Documentation
WasilaDev WP MCP · ← Back to product page
Getting Started
1. Install the plugin
- Download the zip from the download page.
- In WordPress admin, go to Plugins → Add New → Upload Plugin.
- Choose the zip file and click Install Now.
- Click Activate.
2. Generate an API key
- Go to Settings → WasilaDev WP MCP.
- Under “Connection details,” click Generate API key.
- Copy the key immediately — it’s shown only once.
3. Connect your AI client
The settings page provides a ready-to-paste JSON config. Copy it into your AI client’s configuration file (see client-specific guides below).
💡 Your MCP Server URL is always yoursite.com/wp-json/wp-mcp/v1/mcp. The settings page shows the exact URL for your site.
Connecting Claude Desktop
Edit your Claude Desktop config file:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%Claudeclaude_desktop_config.json
Add this entry to the mcpServers object:
{
"mcpServers": {
"my-wordpress": {
"url": "https://yoursite.com/wp-json/wp-mcp/v1/mcp",
"headers": {
"Authorization": "Bearer wpmcp_YOUR_API_KEY"
}
}
}
}
Restart Claude Desktop. Your WordPress tools will appear automatically.
⚠️ If you get 401 errors, your host may strip the Authorization header (common on nginx+php-fpm and Cloudflare). Use "X-WP-MCP-Key": "wpmcp_YOUR_API_KEY" instead.
Connecting Cursor
In Cursor, go to Settings → MCP Servers → Add Server, or edit ~/.cursor/mcp.json:
{
"mcpServers": {
"my-wordpress": {
"url": "https://yoursite.com/wp-json/wp-mcp/v1/mcp",
"headers": {
"Authorization": "Bearer wpmcp_YOUR_API_KEY"
}
}
}
}
Connecting Z.ai
Add the MCP server in Z.ai’s settings using the same URL and Bearer header format. The plugin implements MCP protocol version 2025-06-18, fully compatible with Z.ai’s MCP client.
Tool Reference
The free tier includes 31 tools. Pro unlocks 34 more (Elementor + WooCommerce).
Security
How API keys work
- Keys are generated using
random_bytes(16)— cryptographically secure. - Keys are stored as bcrypt hashes — the plaintext is never persisted.
- The plaintext key is shown once at generation time, then discarded.
- Only Administrator-level users can generate or use keys.
Rate limiting
Failed authentication attempts are tracked per IP address. After 20 failures within 10 minutes, the IP is locked out for 15 minutes. The rate limiter uses REMOTE_ADDR only (not X-Forwarded-For) to prevent header spoofing.
Data privacy
The plugin runs entirely on your WordPress server. AI clients connect directly to your site’s REST API. No data passes through any intermediary or third-party service.
Troubleshooting
401 Unauthorized with a valid key
This usually means your hosting provider strips the Authorization header. Common on nginx+php-fpm, Cloudflare, and some Apache configurations. Solution: use the X-WP-MCP-Key header instead — both headers are checked.
CORS errors in browser-based clients
The plugin sends Access-Control-Allow-Origin headers reflecting the request Origin. If you’re behind a proxy that strips CORS headers, ensure your proxy passes them through.
Connection works but tools are missing
- Elementor/WooCommerce tools missing? These require a Pro license. Check Settings → WasilaDev WP MCP → Pro License.
- Elementor tools still missing after Pro? Ensure the Elementor plugin is installed and active on your site.
- WooCommerce tools still missing after Pro? Ensure WooCommerce is installed and active.
Page shows old content after AI update
If you’re using a caching plugin (WP Rocket, LiteSpeed Cache, etc.), clear the cache after making changes via MCP. The plugin can’t purge external caches.