{"id":293340,"date":"2026-04-24T15:59:09","date_gmt":"2026-04-24T15:59:09","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/webo-mcp\/"},"modified":"2026-05-12T16:54:17","modified_gmt":"2026-05-12T16:54:17","slug":"webo-mcp","status":"publish","type":"plugin","link":"https:\/\/hr.wordpress.org\/plugins\/webo-mcp\/","author":23464384,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"2.1.13","stable_tag":"2.1.13","tested":"6.9.4","requires":"6.0","requires_php":"7.4","requires_plugins":null,"header_name":"WEBO MCP","header_author":"Dinh WP","header_description":"MCP (Model Context Protocol) gateway for WordPress: JSON-RPC tools over the REST API for MCP clients.","assets_banners_color":"69877a","last_updated":"2026-05-12 16:54:17","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/webomcp.com","header_author_uri":"https:\/\/dinhwp.com","rating":0,"author_block_rating":0,"active_installs":0,"downloads":467,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"2.0.28":{"tag":"2.0.28","author":"phuongwebo","date":"2026-04-25 08:06:45"},"2.0.29":{"tag":"2.0.29","author":"phuongwebo","date":"2026-04-28 18:29:53"},"2.0.34":{"tag":"2.0.34","author":"phuongwebo","date":"2026-05-04 20:29:27"},"2.0.35":{"tag":"2.0.35","author":"phuongwebo","date":"2026-05-04 20:53:17"},"2.0.40":{"tag":"2.0.40","author":"phuongwebo","date":"2026-05-05 22:31:15"},"2.0.45":{"tag":"2.0.45","author":"phuongwebo","date":"2026-05-08 14:51:09"},"2.1.0":{"tag":"2.1.0","author":"phuongwebo","date":"2026-05-08 16:12:27"},"2.1.10":{"tag":"2.1.10","author":"phuongwebo","date":"2026-05-08 23:36:38"},"2.1.11":{"tag":"2.1.11","author":"phuongwebo","date":"2026-05-12 11:41:34"},"2.1.12":{"tag":"2.1.12","author":"phuongwebo","date":"2026-05-12 13:25:56"},"2.1.13":{"tag":"2.1.13","author":"phuongwebo","date":"2026-05-12 16:54:17"},"2.1.3":{"tag":"2.1.3","author":"phuongwebo","date":"2026-05-08 17:55:21"},"2.1.4":{"tag":"2.1.4","author":"phuongwebo","date":"2026-05-08 18:06:50"},"2.1.9":{"tag":"2.1.9","author":"phuongwebo","date":"2026-05-08 19:35:35"}},"upgrade_notice":{"2.1.13":"<p>Adds core plugin mutation plus child-site plugin activation\/deactivation via <code>site_id<\/code> or <code>blog_id<\/code> for multisite network admins.<\/p>","2.1.12":"<p>Adds MCP audit logging, optional tool allowlists, and an administrator health\/status tool. Existing MCP access remains unchanged unless allowlist enforcement is enabled in Settings.<\/p>","2.1.11":"<p>Recommended security hardening release: MCP tools now enforce object-level post\/media\/term capabilities and only list tools the current user can call.<\/p>","2.1.10":"<p>Registers the missing <strong><code>webo\/plugin-query<\/code><\/strong> tool (plugin inventory and updates via MCP). Recommended for automation that lists pending plugin updates.<\/p>","2.1.9":"<p>Internal refactor (standalone tool bootstrap file only). No MCP tool renaming; safe routine update.<\/p>","2.1.8":"<p>Critical for <code>webo.vn<\/code> \/ multi-BOM REST bodies: fixes BOM sanitizer regex so repeated UTF-8 BOM prefixes are actually removed.<\/p>","2.1.7":"<p>Recommended if MCP\/remote clients still hit <code>Unexpected token<\/code> \/ invalid JSON \u2014 BOM strip now defaults on for <strong>all<\/strong> REST API responses.<\/p>","2.1.6":"<p>Use this if MCP clients still fail JSON parse on <code>discover-abilities<\/code> \/ ability tools \u2014 BOM strip now covers <code>wp-abilities<\/code> REST routes.<\/p>","2.1.5":"<p>If MCP clients still parse-fail on BOM: this release starts the BOM-stripping buffer before <code>rest_api_init<\/code> for MCP-like URLs.<\/p>","2.1.4":"<p>Further hardening for leading-BOM MCP JSON failures: earlier buffer bootstrap on MCP-like REST URLs.<\/p>","2.1.3":"<p>Recommended if MCP clients show JSON parse errors (leading BOM) on <code>tools\/list<\/code> or <code>tools\/call<\/code> \u2014 response body is sanitized for MCP REST routes.