Royal MCP – Secure AI Connector for Claude, ChatGPT & Gemini

Royal MCP is a security-first Model Context Protocol (MCP) server for WordPress. It gives AI platforms like Claude, ChatGPT, and Google Gemini structured access to your WordPress content — with authentication, rate limiting, and audit logging that most MCP implementations skip entirely.

According to recent security research, 41% of public MCP servers have no authentication and respond to tool calls without any credentials. Royal MCP takes the opposite approach: every MCP session requires an API key, every request is rate-limited, and every interaction is logged.

Why Security Matters for MCP

MCP gives AI agents the ability to read, create, update, and delete your WordPress content. Without proper authentication, anyone who discovers your MCP endpoint can:

• Read all your posts, pages, and media
• Create or delete content
• Access user data and plugin information
• Overwhelm your server with rapid-fire requests

Royal MCP prevents all of this with API key authentication on session initialization, timing-safe key comparison, per-IP rate limiting (60 requests/minute), and a full activity log of every MCP interaction.

67 Core Tools + 55 Integration Tools

WordPress Core (67 tools):

• Posts — create, read, update, delete, search, count (any registered public post type, featured images supported)
• Pages — full CRUD with parent page support
• Post Types — discover all registered public post types on the site
• Post Revisions — list revision history and roll a post back to any prior version
• Media — browse, upload from URL or base64, update alt text/caption/title/description, set as featured image, delete
• Comments — create, read, delete; full moderation suite (list pending, approve, mark spam, trash)
• Users — display names and roles (emails and usernames are not exposed)
• Categories & Tags & Custom Taxonomies — create, update (rename/re-slug/edit/move), delete, assign, count, discover all registered taxonomies
• Term Meta — read, update, delete (most useful for Yoast / Rank Math / AIOSEO term-level SEO meta)
• Menus — list menus, list menu items, create / update / delete / reorder menu items
• Post Meta — read, update, delete custom fields (works with ACF, MetaBox, JetEngine, Pods, CPT UI)
• SEO Meta — read and write Yoast SEO or Rank Math title/description/focus keyword/robots/OG fields (auto-detects active SEO plugin)
• Site Info — site name, description, WordPress version, timezone
• Plugins & Themes — list installed plugins and themes with active status
• Theme Appearance — get active theme, read/write theme mods (gated by admin toggle + allowlist), read/write Custom CSS
• Search — full-text content search across post types
• Permalink Structure — read and update permalink settings (gated by admin toggle)
• Options — read allowlisted core options, read full plugin settings by slug (sensitive keys redacted), and write to allowlisted options when an admin enables it

Plugin Integrations (Conditional)

Royal MCP automatically detects compatible plugins and adds specialized MCP tools. No configuration needed — if the plugin is active, the tools appear.

WooCommerce Integration (26 tools): When WooCommerce is active, AI agents can manage your store end-to-end:

• Browse and search products by category, status, or type
• Create and update simple and variable products with prices, SKUs, stock levels
• Manage variable products — list, get, create, update, delete, and batch-update product variations
• Manage global attributes (pa_* taxonomies) — list registered attributes, list attribute terms, register new attributes, assign attributes to a product as variation axes
• Manage coupons — list, search by code, get, create, update, delete (trash or permanent), and bulk-purge trash; supports all standard WC coupon fields (discount type, expiry, usage limits, product/category restrictions, email allowlists)
• View orders, order details, and update order status
• List customers with order count and total spent
• Get store statistics — revenue, order count, average order value by period

GuardPress Integration (7 tools): When GuardPress is active, AI agents can monitor your site security:

• Get current security score and grade with factor breakdown
• View security statistics — failed logins, blocked IPs, alerts
• Run vulnerability scans and review results
• List blocked IP addresses and failed login attempts
• Browse the security audit log filtered by severity

SiteVault Integration (6 tools): When SiteVault is active, AI agents can manage your backups:

• List available backups filtered by status or type
• Trigger new backups (full, database, files, plugins, themes)
• Check backup progress in real time
• View backup statistics — total size, last backup, counts
• List and review backup schedules

ForgeCache Integration (3 tools): When ForgeCache is active, AI agents can manage your page cache:

• Clear the entire cache, or purge a specific URL
• View cache statistics — hit rate, file count, total size

Royal Ledger Integration (4 tools): When Royal Ledger is active, AI agents can review your software costs and license data:

• List recurring software costs and renewal dates
• Get cost summaries grouped by month, vendor, or category
• List stored license keys (key VALUES are never exposed — only masked previews; decryption requires logging into wp-admin)

Royal Links Integration (3 tools): When Royal Links is active, AI agents can manage your branded short links:

• List existing links with click counts and target URLs
• Create new branded short links
• Get click statistics for any link

Elementor Integration (6 tools): When Elementor (free or Pro) is active, AI agents can clone and customize existing Elementor pages without trying to generate page-builder JSON from scratch:

• Clone an existing Elementor page with a new title and fresh element IDs (so the duplicate opens in the editor without ID collisions)
• Bulk-replace text across heading, text-editor, button, image-box, icon-box, icon-list, testimonial, tabs, accordion, toggle, star-rating, call-to-action, and flip-box widgets
• Swap image URLs across image, image-box, background_image, and gallery widget settings
• Get a compact outline of any page (section/container hierarchy, widget types, text snippets) so Claude can reason over a full page in a few KB instead of the raw JSON
• List saved templates from the Elementor template library and import templates from JSON
• Atomic widgets (Elementor 4.0+ Editor V4 elements) pass through opaque — we never decode atomic schemas because Elementor itself may shift them. Widget-level creation from scratch is intentionally out of scope; the design commitment is to work from an existing-known-good source.

