Recommended Setup

Novamira is designed for development and staging environments. This page covers best practices for getting the most out of it while minimizing risk.

Use a staging environment

Run Novamira on a staging copy of your site, not on production. Most WordPress hosting providers offer one-click staging environments. Use that. If something goes wrong, you can reset the staging environment without affecting your live site.

If you do not have a staging environment, consider a local development setup using tools like LocalWP, wp-env, DDEV, or Lando.

Keep backups

Before starting a session with an AI agent, make sure you have a recent backup. Most hosting providers offer automated daily backups. For extra safety, create a manual backup before major operations.

Novamira does not create backups and does not roll back changes. The AI agent can modify files, alter database tables, and change plugin settings. Backups are your safety net.

Configure tool approval in your AI client

Most MCP-compatible AI clients support a “require approval” or “ask before running” mode for MCP tools. This means the AI proposes an action, and you review and approve it before it executes. This is the recommended workflow.

Examples:

  • Claude Code: By default, asks for approval before running tools. You can approve individual actions or allow specific tools to run automatically.
  • Claude Desktop: Shows a confirmation dialog for each tool invocation.
  • Cursor: Agent mode requests permission before running MCP tools.

The review step is important: it lets you catch unintended operations before they run. Even the best AI models can misinterpret instructions.

Choose the right model

The AI model reads content from your WordPress site: database entries, file contents, plugin output. This content could include adversarial instructions designed to manipulate the model into unintended actions (prompt injection). Use models with built-in protections against prompt injection, and always review proposed actions before approving them.

For best results, use capable, instruction-following models. Models that are good at code generation and reasoning tend to make better use of the WordPress environment and are less likely to make mistakes.

Start small

When working with a new AI agent or model, start with read-only operations: listing plugins, reading configuration files, querying the database. This lets you verify the connection works and gives you a feel for how the model interacts with WordPress before giving it write access.

Review sandbox files

After an AI agent creates files in the sandbox, review them. Go to Novamira > Sandbox in the admin, or read the files using a code editor. Sandbox files run on every WordPress request, so they should be reviewed like any other plugin code.

If a sandbox file looks wrong or you are unsure about it, disable it first (rather than deleting it) so you can re-enable it later if needed.

Revoke unused credentials

When you are done working with an AI agent, consider revoking the application password used for that session. This is especially important if you shared the password with a tool or service you no longer use. See Authentication for details.

Monitor the admin bar

When AI abilities are enabled, a red Novamira ON indicator appears in the WordPress admin bar. This is a persistent visual reminder that AI agents can access your site. If you see this on a site where it should not be active, disable AI abilities immediately in Novamira > Settings.