the mainframe_frontend_link filter. Override it per post type to map WordPress URLs to your frontend app's URL structure.

  • /wp-json/mainframe/v1/site

    A single-call site summary endpoint: site name, description, URL, logo, and all navigation menus with their top-level items. Everything a consuming app needs to render a header in one request.

  • CORS

    Configurable Access-Control-Allow-Origin header in Mainframe Settings. Leaving it empty keeps WordPress default behavior.

Public Frontend

The front page is a blank white canvas by default. Through the WordPress Customizer it optionally displays a logo, headline, short message, and linktree-style link cards populated from navigation menus. All archive, search, author, and date routes redirect to the front page. Singular posts and pages redirect by default, with a per-post meta box that overrides the site default on a post-by-post basis.

  • Per-post route behavior

    Each post has a Public Route Behavior meta box with three options: use site default, show content, or redirect to home. The _mainframe_route_behavior value is exposed in the REST API.

  • Plugin routes untouched

    Plugin-generated routes and custom rewrite rules are left intact. Only standard WordPress route types (archives, search, author pages, singular posts) are affected.

Admin Cleanup & Security

  • Admin cleanup

    Irrelevant Customizer sections, Appearance → Patterns, Settings → Reading, Settings → Discussion, and the block editor Discussion and Preview panels are all removed. The classic editor Preview button is filtered out via preview_post_link. These changes reduce the admin surface area to what is useful in a headless context.

  • Custom login URL

    When a slug is configured, /wp-login.php is blocked and the login form is served at the custom path. All WordPress-generated login, logout, and lost-password URLs are rewritten automatically. No slug is set by default.

  • Robots & sitemap hardening

    When “Discourage search engines” is enabled, the WordPress core XML sitemap is disabled and X-Robots-Tag: noindex, nofollow is added to all public-facing page responses. Both follow blog_public and are toggled as part of Headless Quick Setup.

Featured Images & Deploy Webhook

  • Featured Image URL field

    A per-post Featured Image URL field in both the block editor and classic editor stores an external image URL that overrides the attached featured image in all REST responses. Posts previously using the Featured Image from URL plugin display their existing images automatically without re-entry.

  • Default featured image

    A site-wide fallback image URL in Mainframe Settings serves as the featured_media_url value for posts with no featured image of any kind.

  • Deploy webhook

    Fires a non-blocking HTTP POST whenever a post is published or unpublished. The JSON body (event, post_id, post_type, site_url) is consumed directly by Vercel, Netlify, and Cloudflare Pages deploy hooks. An optional HMAC-SHA256 signing secret adds an X-Mainframe-Signature header. A 10-second site-wide cooldown prevents flooding.

Auto-Updates & REST API Reference

  • Auto-updates

    Mainframe checks the GitHub Releases API every 12 hours and surfaces available updates through the standard WordPress Appearance → Themes UI. One-click updates install mainframe.zip attached to the latest release. No plugin required.

  • Live REST API Reference

    Appearance → REST API Reference is a browseable admin page that introspects the live REST API at render time. Any field added by a plugin or custom code appears automatically. All mainframe/v1 endpoints are documented with response schemas. Extra fields registered via register_rest_field are listed with Mainframe or Custom source badges.

Headless Quick Setup

On first activation, Mainframe runs in safe mode — all WordPress content is publicly accessible at standard URLs. A persistent admin notice links to a Quick Setup card in Mainframe Settings with five opt-in checkboxes:

  • Redirect all public routes to home — sets Default Route Behavior to Redirect
  • Discourage search engine indexing — sets blog_public = 0
  • Disable comments and pingbacks — closes comments/pings on new posts
  • Flat upload folder structure — disables year/month subfolders (skipped if folders exist)
  • Custom login URL slug — sets a slug and blocks /wp-login.php

All settings are reversible from Mainframe Settings after setup. Dismissing the admin notice applies nothing.

Requirements & Installation

Mainframe requires WordPress 6.0 or later and PHP 8.0 or later. No build tools, no npm, no external dependencies.

Download the latest release ZIP from GitHub, then install via Appearance → Themes → Add New → Upload Theme in wp-admin. Activate the theme and follow the Quick Setup notice to configure headless defaults.

Download mainframe.zip → GitHub repository → All releases →

Need a Custom WordPress Solution?

Custom WordPress plugin development, REST API integrations, or headless WordPress setup — reach out to discuss your project.

Get in touch →