<\/p>","2.1.2":"<p>Restores packaged agent <strong><code>skills\/<\/code><\/strong> in the upstream repo clone; upgrade if you rely on Cursor\/Codex skills from GitHub.<\/p>","2.1.1":"<p>Documentation-only refresh: use docs\/MCP_TOOL_MIGRATION.md when mapping old MCP tool names to dispatchers + <code>action<\/code>. No behavioral change vs 2.1.0 expected.<\/p>","2.0.40":"<p>Recommended update for MCP clients that batch process posts or rely on seo\/article-analysis; list-posts pagination and H1\/schema detection are more accurate.<\/p>","2.0.35":"<p>Adds theme discovery and theme switching tools for MCP clients. This release also carries the shortened WordPress.org short description into the new tagged version.<\/p>","2.0.34":"<p>Recommended update if you manage homepage reading settings via MCP; adds safe support for <code>show_on_front<\/code> and <code>page_on_front<\/code> updates.<\/p>","2.0.33":"<p>Documentation-only refresh on WordPress.org listings; recommended if you rely on the plugin directory description for onboarding.<\/p>","2.0.32":"<p>Recommended update for WP 6.9+ sites using Abilities API and MCP adapter integration.<\/p>","2.0.31":"<p>Maintenance update.<\/p>","2.0.30":"<p>Maintenance update.<\/p>","2.0.29":"<p>Maintenance update for runtime stability and cleaner CLI output. If you use WEBO MCP Pro, review\/update the Pro package compatibility notice before deploying this version to production.<\/p>","2.0.28":"<p>WordPress.org compliance update: readme now documents Google Suggest external service usage with Terms\/Privacy links, and nav-menu API loading no longer relies on WPINC.<\/p>","2.0.27":"<p>MCP clients must send WordPress Application Password (HTTP Basic) or use a logged-in session. API key\/HMAC alone are no longer sufficient when calling the router.<\/p>","2.0.26":"<p>Adds seo\/article-analysis for post-level SEO diagnostics (optional outbound suggest API; set no_autocomplete to skip).<\/p>","2.0.7":"<p>Readme and GitHub README now link webomcp.com and the n8n-nodes-webo-mcp npm package.<\/p>","2.0.6":"<p>License declaration aligned between readme and main plugin file for WordPress.org review.<\/p>","2.0.5":"<p>Plugin header updates for Plugin Check and WordPress.org tooling (@wordpress-plugin, GPLv2 license slug).<\/p>","2.0.4":"<p>Plugin header formatting for WordPress.org Plugin Check (Description, Version, License).<\/p>","2.0.3":"<p>Plugin Check and packaging fixes; upload the release zip from scripts\/build-release.ps1 for WordPress.org.<\/p>","2.0.2":"<p>Packaging and readme updates for WordPress.org review. Always upload the zip from scripts\/build-release.ps1, not the raw git folder.<\/p>","2.0.0":"<p>Major rename: reinstall from folder webo-mcp (or deploy to new path), then activate WEBO MCP. Settings are preserved via migration.<\/p>","1.1.1":"<p>Recommended update to fix tools\/call validation for core tools with no input.<\/p>","1.0.2":"<p>Recommended update to support active plugin verification via MCP tool.<\/p>","1.0.1":"<p>Recommended update to refresh plugin metadata and improve tools\/list compatibility.<\/p>","1.0.0":"<p>Initial public release of WEBO MCP (formerly WEBO WordPress MCP).<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3514777,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3514777,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["2.0.28","2.0.29","2.0.34","2.0.35","2.0.40","2.0.45","2.1.0","2.1.10","2.1.11","2.1.12","2.1.13","2.1.3","2.1.4","2.1.9"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"MCP endpoint working in a REST client (initialize)","2":"tools\/list response with public tools","3":"tools\/call response for a WordPress tool"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[2353,1556,569,69473,242115],"plugin_category":[],"plugin_contributors":[261006],"plugin_business_model":[],"class_list":["post-293340","plugin","type-plugin","status-publish","hentry","plugin_tags-ai","plugin_tags-api","plugin_tags-automation","plugin_tags-json-rpc","plugin_tags-mcp","plugin_contributors-phuongwebo","plugin_committers-phuongwebo"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/webo-mcp\/assets\/icon-128x128.png?rev=3514777","icon_2x":false,"generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>WEBO MCP is a standalone MCP gateway for WordPress. It lets compatible clients call well-defined tools over REST using JSON-RPC, instead of scraping the admin or sharing broad credentials beyond what you intend.