
wp_create_application_password

Generate application passwords for WordPress users to enable secure API access for external applications, managing authentication credentials programmatically.

Instructions

Creates a new application password for a user.

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| site | No | The ID of the WordPress site to target (from mcp-wordpress.config.json). Required if multiple sites are configured. | |
| user_id | Yes | The ID of the user to create the password for. | |
| app_name | Yes | The name of the application this password is for. | |

Implementation Reference

  • Tool registration and schema definition in SiteTools.getTools() array. Specifies name, description, input parameters (user_id: number required, app_name: string required), and binds the handler function.
    {
      name: "wp_create_application_password",
      description: "Creates a new application password for a user.",
      parameters: [
        {
          name: "user_id",
          type: "number",
          required: true,
          description: "The ID of the user to create the password for.",
        },
        {
          name: "app_name",
          type: "string",
          required: true,
          description: "The name of the application this password is for.",
        },
      ],
      handler: this.handleCreateApplicationPassword.bind(this),
    },
  • The primary handler function that implements the tool logic. Parses parameters, invokes WordPressClient.createApplicationPassword(), formats a user-friendly response with the generated password (shown only once), and handles errors.
    public async handleCreateApplicationPassword(
      client: WordPressClient,
      params: Record<string, unknown>,
    ): Promise<unknown> {
      try {
        const { user_id, app_name } = params as { user_id: number; app_name: string };
        const result = await client.createApplicationPassword(user_id, app_name);
        const content =
          "✅ **Application password created successfully!**\n\n" +
          `**Name:** ${result.name}\n` +
          `**Password:** \`${result.password}\`\n\n` +
          "**IMPORTANT:** This password is shown only once. Please save it securely.";
        return content;
      } catch (_error) {
        throw new Error(`Failed to create application password: ${getErrorMessage(_error)}`);
      }
    }
  • Low-level implementation in SiteOperations that performs the actual WP REST API POST request to /users/{userId}/application-passwords with {name, app_id?} payload.
    async createApplicationPassword(
      userId: number | "me",
      name: string,
      appId?: string,
    ): Promise<WordPressApplicationPassword> {
      const data: Record<string, unknown> = { name };
      if (appId) data.app_id = appId;
      return this.client.post<WordPressApplicationPassword>(`users/${userId}/application-passwords`, data);
    }
  • Proxy method in WordPressClient that delegates to SiteOperations.createApplicationPassword.
    async createApplicationPassword(
      userId: number | "me",
      name: string,
      appId?: string,
    ): Promise<WordPressApplicationPassword> {
      return this.siteOps.createApplicationPassword(userId, name, appId);
    }
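
The handler above narrows `params` with a TypeScript `as` cast, which is a compile-time assertion only, and the value then reaches the `users/${userId}/application-passwords` template string unchecked. The following is an added example, not code from the mcp-wordpress project, of a runtime check that could run before the client call; the function names and the length limit are assumptions made for illustration.

```typescript
// Added example (not from mcp-wordpress): runtime validation of the tool's
// parameters before they are interpolated into the REST path.

type CreateAppPasswordParams = { user_id: number; app_name: string };

// Assumed limit for this example; not a value taken from WordPress or the project.
const MAX_APP_NAME_LENGTH = 100;

function parseCreateAppPasswordParams(params: Record<string, unknown>): CreateAppPasswordParams {
  const { user_id, app_name } = params;

  // The schema declares user_id as a number. Rejecting every other type means
  // a string with path separators can never become part of the request path.
  if (typeof user_id !== "number" || !Number.isSafeInteger(user_id) || user_id <= 0) {
    throw new Error("user_id must be a positive integer");
  }

  if (typeof app_name !== "string") {
    throw new Error("app_name must be a string");
  }
  const name = app_name.trim();
  if (name.length === 0 || name.length > MAX_APP_NAME_LENGTH) {
    throw new Error(`app_name must be 1-${MAX_APP_NAME_LENGTH} characters`);
  }
  // The name is the label an administrator later reads when auditing or
  // revoking credentials, so keep control characters out of it.
  if (/[\u0000-\u001f\u007f]/.test(name)) {
    throw new Error("app_name must not contain control characters");
  }
  return { user_id, app_name: name };
}

// Returns the rejection message, or null when the input is accepted.
function validationError(params: Record<string, unknown>): string | null {
  try {
    parseCreateAppPasswordParams(params);
    return null;
  } catch (e) {
    return e instanceof Error ? e.message : String(e);
  }
}
```
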

Behavior: 2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries full burden for behavioral disclosure. While 'creates' implies a write operation, it doesn't specify whether this requires admin permissions, what happens on success/failure, whether the password is displayed only once, or any rate limits. For a security-sensitive operation like password creation, this is insufficient.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence that gets straight to the point with zero wasted words. It's appropriately sized for a straightforward creation operation and front-loads the essential information.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a tool that creates application passwords (a security-sensitive write operation) with no annotations and no output schema, the description is inadequate. It doesn't explain what the tool returns, what permissions are required, or any security implications. The context demands more comprehensive disclosure.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The description mentions creating a password 'for a user' which aligns with the user_id parameter, but doesn't add meaningful context beyond what's already in the schema descriptions. With 100% schema description coverage, the baseline is 3, and the description doesn't significantly enhance parameter understanding.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the action ('creates') and resource ('new application password for a user'), making the purpose immediately understandable. However, it doesn't differentiate from sibling tools like 'wp_get_application_passwords' or 'wp_delete_application_password' beyond the obvious verb difference.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives. There's no mention of prerequisites (like authentication requirements), when this operation is appropriate, or how it relates to sibling tools like 'wp_get_application_passwords' or 'wp_delete_application_password'.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/docdyhr/mcp-wordpress'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.