Webmastery Site Toolkit for MCP

View on GitHub | Latest Release | Report an Issue

Webmastery Site Toolkit for MCP is a WordPress plugin that lets AI agents safely work with your site through MCP. It adds permission-aware abilities for posts, pages, media, taxonomy, comments, SEO metadata, site audits, plugin checks, and other WordPress workflows while relying on WordPress roles and capabilities.

It works with the MCP Adapter project: the adapter provides the MCP transport layer, and this plugin registers the WordPress abilities an agent can call. This page is the deeper reference for setup, role selection, ability groups, SEO provider behavior, and security expectations. The GitHub README is intentionally shorter.

Who This Is For

  • WordPress site owners who want AI agents to manage content safely.
  • Developers building MCP workflows around WordPress.
  • Technical editors and administrators who need permission-aware automation for content, media, SEO, and site operations.

Quick Start

  1. Install and activate the MCP Adapter plugin.
  2. Install and activate Webmastery Site Toolkit for MCP.
  3. Create a dedicated WordPress service account for your MCP client.
  4. Use the Editor role for routine content workflows, or a separate Administrator account for sensitive audits and plugin management.
  5. Create an application password for the service account.
  6. Configure your MCP client to use @automattic/mcp-wordpress-remote and your site’s MCP Adapter endpoint.
  7. Ask your MCP client to call mcp-adapter-discover-abilities and confirm the webmastery-site-toolkit-for-mcp/* abilities appear.

What It Does

  • Draft, update, publish, restore, trash, bulk publish, and bulk trash posts.
  • Create and manage pages, including hierarchy-aware page updates.
  • Inspect Gutenberg block paths and hashes, then replace one precise block instead of rewriting a full article.
  • List revisions and restore a post or page to a specific revision.
  • Manage categories, tags, comments, media, public image URL uploads, and featured images.
  • Discover eligible public custom post types and use generated CRUD abilities for each one.
  • Read, update, and delete safe post meta, including supported Yoast SEO and SEOPress fields.
  • Run content hygiene checks for orphaned media, missing featured images, and stuck scheduled posts.
  • Inspect safe site, current-user, and environment context.
  • Audit plugins, administrator accounts, backups, performance settings, database bloat, site health, and security posture.
  • Analyze SEO metadata, Yoast and SEOPress provider data, sitemap signals, and public Google/Bing webmaster verification proof.

Requirements

Requirement Version or note
WordPress 6.9+
PHP 8.0+
MCP Adapter Latest available release
Yoast SEO Optional. Required for Yoast-specific metadata, score, generated head, and sitemap diagnostics.
SEOPress Optional. Required for SEOPress-specific metadata inspection, writes, and site overview diagnostics.

Self-hosted WordPress is required. The plugin works on WordPress installations where custom plugins can be added, including most managed hosts. It is not intended for WordPress.com Free, Personal, or Premium plans.

Service Account Roles

Use a dedicated WordPress user for your MCP client. This keeps agent activity attributable and makes access easy to revoke.

Role Best use Notes
Subscriber Read-only site context and taxonomy browsing Works for abilities that only require read.
Author Limited own-content creation and media work WordPress scopes access to content the account owns unless broader capabilities are present.
Editor Recommended default for content workflows Handles posts, pages, taxonomy, comments, media, revisions, and content hygiene.
Administrator Sensitive audits and plugin management Use a separate admin service account only when needed.

Available Abilities

Every ability enforces WordPress capability checks. The account must already be allowed to perform the equivalent WordPress action.

Area Abilities Typical role
Posts list-posts, get-post, create-post, update-post, delete-post, restore-post, bulk-trash-posts, bulk-publish-posts, patch-post-content Author or Editor
Pages list-pages, get-page, create-page, update-page, delete-page, restore-page Editor
Blocks and revisions list-content-blocks, patch-content-block, list-revisions, restore-revision Author or Editor, scoped by target content
Post meta get-post-meta, update-post-meta, delete-post-meta; post/page create and update also support selected Yoast SEO and SEOPress metadata fields Author or Editor, scoped by target content
Featured images set-featured-image, remove-featured-image Author or Editor, scoped by target content
Custom post types list-post-types plus generated list-cpt-{post-type}, get-cpt-{post-type}, create-cpt-{post-type}, update-cpt-{post-type}, and delete-cpt-{post-type} The CPT capability map
Taxonomy list-categories, get-category, create-category, update-category, delete-category, list-tags, get-tag, create-tag, update-tag, delete-tag Subscriber for reads; Editor for writes
Comments list-comments, reply-comment, update-comment, approve-comment, trash-comment, spam-comment Editor
Media list-media, get-media, update-media, upload-image, delete-media Author or Editor
Content hygiene list-orphaned-media, list-posts-no-featured-image, list-stuck-scheduled Author or Editor, scoped by content access
Site info get-site-info, get-user-info, get-environment-info Subscriber
SEO seo-analyze-post, seo-site-overview, get-seo-scores, get-readability-scores, get-yoast-metadata, get-seopress-metadata Author to Administrator, depending on scope
Webmaster verification webmaster-verification-status Subscriber
Plugins list-plugins, plugin-audit, activate-plugin, deactivate-plugin Administrator
Users list-users, get-user, user-access-audit Administrator
Site audits site-health-check, security-audit, database-health, performance-status, backup-status Administrator

