WordPress MCP Server

Enterprise Governance · Audit Trail · Multi-Site · Plugin-Free

The enterprise governance layer for Claude-to-WordPress integrations — secure, auditable, and multi-site.

v4.6.0 Enterprise · 92 tools · 767 Vitest tests · GitHub Actions CI · HTTP Streamable transport · MCPB bundle · SEO metadata · SEO audit suite · Content intelligence · Plugin intelligence · Plugin layer (ACF, Elementor) · Plugin & theme management · Revision control · Editorial approval workflow · Destructive confirmation · Internal link analysis · WooCommerce (read + intelligence + write) · Execution controls · JSON audit trail · Multi-site targeting

---

Architecture

┌─────────────────────────┐
│     Claude Client       │  Claude Desktop · Claude Code · Any MCP client
└────────────┬────────────┘
             │ MCP Protocol (stdio or HTTP Streamable)
┌────────────▼────────────┐
│  WordPress MCP Server   │  Node.js · Standalone · No WordPress plugin
├─────────────────────────┤
│  Execution Controls     │  Read-only · Draft-only · Plugin mgmt · Type/status allowlists
├─────────────────────────┤
│  Audit Logging          │  JSON on stderr · 79 instrumentation points
├─────────────────────────┤
│  Rate Limiting          │  Client-side · Configurable per-minute cap
├─────────────────────────┤
│  HTTP Transport         │  Bearer auth · Session management · Origin validation
└────────────┬────────────┘
             │ HTTPS + WordPress Application Password (Basic Auth over TLS)
┌────────────▼────────────┐
│   WordPress REST API    │  Single site or multi-target
└─────────────────────────┘

Why This Server

Most WordPress MCP servers focus on what you can do. This one focuses on what you should be allowed to do — and who can verify it happened.

In regulated environments — financial services, healthcare, legal, government — AI-powered content operations need guardrails. This server provides them out of the box: read-only mode for monitoring, draft-only mode for review workflows, structured audit logs for compliance, and multi-site management for agencies operating across client portfolios.

No composer, no PHP build, no WordPress admin plugin. Point it at any WordPress site with an Application Password, configure your execution policy, and connect your Claude client.

Safety Model

This server is designed for safe operation in production environments:

• Default non-destructive — delete operations must be explicitly enabled
• Configurable execution modes — read-only, draft-only, or full access per deployment
• Pre-flight enforcement — all guardrails checked before any API call is made
• Full audit trail — every action logged with timestamp, target, outcome, and latency
• Credential isolation — secrets never appear in logs or error outputs
• Multi-tenant ready — independent auth and config per WordPress target

Data Retention

The server does not store or persist WordPress content. All processing is stateless — content flows through the server and is never cached, written to disk, or retained in memory beyond the scope of a single tool invocation. Audit logs are emitted to stderr in real-time and can be disabled (WP_AUDIT_LOG=off) or redirected to any logging pipeline based on deployment requirements. Zero data retention by design.

---

Quick Start

Requirements

• Node.js >= 18
• WordPress site with REST API enabled (default since WP 4.7)
• WordPress Application Password (WP 5.6+)
• HTTPS endpoint (required for production)
• WooCommerce 3.5+ (optional, for WooCommerce tools)

Install from npm (recommended)

# Run directly — no install needed
npx -y @adsim/wordpress-mcp-server

# Or install globally
npm install -g @adsim/wordpress-mcp-server

Install from GitHub

git clone https://github.com/GeorgesAdSim/wordpress-mcp-server.git
cd wordpress-mcp-server
npm install

Configure

Create a .env file:

WP_API_URL=https://yoursite.com
WP_API_USERNAME=your-username
WP_API_PASSWORD=xxxx xxxx xxxx xxxx xxxx xxxx

# Optional: WooCommerce (generate at WooCommerce → Settings → Advanced → REST API)
WC_CONSUMER_KEY=ck_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
WC_CONSUMER_SECRET=cs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

To generate an Application Password: WordPress Admin → Users → Profile → Application Passwords → Add New.

Connect to Claude Desktop

Add to claude_desktop_config.json:

• macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
• Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "wordpress": {
      "command": "npx",
      "args": ["-y", "@adsim/wordpress-mcp-server"],
      "env": {
        "WP_API_URL": "https://yoursite.com",
        "WP_API_USERNAME": "your-username",
        "WP_API_PASSWORD": "xxxx xxxx xxxx xxxx xxxx xxxx"
      }
    }
  }
}

Connect to Claude Code

claude mcp add wordpress \
  -e WP_API_URL=https://yoursite.com \
  -e WP_API_USERNAME=your-username \
  -e WP_API_PASSWORD="xxxx xxxx xxxx xxxx xxxx xxxx" \
  -- npx -y @adsim/wordpress-mcp-server

---

HTTP Streamable Transport

New in v3.0.0 — Run the server over HTTP instead of (or alongside) stdio, following the MCP spec 2025-03-26.

Start in HTTP mode

MCP_TRANSPORT=http \
MCP_HTTP_PORT=3000 \
MCP_AUTH_TOKEN=your-secret-token \
WP_API_URL=https://yoursite.com \
WP_API_USERNAME=your-username \
WP_API_PASSWORD="xxxx xxxx xxxx xxxx" \
npx -y @adsim/wordpress-mcp-server

Dual mode (stdio + HTTP simultaneously)

MCP_TRANSPORT=http \
MCP_DUAL_MODE=true \
MCP_AUTH_TOKEN=your-secret-token \
npx -y @adsim/wordpress-mcp-server

HTTP environment variables

| Variable | Default | Description | |---|---|---| | MCP_TRANSPORT | stdio | Set to http to enable HTTP Streamable transport | | MCP_HTTP_PORT | 3000 | HTTP server port | | MCP_HTTP_HOST | 127.0.0.1 | Bind address | | MCP_AUTH_TOKEN | (none) | Bearer token for authentication (required in HTTP mode) | | MCP_ALLOWED_ORIGINS | (none) | Comma-separated allowed origins (anti-DNS-rebinding) | | MCP_SESSION_TIMEOUT_MS | 3600000 | Session TTL in milliseconds (1 hour) | | MCP_DUAL_MODE | false | Run stdio and HTTP transports simultaneously |

Health check

curl http://localhost:3000/health
# → { "status": "ok", "version": "4.6.0", "transport": "http" }

Connect an MCP client via HTTP

{
  "mcpServers": {
    "wordpress-http": {
      "url": "http://localhost:3000/mcp",
      "headers": {
        "Authorization": "Bearer your-secret-token"
      }
    }
  }
}

---

MCPB Bundle — Claude Desktop One-Click Install

New in v3.1.0 — Package the server as a .mcpb bundle for Claude Desktop distribution.

The bundle stores WordPress credentials securely in the OS keychain (sensitive: true) — no manual JSON editing required.

