Recommended compatibility update for sites relying on bundled MCP schema classes or layered ability execution through MCP clients.<\/p>","2.1.23":"
Opt-in fix for multisite Elementor\/custom HTML workflows that need trusted administrators to preserve raw HTML tags. Disabled by default.<\/p>","2.1.17":"
Adds post password updates to Recommended for multisite networks using child-site plugin activation through MCP; fixes WordPress capability checks after Adds core plugin mutation plus child-site plugin activation\/deactivation via Adds MCP audit logging, optional tool allowlists, and an administrator health\/status tool. Existing MCP access remains unchanged unless allowlist enforcement is enabled in Settings.<\/p>","2.1.11":" Recommended security hardening release: MCP tools now enforce object-level post\/media\/term capabilities and only list tools the current user can call.<\/p>","2.1.10":" Registers the missing Internal refactor (standalone tool bootstrap file only). No MCP tool renaming; safe routine update.<\/p>","2.1.8":" Critical for Recommended if MCP\/remote clients still hit Use this if MCP clients still fail JSON parse on If MCP clients still parse-fail on BOM: this release starts the BOM-stripping buffer before Further hardening for leading-BOM MCP JSON failures: earlier buffer bootstrap on MCP-like REST URLs.<\/p>","2.1.3":" Recommended if MCP clients show JSON parse errors (leading BOM) on Restores packaged agent Documentation-only refresh: use docs\/MCP_TOOL_MIGRATION.md when mapping old MCP tool names to dispatchers + Recommended update for MCP clients that batch process posts or rely on seo\/article-analysis; list-posts pagination and H1\/schema detection are more accurate.<\/p>","2.0.35":" Adds theme discovery and theme switching tools for MCP clients. This release also carries the shortened WordPress.org short description into the new tagged version.<\/p>","2.0.34":" Recommended update if you manage homepage reading settings via MCP; adds safe support for Documentation-only refresh on WordPress.org listings; recommended if you rely on the plugin directory description for onboarding.<\/p>","2.0.32":" Recommended update for WP 6.9+ sites using Abilities API and MCP adapter integration.<\/p>","2.0.31":" Maintenance update.<\/p>","2.0.30":" Maintenance update.<\/p>","2.0.29":" Maintenance update for runtime stability and cleaner CLI output. If you use WEBO MCP Pro, review\/update the Pro package compatibility notice before deploying this version to production.<\/p>","2.0.28":" WordPress.org compliance update: readme now documents Google Suggest external service usage with Terms\/Privacy links, and nav-menu API loading no longer relies on WPINC.<\/p>","2.0.27":" MCP clients must send WordPress Application Password (HTTP Basic) or use a logged-in session. API key\/HMAC alone are no longer sufficient when calling the router.<\/p>","2.0.26":" Adds seo\/article-analysis for post-level SEO diagnostics (optional outbound suggest API; set no_autocomplete to skip).<\/p>","2.0.7":" Readme and GitHub README now link webomcp.com and the n8n-nodes-webo-mcp npm package.<\/p>","2.0.6":" License declaration aligned between readme and main plugin file for WordPress.org review.<\/p>","2.0.5":" Plugin header updates for Plugin Check and WordPress.org tooling (@wordpress-plugin, GPLv2 license slug).<\/p>","2.0.4":" Plugin header formatting for WordPress.org Plugin Check (Description, Version, License).<\/p>","2.0.3":" Plugin Check and packaging fixes; upload the release zip from scripts\/build-release.ps1 for WordPress.org.<\/p>","2.0.2":" Packaging and readme updates for WordPress.org review. Always upload the zip from scripts\/build-release.ps1, not the raw git folder.<\/p>","2.0.0":" Major rename: reinstall from folder webo-mcp (or deploy to new path), then activate WEBO MCP. Settings are preserved via migration.<\/p>","1.1.1":" Recommended update to fix tools\/call validation for core tools with no input.