Title: WEBO MCP Author: phuongwebo Published: 24 آوریل 2026 Last modified: 29 می 2026 --- جستجوی افزونه‌ها ![](https://ps.w.org/webo-mcp/assets/icon-128x128.png?rev=3514777) # WEBO MCP توسط [phuongwebo](https://profiles.wordpress.org/phuongwebo/) [دانلود](https://downloads.wordpress.org/plugin/webo-mcp.2.4.1.zip) * [جزئیات](https://fa.wordpress.org/plugins/webo-mcp/#description) * [نقد و بررسی‌ها](https://fa.wordpress.org/plugins/webo-mcp/#reviews) * [نصب](https://fa.wordpress.org/plugins/webo-mcp/#installation) * [توسعه](https://fa.wordpress.org/plugins/webo-mcp/#developers) [پشتیبانی](https://wordpress.org/support/plugin/webo-mcp/) ## توضیحات **WEBO MCP** is a WordPress MCP server — a complete **Model Context Protocol** gateway for WordPress. It lets AI agents and MCP-compatible clients (Claude Desktop, Cursor, Windsurf, n8n, and more) call well-defined tools over REST using JSON-RPC, instead of scraping the admin or sharing broad credentials. **Why use WEBO MCP as your WordPress MCP server?** * **Token-optimized unified tools:** every domain exposes two abilities — `*-query`( all reads) and `*-mutate` (all writes) — with a single `action` discriminator.` tools/list` payload is up to 70% smaller than per-operation APIs, which means less of the model’s context window is consumed by tool schemas, lower cost per session, and fewer hallucinated tool names. * Primary router endpoint: `POST /wp-json/mcp/v1/router` * Standard MCP-style flow: `initialize` `tools/list` `tools/call` * Session lifecycle for clients (pass `session_id` or `Mcp-Session-Id` after `initialize`) * Built-in tool registry for common WordPress operations (posts, media, terms, menus, options, and more) * Bundled Abilities API + MCP Adapter integration, with automatic bridging from registered abilities to MCP tools (configurable) * WordPress 7.0/Core-aware bridge mode that uses Core Abilities/API surfaces when available and falls back only when needed * Public tool policy controls (category filters and optional allowlists) plus optional internal tool exposure for private environments * Bounded MCP audit log, optional per-user/role/client tool allowlists, and a read- only administrator health/status tool **Security model (high level)** * MCP access requires a real WordPress user context: Application Password over HTTP Basic, or an existing logged-in session. * Optional site-wide or per-user API key and HMAC can be enabled in Settings as an additional gate (they do not replace WordPress authentication). Do not put the normal WEBO API key in URLs. For clients that cannot send headers, create a short-lived scoped `mcp_token` URL connector token in Settings -> WEBO MCP. * Default access expectations for the router and `GET /wp-json/webo-mcp/v1/tools`: users who are super admins, can `manage_options`, or can `edit_posts`, consistent with typical site operator and editor workflows (filterable). **Client guidance** Always discover tools before calling them: run `tools/list`, pick an exact tool name from the response, validate required arguments, then call `tools/call`. This reduces mistakes and keeps automation predictable in production. **Further documentation and optional integrations** * Project documentation and ecosystem notes: https://webomcp.com * Optional n8n community node (separate package): https://www.npmjs.com/package/ n8n-nodes-webo-mcp * Release notes and migration map: see docs/RELEASE_NOTES_2.1.0.md and docs/MIGRATION_GUIDE_2.1.0. md in the GitHub repository * Cross-addon dispatcher map (granular legacy names removed from discovery): docs/ MCP_TOOL_MIGRATION.md Compatibility note: any MCP-capable client can be used; which large language model runs inside the client is outside this plugin. Standalone core tools included: – Site info – Content (posts/pages): `webo/content- query` (list, get, find-by-url, search-replace, list-revisions, get-revision; with author/date/taxonomy filters) and `webo/content-mutate` (create, update, delete, bulk-update-status, restore-revision) – Users: list – Media: `webo/media-query` ( list with search/MIME/post_id filters, get) and `webo/media-mutate` (upload, update, delete) – Comments: `webo/comment-query` (list, get) and `webo/comment-mutate` ( create, update, delete) – Taxonomy/Terms: `webo/taxonomy-query` (discover, list, get) and `webo/taxonomy-mutate` (create, update, delete) – Nav menus: list menus, list menu items (menu_order, db_id), add menu link from post (explicit post_id + menu_order required) – Plugins: `webo/plugin-query` (installed, active, updates,…) and `webo/plugin-mutate` (install, activate, deactivate; supports child-site `site_id`/` blog_id` activation for network admins) – Health: `webo/health-status` (REST/router status, Application Password support, permalinks, cron, object cache, plugin update summary, WordPress/PHP versions, and redacted MCP config) – Abilities bridge: `webo/ ability-query` and `webo/ability-execute` in default layered mode. Only abilities with `meta.mcp.public === true` are visible and executable through WEBO MCP. – Themes:` webo/theme-query` (installed themes) and `webo/theme-mutate` (install from WordPress. org by