<\/p>\n\n<p><strong>What you get<\/strong><\/p>\n\n<ul>\n<li><strong>Token-optimized unified tools:<\/strong> every domain exposes two abilities \u2014 <code>*-query<\/code> (all reads) and <code>*-mutate<\/code> (all writes) \u2014 with a single <code>action<\/code> discriminator. <code>tools\/list<\/code> payload is up to 70% smaller than per-operation APIs, which means less of the model's context window is consumed by tool schemas, lower cost per session, and fewer hallucinated tool names.<\/li>\n<li>Primary router endpoint: <code>POST \/wp-json\/mcp\/v1\/router<\/code><\/li>\n<li>Standard MCP-style flow: <code>initialize<\/code> \u2192 <code>tools\/list<\/code> \u2192 <code>tools\/call<\/code><\/li>\n<li>Session lifecycle for clients (pass <code>session_id<\/code> or <code>Mcp-Session-Id<\/code> after <code>initialize<\/code>)<\/li>\n<li>Built-in tool registry for common WordPress operations (posts, media, terms, menus, options, and more)<\/li>\n<li>Bundled Abilities API + MCP Adapter integration, with automatic bridging from registered abilities to MCP tools (configurable)<\/li>\n<li>Public tool policy controls (category filters and optional allowlists) plus optional internal tool exposure for private environments<\/li>\n<li>Bounded MCP audit log, optional per-user\/role\/client tool allowlists, and a read-only administrator health\/status tool<\/li>\n<\/ul>\n\n<p><strong>Security model (high level)<\/strong><\/p>\n\n<ul>\n<li>MCP access requires a real WordPress user context: Application Password over HTTP Basic, or an existing logged-in session.<\/li>\n<li>Optional site-wide or per-user API key and HMAC can be enabled in Settings as an additional gate (they do not replace WordPress authentication).<\/li>\n<li>Default access expectations for the router and <code>GET \/wp-json\/webo-mcp\/v1\/tools<\/code>: users who are super admins, can <code>manage_options<\/code>, or can <code>edit_posts<\/code>, consistent with typical site operator and editor workflows (filterable).<\/li>\n<\/ul>\n\n<p><strong>Client guidance<\/strong><\/p>\n\n<p>Always discover tools before calling them: run <code>tools\/list<\/code>, pick an exact tool name from the response, validate required arguments, then call <code>tools\/call<\/code>. This reduces mistakes and keeps automation predictable in production.<\/p>\n\n<p><strong>Further documentation and optional integrations<\/strong><\/p>\n\n<ul>\n<li>Project documentation and ecosystem notes: https:\/\/webomcp.com<\/li>\n<li>Optional n8n community node (separate package): https:\/\/www.npmjs.com\/package\/n8n-nodes-webo-mcp<\/li>\n<li>Release notes and migration map: see docs\/RELEASE_NOTES_2.1.0.md and docs\/MIGRATION_GUIDE_2.1.0.md in the GitHub repository<\/li>\n<li>Cross-addon dispatcher map (granular legacy names removed from discovery): docs\/MCP_TOOL_MIGRATION.md<\/li>\n<\/ul>\n\n<p>Compatibility note: any MCP-capable client can be used; which large language model runs inside the client is outside this plugin.