<\/p>","1.0.2":" Recommended update to support active plugin verification via MCP tool.<\/p>","1.0.1":" Recommended update to refresh plugin metadata and improve tools\/list compatibility.<\/p>","1.0.0":" Initial public release of WEBO MCP (formerly WEBO WordPress MCP).<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3514777,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3514777,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["2.0.28","2.0.29","2.0.34","2.0.35","2.0.40","2.0.45","2.1.0","2.1.10","2.1.11","2.1.12","2.1.13","2.1.14","2.1.17","2.1.19","2.1.3","2.1.4","2.1.9","2.2.0","2.2.1"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"MCP endpoint working in a REST client (initialize)","2":"tools\/list response with public tools","3":"tools\/call response for a WordPress tool"}},"plugin_section":[],"plugin_tags":[2353,1556,569,69473,242115],"plugin_category":[],"plugin_contributors":[261006],"plugin_business_model":[],"class_list":["post-293340","plugin","type-plugin","status-publish","hentry","plugin_tags-ai","plugin_tags-api","plugin_tags-automation","plugin_tags-json-rpc","plugin_tags-mcp","plugin_contributors-phuongwebo","plugin_committers-phuongwebo"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/webo-mcp\/assets\/icon-128x128.png?rev=3514777","icon_2x":false,"generated":false},"screenshots":[],"raw_content":"\n WEBO MCP is a standalone MCP gateway for WordPress. It lets compatible clients call well-defined tools over REST using JSON-RPC, instead of scraping the admin or sharing broad credentials beyond what you intend.<\/p>\n\n What you get<\/strong><\/p>\n\n Security model (high level)<\/strong><\/p>\n\n Client guidance<\/strong><\/p>\n\n Always discover tools before calling them: run Further documentation and optional integrations<\/strong><\/p>\n\n Compatibility note: any MCP-capable client can be used; which large language model runs inside the client is outside this plugin.<\/p>\n\n Standalone core tools included:\n- Site info\n- Content (posts\/pages): Excluded by default in standalone-safe mode:\n- Bulk\/mass execution tools\n- Plugin\/theme write-management abilities\n- Multisite-specific abilities<\/p>\n\n This plugin does not phone home or send telemetry. MCP traffic is initiated by clients you configure. Some tools may perform outbound HTTP requests only when a client invokes them (for example seo\/article-analysis may request keyword suggestions from a third-party suggest API unless you pass no_autocomplete).<\/p>\n\n The plugin stores the following options in the WordPress database when configured:\n- These options are removed when the plugin is uninstalled via the WordPress Plugins screen.<\/p>\n\n This plugin can connect to Google Suggest (Autocomplete) when a client calls the Service provider: Google LLC (Google Suggest \/ Autocomplete API endpoint).<\/p>\n\n Data sent and when:\n- Sent only when Terms of Service: https:\/\/policies.google.com\/terms\nPrivacy Policy: https:\/\/policies.google.com\/privacy<\/p>\n\n The plugin exposes the following actions and filters for developers:<\/p>\n\n Special thanks to the authors and open source projects that contributed to this plugin:\n- WordPress (https:\/\/wordpress.org)\n- Abilities API (https:\/\/github.com\/WordPress\/abilities-api)\n Reference: https:\/\/make.wordpress.org\/ai\/2025\/07\/17\/abilities-api\/\n- MCP Adapter (https:\/\/github.com\/WordPress\/mcp-adapter)\n Reference: https:\/\/make.wordpress.org\/ai\/2025\/07\/17\/mcp-adapter\/\n- Composer (https:\/\/getcomposer.org)\n- Other PHP and JS libraries from the community<\/p>\n\n If you use this plugin, please give credit to the authors of these libraries.<\/p>\n\n This plugin is licensed under the GPLv2 or later.\nSee https:\/\/www.gnu.org\/licenses\/gpl-2.0.html for details.<\/p>\n\n\n For release packaging, use scripts\/build-release.ps1 to create a clean zip with .distignore exclusions.