New: AI assistants can now read plugin settings (sensitive keys redacted) and write to allowlisted WordPress options when enabled. New "Allow AI to write WordPress options" toggle is OFF by default; turn it on under Royal MCP > Settings to opt in.<\/p>","1.3.0":"
Major security and feature update. MCP endpoint now requires API key authentication. Added WooCommerce, GuardPress, and SiteVault integrations (22 new tools). Rate limiting added. Recommended update for all users.<\/p>","1.2.3":"
Security: SSRF protection for outbound requests. WordPress.org compliance fixes.<\/p>","1.2.0":"
Security hardening and MCP spec compliance improvements. Recommended update for all users.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":2},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3448287,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3448287,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3515644,"resolution":"1544x500","location":"assets","locale":""},"banner-772x250.png":{"filename":"banner-772x250.png","revision":3515644,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{"blueprint.json":{"filename":"blueprint.json","revision":3515659,"resolution":false,"location":"assets","locale":"","contents":"{\"$schema\":\"https:\\\/\\\/playground.wordpress.net\\\/blueprint-schema.json\",\"meta\":{\"title\":\"Royal MCP \\u2014 Live Demo\",\"description\":\"Try the Royal MCP security-first Model Context Protocol server live in your browser. API key auth, rate limiting, activity log, and platform config all pre-seeded.\",\"author\":\"royalplugins\",\"categories\":[\"AI & Integration\"]},\"landingPage\":\"\\\/wp-admin\\\/admin.php?page=royal-mcp\",\"preferredVersions\":{\"php\":\"8.2\",\"wp\":\"latest\"},\"phpExtensionBundles\":[\"kitchen-sink\"],\"features\":{\"networking\":true},\"login\":{\"username\":\"admin\",\"password\":\"password\"},\"steps\":[{\"step\":\"setSiteOptions\",\"options\":{\"blogname\":\"Royal MCP Demo\",\"blogdescription\":\"Security-first MCP server for WordPress \\u2014 live preview.\"}},{\"step\":\"installPlugin\",\"pluginData\":{\"resource\":\"wordpress.org\\\/plugins\",\"slug\":\"royal-mcp\"},\"options\":{\"activate\":true}},{\"step\":\"runPHP\",\"code\":\" true,\\n 'api_key' => 'rmcp_demo_' . wp_generate_password( 24, false ),\\n 'platforms' => [\\n 'claude' => [ 'enabled' => true ],\\n 'chatgpt' => [ 'enabled' => true ],\\n 'gemini' => [ 'enabled' => false ],\\n ],\\n 'mcp_servers' => [],\\n] );\\n\\nglobal $wpdb;\\n$table = $wpdb->prefix . 'royal_mcp_logs';\\nif ( $wpdb->get_var( \\\"SHOW TABLES LIKE '{$table}'\\\" ) !== $table ) {\\n return;\\n}\\n\\n\\\/\\\/ Seed representative activity log entries so the Activity Log page isn't empty in the demo.\\n$samples = [\\n [ '-4 hours', 'claude', 'tools\\\/list', 'success', '{\\\"jsonrpc\\\":\\\"2.0\\\",\\\"method\\\":\\\"tools\\\/list\\\",\\\"id\\\":1}', '{\\\"tools\\\":[{\\\"name\\\":\\\"search_posts\\\"},{\\\"name\\\":\\\"get_post\\\"},{\\\"name\\\":\\\"list_products\\\"}]}' ],\\n [ '-3 hours', 'claude', 'tools\\\/call', 'success', '{\\\"method\\\":\\\"tools\\\/call\\\",\\\"params\\\":{\\\"name\\\":\\\"search_posts\\\",\\\"arguments\\\":{\\\"query\\\":\\\"backup\\\"}}}','{\\\"content\\\":[{\\\"type\\\":\\\"text\\\",\\\"text\\\":\\\"Found 12 posts\\\"}]}' ],\\n [ '-2 hours', 'chatgpt', 'resources\\\/list', 'success', '{\\\"method\\\":\\\"resources\\\/list\\\"}', '{\\\"resources\\\":[{\\\"uri\\\":\\\"wp:\\\/\\\/posts\\\"},{\\\"uri\\\":\\\"wp:\\\/\\\/pages\\\"}]}' ],\\n [ '-90 minutes','claude', 'tools\\\/call', 'rate_limited', '{\\\"method\\\":\\\"tools\\\/call\\\",\\\"params\\\":{\\\"name\\\":\\\"get_post\\\",\\\"arguments\\\":{\\\"id\\\":42}}}','{\\\"error\\\":\\\"rate_limit_exceeded\\\",\\\"retry_after\\\":60}' ],\\n [ '-45 minutes','unknown','tools\\\/list', 'unauthorized', '{\\\"method\\\":\\\"tools\\\/list\\\"}', '{\\\"error\\\":\\\"invalid_api_key\\\"}' ],\\n [ '-15 minutes','chatgpt','tools\\\/call', 'success', '{\\\"method\\\":\\\"tools\\\/call\\\",\\\"params\\\":{\\\"name\\\":\\\"list_products\\\"}}','{\\\"content\\\":[{\\\"type\\\":\\\"text\\\",\\\"text\\\":\\\"WooCommerce not installed in demo.