MCP Directory

WordPress MCP

Official

Automattic's archived plugin exposing WordPress posts, users and WooCommerce to MCP clients; superseded by mcp-adapter.

Unverified
stdio (local)
API key
Stale
PHP

Add to your client

Copy the config for your MCP client and paste it into its config file.

Install / run
npx -y @automattic/mcp-wordpress-remote@latest

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "wordpress-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "@automattic/mcp-wordpress-remote@latest"
      ],
      "env": {
        "WP_API_URL": "https://your-site.com/",
        "JWT_TOKEN": "<your-jwt-token>"
      }
    }
  }
}

Step-by-step guides: Add to Claude Desktop · Add to Cursor · Add to Windsurf

Before you start

  • A WordPress site with the wordpress-mcp plugin installed and activated (zip from GitHub releases)
  • A JWT token from Settings → WordPress MCP → Authentication Tokens (or a WordPress application password)
  • Node.js for the npx proxy path

About WordPress MCP

WordPress MCP is a PHP plugin you install on the site itself. It registers MCP tools, resources and prompts inside WordPress, adds a Settings → WordPress MCP admin screen with feature toggles, and generates short-lived JWT tokens (1–24 h) from a React management UI. Everything an agent does runs under the WordPress user behind the token, so capability checks apply exactly as they would in wp-admin.

The tool surface splits into three groups: wp_* CRUD for posts and users, wc_* for WooCommerce products and orders, and an experimental generic REST bridge — discover endpoints, inspect their parameters, then execute — which covers custom post types and third-party plugin endpoints while automatically excluding sensitive routes. Individual create/update/delete capabilities can be disabled in settings.

There are two connection paths. The @automattic/mcp-wordpress-remote proxy runs locally via npx, speaks stdio to your client, and supports both JWT and application passwords plus WooCommerce extras. Modern clients can skip the proxy and hit the streamable JSON-RPC 2.0 endpoint (/wp-json/wp/v2/wpmcp/streamable) directly with a Bearer JWT — that route requires admin privileges.

The project was archived in 2025: Automattic's direction is WordPress/mcp-adapter, built on the Abilities API that ships in WordPress Core 6.9. This entry stays relevant because many sites still run the plugin, but for new deployments mcp-adapter is the maintained path.

Tools & capabilities (20)

wp_posts_search

Search and filter WordPress posts with pagination

wp_get_post

Get a post by ID

wp_add_post

Create a new post

wp_update_post

Update a post by ID

wp_delete_post

Delete a post by ID

wp_users_search

Search and filter users with pagination

wp_get_user

Get a user by ID

wp_add_user

Create a new user

wp_update_user

Update a user by ID

wp_delete_user

Delete a user by ID

wc_products_search

Search WooCommerce products

wc_get_product

Get a WooCommerce product by ID

wc_add_product

Create a WooCommerce product

wc_update_product

Update a WooCommerce product

wc_orders_search

Search WooCommerce orders

wc_get_order

Get a WooCommerce order by ID

wp_get_site_info

Get general site information

list_api_functions

Discover all available WordPress REST API endpoints (experimental)

get_function_details

Inspect parameters and metadata for a specific endpoint/method (experimental)

run_api_function

Execute any REST API function with CRUD operations (experimental)

When to use it

  • Draft, update and publish posts from an AI chat on an existing wordpress-mcp install
  • Query WooCommerce orders and products conversationally
  • Reach custom post types and plugin endpoints through the experimental generic REST tools
  • Study a reference implementation of JWT-authenticated dual-transport MCP in a CMS

Quick setup

  1. 1Download wordpress-mcp.zip from the GitHub releases page and install it under /wp-content/plugins/, then activate
  2. 2In Settings → WordPress MCP, enable the plugin features and generate a JWT token (choose a 1–24 h duration)
  3. 3Add the proxy config to your client: npx -y @automattic/mcp-wordpress-remote@latest with WP_API_URL and JWT_TOKEN env vars
  4. 4Alternative direct route: connect streamable HTTP to https://your-site.com/wp-json/wp/v2/wpmcp/streamable with an Authorization: Bearer header
  5. 5For new projects, evaluate WordPress/mcp-adapter first — it's the maintained successor

Security notes

Archived project: no further features or security fixes — Automattic directs new work to WordPress/mcp-adapter, so treat this as legacy. Auth is scoped sensibly: JWT tokens expire in 1–24 hours and inherit the WordPress user's capabilities, and create/update/delete tools are individually toggleable in settings (the README warns to keep delete off unless you trust every MCP user).

WordPress MCP FAQ

Should I still use wordpress-mcp in 2026?

Only if you already run it. The repo is archived and Automattic explicitly recommends WordPress/mcp-adapter, which builds on the Abilities API shipping in WordPress Core 6.9. Existing installs keep working, but no fixes are coming.

Is it safe to expose my WordPress site through MCP this way?

The design is reasonably careful: JWTs expire in 1–24 hours, every action inherits the token user's capabilities, and destructive tools can be disabled per-operation (delete is the one to leave off). The real risk is the archived status — no future security patches — so weigh that for production sites.

Do I need the proxy, or can my client connect directly?

Both work. Clients with streamable HTTP support (like VS Code) can hit /wp-json/wp/v2/wpmcp/streamable directly with a Bearer JWT; stdio-only clients use the npx @automattic/mcp-wordpress-remote proxy, which also adds WooCommerce support and application-password auth.

Alternatives to WordPress MCP

Compare all alternatives →

AI-powered task-management system for AI-driven development that drops into Cursor, Windsurf, Claude Code, and more.

Unverified
stdio (local)
API key
JavaScript
15 tools
Updated 2 months agoRepo

Gives AI assistants deep knowledge of 2,000+ n8n nodes, plus optional workflow management on your own n8n instance.

Unverified
stdio (local)
API key
TypeScript
22 tools
Updated 3 days agoRepo

Background computer-use MCP server that drives native macOS, Windows, and Linux desktop apps without stealing focus.

Unverified
stdio (local)
No auth
Rust
33 tools
Updated 5 days agoRepo