<\/p>\n\n\n POST \/wp-json\/mcp\/v1\/router<\/p><\/dd>\n The project hub is https:\/\/webomcp.com. For n8n, install the community node from npm: https:\/\/www.npmjs.com\/package\/n8n-nodes-webo-mcp<\/p><\/dd>\n Yes. On WordPress versions where Core provides the Abilities API, WEBO MCP uses Core and does not load a duplicate bundled Abilities API. On older WordPress versions it falls back to the bundled Composer package. The default bridge mode is Only abilities that explicitly set Use Yes, via filter webo_mcp_allow_internal_tools in private environments.<\/p><\/dd>\n Yes, via filter webo_mcp_public_categories.<\/p><\/dd>\n Yes. Default bridge rules exclude patterns for bulk, plugins\/themes, and multisite abilities.<\/p><\/dd>\n Yes, when used with proper authentication, TLS, and a limited tool exposure policy.<\/p><\/dd>\n Use a WordPress Application Password<\/strong> (Users \u2192 Profile \u2192 Application Passwords) and send it with HTTP Basic Auth (username = WordPress username, password = the application password). You can combine that with the optional API Key<\/strong> and HMAC<\/strong> values from Settings \u2192 WEBO MCP when those fields are set. If a client cannot send headers, create a short-lived scoped URL connector token and pass it as Use webo\/content-mutate<\/code> for protected content workflows.<\/p>","2.1.14":"switch_to_blog()<\/code>.<\/p>","2.1.13":"site_id<\/code> or blog_id<\/code> for multisite network admins.<\/p>","2.1.12":"webo\/plugin-query<\/code><\/strong> tool (plugin inventory and updates via MCP). Recommended for automation that lists pending plugin updates.<\/p>","2.1.9":"webo.vn<\/code> \/ multi-BOM REST bodies: fixes BOM sanitizer regex so repeated UTF-8 BOM prefixes are actually removed.<\/p>","2.1.7":"Unexpected token<\/code> \/ invalid JSON \u2014 BOM strip now defaults on for all<\/strong> REST API responses.<\/p>","2.1.6":"discover-abilities<\/code> \/ ability tools \u2014 BOM strip now covers wp-abilities<\/code> REST routes.<\/p>","2.1.5":"rest_api_init<\/code> for MCP-like URLs.<\/p>","2.1.4":"tools\/list<\/code> or tools\/call<\/code> \u2014 response body is sanitized for MCP REST routes.<\/p>","2.1.2":"skills\/<\/code><\/strong> in the upstream repo clone; upgrade if you rely on Cursor\/Codex skills from GitHub.<\/p>","2.1.1":"action<\/code>. No behavioral change vs 2.1.0 expected.<\/p>","2.0.40":"show_on_front<\/code> and page_on_front<\/code> updates.<\/p>","2.0.33":"\n
*-query<\/code> (all reads) and *-mutate<\/code> (all writes) \u2014 with a single action<\/code> discriminator. tools\/list<\/code> payload is up to 70% smaller than per-operation APIs, which means less of the model's context window is consumed by tool schemas, lower cost per session, and fewer hallucinated tool names.<\/li>\nPOST \/wp-json\/mcp\/v1\/router<\/code><\/li>\ninitialize<\/code> \u2192 tools\/list<\/code> \u2192 tools\/call<\/code><\/li>\nsession_id<\/code> or Mcp-Session-Id<\/code> after initialize<\/code>)<\/li>\n\n
mcp_token<\/code> URL connector token in Settings -> WEBO MCP.<\/li>\nGET \/wp-json\/webo-mcp\/v1\/tools<\/code>: users who are super admins, can manage_options<\/code>, or can edit_posts<\/code>, consistent with typical site operator and editor workflows (filterable).<\/li>\n<\/ul>\n\ntools\/list<\/code>, pick an exact tool name from the response, validate required arguments, then call tools\/call<\/code>. This reduces mistakes and keeps automation predictable in production.<\/p>\n\n\n
webo\/content-query<\/code> (list, get, find-by-url, search-replace, list-revisions, get-revision) and webo\/content-mutate<\/code> (create, update, delete, bulk-update-status, restore-revision)\n- Users: list\n- Media: webo\/media-query<\/code> (list, get) and webo\/media-mutate<\/code> (upload, update, delete)\n- Comments: webo\/comment-query<\/code> (list, get) and webo\/comment-mutate<\/code> (update, delete)\n- Taxonomy\/Terms: webo\/taxonomy-query<\/code> (discover, list, get) and webo\/taxonomy-mutate<\/code> (create, update, delete)\n- Nav menus: list menus, list menu items (menu_order, db_id), add menu link from post (explicit post_id + menu_order