slug, switch installed theme) – Theme context: `webo/theme-context` (active theme info, block editor settings, style presets, registered blocks) – Block patterns:` webo/block-patterns` (list/get patterns, list/get synced patterns) – Site stats:` webo/site-stats` (overview, post counts, comment counts, user counts, media stats, activity summary) – Activity log: `webo/activity-log` (list events, summary, clear)– User profile: `webo/user-profile` (get own profile, update display name / bio / preferences) – Site settings: `webo/site-settings` (get and update the 20 most common WordPress options via MCP) – Content search: `webo/content-search` (full-text cross- post-type search with grouped results) – Menus: `webo/menu-query`, `webo/menu-mutate`( navigation menu items; not post/CPT list order) – Post/CPT order (optional): `webo/ reorder-query`, `webo/reorder-mutate` when [Webo Reorder](https://github.com/mrphuong-webo/webo-reorder) is active — see docs/abilities/reorder.md – Options: get/update (safe allowlist only), set site icon/favicon from media – SEO (WordPress post): seo/article-analysis— requires post_id; merges Rank Math meta when available (same data path as webo-rank- math/get-post-seo-meta); optional related-keyword suggestions via outbound request unless no_autocomplete is true Excluded by default in standalone-safe mode: – Bulk/mass execution tools – Plugin/ theme write-management abilities – Multisite-specific abilities ### Privacy This plugin does not phone home or send telemetry. MCP traffic is initiated by clients you configure. Some tools may perform outbound HTTP requests only when a client invokes them (for example seo/article-analysis may request keyword suggestions from a third-party suggest API unless you pass no_autocomplete). The plugin stores the following options in the WordPress database when configured: –` webo_mcp_api_key`: API key used to authenticate MCP requests. – `webo_mcp_hmac_secret`: HMAC secret used to sign and validate MCP requests. – `webo_mcp_url_connector_tokens`: hashed, expirable, revocable URL connector tokens for clients that cannot send headers. Raw tokens are shown once and are not stored. – `webo_mcp_tool_allowlist_enabled` and `webo_mcp_tool_allowlist_rules`: optional administrator-configured MCP tool allowlist policy. – `webo_mcp_audit_log_enabled`, `webo_mcp_audit_log_max_entries`, and `webo_mcp_audit_log`: bounded MCP tool-call audit log settings and compact audit events. Audit entries include user/tool/action/status data, anonymized IPs, and hashed session IDs; they do not store request payloads, API keys, HMAC secrets, or Application Passwords. These options are removed when the plugin is uninstalled via the WordPress Plugins screen. ### External services This plugin can connect to Google Suggest (Autocomplete) when a client calls the` seo/article-analysis` tool and does not set `no_autocomplete` to true. This external request is used to return related keyword suggestions for SEO analysis. Service provider: Google LLC (Google Suggest / Autocomplete API endpoint). Data sent and when: – Sent only when `seo/article-analysis` is called with autocomplete enabled. – Sends the analysis query text to `https://suggestqueries.google.com/complete/ search` as the `q` parameter. – Sends standard HTTP request metadata such as IP address and User-Agent as part of the web request. Terms of Service: https://policies.google.com/terms Privacy Policy: https://policies. google.com/privacy ### Developer Hooks The plugin exposes the following actions and filters for developers: ### Actions * `webo_mcp_register_tools` Fired during plugin bootstrap after standalone tools are registered. Use this to register custom MCP tools from other plugins. ### Filters * `webo_mcp_current_user_can_use_mcp` (bool $allowed, int $user_id) Gate for all MCP REST access. Default: super admin OR `manage_options` OR `edit_posts`. Override to tighten (e.g. super-admin only) in hardened installs. * `webo_mcp_allow_internal_tools` (bool $allow_internal, WP_REST_Request $request) Controls whether internal tools are included in tools/list responses. Defaults to false for public environments. * `webo_mcp_public_categories` (array $categories, WP_REST_Request $request, array $tool) Filters which tool categories are exposed as public. Defaults to array(‘ wordpress’ ). * `webo_mcp_rate_limit_per_hour` (int $limit, string $client, array|null $profile) Adjust effective hourly limit (fallback for both buckets). * `webo_mcp_rate_limit_read_per_hour` / `webo_mcp_rate_limit_mutate_per_hour` ( int $limit, string $client, array|null $profile) Per-bucket limits after admin/ profile resolution. * `webo_mcp_tool_is_mutating` (bool $is_mutating, string $tool_name, array|null $tool_definition, array $arguments) Override mutating classification for rate limits and read-only profiles. * `webo_mcp_tool_arguments_allow_extra` (bool $allow, string $tool_name, array $schema, array $arguments) When true, unknown tool argument keys are passed through (default false). * `webo_mcp_disallow_url_token_query` (bool $disallowed) Block URL connector tokens in query strings (admin setting is the