MCP Expose Abilities

Let AI assistants edit your WordPress site via MCP.

Tested up to: 6.9
Stable tag: 3.0.38
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

What It Does

This plugin exposes WordPress functionality through MCP (Model Context Protocol), enabling AI assistants to directly interact with your WordPress site. No more copy-pasting between chat and admin.

Example: "Fix the phone numbers in these 25 articles to be clickable tel: links." - Done in 30 seconds, all 25 articles.

The Real Workflow

In practice, the human should not have to memorize the whole ecosystem.

The normal pattern is:

point Codex or another MCP-capable agent to this repository
let the agent read the README and wiki
let the agent work out the required stack and relevant add-ons
give the agent a clear task with boundaries

The human's job is mostly to describe the goal.
The agent's job is to figure out the mechanics.

Why This Feels Different

Most WordPress AI demos still leave you doing the boring part yourself.

This ecosystem is different because the agent can actually do the work inside WordPress:

fix repetitive content issues across many pages
update menus, media, plugins, comments, and options
work with real builder and plugin ecosystems like Elementor, GeneratePress, Rank Math, and Wordfence
handle the kind of site maintenance people usually postpone because it is repetitive and dull

That changes the experience from:

Here is what you should do in wp-admin

to:

Tell the agent what needs doing, and let it carry out the work

Before vs After

Before

ask the AI what to do
copy the answer into WordPress by hand
click through wp-admin for the repetitive bits
lose momentum because the task is boring
postpone the cleanup, maintenance, or optimization work again

After

tell the agent what needs doing
let it inspect the site directly
let it make the targeted change
verify the result
move on to the next useful improvement instead of getting stuck in admin drudgery

That difference is the whole point of this ecosystem.

Who It Is For

This is a good fit for:

agencies managing many WordPress sites
companies with repetitive content and operations work
organizations that want AI to do real maintenance, not just generate text
technical teams that are tired of copy-paste workflows between chat and wp-admin

It is especially useful when work gets postponed simply because the manual version is boring.

If you want the more specific buyer case, start here:

Who Benefits Most

Documentation

For setup and troubleshooting beyond the quick start, use the wiki:

If you are using an AI agent, the simplest instruction is often just:

Read https://github.com/bjornfix/mcp-expose-abilities and figure out the stack before making changes.

Start Here

If you are new to the stack, use this order:

Install Abilities API
Install MCP Adapter
Install MCP Expose Abilities (this plugin)
Confirm you can list and execute core abilities
Add only the vendor-specific plugins you actually need

If you skip step 4 and start installing add-ons immediately, troubleshooting gets harder than it needs to be.

What You Actually Need

For a minimal working setup, you only need:

WordPress 6.9+
PHP 8.0+
Abilities API
MCP Adapter
MCP Expose Abilities (this plugin)

Everything else in the ecosystem is optional.

5-Minute Setup

Install and activate the required plugins:
- Abilities API: https://github.com/WordPress/abilities-api/releases/latest
- MCP Adapter: https://github.com/WordPress/mcp-adapter
- MCP Expose Abilities: download the latest release from this repo
Verify the Abilities API plugin is installed as wp-content/plugins/abilities-api/abilities-api.php
Activate all three plugins in WordPress
Confirm the MCP adapter route is reachable on your site
Run a simple read-only ability first, such as listing posts or reading a page

First Success Check

Before adding Elementor, Cloudflare, Gmail, or anything else, confirm the core stack works.

Good first tests:

list posts
get a page by ID
list menus
list installed plugins

If those work, the stack is wired correctly. If they do not, fix the core stack before adding add-ons.

