Documentation

WasilaDev WP MCP · ← Back to product page

Getting Started

1. Install the plugin

  1. Download the zip from the download page.
  2. In WordPress admin, go to Plugins → Add New → Upload Plugin.
  3. Choose the zip file and click Install Now.
  4. Click Activate.

2. Generate an API key

  1. Go to Settings → WasilaDev WP MCP.
  2. Under “Connection details,” click Generate API key.
  3. Copy the key immediately — it’s shown only once.

3. Connect your AI client

The settings page provides a ready-to-paste JSON config. Copy it into your AI client’s configuration file (see client-specific guides below).

💡 Your MCP Server URL is always yoursite.com/wp-json/wp-mcp/v1/mcp. The settings page shows the exact URL for your site.

Connecting Claude Desktop

Edit your Claude Desktop config file:

  • macOS:~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows:%APPDATA%Claudeclaude_desktop_config.json

Add this entry to the mcpServers object:

claude_desktop_config.json
{
  "mcpServers": {
    "my-wordpress": {
      "url": "https://yoursite.com/wp-json/wp-mcp/v1/mcp",
      "headers": {
        "Authorization": "Bearer wpmcp_YOUR_API_KEY"
      }
    }
  }
}

Restart Claude Desktop. Your WordPress tools will appear automatically.

⚠️ If you get 401 errors, your host may strip the Authorization header (common on nginx+php-fpm and Cloudflare). Use "X-WP-MCP-Key": "wpmcp_YOUR_API_KEY" instead.

Connecting Cursor

In Cursor, go to Settings → MCP Servers → Add Server, or edit ~/.cursor/mcp.json:

mcp.json
{
  "mcpServers": {
    "my-wordpress": {
      "url": "https://yoursite.com/wp-json/wp-mcp/v1/mcp",
      "headers": {
        "Authorization": "Bearer wpmcp_YOUR_API_KEY"
      }
    }
  }
}

Connecting Z.ai

Add the MCP server in Z.ai’s settings using the same URL and Bearer header format. The plugin implements MCP protocol version 2025-06-18, fully compatible with Z.ai’s MCP client.

Tool Reference

The free tier includes 31 tools. Pro unlocks 34 more (Elementor + WooCommerce).

Free — Core WordPress (22 tools)
wp_list_posts
wp_get_post
wp_create_post
wp_update_post
wp_delete_post
wp_list_pages
wp_get_page
wp_create_page
wp_update_page
wp_delete_page
wp_list_media
wp_get_media
wp_upload_media
wp_list_comments
wp_approve_comment
wp_delete_comment
wp_list_categories
wp_create_category
wp_list_users
wp_search_content
wp_get_site_info
wp_list_active_plugins
Free — Navigation Menus (9 tools)
wp_list_menus
wp_get_menu
wp_list_menu_locations
wp_create_menu
wp_delete_menu
wp_add_menu_item
wp_update_menu_item
wp_delete_menu_item
wp_assign_menu_location
Pro — Elementor (9 tools)
wp_elementor_list_pages
wp_elementor_get_structure
wp_elementor_get_element
wp_elementor_find_elements
wp_elementor_list_templates
wp_elementor_update_element
wp_elementor_add_widget
wp_elementor_add_container
wp_elementor_remove_element
Pro — WooCommerce (25 tools)
wp_wc_list_orders
wp_wc_get_order
wp_wc_update_order_status
wp_wc_refund_order
wp_wc_list_refunds
wp_wc_get_refund
wp_wc_delete_order
wp_wc_list_products
wp_wc_get_product
wp_wc_create_product
wp_wc_update_product
wp_wc_delete_product
wp_wc_list_variations
wp_wc_update_variation
wp_wc_list_customers
wp_wc_get_customer
wp_wc_delete_customer
wp_wc_list_coupons
wp_wc_get_coupon
wp_wc_create_coupon
wp_wc_update_coupon
wp_wc_delete_coupon
wp_wc_sales_summary
wp_wc_top_products
wp_wc_top_customers

Security

How API keys work

  • Keys are generated using random_bytes(16) — cryptographically secure.
  • Keys are stored as bcrypt hashes — the plaintext is never persisted.
  • The plaintext key is shown once at generation time, then discarded.
  • Only Administrator-level users can generate or use keys.

Rate limiting

Failed authentication attempts are tracked per IP address. After 20 failures within 10 minutes, the IP is locked out for 15 minutes. The rate limiter uses REMOTE_ADDR only (not X-Forwarded-For) to prevent header spoofing.

Data privacy

The plugin runs entirely on your WordPress server. AI clients connect directly to your site’s REST API. No data passes through any intermediary or third-party service.

Troubleshooting

401 Unauthorized with a valid key

This usually means your hosting provider strips the Authorization header. Common on nginx+php-fpm, Cloudflare, and some Apache configurations. Solution: use the X-WP-MCP-Key header instead — both headers are checked.

CORS errors in browser-based clients

The plugin sends Access-Control-Allow-Origin headers reflecting the request Origin. If you’re behind a proxy that strips CORS headers, ensure your proxy passes them through.

Connection works but tools are missing

  • Elementor/WooCommerce tools missing? These require a Pro license. Check Settings → WasilaDev WP MCP → Pro License.
  • Elementor tools still missing after Pro? Ensure the Elementor plugin is installed and active on your site.
  • WooCommerce tools still missing after Pro? Ensure WooCommerce is installed and active.

Page shows old content after AI update

If you’re using a caching plugin (WP Rocket, LiteSpeed Cache, etc.), clear the cache after making changes via MCP. The plugin can’t purge external caches.