Skip to content

bjornfix/mcp-abilities-filesystem

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
README.md
README.md
 
 
mcp-abilities-filesystem.php
mcp-abilities-filesystem.php
 
 
readme.txt
readme.txt
 
 

Repository files navigation

MCP Abilities - Filesystem

Secure file operations for WordPress via MCP.

GitHub release License: GPL v2

Tested up to: 6.9 Stable tag: 1.0.6 License: GPLv2 or later License URI: https://www.gnu.org/licenses/gpl-2.0.html

What It Does

This add-on plugin exposes filesystem operations through MCP (Model Context Protocol). Your AI assistant can read plugin files, edit configuration, manage uploads - all through conversation. Security-hardened to prevent PHP injection and path traversal attacks.

Part of the MCP Expose Abilities ecosystem.

Requirements

Installation

  1. Install the required plugins (Abilities API, MCP Adapter)
  2. Download the latest release from Releases
  3. Upload via WordPress Admin → Plugins → Add New → Upload Plugin
  4. Activate the plugin

Abilities (11)

Ability Description
filesystem/read-file Read file contents (text or binary)
filesystem/write-file Write content to file (PHP blocked)
filesystem/append-file Append content to existing file
filesystem/delete-file Delete file (creates backup first)
filesystem/delete-directory Delete directory (optional recursive delete)
filesystem/copy-file Copy file to new location
filesystem/move-file Move or rename file
filesystem/list-directory List directory contents
filesystem/create-directory Create new directory
filesystem/file-info Get file metadata (size, dates, permissions)
filesystem/get-changelog Get changelog from plugin/theme

Usage Examples

Read a file

{
  "ability_name": "filesystem/read-file",
  "parameters": {
    "path": "wp-content/plugins/my-plugin/config.json"
  }
}

Write a file

{
  "ability_name": "filesystem/write-file",
  "parameters": {
    "path": "wp-content/uploads/data/export.csv",
    "content": "name,email\nJohn,john@example.com"
  }
}

List directory

{
  "ability_name": "filesystem/list-directory",
  "parameters": {
    "path": "wp-content/uploads/2024/",
    "recursive": false
  }
}

Delete with backup

{
  "ability_name": "filesystem/delete-file",
  "parameters": {
    "path": "wp-content/uploads/old-file.txt"
  }
}

Files are backed up to wp-content/mcp-backups/YYYY-MM-DD/ before deletion.

Security Features

This plugin includes extensive security hardening:

  • PHP Injection Detection - Blocks <?php, <?=, and obfuscated PHP patterns
  • Encoding Bypass Protection - Detects UTF-7, UTF-16, and Base64 encoded PHP
  • Path Traversal Protection - Blocks ../ and absolute paths outside WordPress
  • Directory Restrictions - Limited to the WordPress root directory
  • Automatic Backups - Files backed up before deletion
  • 50+ Attack Vectors Tested - Comprehensive security testing

Changelog

1.0.6

  • Docs: expanded the WordPress-standard readme.txt so the published ZIP now includes fuller requirements, abilities, use cases, and Devenia ecosystem links

1.0.5

  • Added: max_items limit for safer recursive directory listing
  • Added: returned and truncated output fields for list-directory

1.0.3

  • Improve log append efficiency for filesystem operations

1.0.2

  • Security: Restrict filesystem operations to the WordPress root directory
  • Fixed: Use WP_Filesystem for backups and copy operations

1.0.1

  • Fixed: Use WP_Filesystem API instead of native PHP functions
  • Fixed: Proper sanitization of REMOTE_ADDR

License

GPL-2.0+

Author

Devenia - We've been doing SEO and web development since 1993.

Links

About

MCP Abilities Filesystem - Add-on for mcp-expose-abilities WordPress plugin

devenia.com/plugins/mcp-expose-abilities/

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases 3

v1.0.6 Latest
Mar 10, 2026
+ 2 releases

Packages

 
 
 

Contributors

Languages