Modular Architecture

Version 3.0 introduced a modular architecture. The core plugin provides WordPress-native abilities, while vendor-specific features are available as separate add-on plugins:

Plugin	Abilities	Description
MCP Expose Abilities (core)	66	WordPress core: content, menus, users, media, widgets, plugins, options, comments, taxonomy, system
MCP Abilities - Filesystem	11	File operations with security hardening
MCP Abilities - Elementor	40	Elementor page builder integration
MCP Abilities - GeneratePress	26	GeneratePress theme + GenerateBlocks
MCP Abilities - Cloudflare	4	Cloudflare cache management
MCP Abilities - Google Workspace	16	Gmail API via Workspace service account
MCP Abilities - Rank Math	23	Rank Math SEO metadata access
MCP Abilities - Wordfence	11	Wordfence security status + blocks
MCP Abilities - Brevo	22	Brevo contacts, lists, campaigns
MCP Abilities - Advanced Ads	17	Advanced Ads management
MCP Abilities - Toolset	38	Toolset post types, custom fields, taxonomies, relationships
MCP Abilities - SitePress	10	WPML translation mapping, language-switcher recovery, and QA checks
MCP Abilities - Formidable	6	Formidable Forms settings, usage tracing, styles, and CSS cache controls

Total ecosystem: 285 abilities

Install only what you need. Running GeneratePress? Install that add-on. Don't use Elementor? Skip it.

Requirements

WordPress 6.9+
PHP 8.0+
Abilities API plugin (WordPress core team)
MCP Adapter plugin (WordPress core team)
Use the official Abilities API release ZIP (abilities-api.zip) so it installs as wp-content/plugins/abilities-api/abilities-api.php

WordPress Compatibility

Requires WordPress 6.9 or newer
Tested up to WordPress 6.9
Requires PHP 8.0 or newer
Maintained against the WordPress 6.9 release line together with the supported add-on plugins

Installation

Install and activate the required plugins:
- Abilities API (official release ZIP): https://github.com/WordPress/abilities-api/releases/latest
- MCP Adapter: https://github.com/WordPress/mcp-adapter
Download the latest release from Releases
Upload via WordPress Admin → Plugins → Add New → Upload Plugin
Activate the plugin
(Optional) Install add-on plugins for vendor-specific features

Which Add-On Should I Install?

Install add-ons only when your site actually uses that product:

Elementor site: install mcp-abilities-elementor
GeneratePress / GenerateBlocks site: install mcp-abilities-generatepress
Cloudflare-managed site: install mcp-abilities-cloudflare
Gmail / Workspace automation: install mcp-abilities-workspace
Rank Math site: install mcp-abilities-rankmath
Wordfence site: install mcp-abilities-wordfence
Brevo site: install mcp-abilities-brevo
Toolset site: install mcp-abilities-toolset
WPML site: install mcp-abilities-sitepress
Formidable Forms site: install mcp-abilities-formidable

Do not install every add-on by default. Most sites only need one or two.

Common Failure Pattern

The most common onboarding mistake is treating this like one plugin instead of a stack.

When something does not work, check in this order:

Is Abilities API active?
Is MCP Adapter active?
Is MCP Expose Abilities active?
Does the core plugin work without any add-ons?
Is the vendor plugin itself installed and active?
Only then debug the specific add-on

Recent Changes

3.0.38

Added date support to content/update-post for updating local post publish dates.
Added post meta support via content/create-post, content/update-post, meta/update-post-meta, and meta/delete-post-meta.
Security: post meta writes now check per-key edit_post_meta / delete_post_meta capabilities before modifying metadata.

3.0.37

Docs: removed the stray Claude mention from the README workflow wording.

3.0.36

Fixed plugins/search-directory so WordPress.org search results are populated correctly when the API returns array-shaped plugin rows.
Fixed plugins/list-updates so it accepts no-argument execution through the MCP proxy like the older null-safe list abilities.

3.0.35

Added plugins/search-directory to search the official WordPress.org plugin directory from MCP.
Added plugins/install-directory to install WordPress.org plugins by slug.
Added plugins/list-updates and plugins/update for WordPress-native plugin update discovery and execution.
Added plugins/switch to toggle between installed plugins with rollback if the target activation fails.

