This is the second piece in our Model Context Protocol series. If you haven’t read the first one yet, start with “What is MCP? A complete guide to MCP servers”; it covers the protocol, the architecture, and the three primitives (tools, resources, prompts). Here we get specific: how to turn a WordPress site into an MCP server, what you can actually do with it, and what to lock down before you hand the keys to an AI agent.
WordPress still powers roughly 43% of the public web. Even if you don’t run WordPress yourself, you almost certainly have a stakeholder, client, or customer who does, and “let an AI assistant edit my WordPress site for me” is one of the most-requested workflows in the AI-tooling Discords. The good news: the integration is straightforward. The less-good news: WordPress is a permissive platform that gives a connected client a lot of power very quickly. We’ll cover both halves.
What you can actually do once it’s wired up
A WordPress MCP server gives an AI client (Claude Desktop, Cursor, Claude Code, VS Code agent mode, etc.) a typed handle into your CMS. Once it’s running, the model can:
- Read and search content. Pull post snapshots, drafts, comments, taxonomies, media, user data, options, and custom-post-type entries. Great for editorial workflows, audits, and content analysis.
- Create, edit, and delete posts / pages. Generate drafts, schedule publications, find-and-replace across content, restructure taxonomies, update SEO meta, set featured images.
- Manage media. Upload images, rename files, attach images to posts, generate alt text in bulk.
- Touch the admin surface. List plugins, activate or deactivate plugins, switch themes, edit theme files, run database queries. This is where the security surface widens; see the hardening section below.
- Run scripted maintenance. Backup jobs, regenerating thumbnails, cleaning up orphan attachments, bulk-tagging old content. Anything you’d otherwise do via WP-CLI or a plugin admin page.
The architecture, applied to WordPress
The easiest path: the AI Engine MCP adapter
There are several open-source MCP adapters for WordPress, but the most mature production option in 2026 is the MCP Adapter that ships as part of the AI Engine plugin family (Pro tier). It exposes a curated set of WordPress operations (read posts, create/update posts, manage media, run WP-CLI-style admin tasks) as MCP tools, behind an API-key auth layer, with per-tool allow-listing.
The alternative is Automattic’s open-source wordpress-mcp, which lives on GitHub and is a clean reference implementation with a smaller surface. We’ll cover the AI Engine path here because it’s what most production sites end up using; the Automattic plugin uses near-identical configuration if you prefer to go that route.
Step 1: Install the adapter
From your WordPress admin, go to Plugins → Add New, search for “AI Engine”, and install both AI Engine and AI Engine Pro. The MCP adapter is bundled with Pro. Activate both.
Once activated, head to Meow Apps → AI Engine → MCP in the admin sidebar. You’ll see the MCP module configuration panel. Toggle the MCP server on; the endpoint will appear at:
https://your-site.com/wp-json/mcp/v1/
That’s the MCP HTTP transport endpoint your client will connect to.
Step 2: Create a scoped API key
Under Meow Apps → AI Engine → Settings → API, generate a new MCP Access Token. Do this from a dedicated WP user, not your own admin account, and not the global “wp_admin” user. Create a new user with a memorable name like mcp-agent, give it the lowest WordPress role that still satisfies the workflows you want to enable, and generate the token from that user’s profile.
- Subscriber, read-only. Good for content-analysis agents.
- Author, can create / edit / publish their own posts. Good for drafting agents.
- Editor, full content management. Useful, but powerful.
- Administrator, only if you really need plugin / theme / option management. Treat this token like a root password.
This is the single most important hardening step in the entire tutorial. Don’t issue admin tokens for content-only workflows. WordPress’s role and capability system is genuinely good; use it.
Step 3: Pick which tools to expose
Back in the MCP panel, you’ll see a tool allow-list with categories like:
- wp_get_post, wp_get_posts, wp_get_post_snapshot: read operations.
- wp_create_post, wp_update_post, wp_alter_post, wp_delete_post: write operations.
- wp_upload_media, wp_set_featured_image, wp_delete_media: media operations.
- wp_get_users, wp_create_user, wp_update_user: user management.
- wp_db_query: direct SQL. The single most dangerous tool. Disable unless you have a hard requirement.
- wp_plugin_*, wp_theme_*: plugin / theme file editing. Disable for any production site you don’t fully control.
The right default for most sites is read + post CRUD + media, with everything else off. You can always re-enable a tool when a specific workflow needs it.
Step 4: Connect from Claude Desktop
Open ~/Library/Application Support/Claude/claude_desktop_config.json (macOS; use the equivalent path on Windows / Linux) and add:
{
  "mcpServers": {
    "wordpress": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-fetch-mcp",
        "https://your-site.com/wp-json/mcp/v1/"
      ],
      "env": {
        "MCP_ACCESS_TOKEN": "your_access_token_here"
      }
    }
  }
}
Restart Claude Desktop. Open a new chat and type “What’s the title of post 100 on the site?” The model should call wp_get_post, return the result, and answer. If it fails, the most common causes are (a) the token isn’t being passed in the Authorization header, (b) a security plugin (Wordfence, iThemes) is blocking the request, or (c) the REST API is locked down by another plugin. Check the WP error log first.
Step 5: Try a real workflow
Here are three patterns we’ve actually used in production at Ransomnews to give you a feel for what’s possible.
Editorial audit
“Find me the five least-read posts from the last six months that have broken outbound links, and draft an email to the authors with the list.” The model walks the post catalogue, runs link checks, groups by author, and produces a Markdown email. The whole loop is roughly 90 seconds and replaces an annual chore that used to take half a day.
SEO rewrite
“Open my last 20 posts, pull the H1, meta description, and first paragraph, and tell me which ones don’t have an H1 that matches the target keyword.” Pure read workflow; a Subscriber-role token is enough.
Bulk featured-image generation
Chain the WordPress MCP server with an image-generation MCP server. The model loops through posts without featured images, generates one per post via the image server, uploads it via wp_upload_media, and attaches it via wp_set_featured_image. This is exactly the workflow that produced the cover images for this article and the MCP servers primer.
Security: the stuff you have to get right
WordPress + MCP is powerful enough that the failure modes deserve their own checklist. We covered the general MCP security model in the primer piece; the WordPress-specific tightening is:
- Dedicated low-privilege WP user for the token. Never reuse your own admin user. If the token leaks, you want to rotate one principal, not your whole admin identity.
- Per-tool allow-list, default deny. wp_db_query, wp_create_user, wp_plugin_alter_file, wp_theme_* off unless you actually need them. The blast radius of an injected prompt that ends up calling wp_db_query("DROP TABLE wp_posts") is your entire site.
- IP allow-list at the WAF / Cloudflare layer. If your MCP traffic only ever comes from one or two known IPs, lock the REST endpoint to those. Wordfence and Cloudflare both support this with a single rule.
- HTTPS only, HSTS on, no API token in URL parameters. Tokens go in the Authorization header. Period. Tokens in query strings end up in access logs, browser history, and referrer headers.
- Treat every model output that asks for a destructive action as untrusted. Prompt injection is the dominant risk class. An MCP server should require explicit user confirmation before wp_delete_post, wp_delete_user, wp_update_option on anything in the wp_options security-sensitive set. Most MCP adapters now ship a “confirm_destructive” flag, keep it on.
- Audit logging. Every MCP tool call should be logged with the user, the tool, the arguments, and the result code. Wordfence Premium, Stream, and Simple History plugins all capture this. Without an audit log, “the AI broke my site” is unsolvable.
- Rotate tokens regularly. 90-day rotation minimum, sooner if any client running the token is decommissioned or compromised.
- Don’t expose MCP from a site that hosts customer PII without a security review. The endpoint is, by design, a remote-administration interface. Treat it like SSH.
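To show how the default-deny allow-list, the destructive-call confirmation, and the audit record fit together, here is an added example (not code from AI Engine or any adapter). The function names, result codes, and argument keys are hypothetical; the tool names come from the article.

```python
import fnmatch
import json

# Constructed policy matching the article's suggested default: read + post CRUD + media.
ALLOWED = {
    "wp_get_post", "wp_get_posts", "wp_get_post_snapshot",
    "wp_create_post", "wp_update_post", "wp_alter_post", "wp_delete_post",
    "wp_upload_media", "wp_set_featured_image", "wp_delete_media",
}
# Explicit deny patterns are checked first, so a careless allow-list edit cannot enable them.
DENIED = ["wp_db_query", "wp_create_user", "wp_plugin_*", "wp_theme_*"]
# Tools the checklist says need explicit user confirmation.
DESTRUCTIVE = {"wp_delete_post", "wp_delete_user", "wp_update_option"}
# Constructed result codes for the audit log (not the adapter's own).
RESULT_CODE = {"allow": 200, "confirm": 428, "deny": 403}


def authorize(tool, confirmed=False):
    """Return (decision, reason) for one tool call; anything unlisted is denied."""
    if any(fnmatch.fnmatchcase(tool, pattern) for pattern in DENIED):
        return "deny", "explicit deny list"
    if tool not in ALLOWED:
        return "deny", "not on allow-list"
    if tool in DESTRUCTIVE and not confirmed:
        return "confirm", "destructive call awaiting user confirmation"
    return "allow", "allow-listed"


def handle(user, tool, arguments, confirmed=False):
    """Decide one call and build its audit record: user, tool, arguments, result code."""
    decision, reason = authorize(tool, confirmed)
    return {
        "user": user,
        "tool": tool,
        "arguments": arguments,
        "decision": decision,
        "reason": reason,
        "result_code": RESULT_CODE[decision],
    }


if __name__ == "__main__":
    calls = [  # constructed calls with constructed argument keys
        ("wp_get_post", {"id": 100}, False),
        ("wp_delete_post", {"id": 100}, False),
        ("wp_db_query", {"sql": "DROP TABLE wp_posts"}, False),
    ]
    for tool, args, confirmed in calls:
        print(json.dumps(handle("mcp-agent", tool, args, confirmed), sort_keys=True))
```

The denied wp_db_query call still produces an audit record, so a refused injection attempt is visible afterwards.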
The other concern unique to WordPress: plugin sprawl. Most WP installs have 20–40 plugins, and each one can override the REST API, change capabilities, or hook into the request lifecycle. Test your MCP setup with the exact plugin set you run in production. Security plugins (Wordfence, iThemes Security, NinjaFirewall) in particular have aggressive default rules that will silently 403 MCP requests until you allow-list the route.
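The checklist items on query-string tokens and IP allow-listing, and the silent 403s described above, can all be checked from the web server's access log. This added example (not part of the original tutorial) assumes combined log format; the log lines, the allow-listed IP, and the token parameter names are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

MCP_PREFIX = "/wp-json/mcp/v1"      # endpoint path from the article
ALLOWED_IPS = {"192.0.2.10"}        # constructed allow-list
TOKEN_PARAMS = {"token", "access_token", "api_key", "key"}  # assumed names

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jan/2026:10:00:01 +0000] "POST /wp-json/mcp/v1/ HTTP/1.1" 200 512 "-" "claude-desktop"
192.0.2.10 - - [12/Jan/2026:10:00:05 +0000] "POST /wp-json/mcp/v1/?access_token=EXAMPLE-NOT-A-REAL-TOKEN HTTP/1.1" 200 498 "-" "script"
203.0.113.77 - - [12/Jan/2026:10:01:12 +0000] "POST /wp-json/mcp/v1/ HTTP/1.1" 200 130 "-" "curl/8.5.0"
192.0.2.10 - - [12/Jan/2026:10:02:40 +0000] "POST /wp-json/mcp/v1/ HTTP/1.1" 403 77 "-" "claude-desktop"
198.51.100.4 - - [12/Jan/2026:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def review(log_text):
    """Return (line_number, finding, detail) tuples for requests to the MCP route."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = LINE_RE.match(line)
        if not match:
            continue
        url = urlsplit(match["target"])
        if not (url.path + "/").startswith(MCP_PREFIX + "/"):
            continue  # not the MCP endpoint
        params = {name.lower() for name in parse_qs(url.query, keep_blank_values=True)}
        leaked = sorted(TOKEN_PARAMS & params)
        if leaked:  # token ended up in the URL, and therefore in this log
            findings.append((number, "token-in-query", ",".join(leaked)))
        if match["ip"] not in ALLOWED_IPS:  # the WAF rule is missing or bypassed
            findings.append((number, "ip-not-allow-listed", match["ip"]))
        if match["status"] == "403":  # often a security plugin blocking the route
            findings.append((number, "blocked-403", match["ip"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Any token that shows up in a token-in-query finding has been written to the log and should be rotated.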
When NOT to use MCP for WordPress
A few patterns where MCP is the wrong tool for the job:
- Public-user-facing AI features. A chatbot on your contact page should not have an MCP token. Use the REST API directly with proper rate-limiting and CSRF protection.
- Scheduled jobs. If a task is non-interactive and predictable, WP-Cron + WP-CLI is more reliable than putting an LLM in the loop.
- Sensitive data flows. If your WP install holds health, financial, or identity data, the MCP endpoint is now part of your compliance perimeter. Get sign-off before turning it on.
Further reading
- What is MCP? A complete guide to MCP servers, the companion primer.
- modelcontextprotocol.io, official spec and SDKs.
- AI Engine (Meow Apps), the plugin used in this tutorial.
- Automattic’s wordpress-mcp, the open-source reference implementation.
- WordPress REST API handbook, useful for understanding the underlying capability model.
- OWASP Top 10 for LLM Applications, prompt injection, tool poisoning, output handling.
- Ransomnews, Prompt injection field manual.
- Ransomnews, Shadow AI in the enterprise.