default source). * `webo_mcp_rest_bom_guard_json_api_requests` (bool $activate, string $uri_raw) Opt-in BOM sanitizer for all `/wp-json/` responses (default false; MCP routes only). * `webo_mcp_bridge_deny_patterns` (array $patterns) Controls which abilities are excluded when auto-bridging abilities into MCP tools (e.g. bulk, plugins/, themes/, multisite/). * `webo_mcp_auto_bridge_abilities` (bool $enabled) Enables or disables automatic bridging of registered abilities into MCP tools. Defaults to true; bridge mode still controls whether the bridge is off, layered, or full. * `webo_mcp_bridge_mode` (string $mode) Controls Abilities bridge mode after the` WEBO_MCP_BRIDGE_MODE` constant and before the stored option. Values: `off`, ` layered`, `full`. Default: `layered`. * `webo_mcp_enable_adapter` (bool $enabled) Enables or disables the bundled WordPress MCP Adapter runtime. Defaults to true. * `webo_mcp_validate_media_fetch_url` (true|\WP_Error $ok, string $url, array $ parsed) Reject unsafe URLs for webo/media-mutate upload action (return WP_Error to block). * `webo_mcp_tool_allowlist_allowed` (bool $allowed, string $tool_name, WP_REST_Request $request, array $params, array $allowed_tools) Filters the optional per-user/ role/client allowlist decision. ### Credits Special thanks to the authors and open source projects that contributed to this plugin: – WordPress (https://wordpress.org) – Abilities API (https://github.com/ WordPress/abilities-api) Reference: https://make.wordpress.org/ai/2025/07/17/abilities- api/ – MCP Adapter (https://github.com/WordPress/mcp-adapter) Reference: https:// make.wordpress.org/ai/2025/07/17/mcp-adapter/ – Composer (https://getcomposer.org)– Other PHP and JS libraries from the community If you use this plugin, please give credit to the authors of these libraries. ### License This plugin is licensed under the GPLv2 or later. See https://www.gnu.org/licenses/ gpl-2.0.html for details. ## نصب 1. Upload the plugin folder to /wp-content/plugins/webo-mcp 2. Run composer install inside the plugin folder 3. Activate the plugin in WordPress Admin 4. Send JSON-RPC requests to POST /wp-json/mcp/v1/router For release packaging, use scripts/build-release.ps1 to create a clean zip with . distignore exclusions. ## سوالات متداول ### Which endpoint should MCP clients use? POST /wp-json/mcp/v1/router ### Where is the official website and the n8n package? The project hub is https://webomcp.com. For n8n, install the community node from npm: https://www.npmjs.com/package/n8n-nodes-webo-mcp ### Can this run WordPress abilities by itself? Yes. On WordPress versions where Core provides the Abilities API, WEBO MCP uses Core and does not load a duplicate bundled Abilities API. On older WordPress versions it falls back to the bundled Composer package. The default bridge mode is `layered`, which exposes compact `webo/ability-query` and `webo/ability-execute` tools instead of one tool per ability. You can set bridge mode to `off`, `layered`, or `full` with `WEBO_MCP_BRIDGE_MODE`, the `webo_mcp_bridge_mode` filter, or the `webo_mcp_bridge_mode` option. ### Which abilities are exposed through WEBO MCP? Only abilities that explicitly set `meta.mcp.public` to true are exposed. Execution also checks the ability permission callback, WEBO allowlist/policy, and scope/risk metadata such as `meta.webo_mcp.scope` and `meta.webo_mcp.risk`. ### How do I migrate from legacy one-operation tool names? Use `tools/list` to discover the dispatcher tool names on your site, then pass the correct `action` (or query/mutate discriminant) for each operation. Use docs/MIGRATION_GUIDE_2.1.0. md for the 2.1.0 rollout narrative and docs/MCP_TOOL_MIGRATION.md for a consolidated addon-by-addon map (Rank Math, Rocket, WooCommerce groups, etc.). ### Can I expose internal tools? Yes, via filter webo_mcp_allow_internal_tools in private environments. ### Can I limit public tools by category? Yes, via filter webo_mcp_public_categories. ### Can I keep only WordPress.org-safe features? Yes. Default bridge rules exclude patterns for bulk, plugins/themes, and multisite abilities. ### Is this plugin suitable for production? Yes, when used with proper authentication, TLS, and a limited tool exposure policy. ### How do I authenticate MCP clients? Use a WordPress **Application Password** (Users Profile Application Passwords) and send it with HTTP Basic Auth (username = WordPress username, password = the application password). You can combine that with the optional **API Key** and ** HMAC** values from Settings WEBO MCP when those fields are set. If a client cannot send headers, create a short-lived scoped URL connector token and pass it as `?mcp_token =...`; it is shown once, stored only as a hash, limited to an explicit tool scope, expirable, and revocable. ### Does WEBO MCP reorder posts and pages? Use **`webo/reorder-query`** and **`webo/reorder-mutate`** when the separate **Webo Reorder** plugin is installed and active. Those tools control post `menu_order` and taxonomy-specific order — not navigation menus. For Appearance Menus, use **` webo/menu-query`** and **`webo/menu-mutate`**. See `docs/abilities/reorder.md` in the plugin repository. ## نقد و بررسی‌ها نقد و بررسی‌ای برای این افزونه یافت نشد. ## توسعه دهندگان و همکاران “WEBO MCP” نرم افزار متن باز است. افراد زیر در این افزونه مشارکت کرده‌اند. مشارکت کنندگان * [ phuongwebo ](https://profiles.wordpress.org/phuongwebo/) [ترجمه “WEBO MCP” به زبان شما.](https://translate.wordpress.org/projects/wp-plugins/webo-mcp) ### علاقه‌ مند به توسعه هستید؟ [Browse the code](https://plugins.trac.wordpress.org/browser/webo-mcp/), check out the [SVN repository](https://plugins.svn.wordpress.org/webo-mcp/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/webo-mcp/) by [RSS](https://plugins.trac.wordpress.org/log/webo-mcp/?limit=100&mode=stop_on_copy&format=rss). ## گزارش تغییرات #### 2.4.1 * Fix: keep `update` in content-query schema so read-tool write guard returns explicit error (args were stripped before handler). #### 2.4.0 * Performance (P3b): `webo/content-query` get/find-by-url/find-by-slug omit `content` and `excerpt` unless `include_content:true` or `include_excerpt:true` — smaller MCP payloads for AI agents. * New: `webo/plugin-mutate` action `upgrade` — update installed plugins from WordPress. org (transient or optional `version`). * Ops: `scripts/verify-security-mcp.ps1` automates session invalid + read-tool write guard checks. #### 2.3.7 * Consistency: `webo/content-query` find-by-url is read-only; reject `update` payload with clear error (use `webo/content-mutate`). * Docs: audit completion plan + live verify report updated; Workstream J completion notes. * Ops: `verify-live-mcp.ps1` works on Windows PowerShell 5 (UTF-8) and checks unified tool response names. #### 2.3.6 * Consistency: unified tool responses (`webo/content-query`, `webo/content-mutate`,` webo/menu-*`, `webo/theme-*`) now set `tool` and `action` to the MCP tool name instead of legacy per-operation names. * Docs: `CONTRACTS.md` lists security and bridge filters from 2.3.3+; README Security model section synced with readme.txt. * Requirement: minimum PHP raised to 8.0 (plugin header and readme). #### 2.3.5 * Security: separate read vs mutate rate limits (Settings Security); agent profiles support read_only, max_read_calls_per_hour, max_mutate_calls_per_hour. * Security: read-only agent profiles block mutating tools and write-scoped abilities. * Security: media upload-from-URL rejects disallowed Content-Type (e.g. text/html). * Docs: expanded Security tab guidance for API key, HMAC, URL tokens, and MCP access filter. #### 2.3.4 * Performance: `webo/site-stats` media action skips upload dir scan unless `include_disk_size: true` (1h transient cache when enabled). * Performance: invalidate `tools/list` cache when bridge mode or allowlist settings change. * Maintenance: weekly cron prunes expired MCP session transients. * Docs: live verify report (`docs/agents/VERIFY_2.3.3.md`) and `scripts/verify- live-mcp.ps1`; checkpoint spec/skill synced for admin edit URL. #### 2.3.3 * Security: admin-configurable MCP tools/call rate limit (Settings Security); agent profiles still override per client. * Security: MCP sessions are bound to the WordPress user that created them on initialize. * Security: tool arguments are stripped to schema keys by default (filter `webo_mcp_tool_arguments_allow_extra` to opt in). * Security: `webo/ability-execute` requires `edit_posts`; media upload-from-URL no longer follows HTTP redirects (SSRF hardening). * Security: optional disallow `?mcp_token=` query auth; optional audit webhook host allowlist. * Performance: short-lived `tools/list` cache per user/policy; audit log batches option writes per request. * Fix: checkpoint create returns admin edit URL instead of public permalink; REST BOM guard defaults to MCP routes only. * Cleanup: remove unused legacy `webo_mcp_public_tool_allowlist` option after migration. #### 2.3.2 * Claude Desktop / MCP SDK: SSE keepalive on `GET /wp-json/mcp/v1/router` (and adapter SSE routes) so supergateway and Claude Desktop no longer drop the transport; sessionless GET returns 405 instead of 400. * Claude Desktop / MCP SDK: `initialize` returns capability objects, sets `Mcp- Session-Id`, and `tools/list` includes `inputSchema`; `tools/call` wraps results in the standard MCP `content[]` text block format. * New tools: `webo/create-content-checkpoint` and `webo/restore-content-checkpoint` for AI-safe backup and rollback of posts, nav menus, and safe site options before bulk MCP writes. * Fix: sync `WEBOMCP_VERSION` with the plugin header so `initialize` reports the correct MCP server version. #### 2.3.1 * Compatibility: fix SCF Abilities API fatal while priming the registry during plugin activation. #### 2.3.0 * New tools: `webo/theme-context` (active theme info, editor settings, style presets, registered blocks), `webo/block-patterns` (list/get patterns and synced patterns),` webo/site-stats` (counts and activity summary), `webo/activity-log` (list, summary, clear), `webo/user-profile` (get/update own profile), `webo/site-settings` (get/ update 20 common WordPress options), `webo/content-search` (cross-post-type full- text search with grouped results). * Enhancement: `webo/comment-mutate` now supports `create` action for creating new comments. * Enhancement: `webo/content-query list` now accepts `author`, `author_name`, ` date_after`, `date_before`, and `tax_query` filters. * Enhancement: `webo/media-query list` now accepts `search`, `mime_type`, `post_id`, and `page` filters; response includes `found`, `pages`, `mime_type`, and `alt_text` fields. * Enhancement: `webo/content-mutate create` and `update` include `_content_warnings` when WordPress filters the submitted content on save. #### 2.2.1 * Compatibility: autoload bundled MCP schema dependency when the external MCP adapter stack is absent. * Router: fix flattened MCP argument coalescing for `webo/ability-execute`. * CI: refresh GitLab pipeline configuration for the 2.2.x release line. #### 2.2.0 * Admin: dedicated **WEBO MCP** top-level menu with Overview, Security, Bridge & Tools, Agents & Connectors, Audit, and Advanced tabs; legacy Settings link redirects. * WordPress 7.0: expanded Core feature detection, Connectors read-bridge (`webo/ connector-query`), WP AI prompt tool (`webo/ai-prompt`), agent profiles, rate limits, audit webhook/CSV export, and multisite network bridge defaults. * WP-CLI: `wp webo-mcp health`, `tools-list`, `revoke-tokens`, `audit-count`. * Dependencies: MCP Adapter ^0.5 (bundled fallback when external adapter absent). #### 2.1.23 * Multisite: add an opt-in Trusted Raw HTML setting so trusted site administrators can preserve Elementor and MCP content containing `script`, `style`, `canvas`,` iframe`, and other raw HTML when explicitly enabled. * Options: allow `webo/get-options` and `webo/update-options` to read and configure the Trusted Raw HTML policy. #### 2.1.22 * Security: replace normal API-key-in-URL support with short-lived scoped `mcp_token` URL connector tokens for clients that cannot send headers. * Security: URL connector tokens are shown once, stored only as hashes, expire automatically, can be revoked, cannot expose internal tools, and are limited by an explicit tool allowlist. * Admin: add Settings -> WEBO MCP controls to generate and revoke URL connector tokens without storing raw secrets. #### 2.1.21 * Superseded by 2.1.22. Do not put the normal WEBO API key in URLs. #### 2.1.20 * Multisite: allow network admins to target child sites with `site_id` / `blog_id` on `webo/content-query`, `webo/content-mutate`, `webo/get-options`, and `webo/ update-options`. #### 2.1.19 * Options: allow `webo/get-options` and `webo/update-options` to manage `html_custom_css` for trusted admin MCP flows. #### 2.1.18 * Integration: register `webo/reorder-query` and `webo/reorder-mutate` MCP tools when the Webo Reorder plugin is active (post/CPT order; not nav menu order). #### 2.1.17 * Enhancement: `webo/content-mutate` can update post passwords for protected content when the authenticated user has permission to edit the post. * Safety: post password updates stay inside the existing content mutation capability checks. #### 2.1.16 * Fix: `webo/content-mutate` can preserve raw block HTML for users with `unfiltered_html`, allowing admin page-builder content and inline styles to be managed through MCP. * Security: users without `unfiltered_html` continue to pass content through the normal WordPress post KSES boundary. #### 2.1.15 * WordPress 7.0 readiness: add defensive feature detection for Abilities API, MCP Adapter, Connectors API, and `wp_supports_ai()`. * Bootstrap: avoid loading duplicate bundled Abilities API or MCP Adapter code when Core/external implementations are already present. * Bridge: add `off`, `layered` (default), and `full` modes. Layered mode exposes compact `webo/ability-query` and `webo/ability-execute` tools so `tools/list` stays small by default. * Security: only bridge abilities with `meta.mcp.public === true`; execution now passes through ability permissions, WEBO policy/allowlist checks, and scope/risk gates. * Health: extend `webo/health-status` with WordPress 7.0/Core AI/MCP compatibility diagnostics. * Themes: extend `webo/theme-mutate` with WordPress.org theme install by slug; optional activation still requires `switch_themes`. #### 2.1.14 * Fix: bridge scoped plugin-management capabilities while network admins activate or deactivate plugins inside a child site. * Keeps child-site plugin toggles explicit through `site_id` / `blog_id` without widening network-wide activation behavior. #### 2.1.13 * Added `webo/plugin-mutate` for WordPress.org plugin install, activation, and deactivation through the core plugin endpoint. * Added `site_id` / `blog_id` support so network admins can activate or deactivate plugins for one multisite child site from the network MCP endpoint. * Safety: rejects conflicting `site_id` / `blog_id` plus `network_activate` / ` network_wide` requests so child-site activation and network-wide activation stay explicit. #### 2.1.12 * Added a bounded, admin-readable MCP audit log for `tools/call` events with user, tool/action, object ID when available, anonymized IP, hashed session ID, status, and compact result/error summaries. * Added optional per-user, per-role, and per-client/Application Password tool allowlists. Enforcement is disabled by