Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3495168

Timestamp:

03/31/2026 06:11:11 AM (23 hours ago)

Author:

royalpluginsteam

Message:

Update to version 1.3.0

Location:

royal-mcp

Files:

: 49 added
: 3 edited

assets/banner-1544x500.png (added)
tags/1.3.0 (added)
tags/1.3.0/LICENSE (added)
tags/1.3.0/README.md (added)
tags/1.3.0/assets (added)
tags/1.3.0/assets/css (added)
tags/1.3.0/assets/css/admin.css (added)
tags/1.3.0/assets/css/index.php (added)
tags/1.3.0/assets/index.php (added)
tags/1.3.0/assets/js (added)
tags/1.3.0/assets/js/admin.js (added)
tags/1.3.0/assets/js/index.php (added)
tags/1.3.0/includes (added)
tags/1.3.0/includes/API (added)
tags/1.3.0/includes/API/REST_Controller.php (added)
tags/1.3.0/includes/API/index.php (added)
tags/1.3.0/includes/Admin (added)
tags/1.3.0/includes/Admin/Settings_Page.php (added)
tags/1.3.0/includes/Admin/index.php (added)
tags/1.3.0/includes/Integrations (added)
tags/1.3.0/includes/Integrations/GuardPress.php (added)
tags/1.3.0/includes/Integrations/SiteVault.php (added)
tags/1.3.0/includes/Integrations/WooCommerce.php (added)
tags/1.3.0/includes/Integrations/index.php (added)
tags/1.3.0/includes/MCP (added)
tags/1.3.0/includes/MCP/Client.php (added)
tags/1.3.0/includes/MCP/Server.php (added)
tags/1.3.0/includes/MCP/index.php (added)
tags/1.3.0/includes/Platform (added)
tags/1.3.0/includes/Platform/Registry.php (added)
tags/1.3.0/includes/Platform/index.php (added)
tags/1.3.0/includes/index.php (added)
tags/1.3.0/languages (added)
tags/1.3.0/languages/index.php (added)
tags/1.3.0/readme.txt (added)
tags/1.3.0/royal-mcp.php (added)
tags/1.3.0/templates (added)
tags/1.3.0/templates/admin (added)
tags/1.3.0/templates/admin/index.php (added)
tags/1.3.0/templates/admin/logs.php (added)
tags/1.3.0/templates/admin/settings.php (added)
tags/1.3.0/templates/index.php (added)
tags/1.3.0/uninstall.php (added)
trunk/README.md (added)
trunk/includes/Integrations (added)
trunk/includes/Integrations/GuardPress.php (added)
trunk/includes/Integrations/SiteVault.php (added)
trunk/includes/Integrations/WooCommerce.php (added)
trunk/includes/Integrations/index.php (added)
trunk/includes/MCP/Server.php (modified) (14 diffs)
trunk/readme.txt (modified) (4 diffs)
trunk/royal-mcp.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