Build the bundle

npm run build:mcpb
# → wordpress-mcp-server.mcpb

Install in Claude Desktop

Double-click wordpress-mcp-server.mcpb — Claude Desktop will prompt for:

• WordPress Site URL
• WordPress Username
• WordPress Application Password (stored in OS keychain)

---

Available Tools (92)

Content Management

| Tool | Description | |---|---| | wp_list_posts | List posts with pagination, filtering by status/category/tag/author, and search | | wp_get_post | Get a post by ID with full content, meta fields, and taxonomy info | | wp_create_post | Create a post (defaults to draft). Supports HTML, categories, tags, featured image, meta | | wp_update_post | Update any post field. Only provided fields are modified | | wp_delete_post | Move to trash by default. Permanent deletion requires force=true. Returns confirmation token when WP_CONFIRM_DESTRUCTIVE=true | | wp_search | Full-text search across all content types | | wp_list_pages | List pages with hierarchy (parent/child), templates, and menu order | | wp_get_page | Get page content, template, and hierarchy info | | wp_create_page | Create a page with parent, template, and menu_order support | | wp_update_page | Update any page field |

Media Library

| Tool | Description | |---|---| | wp_list_media | Browse media with type filtering (image/video/audio/document) | | wp_get_media | Get URL, dimensions, alt text, caption, and all available sizes | | wp_upload_media | Upload a file from a public URL to the WordPress media library |

Taxonomies & Structure

| Tool | Description | |---|---| | wp_list_categories | List categories with hierarchy, post count, and descriptions | | wp_list_tags | List tags with post count | | wp_create_taxonomy_term | Create a new category or tag | | wp_list_post_types | Discover all registered post types (including custom ones) | | wp_list_custom_posts | List content from any custom post type (products, portfolio, events) |

Engagement

| Tool | Description | |---|---| | wp_list_comments | List comments with filtering by post, status, and author | | wp_create_comment | Create a comment or reply on any post | | wp_list_users | List users with roles (read-only) |

SEO Metadata

| Tool | Description | |---|---| | wp_get_seo_meta | Read SEO title, description, focus keyword, canonical, robots, Open Graph. Auto-detects Yoast, RankMath, SEOPress, All in One SEO | | wp_update_seo_meta | Update SEO metadata with automatic plugin detection | | wp_audit_seo | Bulk audit SEO across posts/pages with quality scoring (0-100), missing fields detection, and length checks |

SEO metadata updates are subject to the same enterprise controls and execution policies as all other write operations.

SEO Audit Suite

New in v4.0–v4.2 — Deep technical SEO analysis without requiring any WordPress plugin.

| Tool | Description | |---|---| | wp_audit_media_seo | Audit media library for missing alt text, short alt text, and unoptimized filenames. Returns per-image scores and prioritized fix list | | wp_find_orphan_pages | Identify posts with no internal links pointing to them, sorted by word count. Configurable minimum word threshold and exclusion list | | wp_audit_heading_structure | Analyze H1/H2/H3 hierarchy in post content. Detects H1 in body, heading level skips, empty headings, focus keyword absent from H2 | | wp_find_thin_content | Surface posts below a configurable word count threshold. Scores content quality by word count, heading density, and paragraph structure | | wp_audit_canonicals | Validate canonical URLs across posts and pages. Detects missing canonicals, self-referencing mismatches, and cross-domain canonicals. Auto-detects RankMath/Yoast/SEOPress/AIOSEO | | wp_analyze_eeat_signals | Score E-E-A-T signals per post: author bio presence, publication/update dates, outbound citations, word count, structured data markers. Returns a 0-100 score with a breakdown by dimension | | wp_find_broken_internal_links | Check all internal links in a post via HEAD requests. Returns broken (4xx/5xx), redirected (3xx), and slow links. Configurable batch size and timeout | | wp_find_keyword_cannibalization | Detect posts sharing the same RankMath/Yoast/SEOPress/AIOSEO focus keyword. Groups conflicts by keyword and flags the weakest post by word count | | wp_audit_taxonomies | Identify taxonomy bloat: unused categories/tags, near-duplicate terms via Levenshtein distance, single-post terms, and over-tagged posts | | wp_audit_outbound_links | Analyze external link profile per post. Detects links to low-authority domains, missing rel="nofollow" on sponsored links, and broken external URLs |

All SEO audit tools are read-only and always allowed regardless of governance flags.

Content Intelligence

New in v4.4.0 — Deep content analysis and editorial intelligence without any WordPress plugin.

| Tool | Description | |---|---| | wp_get_content_brief | Editorial brief aggregator: SEO + structure + links in 1 call | | wp_extract_post_outline | H1-H6 outline extraction with category-level pattern analysis | | wp_audit_readability | Bulk Flesch-Kincaid FR scoring with transition word and passive voice analysis | | wp_audit_update_frequency | Outdated content detection cross-referenced with SEO scores | | wp_build_link_map | Internal link matrix with simplified PageRank scoring (0-100) | | wp_audit_anchor_texts | Anchor text diversity audit: generic, over-optimized, image link detection | | wp_audit_schema_markup | JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness) | | wp_audit_content_structure | Editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images | | wp_find_duplicate_content | TF-IDF cosine similarity for near-duplicate detection with union-find clustering | | wp_find_content_gaps | Taxonomy under-representation analysis (categories + tags) | | wp_extract_faq_blocks | FAQ inventory: JSON-LD, Gutenberg blocks, HTML patterns | | wp_audit_cta_presence | CTA detection (6 types) with scoring 0-100 | | wp_extract_entities | Regex/heuristic named entity extraction (brands, locations, persons, organizations) | | wp_get_publishing_velocity | Publication cadence by author/category with trend detection | | wp_compare_revisions_diff | Textual diff between revisions with amplitude scoring | | wp_list_posts_by_word_count | Posts sorted by length with 6-tier segmentation |

All Content Intelligence tools are read-only and always allowed regardless of governance flags.

Plugin Intelligence Layer

New in v4.6.0 — Extensible adapter architecture for third-party WordPress plugins. Adapters activate only when the plugin is detected via REST API namespace discovery.

Disable all plugin tools: WP_DISABLE_PLUGIN_LAYERS=true

ACF (Advanced Custom Fields)

| Tool | Description | |---|---| | acf_get_fields | Get ACF custom fields for a post/page with key filtering and raw/compact/summary modes | | acf_list_field_groups | List all configured ACF field groups | | acf_get_field_group | Get full detail of an ACF field group by ID | | acf_update_fields | Update ACF custom fields for a post/page. Write — blocked by WP_READ_ONLY |

Requires ACF Pro or ACF Free with REST API enabled (/acf/v3 namespace).