default to preserve existing access until an administrator opts in. * Added read-only administrator tool `webo/health-status` covering REST/router status, Application Password support, permalinks, cron, object cache, plugin update summary, WordPress/PHP versions, and redacted MCP config status. #### 2.1.11 * Security: enforce object-level capabilities for MCP content/media mutations, including `edit_post`, `delete_post`, publish/private status changes, and taxonomy- specific term capabilities. * Security: filter read tools by `read_post` and hide tools from `tools/list` when the authenticated user lacks the tool capability. * Hardening: use WordPress safe HTTP validation for optional Google Suggest requests in `seo/article-analysis`. #### 2.1.10 * Fix: register **`webo/plugin-query`** in `Standalone_Tools` so MCP clients can list plugin updates (`query=updates`, optional `refresh=true`) and other inspection modes. * Bootstrap: prime `WP_Abilities_Registry` at `init:2` so `wp_abilities_api_init` runs before MCP bootstrap (`init:20`), preventing `_doing_it_wrong` when abilities register on `webo_mcp_register_tools`. #### 2.1.9 * Refactor: move built-in MCP tool registration into `inc/bootstrap/class-standalone- tools.php` (smaller bootstrap; same tool names). * Maintainer: broaden `.gitignore` (composer `vendor/bin/`, Cursor local config, scratch files); ship `scripts/` helpers and `docs/WPORG_REVIEW_REPLY_2.0.28.md`; keep `composer.json` production-only. #### 2.1.8 * BOM guard: fix PCRE — use `^(?:\xEF\xBB\xBF)+` so **multiple** UTF-8 BOMs are stripped (the old `^\xEF\xBB\xBF+` only repeated the final `0xBF` byte, breaking responses such as `wp/v2/types` on `webo.vn` for MCP clients). #### 2.1.7 * BOM guard: sanitize **all** REST API requests (`/wp-json/…`, `wp-json.php`, `? rest_route=`) by default (`webo_mcp_rest_bom_guard_json_api_requests` filter to disable). #### 2.1.6 * BOM guard: treat **Abilities API** REST URLs (`wp-abilities/v1`) the same as MCP router URLs — `@automattic/mcp-wordpress-remote` calls discover/execute over` wp-abilities`, which previously skipped the sanitizer. #### 2.1.5 * BOM guard: also start the sanitizer on `plugins_loaded` and `init` at priority`- 999999` when the request URI looks MCP (covers BOM echoed before `rest_api_init`). #### 2.1.4 * BOM guard: start output buffer at `rest_api_init` priority 0 when Request-URI/` rest_route` looks like MCP (catches BOM printed before routing); loop-strip repeated BOM/FEFF; filter `webo_mcp_rest_bom_guard_enabled` to disable. #### 2.1.3 * REST: strip accidental UTF-8 BOM / stray U+FEFF before JSON on MCP routes so clients no longer fail JSON parse with `Unexpected token` (defensive `ob_start` handler on `rest_pre_dispatch`). #### 2.1.2 * Restore the versioned **`skills/`** subtree in the Git repository (guides and ability-specific SKILL.md files referenced from README.md), matching the documented` npx skills add` workflows. * Add **`webo-mcp-ultimo-domain-dns-cf`** skill index entry (Ultimo checking-dns + Cloudflare checklist). * skills/README.md: document **WP Rocket** skill (`cache-query` / `cache-mutate` unified tools). #### 2.1.1 * Documentation: add docs/MCP_TOOL_MIGRATION.md (cross-addon dispatcher map; Rank Math + Rocket public-vs-internal discovery, WooCommerce query/mutate tool names). * Readme (GitHub + WordPress.org): align examples with `webo/content-query`, document` meta.mcp.public` visibility for bridged abilities, link migration doc; sync standalone tool bullets (menus, themes, plugins). #### 2.1.0 * **Token optimization — ecosystem-wide enum-dispatch unification.** All WEBO MCP addons now follow the same query/mutate pattern as the core plugin, replacing one-tool-per-operation APIs with unified abilities that accept an `action` argument: - **webo-mcp-woocommerce:** 27 individual tools 10 unified tools (`webo/woo- query-products`, `webo/woo-mutate-products`, `webo/woo-query-orders`, `webo/ woo-mutate-orders`, `webo/woo-query-customers`, `webo/woo-mutate-customers`,` webo/woo-query-coupons`, `webo/woo-mutate-coupons`, `webo/woo-query-store`,` webo/woo-mutate-store`). - **webo-mcp-rank-math:** 18 individual tools 10 unified `webo-rank-math/*- query`/`*-mutate` abilities; granular abilities may stay MCP-internal (see addon `wp_register_ability_args`). - **webo-mcp-rocket:** 9 individual tools 2 unified tools (`webo-rocket/cache- query`, `webo-rocket/cache-mutate`). * **Impact:** with core and addons active the total tool count visible in `tools/ list` drops from ~79+ to ~34. A smaller tool list means the model picks tools faster, uses less context budget per request, and makes fewer tool-name errors. * **Pattern:** each unified ability requires one `action` string that is dispatched server-side via PHP `match()`. All existing handler logic is preserved — only the registration surface changes. * Updated skills documentation for webo-mcp-ability-woocommerce, webo-mcp-ability- rank-math, webo-mcp-ability-rocket, and webo-mcp-guide. #### 2.0.45 * Refactor: unify media tools into `webo/media-query` (list, get) and `webo/media- mutate` (upload, update, delete); removes 5 legacy media