royal-mcp/trunk/includes/MCP/Server.php

-                      r3439404
+                      r3495168
 <?php
 namespace Royal_MCP\MCP;
+use Royal_MCP\Integrations\WooCommerce as WooIntegration;
+use Royal_MCP\Integrations\GuardPress as GPIntegration;
+use Royal_MCP\Integrations\SiteVault as SVIntegration;
 if (!defined('ABSPATH')) {
 …
      */
     private $sessions = [];
+    /**
+     * Rate limit: max requests per window per IP
+     */
+    private $rate_limit_max = 60;
+    private $rate_limit_window = 60; // seconds
     /**
 …
     /**
+     * Validate API key for MCP authentication.
+     * Required on initialize to create an authenticated session.
+     *
+     * @param \WP_REST_Request $request The request object
+     * @return bool|WP_REST_Response True if valid, error response if invalid
+     */
+    private function validate_api_key($request) {
+        $api_key = $request->get_header('X-Royal-MCP-API-Key');
+        if (empty($api_key)) {
+            return new \WP_REST_Response([
+                'jsonrpc' => '2.0',
+                'error' => [
+                    'code' => -32600,
+                    'message' => 'Authentication required. Include X-Royal-MCP-API-Key header.',
+                ],
+            ], 401);
+        }
+        $settings = get_option('royal_mcp_settings', []);
+        // Check plugin is enabled
+        if (empty($settings['enabled'])) {
+            return new \WP_REST_Response([
+                'jsonrpc' => '2.0',
+                'error' => [
+                    'code' => -32600,
+                    'message' => 'Royal MCP is currently disabled.',
+                ],
+            ], 403);
+        }
+        // Validate key using timing-safe comparison
+        if (empty($settings['api_key']) || !hash_equals($settings['api_key'], $api_key)) {
+            return new \WP_REST_Response([
+                'jsonrpc' => '2.0',
+                'error' => [
+                    'code' => -32600,
+                    'message' => 'Invalid API key.',
+                ],
+            ], 403);
+        }
+        return true;
+    }
+    /**
+     * Check rate limit for an IP address.
+     *
+     * @param string $ip Client IP address
+     * @return bool|WP_REST_Response True if allowed, error response if rate limited
+     */
+    private function check_rate_limit($ip) {
+        $transient_key = 'royal_mcp_rate_' . md5($ip);
+        $data = get_transient($transient_key);
+        if ($data === false) {
+            set_transient($transient_key, ['count' => 1, 'start' => time()], $this->rate_limit_window);
+            return true;
+        }
+        if (time() - $data['start'] > $this->rate_limit_window) {
+            set_transient($transient_key, ['count' => 1, 'start' => time()], $this->rate_limit_window);
+            return true;
+        }
+        $data['count']++;
+        set_transient($transient_key, $data, $this->rate_limit_window);
+        if ($data['count'] > $this->rate_limit_max) {
+            return new \WP_REST_Response([
+                'jsonrpc' => '2.0',
+                'error' => [
+                    'code' => -32600,
+                    'message' => 'Rate limit exceeded. Maximum ' . $this->rate_limit_max . ' requests per minute.',
+                ],
+            ], 429);
+        }
+        return true;
+    }
+    /**
      * Validate Accept header for POST requests
      * Per MCP spec: Client MUST include Accept header with both application/json and text/event-stream
 …
     private function get_tools() {
         return [
+        $tools = [
             // Posts
             ['name' => 'wp_get_posts', 'description' => 'Get WordPress posts', 'inputSchema' => ['type' => 'object', 'properties' => ['per_page' => ['type' => 'integer', 'description' => 'Number of posts (max 100)'], 'search' => ['type' => 'string', 'description' => 'Search term'], 'status' => ['type' => 'string', 'description' => 'Post status (publish, draft, etc)']]]],
 …
             ['name' => 'wp_get_themes', 'description' => 'Get installed themes', 'inputSchema' => ['type' => 'object', 'properties' => new \stdClass()]],
         ];
+        // Conditionally add integration tools
+        $tools = array_merge( $tools, WooIntegration::get_tools() );
+        $tools = array_merge( $tools, GPIntegration::get_tools() );
+        $tools = array_merge( $tools, SVIntegration::get_tools() );
+        return $tools;
+    }