Elementor

| Tool | Description | |---|---| | elementor_list_templates | List Elementor templates (page, section, block, popup) with type filtering | | elementor_get_template | Get full Elementor template content and elements. Context-guarded at 50k chars | | elementor_get_page_data | Get Elementor editor data for a post/page: widgets used, elements count |

Requires Elementor Free or Pro (/elementor/v1 namespace).

Plugins

| Tool | Description | |---|---| | wp_list_plugins | List installed plugins with status, version, author. Requires Administrator (activate_plugins capability) | | wp_activate_plugin | Activate a plugin. Blocked by WP_READ_ONLY and WP_DISABLE_PLUGIN_MANAGEMENT | | wp_deactivate_plugin | Deactivate a plugin. Blocked by WP_READ_ONLY and WP_DISABLE_PLUGIN_MANAGEMENT |

Themes

| Tool | Description | |---|---| | wp_list_themes | List installed themes with active theme detection. Requires switch_themes capability | | wp_get_theme | Get theme details by stylesheet slug |

Revisions

| Tool | Description | |---|---| | wp_list_revisions | List revisions of a post or page (metadata only) | | wp_get_revision | Get a specific revision with full content | | wp_restore_revision | Restore a post to a previous revision (plugin-free 2-step approach) | | wp_delete_revision | Permanently delete a revision. Blocked by WP_READ_ONLY, WP_DISABLE_DELETE, and WP_CONFIRM_DESTRUCTIVE |

Editorial Workflow

New in v3.2.0 — Approval workflow for regulated content operations.

| Tool | Description | |---|---| | wp_submit_for_review | Transition a draft post to pending status (author action). Blocked by WP_READ_ONLY | | wp_approve_post | Transition a pending post to publish (editor/admin action). Blocked by WP_READ_ONLY and WP_DRAFT_ONLY | | wp_reject_post | Return a pending post to draft with a mandatory rejection reason (editor/admin action). Blocked by WP_READ_ONLY |

The approval workflow is enforced by WP_REQUIRE_APPROVAL=true, which blocks direct publish via wp_update_post and forces the draft → pending → publish path.

Internal Link Intelligence

New in v3.3.0 — Audit and improve internal linking without auto-insertion.

| Tool | Description | |---|---| | wp_analyze_links | Audit all internal and external links in a post. HEAD request verification per link (broken/warning/unknown). Configurable max checks and timeout | | wp_suggest_internal_links | Semantic link suggestions scored by category match (+3), freshness (+3/2/1), SEO focus keyword match (+2), title match (+2). Excludes already-linked posts |

Pre-flight linking workflow: wp_suggest_internal_links → user validates → wp_update_post (never auto-insert).

WooCommerce

New in v3.4.0–v3.6.0 — Full WooCommerce integration with read, intelligence, and write operations.

Requires WC_CONSUMER_KEY and WC_CONSUMER_SECRET environment variables. Generate API keys at WooCommerce → Settings → Advanced → REST API.

| Tool | Description | |---|---| | wc_list_products | List products with filtering by status, category, search, and sorting by price/popularity | | wc_get_product | Get a product by ID with full details. Includes variations summary for variable products | | wc_list_orders | List orders with filtering by status, customer, and date | | wc_get_order | Get an order by ID with line items, shipping, billing, and payment details | | wc_list_customers | List customers with search and role filtering | | wc_get_customer | Get a customer by ID with full profile, order history summary, and lifetime value | | wc_list_coupons | List coupons with filtering by type, expiry status, and usage | | wc_get_coupon | Get a coupon by ID with full discount rules and usage statistics | | wc_sales_report | Generate sales summary for a date range: revenue, orders, average order value, top products | | wc_top_products | Rank products by revenue, quantity sold, or order count for a given period | | wc_price_guardrail | Analyze a price change for safety (read-only). Returns safe/unsafe based on configurable threshold percentage | | wc_update_product | Update product fields (title, description, price, stock, status). Blocked by WP_READ_ONLY and subject to wc_price_guardrail thresholds | | wc_update_order_status | Transition order status (e.g., processing → completed). Blocked by WP_READ_ONLY |

All WooCommerce write tools are blocked by WP_READ_ONLY. wc_price_guardrail is always allowed — it never modifies data.

Operations

| Tool | Description | |---|---| | wp_set_target | Switch active WordPress site in multi-target mode | | wp_site_info | Site info, current user, post types, enterprise controls, available targets, and plugin_layer (detected plugins, tools count) |

---

Enterprise Controls

Configure execution policy via environment variables. All restrictions are enforced before any API call is made — including SEO metadata, plugin operations, and WooCommerce writes.

| Control | Default | Effect | |---|---|---| | WP_READ_ONLY | false | Blocks all write operations (create, update, delete, upload, SEO updates, plugin management, WooCommerce writes) | | WP_DRAFT_ONLY | false | Restricts to draft and pending statuses only | | WP_DISABLE_DELETE | false | Blocks all delete operations (posts + revisions) | | WP_DISABLE_PLUGIN_MANAGEMENT | false | Blocks plugin activate/deactivate (list still allowed) | | WP_REQUIRE_APPROVAL | false | Blocks direct publish via wp_update_post. Forces draft → pending → publish approval workflow | | WP_CONFIRM_DESTRUCTIVE | false | Requires a token confirmation before wp_delete_post and wp_delete_revision execute | | WP_ALLOWED_TYPES | all | Restricts to specific post types (e.g., post,page) | | WP_ALLOWED_STATUSES | all | Restricts to specific statuses (e.g., draft,pending) | | WP_MAX_CALLS_PER_MINUTE | unlimited | Client-side rate limiting | | WP_AUDIT_LOG | on | Structured JSON audit trail |

Destructive confirmation flow

When WP_CONFIRM_DESTRUCTIVE=true, wp_delete_post and wp_delete_revision return a stateless confirmation token on the first call instead of executing. The token is valid for 60 seconds (SHA-256, zero persistence). Pass the token back on a second call to confirm execution.

Governance priority order: WP_READ_ONLY → WP_DISABLE_DELETE → WP_CONFIRM_DESTRUCTIVE

Deployment profiles

Agency content production — writers can create and edit, but never publish or delete:

WP_DRAFT_ONLY=true
WP_DISABLE_DELETE=true
WP_ALLOWED_STATUSES=draft,pending
WP_MAX_CALLS_PER_MINUTE=30

Editorial review workflow — forces human approval before publication:

WP_REQUIRE_APPROVAL=true
WP_DISABLE_DELETE=true
WP_AUDIT_LOG=on

Compliance monitoring — read-only access for auditing existing content:

WP_READ_ONLY=true
WP_AUDIT_LOG=on

Regulated publishing — restrict to specific content types in a controlled environment:

WP_ALLOWED_TYPES=post
WP_ALLOWED_STATUSES=draft,pending,publish
WP_DISABLE_DELETE=true
WP_AUDIT_LOG=on

Locked infrastructure — content operations allowed, but no plugin/theme changes:

WP_DISABLE_PLUGIN_MANAGEMENT=true
WP_DISABLE_DELETE=true

E-commerce safe mode — WooCommerce read and intelligence, no writes:

WP_READ_ONLY=true
WC_CONSUMER_KEY=ck_xxx
WC_CONSUMER_SECRET=cs_xxx

Blocked actions return a clear error message explaining which control prevented execution, and are logged in the audit trail with status blocked.

