Recommended Setup

Novamira is designed for development and staging environments. This page covers best practices for getting the most out of it while minimizing risk.

Use a staging environment

Run Novamira on staging, development, or local sites only. Don’t activate AI abilities on production. See “Can I use Novamira on a live/production site?” for the full reasoning and the technical safeguards (domain lock, MCP client config, sandbox loader behavior).

If you do not have a staging environment, most WordPress hosting providers offer one-click staging. Alternatively, set up a local environment with LocalWP, wp-env, DDEV, or Lando.

Keep backups

Before starting a session with an AI agent, make sure you have a recent backup. Most hosting providers offer automated daily backups. For extra safety, create a manual backup before major operations.

Novamira does not create backups and does not roll back changes. The AI agent can modify files, alter database tables, and change plugin settings. Backups are your safety net.

Configure tool approval in your AI client

Most MCP-compatible AI clients support a “require approval” or “ask before running” mode for MCP tools. This means the AI proposes an action, and you review and approve it before it executes. This is the recommended workflow.

Examples:

  • Claude Code: By default, asks for approval before running tools. You can approve individual actions or allow specific tools to run automatically.
  • Claude Desktop: Shows a confirmation dialog for each tool invocation.
  • Cursor: Agent mode requests permission before running MCP tools.

The review step is important: it lets you catch unintended operations before they run. Even the best AI models can misinterpret instructions.

Choose the right model

The AI model reads content from your WordPress site: database entries, file contents, plugin output. This content could include adversarial instructions designed to manipulate the model into unintended actions (prompt injection). Use models with built-in protections against prompt injection, and always review proposed actions before approving them.

For best results, use capable, instruction-following models. Models that are good at code generation and reasoning tend to make better use of the WordPress environment and are less likely to make mistakes.

Start small

When working with a new AI agent or model, start with read-only operations: listing plugins, reading configuration files, querying the database. This lets you verify the connection works and gives you a feel for how the model interacts with WordPress before giving it write access.

Review sandbox files

After an AI agent creates files in the sandbox, review them. Go to Novamira > Sandbox in the admin, or read the files using a code editor. Sandbox files run on every WordPress request, so they should be reviewed like any other plugin code.

If a sandbox file looks wrong or you are unsure about it, disable it first (rather than deleting it) so you can re-enable it later if needed.

Revoke unused credentials

When you are done working with an AI agent, consider revoking the application password used for that session. This is especially important if you shared the password with a tool or service you no longer use. See Authentication for details.
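
One way to find application passwords left over from earlier agent sessions, as an added example rather than Novamira's own code. It assumes the credential is a WordPress core application password managed through the core REST route /wp/v2/users/me/application-passwords; the site URL, user name, entry names and UUIDs are constructed placeholders.

```python
"""Added example: find and revoke idle WordPress application passwords."""
import base64
import json
import urllib.request
from datetime import datetime, timedelta

# Constructed sample of a GET /wp-json/wp/v2/users/me/application-passwords
# response (timestamps are UTC, as WordPress returns them).
SAMPLE = [
    {"uuid": "11111111-aaaa-4bbb-8ccc-000000000001", "name": "agent-session-staging",
     "created": "2025-01-10T09:00:00", "last_used": "2025-01-10T11:30:00"},
    {"uuid": "11111111-aaaa-4bbb-8ccc-000000000002", "name": "old-mcp-client",
     "created": "2024-06-01T08:00:00", "last_used": None},
    {"uuid": "11111111-aaaa-4bbb-8ccc-000000000003", "name": "ci-deploy",
     "created": "2024-12-01T08:00:00", "last_used": "2025-01-14T07:00:00"},
]


def idle_passwords(entries, now, max_idle_days=3):
    """Return entries not used within max_idle_days; never-used ones age from creation."""
    cutoff = now - timedelta(days=max_idle_days)
    idle = []
    for e in entries:
        last = e.get("last_used") or e["created"]
        if datetime.fromisoformat(last) < cutoff:
            idle.append(e)
    return idle


def revoke(site, user, app_password, uuid):
    """DELETE one application password via the core REST API (HTTPS only)."""
    if not site.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    url = f"{site.rstrip('/')}/wp-json/wp/v2/users/me/application-passwords/{uuid}"
    token = base64.b64encode(f"{user}:{app_password}".encode()).decode()
    req = urllib.request.Request(url, method="DELETE",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("deleted", False)


if __name__ == "__main__":
    now = datetime(2025, 1, 15, 12, 0, 0)  # fixed so the sample run is stable
    for e in idle_passwords(SAMPLE, now):
        print(f"idle: {e['name']} ({e['uuid']}), last used: {e['last_used'] or 'never'}")
        # Placeholder call; fill in your own staging URL and credentials:
        # revoke("https://staging.example.test", "admin", "xxxx xxxx xxxx", e["uuid"])
```

Entries that were created but never used are treated as idle once they are older than the threshold, since an unused credential is still a valid one.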

Monitor the admin bar

When AI abilities are enabled, a red Novamira ON indicator appears in the WordPress admin bar. This is a persistent visual reminder that AI agents can access your site. If you see this on a site where it should not be active, disable AI abilities immediately in Novamira > Settings.

Give your AI a visual feedback loop

Novamira lets your AI write PHP, edit files, and query the database, but by default it is working blind. For anything involving the frontend, pair Novamira with a browser control tool so the AI can open the site, inspect the DOM, take screenshots, and verify its own work.

Recommended setups:

  • Chrome DevTools MCP: lets the AI drive a real Chrome tab. Best for fast iteration and inspecting computed styles, console errors, and network requests.
  • Playwright: full browser automation across Chromium, Firefox, and WebKit. Ideal when you want repeatable scripted checks.
  • Puppeteer: headless Chrome automation. Good for screenshots and DOM scraping from the AI side.

Any of these turns Novamira into a closed loop: the AI builds with Novamira, then opens the page in a browser, sees the result, and corrects itself. Without this loop, you end up testing visual work manually for the AI; with it, the AI catches its own mistakes.