@adsim/wordpress-mcp-server
v4.6.0
Published
A Model Context Protocol (MCP) server for WordPress REST API integration. Manage posts, search content, and interact with your WordPress site through any MCP-compatible client.
Maintainers
adsimReadme
WordPress MCP Server
Enterprise Governance · Audit Trail · Multi-Site · Plugin-Free
The enterprise governance layer for Claude-to-WordPress integrations — secure, auditable, and multi-site.
v4.6.0 Enterprise · 92 tools · 767 Vitest tests · GitHub Actions CI · HTTP Streamable transport · MCPB bundle · SEO metadata · SEO audit suite · Content intelligence · Plugin intelligence · Plugin layer (ACF, Elementor) · Plugin & theme management · Revision control · Editorial approval workflow · Destructive confirmation · Internal link analysis · WooCommerce (read + intelligence + write) · Execution controls · JSON audit trail · Multi-site targeting
Architecture
┌─────────────────────────┐
│ Claude Client │ Claude Desktop · Claude Code · Any MCP client
└────────────┬────────────┘
│ MCP Protocol (stdio or HTTP Streamable)
┌────────────▼────────────┐
│ WordPress MCP Server │ Node.js · Standalone · No WordPress plugin
├─────────────────────────┤
│ Execution Controls │ Read-only · Draft-only · Plugin mgmt · Type/status allowlists
├─────────────────────────┤
│ Audit Logging │ JSON on stderr · 79 instrumentation points
├─────────────────────────┤
│ Rate Limiting │ Client-side · Configurable per-minute cap
├─────────────────────────┤
│ HTTP Transport │ Bearer auth · Session management · Origin validation
└────────────┬────────────┘
│ HTTPS + WordPress Application Password (Basic Auth over TLS)
┌────────────▼────────────┐
│ WordPress REST API │ Single site or multi-target
└─────────────────────────┘Why This Server
Most WordPress MCP servers focus on what you can do. This one focuses on what you should be allowed to do — and who can verify it happened.
In regulated environments — financial services, healthcare, legal, government — AI-powered content operations need guardrails. This server provides them out of the box: read-only mode for monitoring, draft-only mode for review workflows, structured audit logs for compliance, and multi-site management for agencies operating across client portfolios.
No composer, no PHP build, no WordPress admin plugin. Point it at any WordPress site with an Application Password, configure your execution policy, and connect your Claude client.
Safety Model
This server is designed for safe operation in production environments:
- Default non-destructive — delete operations must be explicitly enabled
- Configurable execution modes — read-only, draft-only, or full access per deployment
- Pre-flight enforcement — all guardrails checked before any API call is made
- Full audit trail — every action logged with timestamp, target, outcome, and latency
- Credential isolation — secrets never appear in logs or error outputs
- Multi-tenant ready — independent auth and config per WordPress target
Data Retention
The server does not store or persist WordPress content. All processing is stateless — content flows through the server and is never cached, written to disk, or retained in memory beyond the scope of a single tool invocation. Audit logs are emitted to stderr in real-time and can be disabled (WP_AUDIT_LOG=off) or redirected to any logging pipeline based on deployment requirements. Zero data retention by design.
Quick Start
Requirements
- Node.js >= 18
- WordPress site with REST API enabled (default since WP 4.7)
- WordPress Application Password (WP 5.6+)
- HTTPS endpoint (required for production)
- WooCommerce 3.5+ (optional, for WooCommerce tools)
Install from npm (recommended)
# Run directly — no install needed
npx -y @adsim/wordpress-mcp-server
# Or install globally
npm install -g @adsim/wordpress-mcp-serverInstall from GitHub
git clone https://github.com/GeorgesAdSim/wordpress-mcp-server.git
cd wordpress-mcp-server
npm installConfigure
Create a .env file:
WP_API_URL=https://yoursite.com
WP_API_USERNAME=your-username
WP_API_PASSWORD=xxxx xxxx xxxx xxxx xxxx xxxx
# Optional: WooCommerce (generate at WooCommerce → Settings → Advanced → REST API)
WC_CONSUMER_KEY=ck_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
WC_CONSUMER_SECRET=cs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxTo generate an Application Password: WordPress Admin → Users → Profile → Application Passwords → Add New.
Connect to Claude Desktop
Add to claude_desktop_config.json:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"wordpress": {
"command": "npx",
"args": ["-y", "@adsim/wordpress-mcp-server"],
"env": {
"WP_API_URL": "https://yoursite.com",
"WP_API_USERNAME": "your-username",
"WP_API_PASSWORD": "xxxx xxxx xxxx xxxx xxxx xxxx"
}
}
}
}Connect to Claude Code
claude mcp add wordpress \
-e WP_API_URL=https://yoursite.com \
-e WP_API_USERNAME=your-username \
-e WP_API_PASSWORD="xxxx xxxx xxxx xxxx xxxx xxxx" \
-- npx -y @adsim/wordpress-mcp-serverHTTP Streamable Transport
New in v3.0.0 — Run the server over HTTP instead of (or alongside) stdio, following the MCP spec 2025-03-26.
Start in HTTP mode
MCP_TRANSPORT=http \
MCP_HTTP_PORT=3000 \
MCP_AUTH_TOKEN=your-secret-token \
WP_API_URL=https://yoursite.com \
WP_API_USERNAME=your-username \
WP_API_PASSWORD="xxxx xxxx xxxx xxxx" \
npx -y @adsim/wordpress-mcp-serverDual mode (stdio + HTTP simultaneously)
MCP_TRANSPORT=http \
MCP_DUAL_MODE=true \
MCP_AUTH_TOKEN=your-secret-token \
npx -y @adsim/wordpress-mcp-serverHTTP environment variables
| Variable | Default | Description |
|---|---|---|
| MCP_TRANSPORT | stdio | Set to http to enable HTTP Streamable transport |
| MCP_HTTP_PORT | 3000 | HTTP server port |
| MCP_HTTP_HOST | 127.0.0.1 | Bind address |
| MCP_AUTH_TOKEN | (none) | Bearer token for authentication (required in HTTP mode) |
| MCP_ALLOWED_ORIGINS | (none) | Comma-separated allowed origins (anti-DNS-rebinding) |
| MCP_SESSION_TIMEOUT_MS | 3600000 | Session TTL in milliseconds (1 hour) |
| MCP_DUAL_MODE | false | Run stdio and HTTP transports simultaneously |
Health check
curl http://localhost:3000/health
# → { "status": "ok", "version": "4.6.0", "transport": "http" }Connect an MCP client via HTTP
{
"mcpServers": {
"wordpress-http": {
"url": "http://localhost:3000/mcp",
"headers": {
"Authorization": "Bearer your-secret-token"
}
}
}
}MCPB Bundle — Claude Desktop One-Click Install
New in v3.1.0 — Package the server as a
.mcpbbundle for Claude Desktop distribution.