---

SEO Metadata

The SEO tools auto-detect which SEO plugin is installed on your WordPress site and use the correct meta fields automatically.

Supported plugins:

• Yoast SEO — _yoast_wpseo_title, _yoast_wpseo_metadesc, _yoast_wpseo_focuskw, plus yoast_head_json REST API extension
• RankMath — rank_math_title, rank_math_description, rank_math_focus_keyword
• SEOPress — _seopress_titles_title, _seopress_titles_desc, _seopress_analysis_target_kw
• All in One SEO — _aioseo_title, _aioseo_description, _aioseo_keywords

SEO Audit Scoring

wp_audit_seo scores each post on a 100-point scale:

| Check | Penalty | |---|---| | Missing SEO title | -30 | | SEO title too short (< 30 chars) or too long (> 60 chars) | -10 | | Missing meta description | -30 | | Meta description too short (< 120 chars) or too long (> 160 chars) | -10 | | Missing focus keyword | -20 | | Focus keyword not in SEO title | -10 |

Exposing SEO Meta Fields (Required)

Most SEO plugins store their data in WordPress post meta fields that are not exposed via the REST API by default. Without this step, wp_get_seo_meta and wp_audit_seo will return empty results even though your SEO data exists in the database.

Add the following code to your theme's functions.php (Appearance → Theme File Editor → functions.php) or — preferably — create a custom mini-plugin (see below).

⚠️ Important: When pasting code into functions.php, make sure the file starts with exactly <?php — no extra characters before it. A stray character (like <<?php) will break the WordPress REST API by injecting invalid output before JSON responses, causing Unexpected token '<' errors in MCP.

RankMath:

add_action( 'init', function() {
    $fields = array(
        'rank_math_title',
        'rank_math_description',
        'rank_math_focus_keyword',
        'rank_math_canonical_url',
        'rank_math_robots',
        'rank_math_facebook_title',
        'rank_math_facebook_description',
        'rank_math_facebook_image',
    );
    foreach ( $fields as $field ) {
        foreach ( array( 'post', 'page' ) as $post_type ) {
            register_post_meta( $post_type, $field, array(
                'show_in_rest'  => true,
                'single'        => true,
                'type'          => 'string',
                'auth_callback' => function() {
                    return current_user_can( 'edit_posts' );
                },
            ) );
        }
    }
} );

Yoast SEO:

add_action( 'init', function() {
    $fields = array(
        '_yoast_wpseo_title',
        '_yoast_wpseo_metadesc',
        '_yoast_wpseo_focuskw',
        '_yoast_wpseo_canonical',
        '_yoast_wpseo_meta-robots-noindex',
        '_yoast_wpseo_meta-robots-nofollow',
        '_yoast_wpseo_opengraph-title',
        '_yoast_wpseo_opengraph-description',
        '_yoast_wpseo_opengraph-image',
    );
    foreach ( $fields as $field ) {
        foreach ( array( 'post', 'page' ) as $post_type ) {
            register_post_meta( $post_type, $field, array(
                'show_in_rest'  => true,
                'single'        => true,
                'type'          => 'string',
                'auth_callback' => function() {
                    return current_user_can( 'edit_posts' );
                },
            ) );
        }
    }
} );

SEOPress:

add_action( 'init', function() {
    $fields = array(
        '_seopress_titles_title',
        '_seopress_titles_desc',
        '_seopress_analysis_target_kw',
        '_seopress_robots_canonical',
        '_seopress_robots_index',
        '_seopress_social_fb_title',
        '_seopress_social_fb_desc',
        '_seopress_social_fb_img',
    );
    foreach ( $fields as $field ) {
        foreach ( array( 'post', 'page' ) as $post_type ) {
            register_post_meta( $post_type, $field, array(
                'show_in_rest'  => true,
                'single'        => true,
                'type'          => 'string',
                'auth_callback' => function() {
                    return current_user_can( 'edit_posts' );
                },
            ) );
        }
    }
} );

All in One SEO:

add_action( 'init', function() {
    $fields = array(
        '_aioseo_title',
        '_aioseo_description',
        '_aioseo_keywords',
        '_aioseo_og_title',
        '_aioseo_og_description',
        '_aioseo_og_image_url',
    );
    foreach ( $fields as $field ) {
        foreach ( array( 'post', 'page' ) as $post_type ) {
            register_post_meta( $post_type, $field, array(
                'show_in_rest'  => true,
                'single'        => true,
                'type'          => 'string',
                'auth_callback' => function() {
                    return current_user_can( 'edit_posts' );
                },
            ) );
        }
    }
} );

Alternative: MCP SEO Bridge Plugin (Recommended)

Note: Core content operations require no WordPress plugin. SEO metadata tools may require exposing meta fields via the REST API using either a theme snippet or this optional micro-plugin.

Instead of modifying your theme's functions.php (which gets overwritten on theme updates), create a standalone micro-plugin.

Create the file wp-content/plugins/mcp-seo-bridge.php:

<?php
/**
 * Plugin Name: MCP SEO Bridge
 * Description: Exposes SEO plugin meta fields via REST API for WordPress MCP Server
 * Version: 1.0.0
 * Author: AdSim
 * Author URI: https://adsim.be
 */

if ( ! defined( 'ABSPATH' ) ) exit;

add_action( 'init', function() {
    $fields = array();

    if ( defined( 'RANK_MATH_VERSION' ) ) {
        $fields = array(
            'rank_math_title', 'rank_math_description', 'rank_math_focus_keyword',
            'rank_math_canonical_url', 'rank_math_robots',
            'rank_math_facebook_title', 'rank_math_facebook_description', 'rank_math_facebook_image',
        );
    } elseif ( defined( 'WPSEO_VERSION' ) ) {
        $fields = array(
            '_yoast_wpseo_title', '_yoast_wpseo_metadesc', '_yoast_wpseo_focuskw',
            '_yoast_wpseo_canonical', '_yoast_wpseo_meta-robots-noindex', '_yoast_wpseo_meta-robots-nofollow',
            '_yoast_wpseo_opengraph-title', '_yoast_wpseo_opengraph-description', '_yoast_wpseo_opengraph-image',
        );
    } elseif ( defined( 'SEOPRESS_VERSION' ) ) {
        $fields = array(
            '_seopress_titles_title', '_seopress_titles_desc', '_seopress_analysis_target_kw',
            '_seopress_robots_canonical', '_seopress_robots_index',
            '_seopress_social_fb_title', '_seopress_social_fb_desc', '_seopress_social_fb_img',
        );
    } elseif ( defined( 'AIOSEO_VERSION' ) ) {
        $fields = array(
            '_aioseo_title', '_aioseo_description', '_aioseo_keywords',
            '_aioseo_og_title', '_aioseo_og_description', '_aioseo_og_image_url',
        );
    }

    foreach ( $fields as $field ) {
        foreach ( array( 'post', 'page' ) as $post_type ) {
            register_post_meta( $post_type, $field, array(
                'show_in_rest'  => true,
                'single'        => true,
                'type'          => 'string',
                'auth_callback' => function() {
                    return current_user_can( 'edit_posts' );
                },
            ) );
        }
    }
} );

Activate it from WordPress Admin → Plugins. This approach auto-detects your SEO plugin and survives theme updates.

