Royal MCP

Royal MCP is a security-first Model Context Protocol (MCP) server for WordPress. It gives AI platforms like Claude, ChatGPT, and Google Gemini structured access to your WordPress content — with authentication, rate limiting, and audit logging that most MCP implementations skip entirely.

According to recent security research, 41% of public MCP servers have no authentication and respond to tool calls without any credentials. Royal MCP takes the opposite approach: every MCP session requires an API key, every request is rate-limited, and every interaction is logged.

Why Security Matters for MCP

MCP gives AI agents the ability to read, create, update, and delete your WordPress content. Without proper authentication, anyone who discovers your MCP endpoint can:

• Read all your posts, pages, and media
• Create or delete content
• Access user data and plugin information
• Overwhelm your server with rapid-fire requests

Royal MCP prevents all of this with API key authentication on session initialization, timing-safe key comparison, per-IP rate limiting (60 requests/minute), and a full activity log of every MCP interaction.

37+ MCP Tools Built In

WordPress Core (37 tools):

• Posts — create, read, update, delete, search, count
• Pages — full CRUD with parent page support
• Media — library browsing, metadata, deletion
• Comments — create (respects moderation settings), read, delete
• Users — display names and roles (emails and usernames are not exposed)
• Categories & Tags — create, assign, delete, count
• Menus — list menus and menu items
• Post Meta — read, update, delete custom fields
• Site Info — site name, description, WordPress version, timezone
• Plugins & Themes — list installed plugins and themes with active status
• Search — full-text content search across post types
• Options — read allowlisted safe options only

Plugin Integrations (Conditional)

Royal MCP automatically detects compatible plugins and adds specialized MCP tools. No configuration needed — if the plugin is active, the tools appear.

WooCommerce Integration (9 tools): When WooCommerce is active, AI agents can manage your store:

• Browse and search products by category, status, or type
• Create and update products with prices, SKUs, stock levels
• View orders, order details, and update order status
• List customers with order count and total spent
• Get store statistics — revenue, order count, average order value by period

GuardPress Integration (7 tools): When GuardPress is active, AI agents can monitor your site security:

• Get current security score and grade with factor breakdown
• View security statistics — failed logins, blocked IPs, alerts
• Run vulnerability scans and review results
• List blocked IP addresses and failed login attempts
• Browse the security audit log filtered by severity

SiteVault Integration (6 tools): When SiteVault is active, AI agents can manage your backups:

• List available backups filtered by status or type
• Trigger new backups (full, database, files, plugins, themes)
• Check backup progress in real time
• View backup statistics — total size, last backup, counts
• List and review backup schedules

Works Alongside WordPress Core MCP

WordPress is building MCP support into core via the Abilities API. Royal MCP complements this by providing security controls that the core implementation does not include — API key authentication, rate limiting, activity logging, and sensitive data filtering. When the Abilities API ships, Royal MCP will continue to provide the security layer, plugin integrations, and WooCommerce tools that core does not cover.

Supported AI Platforms

• Claude (Anthropic) — Full MCP support via Claude Desktop, Claude Code, and VS Code
• OpenAI / ChatGPT — GPT-4o, GPT-4 Turbo, GPT-3.5 Turbo
• Google Gemini — Gemini 1.5 Pro, 1.5 Flash
• Groq — Llama 3.3, Mixtral, Gemma 2
• Azure OpenAI — Azure-hosted OpenAI deployments
• AWS Bedrock — Claude, Llama, Titan models
• Ollama / LM Studio — Local self-hosted models (no external data transmission)
• Custom MCP Servers — Connect to any MCP-compatible endpoint

MCP Spec Compliance

Royal MCP implements the MCP 2025-03-26 Streamable HTTP transport specification:

• Single /mcp endpoint for all JSON-RPC communication
• POST for client messages, GET for server-sent events, DELETE for session termination
• Cryptographically secure session IDs with transient-based storage
• Origin header validation to prevent DNS rebinding attacks
• Proper CORS handling for browser-based MCP clients

External Services

This plugin connects to third-party AI services to enable AI platforms to interact with your WordPress content. No data is transmitted until you explicitly configure and enable a platform connection.

What data is sent: Your WordPress content (posts, pages, media metadata) as requested by the connected AI platform through authenticated MCP tool calls.

When data is sent: Only when you have configured a platform with API credentials AND enabled that platform connection AND the AI platform makes an authenticated request.

Supported services and their policies:

• Anthropic Claude — Used for Claude AI integration Terms of Service | Privacy Policy

• OpenAI — Used for ChatGPT/GPT-4 integration Terms of Use | Privacy Policy

• Google Gemini — Used for Gemini AI integration Terms of Service | Privacy Policy

• Groq — Used for Groq LPU inference Terms of Service | Privacy Policy

• Microsoft Azure OpenAI — Used for Azure-hosted OpenAI models Terms of Service | Privacy Policy

• AWS Bedrock — Used for AWS-hosted AI models Terms of Service | Privacy Policy

• Ollama / LM Studio — Local self-hosted models (no external data transmission)

• Custom MCP Servers — User-configured servers (data sent to user-specified endpoints only)