The bundle stores WordPress credentials securely in the OS keychain (sensitive: true) — no manual JSON editing required.
Build the bundle
npm run build:mcpb
# → wordpress-mcp-server.mcpbInstall in Claude Desktop
Double-click wordpress-mcp-server.mcpb — Claude Desktop will prompt for:
- WordPress Site URL
- WordPress Username
- WordPress Application Password (stored in OS keychain)
Available Tools (92)
Content Management
| Tool | Description |
|---|---|
| wp_list_posts | List posts with pagination, filtering by status/category/tag/author, and search |
| wp_get_post | Get a post by ID with full content, meta fields, and taxonomy info |
| wp_create_post | Create a post (defaults to draft). Supports HTML, categories, tags, featured image, meta |
| wp_update_post | Update any post field. Only provided fields are modified |
| wp_delete_post | Move to trash by default. Permanent deletion requires force=true. Returns confirmation token when WP_CONFIRM_DESTRUCTIVE=true |
| wp_search | Full-text search across all content types |
| wp_list_pages | List pages with hierarchy (parent/child), templates, and menu order |
| wp_get_page | Get page content, template, and hierarchy info |
| wp_create_page | Create a page with parent, template, and menu_order support |
| wp_update_page | Update any page field |
Media Library
| Tool | Description |
|---|---|
| wp_list_media | Browse media with type filtering (image/video/audio/document) |
| wp_get_media | Get URL, dimensions, alt text, caption, and all available sizes |
| wp_upload_media | Upload a file from a public URL to the WordPress media library |
Taxonomies & Structure
| Tool | Description |
|---|---|
| wp_list_categories | List categories with hierarchy, post count, and descriptions |
| wp_list_tags | List tags with post count |
| wp_create_taxonomy_term | Create a new category or tag |
| wp_list_post_types | Discover all registered post types (including custom ones) |
| wp_list_custom_posts | List content from any custom post type (products, portfolio, events) |
Engagement
| Tool | Description |
|---|---|
| wp_list_comments | List comments with filtering by post, status, and author |
| wp_create_comment | Create a comment or reply on any post |
| wp_list_users | List users with roles (read-only) |
SEO Metadata
| Tool | Description |
|---|---|
| wp_get_seo_meta | Read SEO title, description, focus keyword, canonical, robots, Open Graph. Auto-detects Yoast, RankMath, SEOPress, All in One SEO |
| wp_update_seo_meta | Update SEO metadata with automatic plugin detection |
| wp_audit_seo | Bulk audit SEO across posts/pages with quality scoring (0-100), missing fields detection, and length checks |
SEO metadata updates are subject to the same enterprise controls and execution policies as all other write operations.
SEO Audit Suite
New in v4.0–v4.2 — Deep technical SEO analysis without requiring any WordPress plugin.
| Tool | Description |
|---|---|
| wp_audit_media_seo | Audit media library for missing alt text, short alt text, and unoptimized filenames. Returns per-image scores and prioritized fix list |
| wp_find_orphan_pages | Identify posts with no internal links pointing to them, sorted by word count. Configurable minimum word threshold and exclusion list |
| wp_audit_heading_structure | Analyze H1/H2/H3 hierarchy in post content. Detects H1 in body, heading level skips, empty headings, focus keyword absent from H2 |
| wp_find_thin_content | Surface posts below a configurable word count threshold. Scores content quality by word count, heading density, and paragraph structure |
| wp_audit_canonicals | Validate canonical URLs across posts and pages. Detects missing canonicals, self-referencing mismatches, and cross-domain canonicals. Auto-detects RankMath/Yoast/SEOPress/AIOSEO |
| wp_analyze_eeat_signals | Score E-E-A-T signals per post: author bio presence, publication/update dates, outbound citations, word count, structured data markers. Returns a 0-100 score with a breakdown by dimension |
| wp_find_broken_internal_links | Check all internal links in a post via HEAD requests. Returns broken (4xx/5xx), redirected (3xx), and slow links. Configurable batch size and timeout |
| wp_find_keyword_cannibalization | Detect posts sharing the same RankMath/Yoast/SEOPress/AIOSEO focus keyword. Groups conflicts by keyword and flags the weakest post by word count |
| wp_audit_taxonomies | Identify taxonomy bloat: unused categories/tags, near-duplicate terms via Levenshtein distance, single-post terms, and over-tagged posts |
| wp_audit_outbound_links | Analyze external link profile per post. Detects links to low-authority domains, missing rel="nofollow" on sponsored links, and broken external URLs |
All SEO audit tools are read-only and always allowed regardless of governance flags.
Content Intelligence
New in v4.4.0 — Deep content analysis and editorial intelligence without any WordPress plugin.
| Tool | Description |
|---|---|
| wp_get_content_brief | Editorial brief aggregator: SEO + structure + links in 1 call |
| wp_extract_post_outline | H1-H6 outline extraction with category-level pattern analysis |
| wp_audit_readability | Bulk Flesch-Kincaid FR scoring with transition word and passive voice analysis |
| wp_audit_update_frequency | Outdated content detection cross-referenced with SEO scores |
| wp_build_link_map | Internal link matrix with simplified PageRank scoring (0-100) |
| wp_audit_anchor_texts | Anchor text diversity audit: generic, over-optimized, image link detection |
| wp_audit_schema_markup | JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness) |
| wp_audit_content_structure | Editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images |
| wp_find_duplicate_content | TF-IDF cosine similarity for near-duplicate detection with union-find clustering |
| wp_find_content_gaps | Taxonomy under-representation analysis (categories + tags) |
| wp_extract_faq_blocks | FAQ inventory: JSON-LD, Gutenberg blocks, HTML patterns |
| wp_audit_cta_presence | CTA detection (6 types) with scoring 0-100 |
| wp_extract_entities | Regex/heuristic named entity extraction (brands, locations, persons, organizations) |
| wp_get_publishing_velocity | Publication cadence by author/category with trend detection |
| wp_compare_revisions_diff | Textual diff between revisions with amplitude scoring |
| wp_list_posts_by_word_count | Posts sorted by length with 6-tier segmentation |
All Content Intelligence tools are read-only and always allowed regardless of governance flags.
Plugin Intelligence Layer
New in v4.6.0 — Extensible adapter architecture for third-party WordPress plugins. Adapters activate only when the plugin is detected via REST API namespace discovery.
Disable all plugin tools: WP_DISABLE_PLUGIN_LAYERS=true
ACF (Advanced Custom Fields)
| Tool | Description |
|---|---|
| acf_get_fields | Get ACF custom fields for a post/page with key filtering and raw/compact/summary modes |
| acf_list_field_groups | List all configured ACF field groups |
| acf_get_field_group | Get full detail of an ACF field group by ID |
| acf_update_fields | Update ACF custom fields for a post/page. Write — blocked by WP_READ_ONLY |
Requires ACF Pro or ACF Free with REST API enabled (/acf/v3 namespace).