Verifying SEO Fields Are Exposed

After adding the code, verify the fields are accessible:

curl -s -u "username:application-password" \
  "https://yoursite.com/wp-json/wp/v2/posts?per_page=1" | python3 -m json.tool | grep -E "rank_math|yoast|seopress|aioseo"

If you see your SEO fields in the meta object, the configuration is working.

Troubleshooting SEO Fields

| Symptom | Cause | Fix | |---|---|---| | wp_audit_seo returns empty SEO data | Meta fields not exposed via REST API | Add register_post_meta() code above | | Unexpected token '<' on all MCP calls | Stray character before <?php in functions.php | Remove any characters before <?php | | SEO fields visible but all null | SEO plugin not yet configured on those posts | Set titles/descriptions in RankMath/Yoast editor | | No SEO plugin detected | Plugin constant not matched | Verify your SEO plugin is active | | Fields lost after theme update | Code was in functions.php | Use the MCP SEO Bridge plugin instead |

---

WooCommerce Setup

Generate API Keys

Go to WooCommerce → Settings → Advanced → REST API → Add key.

Set permissions to Read/Write if you plan to use wc_update_product or wc_update_order_status. Set to Read for a read-only WooCommerce integration.

WC_CONSUMER_KEY=ck_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
WC_CONSUMER_SECRET=cs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Price Guardrail

wc_price_guardrail analyzes proposed price changes before any write operation. It returns safe or unsafe based on a configurable threshold (default 20%). Claude should call this tool before wc_update_product when modifying prices.

WC_PRICE_GUARDRAIL_THRESHOLD=20   # percentage — changes above this require explicit override

wc_price_guardrail is always allowed regardless of WP_READ_ONLY. It never modifies data.

---

Testing

767 unit tests covering all 92 tools — zero network calls, fully mocked.

npm test              # run all tests (vitest)
npm run test:watch    # watch mode
npm run test:coverage # coverage report

| Test file | Scope | Tests | |---|---|---| | governance.test.js | All governance flags + combinations including WP_REQUIRE_APPROVAL and WP_CONFIRM_DESTRUCTIVE | 30 | | posts.test.js | list, get, create, update, delete, search | 18 | | pages.test.js | list, get, create, update | 12 | | media.test.js | list, get, upload | 14 | | taxonomies.test.js | categories, tags, create term | 16 | | comments.test.js | list, create | 12 | | users.test.js | list | 7 | | search.test.js | search, post types, custom posts | 10 | | seo.test.js | get, update, audit | 12 | | plugins.test.js | list, activate, deactivate | 16 | | themes.test.js | list, get | 8 | | revisions.test.js | list, get, restore, delete | 17 | | editorial.test.js | submit_for_review, approve, reject | 15 | | links.test.js | analyze_links, suggest_internal_links | 16 | | woocommerce.test.js | products, orders, customers, coupons, reports, write, guardrail | 40 | | auditMediaSeo.test.js | media alt text audit, filename scoring | 12 | | findOrphanPages.test.js | inbound link detection, exclusion list | 10 | | auditHeadingStructure.test.js | H1/H2/H3 hierarchy, level skips, keyword detection | 12 | | findThinContent.test.js | word count threshold, heading density | 10 | | auditCanonicals.test.js | canonical validation, mismatch detection, multi-plugin | 12 | | analyzeEeatSignals.test.js | E-E-A-T scoring, author bio, citations, structured data | 12 | | findBrokenInternalLinks.test.js | HEAD request batching, 4xx/3xx detection | 12 | | findKeywordCannibalization.test.js | focus keyword conflicts, multi-plugin detection | 10 | | auditTaxonomies.test.js | Levenshtein duplicates, unused terms, over-tagging | 12 | | auditOutboundLinks.test.js | external link profile, nofollow detection | 10 | | contentAnalyzer.test.js | readability, TF-IDF, cosine similarity, entities, text diff | 44 | | contentIntelligence.test.js | 16 content intelligence tools: brief, outline, readability, update frequency, link map, anchor texts, schema, structure, duplicates, gaps, FAQ, CTA, entities, velocity, revisions diff, word count | 125 | | site.test.js | site info, set target | 5 | | transport/http.test.js | HTTP transport, Bearer auth, sessions | 10 | | pluginDetector.test.js | SEO plugin detection, rendered head, HTML head parsing | 13 | | pluginIntelligence.test.js | 6 plugin intelligence tools: rendered head, rendered SEO audit, pillar content, schema plugins, SEO score, Twitter meta | 48 | | dxt/manifest.test.js | MCPB manifest validation, 86 tools declared | 10 | | dynamicFiltering.test.js | WooCommerce/editorial/plugin-intelligence filtering, combined counts, callable when filtered | 9 | | outputCompression.test.js | mode=full/summary/ids_only for 10 listing tools (pages, media, comments, categories, tags, users, custom posts, plugins, themes, revisions) | 30 | | siteOptions.test.js | wp_get_site_options: all options, key filtering, 403, audit log, not blocked by WP_READ_ONLY | 5 | | plugins/registry.test.js | PluginRegistry: ACF/Elementor detection, empty namespaces, WP_DISABLE_PLUGIN_LAYERS, getSummary | 6 | | plugins/contextGuard.test.js | applyContextGuard: under threshold, truncation, raw bypass, stderr log | 4 | | plugins/iPluginAdapter.test.js | validateAdapter: complete adapter, missing id, missing getTools | 3 | | plugins/acf/acfAdapter.test.js | ACF read tools: get fields, filter, contextGuard, 404, list groups, get group, audit log | 10 | | plugins/acf/acfAdapter.write.test.js | ACF write: update fields, WP_READ_ONLY blocking, validation, 404/403, audit log | 8 | | plugins/elementor/elementorAdapter.test.js | Elementor adapter: list/get templates, page data, contextGuard, validation, namespace detection, audit log | 10 | | pluginLayer.test.js | Plugin Layer integration: listTools, callTool routing, wp_site_info, WP_DISABLE_PLUGIN_LAYERS, no collisions | 8 |

Each test verifies: success response shape, governance blocking (write tools), HTTP error handling (403/404), and audit log entries.

