Gallop

Gallop is the headless WordPress REST API for Next.js that’s FAST and SIMPLE. Keep the WordPress you write in, lose the theme that slows you down — and ship your whole page from one request.

The WordPress editing experience your team already knows, with the speed of a fully decoupled Next.js front end. One endpoint, one response, done.

Visit the Gallop homepage & documentation →

Most headless setups make you stitch together a waterfall of core WordPress REST calls per page — /wp/v2/posts, /wp/v2/media, meta, and taxonomy — then bolt on a JWT layer and an auth service just to log a user in. Gallop replaces all of that.

One request. The whole page. Hand Gallop a URI and it returns the post body, an SEO block, and your global site data — already joined, already resolved, ready to render. The API is the point: a dedicated, Next.js-shaped REST namespace (/wp-json/gallop/v1) so your front-end code stays simple — one fetch, one response, ready to render.

Why choose Gallop?

• One round trip instead of five. Everything a page needs — post, seo, and site — in a single response.
• No JWT, no API keys, no separate auth service. Cookie-based login is built in and wired to WordPress’s own wp_signon().
• SEO done for you. With Yoast active, the seo block ships search-ready out of the box.
• No-code custom post types. Register REST-enabled CPTs from the admin — no register_post_type() boilerplate.
• Instant publishing. Publish in WordPress and Gallop revalidates the affected Next.js routes automatically — no full redeploy.
• Framework-agnostic JSON. Next.js is the reference target, but any HTTP client can consume the API.
• Keep your workflow. Your editors keep the exact WordPress publishing experience they already rely on.

Everything a page needs, in one request

Hand Gallop a URI and it returns the whole page in a single response: the full post, its seo metadata, and your global site data, already joined, already resolved, ready to render. GET|POST /gallop/v1/post handles posts and pages, and POST /gallop/v1/category does the same for taxonomy archives. No waterfall of /wp/v2/posts, /wp/v2/media, meta, and taxonomy calls per page — one round trip instead of five, with no JWT, API keys, or complicated authentication to set up. Your front end stays simple, and your pages load fast.

The SEO is done for you. With Yoast active, the seo block is populated straight from Yoast’s indexables (canonical, meta description, OpenGraph, robots flags, reading time) so every page ships search-ready out of the box. Without Yoast, seo comes back as an empty object instead of disappearing, so your front end can check it and fall back to its own defaults.

Login, editing, and cache revalidation, already wired up

Moving off a WordPress template usually means rebuilding everything it gave you for free. Gallop ships with it already done. Cookie-based login is wired into the front end through the Gallop plugin, so editors sign in on your Next.js site with their normal WordPress credentials — no JWT layer, no separate auth service to stand up, and no API keys to manage.

Editing works the way your team already knows. Publish or update a post or page in WordPress and Gallop tells your Next.js site to revalidate the affected routes and clear their cache, so changes and new posts go live instantly with no full redeploy. Login, editing, and cache invalidation are all baked in, so you keep the WordPress workflow your team relies on and still ship a fast Next.js front end.

Settings and custom post types, configured from WordPress

Point Gallop at your Next.js production URL and it 301-redirects public WordPress front-end requests to the matching path on your headless host. Admin, REST API, and previews are left untouched.

Register REST-enabled custom post types from the Post Types tab and they’re immediately available through the Gallop namespace — no register_post_type() boilerplate, no developer round trip. Core post types are left alone, and content you create survives a deactivate/uninstall.

Trusted on real production sites

Gallop isn’t a proof of concept — it powers live production sites today:

• douglasnewby.com
• cmwelectric.com
• winx.gallop.software

Every one edits in WordPress and ships a fast Next.js front end — headless content, real Google rankings and structured data, no theme holding it back, and the same WordPress publishing experience your team already knows.

See how Gallop powers headless WordPress →

REST endpoints

All endpoints live under the gallop/v1 namespace.

• GET|POST /gallop/v1/post — Resolve a front-end URI to a post and return post, seo, and site payloads. Accepts uri as a parameter.
• POST /gallop/v1/category — Resolve a category URI to a term and return category, seo, and site payloads.
• POST /gallop/v1/auth/login — Cookie-based login for a headless front end. Accepts username, password, and optional remember. Rate-limited per username/IP.
• POST /gallop/v1/auth/logout — Log out the current user.
• GET /gallop/v1/auth/session — Return the current user payload, or { "user": null } when not logged in.

Login support

Gallop ships with everything a Next.js site needs to authenticate users against WordPress — no extra plugin, no JWT layer to wire up:

• Cookie-based login via POST /gallop/v1/auth/login, which calls WordPress’s built-in wp_signon() and sets the standard auth cookies. A Next.js front end on the same registered domain can then make authenticated requests with credentials included.
• Session checks via GET /gallop/v1/auth/session, so your front end can tell whether a visitor is logged in and render accordingly.
• Logout via POST /gallop/v1/auth/logout.
• Brute-force protection out of the box: five failed attempts per username + client IP within fifteen minutes return HTTP 429 until the window expires, with optional reverse-proxy IP awareness for sites behind Cloudflare or a load balancer.

SEO integration

When the Yoast SEO plugin is active, the seo block in the post and category responses is populated from Yoast’s indexable data (canonical, meta description, OpenGraph fields, robots flags, reading time, etc.). Without Yoast, seo is returned as an empty object so clients can branch safely.

Action hooks

• gallop_auth_login_success — fires after a successful REST login. Args: WP_User $user, WP_REST_Request $request.
• gallop_auth_login_failed — fires after a failed REST login. Args: string $username, WP_REST_Request $request.
• gallop_auth_logout — fires after a REST logout. Args: WP_User $user, WP_REST_Request $request.

Filter hooks

• gallop_trust_forwarded_ip — filter the boolean controlling whether reverse-proxy IP headers (CF-Connecting-IP, X-Forwarded-For) are trusted when rate-limiting REST auth. Defaults to the “Trust proxy IP headers” setting. Only enable behind a trusted proxy that overwrites these headers, otherwise the per-IP rate limit can be bypassed by spoofing them.

Data stored

• gallop_post_types (option) — your custom post type definitions.
• gallop_nextjs_production_url (option) — the redirect target, if configured.
• gallop_trust_forwarded_ip (option) — whether to trust reverse-proxy IP headers when rate-limiting auth (default off).
• gallop_auth_* (transients) — short-lived login rate-limit counters.

Privacy

Gallop does not send any data to external services. All data stays on your WordPress site.

The /gallop/v1/auth/login endpoint authenticates users with WordPress’s built-in wp_signon() and sets the standard WordPress auth cookies. To mitigate brute-force attacks, Gallop temporarily stores failed-login counters in WordPress transients keyed by username and by the requesting IP address. These counters expire automatically (typically within 15 minutes) and are removed on plugin uninstall.

No personal data is shared with third parties. No tracking, analytics, or telemetry is performed.