 …
         if ($origin_check !== true) {
             return $origin_check;
+        }
+        // Rate limiting
+        $client_ip = isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : '127.0.0.1';
+        $rate_check = $this->check_rate_limit($client_ip);
+        if ($rate_check !== true) {
+            return $rate_check;
+        }
 …
         $response->header('Access-Control-Allow-Origin', '*');
         $response->header('Access-Control-Allow-Methods', 'GET, POST, DELETE, OPTIONS');
         $response->header('Access-Control-Allow-Headers', 'Content-Type, Accept, Mcp-Session-Id');
+        $response->header('Access-Control-Allow-Headers', 'Content-Type, Accept, Mcp-Session-Id, X-Royal-MCP-API-Key');
         $response->header('Access-Control-Max-Age', '86400');
         return $response;
 …
         // Get session ID from header
         $session_id = $request->get_header('Mcp-Session-Id');
+        // For initialize requests, require API key authentication
+        if ($method === 'initialize') {
+            $auth_check = $this->validate_api_key($request);
+            if ($auth_check !== true) {
+                return $auth_check;
+            }
+        }
         // For non-initialize requests, validate session
 …
                     'comment_author' => sanitize_text_field($args['author'] ?? 'Anonymous'),
                     'comment_author_email' => sanitize_email($args['author_email'] ?? ''),
+                    'comment_approved' => 1,
+                ];
+                ];
+                // Respect WordPress comment moderation settings
+                $comment_data['comment_approved'] = wp_allow_comment($comment_data);
                 $comment_id = wp_insert_comment($comment_data);
                 if (!$comment_id) throw new \Exception('Failed to create comment');
+                return ['id' => $comment_id, 'message' => 'Comment created successfully'];
+                $status = $comment_data['comment_approved'] === 1 ? 'approved' : 'pending moderation';
+                return ['id' => $comment_id, 'message' => 'Comment created (' . $status . ')'];
             case 'wp_delete_comment':
 …
                     return [
                         'id' => $u->ID,
-                        'username' => $u->user_login,
-                        'email' => $u->user_email,
                         'display_name' => $u->display_name,
                         'roles' => $u->roles,
 …
                 return [
                     'id' => $user->ID,
-                    'username' => $user->user_login,
-                    'email' => $user->user_email,
                     'display_name' => $user->display_name,
                     'roles' => $user->roles,
 …
             case 'wp_update_post_meta':
+                $result = update_post_meta(intval($args['post_id']), sanitize_text_field($args['key']), $args['value']);
+                $meta_value = $args['value'];
+                if (is_string($meta_value)) {
+                    $meta_value = sanitize_text_field($meta_value);
+                } elseif (is_array($meta_value)) {
+                    $meta_value = array_map('sanitize_text_field', $meta_value);
+                }
+                $result = update_post_meta(intval($args['post_id']), sanitize_text_field($args['key']), $meta_value);
                 return ['message' => 'Post meta updated successfully', 'result' => $result];
 …
                     'description' => get_bloginfo('description'),
                     'url' => home_url(),
-                    'admin_email' => get_bloginfo('admin_email'),
                     'language' => get_locale(),
                     'timezone' => wp_timezone_string(),
                     'wp_version' => get_bloginfo('version'),
-                    'php_version' => phpversion(),
                 ];
 …
             default:
+                // Route to integration handlers
+                if ( strpos( $name, 'wc_' ) === 0 ) {
+                    return WooIntegration::execute_tool( $name, $args );
+                }
+                if ( strpos( $name, 'gp_' ) === 0 ) {
+                    return GPIntegration::execute_tool( $name, $args );
+                }
+                if ( strpos( $name, 'sv_' ) === 0 ) {
+                    return SVIntegration::execute_tool( $name, $args );
+                }
                 throw new \Exception('Unknown tool: ' . esc_html($name));
+        }