---

Structured Audit Log

Every tool invocation is recorded as a JSON event on stderr — ready for ingestion into Datadog, Splunk, CloudWatch, Langfuse, ELK, or any JSON-compatible pipeline.

{
  "timestamp": "2026-02-19T18:42:00.000Z",
  "tool": "wp_create_post",
  "target": 1234,
  "target_type": "post",
  "action": "create",
  "status": "success",
  "latency_ms": 245,
  "site": "production",
  "params": { "title": "New Post", "status": "draft" },
  "error": null
}

79 instrumentation points across all tools. Three status types: success, error, blocked.

| Field | Description | |---|---| | timestamp | ISO 8601 | | tool | Tool name invoked | | target | Resource ID when applicable | | target_type | Resource type (post, page, media, comment, category, tag, plugin, theme, revision, product, order, customer, coupon) | | action | Operation: list, read, create, update, trash, permanent_delete, upload, search, switch_target, read_seo, update_seo, audit_seo, activate, deactivate, restore, submit_review, approve, reject, analyze_links, suggest_links, guardrail, audit_media_seo, find_orphans, audit_headings, find_thin_content, audit_canonicals, analyze_eeat, find_broken_links, find_cannibalization, audit_taxonomies, audit_outbound_links, content_brief, extract_outline, audit_readability, audit_update_frequency, build_link_map, audit_anchor_texts, audit_schema, audit_content_structure, find_duplicates, find_content_gaps, extract_faq, audit_cta, extract_entities, publishing_velocity, compare_revisions, list_by_word_count | | status | success, error, or blocked | | latency_ms | Execution time | | site | Active target name | | params | Sanitized parameters (content fields truncated) | | error | Error detail or null |

---

Multi-Target

Manage multiple WordPress sites from a single server instance. Designed for agencies and multi-brand organizations.

Inline configuration:

WP_TARGETS_JSON='{"production":{"url":"https://mysite.com","username":"admin","password":"xxxx"},"staging":{"url":"https://staging.mysite.com","username":"editor","password":"xxxx"}}'

File-based configuration:

WP_TARGETS_FILE=/path/to/targets.json

{
  "production": {
    "url": "https://mysite.com",
    "username": "admin",
    "password": "xxxx xxxx xxxx xxxx xxxx xxxx"
  },
  "staging": {
    "url": "https://staging.mysite.com",
    "username": "editor",
    "password": "xxxx xxxx xxxx xxxx xxxx xxxx"
  },
  "client-blog": {
    "url": "https://client.com",
    "username": "content-manager",
    "password": "xxxx xxxx xxxx xxxx xxxx xxxx"
  }
}

Switch targets during a session with wp_set_target. All available sites and the active target are visible in wp_site_info.

---

Health & Reliability

The server performs a health check on startup: REST API connectivity, user authentication, and role verification. During operation: automatic retry with exponential backoff (configurable, default 3 attempts), request timeout (default 30s), rate limit handling (respects 429 + retry-after), and contextual error messages with diagnosis guidance.

| Setting | Default | Description | |---|---|---| | WP_MCP_VERBOSE | false | Debug-level logging | | WP_MCP_TIMEOUT | 30000 | Request timeout (ms) | | WP_MCP_MAX_RETRIES | 3 | Max retry attempts |

---

Security

• HTTPS required in production. HTTP only for localhost
• Application Passwords only — never use WordPress login credentials
• Credentials never logged — audit trail sanitizes all sensitive data
• No credentials in code — .env or environment variables only
• Instant revocation — Application Passwords can be revoked from WordPress admin
• Traceable requests — custom User-Agent: WordPress-MCP-Server/4.6.0
• Bearer token auth in HTTP mode — timing-safe comparison, no token in logs
• Origin validation in HTTP mode — anti-DNS-rebinding protection

---

Troubleshooting

| Issue | Solution | |---|---| | 401 Unauthorized | Verify username and Application Password | | 403 Forbidden | Check WordPress user role and capabilities | | 404 Not Found | Verify WP_API_URL and REST API availability | | Unexpected token '<' | Stray character before <?php in functions.php — see SEO Troubleshooting | | Blocked: READ-ONLY mode | Disable WP_READ_ONLY to allow writes | | Blocked: DRAFT-ONLY mode | Only draft/pending allowed. Check WP_DRAFT_ONLY | | Blocked: PLUGIN MANAGEMENT | Disable WP_DISABLE_PLUGIN_MANAGEMENT to allow activate/deactivate | | Blocked: APPROVAL REQUIRED | WP_REQUIRE_APPROVAL=true — use wp_submit_for_review then wp_approve_post | | Confirmation token required | WP_CONFIRM_DESTRUCTIVE=true — pass the returned token on a second call within 60s | | 401 Unauthorized (HTTP mode) | Set MCP_AUTH_TOKEN and pass Authorization: Bearer <token> | | 403 Forbidden (HTTP mode) | Check MCP_ALLOWED_ORIGINS includes your client origin | | WooCommerce 401 | Verify WC_CONSUMER_KEY and WC_CONSUMER_SECRET | | WooCommerce 403 | API key needs Read/Write permissions for write tools | | Rate limit exceeded | Adjust WP_MAX_CALLS_PER_MINUTE | | Timeout | Increase WP_MCP_TIMEOUT or check server | | Site not found | Verify site key in WP_TARGETS_JSON or file | | No SEO plugin detected | Install Yoast, RankMath, SEOPress, or AIOSEO | | SEO meta fields empty | Add register_post_meta() code or install MCP SEO Bridge plugin — see Exposing SEO Meta Fields | | wp_find_broken_internal_links slow | Reduce batchSize parameter or increase timeoutMs | | wp_audit_outbound_links empty | External HEAD requests blocked by your server firewall | | Server not starting | Check Node.js 18+ is installed: node --version |

---

Development

# Clone the repository
git clone https://github.com/GeorgesAdSim/wordpress-mcp-server.git
cd wordpress-mcp-server

# Install dependencies
npm install

# Run tests
npm test

# Run locally (stdio)
WP_API_URL="https://your-site.com" \
WP_API_USERNAME="user" \
WP_API_PASSWORD="xxxx xxxx xxxx xxxx" \
node index.js

# Run locally (HTTP)
MCP_TRANSPORT=http \
MCP_AUTH_TOKEN=dev-token \
WP_API_URL="https://your-site.com" \
WP_API_USERNAME="user" \
WP_API_PASSWORD="xxxx xxxx xxxx xxxx" \
node index.js

# Build MCPB bundle
npm run build:mcpb

Testing with MCP Inspector

npx @modelcontextprotocol/inspector node index.js

---

Changelog

v4.6.0 (2026-02-22) — Plugin Intelligence Layer

Extensible adapter architecture for third-party WordPress plugins. Adapters activate only when their plugin is detected via REST API namespace discovery — zero overhead when plugins are absent.