<\/p>\n\n<p>Standalone core tools included:\n- Site info\n- Content (posts\/pages): <code>webo\/content-query<\/code> (list, get, find-by-url, search-replace, list-revisions, get-revision) and <code>webo\/content-mutate<\/code> (create, update, delete, bulk-update-status, restore-revision)\n- Users: list\n- Media: <code>webo\/media-query<\/code> (list, get) and <code>webo\/media-mutate<\/code> (upload, update, delete)\n- Comments: <code>webo\/comment-query<\/code> (list, get) and <code>webo\/comment-mutate<\/code> (update, delete)\n- Taxonomy\/Terms: <code>webo\/taxonomy-query<\/code> (discover, list, get) and <code>webo\/taxonomy-mutate<\/code> (create, update, delete)\n- Nav menus: list menus, list menu items (menu_order, db_id), add menu link from post (explicit post_id + menu_order required)\n- Plugins: <code>webo\/plugin-query<\/code> (installed, active, updates, \u2026) and <code>webo\/plugin-mutate<\/code> (install, activate, deactivate; supports child-site <code>site_id<\/code> \/ <code>blog_id<\/code> activation for network admins)\n- Health: <code>webo\/health-status<\/code> (REST\/router status, Application Password support, permalinks, cron, object cache, plugin update summary, WordPress\/PHP versions, and redacted MCP config)\n- Themes: <code>webo\/theme-query<\/code>, <code>webo\/theme-mutate<\/code>\n- Menus: <code>webo\/menu-query<\/code>, <code>webo\/menu-mutate<\/code>\n- Options: get\/update (safe allowlist only), set site icon\/favicon from media\n- SEO (WordPress post): seo\/article-analysis \u2014 requires post_id; merges Rank Math meta when available (same data path as webo-rank-math\/get-post-seo-meta); optional related-keyword suggestions via outbound request unless no_autocomplete is true<\/p>\n\n<p>Excluded by default in standalone-safe mode:\n- Bulk\/mass execution tools\n- Plugin\/theme write-management abilities\n- Multisite-specific abilities<\/p>\n\n<h3>Privacy<\/h3>\n\n<p>This plugin does not phone home or send telemetry. MCP traffic is initiated by clients you configure. Some tools may perform outbound HTTP requests only when a client invokes them (for example seo\/article-analysis may request keyword suggestions from a third-party suggest API unless you pass no_autocomplete).<\/p>\n\n<p>The plugin stores the following options in the WordPress database when configured:\n- <code>webo_mcp_api_key<\/code>: API key used to authenticate MCP requests.\n- <code>webo_mcp_hmac_secret<\/code>: HMAC secret used to sign and validate MCP requests.\n- <code>webo_mcp_tool_allowlist_enabled<\/code> and <code>webo_mcp_tool_allowlist_rules<\/code>: optional administrator-configured MCP tool allowlist policy.\n- <code>webo_mcp_audit_log_enabled<\/code>, <code>webo_mcp_audit_log_max_entries<\/code>, and <code>webo_mcp_audit_log<\/code>: bounded MCP tool-call audit log settings and compact audit events. Audit entries include user\/tool\/action\/status data, anonymized IPs, and hashed session IDs; they do not store request payloads, API keys, HMAC secrets, or Application Passwords.<\/p>\n\n<p>These options are removed when the plugin is uninstalled via the WordPress Plugins screen.<\/p>\n\n<h3>External services<\/h3>\n\n<p>This plugin can connect to Google Suggest (Autocomplete) when a client calls the <code>seo\/article-analysis<\/code> tool and does not set <code>no_autocomplete<\/code> to true. This external request is used to return related keyword suggestions for SEO analysis.<\/p>\n\n<p>Service provider: Google LLC (Google Suggest \/ Autocomplete API endpoint).<\/p>\n\n<p>Data sent and when:\n- Sent only when <code>seo\/article-analysis<\/code> is called with autocomplete enabled.\n- Sends the analysis query text to <code>https:\/\/suggestqueries.google.com\/complete\/search<\/code> as the <code>q<\/code> parameter.\n- Sends standard HTTP request metadata such as IP address and User-Agent as part of the web request.<\/p>\n\n<p>Terms of Service: https:\/\/policies.google.com\/terms\nPrivacy Policy: https:\/\/policies.google.com\/privacy<\/p>\n\n<h3>Developer Hooks<\/h3>\n\n<p>The plugin exposes the following actions and filters for developers:<\/p>\n\n<h3>Actions<\/h3>\n\n<ul>\n<li><code>webo_mcp_register_tools<\/code>\nFired during plugin bootstrap after standalone tools are registered. Use this to register custom MCP tools from other plugins.<\/li>\n<\/ul>\n\n<h3>Filters<\/h3>\n\n<ul>\n<li><p><code>webo_mcp_current_user_can_use_mcp<\/code> (bool $allowed, int $user_id)\nGate for all MCP REST access. Default: super admin OR <code>manage_options<\/code> OR <code>edit_posts<\/code>. Override to tighten (e.g. super-admin only) in hardened installs.<\/p><\/li>\n<li><p><code>webo_mcp_allow_internal_tools<\/code> (bool $allow_internal, WP_REST_Request $request)\nControls whether internal tools are included in tools\/list responses. Defaults to false for public environments.<\/p><\/li>\n<li><p><code>webo_mcp_public_categories<\/code> (array $categories, WP_REST_Request $request, array $tool)\nFilters which tool categories are exposed as public. Defaults to array( 'wordpress' ).<\/p><\/li>\n<li><p><code>webo_mcp_public_tool_allowlist<\/code> (array $names, WP_REST_Request $request, array $tool)\nOptional allowlist of specific tool names that are always considered public.<\/p><\/li>\n<li><p><code>webo_mcp_bridge_deny_patterns<\/code> (array $patterns)\nControls which abilities are excluded when auto-bridging abilities into MCP tools (e.g. bulk, plugins\/, themes\/, multisite\/).<\/p><\/li>\n<li><p><code>webo_mcp_auto_bridge_abilities<\/code> (bool $enabled)\nEnables or disables automatic bridging of registered abilities into MCP tools. Defaults to true.<\/p><\/li>\n<li><p><code>webo_mcp_enable_adapter<\/code> (bool $enabled)\nEnables or disables the bundled WordPress MCP Adapter runtime. Defaults to true.<\/p><\/li>\n<li><p><code>webo_mcp_validate_media_fetch_url<\/code> (true|\\WP_Error $ok, string $url, array $parsed)\nReject unsafe URLs for webo\/media-mutate upload action (return WP_Error to block).<\/p><\/li>\n<li><p><code>webo_mcp_tool_allowlist_allowed<\/code> (bool $allowed, string $tool_name, WP_REST_Request $request, array $params, array $allowed_tools)\nFilters the optional per-user\/role\/client allowlist decision.<\/p><\/li>\n<\/ul>\n\n<h3>Credits<\/h3>\n\n<p>Special thanks to the authors and open source projects that contributed to this plugin:\n- WordPress (https:\/\/wordpress.org)\n- Abilities API (https:\/\/github.com\/WordPress\/abilities-api)\n  Reference: https:\/\/make.wordpress.org\/ai\/2025\/07\/17\/abilities-api\/\n- MCP Adapter (https:\/\/github.com\/WordPress\/mcp-adapter)\n  Reference: https:\/\/make.wordpress.org\/ai\/2025\/07\/17\/mcp-adapter\/\n- Composer (https:\/\/getcomposer.org)\n- Other PHP and JS libraries from the community<\/p>\n\n<p>If you use this plugin, please give credit to the authors of these libraries.<\/p>\n\n<h3>License<\/h3>\n\n<p>This plugin is licensed under the GPLv2 or later.\nSee https:\/\/www.gnu.org\/licenses\/gpl-2.0.html for details.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin folder to \/wp-content\/plugins\/webo-mcp<\/li>\n<li>Run composer install inside the plugin folder<\/li>\n<li>Activate the plugin in WordPress Admin<\/li>\n<li>Send JSON-RPC requests to POST \/wp-json\/mcp\/v1\/router<\/li>\n<\/ol>\n\n<p>For release packaging, use scripts\/build-release.ps1 to create a clean zip with .distignore exclusions.<\/p>\n\n<!--section=faq-->\n<dl>\n<dt id=\"which%20endpoint%20should%20mcp%20clients%20use%3F\"><h3>Which endpoint should MCP clients use?<\/h3><\/dt>\n<dd><p>POST \/wp-json\/mcp\/v1\/router<\/p><\/dd>\n<dt id=\"where%20is%20the%20official%20website%20and%20the%20n8n%20package%3F\"><h3>Where is the official website and the n8n package?<\/h3><\/dt>\n<dd><p>The project hub is https:\/\/webomcp.com. For n8n, install the community node from npm: https:\/\/www.npmjs.com\/package\/n8n-nodes-webo-mcp<\/p><\/dd>\n<dt id=\"can%20this%20run%20wordpress%20abilities%20by%20itself%3F\"><h3>Can this run WordPress abilities by itself?<\/h3><\/dt>\n<dd><p>Yes. This plugin bundles Abilities API via Composer and auto-bridges registered abilities to MCP tools. You can disable auto-bridge with filter webo_mcp_auto_bridge_abilities set to false.<\/p><\/dd>\n<dt id=\"how%20do%20i%20migrate%20from%20legacy%20one-operation%20tool%20names%3F\"><h3>How do I migrate from legacy one-operation tool names?