
View on GitHub | Latest Release | Report an Issue
Webmastery Site Toolkit for MCP is a WordPress plugin that lets AI agents safely work with your site through MCP. It adds permission-aware abilities for posts, pages, media, taxonomy, comments, SEO metadata, site audits, plugin checks, and other WordPress workflows while relying on WordPress roles and capabilities.
It works with the MCP Adapter project: the adapter provides the MCP transport layer, and this plugin registers the WordPress abilities an agent can call. This page is the deeper reference for setup, role selection, ability groups, SEO provider behavior, and security expectations. The GitHub README is intentionally shorter.
Who This Is For
- WordPress site owners who want AI agents to manage content safely.
- Developers building MCP workflows around WordPress.
- Technical editors and administrators who need permission-aware automation for content, media, SEO, and site operations.
Quick Start
- Install and activate the MCP Adapter plugin.
- Install and activate Webmastery Site Toolkit for MCP.
- Create a dedicated WordPress service account for your MCP client.
- Use the Editor role for routine content workflows, or a separate Administrator account for sensitive audits and plugin management.
- Create an application password for the service account.
- Configure your MCP client to use
@automattic/mcp-wordpress-remoteand your site’s MCP Adapter endpoint. - Ask your MCP client to call
mcp-adapter-discover-abilitiesand confirm thewebmastery-site-toolkit-for-mcp/*abilities appear.
What It Does
- Draft, update, publish, restore, trash, bulk publish, and bulk trash posts.
- Create and manage pages, including hierarchy-aware page updates.
- Inspect Gutenberg block paths and hashes, then replace one precise block instead of rewriting a full article.
- List revisions and restore a post or page to a specific revision.
- Manage categories, tags, comments, media, public image URL uploads, and featured images.
- Discover eligible public custom post types and use generated CRUD abilities for each one.
- Read, update, and delete safe post meta, including supported Yoast SEO and SEOPress fields.
- Run content hygiene checks for orphaned media, missing featured images, and stuck scheduled posts.
- Inspect safe site, current-user, and environment context.
- Audit plugins, administrator accounts, backups, performance settings, database bloat, site health, and security posture.
- Analyze SEO metadata, Yoast and SEOPress provider data, sitemap signals, and public Google/Bing webmaster verification proof.
Requirements
| Requirement | Version or note |
|---|---|
| WordPress | 6.9+ |
| PHP | 8.0+ |
| MCP Adapter | Latest available release |
| Yoast SEO | Optional. Required for Yoast-specific metadata, score, generated head, and sitemap diagnostics. |
| SEOPress | Optional. Required for SEOPress-specific metadata inspection, writes, and site overview diagnostics. |
Self-hosted WordPress is required. The plugin works on WordPress installations where custom plugins can be added, including most managed hosts. It is not intended for WordPress.com Free, Personal, or Premium plans.
Service Account Roles
Use a dedicated WordPress user for your MCP client. This keeps agent activity attributable and makes access easy to revoke.
| Role | Best use | Notes |
|---|---|---|
| Subscriber | Read-only site context and taxonomy browsing | Works for abilities that only require read. |
| Author | Limited own-content creation and media work | WordPress scopes access to content the account owns unless broader capabilities are present. |
| Editor | Recommended default for content workflows | Handles posts, pages, taxonomy, comments, media, revisions, and content hygiene. |
| Administrator | Sensitive audits and plugin management | Use a separate admin service account only when needed. |
Available Abilities
Every ability enforces WordPress capability checks. The account must already be allowed to perform the equivalent WordPress action.
| Area | Abilities | Typical role |
|---|---|---|
| Posts | list-posts, get-post, create-post, update-post, delete-post, restore-post, bulk-trash-posts, bulk-publish-posts, patch-post-content |
Author or Editor |
| Pages | list-pages, get-page, create-page, update-page, delete-page, restore-page |
Editor |
| Blocks and revisions | list-content-blocks, patch-content-block, list-revisions, restore-revision |
Author or Editor, scoped by target content |
| Post meta | get-post-meta, update-post-meta, delete-post-meta; post/page create and update also support selected Yoast SEO and SEOPress metadata fields |
Author or Editor, scoped by target content |
| Featured images | set-featured-image, remove-featured-image |
Author or Editor, scoped by target content |
| Custom post types | list-post-types plus generated list-cpt-{post-type}, get-cpt-{post-type}, create-cpt-{post-type}, update-cpt-{post-type}, and delete-cpt-{post-type} |
The CPT capability map |
| Taxonomy | list-categories, get-category, create-category, update-category, delete-category, list-tags, get-tag, create-tag, update-tag, delete-tag |
Subscriber for reads; Editor for writes |
| Comments | list-comments, reply-comment, update-comment, approve-comment, trash-comment, spam-comment |
Editor |
| Media | list-media, get-media, update-media, upload-image, delete-media |
Author or Editor |
| Content hygiene | list-orphaned-media, list-posts-no-featured-image, list-stuck-scheduled |
Author or Editor, scoped by content access |
| Site info | get-site-info, get-user-info, get-environment-info |
Subscriber |
| SEO | seo-analyze-post, seo-site-overview, get-seo-scores, get-readability-scores, get-yoast-metadata, get-seopress-metadata |
Author to Administrator, depending on scope |
| Webmaster verification | webmaster-verification-status |
Subscriber |
| Plugins | list-plugins, plugin-audit, activate-plugin, deactivate-plugin |
Administrator |
| Users | list-users, get-user, user-access-audit |
Administrator |
| Site audits | site-health-check, security-audit, database-health, performance-status, backup-status |
Administrator |
SEO Provider Behavior
Yoast SEO and SEOPress are optional. Structural checks such as title length, word count, image alt text, internal links, and slug length still work without either plugin.