Elementor
| Tool | Description |
|---|---|
| elementor_list_templates | List Elementor templates (page, section, block, popup) with type filtering |
| elementor_get_template | Get full Elementor template content and elements. Context-guarded at 50k chars |
| elementor_get_page_data | Get Elementor editor data for a post/page: widgets used, elements count |
Requires Elementor Free or Pro (/elementor/v1 namespace).
Plugins
| Tool | Description |
|---|---|
| wp_list_plugins | List installed plugins with status, version, author. Requires Administrator (activate_plugins capability) |
| wp_activate_plugin | Activate a plugin. Blocked by WP_READ_ONLY and WP_DISABLE_PLUGIN_MANAGEMENT |
| wp_deactivate_plugin | Deactivate a plugin. Blocked by WP_READ_ONLY and WP_DISABLE_PLUGIN_MANAGEMENT |
Themes
| Tool | Description |
|---|---|
| wp_list_themes | List installed themes with active theme detection. Requires switch_themes capability |
| wp_get_theme | Get theme details by stylesheet slug |
Revisions
| Tool | Description |
|---|---|
| wp_list_revisions | List revisions of a post or page (metadata only) |
| wp_get_revision | Get a specific revision with full content |
| wp_restore_revision | Restore a post to a previous revision (plugin-free 2-step approach) |
| wp_delete_revision | Permanently delete a revision. Blocked by WP_READ_ONLY, WP_DISABLE_DELETE, and WP_CONFIRM_DESTRUCTIVE |
Editorial Workflow
New in v3.2.0 — Approval workflow for regulated content operations.
| Tool | Description |
|---|---|
| wp_submit_for_review | Transition a draft post to pending status (author action). Blocked by WP_READ_ONLY |
| wp_approve_post | Transition a pending post to publish (editor/admin action). Blocked by WP_READ_ONLY and WP_DRAFT_ONLY |
| wp_reject_post | Return a pending post to draft with a mandatory rejection reason (editor/admin action). Blocked by WP_READ_ONLY |
The approval workflow is enforced by WP_REQUIRE_APPROVAL=true, which blocks direct publish via wp_update_post and forces the draft → pending → publish path.
Internal Link Intelligence
New in v3.3.0 — Audit and improve internal linking without auto-insertion.
| Tool | Description |
|---|---|
| wp_analyze_links | Audit all internal and external links in a post. HEAD request verification per link (broken/warning/unknown). Configurable max checks and timeout |
| wp_suggest_internal_links | Semantic link suggestions scored by category match (+3), freshness (+3/2/1), SEO focus keyword match (+2), title match (+2). Excludes already-linked posts |
Pre-flight linking workflow: wp_suggest_internal_links → user validates → wp_update_post (never auto-insert).
WooCommerce
New in v3.4.0–v3.6.0 — Full WooCommerce integration with read, intelligence, and write operations.
Requires WC_CONSUMER_KEY and WC_CONSUMER_SECRET environment variables. Generate API keys at WooCommerce → Settings → Advanced → REST API.
| Tool | Description |
|---|---|
| wc_list_products | List products with filtering by status, category, search, and sorting by price/popularity |
| wc_get_product | Get a product by ID with full details. Includes variations summary for variable products |
| wc_list_orders | List orders with filtering by status, customer, and date |
| wc_get_order | Get an order by ID with line items, shipping, billing, and payment details |
| wc_list_customers | List customers with search and role filtering |
| wc_get_customer | Get a customer by ID with full profile, order history summary, and lifetime value |
| wc_list_coupons | List coupons with filtering by type, expiry status, and usage |
| wc_get_coupon | Get a coupon by ID with full discount rules and usage statistics |
| wc_sales_report | Generate sales summary for a date range: revenue, orders, average order value, top products |
| wc_top_products | Rank products by revenue, quantity sold, or order count for a given period |
| wc_price_guardrail | Analyze a price change for safety (read-only). Returns safe/unsafe based on configurable threshold percentage |
| wc_update_product | Update product fields (title, description, price, stock, status). Blocked by WP_READ_ONLY and subject to wc_price_guardrail thresholds |
| wc_update_order_status | Transition order status (e.g., processing → completed). Blocked by WP_READ_ONLY |
All WooCommerce write tools are blocked by WP_READ_ONLY. wc_price_guardrail is always allowed — it never modifies data.
Operations
| Tool | Description |
|---|---|
| wp_set_target | Switch active WordPress site in multi-target mode |
| wp_site_info | Site info, current user, post types, enterprise controls, available targets, and plugin_layer (detected plugins, tools count) |
Enterprise Controls
Configure execution policy via environment variables. All restrictions are enforced before any API call is made — including SEO metadata, plugin operations, and WooCommerce writes.
| Control | Default | Effect |
|---|---|---|
| WP_READ_ONLY | false | Blocks all write operations (create, update, delete, upload, SEO updates, plugin management, WooCommerce writes) |
| WP_DRAFT_ONLY | false | Restricts to draft and pending statuses only |
| WP_DISABLE_DELETE | false | Blocks all delete operations (posts + revisions) |
| WP_DISABLE_PLUGIN_MANAGEMENT | false | Blocks plugin activate/deactivate (list still allowed) |
| WP_REQUIRE_APPROVAL | false | Blocks direct publish via wp_update_post. Forces draft → pending → publish approval workflow |
| WP_CONFIRM_DESTRUCTIVE | false | Requires a token confirmation before wp_delete_post and wp_delete_revision execute |
| WP_ALLOWED_TYPES | all | Restricts to specific post types (e.g., post,page) |
| WP_ALLOWED_STATUSES | all | Restricts to specific statuses (e.g., draft,pending) |
| WP_MAX_CALLS_PER_MINUTE | unlimited | Client-side rate limiting |
| WP_AUDIT_LOG | on | Structured JSON audit trail |
Destructive confirmation flow
When WP_CONFIRM_DESTRUCTIVE=true, wp_delete_post and wp_delete_revision return a stateless confirmation token on the first call instead of executing. The token is valid for 60 seconds (SHA-256, zero persistence). Pass the token back on a second call to confirm execution.