Architecture:

• src/plugins/registry.js — PluginRegistry with automatic plugin detection via REST namespaces. WP_DISABLE_PLUGIN_LAYERS=true disables all plugin tools
• src/plugins/contextGuard.js — LLM context overflow protection: automatic truncation at 50k chars with truncation metadata
• src/plugins/IPluginAdapter.js — Adapter contract interface: id, namespace, riskLevel, contextConfig, getTools, handleTool
• wp_site_info now reports plugin_layer (detected plugins, available tools count)

ACF Adapter:

• acf_get_fields — ACF custom fields with key filtering, raw/compact/summary modes
• acf_list_field_groups — all configured field groups
• acf_get_field_group — field group detail by ID
• acf_update_fields — update custom fields. Blocked by WP_READ_ONLY. riskLevel: "medium"

Elementor Adapter (read-only):

• elementor_list_templates — templates with type filter (page/section/block/popup)
• elementor_get_template — full template content, context-guarded at 50k chars
• elementor_get_page_data — widgets used, elements count, Elementor status per post

767 Vitest unit tests · 92 tools

v4.5.1 (2026-02-21) — Context Optimization

LLM context reduction across all 85 tools — zero breaking changes.

Dynamic filtering:

• getFilteredTools() hides WooCommerce (13), editorial (3), and plugin intelligence (6) tools when their env vars are absent
• listTools returns only exposed tools; callTool still handles all 85
• wp_site_info now reports tools_total, tools_exposed, filtered_out

LLM-optimized descriptions:

• All 85 tool descriptions rewritten: "Use when [TRIGGER]. [ACTION]. [Read-only | Write — blocked by X]. [Hint: optional]"

Schema compact:

• Redundant description fields removed from inputSchema properties (id, per_page, page, status with enum, search, force, post_type with enum, etc.)

Output compression (mode parameter):

• 10 listing tools gain mode param: full (default), summary (key fields only), ids_only (flat array)
• wp_list_pages, wp_list_media, wp_list_comments, wp_list_categories, wp_list_tags, wp_list_users, wp_list_custom_posts, wp_list_plugins, wp_list_themes, wp_list_revisions

713 Vitest unit tests · 85 tools

v4.5.0 (2026-02-21) — Plugin Intelligence (RankMath + Yoast)

6 new tools exploiting native RankMath and Yoast SEO API endpoints for rendered head analysis, schema validation, and social meta management.

New shared module:

• src/pluginDetector.js — SEO plugin auto-detection via REST API namespace discovery (cached), rendered head fetching, HTML head parsing

Rendered SEO Analysis:

• wp_get_rendered_head — fetch the real <head> HTML via RankMath /rankmath/v1/getHead or Yoast /yoast/v1/get_head endpoints, compare rendered vs stored meta
• wp_audit_rendered_seo — bulk audit rendered vs stored SEO meta divergences with per-post scoring (title/description/canonical/robots/schema mismatches)

Plugin-Native Features:

• wp_get_pillar_content — read/write RankMath rank_math_pillar_content cornerstone flag. Write mode blocked by WP_READ_ONLY
• wp_audit_schema_plugins — validate JSON-LD schemas from plugin native fields (rank_math_schema or Yoast yoast_head_json). Checks required fields per @type
• wp_get_seo_score — read RankMath native SEO score (0-100) with bulk mode distribution stats
• wp_get_twitter_meta — read/write Twitter Card meta (title, description, image) for RankMath, Yoast, and SEOPress. Write mode blocked by WP_READ_ONLY

674 Vitest unit tests · 85 tools

v4.4.0 (2026-02-21) — Content Intelligence

16 new read-only analysis tools for deep content intelligence without any WordPress plugin.

Foundations:

• src/contentAnalyzer.js — shared analysis engine: readability (Flesch-Kincaid FR), TF-IDF, cosine similarity, entity extraction, text diff, content structure detection
• wp_get_content_brief — editorial brief aggregator (SEO + structure + links in 1 call)
• wp_extract_post_outline — H1-H6 outline extraction with category-level pattern analysis

SEO Advanced:

• wp_audit_readability — bulk Flesch-Kincaid FR scoring with transition word and passive voice analysis
• wp_audit_update_frequency — outdated content detection cross-referenced with SEO scores
• wp_build_link_map — internal link matrix with simplified PageRank scoring (0-100)

Technical Quality:

• wp_audit_anchor_texts — anchor text diversity audit: generic, over-optimized, image link detection
• wp_audit_schema_markup — JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness)
• wp_audit_content_structure — editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images

Intelligence Advanced:

• wp_find_duplicate_content — TF-IDF cosine similarity for near-duplicate detection with union-find clustering
• wp_find_content_gaps — taxonomy under-representation analysis (categories + tags)
• wp_extract_faq_blocks — FAQ inventory: JSON-LD, Gutenberg blocks, HTML patterns
• wp_audit_cta_presence — CTA detection (6 types) with scoring 0-100
• wp_extract_entities — regex/heuristic named entity extraction (brands, locations, persons, organizations)
• wp_get_publishing_velocity — publication cadence by author/category with trend detection
• wp_compare_revisions_diff — textual diff between revisions with amplitude scoring
• wp_list_posts_by_word_count — posts sorted by length with 6-tier segmentation

All Content Intelligence tools are read-only and always allowed regardless of governance flags.

613 Vitest unit tests · 79 tools

v4.2.0 (2026-02-19) — SEO Audit Suite (Sprint 3)

• wp_find_broken_internal_links — HEAD request link checker with configurable batch size and timeout. Returns broken (4xx/5xx), redirected (3xx), and slow links
• wp_find_keyword_cannibalization — detect posts sharing the same focus keyword. Auto-detects RankMath/Yoast/SEOPress/AIOSEO. Groups conflicts by keyword, flags weakest post by word count
• wp_audit_taxonomies — taxonomy bloat detection: unused terms, near-duplicate detection via Levenshtein distance, single-post terms, over-tagged posts
• wp_audit_outbound_links — external link profile per post: low-authority domains, missing rel="nofollow", broken external URLs
• src/htmlParser.js — shared HTML parsing service (parseImagesFromHtml, extractHeadings, extractInternalLinks, countWords)
• 400 Vitest unit tests · 63 tools

v4.1.0 (2026-02-19) — SEO Audit Suite (Sprint 2)

• wp_find_thin_content — surface posts below configurable word count threshold. Scores content quality by word count, heading density, and paragraph structure
• wp_audit_canonicals — validate canonical URLs across posts and pages. Detects missing canonicals, self-referencing mismatches, cross-domain canonicals. Auto-detects RankMath/Yoast/SEOPress/AIOSEO
• wp_analyze_eeat_signals — E-E-A-T scoring per post (0-100): author bio presence, publication/update dates, outbound citations, word count, structured data markers
• 368 Vitest unit tests · 59 tools

v4.0.0 (2026-02-19) — SEO Audit Suite (Sprint 1)

• wp_audit_media_seo — audit media library for missing alt text, short alt text, unoptimized filenames. Returns per-image scores and prioritized fix list
• wp_find_orphan_pages — identify posts with no internal links pointing to them, sorted by word count. Configurable minimum word threshold and exclusion list
• wp_audit_heading_structure — analyze H1/H2/H3 hierarchy in post content. Detects H1 in body, heading level skips, empty headings, focus keyword absent from H2
• All 10 SEO audit tools are read-only and always allowed regardless of governance flags
• 340 Vitest unit tests · 56 tools

v3.6.0 (2026-02-19) — WooCommerce Write

• wc_update_product — update product fields (title, description, price, stock, status). Integrated with wc_price_guardrail threshold enforcement
• wc_update_order_status — transition order status (e.g., processing → completed)
• WC_PRICE_GUARDRAIL_THRESHOLD — configurable price change safety threshold (default 20%)
• All WooCommerce write tools blocked by WP_READ_ONLY
• 305 Vitest unit tests · 53 tools

v3.5.0 (2026-02-19) — WooCommerce Intelligence

• wc_get_customer — customer profile with order history summary and lifetime value
• wc_list_coupons / wc_get_coupon — coupon management with discount rules and usage stats
• wc_sales_report — revenue, orders, and average order value for a date range
• wc_top_products — ranking by revenue, quantity sold, or order count
• 287 Vitest unit tests · 50 tools

v3.4.0 (2026-02-19) — WooCommerce Core

• wc_list_products / wc_get_product — product catalog with variation support
• wc_list_orders / wc_get_order — order management with full line item detail
• wc_list_customers — customer list with search and role filtering
• wc_price_guardrail — read-only price change safety analysis
• Requires WC_CONSUMER_KEY and WC_CONSUMER_SECRET
• 271 Vitest unit tests · 46 tools

v3.3.0 (2026-02-19) — Internal Link Intelligence

• wp_analyze_links — audit all internal/external links in a post. HEAD request verification per link (broken/warning/unknown). Max 20 checks, configurable timeout
• wp_suggest_internal_links — semantic link suggestions scored by category match (+3), freshness (+3/2/1), SEO focus keyword match (+2), title match (+2). Excludes already-linked posts
• src/linkUtils.js — 6 shared utilities: extractInternalLinks, extractExternalLinks, checkLinkStatus, extractFocusKeyword (auto-detects RankMath/Yoast/SEOPress/AIOSEO), calculateRelevanceScore, suggestAnchorText
• Pre-flight linking workflow: suggest → user validates → wp_update_post (never auto-insert)
• 253 Vitest unit tests · 40 tools

v3.2.0 (2026-02-19) — Governance Workflows

• Editorial approval workflow: wp_submit_for_review (draft → pending), wp_approve_post (pending → publish), wp_reject_post (pending → draft + mandatory reason)
• New governance flag: WP_REQUIRE_APPROVAL — blocks direct publish, forces approval workflow
• Two-step confirmation for destructive operations: wp_delete_post and wp_delete_revision return a stateless token (60s TTL, SHA-256) when WP_CONFIRM_DESTRUCTIVE=true
• New governance flag: WP_CONFIRM_DESTRUCTIVE — requires explicit token confirmation before any delete
• src/confirmationToken.js — stateless token system, zero persistence
• Governance priority: WP_READ_ONLY → WP_DISABLE_DELETE → WP_CONFIRM_DESTRUCTIVE
• 225 Vitest unit tests · 38 tools

v3.1.0 (2026-02-19) — MCPB Bundle

• dxt/manifest.json — MCPB v0.3 spec, 35 tools declared
• WordPress credentials stored in OS keychain (sensitive: true)
• npm run build:mcpb — build script for .mcpb distribution
• 10 new manifest validation tests (201 total)
• Published to npm: npx -y @adsim/wordpress-mcp-server@3.1.0

v3.0.0 (2026-02-19) — HTTP Streamable Transport

• HTTP Streamable transport (MCP spec 2025-03-26) via MCP_TRANSPORT=http
• Bearer token authentication with timing-safe comparison (MCP_AUTH_TOKEN)
• Session management via Mcp-Session-Id header (UUID v4)
• Origin header validation (anti-DNS-rebinding)
• Health endpoint GET /health
• Dual mode MCP_DUAL_MODE=true — stdio + HTTP simultaneously
• Graceful shutdown SIGTERM/SIGINT across both transports
• 10 new HTTP/auth unit tests (191 total)
• Published to npm: @adsim/wordpress-mcp-server

v2.2.0 (2026-02-19) — Enterprise Edition

• 9 new tools: plugins (list/activate/deactivate), themes (list/get), revisions (list/get/restore/delete)
• New governance flag: WP_DISABLE_PLUGIN_MANAGEMENT
• 171 Vitest unit tests covering all 35 tools (governance, success, 403/404, audit logs)
• GitHub Actions CI workflow
• Governance functions read env at call time for testability
• Exported handleToolCall for direct testing

v2.1.0 (2026-02-16)

• Enterprise governance controls (read-only, draft-only, type/status allowlists)
• Structured JSON audit trail (27 instrumentation points)
• Multi-target site management
• 27 MCP tools including pages CRUD, media upload, taxonomy creation, custom post types
• SEO auto-detection for 4 plugins (Yoast, RankMath, SEOPress, AIOSEO)
• Health checks, retry with backoff, rate limiting

v1.0.0 (2025-10-17)

• Initial release — JavaScript, 5 tools (list, get, create, update, search posts)

---

Roadmap

v4.7 — GSC Integration

• wp_get_gsc_performance — Google Search Console API (clicks, impressions, position, CTR per URL)
• wp_find_quick_win_keywords — surface keywords ranking positions 11–20 for targeted updates
• wp_seo_content_decay — cross-reference GSC traffic loss with content age to prioritize refresh candidates

v4.8 — Redirect Intelligence

• wp_create_redirect — create 301 redirects via Redirection plugin or RankMath/Yoast Redirects. Auto-triggered governance hook when wp_update_post changes a slug
• wp_list_404_errors — surface recent 404s from Redirection plugin log

v4.9 — OAuth & Registry

• OAuth 2.0 / JWT authentication
• MCP Registry submission

---

Contributing

Contributions welcome. Open an issue or submit a pull request.

License

MIT — see LICENSE.

Credits

Built by AdSim — Digital Marketing & AI Agency, Liège, Belgium.

Building the governance layer for Claude-powered WordPress infrastructure in regulated environments.