royal-mcp/trunk/readme.txt

-                      r3479831
+                      r3495168
 Contributors: royalpluginsteam
 Donate link: https://www.royalplugins.com
 Tags: wordpress mcp, ai integration, claude wordpress, model context protocol, chatgpt wordpress
+Tags: mcp, ai wordpress, claude wordpress, woocommerce ai, wordpress ai integration
 Requires at least: 5.8
 Tested up to: 6.9.3
 Stable tag: 1.2.3
+Tested up to: 6.9
+Stable tag: 1.3.0
 Requires PHP: 7.4
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 WordPress MCP plugin that connects AI platforms like Claude, ChatGPT, and Gemini to your site using Model Context Protocol for secure content access.
+The security-first MCP server for WordPress. Connect Claude, ChatGPT, and Gemini with API key auth, rate limiting, and activity logging.
 == Description ==
+Royal MCP enables AI platforms like Claude, OpenAI, and Google Gemini to securely interact with your WordPress content through the Model Context Protocol (MCP).
+**Key Features:**
+* **Multi-Platform Support** - Connect Claude, OpenAI, Google Gemini, Mistral, Perplexity, Groq, and more
+* **REST API Access** - Expose posts, pages, media, and users to AI platforms
+* **Secure Authentication** - API key authentication protects your endpoints
+* **Activity Logging** - Track all AI interactions with your site
+* **Claude Desktop Integration** - Native MCP connector for Claude Desktop app
+**Supported AI Platforms:**
+* Claude (Anthropic)
+* OpenAI (GPT-4, GPT-3.5)
+* Google Gemini
+* Mistral AI
+* Perplexity
+* Groq
+* Cohere
+* Together AI
+* DeepSeek
+* And more...
+**API Endpoints:**
+* `/wp-json/royal-mcp/v1/posts` - Access posts
+* `/wp-json/royal-mcp/v1/pages` - Access pages
+* `/wp-json/royal-mcp/v1/media` - Access media library
+* `/wp-json/royal-mcp/v1/users` - Access user data (public info only)
+Royal MCP is a security-first Model Context Protocol (MCP) server for WordPress. It gives AI platforms like Claude, ChatGPT, and Google Gemini structured access to your WordPress content — with authentication, rate limiting, and audit logging that most MCP implementations skip entirely.
+According to [recent security research](https://mcpplaygroundonline.com/blog/mcp-server-security-complete-guide-2026), 41% of public MCP servers have no authentication and respond to tool calls without any credentials. Royal MCP takes the opposite approach: every MCP session requires an API key, every request is rate-limited, and every interaction is logged.
+= Why Security Matters for MCP =
+MCP gives AI agents the ability to read, create, update, and delete your WordPress content. Without proper authentication, anyone who discovers your MCP endpoint can:
+* Read all your posts, pages, and media
+* Create or delete content
+* Access user data and plugin information
+* Overwhelm your server with rapid-fire requests
+Royal MCP prevents all of this with API key authentication on session initialization, timing-safe key comparison, per-IP rate limiting (60 requests/minute), and a full activity log of every MCP interaction.
+= 37+ MCP Tools Built In =
+**WordPress Core (37 tools):**
+* Posts — create, read, update, delete, search, count
+* Pages — full CRUD with parent page support
+* Media — library browsing, metadata, deletion
+* Comments — create (respects moderation settings), read, delete
+* Users — display names and roles (emails and usernames are not exposed)
+* Categories & Tags — create, assign, delete, count
+* Menus — list menus and menu items
+* Post Meta — read, update, delete custom fields
+* Site Info — site name, description, WordPress version, timezone
+* Plugins & Themes — list installed plugins and themes with active status
+* Search — full-text content search across post types
+* Options — read allowlisted safe options only
+= Plugin Integrations (Conditional) =
+Royal MCP automatically detects compatible plugins and adds specialized MCP tools. No configuration needed — if the plugin is active, the tools appear.
+**WooCommerce Integration (9 tools):**
+When WooCommerce is active, AI agents can manage your store:
+* Browse and search products by category, status, or type
+* Create and update products with prices, SKUs, stock levels
+* View orders, order details, and update order status
+* List customers with order count and total spent
+* Get store statistics — revenue, order count, average order value by period
+**GuardPress Integration (7 tools):**
+When GuardPress is active, AI agents can monitor your site security:
+* Get current security score and grade with factor breakdown
+* View security statistics — failed logins, blocked IPs, alerts
+* Run vulnerability scans and review results
+* List blocked IP addresses and failed login attempts
+* Browse the security audit log filtered by severity
+**SiteVault Integration (6 tools):**
+When SiteVault is active, AI agents can manage your backups:
+* List available backups filtered by status or type
+* Trigger new backups (full, database, files, plugins, themes)