Governance priority order: WP_READ_ONLY → WP_DISABLE_DELETE → WP_CONFIRM_DESTRUCTIVE
Deployment profiles
Agency content production — writers can create and edit, but never publish or delete:
WP_DRAFT_ONLY=true
WP_DISABLE_DELETE=true
WP_ALLOWED_STATUSES=draft,pending
WP_MAX_CALLS_PER_MINUTE=30Editorial review workflow — forces human approval before publication:
WP_REQUIRE_APPROVAL=true
WP_DISABLE_DELETE=true
WP_AUDIT_LOG=onCompliance monitoring — read-only access for auditing existing content:
WP_READ_ONLY=true
WP_AUDIT_LOG=onRegulated publishing — restrict to specific content types in a controlled environment:
WP_ALLOWED_TYPES=post
WP_ALLOWED_STATUSES=draft,pending,publish
WP_DISABLE_DELETE=true
WP_AUDIT_LOG=onLocked infrastructure — content operations allowed, but no plugin/theme changes:
WP_DISABLE_PLUGIN_MANAGEMENT=true
WP_DISABLE_DELETE=trueE-commerce safe mode — WooCommerce read and intelligence, no writes:
WP_READ_ONLY=true
WC_CONSUMER_KEY=ck_xxx
WC_CONSUMER_SECRET=cs_xxxBlocked actions return a clear error message explaining which control prevented execution, and are logged in the audit trail with status blocked.
SEO Metadata
The SEO tools auto-detect which SEO plugin is installed on your WordPress site and use the correct meta fields automatically.
Supported plugins:
- Yoast SEO —
_yoast_wpseo_title,_yoast_wpseo_metadesc,_yoast_wpseo_focuskw, plusyoast_head_jsonREST API extension - RankMath —
rank_math_title,rank_math_description,rank_math_focus_keyword - SEOPress —
_seopress_titles_title,_seopress_titles_desc,_seopress_analysis_target_kw - All in One SEO —
_aioseo_title,_aioseo_description,_aioseo_keywords
SEO Audit Scoring
wp_audit_seo scores each post on a 100-point scale:
| Check | Penalty | |---|---| | Missing SEO title | -30 | | SEO title too short (< 30 chars) or too long (> 60 chars) | -10 | | Missing meta description | -30 | | Meta description too short (< 120 chars) or too long (> 160 chars) | -10 | | Missing focus keyword | -20 | | Focus keyword not in SEO title | -10 |
Exposing SEO Meta Fields (Required)
Most SEO plugins store their data in WordPress post meta fields that are not exposed via the REST API by default. Without this step, wp_get_seo_meta and wp_audit_seo will return empty results even though your SEO data exists in the database.
Add the following code to your theme's functions.php (Appearance → Theme File Editor → functions.php) or — preferably — create a custom mini-plugin (see below).
⚠️ Important: When pasting code into
functions.php, make sure the file starts with exactly<?php— no extra characters before it. A stray character (like<<?php) will break the WordPress REST API by injecting invalid output before JSON responses, causingUnexpected token '<'errors in MCP.
RankMath:
add_action( 'init', function() {
$fields = array(
'rank_math_title',
'rank_math_description',
'rank_math_focus_keyword',
'rank_math_canonical_url',
'rank_math_robots',
'rank_math_facebook_title',
'rank_math_facebook_description',
'rank_math_facebook_image',
);
foreach ( $fields as $field ) {
foreach ( array( 'post', 'page' ) as $post_type ) {
register_post_meta( $post_type, $field, array(
'show_in_rest' => true,
'single' => true,
'type' => 'string',
'auth_callback' => function() {
return current_user_can( 'edit_posts' );
},
) );
}
}
} );Yoast SEO:
add_action( 'init', function() {
$fields = array(
'_yoast_wpseo_title',
'_yoast_wpseo_metadesc',
'_yoast_wpseo_focuskw',
'_yoast_wpseo_canonical',
'_yoast_wpseo_meta-robots-noindex',
'_yoast_wpseo_meta-robots-nofollow',
'_yoast_wpseo_opengraph-title',
'_yoast_wpseo_opengraph-description',
'_yoast_wpseo_opengraph-image',
);
foreach ( $fields as $field ) {
foreach ( array( 'post', 'page' ) as $post_type ) {
register_post_meta( $post_type, $field, array(
'show_in_rest' => true,
'single' => true,
'type' => 'string',
'auth_callback' => function() {
return current_user_can( 'edit_posts' );
},
) );
}
}
} );SEOPress:
add_action( 'init', function() {
$fields = array(
'_seopress_titles_title',
'_seopress_titles_desc',
'_seopress_analysis_target_kw',
'_seopress_robots_canonical',
'_seopress_robots_index',
'_seopress_social_fb_title',
'_seopress_social_fb_desc',
'_seopress_social_fb_img',
);
foreach ( $fields as $field ) {
foreach ( array( 'post', 'page' ) as $post_type ) {
register_post_meta( $post_type, $field, array(
'show_in_rest' => true,
'single' => true,
'type' => 'string',
'auth_callback' => function() {
return current_user_can( 'edit_posts' );
},
) );
}
}
} );All in One SEO:
add_action( 'init', function() {
$fields = array(
'_aioseo_title',
'_aioseo_description',
'_aioseo_keywords',
'_aioseo_og_title',
'_aioseo_og_description',
'_aioseo_og_image_url',
);
foreach ( $fields as $field ) {
foreach ( array( 'post', 'page' ) as $post_type ) {
register_post_meta( $post_type, $field, array(
'show_in_rest' => true,
'single' => true,
'type' => 'string',
'auth_callback' => function() {
return current_user_can( 'edit_posts' );
},
) );
}
}
} );Alternative: MCP SEO Bridge Plugin (Recommended)
Note: Core content operations require no WordPress plugin. SEO metadata tools may require exposing meta fields via the REST API using either a theme snippet or this optional micro-plugin.
Instead of modifying your theme's functions.php (which gets overwritten on theme updates), create a standalone micro-plugin.
Create the file wp-content/plugins/mcp-seo-bridge.php:
<?php
/**
* Plugin Name: MCP SEO Bridge
* Description: Exposes SEO plugin meta fields via REST API for WordPress MCP Server
* Version: 1.0.0
* Author: AdSim
* Author URI: https://adsim.be
*/
if ( ! defined( 'ABSPATH' ) ) exit;
add_action( 'init', function() {
$fields = array();
if ( defined( 'RANK_MATH_VERSION' ) ) {
$fields = array(
'rank_math_title', 'rank_math_description', 'rank_math_focus_keyword',
'rank_math_canonical_url', 'rank_math_robots',
'rank_math_facebook_title', 'rank_math_facebook_description', 'rank_math_facebook_image',
);
} elseif ( defined( 'WPSEO_VERSION' ) ) {
$fields = array(
'_yoast_wpseo_title', '_yoast_wpseo_metadesc', '_yoast_wpseo_focuskw',
'_yoast_wpseo_canonical', '_yoast_wpseo_meta-robots-noindex', '_yoast_wpseo_meta-robots-nofollow',
'_yoast_wpseo_opengraph-title', '_yoast_wpseo_opengraph-description', '_yoast_wpseo_opengraph-image',
);
} elseif ( defined( 'SEOPRESS_VERSION' ) ) {
$fields = array(
'_seopress_titles_title', '_seopress_titles_desc', '_seopress_analysis_target_kw',
'_seopress_robots_canonical', '_seopress_robots_index',
'_seopress_social_fb_title', '_seopress_social_fb_desc', '_seopress_social_fb_img',
);
} elseif ( defined( 'AIOSEO_VERSION' ) ) {
$fields = array(
'_aioseo_title', '_aioseo_description', '_aioseo_keywords',
'_aioseo_og_title', '_aioseo_og_description', '_aioseo_og_image_url',
);
}
foreach ( $fields as $field ) {
foreach ( array( 'post', 'page' ) as $post_type ) {
register_post_meta( $post_type, $field, array(
'show_in_rest' => true,
'single' => true,
'type' => 'string',
'auth_callback' => function() {
return current_user_can( 'edit_posts' );
},
) );
}
}
} );Activate it from WordPress Admin → Plugins. This approach auto-detects your SEO plugin and survives theme updates.
