cPanel WordPress MCP

A minimal MCP server for managing one cPanel account from Claude Code: subdomains, files, and WordPress via Softaculous. Runs locally over stdio; your cPanel token stays on the machine running it.

Subdomains and files

• create_subdomain — adds a subdomain via cPanel UAPI

• delete_subdomain — removes a subdomain via cPanel API2, optionally its docroot too

• list_files — lists the contents of a directory on the account

• delete_path — deletes a folder under public_html (guarded)

WordPress / Softaculous

• install_wordpress — installs WordPress via Softaculous

• uninstall_wordpress — removes a WordPress install (files and database)

• list_installations — lists Softaculous app installs (id, app, url, path)

• get_install_details — details for one install (no passwords)

• clone_wordpress — clones an install to another domain/subdomain (act=sclone)

• backup_wordpress — takes a backup (files + database)

• list_backups — lists Softaculous backups

Destructive tools (uninstall_wordpress, delete_subdomain, delete_path) ask for confirmation via MCP elicitation before running.

Not yet shipped: staging, push-to-live, restore, upgrade and auto-update are prototyped but not verified, so they are not in the connector yet.

Requirements

• Claude Code and Node 18 or newer (the server uses built-in fetch).

• A cPanel API token (next section).

Related MCP server: MCP WordPress Server

Create a cPanel API token

In the cPanel account (not WHM): Security > Manage API Tokens > Create Token.

• Give it a name like claude-mcp.

• Set an expiry date. Renew it rather than leaving it open ended.

• Copy the token now. cPanel only shows it once.

These tokens are not feature scoped: the token can do anything the account can, so treat it like a password and revoke it the moment you stop using it.

Install

One line. It runs the server straight from GitHub via npx — no clone, no npm account. Fill in your four values and run it, or hand the finished line to a teammate:

claude mcp add cpanel-wp --scope user --env CPANEL_HOST=server.host.com --env CPANEL_USER=youruser --env CPANEL_TOKEN=yourtoken --env CPANEL_PASSWORD=yourpass -- npx -y github:chris-bangmedia/cpanel-mcp#v1.1.1

Then open Claude Code and run /mcp — cpanel-wp should show as connected.

Notes:

• Each teammate needs only Claude Code and Node 18+ installed first.

• --scope user makes the server available in all of their projects. #v1.1.1 pins the version, so everyone runs the same build; bump the tag in the command after each release (or drop it to track main).

• The values are saved in each person's own Claude config (~/.claude.json). This account is staging only and backed up hourly, so a shared token is fine; use per-person tokens if you want to revoke access individually.

• Destructive tools ask for an "are you sure" confirmation. Respond promptly, since a slow response can time the call out.

Configuration (environment variables)

Required:

• CPANEL_HOST — the server hostname, not the website domain. Use the hostname with a valid SSL cert on port 2083, otherwise the TLS check fails.

• CPANEL_USER — the cPanel account username.

• CPANEL_TOKEN — the API token from above.

• CPANEL_PASSWORD — the account login password. Needed only for the Softaculous tools (install_wordpress, uninstall_wordpress, clone_wordpress, backup_wordpress): Softaculous runs as a cPanel frontend app and rejects token auth, so the server mints a short-lived session with the password. The subdomain and file tools don't need it.

Optional:

• CPANEL_PORT — defaults to 2083

• CPANEL_THEME — defaults to jupiter. Only change if your cPanel uses a different theme and Softaculous calls return a non-JSON error.

• WP_ADMIN_USER / WP_ADMIN_EMAIL — prefill the WordPress install prompt. There is no default password; it's entered fresh at install time.

Using it

Create a WordPress site on a new subdomain:

1. create_subdomain with subdomain blog, root domain example.com

2. install_wordpress with domain blog.example.com, directory empty

In Claude you'd just say: "create the subdomain blog.example.com then install WordPress on it".

If the client supports MCP elicitation (Claude Code does), install_wordpress asks for the admin username, password and email at install time, and the destructive tools show an "are you sure" confirmation naming the exact action before they run.

Tear one down (reverse order, so the docroot and database get cleaned up):

1. uninstall_wordpress with domain blog.example.com (removes files and database)

2. delete_subdomain with subdomain blog, root domain example.com, and remove_docroot: true to also delete the folder

delete_path and delete_subdomain's docroot removal only ever touch a folder under public_html, never public_html itself or the home dir.

Troubleshooting

• Non-JSON response from Softaculous — wrong CPANEL_THEME. Check the theme name in the cPanel URL and set it.

• Non-JSON / 401 from cPanel — wrong host, user or token, or the token expired.

• TLS / certificate error — you're hitting a hostname without a matching cert. Use the proper server hostname.

Local development

Clone the repo and run npm install. The committed .mcp.json runs node server.js and reads your CPANEL_* values from the environment (set them in your shell), so opening the folder in Claude Code loads your local copy instead of the published version.