3.0.34

Docs: added a clearer GitHub onboarding path with Start Here, setup order, first-success checks, and add-on selection guidance.
Docs: added explicit WordPress and PHP compatibility notes.
Docs: corrected ecosystem add-on and ability counts, including the Formidable add-on and the current Elementor and Rank Math totals.
Docs: replaced the stale hardcoded Abilities API ZIP URL with the generic latest-release link.
Docs: fixed the GitHub release badge so it follows the actual latest release.

3.0.33

Validates local plugin ZIP signatures before unzip so corrupted plugins/upload or plugins/upload-base64 payloads fail with a direct ZIP-validation error.
Intended to pair with the MCP proxy HTTP transport fix that raises the default JSON body limit for large base64 plugin uploads.

Core Plugin Abilities (66)

Content Management (23)

Ability	Description
`content/list-posts`	List posts with filtering by status, category, author, search
`content/get-post`	Get single post by ID or slug
`content/get-next-post`	Find the next existing post after an ID, even when IDs have gaps
`content/create-post`	Create new post, including `featured_image_id`
`content/update-post`	Update existing post, including `featured_image_id`
`content/delete-post`	Delete post (trash or permanent)
`content/patch-post`	Find/replace in post content
`content/list-pages`	List pages with filtering
`content/get-page`	Get single page by ID or slug
`content/create-page`	Create new page, including `featured_image_id`
`content/update-page`	Update existing page, including `featured_image_id`
`content/delete-page`	Delete page
`content/patch-page`	Find/replace in page content
`content/list-categories`	List all categories
`content/create-category`	Create new category
`content/update-category`	Update existing category
`content/list-tags`	List all tags
`content/create-tag`	Create new tag
`content/list-media`	List media items
`content/list-users`	List users
`content/search`	Search across posts, pages, media
`content/list-revisions`	List revisions for a post/page
`content/get-revision`	Get specific revision details

Menu Management (7)

Ability	Description
`menus/list`	List all menus and theme locations
`menus/get-items`	Get items from a menu
`menus/create`	Create new menu
`menus/add-item`	Add item to menu
`menus/update-item`	Update menu item
`menus/delete-item`	Delete menu item
`menus/assign-location`	Assign menu to theme location

User Management (5)

Ability	Description
`users/list`	List users with roles
`users/get`	Get user by ID, login, or email
`users/create`	Create new user
`users/update`	Update user
`users/delete`	Delete user (can reassign content)

Media Library (4)

Ability	Description
`media/upload`	Upload media from URL
`media/get`	Get media item details and sizes
`media/update`	Update title, alt, caption
`media/delete`	Delete media item

Widget Management (3)

Ability	Description
`widgets/list-sidebars`	List all widget areas
`widgets/get-sidebar`	Get widgets in a sidebar
`widgets/list-available`	List available widget types

Plugin Management (11)

Ability	Description
`plugins/upload`	Upload plugin from URL
`plugins/upload-base64`	Upload plugin from local file (base64 or zip path)
`plugins/search-directory`	Search the official WordPress.org plugin directory
`plugins/install-directory`	Install plugin from the official WordPress.org plugin directory by slug
`plugins/list`	List installed plugins
`plugins/list-updates`	List available plugin updates
`plugins/update`	Update an installed plugin
`plugins/activate`	Activate installed plugin
`plugins/deactivate`	Deactivate active plugin
`plugins/switch`	Activate one plugin and deactivate one or more others
`plugins/delete`	Delete inactive plugin

Comments (6)

Ability	Description
`comments/list`	List comments with filtering
`comments/get`	Get single comment details
`comments/create`	Create top-level comment
`comments/reply`	Reply to existing comment
`comments/update-status`	Update comment status (approve, spam, trash)
`comments/delete`	Delete comment

Options (3)

