miniOrange Secure MCP Server

miniOrange Secure MCP Server helps WordPress administrators with AI governance and policy enforcement: understanding, and controlling, what AI assistants and MCP clients are allowed to do on their site.

The WordPress Abilities API (available in WordPress 6.9 and later) lets plugins and WordPress core expose discrete, machine-callable capabilities — for example: get site info, create a post, or generate a summary. This plugin turns those abilities into a remote Model Context Protocol (MCP) server so AI clients can discover and invoke them, protected by a self-hosted OAuth 2.1 authorization server.

What this version does

• Abilities viewer. A read-only admin screen (in the Secure MCP Server menu) that lists every ability registered on your site, with its label, description, category, source namespace, and full input/output JSON schema.
• Connection guide. A „Connect to AI“ tab with step-by-step instructions and your site’s MCP URL for connecting clients such as ChatGPT and Claude.
• Built-in content abilities. Create Post and Update Post abilities (exposed as MCP tools) so connected clients can draft and edit posts, gated by the user’s capabilities.
• MCP server. A single Streamable HTTP endpoint that exposes every registered ability as an MCP tool. Tool calls run through the Abilities API, so each ability’s own permission check still applies.
• Self-hosted dynamic OAuth. WordPress acts as its own OAuth 2.1 authorization server with OAuth 2.0 Dynamic Client Registration (RFC 7591), Protected Resource Metadata (RFC 9728), Authorization Server Metadata (RFC 8414), and Authorization Code flow with PKCE. Clients such as ChatGPT and Claude can register themselves and connect with no manual credential setup.

Every MCP request runs as the WordPress user who authorized it, so what an AI client can do is bounded by that user’s own capabilities.