\\\"}]}' ],\\n];\\n\\nforeach ( $samples as $row ) {\\n list( $ago, $server, $action, $status, $req, $res ) = $row;\\n $wpdb->insert( $table, [\\n 'timestamp' => gmdate( 'Y-m-d H:i:s', strtotime( $ago ) ),\\n 'mcp_server' => $server,\\n 'action' => $action,\\n 'request_data' => $req,\\n 'response_data' => $res,\\n 'status' => $status,\\n ] );\\n}\\n\"}]}"}},"all_blocks":[],"tagged_versions":["1.2.2","1.2.3","1.3.0","1.4.0","1.4.1","1.4.4","1.4.5","1.4.6","1.4.7"],"block_files":[],"assets_screenshots":{"screenshot-1.jpg":{"filename":"screenshot-1.jpg","revision":3439404,"resolution":"1","location":"assets","locale":""},"screenshot-1.png":{"filename":"screenshot-1.png","revision":3515644,"resolution":"1","location":"assets","locale":""},"screenshot-2.jpg":{"filename":"screenshot-2.jpg","revision":3439404,"resolution":"2","location":"assets","locale":""},"screenshot-3.jpg":{"filename":"screenshot-3.jpg","revision":3439404,"resolution":"3","location":"assets","locale":""},"screenshot-4.jpg":{"filename":"screenshot-4.jpg","revision":3439404,"resolution":"4","location":"assets","locale":""},"screenshot-5.jpg":{"filename":"screenshot-5.jpg","revision":3439404,"resolution":"5","location":"assets","locale":""},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3497937,"resolution":"6","location":"assets","locale":""}},"screenshots":{"1":"Main settings page with API key and platform overview","2":"AI platform configuration with connection testing","3":"Activity log showing authenticated MCP requests","4":"Claude Desktop MCP connector setup","5":"WooCommerce product management via Claude","6":"OAuth consent screen for Claude Desktop connector"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[2353,216196,229563,242115,260626],"plugin_category":[],"plugin_contributors":[253970],"plugin_business_model":[],"class_list":["post-274400","plugin","type-plugin","status-publish","hentry","plugin_tags-ai","plugin_tags-chatgpt","plugin_tags-claude","plugin_tags-mcp","plugin_tags-mcp-server","plugin_contributors-royalpluginsteam","plugin_committers-royalpluginsteam"],"banners":{"banner":"https:\/\/ps.w.org\/royal-mcp\/assets\/banner-772x250.png?rev=3515644","banner_2x":"https:\/\/ps.w.org\/royal-mcp\/assets\/banner-1544x500.png?rev=3515644","banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/royal-mcp\/assets\/icon-128x128.png?rev=3448287","icon_2x":"https:\/\/ps.w.org\/royal-mcp\/assets\/icon-256x256.png?rev=3448287","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/royal-mcp\/assets\/screenshot-1.png?rev=3515644","caption":"Main settings page with API key and platform overview"},{"src":"https:\/\/ps.w.org\/royal-mcp\/assets\/screenshot-2.jpg?rev=3439404","caption":"AI platform configuration with connection testing"},{"src":"https:\/\/ps.w.org\/royal-mcp\/assets\/screenshot-3.jpg?rev=3439404","caption":"Activity log showing authenticated MCP requests"},{"src":"https:\/\/ps.w.org\/royal-mcp\/assets\/screenshot-4.jpg?rev=3439404","caption":"Claude Desktop MCP connector setup"},{"src":"https:\/\/ps.w.org\/royal-mcp\/assets\/screenshot-5.jpg?rev=3439404","caption":"WooCommerce product management via Claude"},{"src":"https:\/\/ps.w.org\/royal-mcp\/assets\/screenshot-6.png?rev=3497937","caption":"OAuth consent screen for Claude Desktop connector"}],"raw_content":"\n
https:\/\/youtu.be\/8Wbr0ReLpok<\/p>\n\n
Royal MCP is a security-first Model Context Protocol (MCP) server for WordPress. It gives AI platforms like Claude, ChatGPT, and Google Gemini structured access to your WordPress content \u2014 with authentication, rate limiting, and audit logging that most MCP implementations skip entirely.<\/p>\n\n