required)\n- Plugins: webo\/plugin-query<\/code> (installed, active, updates, \u2026) and webo\/plugin-mutate<\/code> (install, activate, deactivate; supports child-site site_id<\/code> \/ blog_id<\/code> activation for network admins)\n- Health: webo\/health-status<\/code> (REST\/router status, Application Password support, permalinks, cron, object cache, plugin update summary, WordPress\/PHP versions, and redacted MCP config)\n- Abilities bridge: webo\/ability-query<\/code> and webo\/ability-execute<\/code> in default layered mode. Only abilities with meta.mcp.public === true<\/code> are visible and executable through WEBO MCP.\n- Themes: webo\/theme-query<\/code> (installed themes) and webo\/theme-mutate<\/code> (install from WordPress.org by slug, switch installed theme)\n- Menus: webo\/menu-query<\/code>, webo\/menu-mutate<\/code> (navigation menu items; not post\/CPT list order)\n- Post\/CPT order (optional): webo\/reorder-query<\/code>, webo\/reorder-mutate<\/code> when Webo Reorder<\/a> is active \u2014 see docs\/abilities\/reorder.md\n- Options: get\/update (safe allowlist only), set site icon\/favicon from media\n- SEO (WordPress post): seo\/article-analysis \u2014 requires post_id; merges Rank Math meta when available (same data path as webo-rank-math\/get-post-seo-meta); optional related-keyword suggestions via outbound request unless no_autocomplete is true<\/p>\n\nPrivacy<\/h3>\n\n
webo_mcp_api_key<\/code>: API key used to authenticate MCP requests.\n- webo_mcp_hmac_secret<\/code>: HMAC secret used to sign and validate MCP requests.\n- webo_mcp_url_connector_tokens<\/code>: hashed, expirable, revocable URL connector tokens for clients that cannot send headers. Raw tokens are shown once and are not stored.\n- webo_mcp_tool_allowlist_enabled<\/code> and webo_mcp_tool_allowlist_rules<\/code>: optional administrator-configured MCP tool allowlist policy.\n- webo_mcp_audit_log_enabled<\/code>, webo_mcp_audit_log_max_entries<\/code>, and webo_mcp_audit_log<\/code>: bounded MCP tool-call audit log settings and compact audit events. Audit entries include user\/tool\/action\/status data, anonymized IPs, and hashed session IDs; they do not store request payloads, API keys, HMAC secrets, or Application Passwords.<\/p>\n\nExternal services<\/h3>\n\n
seo\/article-analysis<\/code> tool and does not set no_autocomplete<\/code> to true. This external request is used to return related keyword suggestions for SEO analysis.<\/p>\n\nseo\/article-analysis<\/code> is called with autocomplete enabled.\n- Sends the analysis query text to https:\/\/suggestqueries.google.com\/complete\/search<\/code> as the q<\/code> parameter.\n- Sends standard HTTP request metadata such as IP address and User-Agent as part of the web request.<\/p>\n\nDeveloper Hooks<\/h3>\n\n
Actions<\/h3>\n\n
\n
webo_mcp_register_tools<\/code>\nFired during plugin bootstrap after standalone tools are registered. Use this to register custom MCP tools from other plugins.<\/li>\n<\/ul>\n\nFilters<\/h3>\n\n
\n
webo_mcp_current_user_can_use_mcp<\/code> (bool $allowed, int $user_id)\nGate for all MCP REST access. Default: super admin OR manage_options<\/code> OR edit_posts<\/code>. Override to tighten (e.g. super-admin only) in hardened installs.<\/p><\/li>\nwebo_mcp_allow_internal_tools<\/code> (bool $allow_internal, WP_REST_Request $request)\nControls whether internal tools are included in tools\/list responses. Defaults to false for public environments.<\/p><\/li>\nwebo_mcp_public_categories<\/code> (array $categories, WP_REST_Request $request, array $tool)\nFilters which tool categories are exposed as public. Defaults to array( 'wordpress' ).<\/p><\/li>\nwebo_mcp_public_tool_allowlist<\/code> (array $names, WP_REST_Request $request, array $tool)\nOptional allowlist of specific tool names that are always considered public.<\/p><\/li>\nwebo_mcp_bridge_deny_patterns<\/code> (array $patterns)\nControls which abilities are excluded when auto-bridging abilities into MCP tools (e.g. bulk, plugins\/, themes\/, multisite\/).