+* Check backup progress in real time
+* View backup statistics — total size, last backup, counts
+* List and review backup schedules
+= Works Alongside WordPress Core MCP =
+WordPress is building MCP support into core via the Abilities API. Royal MCP complements this by providing security controls that the core implementation does not include — API key authentication, rate limiting, activity logging, and sensitive data filtering. When the Abilities API ships, Royal MCP will continue to provide the security layer, plugin integrations, and WooCommerce tools that core does not cover.
+= Supported AI Platforms =
+* **Claude (Anthropic)** — Full MCP support via Claude Desktop, Claude Code, and VS Code
+* **OpenAI / ChatGPT** — GPT-4o, GPT-4 Turbo, GPT-3.5 Turbo
+* **Google Gemini** — Gemini 1.5 Pro, 1.5 Flash
+* **Groq** — Llama 3.3, Mixtral, Gemma 2
+* **Azure OpenAI** — Azure-hosted OpenAI deployments
+* **AWS Bedrock** — Claude, Llama, Titan models
+* **Ollama / LM Studio** — Local self-hosted models (no external data transmission)
+* **Custom MCP Servers** — Connect to any MCP-compatible endpoint
+= MCP Spec Compliance =
+Royal MCP implements the [MCP 2025-03-26 Streamable HTTP transport specification](https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http):
+* Single `/mcp` endpoint for all JSON-RPC communication
+* POST for client messages, GET for server-sent events, DELETE for session termination
+* Cryptographically secure session IDs with transient-based storage
+* Origin header validation to prevent DNS rebinding attacks
+* Proper CORS handling for browser-based MCP clients
 == External Services ==
 …
 This plugin connects to third-party AI services to enable AI platforms to interact with your WordPress content. **No data is transmitted until you explicitly configure and enable a platform connection.**
 **What data is sent:** Your WordPress content (posts, pages, media metadata) as requested by the connected AI platform.
 **When data is sent:** Only when you have configured a platform with API credentials AND enabled that platform connection AND the AI platform makes a request.
+**What data is sent:** Your WordPress content (posts, pages, media metadata) as requested by the connected AI platform through authenticated MCP tool calls.
+**When data is sent:** Only when you have configured a platform with API credentials AND enabled that platform connection AND the AI platform makes an authenticated request.
 **Supported services and their policies:**
 * **Anthropic Claude** - Used for Claude AI integration
+* **Anthropic Claude** — Used for Claude AI integration
   [Terms of Service](https://www.anthropic.com/legal/consumer-terms) | [Privacy Policy](https://www.anthropic.com/legal/privacy)
 * **OpenAI** - Used for ChatGPT/GPT-4 integration
+* **OpenAI** — Used for ChatGPT/GPT-4 integration
   [Terms of Use](https://openai.com/policies/terms-of-use) | [Privacy Policy](https://openai.com/policies/privacy-policy)
 * **Google Gemini** - Used for Gemini AI integration
+* **Google Gemini** — Used for Gemini AI integration
   [Terms of Service](https://ai.google.dev/terms) | [Privacy Policy](https://policies.google.com/privacy)
 * **Groq** - Used for Groq LPU inference
+* **Groq** — Used for Groq LPU inference
   [Terms of Service](https://groq.com/terms-of-use/) | [Privacy Policy](https://groq.com/privacy-policy/)
 * **Microsoft Azure OpenAI** - Used for Azure-hosted OpenAI models
+* **Microsoft Azure OpenAI** — Used for Azure-hosted OpenAI models
   [Terms of Service](https://azure.microsoft.com/en-us/support/legal/) | [Privacy Policy](https://privacy.microsoft.com/en-us/privacystatement)
 * **AWS Bedrock** - Used for AWS-hosted AI models
+* **AWS Bedrock** — Used for AWS-hosted AI models
   [Terms of Service](https://aws.amazon.com/service-terms/) | [Privacy Policy](https://aws.amazon.com/privacy/)
 * **Ollama / LM Studio** - Local self-hosted models (no external data transmission)
 * **Custom MCP Servers** - User-configured servers (data sent to user-specified endpoints only)
+* **Ollama / LM Studio** — Local self-hosted models (no external data transmission)
+* **Custom MCP Servers** — User-configured servers (data sent to user-specified endpoints only)
 == Installation ==
 …
 . Activate the plugin through the 'Plugins' menu in WordPress
 . Go to Royal MCP → Settings to configure
+. Add your AI platform(s) and enter API keys
+. Copy your WordPress API key and REST URL for use in AI clients
+. Copy your API key — you will need this to authenticate MCP connections
+. Add your AI platform(s) and enter their API keys
+. In your AI client (Claude Desktop, VS Code, etc.), configure the MCP server URL and API key
+Full setup guides for each platform are available at [royalplugins.com/support/royal-mcp/](https://royalplugins.com/support/royal-mcp/).
 == Frequently Asked Questions ==
+= What is MCP? =
+Model Context Protocol (MCP) is a standard for connecting AI assistants to external data sources. It allows AI platforms to securely access your WordPress content.
