This plugin overrides WordPress's native preview functionality and securely sends you to your decoupled frontend to preview your content. This ensures that your preview content has parity with your published content. It works by issuing a one-time use token, locked to a specific post, that can be redeemed by the frontend to obtain preview content for that post.
This plugin currently only works with our Next.js boilerplate and should be disabled if you are not using it. If you are interested in using this plugin for other frontend frameworks, there are two main components that need to be implemented:
- Redirect logic that intercepts preview requests that are missing a token and sends them back to WordPress so that a token can be generated. See this config block in our Next.js boilerplate. This is necessary because of the lack of filterability of preview links in the block editor.
- A preview route that will extract the token and add it to a special request header for preview queries. See this preview route in our Next.js boilerplate.
Default: 3600 (one hour in seconds)
Filter the token lifetime (expiration window). Note that this is subject to a (filterable) maximum (see below).
Default: 10800 (three hours in seconds)
Filter the maximum allowed token lifetime. The default value represents a reasonable trade-off between utility and security, but longer lifetimes may represent an acceptable risk for some organizations.
Default: true
Filter whether to expire the token on use. By default, tokens are "one-time use" and we mark them as expired as soon as they are used. If you want to allow tokens to be used more than once, filter this value to false.
Understand the security implications of this change: Within the expiration window, tokens / preview URLs become bearer tokens for viewing the associated draft post preview. Anyone who possesses them will be able to view and share the preview, even if they are not an authorized WordPress user.