Ability	Description
`options/get`	Get option value
`options/update`	Update option (protected options blocked)
`options/list`	List all options

System (3)

Ability	Description
`system/get-transient`	Get transient value
`system/debug-log`	Read debug.log file
`system/toggle-debug`	Toggle WP_DEBUG, WP_DEBUG_LOG, WP_DEBUG_DISPLAY

Taxonomy Utilities (1)

Ability	Description
`taxonomy/associate-with-post-type`	Associate a taxonomy with a post type and persist the mapping

Add-on Plugin Abilities

Filesystem (mcp-abilities-filesystem) - 11 abilities

Ability	Description
`filesystem/get-changelog`	Get plugin/theme changelog
`filesystem/read-file`	Read file contents (security hardened)
`filesystem/write-file`	Write file (PHP code blocked)
`filesystem/append-file`	Append to file
`filesystem/list-directory`	List directory contents
`filesystem/delete-file`	Delete file (creates backup)
`filesystem/delete-directory`	Delete directory (optional recursive)
`filesystem/file-info`	Get file metadata
`filesystem/create-directory`	Create directory
`filesystem/copy-file`	Copy file
`filesystem/move-file`	Move/rename file

Elementor (mcp-abilities-elementor) - 40 abilities

See the add-on readme for the full list. Common abilities:

Ability	Description
`elementor/get-data`	Get Elementor JSON for a page
`elementor/update-data`	Replace Elementor JSON
`elementor/patch-data`	Find/replace in Elementor JSON
`elementor/update-element`	Update specific element by ID
`elementor/list-templates`	List saved templates
`elementor/clear-cache`	Clear CSS cache

GeneratePress (mcp-abilities-generatepress) - 26 abilities

See the add-on readme for the full list. Common abilities:

Ability	Description
`generatepress/get-settings`	Get theme settings
`generatepress/update-settings`	Update theme settings
`generatepress/get-typography`	Get typography rules and font manager
`generatepress/list-elements`	List GeneratePress Elements
`generatepress/list-modules`	List module statuses
`generateblocks/get-global-styles`	Get global styles
`generateblocks/update-global-styles`	Update global styles
`generateblocks/clear-cache`	Clear CSS cache

Cloudflare (mcp-abilities-cloudflare) - 4 abilities

Ability	Description
`cloudflare/clear-cache`	Clear Cloudflare cache (entire site or specific URLs)
`cloudflare/get-zone`	Get resolved Cloudflare zone context
`cloudflare/get-development-mode`	Read development mode status
`cloudflare/set-development-mode`	Enable/disable development mode

Google Workspace (mcp-abilities-workspace) - 16 abilities

Ability	Description
`gmail/configure`	Set up Gmail API service account credentials
`gmail/status`	Check API connection status and configuration
`gmail/list-labels`	List labels
`gmail/get-label`	Get label by ID
`gmail/create-label`	Create label
`gmail/update-label`	Update label
`gmail/delete-label`	Delete label
`gmail/list`	List inbox messages with filtering
`gmail/list-threads`	List threads
`gmail/get`	Get full email content by ID
`gmail/get-thread`	Get thread details
`gmail/get-attachment`	Fetch attachment as base64
`gmail/send`	Send email with HTML, attachments, CC, BCC
`gmail/modify`	Modify labels (archive, mark read/unread, etc.)
`gmail/reply`	Reply to an existing email thread
`email/send`	Send email via WordPress wp_mail (non-Gmail fallback)

Usage with MCP Clients

1. Create Application Password

WordPress Admin → Users → Your Profile → Application Passwords

2. Add MCP Server

Configure your MCP client to connect to:

https://yoursite.com/wp-json/mcp/mcp-adapter-default-server

Use HTTP transport with a Basic Auth header generated from your WordPress username and application password.

3. Start Using

Your MCP client can now edit your WordPress site through conversation.