+= Is my data secure? =
+Yes. All API endpoints require authentication via API key. Activity logging tracks all requests. No data is sent to external servers without your explicit configuration.
+= Which AI platforms are supported? =
+Claude, OpenAI, Google Gemini, Mistral, Perplexity, Groq, Cohere, Together AI, DeepSeek, and any platform supporting REST API connections.
+= How do I connect Claude to WordPress? =
+Install Royal MCP, go to Royal MCP → Settings, select Claude as your platform, and enter your Anthropic API key. The plugin provides a REST API endpoint URL and authentication key that you paste into Claude Desktop's MCP configuration. Full setup guide at royalplugins.com/support/royal-mcp/.
+= Can I use ChatGPT with WordPress? =
+Yes! Royal MCP supports OpenAI's GPT-4 and GPT-3.5 models. Configure your OpenAI API key in the plugin settings, and ChatGPT can access your WordPress posts, pages, and media through the Model Context Protocol.
+= What is Model Context Protocol for WordPress? =
+Model Context Protocol (MCP) is an open standard that lets AI assistants securely read and interact with external data sources. Royal MCP implements this protocol for WordPress, giving AI platforms like Claude, ChatGPT, and Gemini structured access to your site content through authenticated REST API endpoints.
+= Does this work with Claude Desktop? =
+Yes! Royal MCP includes native Claude Desktop MCP connector settings for easy integration.
+= What is MCP and why does my WordPress site need it? =
+Model Context Protocol (MCP) is an open standard created by Anthropic that lets AI assistants interact with external data sources. Without MCP, AI tools like Claude or ChatGPT can only work with content you copy and paste into them. With Royal MCP installed, these AI platforms can directly read your WordPress posts, create new content, manage your WooCommerce products, check your security status, and trigger backups — all through a structured, authenticated protocol.
+= How is Royal MCP different from other WordPress MCP plugins? =
+Security. Most MCP plugins — and 41% of all public MCP servers — have no authentication at all. Royal MCP requires an API key for every session, rate-limits requests to prevent abuse, logs every interaction for audit purposes, and filters sensitive data (emails, PHP version, admin credentials) from responses. We built this plugin with the same security standards we apply to GuardPress, our WordPress security plugin used on thousands of sites.
+= Will WordPress core make this plugin unnecessary? =
+No. WordPress is adding MCP support through the Abilities API, which will allow plugins to register "abilities" that AI agents can call. Royal MCP complements this by adding security controls (API key auth, rate limiting, activity logging), plugin-specific integrations (WooCommerce, GuardPress, SiteVault), and sensitive data filtering that the core implementation does not include.
+= Does Royal MCP work with WooCommerce? =
+Yes. When WooCommerce is active, Royal MCP automatically adds 9 additional MCP tools for product management (create, update, search), order management (view, update status), customer data, and store statistics. No additional configuration is needed — the tools appear automatically in the MCP tools list.
+= How do I connect Claude Desktop to WordPress? =
+Install Royal MCP, go to Royal MCP → Settings, and copy your API key and MCP server URL. In Claude Desktop, add a new MCP server configuration with the URL and include the `X-Royal-MCP-API-Key` header with your API key. Full step-by-step guide at [royalplugins.com/support/royal-mcp/](https://royalplugins.com/support/royal-mcp/).
+= Is my content safe? =
+Royal MCP is designed with defense in depth. API key authentication is required for all MCP sessions. Rate limiting prevents abuse (60 requests per minute per IP). Activity logging records every tool call. Sensitive data is filtered — user emails, usernames, admin email, and PHP version are never exposed through MCP. Comment creation respects your WordPress moderation settings. Post meta values are sanitized before storage. And the plugin starts disabled by default — nothing is accessible until you explicitly enable it.
+= Can I use local AI models instead of cloud services? =
+Yes. Royal MCP supports Ollama and LM Studio for fully local AI inference. When using local models, no data leaves your server — the AI model runs on your own hardware and communicates with WordPress through the MCP protocol on localhost.
+= What happens if I uninstall Royal MCP? =
+Royal MCP performs a clean uninstall. All plugin options, database tables (activity logs), transients, and user meta are removed. No orphaned data is left behind.
 == Screenshots ==
 . Main settings page with plugin overview
 . AI platform settings and API key configuration
 . Activity log showing API requests
 . Claude Desktop MCP connector configuration
 . Claude MCP connection verification
