Integrates with Automattic services as the package is published under the @automattic namespace and references their wordpress-mcp plugin.
Provides access to WooCommerce functionality through its REST API using customer keys and secrets for authentication.
Serves as a bridge between local MCP clients and remote WordPress servers, enabling communication with WordPress sites via their REST API.
MCP WordPress Remote
A Model Context Protocol (MCP) server for seamless WordPress integration
Connect AI assistants like Claude Desktop to your WordPress sites with multiple authentication methods including OAuth 2.0, JWT tokens, and application passwords.
Features
- MCP Authorization Specification Compliant - Implements MCP Authorization specification 2025-06-18
- OAuth 2.1 with PKCE - Secure authorization code flow with PKCE (RFC 7636)
- Resource Indicators - RFC 8707 compliance for token audience binding
- Dynamic Client Registration - RFC 7591 support for automatic client registration
- Protected Resource Metadata Discovery - RFC 9728 for automatic endpoint discovery
- Multiple Authentication Methods - OAuth 2.1, JWT tokens, and WordPress application passwords
- Persistent Token Storage - OAuth tokens stored securely with automatic validation
- Multi-instance Coordination - Lockfiles prevent authentication conflicts
- Automatic Token Management - Handles validation, refresh, and cleanup
- Enhanced Error Handling - Detailed error messages with proper categorization
- Comprehensive Logging - Structured logging with categories and levels
- Complete MCP Support - Tools, resources, prompts, and more
Quick Start
Installation
Configuration
Add to your MCP client configuration (e.g., Claude Desktop's claude_desktop_config.json):
First Run
- Start your MCP client (Claude Desktop, etc.)
- Choose authentication method based on your preference:
  - OAuth 2.0 (default): Browser opens automatically for authorization
  - JWT Token: Set JWT_TOKEN environment variable
  - Application Password: Set WP_API_USERNAME and WP_API_PASSWORD
- Start using WordPress features in your AI assistant
WordPress MCP Plugin
You need to install the wordpress-mcp plugin on your WordPress website and enable MCP Functionality in Settings > MCP Settings.
Authentication Methods
1. OAuth 2.1 (Recommended - MCP Compliant)
OAuth 2.1 provides the most secure and user-friendly experience with full MCP Authorization specification compliance.
For Self-Hosted WordPress Sites:
MCP Authorization Specification Features:
- OAuth 2.1 authorization code flow with PKCE (RFC 7636)
- Resource Indicators (RFC 8707) for token audience binding
- Dynamic Client Registration (RFC 7591) when supported
- Protected Resource Metadata Discovery (RFC 9728)
- Authorization Server Metadata Discovery (RFC 8414)
Benefits:
- Full compliance with MCP Authorization specification 2025-06-18
- Enhanced security with PKCE protection
- One-time browser authorization
- Tokens stored securely with automatic validation
- Automatic endpoint discovery
- No need to manage passwords
- Automatic expiration handling
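The authorization request described above, as an added example that is not code from mcp-wordpress-remote: it builds a PKCE (S256) request with a state parameter and an RFC 8707 resource indicator, then validates the loopback callback. The site `wp.example`, the endpoint path, the client ID and the callback path are constructed placeholders; the host and port are the defaults from the environment variable table.

```javascript
// Added example, not code from mcp-wordpress-remote.
const crypto = require('node:crypto');

const b64url = (buf) => buf.toString('base64url');

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function challengeFor(verifier) {
  return b64url(crypto.createHash('sha256').update(verifier, 'ascii').digest());
}

// Build the authorization request. The verifier and state stay in the client;
// only the challenge and state travel through the browser.
function buildAuthRequest({ authorizeEndpoint, clientId, redirectUri, resource }) {
  const verifier = b64url(crypto.randomBytes(32)); // 43 chars, the RFC minimum
  const state = b64url(crypto.randomBytes(16));
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    code_challenge: challengeFor(verifier),
    code_challenge_method: 'S256',
    state,
    resource, // RFC 8707: the token is requested for this one resource
  }).toString();
  return { url: url.toString(), verifier, state };
}

// Validate the redirect received on the loopback listener. Returns the
// authorization code, or null if the response must be rejected.
function acceptCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get('state') ?? '');
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
  if (params.has('error')) return null;
  return params.get('code');
}

// Constructed values: wp.example, the endpoint path, client id and callback path.
const request = buildAuthRequest({
  authorizeEndpoint: 'https://wp.example/oauth/authorize',
  clientId: 'example-client',
  redirectUri: 'http://127.0.0.1:7665/oauth/callback',
  resource: 'https://wp.example',
});
console.log(request.url);
```

The `verifier` is sent only in the later token request, so an authorization code intercepted in the browser redirect cannot be redeemed without it.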
2. JWT Token Authentication
For server-to-server authentication or when OAuth is not available.
3. WordPress Application Passwords (Legacy)
Uses WordPress username and application password for basic authentication.
To create an application password:
- Go to your WordPress admin dashboard
- Navigate to Users > Profile
- Scroll down to "Application Passwords"
- Create a new application password for MCP access
Advanced Configuration
Custom OAuth Settings
WooCommerce Integration
For WooCommerce-specific tools and reports:
Environment Variables
Variable | Description | Default | Required |
---|---|---|---|
WP_API_URL | WordPress site URL | - | ✅ |
OAUTH_ENABLED | Enable OAuth authentication | true | - |
OAUTH_CALLBACK_PORT | OAuth callback port | 7665 | - |
OAUTH_HOST | OAuth callback hostname | 127.0.0.1 | - |
WP_OAUTH_CLIENT_ID | Custom OAuth client ID | - | - |
OAuth Endpoints | |||
OAUTH_AUTHORIZE_ENDPOINT | OAuth authorization endpoint | - | ✅ (for custom OAuth) |
OAUTH_TOKEN_ENDPOINT | OAuth token endpoint | - | ✅ (for custom OAuth) |
OAUTH_AUTHENTICATE_ENDPOINT | OAuth authenticate endpoint | - | - |
MCP OAuth 2.1 Settings | |||
OAUTH_FLOW_TYPE | OAuth flow type (authorization_code or implicit) | authorization_code | - |
OAUTH_USE_PKCE | Use PKCE (required for OAuth 2.1) | true | - |
OAUTH_DYNAMIC_REGISTRATION | Enable dynamic client registration | true | - |
OAUTH_RESOURCE_INDICATOR | Use resource indicators (RFC 8707) | true | - |
Configuration | |||
WP_MCP_CONFIG_DIR | Config directory override | ~/.mcp-auth | - |
LOG_FILE | Log file path | - | - |
LOG_LEVEL | Log level (0-3) | 2 | - |
Legacy Authentication | |||
JWT_TOKEN | JWT token for authentication | - | - |
WP_API_USERNAME | WordPress username (legacy) | - | - |
WP_API_PASSWORD | WordPress app password (legacy) | - | - |
WOO_CUSTOMER_KEY | WooCommerce consumer key | - | - |
WOO_CUSTOMER_SECRET | WooCommerce consumer secret | - | - |
Disable OAuth
To use only JWT or Basic Auth:
Development Mode
For development and testing, you can use the local repository:
Setup
- Clone the repository:
- Install dependencies:
- Build the project:
Configuration
Configure your MCP client to use the local version:
Development Workflow
- Watch mode: npm run build:watch - Automatically rebuilds on file changes
- Testing: npm test - Run the test suite
- Type checking: npm run check - Run TypeScript and Prettier checks
Token Management
OAuth Token Storage
Tokens are automatically stored in:
Manual Management
Token Security
- Secure file permissions (600) on all token files
- Automatic token validation before each request
- Expired token cleanup during startup
- Version isolation - each version stores tokens separately
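To check the file-permission claim on your own machine, the following added example (not part of the project) walks the token directory and reports anything readable by group or other users. It assumes tokens live under WP_MCP_CONFIG_DIR, defaulting to ~/.mcp-auth as in the environment variable table; the layout below that directory is not documented here, so the walk is recursive.

```javascript
// Added example, not code from mcp-wordpress-remote.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Assumption: WP_MCP_CONFIG_DIR overrides the default ~/.mcp-auth.
function configDir(env = process.env) {
  return env.WP_MCP_CONFIG_DIR || path.join(os.homedir(), '.mcp-auth');
}

// Return one finding per file whose mode grants any group/other access
// (anything wider than 600), and per symlink, which could point outside
// the directory.
function auditTokenDir(dir) {
  const findings = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isSymbolicLink()) {
      findings.push({ path: full, issue: 'symlink' });
    } else if (entry.isDirectory()) {
      findings.push(...auditTokenDir(full));
    } else if (entry.isFile()) {
      const mode = fs.statSync(full).mode & 0o777;
      if (mode & 0o077) {
        findings.push({ path: full, issue: 'mode ' + mode.toString(8) });
      }
    }
  }
  return findings;
}

// Run against the real directory only if it exists.
if (fs.existsSync(configDir())) {
  for (const f of auditTokenDir(configDir())) {
    console.log(`${f.issue}\t${f.path}`);
  }
}
```

An empty result means every regular file under the directory is restricted to its owner; POSIX mode bits are not meaningful on Windows, so run this on Linux or macOS.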
Multi-Instance Support
The proxy automatically coordinates between multiple instances:
- Lockfiles prevent simultaneous OAuth flows
- Process coordination ensures only one authentication at a time
- Graceful waiting when another instance is authenticating
- Automatic cleanup of stale locks
If you see "waiting for other instance" messages, this is normal behavior.
Troubleshooting
Authentication Issues
OAuth browser doesn't open:
- Check if port 3000 is available
- Try a different port with OAUTH_CALLBACK_PORT
- Manually open the URL shown in logs
OAuth authorization fails:
- Verify WordPress site has MCP plugin installed and enabled
- Check WordPress admin user permissions
- Try clearing tokens and re-authenticating
JWT authentication fails:
- Verify JWT token is valid and not expired
- Check token format and encoding
- Ensure WordPress site supports JWT authentication
Basic Auth fails:
- Verify username and application password
- Check application password is active
- Ensure user has sufficient permissions
Connection Issues
API endpoint not found:
- Verify WordPress MCP plugin is installed and activated
- Check plugin is enabled in WordPress admin
- Confirm WP_API_URL is correct
Permission denied:
- Check user permissions in WordPress
- Verify authentication credentials
- Review WordPress user roles
Port Conflicts
If port 3000 is already in use:
Multi-instance Messages
"Waiting for other instance" messages are normal when multiple MCP clients start simultaneously. The system coordinates authentication to prevent conflicts.
Log Analysis
Enable detailed logging:
Log levels:
- 0 - Errors only
- 1 - Warnings and errors
- 2 - Info, warnings, and errors (default)
- 3 - Debug, info, warnings, and errors
Security Features
- Secure OAuth flow with state parameters and PKCE
- Token encryption with secure file permissions
- Automatic validation before each API request
- Expired token cleanup and refresh handling
- Multi-instance coordination prevents authentication conflicts
Why Use MCP WordPress Remote?
- Multiple Authentication Methods - Choose what works best for your setup
- Enhanced Security - OAuth 2.0 with persistent token storage
- Better User Experience - One-time setup with automatic token management
- Multi-Instance Support - Works reliably with multiple MCP clients
- Comprehensive Logging - Detailed logs for troubleshooting
- Easy Setup - No global installation required with npx
Requirements
- Node.js 22+ (required for fetch API support)
- WordPress site with wordpress-mcp plugin
- WordPress user account with appropriate permissions
License
GPL v2 or later
Contributing
Contributions welcome! This project is maintained by Automattic Inc.
Support
- Issues: GitHub Issues
- Documentation: Check the troubleshooting section above
- WordPress MCP Plugin: Plugin Repository
Need help? Check the troubleshooting section or open an issue.
Acts as a bridge between local MCP clients and WordPress websites, enabling communication with WordPress through simple REST API requests rather than keeping open connections.