SEO Provider Behavior

Yoast SEO and SEOPress are optional. Structural checks such as title length, word count, image alt text, internal links, and slug length still work without either plugin.

  • Yoast SEO: As of v2.4.0, supported Yoast coverage includes score lists, readability score lists, metadata inspection and writes for supported fields, canonical URLs, breadcrumb titles, Schema.org page and article types, Open Graph metadata, Twitter metadata, primary category, robots directives, inclusive-language score inspection, generated Yoast head inspection, and deeper sitemap index diagnostics.
  • SEOPress: As of v2.4.0, supported SEOPress coverage includes title and description fields, target keywords, canonical URLs, Open Graph metadata, Twitter/X metadata, primary category, robots directives, breadcrumb titles, read-only metadata inspection, writes for supported fields, and SEOPress-specific site overview diagnostics.
  • Side-by-side support: Yoast inputs write Yoast keys, and SEOPress inputs write SEOPress keys. The plugin does not translate or overwrite one provider’s metadata with the other provider’s data.

Connect Your MCP Client

Configure @automattic/mcp-wordpress-remote to point at your site’s MCP Adapter endpoint. Use the dedicated username and application password, not the user’s normal login password.

{
  "mcpServers": {
    "wordpress": {
      "command": "npx",
      "args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
      "env": {
        "WP_API_URL": "https://your-site.com/wp-json/mcp/mcp-adapter-default-server",
        "WP_API_USERNAME": "ai-editor",
        "WP_API_PASSWORD": "xxxx xxxx xxxx xxxx xxxx xxxx"
      }
    }
  }
}Code language: JSON / JSON with Comments (json)

Codex uses TOML:

[mcp_servers.wordpress]
command = "npx"
args = ["-y", "@automattic/mcp-wordpress-remote@latest"]Code language: JavaScript (javascript)

[mcp_servers.wordpress.env]

WP_API_URL = “https://your-site.com/wp-json/mcp/mcp-adapter-default-server” WP_API_USERNAME = “ai-editor” WP_API_PASSWORD = “xxxx xxxx xxxx xxxx xxxx xxxx”

Client-specific notes:

Client Config note
Claude Code Use .mcp.json for a project or ~/.claude.json globally. The root key is mcpServers.
Claude Desktop Use the Claude desktop config file. The root key is mcpServers.
GitHub Copilot in VS Code Uses servers, not mcpServers.
Copilot CLI, Windsurf, Gemini CLI Use the same JSON shape, adjusted for each client’s config file location.
ChatGPT Requires a hosted remote HTTP endpoint rather than a local stdio process.

Verify

Ask your MCP client to call mcp-adapter-discover-abilities. You should see the adapter discovery tools plus the webmastery-site-toolkit-for-mcp/* abilities installed on that WordPress site.

Good first checks:

  • webmastery-site-toolkit-for-mcp/list-posts: list recent posts.
  • webmastery-site-toolkit-for-mcp/get-site-info: get safe public site context.
  • webmastery-site-toolkit-for-mcp/webmaster-verification-status: check public Google/Bing proof.
  • webmastery-site-toolkit-for-mcp/plugin-audit: audit plugins with an Administrator service account.

Security

  • Use a dedicated service account and an application password.
  • Use Editor for routine content work; use a separate Administrator account only for sensitive audits and plugin management.
  • Every ability uses WordPress capability checks and object-level access checks where applicable.
  • Posts and pages move to trash; media deletion permanently deletes the attachment and files.
  • Block and partial-content edits can use hash preconditions and fail when targets are missing, ambiguous, or stale.
  • Site info abilities deliberately avoid secrets, salts, auth keys, filesystem paths, and raw server internals.
  • Plugin audits use local plugin metadata and WordPress core’s cached update transient. They do not directly call WordPress.org during the audit.
  • User access audits return account and application-password metadata, never application password secrets.
  • Database health uses read-only database queries and is Administrator-only.
  • Public webmaster verification checks do not confirm Google Search Console or Bing Webmaster Tools account ownership. Account verification remains unknown without separate OAuth/API credentials.

Feature requests and bug reports: GitHub Issues.