+. Main settings page with API key and platform overview
+. AI platform configuration with connection testing
+. Activity log showing authenticated MCP requests
+. Claude Desktop MCP connector setup
+. WooCommerce product management via Claude
 == Changelog ==
+= 1.3.0 =
+* New: WooCommerce integration — 9 MCP tools for products, orders, customers, and store stats (auto-detected)
+* New: GuardPress integration — 7 MCP tools for security score, scans, firewall logs, and audit trail (auto-detected)
+* New: SiteVault integration — 6 MCP tools for backup management, scheduling, and progress tracking (auto-detected)
+* Security: MCP endpoint now requires API key authentication via X-Royal-MCP-API-Key header
+* Security: Added rate limiting (60 requests/minute per IP) to prevent abuse and accidental DoS
+* Security: API key comparison uses timing-safe hash_equals() to prevent timing attacks
+* Security: Sanitized wp_update_post_meta values before storage
+* Security: Comments created via MCP now respect WordPress moderation settings
+* Security: Removed admin_email and php_version from wp_get_site_info response
+* Security: Removed user_login and user_email from wp_get_users/wp_get_user responses
+* Improved: CORS headers include X-Royal-MCP-API-Key for cross-origin MCP clients
 = 1.2.3 =
 * Security: Added SSRF protection — validates all outbound URLs against private/reserved IP ranges and unsafe schemes
+* Security: Added SSRF protection — validates all outbound URLs against private/reserved IP ranges
 * Fixed: Text domain changed from 'wp-royal-mcp' to 'royal-mcp' to match plugin slug
+* Fixed: Menu slugs updated from 'wp-royal-mcp' to 'royal-mcp' for WP.org compliance
+* Fixed: Installation instructions updated to reference correct folder name
+* Improved: REST API permission callbacks now include explanatory comments for reviewers
+* Improved: Custom MCP server placeholder text clarified
+* Compatibility: Tested up to WordPress 6.9.3
+* Fixed: Menu slugs updated for WP.org compliance
+* Improved: REST API permission callbacks include explanatory comments for reviewers
+* Compatibility: Tested up to WordPress 6.9
 = 1.2.2 =
 * Added: Documentation link on Plugins page (Settings | Documentation)
 * Added: Documentation banner on settings page with link to support docs
+* Added: Documentation banner on settings page
 = 1.2.1 =
 * Fixed: Claude Connector setup guide link displaying raw HTML instead of clickable link
+* Fixed: Claude Connector setup guide link displaying raw HTML
 = 1.2.0 =
+* Security: Added Origin header validation to prevent DNS rebinding attacks
+* Security: Added session ID format validation (ASCII visible characters only)
+* Improved: MCP 2025-03-26 spec compliance for Streamable HTTP transport
+* Improved: Proper Accept header validation on POST requests
+* Improved: Session management with proper 400/404 responses per MCP spec
+* Improved: GET stream handler with proper SSE headers
+* Improved: DELETE session handler for explicit session termination
+* Fixed: Platform model selector not retaining saved value in admin settings
+* Security: Origin header validation to prevent DNS rebinding attacks
+* Security: Session ID format validation (ASCII visible characters only)
+* Improved: MCP 2025-03-26 Streamable HTTP spec compliance
 * Added: Filter hook `royal_mcp_allowed_origins` for custom origin allowlist
 = 1.1.0 =
 * Added multi-platform AI support
+* Added multi-platform AI support (Claude, OpenAI, Gemini, Groq, Azure, Bedrock)
 * Added Claude Desktop MCP connector
 * Added activity logging
-* Improved admin interface
 * Added connection testing
 …
 == Upgrade Notice ==
+= 1.3.0 =
+Major security and feature update. MCP endpoint now requires API key authentication. Added WooCommerce, GuardPress, and SiteVault integrations (22 new tools). Rate limiting added. Recommended update for all users.
 = 1.2.3 =
+Security: SSRF protection for outbound requests. WordPress.org compliance fixes. Tested with WordPress 6.9.3.
+= 1.2.2 =
+Added documentation links for easier access to setup guides and support.
+Security: SSRF protection for outbound requests. WordPress.org compliance fixes.
 = 1.2.0 =
 Security hardening and MCP spec compliance improvements. Recommended update for all users.
-= 1.1.0 =
-Major update with multi-platform support and Claude Desktop integration.

royal-mcp/trunk/royal-mcp.php

-                      r3479831
+                      r3495168
  * Plugin URI: https://royalplugins.com/support/royal-mcp/
  * Description: Integrate Model Context Protocol (MCP) servers with WordPress to enable LLM interactions with your site
  * Version: 1.2.3
+ * Version: 1.3.0
  * Author: Royal Plugins
  * Author URI: https://www.royalplugins.com
 …
 // Define plugin constants
 define('ROYAL_MCP_VERSION', '1.2.3');
+define('ROYAL_MCP_VERSION', '1.3.0');
 define('ROYAL_MCP_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('ROYAL_MCP_PLUGIN_URL', plugin_dir_url(__FILE__));

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory