What is WebMCP?<\/strong><\/p>\n\nWebMCP is a new browser-native protocol (currently in Chrome Early Preview) that lets web apps expose their functionality as structured \"tools\" that AI agents can invoke \u2014 without needing to screenshot or parse HTML. Think of your website as an MCP server running entirely client-side.<\/p>\n\n
How it works<\/strong><\/p>\n\n\n- Install and activate the plugin<\/li>\n
- Enable the features you want from Settings \u2192 WebMCP Bridge<\/strong><\/li>\n
- Your tool manifest is immediately available at
\/wp-json\/webmcp-bridge\/v1\/manifest<\/code><\/li>\n- AI agents (or any JavaScript code) can call your tools via REST API or the native browser WebMCP API<\/li>\n<\/ol>\n\n
Included tools<\/strong><\/p>\n\nCore:<\/em><\/p>\n\n\nsearch_posts<\/code> \u2014 Search posts, pages, or custom post types<\/li>\nget_post<\/code> \u2014 Retrieve a single post by ID or slug<\/li>\nget_menu<\/code> \u2014 Return navigation menu items<\/li>\nget_categories<\/code> \u2014 List taxonomy terms<\/li>\nget_site_info<\/code> \u2014 Site name, description, URL, language<\/li>\nsubmit_contact_form<\/code> \u2014 Contact Form 7 integration<\/li>\n<\/ul>\n\nWooCommerce (requires WooCommerce plugin):<\/em><\/p>\n\n\nwoo_search_products<\/code> \u2014 Search by keyword, category, price range<\/li>\nwoo_get_product<\/code> \u2014 Full product details including attributes<\/li>\nwoo_add_to_cart<\/code> \u2014 Add a product to the cart<\/li>\nwoo_get_cart<\/code> \u2014 Current cart contents and totals<\/li>\nwoo_remove_from_cart<\/code> \u2014 Remove an item by cart key<\/li>\nwoo_apply_coupon<\/code> \u2014 Apply a coupon code<\/li>\nwoo_get_checkout_fields<\/code> \u2014 Return checkout field schema<\/li>\nwoo_get_product_categories<\/code> \u2014 List all product categories<\/li>\n<\/ul>\n\nEven more powerful with Mescio for Agents<\/strong><\/p>\n\nWebMCP Bridge integrates automatically with the Mescio for Agents<\/strong> plugin. When both plugins are active, two additional tools are unlocked:<\/p>\n\n\nget_markdown_content<\/code> \u2014 Returns any post or page as clean Markdown, the format AI models consume most efficiently. Instead of raw HTML, agents receive structured, token-optimized content ready for reasoning and summarization.<\/li>\nget_llms_txt<\/code> \u2014 Exposes the site-wide llms.txt<\/code> context document (index or full variant), giving agents an instant, structured overview of what the site is about, who it is for, and what content is available \u2014 before they even start searching.<\/li>\n<\/ul>\n\nTogether, the two plugins turn your WordPress site into a fully AI-native content source: WebMCP Bridge handles the tool layer (what agents can do<\/em>), while Mescio for Agents handles the content layer (what agents can read<\/em> and understand<\/em>).<\/p>\n\nPrivacy<\/strong><\/p>\n\nThis plugin does not collect, store, or transmit any user data to external servers. All tool execution happens locally within your WordPress installation. No telemetry, no phone-home, no external API calls.<\/p>\n\n\n
\n- Upload the
webmcp-bridge<\/code> folder to \/wp-content\/plugins\/<\/code><\/li>\n- Activate the plugin via Plugins \u2192 Installed Plugins<\/strong><\/li>\n
- Go to Settings \u2192 WebMCP Bridge<\/strong> and enable the features you want<\/li>\n<\/ol>\n\n
Minimum Requirements<\/h4>\n\n\n- WordPress 6.0 or higher<\/li>\n
- PHP 8.0 or higher<\/li>\n
- WooCommerce 7.0+ (optional, only required for WooCommerce tools)<\/li>\n
- Contact Form 7 (optional, only required for form tools)<\/li>\n
- Mescio for Agents (optional, unlocks
get_markdown_content<\/code> and get_llms_txt<\/code>)<\/li>\n<\/ul>\n\n\n\nDo I need Chrome for this to work?<\/h3><\/dt>\nNo. The REST API endpoints work in every browser and environment. The native WebMCP browser registration is only available in Chrome Early Preview (experimental), but the fallback JavaScript API (window.webmcpBridgeTools<\/code>) and REST endpoints work everywhere.<\/p><\/dd>\nIs this secure?<\/h3><\/dt>\nYes. Read-only tools (search, get post, etc.) are publicly accessible by default, matching WordPress's own REST API behaviour. Write-action tools (add to cart, apply coupon, submit form) require a valid WordPress nonce. You can customise which tools require authentication via the webmcp_bridge_protected_tools<\/code> filter.<\/p><\/dd>\nDoes it work with WooCommerce?<\/h3><\/dt>\nYes. WooCommerce tools are automatically registered when WooCommerce is active and the WooCommerce option is enabled in settings.<\/p><\/dd>\n