Verifying SEO Fields Are Exposed
After adding the code, verify the fields are accessible:
curl -s -u "username:application-password" \
"https://yoursite.com/wp-json/wp/v2/posts?per_page=1" | python3 -m json.tool | grep -E "rank_math|yoast|seopress|aioseo"If you see your SEO fields in the meta object, the configuration is working.
Troubleshooting SEO Fields
| Symptom | Cause | Fix |
|---|---|---|
| wp_audit_seo returns empty SEO data | Meta fields not exposed via REST API | Add register_post_meta() code above |
| Unexpected token '<' on all MCP calls | Stray character before <?php in functions.php | Remove any characters before <?php |
| SEO fields visible but all null | SEO plugin not yet configured on those posts | Set titles/descriptions in RankMath/Yoast editor |
| No SEO plugin detected | Plugin constant not matched | Verify your SEO plugin is active |
| Fields lost after theme update | Code was in functions.php | Use the MCP SEO Bridge plugin instead |
WooCommerce Setup
Generate API Keys
Go to WooCommerce → Settings → Advanced → REST API → Add key.
Set permissions to Read/Write if you plan to use wc_update_product or wc_update_order_status. Set to Read for a read-only WooCommerce integration.
WC_CONSUMER_KEY=ck_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
WC_CONSUMER_SECRET=cs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxPrice Guardrail
wc_price_guardrail analyzes proposed price changes before any write operation. It returns safe or unsafe based on a configurable threshold (default 20%). Claude should call this tool before wc_update_product when modifying prices.
WC_PRICE_GUARDRAIL_THRESHOLD=20 # percentage — changes above this require explicit overridewc_price_guardrail is always allowed regardless of WP_READ_ONLY. It never modifies data.
Testing
767 unit tests covering all 92 tools — zero network calls, fully mocked.
npm test # run all tests (vitest)
npm run test:watch # watch mode
npm run test:coverage # coverage report| Test file | Scope | Tests |
|---|---|---|
| governance.test.js | All governance flags + combinations including WP_REQUIRE_APPROVAL and WP_CONFIRM_DESTRUCTIVE | 30 |
| posts.test.js | list, get, create, update, delete, search | 18 |
| pages.test.js | list, get, create, update | 12 |
| media.test.js | list, get, upload | 14 |
| taxonomies.test.js | categories, tags, create term | 16 |
| comments.test.js | list, create | 12 |
| users.test.js | list | 7 |
| search.test.js | search, post types, custom posts | 10 |
| seo.test.js | get, update, audit | 12 |
| plugins.test.js | list, activate, deactivate | 16 |
| themes.test.js | list, get | 8 |
| revisions.test.js | list, get, restore, delete | 17 |
| editorial.test.js | submit_for_review, approve, reject | 15 |
| links.test.js | analyze_links, suggest_internal_links | 16 |
| woocommerce.test.js | products, orders, customers, coupons, reports, write, guardrail | 40 |
| auditMediaSeo.test.js | media alt text audit, filename scoring | 12 |
| findOrphanPages.test.js | inbound link detection, exclusion list | 10 |
| auditHeadingStructure.test.js | H1/H2/H3 hierarchy, level skips, keyword detection | 12 |
| findThinContent.test.js | word count threshold, heading density | 10 |
| auditCanonicals.test.js | canonical validation, mismatch detection, multi-plugin | 12 |
| analyzeEeatSignals.test.js | E-E-A-T scoring, author bio, citations, structured data | 12 |
| findBrokenInternalLinks.test.js | HEAD request batching, 4xx/3xx detection | 12 |
| findKeywordCannibalization.test.js | focus keyword conflicts, multi-plugin detection | 10 |
| auditTaxonomies.test.js | Levenshtein duplicates, unused terms, over-tagging | 12 |
| auditOutboundLinks.test.js | external link profile, nofollow detection | 10 |
| contentAnalyzer.test.js | readability, TF-IDF, cosine similarity, entities, text diff | 44 |
| contentIntelligence.test.js | 16 content intelligence tools: brief, outline, readability, update frequency, link map, anchor texts, schema, structure, duplicates, gaps, FAQ, CTA, entities, velocity, revisions diff, word count | 125 |
| site.test.js | site info, set target | 5 |
| transport/http.test.js | HTTP transport, Bearer auth, sessions | 10 |
| pluginDetector.test.js | SEO plugin detection, rendered head, HTML head parsing | 13 |
| pluginIntelligence.test.js | 6 plugin intelligence tools: rendered head, rendered SEO audit, pillar content, schema plugins, SEO score, Twitter meta | 48 |
| dxt/manifest.test.js | MCPB manifest validation, 86 tools declared | 10 |
| dynamicFiltering.test.js | WooCommerce/editorial/plugin-intelligence filtering, combined counts, callable when filtered | 9 |
| outputCompression.test.js | mode=full/summary/ids_only for 10 listing tools (pages, media, comments, categories, tags, users, custom posts, plugins, themes, revisions) | 30 |
| siteOptions.test.js | wp_get_site_options: all options, key filtering, 403, audit log, not blocked by WP_READ_ONLY | 5 |
| plugins/registry.test.js | PluginRegistry: ACF/Elementor detection, empty namespaces, WP_DISABLE_PLUGIN_LAYERS, getSummary | 6 |
| plugins/contextGuard.test.js | applyContextGuard: under threshold, truncation, raw bypass, stderr log | 4 |
| plugins/iPluginAdapter.test.js | validateAdapter: complete adapter, missing id, missing getTools | 3 |
| plugins/acf/acfAdapter.test.js | ACF read tools: get fields, filter, contextGuard, 404, list groups, get group, audit log | 10 |
| plugins/acf/acfAdapter.write.test.js | ACF write: update fields, WP_READ_ONLY blocking, validation, 404/403, audit log | 8 |
| plugins/elementor/elementorAdapter.test.js | Elementor adapter: list/get templates, page data, contextGuard, validation, namespace detection, audit log | 10 |
| pluginLayer.test.js | Plugin Layer integration: listTools, callTool routing, wp_site_info, WP_DISABLE_PLUGIN_LAYERS, no collisions | 8 |
Each test verifies: success response shape, governance blocking (write tools), HTTP error handling (403/404), and audit log entries.