Examples

Create a new page

{
  "ability_name": "content/create-page",
  "parameters": {
    "title": "About Us",
    "content": "<!-- wp:paragraph --><p>Hello world!</p><!-- /wp:paragraph -->",
    "status": "publish"
  }
}

Add menu item

{
  "ability_name": "menus/add-item",
  "parameters": {
    "menu_id": 5,
    "title": "Contact",
    "url": "/contact/"
  }
}

Upload media from URL

{
  "ability_name": "media/upload",
  "parameters": {
    "url": "https://example.com/image.jpg",
    "title": "Hero Image",
    "alt_text": "Beautiful sunset"
  }
}

Batch find/replace

{
  "ability_name": "content/patch-post",
  "parameters": {
    "id": 123,
    "find": "+44 203 3181 832",
    "replace": "<a href=\"tel:+442033181832\">+44 203 3181 832</a>"
  }
}

Security

Authentication required - Uses WordPress application passwords
Permission checks - Every ability verifies user capabilities
Your server - AI connects to your site, you control access
Protected options - Critical settings blocked from modification
Filesystem hardening - PHP code detection, path traversal protection (in add-on)

Architecture

Three-plugin stack plus optional add-ons:

Abilities API - Framework for registering abilities (WordPress core team)
MCP Adapter - MCP protocol layer (WordPress core team)
MCP Expose Abilities (this plugin) - Core WordPress abilities
Add-on plugins (optional) - Vendor-specific abilities

Changelog

3.0.38

Added: content/update-post now supports updating the local post date with the date parameter
Added: post meta support via content/create-post, content/update-post, meta/update-post-meta, and meta/delete-post-meta
Security: post meta writes now check per-key edit_post_meta / delete_post_meta capabilities before modifying metadata

3.0.37

Docs: removed the stray Claude mention from the GitHub README workflow wording

3.0.36

Fixed: plugins/search-directory now handles WordPress.org directory rows correctly when plugin data is returned as arrays instead of objects
Fixed: plugins/list-updates now accepts no-argument execution through the MCP proxy like the other null-safe list abilities

3.0.35

Added: plugins/search-directory to search the official WordPress.org plugin directory from MCP
Added: plugins/install-directory to install plugins from the official WordPress.org directory by slug
Added: plugins/list-updates and plugins/update for WordPress-native plugin update discovery and execution
Added: plugins/switch to toggle between installed plugins with rollback if the target activation fails

3.0.34

Docs: added a clearer GitHub onboarding path with Start Here, setup order, first-success checks, and add-on selection guidance
Docs: added explicit WordPress and PHP compatibility notes
Docs: corrected ecosystem add-on and ability counts, including the Formidable add-on and the current Elementor and Rank Math totals
Docs: replaced the stale hardcoded Abilities API ZIP URL with the generic latest-release link
Docs: fixed the GitHub release badge so it follows the actual latest release

3.0.33

Fixed: plugin upload paths now validate local ZIP signatures before unzip so corrupted payloads fail with a direct ZIP-validation error
Improved: pairs with proxy-side HTTP JSON limit hardening so larger plugins/upload-base64 requests are not rejected or truncated at the MCP proxy layer

3.0.31

Fixed: featured-image create/update paths are now idempotent when the requested image is already assigned

3.0.30

Fixed: plugins/upload and plugins/upload-base64 now fall back to copy_dir() when filesystem move() fails after unzip
Improved: plugin install failures now include the underlying filesystem context

3.0.29

Fixed: content/update-post now clears stale invalid assigned page-template metadata before unrelated post updates
Fixed: content/update-page now clears stale invalid assigned templates on update and validates explicit template input
Fixed: content/create-page now validates explicit page-template slugs before saving them

3.0.28

Added featured_image_id support to post/page create and update abilities
Added featured_image_id to content/get-post and content/get-page

3.0.27

Fixed: content/get-next-post now applies the after_id floor correctly by allowing the query filter to run

