WEBO MCP

WEBO MCP is a standalone MCP gateway for WordPress. It lets compatible clients call well-defined tools over REST using JSON-RPC, instead of scraping the admin or sharing broad credentials beyond what you intend.

What you get

• Primary router endpoint: POST /wp-json/mcp/v1/router
• Standard MCP-style flow: initialize → tools/list → tools/call
• Session lifecycle for clients (pass session_id or Mcp-Session-Id after initialize)
• Built-in tool registry for common WordPress operations (posts, media, terms, menus, options, and more)
• Bundled Abilities API + MCP Adapter integration, with automatic bridging from registered abilities to MCP tools (configurable)
• Public tool policy controls (category filters and optional allowlists) plus optional internal tool exposure for private environments

Security model (high level)

• MCP access requires a real WordPress user context: Application Password over HTTP Basic, or an existing logged-in session.
• Optional site-wide or per-user API key and HMAC can be enabled in Settings as an additional gate (they do not replace WordPress authentication).
• Default access expectations for the router and GET /wp-json/webo-mcp/v1/tools: users who are super admins, can manage_options, or can edit_posts, consistent with typical site operator and editor workflows (filterable).

Client guidance

Always discover tools before calling them: run tools/list, pick an exact tool name from the response, validate required arguments, then call tools/call. This reduces mistakes and keeps automation predictable in production.

Further documentation and optional integrations

• Project documentation and ecosystem notes: https://webomcp.com
• Optional n8n community node (separate package): https://www.npmjs.com/package/n8n-nodes-webo-mcp

Compatibility note: any MCP-capable client can be used; which large language model runs inside the client is outside this plugin.

Standalone core tools included: – Site info – Posts: list/get/create/update/delete, bulk update status, revisions (list/restore), search & replace – Users: list – Media: list/get/upload-from-url/update/delete – Comments: list/get/update/delete – Terms: list/create/update/delete (category, tag) – Nav menus: list menus, list menu items (menu_order, db_id), add menu link from post (explicit post_id + menu_order required) – Plugins: list active status, toggle (activate/deactivate) – Themes: list installed themes, switch active theme – Options: get/update (safe allowlist only) – SEO (WordPress post): seo/article-analysis — requires post_id; merges Rank Math meta when available (same data path as webo-rank-math/get-post-seo-meta); optional related-keyword suggestions via outbound request unless no_autocomplete is true

Excluded by default in standalone-safe mode: – Bulk/mass execution tools – Plugin/theme write-management abilities – Multisite-specific abilities

Privacy

This plugin does not phone home or send telemetry. MCP traffic is initiated by clients you configure. Some tools may perform outbound HTTP requests only when a client invokes them (for example seo/article-analysis may request keyword suggestions from a third-party suggest API unless you pass no_autocomplete).

The plugin stores the following options in the WordPress database when configured: – webo_mcp_api_key: API key used to authenticate MCP requests. – webo_mcp_hmac_secret: HMAC secret used to sign and validate MCP requests.

These options are removed when the plugin is uninstalled via the WordPress Plugins screen.

External services

This plugin can connect to Google Suggest (Autocomplete) when a client calls the seo/article-analysis tool and does not set no_autocomplete to true. This external request is used to return related keyword suggestions for SEO analysis.

Service provider: Google LLC (Google Suggest / Autocomplete API endpoint).

Data sent and when: – Sent only when seo/article-analysis is called with autocomplete enabled. – Sends the analysis query text to https://suggestqueries.google.com/complete/search as the q parameter. – Sends standard HTTP request metadata such as IP address and User-Agent as part of the web request.

Terms of Service: https://policies.google.com/terms Privacy Policy: https://policies.google.com/privacy

Developer Hooks

The plugin exposes the following actions and filters for developers:

Actions

• webo_mcp_register_tools Fired during plugin bootstrap after standalone tools are registered. Use this to register custom MCP tools from other plugins.

Filters

• webo_mcp_current_user_can_use_mcp (bool $allowed, int $user_id) Gate for all MCP REST access. Default: super admin OR manage_options OR edit_posts. Override to tighten (e.g. super-admin only) in hardened installs.

• webo_mcp_allow_internal_tools (bool $allow_internal, WP_REST_Request $request) Controls whether internal tools are included in tools/list responses. Defaults to false for public environments.

• webo_mcp_public_categories (array $categories, WP_REST_Request $request, array $tool) Filters which tool categories are exposed as public. Defaults to array( 'wordpress' ).

• webo_mcp_public_tool_allowlist (array $names, WP_REST_Request $request, array $tool) Optional allowlist of specific tool names that are always considered public.

• webo_mcp_bridge_deny_patterns (array $patterns) Controls which abilities are excluded when auto-bridging abilities into MCP tools (e.g. bulk, plugins/, themes/, multisite/).

• webo_mcp_auto_bridge_abilities (bool $enabled) Enables or disables automatic bridging of registered abilities into MCP tools. Defaults to true.

• webo_mcp_enable_adapter (bool $enabled) Enables or disables the bundled WordPress MCP Adapter runtime. Defaults to true.

• webo_mcp_validate_media_fetch_url (true|\WP_Error $ok, string $url, array $parsed) Reject unsafe URLs for webo/upload-media-from-url (return WP_Error to block).

Credits

Special thanks to the authors and open source projects that contributed to this plugin: – WordPress (https://wordpress.org) – Abilities API (https://github.com/WordPress/abilities-api) Reference: https://make.wordpress.org/ai/2025/07/17/abilities-api/ – MCP Adapter (https://github.com/WordPress/mcp-adapter) Reference: https://make.wordpress.org/ai/2025/07/17/mcp-adapter/ – Composer (https://getcomposer.org) – Other PHP and JS libraries from the community

If you use this plugin, please give credit to the authors of these libraries.

License

This plugin is licensed under the GPLv2 or later. See https://www.gnu.org/licenses/gpl-2.0.html for details.