<\/p><\/li>\nwebo_mcp_auto_bridge_abilities<\/code> (bool $enabled)\nEnables or disables automatic bridging of registered abilities into MCP tools. Defaults to true; bridge mode still controls whether the bridge is off, layered, or full.<\/p><\/li>\nwebo_mcp_bridge_mode<\/code> (string $mode)\nControls Abilities bridge mode after the WEBO_MCP_BRIDGE_MODE<\/code> constant and before the stored option. Values: off<\/code>, layered<\/code>, full<\/code>. Default: layered<\/code>.<\/p><\/li>\nwebo_mcp_enable_adapter<\/code> (bool $enabled)\nEnables or disables the bundled WordPress MCP Adapter runtime. Defaults to true.<\/p><\/li>\nwebo_mcp_validate_media_fetch_url<\/code> (true|\\WP_Error $ok, string $url, array $parsed)\nReject unsafe URLs for webo\/media-mutate upload action (return WP_Error to block).<\/p><\/li>\nwebo_mcp_tool_allowlist_allowed<\/code> (bool $allowed, string $tool_name, WP_REST_Request $request, array $params, array $allowed_tools)\nFilters the optional per-user\/role\/client allowlist decision.<\/p><\/li>\n<\/ul>\n\nCredits<\/h3>\n\n
License<\/h3>\n\n
\n
\n
Which endpoint should MCP clients use?<\/h3><\/dt>\n
Where is the official website and the n8n package?<\/h3><\/dt>\n
Can this run WordPress abilities by itself?<\/h3><\/dt>\n
layered<\/code>, which exposes compact webo\/ability-query<\/code> and webo\/ability-execute<\/code> tools instead of one tool per ability. You can set bridge mode to off<\/code>, layered<\/code>, or full<\/code> with WEBO_MCP_BRIDGE_MODE<\/code>, the webo_mcp_bridge_mode<\/code> filter, or the webo_mcp_bridge_mode<\/code> option.<\/p><\/dd>\nWhich abilities are exposed through WEBO MCP?<\/h3><\/dt>\n
meta.mcp.public<\/code> to true are exposed. Execution also checks the ability permission callback, WEBO allowlist\/policy, and scope\/risk metadata such as meta.webo_mcp.scope<\/code> and meta.webo_mcp.risk<\/code>.<\/p><\/dd>\nHow do I migrate from legacy one-operation tool names?<\/h3><\/dt>\n
tools\/list<\/code> to discover the dispatcher tool names on your site, then pass the correct action<\/code> (or query\/mutate discriminant) for each operation. Use docs\/MIGRATION_GUIDE_2.1.0.md for the 2.1.0 rollout narrative and docs\/MCP_TOOL_MIGRATION.md for a consolidated addon-by-addon map (Rank Math, Rocket, WooCommerce groups, etc.).<\/p><\/dd>\nCan I expose internal tools?<\/h3><\/dt>\n
Can I limit public tools by category?<\/h3><\/dt>\n
Can I keep only WordPress.org-safe features?<\/h3><\/dt>\n
Is this plugin suitable for production?<\/h3><\/dt>\n
How do I authenticate MCP clients?<\/h3><\/dt>\n
?mcp_token=...<\/code>; it is shown once, stored only as a hash, limited to an explicit tool scope, expirable, and revocable.<\/p><\/dd>\nDoes WEBO MCP reorder posts and pages?<\/h3><\/dt>\n
webo\/reorder-query<\/code><\/strong> and webo\/reorder-mutate<\/code><\/strong> when the separate Webo Reorder<\/strong> plugin is installed and active. Those tools control post menu_order<\/code> and taxonomy-specific order \u2014 not navigation menus. For Appearance \u2192 Menus, use webo\/menu-query<\/code><\/strong> and webo\/menu-mutate<\/code><\/strong>. See docs\/abilities\/reorder.md<\/code> in the plugin repository.<\/p><\/dd>\n\n<\/dl>\n\n\n2.2.1<\/h4>\n\n
\n
webo\/ability-execute<\/code>.<\/li>\n2.2.0<\/h4>\n\n
\n
webo\/connector-query<\/code>), WP AI prompt tool (webo\/ai-prompt<\/code>), agent profiles, rate limits, audit webhook\/CSV export, and multisite network bridge defaults.<\/li>\nwp webo-mcp health<\/code>, tools-list<\/code>, revoke-tokens<\/code>, audit-count<\/code>.<\/li>\n2.1.23<\/h4>\n\n
\n
script<\/code>, style<\/code>, canvas<\/code>, iframe<\/code>, and other raw HTML when explicitly enabled.<\/li>\nwebo\/get-options<\/code> and webo\/update-options<\/code> to read and configure the Trusted Raw HTML policy.<\/li>\n<\/ul>\n\n2.1.22<\/h4>\n\n
\n
mcp_token<\/code> URL connector tokens for clients that cannot send headers.<\/li>\n2.1.21<\/h4>\n\n
\n
2.1.20<\/h4>\n\n
\n