Structured Audit Log
Every tool invocation is recorded as a JSON event on stderr — ready for ingestion into Datadog, Splunk, CloudWatch, Langfuse, ELK, or any JSON-compatible pipeline.
{
"timestamp": "2026-02-19T18:42:00.000Z",
"tool": "wp_create_post",
"target": 1234,
"target_type": "post",
"action": "create",
"status": "success",
"latency_ms": 245,
"site": "production",
"params": { "title": "New Post", "status": "draft" },
"error": null
}79 instrumentation points across all tools. Three status types: success, error, blocked.
| Field | Description |
|---|---|
| timestamp | ISO 8601 |
| tool | Tool name invoked |
| target | Resource ID when applicable |
| target_type | Resource type (post, page, media, comment, category, tag, plugin, theme, revision, product, order, customer, coupon) |
| action | Operation: list, read, create, update, trash, permanent_delete, upload, search, switch_target, read_seo, update_seo, audit_seo, activate, deactivate, restore, submit_review, approve, reject, analyze_links, suggest_links, guardrail, audit_media_seo, find_orphans, audit_headings, find_thin_content, audit_canonicals, analyze_eeat, find_broken_links, find_cannibalization, audit_taxonomies, audit_outbound_links, content_brief, extract_outline, audit_readability, audit_update_frequency, build_link_map, audit_anchor_texts, audit_schema, audit_content_structure, find_duplicates, find_content_gaps, extract_faq, audit_cta, extract_entities, publishing_velocity, compare_revisions, list_by_word_count |
| status | success, error, or blocked |
| latency_ms | Execution time |
| site | Active target name |
| params | Sanitized parameters (content fields truncated) |
| error | Error detail or null |
Multi-Target
Manage multiple WordPress sites from a single server instance. Designed for agencies and multi-brand organizations.
Inline configuration:
WP_TARGETS_JSON='{"production":{"url":"https://mysite.com","username":"admin","password":"xxxx"},"staging":{"url":"https://staging.mysite.com","username":"editor","password":"xxxx"}}'File-based configuration:
WP_TARGETS_FILE=/path/to/targets.json{
"production": {
"url": "https://mysite.com",
"username": "admin",
"password": "xxxx xxxx xxxx xxxx xxxx xxxx"
},
"staging": {
"url": "https://staging.mysite.com",
"username": "editor",
"password": "xxxx xxxx xxxx xxxx xxxx xxxx"
},
"client-blog": {
"url": "https://client.com",
"username": "content-manager",
"password": "xxxx xxxx xxxx xxxx xxxx xxxx"
}
}Switch targets during a session with wp_set_target. All available sites and the active target are visible in wp_site_info.
Health & Reliability
The server performs a health check on startup: REST API connectivity, user authentication, and role verification. During operation: automatic retry with exponential backoff (configurable, default 3 attempts), request timeout (default 30s), rate limit handling (respects 429 + retry-after), and contextual error messages with diagnosis guidance.
| Setting | Default | Description |
|---|---|---|
| WP_MCP_VERBOSE | false | Debug-level logging |
| WP_MCP_TIMEOUT | 30000 | Request timeout (ms) |
| WP_MCP_MAX_RETRIES | 3 | Max retry attempts |
Security
- HTTPS required in production. HTTP only for localhost
- Application Passwords only — never use WordPress login credentials
- Credentials never logged — audit trail sanitizes all sensitive data
- No credentials in code —
.envor environment variables only - Instant revocation — Application Passwords can be revoked from WordPress admin
- Traceable requests — custom
User-Agent: WordPress-MCP-Server/4.6.0 - Bearer token auth in HTTP mode — timing-safe comparison, no token in logs
- Origin validation in HTTP mode — anti-DNS-rebinding protection
Troubleshooting
| Issue | Solution |
|---|---|
| 401 Unauthorized | Verify username and Application Password |
| 403 Forbidden | Check WordPress user role and capabilities |
| 404 Not Found | Verify WP_API_URL and REST API availability |
| Unexpected token '<' | Stray character before <?php in functions.php — see SEO Troubleshooting |
| Blocked: READ-ONLY mode | Disable WP_READ_ONLY to allow writes |
| Blocked: DRAFT-ONLY mode | Only draft/pending allowed. Check WP_DRAFT_ONLY |
| Blocked: PLUGIN MANAGEMENT | Disable WP_DISABLE_PLUGIN_MANAGEMENT to allow activate/deactivate |
| Blocked: APPROVAL REQUIRED | WP_REQUIRE_APPROVAL=true — use wp_submit_for_review then wp_approve_post |
| Confirmation token required | WP_CONFIRM_DESTRUCTIVE=true — pass the returned token on a second call within 60s |
| 401 Unauthorized (HTTP mode) | Set MCP_AUTH_TOKEN and pass Authorization: Bearer <token> |
| 403 Forbidden (HTTP mode) | Check MCP_ALLOWED_ORIGINS includes your client origin |
| WooCommerce 401 | Verify WC_CONSUMER_KEY and WC_CONSUMER_SECRET |
| WooCommerce 403 | API key needs Read/Write permissions for write tools |
| Rate limit exceeded | Adjust WP_MAX_CALLS_PER_MINUTE |
| Timeout | Increase WP_MCP_TIMEOUT or check server |
| Site not found | Verify site key in WP_TARGETS_JSON or file |
| No SEO plugin detected | Install Yoast, RankMath, SEOPress, or AIOSEO |
| SEO meta fields empty | Add register_post_meta() code or install MCP SEO Bridge plugin — see Exposing SEO Meta Fields |
| wp_find_broken_internal_links slow | Reduce batchSize parameter or increase timeoutMs |
| wp_audit_outbound_links empty | External HEAD requests blocked by your server firewall |
| Server not starting | Check Node.js 18+ is installed: node --version |
Development
# Clone the repository
git clone https://github.com/GeorgesAdSim/wordpress-mcp-server.git
cd wordpress-mcp-server
# Install dependencies
npm install
# Run tests
npm test
# Run locally (stdio)
WP_API_URL="https://your-site.com" \
WP_API_USERNAME="user" \
WP_API_PASSWORD="xxxx xxxx xxxx xxxx" \
node index.js
# Run locally (HTTP)
MCP_TRANSPORT=http \
MCP_AUTH_TOKEN=dev-token \
WP_API_URL="https://your-site.com" \
WP_API_USERNAME="user" \
WP_API_PASSWORD="xxxx xxxx xxxx xxxx" \
node index.js
# Build MCPB bundle
npm run build:mcpbTesting with MCP Inspector
npx @modelcontextprotocol/inspector node index.jsChangelog
v4.6.0 (2026-02-22) — Plugin Intelligence Layer
Extensible adapter architecture for third-party WordPress plugins. Adapters activate only when their plugin is detected via REST API namespace discovery — zero overhead when plugins are absent.