What does Mescio for Agents add?<\/h3><\/dt>\nWhen Mescio for Agents is active alongside WebMCP Bridge, two extra tools become available in the manifest: get_markdown_content<\/code> (AI-optimized content format) and get_llms_txt<\/code> (site-wide context document). These are detected automatically \u2014 no configuration needed.<\/p><\/dd>\nCan I add my own tools?<\/h3><\/dt>\nAbsolutely. Use the PHP API:<\/p>\n\n
add_action( 'plugins_loaded', function() {\n if ( ! class_exists( 'WebMCP_Bridge_Tool_Registry' ) ) return;\n $registry = WebMCP_Bridge_Tool_Registry::instance();\n $registry->register( 'my_tool', [\n 'description' => 'Does something useful.',\n 'group' => 'custom',\n 'inputSchema' => [ 'type' => 'object', 'properties' => [] ],\n 'callback' => function( $params ) { return [ 'ok' => true ]; },\n ] );\n} );\n<\/code><\/pre><\/dd>\nWhere is the manifest URL?<\/h3><\/dt>\nhttps:\/\/your-site.com\/wp-json\/webmcp-bridge\/v1\/manifest<\/p>\n\n
You can also find it on the Settings \u2192 WebMCP Bridge<\/strong> page with a one-click copy button.<\/p><\/dd>\nDoes this plugin collect any data?<\/h3><\/dt>\nNo. WebMCP Bridge does not collect, store, or send any data to external servers. See the Privacy section above.<\/p><\/dd>\n\n<\/dl>\n\n\n
1.6.0<\/h4>\n\n\n- JS: migrated browser registration to navigator.modelContext.provideContext() per current WebMCP spec; legacy ai.tools.register() kept as fallback<\/li>\n
- JS: corrected tool field from parameters to inputSchema (WebMCP\/Anthropic spec)<\/li>\n
- Discovery: added service-desc and service-doc Link relations alongside api-catalog and webmcp-manifest<\/li>\n
- Discovery: OAuth authorization-server and oauth-protected-resource now served on all sites (not WooCommerce-only) \u2014 explains WordPress nonce auth to agents<\/li>\n
- Discovery: HTML tags updated to include service-desc and service-doc<\/li>\n<\/ul>\n\n
1.5.0<\/h4>\n\n\n- Added WooCommerce commerce agent discovery (active only when WooCommerce is installed):\n\n
\n- OAuth Authorization Server metadata at \/.well-known\/oauth-authorization-server (RFC 8414)<\/li>\n
- OAuth Protected Resource metadata at \/.well-known\/oauth-protected-resource (RFC 9728)<\/li>\n
- Universal Commerce Protocol profile at \/.well-known\/ucp (ucp.dev)<\/li>\n
- Agentic Commerce Protocol discovery at \/.well-known\/acp.json (agenticcommerce.dev)<\/li>\n<\/ul><\/li>\n
- Added \/wp-json\/webmcp-bridge\/v1\/nonce endpoint \u2014 agents can fetch a fresh WP REST nonce for authenticated tool calls<\/li>\n
- Discovery endpoint now includes commerce URLs when WooCommerce is active<\/li>\n<\/ul>\n\n
1.4.4<\/h4>\n\n\n- Added Content-Signal directives to robots.txt (contentsignals.org): ai-train=yes, search=yes, ai-input=yes \u2014 filterable via webmcp_bridge_content_signals hook<\/li>\n
- Added Vary: Accept header so nginx\/CDN caches correctly serve Markdown for Agents requests separately from HTML responses<\/li>\n<\/ul>\n\n
1.4.3<\/h4>\n\n\n- Fixed RFC 8288 Link discovery for cached sites: added tags in HTML via wp_head<\/li>\n
- Link tags are part of the cached HTML so agents find them even when nginx serves cached pages without running PHP<\/li>\n
- HTTP Link headers still added via wp_headers as secondary channel on cache misses<\/li>\n<\/ul>\n\n
1.4.2<\/h4>\n\n\n- Fixed RFC 8288 Link headers: switched from send_headers action to wp_headers filter for reliable delivery through nginx\/cache layers<\/li>\n
- Link headers now added to all pages (not just homepage) so agents can discover the API from any entry point<\/li>\n<\/ul>\n\n
1.4.1<\/h4>\n\n\n- Fixed Agent Skills index: added sha256 digest field to each skill entry (required by v0.2.0 spec)<\/li>\n<\/ul>\n\n
1.4.0<\/h4>\n\n\n- Added RFC 8288 Link response headers on homepage: advertises manifest, API catalog and MCP Server Card to agents<\/li>\n
- Added \/.well-known\/mcp\/server-card.json (SEP-1649): MCP Server Card for agent discovery<\/li>\n
- Added \/.well-known\/api-catalog (RFC 9727): machine-readable API catalog including WebMCP and Mescio endpoints<\/li>\n
- Added \/.well-known\/agent-skills\/index.json: Agent Skills discovery index listing all site capabilities<\/li>\n
- Added \/wp-json\/webmcp-bridge\/v1\/discovery: convenience endpoint listing all discovery URLs<\/li>\n
- All well-known endpoints include Mescio for Agents data automatically when plugin is active<\/li>\n<\/ul>\n\n
1.3.2<\/h4>\n\n\n- Fixed PHP syntax error in sanitize_markdown() regex (inline event handler pattern)<\/li>\n
