Least privilege by design
The agent connects as a real, scoped WordPress user through OAuth or an Application Password, never an admin-equivalent key.
Free on WordPress.org, built on the Abilities API
It turns WordPress into a governed MCP server: the agent connects as a real, scoped user, not an admin key. Nothing is exposed until you switch it on, and every call is checked and written to a log in your own database.
Install it with everything off. Turn on your first ability when you are ready, not before.
83 core plus 70 integrations, and the catalog keeps growing. Every count on this site is read from one file, so it never drifts from the plugin.
Other MCP plugins count their tools. This one governs them. These six guarantees hold on every connection and every call, not just the first one.
The agent connects as a real, scoped WordPress user through OAuth or an Application Password, never an admin-equivalent key.
Nothing is exposed until you enable it, and updates never silently widen access.
A connection only sees the tools its user can call, and every call re-checks that capability before it runs.
Every call is recorded, denied attempts included, with the principal and the argument keys, never the values. It lives in your own database.
No arbitrary option or meta access, no remote URL fetch, no code execution. Deletes go to Trash where supported; the last administrator can never be removed.
The plugin contacts no AI provider and no external service. Your AI client connects in; the plugin never reaches out. Zero telemetry.
The tool call carries values. The audit log keeps only the argument keys, never the values, and it records the denials too.
An illustrative exchange. The second request asks to delete the last administrator. The site refuses, and the refusal is logged like everything else.
No external dashboard, no account with us. The plugin lives in wp-admin: your endpoint, the abilities you enabled, the agent users, and the audit log, all in your own database.
The abilities are only half the plugin. This is the layer that decides whether a call is allowed to run, grouped by what it protects.
| Access | |
|---|---|
| Scoped user identity Read only | The agent authenticates as a real WordPress user you pick through OAuth or an Application Password, never an admin-equivalent key. |
| Filtered discovery Read only | A connection only lists the tools its user is allowed to run. An agent cannot see a tool it has no right to call. |
| Per-call capability check Guarded write | Before an ability runs, the plugin re-checks that user’s capability. Discovery and execution are gated separately. |
| Writes | |
| Guarded writes Guarded write | Writes stay conservative and every one is capability-checked. There is no arbitrary option or meta write. |
| Deletes go to Trash Guarded write | Where WordPress supports it, deletions move items to Trash rather than removing them for good. |
| Last administrator protected Denied | The last remaining administrator account can never be removed, whatever the agent asks. |
| No code or remote fetch Denied | The plugin runs no arbitrary code and fetches no remote URLs on the agent’s behalf. |
| Data | |
| No data leaves your site Read only | The plugin contacts no AI provider and makes no outbound calls of its own. Zero telemetry. |
| Personal-data integrations gated Guarded write | WooCommerce and ACF can reach real personal data, so they sit behind a clear admin notice before you enable them. |
| Rate limit and IP allowlist Off until enabled | Add a per-minute rate limit or an IP allowlist. Both stay off until you set them. |
| Force-to-draft and title cap Off until enabled | Force new content to draft, or cap title length. Optional guards, off until you turn them on. |
| Audit | |
| Every call logged Read only | Each call is recorded in a table in your own database, with the principal and the argument keys. |
| Denials logged too Denied | Refused attempts are written to the same log, so you can see what an agent tried to do and was stopped from doing. |
| Values never stored Read only | The log keeps argument keys, never the values, so it stays useful without hoarding sensitive content. |
Discovery and execution are gated separately, so an agent never gets more reach than the user you bound it to. Here is the path one call takes.
The agent authenticates through OAuth or an Application Password as a real, least-privilege WordPress account you pick. Never an admin key.
The tool list is filtered to the connected user’s capabilities. An agent cannot list a tool it has no right to run.
Before an ability runs, the plugin checks that user’s capability again. Discovery and execution are gated separately.
Every call lands in an audit log in your own database, with the principal and the argument keys, never the values.
No arbitrary option access, no remote fetch, no code execution. Deletes go to Trash where supported.
Curated WordPress actions, exposed to the agent as MCP tools. Each one is off until you switch it on, so the catalog is a menu, not a default.
Reads, plus guarded writes. Deletes go to Trash where WordPress supports it.
Create, read, update, and revise posts and pages. New writes can be forced to draft.
Read and manage categories, tags, and custom taxonomy terms.
Read, moderate, and reply to comments under the connected user’s capability.
Browse the media library and manage attachments the user can access.
Read and write post meta, limited to an allowlist of keys. No arbitrary meta access.
Read and manage users only as far as the connected user’s capabilities allow.
Read and adjust navigation menus and the site’s structure.
Read the revision history of posts and pages. Read only.
Read and manage reusable blocks and block templates.
Read a bounded set of settings and site-health signals. No open settings access.
Run a single search across every post type. Read only.
Each set appears only while its host plugin is active, and stays off until you enable it.
products, orders, customers (touches real personal data, gated behind a clear notice)
read and write ACF field data
read and manage Rank Math data
read and manage Yoast data
read and manage AIOSEO data
WooCommerce and ACF can reach real personal data, so they sit behind a clear admin notice before you turn them on.
6 clients connect right now, some directly and some through an open-source bridge that runs on your own machine.
Connect and start calling the abilities you enabled.
These want a streamable HTTP connector the adapter does not serve natively yet.
The bridge: Clients that cannot open a remote MCP connection use the open-source mcp-remote bridge, which runs on your own machine.
The agent acts as a real WordPress user you pick, never an admin-equivalent key. Choose the one that fits how you work.
Approve the agent once in the browser. No secret to store; the agent acts as your own account.
Point a dedicated low-privilege user at the endpoint. A guided screen builds the client config and checks the endpoint for you.
Requires WordPress 6.9+ and PHP 8.0+. Free on WordPress.org, no paid tier, no API key to buy, no usage limits.
The short version. The full FAQ lives in the docs.
Yes, when the connection is scoped, which is what this plugin is built around. The agent connects as a real, least-privilege user you choose, every ability is off until you enable it, and every call is logged, denials included.
No. The agent authenticates as whatever WordPress user you bind it to. Point it at the dedicated low-privilege user the plugin creates, and it can only do what that user can do. Each ability re-checks the capability before it runs.
No. The plugin connects to no AI provider and makes no outbound requests of its own. Your own AI client connects in and calls the abilities you enabled.
The REST API exposes raw endpoints. MCP describes your site’s abilities as discoverable tools an agent can reason about and call, and this plugin wraps each one in a governance layer: off by default, capability-gated on every call, and logged.
It can only do what the user you bound it to can do, and the capability is re-checked before every call. Deletes go to Trash where WordPress supports it, so they can be restored, and the last administrator can never be removed no matter what the agent asks. Anything it is not allowed to do is refused, and the refusal is written to the audit log too.
The difference is governance, not tool count. Every ability is off by default, the agent connects as a real least-privilege user rather than an admin key, each call re-checks the capability before it runs, and every call is written to an audit log in your own database, denials included. It is genuinely free on WordPress.org, with no paid tier waiting behind it.
Install it, keep everything off, and switch on one ability at a time as you build trust. You hold the leash the whole way.
Free on WordPress.org, with no paid tier waiting behind it.