Architecture:
src/plugins/registry.js— PluginRegistry with automatic plugin detection via REST namespaces.WP_DISABLE_PLUGIN_LAYERS=truedisables all plugin toolssrc/plugins/contextGuard.js— LLM context overflow protection: automatic truncation at 50k chars with truncation metadatasrc/plugins/IPluginAdapter.js— Adapter contract interface: id, namespace, riskLevel, contextConfig, getTools, handleToolwp_site_infonow reportsplugin_layer(detected plugins, available tools count)
ACF Adapter:
acf_get_fields— ACF custom fields with key filtering, raw/compact/summary modesacf_list_field_groups— all configured field groupsacf_get_field_group— field group detail by IDacf_update_fields— update custom fields. Blocked byWP_READ_ONLY. riskLevel: "medium"
Elementor Adapter (read-only):
elementor_list_templates— templates with type filter (page/section/block/popup)elementor_get_template— full template content, context-guarded at 50k charselementor_get_page_data— widgets used, elements count, Elementor status per post
767 Vitest unit tests · 92 tools
v4.5.1 (2026-02-21) — Context Optimization
LLM context reduction across all 85 tools — zero breaking changes.
Dynamic filtering:
getFilteredTools()hides WooCommerce (13), editorial (3), and plugin intelligence (6) tools when their env vars are absentlistToolsreturns only exposed tools;callToolstill handles all 85wp_site_infonow reportstools_total,tools_exposed,filtered_out
LLM-optimized descriptions:
- All 85 tool descriptions rewritten:
"Use when [TRIGGER]. [ACTION]. [Read-only | Write — blocked by X]. [Hint: optional]"
Schema compact:
- Redundant
descriptionfields removed frominputSchemaproperties (id, per_page, page, status with enum, search, force, post_type with enum, etc.)
Output compression (mode parameter):
- 10 listing tools gain
modeparam:full(default),summary(key fields only),ids_only(flat array) - wp_list_pages, wp_list_media, wp_list_comments, wp_list_categories, wp_list_tags, wp_list_users, wp_list_custom_posts, wp_list_plugins, wp_list_themes, wp_list_revisions
713 Vitest unit tests · 85 tools
v4.5.0 (2026-02-21) — Plugin Intelligence (RankMath + Yoast)
6 new tools exploiting native RankMath and Yoast SEO API endpoints for rendered head analysis, schema validation, and social meta management.
New shared module:
src/pluginDetector.js— SEO plugin auto-detection via REST API namespace discovery (cached), rendered head fetching, HTML head parsing
Rendered SEO Analysis:
wp_get_rendered_head— fetch the real<head>HTML via RankMath/rankmath/v1/getHeador Yoast/yoast/v1/get_headendpoints, compare rendered vs stored metawp_audit_rendered_seo— bulk audit rendered vs stored SEO meta divergences with per-post scoring (title/description/canonical/robots/schema mismatches)
Plugin-Native Features:
wp_get_pillar_content— read/write RankMathrank_math_pillar_contentcornerstone flag. Write mode blocked byWP_READ_ONLYwp_audit_schema_plugins— validate JSON-LD schemas from plugin native fields (rank_math_schemaor Yoastyoast_head_json). Checks required fields per @typewp_get_seo_score— read RankMath native SEO score (0-100) with bulk mode distribution statswp_get_twitter_meta— read/write Twitter Card meta (title, description, image) for RankMath, Yoast, and SEOPress. Write mode blocked byWP_READ_ONLY
674 Vitest unit tests · 85 tools
v4.4.0 (2026-02-21) — Content Intelligence
16 new read-only analysis tools for deep content intelligence without any WordPress plugin.
Foundations:
src/contentAnalyzer.js— shared analysis engine: readability (Flesch-Kincaid FR), TF-IDF, cosine similarity, entity extraction, text diff, content structure detectionwp_get_content_brief— editorial brief aggregator (SEO + structure + links in 1 call)wp_extract_post_outline— H1-H6 outline extraction with category-level pattern analysis
SEO Advanced:
wp_audit_readability— bulk Flesch-Kincaid FR scoring with transition word and passive voice analysiswp_audit_update_frequency— outdated content detection cross-referenced with SEO scoreswp_build_link_map— internal link matrix with simplified PageRank scoring (0-100)
Technical Quality:
wp_audit_anchor_texts— anchor text diversity audit: generic, over-optimized, image link detectionwp_audit_schema_markup— JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness)wp_audit_content_structure— editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images
Intelligence Advanced:
wp_find_duplicate_content— TF-IDF cosine similarity for near-duplicate detection with union-find clusteringwp_find_content_gaps— taxonomy under-representation analysis (categories + tags)wp_extract_faq_blocks— FAQ inventory: JSON-LD, Gutenberg blocks, HTML patternswp_audit_cta_presence— CTA detection (6 types) with scoring 0-100wp_extract_entities— regex/heuristic named entity extraction (brands, locations, persons, organizations)wp_get_publishing_velocity— publication cadence by author/category with trend detectionwp_compare_revisions_diff— textual diff between revisions with amplitude scoringwp_list_posts_by_word_count— posts sorted by length with 6-tier segmentation
All Content Intelligence tools are read-only and always allowed regardless of governance flags.