- All PHP files pass WordPress.org pre-commit syntax check<\/li>\n<\/ul>\n\n
1.3.1<\/h4>\n\n\n- Security: sanitize Markdown output in get_markdown_content and get_llms_txt \u2014 prevents stored XSS and prompt injection via post content<\/li>\n
- Removed admin_email from get_site_info response \u2014 not needed by agents, sensitive data<\/li>\n
- Removed author display_name from get_post response \u2014 exposes internal WordPress usernames<\/li>\n
- Added global rate limiting on \/execute endpoint (default: 120 calls\/60s, configurable in settings)<\/li>\n
- Rate limit is global (not per-IP) \u2014 effective against proxy rotation attacks; returns HTTP 429<\/li>\n<\/ul>\n\n
1.3.0<\/h4>\n\n\n- Removed admin_email from get_site_info \u2014 sensitive data not needed by agents<\/li>\n
- Removed author field from get_post \u2014 avoids exposing internal WordPress usernames<\/li>\n
- Added global rate limiting on \/execute: configurable max calls per time window in settings<\/li>\n
- Rate limit counter uses WP transients; returns HTTP 429 when exceeded<\/li>\n
- Rate limit and window now editable from Settings \u2192 WebMCP Bridge<\/li>\n<\/ul>\n\n
1.2.0<\/h4>\n\n\n- Added Live API Examples section in admin: test every tool directly from the settings page<\/li>\n
- curl and JavaScript snippets auto-generated for each tool with real site URL<\/li>\n
- Added Mescio for Agents examples (llms.txt, get_markdown_content) when plugin is active<\/li>\n
- Admin JS extracted to separate file for better caching and CSP compatibility<\/li>\n
- Added full Italian translation (it_IT) \u2014 .po, .mo and .pot files included<\/li>\n
- Admin UI: tab navigation for examples, live JSON output viewer<\/li>\n<\/ul>\n\n
1.1.0<\/h4>\n\n\n- Added integration with Mescio for Agents plugin: when active, unlocks
get_markdown_content<\/code> and get_llms_txt<\/code> tools<\/li>\n- Manifest now filters tools based on enabled settings \u2014 disabled groups no longer appear<\/li>\n
- Added
site_url<\/code> and mescio_for_agents<\/code> fields to manifest response<\/li>\n- Tool groups refactored: core split into
content<\/code>, navigation<\/code>, forms<\/code> for finer control<\/li>\n- Improved error handling: registry now catches all
Throwable<\/code> (not just Exception<\/code>)<\/li>\n- Fixed
wp_remote_get<\/code> in llms-full.txt fetch: proper timeout, user-agent, SSL filter<\/li>\n- Fixed: tools disabled in settings were still executable via REST \u2014 now correctly blocked<\/li>\n<\/ul>\n\n
1.0.1<\/h4>\n\n\n- Added automatic compatibility with Autoptimize, WP Rocket, LiteSpeed Cache, W3 Total Cache, SG Optimizer<\/li>\n
- Fixed duplicate textdomain and deactivation hooks<\/li>\n
- Added ABSPATH protection to all PHP files<\/li>\n
- Fixed output escaping in exception messages<\/li>\n<\/ul>\n\n
1.0.0<\/h4>\n\n\n- Initial release<\/li>\n
- Core tools: search_posts, get_post, get_menu, get_categories, get_site_info, submit_contact_form<\/li>\n
- WooCommerce tools: product search, cart management, coupon, checkout fields<\/li>\n
- REST API manifest and execution endpoints<\/li>\n
- JavaScript frontend bridge with WebMCP browser API support and fallback<\/li>\n
- Admin settings page<\/li>\n<\/ul>","raw_excerpt":"Make your WordPress site natively AI-agent friendly via the WebMCP protocol \u2014 no backend server required.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ca.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/289683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ca.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/ca.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/ca.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=289683"}],"author":[{"embeddable":true,"href":"https:\/\/ca.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/vinsmach"}],"wp:attachment":[{"href":"https:\/\/ca.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=289683"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/ca.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=289683"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/ca.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=289683"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/ca.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=289683"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/ca.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=289683"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/ca.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=289683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}