WPMCP Documentation
Connect Claude, Cursor, or any AI client to your WordPress site over the Model Context Protocol.
Overview
WPMCP turns your WordPress site into an MCP server. Install the plugin, generate one API key, and any MCP client can read and control your site over JSON-RPC — all on your own server. 31 tools are free; WPMCP Pro adds 34 more (65 total).
Getting started
Register & download
Get the free plugin from the download page. Enter your name, email, and the site's domain — a registration token is shown on screen. Copy it: it is shown once.
Install & activate
Upload the zip via Plugins → Add New → Upload Plugin, then activate. A new install asks for your registration token — paste it in. (Sites upgrading from an earlier version keep working, no token needed.)
Generate a key
Open WPMCP → Connect and click Generate API Key. It is shown once and stored only as a hash.
Connect
Paste the server URL + key into your AI client's MCP config (below).
Verify
Ask your client to “List my posts.” Every call is recorded under WPMCP → Activity.
Your registration token is domain-locked: it works only on the
exact site you registered (example.com, www.example.com, and
https://example.com all count as the same site). To run WP-MCP on a
different domain, register that domain for a fresh token. Tokens are delivered
on screen at download — no email required. If the license server is ever
unreachable, the plugin never blocks a site that is already registered.
Connecting your AI client
Add the server with a Bearer header (example for claude_desktop_config.json):
{
"mcpServers": {
"yoursite": {
"url": "https://yoursite.com/wp-json/wp-mcp/v1/mcp",
"headers": {
"Authorization": "Bearer wpmcp_your_key_here",
"X-WP-MCP-Key": "wpmcp_your_key_here"
}
}
}
}
Both headers are sent for compatibility: if your host strips
Authorization (common on nginx+php-fpm or behind Cloudflare), the plugin also accepts
X-WP-MCP-Key.
Tool reference
Free — 31 tools
| Posts | list, get, create, update, delete |
| Pages | list, get, create, update, delete |
| Media | list, get, upload from URL |
| Comments | list, approve, delete |
| Categories & terms | list, create |
| Navigation menus | full CRUD (9 tools) |
| Users, search, site | list users, full-content search, site info, active plugins |
WPMCP Pro — +34 tools
| Elementor (9) | List Elementor pages, get structure, find elements, add widgets & containers, update settings, remove elements, list templates. |
| WooCommerce (25) | Orders (list, get, update status, refund), Products (full CRUD + variations), Customers, Coupons, Reports (sales summary, top products, top customers). |
Security & monitoring
The API key is stored only as a bcrypt hash and shown once at generation. Every call runs as the key owner (an administrator), so protect the key like a password. All tool calls are logged under WPMCP → Activity (the free tier keeps the most recent calls; Pro retains full history). Requests are rate-limited and CORS is locked down by default.