3.0.26

Added: content/get-next-post to find the next existing post after an ID, even when IDs have gaps
Improved: content/list-posts now accepts case-insensitive order values and friendly orderby aliases like id and slug
Improved: content/get-post now accepts post_type for slug lookups and returns clearer missing-post context

3.0.25

Fixed: users/delete now loads wp-admin/includes/user.php before calling wp_delete_user() in REST/MCP contexts

3.0.24

Performance: debug log reader now tails file content instead of loading full files
Security: options/get blocks sensitive option names (tokens, keys, secrets)
Schema: output schemas added for comments and taxonomy-association abilities

3.0.23

Added: content/update-category ability
Fixed: Translator comment for placeholder string in post type validation
Fixed: Stable tag alignment with plugin version

3.0.17

Fixed: Use literal text domain in translation calls
Fixed: Add translators comments for placeholder strings

3.0.16

Added: include_totals flag plus has_more/returned output for list-posts/list-pages/list-media to avoid expensive counts by default

3.0.15

Added: plugins/upload-base64 now accepts zip_path for server-local zip installs
Fixed: no-params abilities accept null input (menus/list, widgets/list-sidebars, widgets/list-available)

3.0.14

Fixed: plugins/delete now loads core file helpers before deletion

3.0.13

Added: Shared pagination normalization for core list abilities

3.0.12

Fixed: plugins/upload now loads WordPress download helpers in non-admin contexts

3.0.11

Added: plugins/upload-base64 ability for local file uploads

3.0.10

Added: content/create-category ability

3.0.9

Security: Added per-item capability checks for content, media, users, and comments

3.0.8

Added: plugins/activate ability to activate installed plugins
Added: plugins/deactivate ability to deactivate active plugins

3.0.7

Improved: All 47 ability descriptions now include parameter hints

3.0.6

Added: comments/create ability for top-level comments

3.0.5

Added: plugins/delete ability to remove inactive plugins

3.0.4

Fixed: Use WP_Filesystem API instead of native PHP functions
Fixed: Replaced wp_get_sidebars_widgets with direct option call

3.0.3

Added: Revisions abilities (content/list-revisions, content/get-revision)
Added: Comments abilities (list, get, create, reply, update-status, delete)
Added: author_id parameter for content creation

3.0.0

Breaking: Modular architecture - vendor-specific abilities moved to add-on plugins
Core plugin now contains only WordPress-native abilities
Add-on plugins: Filesystem (10), Elementor (6), GeneratePress (5), Cloudflare (1), Google Workspace (8)
Cleaner installation - install only what you need

2.2.12

Security: Added protected options blocklist (active_plugins, siteurl, admin_email, etc.)
Security: Prevents accidental site breakage via options/update

2.2.11

Security: Added UTF-7 and UTF-16 encoding bypass detection
Security: Blocks encoded PHP injection attempts

2.2.10

Security: Major filesystem security hardening
Security: PHP code detection in file writes
Security: Path traversal protection
Security: Restricted to wp-content directory

2.1.0

Added: Filesystem abilities
Added: Options abilities
Added: System abilities
Added: Cloudflare cache clear ability
Added: elementor/update-element for targeted element updates

2.0.0

Added: Menu, User, Media, Widget, Page abilities

1.0.0

Initial release

Contributing

PRs welcome! For vendor-specific abilities, consider creating an add-on plugin.

License

GPL-2.0+

Author

Devenia - We've been doing SEO and web development since 1993.

Star and Share

If this ecosystem saves you time, gives your team a saner way to handle WordPress work, or helps you finally get through the repetitive maintenance nobody wants to do, please:

star the repo
share it with people running WordPress sites
point them to the wiki so they can see what the ecosystem can actually do

Why do it?

Because this is good for the WordPress ecosystem as a whole. The more people use agent-friendly open WordPress tooling, the more of the boring but important work actually gets done instead of sitting in a backlog forever.