According to recent security research<\/a>, 41% of public MCP servers have no authentication and respond to tool calls without any credentials. Royal MCP takes the opposite approach: every MCP session requires an API key, every request is rate-limited, and every interaction is logged.<\/p>\n\n MCP gives AI agents the ability to read, create, update, and delete your WordPress content. Without proper authentication, anyone who discovers your MCP endpoint can:<\/p>\n\n Royal MCP prevents all of this with API key authentication on session initialization, timing-safe key comparison, per-IP rate limiting (60 requests\/minute), and a full activity log of every MCP interaction.<\/p>\n\n WordPress Core (41 tools):<\/strong><\/p>\n\n Royal MCP automatically detects compatible plugins and adds specialized MCP tools. No configuration needed \u2014 if the plugin is active, the tools appear.<\/p>\n\n WooCommerce Integration (9 tools):<\/strong>\nWhen WooCommerce is active, AI agents can manage your store:<\/p>\n\n GuardPress Integration (7 tools):<\/strong>\nWhen GuardPress is active, AI agents can monitor your site security:<\/p>\n\n SiteVault Integration (6 tools):<\/strong>\nWhen SiteVault is active, AI agents can manage your backups:<\/p>\n\n WordPress 6.9 shipped the Abilities API in November 2025 \u2014 a primitive that lets plugins register typed capabilities AI agents can call. Core ships three default abilities (site info, user info, environment info) and the Royal MCP is a complete, production-ready MCP server that predates the official adapter. It runs the full Streamable HTTP transport, enforces API key authentication on every request, ships OAuth 2.0 for Claude Desktop's native connector flow, rate-limits per-IP, redacts sensitive data, and logs every interaction. Out of the box it includes 41+ tools for WordPress core operations plus integrations for WooCommerce, GuardPress, and SiteVault.<\/p>\n\n Royal MCP implements the MCP 2025-03-26 Streamable HTTP transport specification<\/a>:<\/p>\n\n This plugin connects to third-party AI services to enable AI platforms to interact with your WordPress content. No data is transmitted until you explicitly configure and enable a platform connection.<\/strong><\/p>\n\n What data is sent:<\/strong> Your WordPress content (posts, pages, media metadata) as requested by the connected AI platform through authenticated MCP tool calls.<\/p>\n\n When data is sent:<\/strong> Only when you have configured a platform with API credentials AND enabled that platform connection AND the AI platform makes an authenticated request.<\/p>\n\n Supported services and their policies:<\/strong><\/p>\n\n Anthropic Claude<\/strong> \u2014 Used for Claude AI integration\nTerms of Service<\/a> | Privacy Policy<\/a><\/p><\/li>\n OpenAI<\/strong> \u2014 Used for ChatGPT\/GPT-4 integration\nTerms of Use<\/a> | Privacy Policy<\/a><\/p><\/li>\n Google Gemini<\/strong> \u2014 Used for Gemini AI integration\nTerms of Service<\/a> | Privacy Policy<\/a><\/p><\/li>\n Groq<\/strong> \u2014 Used for Groq LPU inference\nTerms of Service<\/a> | Privacy Policy<\/a><\/p><\/li>\n Microsoft Azure OpenAI<\/strong> \u2014 Used for Azure-hosted OpenAI models\nTerms of Service<\/a> | Privacy Policy<\/a><\/p><\/li>\n AWS Bedrock<\/strong> \u2014 Used for AWS-hosted AI models\nTerms of Service<\/a> | Privacy Policy<\/a><\/p><\/li>\n Ollama \/ LM Studio<\/strong> \u2014 Local self-hosted models (no external data transmission)<\/p><\/li>\n Custom MCP Servers<\/strong> \u2014 User-configured servers (data sent to user-specified endpoints only)<\/p><\/li>\n<\/ul>\n\n\nWhy Security Matters for MCP<\/h4>\n\n
\n
41+ MCP Tools Built In<\/h4>\n\n
\n
Plugin Integrations (Conditional)<\/h4>\n\n
\n
\n
\n
Royal MCP and the WordPress Core Abilities API<\/h4>\n\n
wordpress\/mcp-adapter<\/code> package bridges abilities to the MCP protocol.<\/p>\n\nSupported AI Platforms<\/h4>\n\n
\n
MCP Spec Compliance<\/h4>\n\n
\n
\/mcp<\/code> endpoint for all JSON-RPC communication<\/li>\nExternal Services<\/h3>\n\n
\n
\n
royal-mcp<\/code> folder to \/wp-content\/plugins\/<\/code><\/li>\n