
WordPress MCP
OfficialAutomattic's archived plugin exposing WordPress posts, users and WooCommerce to MCP clients; superseded by mcp-adapter.
Add to your client
Copy the config for your MCP client and paste it into its config file.
npx -y @automattic/mcp-wordpress-remote@latestPaste into ~/Library/Application Support/Claude/claude_desktop_config.json
{
"mcpServers": {
"wordpress-mcp": {
"command": "npx",
"args": [
"-y",
"@automattic/mcp-wordpress-remote@latest"
],
"env": {
"WP_API_URL": "https://your-site.com/",
"JWT_TOKEN": "<your-jwt-token>"
}
}
}
}Step-by-step guides: Add to Claude Desktop · Add to Cursor · Add to Windsurf
Before you start
- A WordPress site with the wordpress-mcp plugin installed and activated (zip from GitHub releases)
- A JWT token from Settings → WordPress MCP → Authentication Tokens (or a WordPress application password)
- Node.js for the npx proxy path
About WordPress MCP
WordPress MCP is a PHP plugin you install on the site itself. It registers MCP tools, resources and prompts inside WordPress, adds a Settings → WordPress MCP admin screen with feature toggles, and generates short-lived JWT tokens (1–24 h) from a React management UI. Everything an agent does runs under the WordPress user behind the token, so capability checks apply exactly as they would in wp-admin.
The tool surface splits into three groups: wp_* CRUD for posts and users, wc_* for WooCommerce products and orders, and an experimental generic REST bridge — discover endpoints, inspect their parameters, then execute — which covers custom post types and third-party plugin endpoints while automatically excluding sensitive routes. Individual create/update/delete capabilities can be disabled in settings.
There are two connection paths. The @automattic/mcp-wordpress-remote proxy runs locally via npx, speaks stdio to your client, and supports both JWT and application passwords plus WooCommerce extras. Modern clients can skip the proxy and hit the streamable JSON-RPC 2.0 endpoint (/wp-json/wp/v2/wpmcp/streamable) directly with a Bearer JWT — that route requires admin privileges.
The project was archived in 2025: Automattic's direction is WordPress/mcp-adapter, built on the Abilities API that ships in WordPress Core 6.9. This entry stays relevant because many sites still run the plugin, but for new deployments mcp-adapter is the maintained path.
Tools & capabilities (20)
wp_posts_searchSearch and filter WordPress posts with pagination
wp_get_postGet a post by ID
wp_add_postCreate a new post
wp_update_postUpdate a post by ID
wp_delete_postDelete a post by ID
wp_users_searchSearch and filter users with pagination
wp_get_userGet a user by ID
wp_add_userCreate a new user
wp_update_userUpdate a user by ID
wp_delete_userDelete a user by ID
wc_products_searchSearch WooCommerce products
wc_get_productGet a WooCommerce product by ID
wc_add_productCreate a WooCommerce product
wc_update_productUpdate a WooCommerce product
wc_orders_searchSearch WooCommerce orders
wc_get_orderGet a WooCommerce order by ID
wp_get_site_infoGet general site information
list_api_functionsDiscover all available WordPress REST API endpoints (experimental)
get_function_detailsInspect parameters and metadata for a specific endpoint/method (experimental)
run_api_functionExecute any REST API function with CRUD operations (experimental)
When to use it
- Draft, update and publish posts from an AI chat on an existing wordpress-mcp install
- Query WooCommerce orders and products conversationally
- Reach custom post types and plugin endpoints through the experimental generic REST tools
- Study a reference implementation of JWT-authenticated dual-transport MCP in a CMS
Quick setup
- 1Download wordpress-mcp.zip from the GitHub releases page and install it under /wp-content/plugins/, then activate
- 2In Settings → WordPress MCP, enable the plugin features and generate a JWT token (choose a 1–24 h duration)
- 3Add the proxy config to your client: npx -y @automattic/mcp-wordpress-remote@latest with WP_API_URL and JWT_TOKEN env vars
- 4Alternative direct route: connect streamable HTTP to https://your-site.com/wp-json/wp/v2/wpmcp/streamable with an Authorization: Bearer header
- 5For new projects, evaluate WordPress/mcp-adapter first — it's the maintained successor
Security notes
Archived project: no further features or security fixes — Automattic directs new work to WordPress/mcp-adapter, so treat this as legacy. Auth is scoped sensibly: JWT tokens expire in 1–24 hours and inherit the WordPress user's capabilities, and create/update/delete tools are individually toggleable in settings (the README warns to keep delete off unless you trust every MCP user).
WordPress MCP FAQ
Should I still use wordpress-mcp in 2026?
Only if you already run it. The repo is archived and Automattic explicitly recommends WordPress/mcp-adapter, which builds on the Abilities API shipping in WordPress Core 6.9. Existing installs keep working, but no fixes are coming.
Is it safe to expose my WordPress site through MCP this way?
The design is reasonably careful: JWTs expire in 1–24 hours, every action inherits the token user's capabilities, and destructive tools can be disabled per-operation (delete is the one to leave off). The real risk is the archived status — no future security patches — so weigh that for production sites.
Do I need the proxy, or can my client connect directly?
Both work. Clients with streamable HTTP support (like VS Code) can hit /wp-json/wp/v2/wpmcp/streamable directly with a Bearer JWT; stdio-only clients use the npx @automattic/mcp-wordpress-remote proxy, which also adds WooCommerce support and application-password auth.
Alternatives to WordPress MCP
Compare all alternatives →AI-powered task-management system for AI-driven development that drops into Cursor, Windsurf, Claude Code, and more.
Gives AI assistants deep knowledge of 2,000+ n8n nodes, plus optional workflow management on your own n8n instance.
Background computer-use MCP server that drives native macOS, Windows, and Linux desktop apps without stealing focus.
Compare WordPress MCP with: