Reference

Best Practices

Patterns that keep your headless WordPress project maintainable and secure.

Code Organisation

  • One file for all WordPress fetches. Keep all API calls in src/lib/wordpress.ts. Never fetch directly inside components.
  • Type everything. Define TypeScript interfaces for every WordPress data shape. It catches errors before production.
  • Keep components focused. Server components fetch data. Client components handle interactivity. Do not mix them.

WordPress Administration

  • Never delete the active theme. Even headless WordPress needs an active theme. Keep Twenty Twenty-Four active — it will not be visible to users.
  • Use a staging environment before editing functions.php. A PHP syntax error can lock you out of wp-admin entirely.
  • Back up before every major change. Hostinger has built-in backups. Use them.

Security

  • Never commit .env.local to GitHub. Add it to .gitignore. Use Vercel or Cloudflare environment variable settings for production values.
  • Rotate your revalidation secret if you think it was exposed.
  • Keep all WordPress plugins updated. Plugin vulnerabilities are the most common WordPress attack vector.
  • Use a strong password for the WordPress admin — the CMS is now publicly reachable via its subdomain.
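The revalidation secret mentioned above is only as good as the check that guards the revalidation endpoint. The following is an added example, not code from this project or from Next.js: it shows how a Route Handler can verify the secret against an environment variable in constant time and refuse requests outright when the variable is unset, so that rotating the secret (changing the variable and redeploying) immediately invalidates the old value. The variable name REVALIDATION_SECRET and the header name x-revalidation-secret are assumptions.

```typescript
// Added example (not the project's own code): constant-time verification of the
// on-demand revalidation secret. Assumptions: the secret is stored in the
// REVALIDATION_SECRET environment variable (.env.local locally, Vercel or
// Cloudflare settings in production) and the caller sends it in the
// x-revalidation-secret header. Both names are assumed, not from the page.
import { timingSafeEqual } from "node:crypto";

// Compare the presented secret with the configured one in constant time, so the
// response time leaks nothing about how many leading bytes matched.
export function secretMatches(
  presented: string | null | undefined,
  expected: string | undefined,
): boolean {
  // A missing or empty configured secret must fail closed, never match "".
  if (!presented || !expected) return false;
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  // timingSafeEqual throws on differing lengths; length is not secret here.
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// Decide the HTTP outcome. The secret is read from `env` on every request, so a
// redeploy with a rotated value takes effect without any code change.
export function revalidationDecision(
  presented: string | null,
  env: Record<string, string | undefined> = process.env,
): { status: number; body: string } {
  if (!secretMatches(presented, env.REVALIDATION_SECRET)) {
    return { status: 401, body: "Invalid revalidation secret" };
  }
  return { status: 200, body: "Revalidated" };
}

// Route Handler body for app/api/revalidate/route.ts (assumed path). On success
// the app would call Next.js's revalidatePath/revalidateTag here; that call is
// left out so the module runs outside Next.js.
export function handleRevalidate(headers: { get(name: string): string | null }): {
  status: number;
  body: string;
} {
  return revalidationDecision(headers.get("x-revalidation-secret"));
}
```

Because the check reads the environment on each request and rejects an unset variable, a forgotten secret in production cannot silently turn into an open revalidation endpoint.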

Performance

  • Always use ?_embed in API requests to get featured images in a single request.
  • Use Next.js Image for all images — automatic WebP conversion, lazy loading, and responsive sizes.
  • Set appropriate revalidate values:

    Page Type                        Revalidate
    Static pages (About, Contact)    86400 (24h)
    Blog posts                       3600 (1h)
    Homepage news banner             1800 (30min)
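The Code Organisation rules (one fetch file, typed shapes, fetching only in server components) and the Performance rules (?_embed, revalidate windows) come together in one module. The following is an added example of such a module and is not this project's src/lib/wordpress.ts: it types the standard wp/v2 post shape, validates the response at runtime (TypeScript interfaces are erased at compile time, so they do not protect against an unexpected or tampered response), builds the REST URL with URLSearchParams so a route slug cannot alter the path, and injects the transport so the code can be exercised offline. The WORDPRESS_URL variable name and the JsonFetcher injection are assumptions.

```typescript
// Added example (not the project's own code): a typed single-file fetch layer of
// the kind src/lib/wordpress.ts is meant to hold. Assumed: the WORDPRESS_URL
// environment variable and the JsonFetcher injection. The REST shapes are the
// standard wp/v2 ones returned with ?_embed.

export interface WPRendered { rendered: string }
export interface WPMedia { source_url: string; alt_text?: string }

// Raw post as returned by /wp-json/wp/v2/posts?_embed (only the fields used here).
export interface WPPostRaw {
  id: number;
  slug: string;
  date: string;
  title: WPRendered;
  excerpt: WPRendered;
  content: WPRendered;
  _embedded?: { "wp:featuredmedia"?: WPMedia[] };
}

// Flat shape handed to components, featured image already resolved.
export interface Post {
  id: number;
  slug: string;
  date: string;
  title: string;
  excerptHtml: string;
  contentHtml: string;
  featuredImage: { url: string; alt: string } | null;
}

// Revalidation windows in seconds, matching the table above.
export const REVALIDATE = { staticPage: 86400, post: 3600, newsBanner: 1800 } as const;

// Interfaces are erased at compile time, so the body is checked at runtime
// before anything from the CMS reaches the rendering layer.
export function isWPPostRaw(value: unknown): value is WPPostRaw {
  if (typeof value !== "object" || value === null) return false;
  const v = value as Record<string, unknown>;
  const rendered = (f: unknown): boolean =>
    typeof f === "object" && f !== null &&
    typeof (f as { rendered?: unknown }).rendered === "string";
  return typeof v.id === "number" && typeof v.slug === "string" &&
    typeof v.date === "string" && rendered(v.title) &&
    rendered(v.excerpt) && rendered(v.content);
}

// Flatten one raw post; the featured image comes from the _embedded block.
export function toPost(raw: WPPostRaw): Post {
  const media = raw._embedded?.["wp:featuredmedia"]?.[0];
  return {
    id: raw.id,
    slug: raw.slug,
    date: raw.date,
    title: raw.title.rendered,
    excerptHtml: raw.excerpt.rendered,
    contentHtml: raw.content.rendered,
    featuredImage: media ? { url: media.source_url, alt: media.alt_text ?? "" } : null,
  };
}

// Build the REST URL with URLSearchParams, so a slug taken from the route cannot
// alter the path or smuggle in extra query parameters.
export function postsUrl(baseUrl: string, params: { slug?: string; perPage?: number } = {}): string {
  const url = new URL("/wp-json/wp/v2/posts", baseUrl);
  url.searchParams.set("_embed", "1");
  if (params.slug) url.searchParams.set("slug", params.slug);
  if (params.perPage) url.searchParams.set("per_page", String(params.perPage));
  return url.toString();
}

// Validate a parsed JSON body; one malformed item rejects the whole response.
export function parsePosts(body: unknown): Post[] {
  if (!Array.isArray(body) || !body.every(isWPPostRaw)) {
    throw new Error("Unexpected response shape from the WordPress REST API");
  }
  return body.map(toPost);
}

// The transport is injected so the module can be exercised without a network.
export type JsonFetcher = (url: string) => Promise<unknown>;

// Production fetcher: `next.revalidate` is the Next.js fetch extension that sets
// the ISR window; the intersection type keeps this compiling outside Next.js.
export const nextFetcher: JsonFetcher = async (url) => {
  const init: RequestInit & { next?: { revalidate: number } } = { next: { revalidate: REVALIDATE.post } };
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`WordPress API responded ${res.status}`);
  return res.json();
};

// The single entry point server components call for post lists.
export async function getPosts(perPage = 10, fetchJson: JsonFetcher = nextFetcher): Promise<Post[]> {
  const base = process.env.WORDPRESS_URL;
  if (!base) throw new Error("WORDPRESS_URL is not set");
  return parsePosts(await fetchJson(postsUrl(base, { perPage })));
}

// Constructed sample body, shaped like /wp-json/wp/v2/posts?_embed.
export const SAMPLE_RESPONSE: unknown = [{
  id: 42, slug: "hello-headless", date: "2024-05-01T10:00:00",
  title: { rendered: "Hello headless" },
  excerpt: { rendered: "<p>Intro</p>" },
  content: { rendered: "<p>Body</p>" },
  _embedded: { "wp:featuredmedia": [{ source_url: "https://cms.example.com/uploads/hero.jpg", alt_text: "Hero" }] },
}];
```

A server component calls getPosts() and passes the resulting Post[] to client components as props; the runtime guard means a malformed or partial response fails loudly at the fetch boundary instead of surfacing as an undefined property somewhere in the UI.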