tools. * Refactor: unify taxonomy/term tools into `webo/taxonomy-query` (discover, list, get) and `webo/taxonomy-mutate` (create, update, delete); removes 6 legacy term tools. * Refactor: unify comment tools into `webo/comment-query` (list, get) and `webo/ comment-mutate` (update, delete); removes 4 legacy comment tools. * Refactor: unify post/content tools into `webo/content-query` and `webo/content- mutate`; removes 17 legacy post tools. * Refactor: replace `webo/list-active-plugins` with unified `webo/plugin-query`( list, get, activate, deactivate). * All unified tools normalize the `id` field as the primary response identifier; domain aliases (attachment_id, term_id, comment_id) are kept for backward compatibility. * SEO: improved Unicode word count using Unicode ranges for multilingual content; non-spaced scripts (CJK, Thai) now estimate word count via character-based heuristics. #### 2.0.44 * SEO readability: estimate word count for non-spaced scripts (CJK, Thai, Khmer) via character-based heuristics. #### 2.0.43 * SEO readability: count Unicode title and meta description lengths correctly for non-ASCII characters. #### 2.0.42 * SEO readability: count Unicode words correctly for multilingual content. #### 2.0.41 * Media/site settings: add `webo/set-site-icon` to set the WordPress site icon/ favicon from an existing image attachment. #### 2.0.40 * MCP post tools: add page, offset, orderby, and order support to webo/list-posts responses for reliable batch processing. * SEO analyzer: infer the WordPress post title as the primary H1 when content omits an H1, and include Article JSON-LD from post/Rank Math metadata for more accurate schema checks. #### 2.0.39 * Options: allow safe permalink/category/tag base updates through MCP and flush rewrite rules after URL setting changes. #### 2.0.38 * MCP post tools: preserve safe HTML for post content/excerpt arguments so SEO headings, lists, tables, and images can be authored through create/update calls. #### 2.0.35 * New site-management tools: `webo/list-themes` and `webo/switch-theme` for discovering installed themes and switching the active theme by stylesheet slug. * Readme: release includes the shortened WordPress.org short description, keeping the short description under the 150 character import limit. #### 2.0.34 * Options: allow `webo/update-options` and `webo/get-options` to handle `show_on_front` and `page_on_front`. * Safety: validate `show_on_front` as `posts|page` and ensure `page_on_front` references a valid Page ID (or 0). #### 2.0.33 * Readme: refresh WordPress.org-facing description for clarity; lead with product value and protocol workflow, move ecosystem links to a secondary section. #### 2.0.32 * Fix: avoid WP 6.9 Abilities API incorrect-usage notices by hardening adapter category/ability registration order and late-boot recovery. * Docs: add AGENTS.md workflow guidance and prioritize guide-first structure in README/readme.txt. #### 2.0.31 * Maintenance: version bump. #### 2.0.30 * Maintenance: version bump. #### 2.0.29 * Reliability: harden MCP adapter bootstrap and schema type handling (supports array/nullable type definitions safely). * WP-CLI noise reduction: register core mcp-adapter abilities before bridge wiring and suppress default adapter server bootstrap in CLI mode to avoid false missing- ability errors. * Release notice: users running WEBO MCP Pro should update Pro package compatibility notes from the official docs/release channel before production rollout. #### 2.0.28 * WordPress.org review fixes: added explicit `External services` disclosure for Google Suggest/Autocomplete used by `seo/article-analysis` (service purpose, transmitted query data and request metadata, conditions, Terms and Privacy links). * Compatibility: removed use of `WPINC` for nav-menu API loading; now load nav- menu API via explicit core include paths with availability checks to reduce environment- specific path issues. #### 2.0.27 * Security (WordPress.org guidelines): MCP router no longer maps API keys or HMAC to arbitrary user accounts. All requests require WordPress Application Password( Basic Auth) or an existing logged-in session; optional site API key and HMAC apply only after authentication. * Readme: Contributors includes phuongwebo; clarify authentication in description and FAQ. #### 2.0.26 * New MCP tool seo/article-analysis (category seo, edit_posts): WordPress-only on-page SEO signals for a post via post_id — rendered content, Rank Math merge, readability, issues, content_gaps. Agent documentation: skills/webo-mcp-seo-article/ SKILL.md in the GitHub repo (not bundled in the WordPress.org zip). * Readme: Stable tag sync, privacy note for optional outbound tool requests. #### 2.0.25 * list-posts: document defaults (publish + post type post); response includes applied filters so empty results are easier to explain. Models should pass status draft( etc.) and post_type page when listing those. #### 2.0.24 * Nav menus: list-nav-menu-locations response includes note explaining slug vs label; MCP descriptions tell models to call this tool first to discover theme_location keys. #### 2.0.23 * Nav menus: list-nav-menus