613 Vitest unit tests · 79 tools
v4.2.0 (2026-02-19) — SEO Audit Suite (Sprint 3)
wp_find_broken_internal_links— HEAD request link checker with configurable batch size and timeout. Returns broken (4xx/5xx), redirected (3xx), and slow linkswp_find_keyword_cannibalization— detect posts sharing the same focus keyword. Auto-detects RankMath/Yoast/SEOPress/AIOSEO. Groups conflicts by keyword, flags weakest post by word countwp_audit_taxonomies— taxonomy bloat detection: unused terms, near-duplicate detection via Levenshtein distance, single-post terms, over-tagged postswp_audit_outbound_links— external link profile per post: low-authority domains, missing rel="nofollow", broken external URLssrc/htmlParser.js— shared HTML parsing service (parseImagesFromHtml, extractHeadings, extractInternalLinks, countWords)- 400 Vitest unit tests · 63 tools
v4.1.0 (2026-02-19) — SEO Audit Suite (Sprint 2)
wp_find_thin_content— surface posts below configurable word count threshold. Scores content quality by word count, heading density, and paragraph structurewp_audit_canonicals— validate canonical URLs across posts and pages. Detects missing canonicals, self-referencing mismatches, cross-domain canonicals. Auto-detects RankMath/Yoast/SEOPress/AIOSEOwp_analyze_eeat_signals— E-E-A-T scoring per post (0-100): author bio presence, publication/update dates, outbound citations, word count, structured data markers- 368 Vitest unit tests · 59 tools
v4.0.0 (2026-02-19) — SEO Audit Suite (Sprint 1)
wp_audit_media_seo— audit media library for missing alt text, short alt text, unoptimized filenames. Returns per-image scores and prioritized fix listwp_find_orphan_pages— identify posts with no internal links pointing to them, sorted by word count. Configurable minimum word threshold and exclusion listwp_audit_heading_structure— analyze H1/H2/H3 hierarchy in post content. Detects H1 in body, heading level skips, empty headings, focus keyword absent from H2- All 10 SEO audit tools are read-only and always allowed regardless of governance flags
- 340 Vitest unit tests · 56 tools
v3.6.0 (2026-02-19) — WooCommerce Write
wc_update_product— update product fields (title, description, price, stock, status). Integrated withwc_price_guardrailthreshold enforcementwc_update_order_status— transition order status (e.g., processing → completed)WC_PRICE_GUARDRAIL_THRESHOLD— configurable price change safety threshold (default 20%)- All WooCommerce write tools blocked by
WP_READ_ONLY - 305 Vitest unit tests · 53 tools
v3.5.0 (2026-02-19) — WooCommerce Intelligence
wc_get_customer— customer profile with order history summary and lifetime valuewc_list_coupons/wc_get_coupon— coupon management with discount rules and usage statswc_sales_report— revenue, orders, and average order value for a date rangewc_top_products— ranking by revenue, quantity sold, or order count- 287 Vitest unit tests · 50 tools
v3.4.0 (2026-02-19) — WooCommerce Core
wc_list_products/wc_get_product— product catalog with variation supportwc_list_orders/wc_get_order— order management with full line item detailwc_list_customers— customer list with search and role filteringwc_price_guardrail— read-only price change safety analysis- Requires
WC_CONSUMER_KEYandWC_CONSUMER_SECRET - 271 Vitest unit tests · 46 tools
v3.3.0 (2026-02-19) — Internal Link Intelligence
wp_analyze_links— audit all internal/external links in a post. HEAD request verification per link (broken/warning/unknown). Max 20 checks, configurable timeoutwp_suggest_internal_links— semantic link suggestions scored by category match (+3), freshness (+3/2/1), SEO focus keyword match (+2), title match (+2). Excludes already-linked postssrc/linkUtils.js— 6 shared utilities: extractInternalLinks, extractExternalLinks, checkLinkStatus, extractFocusKeyword (auto-detects RankMath/Yoast/SEOPress/AIOSEO), calculateRelevanceScore, suggestAnchorText- Pre-flight linking workflow: suggest → user validates →
wp_update_post(never auto-insert) - 253 Vitest unit tests · 40 tools
v3.2.0 (2026-02-19) — Governance Workflows
- Editorial approval workflow:
wp_submit_for_review(draft → pending),wp_approve_post(pending → publish),wp_reject_post(pending → draft + mandatory reason) - New governance flag:
WP_REQUIRE_APPROVAL— blocks direct publish, forces approval workflow - Two-step confirmation for destructive operations:
wp_delete_postandwp_delete_revisionreturn a stateless token (60s TTL, SHA-256) whenWP_CONFIRM_DESTRUCTIVE=true - New governance flag:
WP_CONFIRM_DESTRUCTIVE— requires explicit token confirmation before any delete src/confirmationToken.js— stateless token system, zero persistence- Governance priority:
WP_READ_ONLY→WP_DISABLE_DELETE→WP_CONFIRM_DESTRUCTIVE - 225 Vitest unit tests · 38 tools
v3.1.0 (2026-02-19) — MCPB Bundle
dxt/manifest.json— MCPB v0.3 spec, 35 tools declared- WordPress credentials stored in OS keychain (
sensitive: true) npm run build:mcpb— build script for.mcpbdistribution- 10 new manifest validation tests (201 total)
- Published to npm:
npx -y @adsim/[email protected]
v3.0.0 (2026-02-19) — HTTP Streamable Transport
- HTTP Streamable transport (MCP spec 2025-03-26) via
MCP_TRANSPORT=http - Bearer token authentication with timing-safe comparison (
MCP_AUTH_TOKEN) - Session management via
Mcp-Session-Idheader (UUID v4) - Origin header validation (anti-DNS-rebinding)
- Health endpoint
GET /health - Dual mode
MCP_DUAL_MODE=true— stdio + HTTP simultaneously - Graceful shutdown SIGTERM/SIGINT across both transports
- 10 new HTTP/auth unit tests (191 total)
- Published to npm:
@adsim/wordpress-mcp-server
v2.2.0 (2026-02-19) — Enterprise Edition
- 9 new tools: plugins (list/activate/deactivate), themes (list/get), revisions (list/get/restore/delete)
- New governance flag:
WP_DISABLE_PLUGIN_MANAGEMENT - 171 Vitest unit tests covering all 35 tools (governance, success, 403/404, audit logs)
- GitHub Actions CI workflow
- Governance functions read env at call time for testability
- Exported
handleToolCallfor direct testing
v2.1.0 (2026-02-16)
- Enterprise governance controls (read-only, draft-only, type/status allowlists)
- Structured JSON audit trail (27 instrumentation points)
- Multi-target site management
- 27 MCP tools including pages CRUD, media upload, taxonomy creation, custom post types
- SEO auto-detection for 4 plugins (Yoast, RankMath, SEOPress, AIOSEO)
- Health checks, retry with backoff, rate limiting
v1.0.0 (2025-10-17)
- Initial release — JavaScript, 5 tools (list, get, create, update, search posts)
Roadmap
v4.7 — GSC Integration
wp_get_gsc_performance— Google Search Console API (clicks, impressions, position, CTR per URL)wp_find_quick_win_keywords— surface keywords ranking positions 11–20 for targeted updateswp_seo_content_decay— cross-reference GSC traffic loss with content age to prioritize refresh candidates
v4.8 — Redirect Intelligence
wp_create_redirect— create 301 redirects via Redirection plugin or RankMath/Yoast Redirects. Auto-triggered governance hook whenwp_update_postchanges a slugwp_list_404_errors— surface recent 404s from Redirection plugin log
v4.9 — OAuth & Registry
- OAuth 2.0 / JWT authentication
- MCP Registry submission
Contributing
Contributions welcome. Open an issue or submit a pull request.
License
MIT — see LICENSE.
Credits
Built by AdSim — Digital Marketing & AI Agency, Liège, Belgium.
Building the governance layer for Claude-powered WordPress infrastructure in regulated environments.