Royal MCP and the WordPress Core Abilities API

WordPress 6.9 shipped the Abilities API in November 2025 — a primitive that lets plugins register typed capabilities AI agents can call. Core ships three default abilities (site info, user info, environment info) and the wordpress/mcp-adapter package bridges abilities to the MCP protocol.

Royal MCP is a complete, production-ready MCP server that predates the official adapter. It runs the full Streamable HTTP transport, enforces API key authentication on every request, ships OAuth 2.0 for Claude Desktop’s native connector flow, rate-limits per-IP, redacts sensitive data, and logs every interaction. Out of the box it includes 67 tools for WordPress core operations plus 49 integration tools that auto-load when WooCommerce, GuardPress, SiteVault, ForgeCache, Royal Ledger, or Royal Links is active.

Supported AI Platforms

• Claude (Anthropic) — Full MCP support via Claude Desktop, Claude Code, and VS Code
• OpenAI / ChatGPT — GPT-4o, GPT-4 Turbo, GPT-3.5 Turbo
• Google Gemini — Gemini 1.5 Pro, 1.5 Flash
• Groq — Llama 3.3, Mixtral, Gemma 2
• Azure OpenAI — Azure-hosted OpenAI deployments
• AWS Bedrock — Claude, Llama, Titan models
• Ollama / LM Studio — Local self-hosted models (no external data transmission)
• Custom MCP Servers — Connect to any MCP-compatible endpoint

Compatible Clients & Frameworks

Royal MCP works with any MCP-compliant client, IDE, or AI agent framework — no per-tool configuration required:

• Desktop AI apps — Claude Desktop (native MCP connector via OAuth 2.0), ChatGPT Desktop, Gemini Advanced.
• AI code IDEs — Claude Code, VS Code (with MCP extension), Cursor, Windsurf, Continue, Cline, Zed, JetBrains AI Assistant.
• API testing tools — Postman, Bruno, Insomnia (use the API key in the X-Royal-MCP-API-Key header).
• Custom field plugins — Advanced Custom Fields (ACF), MetaBox, JetEngine, Pods, CPT UI, Custom Field Suite. The wp_get_post_meta / wp_update_post_meta tools read and write any custom field, so AI agents can populate ACF fields just like a human editor.
• Page builders — Elementor has dedicated tools for clone-and-customize workflows (clone a page, find/replace text, swap images, get an outline, import templates) — see the Tools list. Widget-level creation from scratch is intentionally out of scope. Divi, Beaver Builder, Bricks, Gutenberg, Spectra, and Stackable store standard post content that is readable and writable by AI; page-builder-specific JSON storage is opaque unless covered by a dedicated tool.
• Multilingual — WPML, Polylang, TranslatePress, qTranslate. Translated posts appear as separate posts and can be read or written via the standard post tools.
• AI agent frameworks — LangChain, AutoGen, CrewAI, LlamaIndex, Haystack — any MCP-compatible framework can call Royal MCP’s tools.
• AI app platforms — Anthropic Console, OpenAI Playground, Google AI Studio, Vertex AI, Azure AI Studio, Amazon Bedrock Console.

MCP Spec Compliance

Royal MCP implements the MCP 2025-11-25 Streamable HTTP transport specification:

• Single /mcp endpoint for all JSON-RPC communication
• POST for client messages, GET for server-sent events, DELETE for session termination
• Cryptographically secure session IDs with transient-based storage
• Origin header validation to prevent DNS rebinding attacks
• Proper CORS handling for browser-based MCP clients

External Services

This plugin connects to third-party AI services to enable AI platforms to interact with your WordPress content. No data is transmitted until you explicitly configure and enable a platform connection.

What data is sent: Your WordPress content (posts, pages, media metadata) as requested by the connected AI platform through authenticated MCP tool calls.

When data is sent: Only when you have configured a platform with API credentials AND enabled that platform connection AND the AI platform makes an authenticated request.

Supported services and their policies:

• Anthropic Claude — Used for Claude AI integration Terms of Service | Privacy Policy

• OpenAI — Used for ChatGPT/GPT-4 integration Terms of Use | Privacy Policy

• Google Gemini — Used for Gemini AI integration Terms of Service | Privacy Policy

• Groq — Used for Groq LPU inference Terms of Service | Privacy Policy

• Microsoft Azure OpenAI — Used for Azure-hosted OpenAI models Terms of Service | Privacy Policy

• AWS Bedrock — Used for AWS-hosted AI models Terms of Service | Privacy Policy

• Ollama / LM Studio — Local self-hosted models (no external data transmission)

• Custom MCP Servers — User-configured servers (data sent to user-specified endpoints only)