response includes menu_id (same as term_id) and clearer MCP tool descriptions so clients list menus without asking users for menu_id first. #### 2.0.22 * Nav menus: if create-nav-menu / create-nav-menu-for-location targets a name that already exists, reuse the existing menu term and continue (reused_existing_menu in JSON). Return a clear error if core nav-menu.php cannot be loaded. Expanded primary fallback slugs (primary-menu, header-menu, mobile). assign-nav-menu-to- location accepts menu_name when menu_id is omitted (assigned_via_menu_name in response). #### 2.0.21 * Nav menus: resolve theme location when slug primary is missing (single registered slot, or common slugs main/header/menu-1/navigation). Load wp-includes/nav-menu. php before wp_create_nav_menu in REST context. Response field theme_location_resolution indicates how the slug was chosen. #### 2.0.20 * Access: MCP router gate allows `manage_options` and `edit_posts` (Editors, site admins on multisite), not only `is_super_admin`; fixes list-nav-menus / tools/ call failing for non-administrator users. Multisite API key/HMAC falls back to first site Administrator if no Super Admin login exists. Error code `webo_mcp_access_denied` replaces misleading super-admin-only message. #### 2.0.15 * Nav menus: list-nav-menus, list-nav-menu-items (db_id, menu_order, object_id, parent_db_id), add-nav-menu-item-from-post with required post_id, post_type, and menu_order (explicit developer values; no auto placement). #### 2.0.14 * Security: MCP JSON-RPC router, SecurityHelper, tools discovery, and internal- tool policy default to network Super Admin on multisite (`is_super_admin`). Single- site installs use WordPress core’s `is_super_admin()` behavior (typically full administrators). Global API key/HMAC elevates to the first Super Admin user on multisite. #### 2.0.7 * Readme: highlight https://webomcp.com and n8n community node https://www.npmjs. com/package/n8n-nodes-webo-mcp; short description and FAQ; README.md aligned. #### 2.0.6 * License: plugin header uses the same wording as readme.txt (“GPL v2 or later”) to satisfy WordPress.org declared-license checks. #### 2.0.5 * Plugin header: @wordpress-plugin marker for strict scanners; License line uses GPLv2 or later slug (Plugin Handbook). #### 2.0.4 * Plugin header: handbook field order, shorter Description line, License text “ GPL v2 or later”, Domain Path for translations. #### 2.0.3 * WordPress.org / Plugin Check: include composer.json when vendor is bundled; replace unlink with wp_delete_file for temp uploads; remove load_plugin_textdomain (core loads translations); resolve API key usermeta via get_users instead of direct $wpdb; readme short description, allowed Tags, Stable tag sync. #### 2.0.2 * WordPress.org packaging: release zip excludes dotfiles and all .github trees; readme Tested up to 6.9. #### 2.0.1 * Hardening: HMAC auth passes REST permission layer; SSRF guard for upload-media- from-url; paginated search-replace (max 500 posts per call); sanitized safe option updates; removed duplicate unused settings class. #### 2.0.0 * Plugin renamed to WEBO MCP; folder and main file: webo-mcp/webo-mcp.php. * Text domain, REST namespace webo-mcp/v1, hooks webo_mcp_* (breaking for custom code using old hook names). * Options and API-key usermeta migrate automatically from webo-wordpress-mcp keys on first load. #### 1.1.1 * Added empty input_schema definitions for core/get-user-info and core/get-environment- info. * Fixes MCP tools/call validation errors when invoking these no-input core tools. #### 1.0.2 * Added new read-only tool: webo/list-active-plugins. * Enables MCP clients to verify active plugins with capability check. #### 1.0.1 * Metadata refresh release to ensure dependency headers are reloaded correctly. * tools/list compatibility improvements for include_internal aliases and legacy endpoint support. #### 1.0.0 * Initial stable public release. * MCP JSON-RPC router with initialize, tools/list, tools/call. * Tool registry integration and public visibility policy controls. * Session management and optional API key/HMAC security. ## اطلاعات * نگارش **2.4.1** * Last updated **18 دقیقه پیش** * نصب‌های فعال **کمتر از 10** * نگارش وردپرس ** 6.4 یا بالاتر ** * Tested up to **7.0** * نگارش PHP ** 8.0 یا بالاتر ** * زبان * [English (US)](https://wordpress.org/plugins/webo-mcp/) * Tags * [AI agent](https://fa.wordpress.org/plugins/tags/ai-agent/)[automation](https://fa.wordpress.org/plugins/tags/automation/) [json rpc](https://fa.wordpress.org/plugins/tags/json-rpc/)[mcp](https://fa.wordpress.org/plugins/tags/mcp/) [model context protocol](https://fa.wordpress.org/plugins/tags/model-context-protocol/) * [نمایش پیشرفته](https://fa.wordpress.org/plugins/webo-mcp/advanced/) ## امتیازها هنوز هیچ نقدی ارسال نشده است. [Your review](https://wordpress.org/support/plugin/webo-mcp/reviews/#new-post) [مشاهده همه بررسی‌ها](https://wordpress.org/support/plugin/webo-mcp/reviews/) ## مشارکت کنندگان * [ phuongwebo ](https://profiles.wordpress.org/phuongwebo/) ## پشتیبانی چیزی برای گفتن دارید؟ نیاز به کمک دارید؟ [مشاهده انجمن پشتیبانی](https://wordpress.org/support/plugin/webo-mcp/)