- Yoast SEO: As of v2.4.0, supported Yoast coverage includes score lists, readability score lists, metadata inspection and writes for supported fields, canonical URLs, breadcrumb titles, Schema.org page and article types, Open Graph metadata, Twitter metadata, primary category, robots directives, inclusive-language score inspection, generated Yoast head inspection, and deeper sitemap index diagnostics.
- SEOPress: As of v2.4.0, supported SEOPress coverage includes title and description fields, target keywords, canonical URLs, Open Graph metadata, Twitter/X metadata, primary category, robots directives, breadcrumb titles, read-only metadata inspection, writes for supported fields, and SEOPress-specific site overview diagnostics.
- Side-by-side support: Yoast inputs write Yoast keys, and SEOPress inputs write SEOPress keys. The plugin does not translate or overwrite one provider’s metadata with the other provider’s data.
Connect Your MCP Client
Configure @automattic/mcp-wordpress-remote to point at your site’s MCP Adapter endpoint. Use the dedicated username and application password, not the user’s normal login password.
{
"mcpServers": {
"wordpress": {
"command": "npx",
"args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
"env": {
"WP_API_URL": "https://your-site.com/wp-json/mcp/mcp-adapter-default-server",
"WP_API_USERNAME": "ai-editor",
"WP_API_PASSWORD": "xxxx xxxx xxxx xxxx xxxx xxxx"
}
}
}
}Code language: JSON / JSON with Comments (json)
Codex uses TOML:
[mcp_servers.wordpress]
command = "npx"
args = ["-y", "@automattic/mcp-wordpress-remote@latest"]Code language: JavaScript (javascript)
[mcp_servers.wordpress.env]
WP_API_URL = “https://your-site.com/wp-json/mcp/mcp-adapter-default-server” WP_API_USERNAME = “ai-editor” WP_API_PASSWORD = “xxxx xxxx xxxx xxxx xxxx xxxx”
Client-specific notes:
| Client | Config note |
|---|---|
| Claude Code | Use .mcp.json for a project or ~/.claude.json globally. The root key is mcpServers. |
| Claude Desktop | Use the Claude desktop config file. The root key is mcpServers. |
| GitHub Copilot in VS Code | Uses servers, not mcpServers. |
| Copilot CLI, Windsurf, Gemini CLI | Use the same JSON shape, adjusted for each client’s config file location. |
| ChatGPT | Requires a hosted remote HTTP endpoint rather than a local stdio process. |
Verify
Ask your MCP client to call mcp-adapter-discover-abilities. You should see the adapter discovery tools plus the webmastery-site-toolkit-for-mcp/* abilities installed on that WordPress site.
Good first checks:
webmastery-site-toolkit-for-mcp/list-posts: list recent posts.webmastery-site-toolkit-for-mcp/get-site-info: get safe public site context.webmastery-site-toolkit-for-mcp/webmaster-verification-status: check public Google/Bing proof.webmastery-site-toolkit-for-mcp/plugin-audit: audit plugins with an Administrator service account.
Security
- Use a dedicated service account and an application password.
- Use Editor for routine content work; use a separate Administrator account only for sensitive audits and plugin management.
- Every ability uses WordPress capability checks and object-level access checks where applicable.
- Posts and pages move to trash; media deletion permanently deletes the attachment and files.
- Block and partial-content edits can use hash preconditions and fail when targets are missing, ambiguous, or stale.
- Site info abilities deliberately avoid secrets, salts, auth keys, filesystem paths, and raw server internals.
- Plugin audits use local plugin metadata and WordPress core’s cached update transient. They do not directly call WordPress.org during the audit.
- User access audits return account and application-password metadata, never application password secrets.
- Database health uses read-only database queries and is Administrator-only.
- Public webmaster verification checks do not confirm Google Search Console or Bing Webmaster Tools account ownership. Account verification remains
unknownwithout separate OAuth/API credentials.
Feature requests and bug reports: GitHub Issues.