<\/h3><\/dt>\n<dd><p>Use <code>tools\/list<\/code> to discover the dispatcher tool names on your site, then pass the correct <code>action<\/code> (or query\/mutate discriminant) for each operation. Use docs\/MIGRATION_GUIDE_2.1.0.md for the 2.1.0 rollout narrative and docs\/MCP_TOOL_MIGRATION.md for a consolidated addon-by-addon map (Rank Math, Rocket, WooCommerce groups, etc.).<\/p><\/dd>\n<dt id=\"can%20i%20expose%20internal%20tools%3F\"><h3>Can I expose internal tools?<\/h3><\/dt>\n<dd><p>Yes, via filter webo_mcp_allow_internal_tools in private environments.<\/p><\/dd>\n<dt id=\"can%20i%20limit%20public%20tools%20by%20category%3F\"><h3>Can I limit public tools by category?<\/h3><\/dt>\n<dd><p>Yes, via filter webo_mcp_public_categories.<\/p><\/dd>\n<dt id=\"can%20i%20keep%20only%20wordpress.org-safe%20features%3F\"><h3>Can I keep only WordPress.org-safe features?<\/h3><\/dt>\n<dd><p>Yes. Default bridge rules exclude patterns for bulk, plugins\/themes, and multisite abilities.<\/p><\/dd>\n<dt id=\"is%20this%20plugin%20suitable%20for%20production%3F\"><h3>Is this plugin suitable for production?<\/h3><\/dt>\n<dd><p>Yes, when used with proper authentication, TLS, and a limited tool exposure policy.<\/p><\/dd>\n<dt id=\"how%20do%20i%20authenticate%20mcp%20clients%3F\"><h3>How do I authenticate MCP clients?<\/h3><\/dt>\n<dd><p>Use a WordPress <strong>Application Password<\/strong> (Users \u2192 Profile \u2192 Application Passwords) and send it with HTTP Basic Auth (username = WordPress username, password = the application password). You can combine that with the optional <strong>API Key<\/strong> and <strong>HMAC<\/strong> values from Settings \u2192 WEBO MCP when those fields are set.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>2.1.13<\/h4>\n\n<ul>\n<li>Added <code>webo\/plugin-mutate<\/code> for WordPress.org plugin install, activation, and deactivation through the core plugin endpoint.<\/li>\n<li>Added <code>site_id<\/code> \/ <code>blog_id<\/code> support so network admins can activate or deactivate plugins for one multisite child site from the network MCP endpoint.<\/li>\n<li>Safety: rejects conflicting <code>site_id<\/code> \/ <code>blog_id<\/code> plus <code>network_activate<\/code> \/ <code>network_wide<\/code> requests so child-site activation and network-wide activation stay explicit.<\/li>\n<\/ul>\n\n<h4>2.1.12<\/h4>\n\n<ul>\n<li>Added a bounded, admin-readable MCP audit log for <code>tools\/call<\/code> events with user, tool\/action, object ID when available, anonymized IP, hashed session ID, status, and compact result\/error summaries.<\/li>\n<li>Added optional per-user, per-role, and per-client\/Application Password tool allowlists. Enforcement is disabled by default to preserve existing access until an administrator opts in.<\/li>\n<li>Added read-only administrator tool <code>webo\/health-status<\/code> covering REST\/router status, Application Password support, permalinks, cron, object cache, plugin update summary, WordPress\/PHP versions, and redacted MCP config status.<\/li>\n<\/ul>\n\n<h4>2.1.11<\/h4>\n\n<ul>\n<li>Security: enforce object-level capabilities for MCP content\/media mutations, including <code>edit_post<\/code>, <code>delete_post<\/code>, publish\/private status changes, and taxonomy-specific term capabilities.<\/li>\n<li>Security: filter read tools by <code>read_post<\/code> and hide tools from <code>tools\/list<\/code> when the authenticated user lacks the tool capability.<\/li>\n<li>Hardening: use WordPress safe HTTP validation for optional Google Suggest requests in <code>seo\/article-analysis<\/code>.<\/li>\n<\/ul>\n\n<h4>2.1.10<\/h4>\n\n<ul>\n<li>Fix: register <strong><code>webo\/plugin-query<\/code><\/strong> in <code>Standalone_Tools<\/code> so MCP clients can list plugin updates (<code>query=updates<\/code>, optional <code>refresh=true<\/code>) and other inspection modes.<\/li>\n<li>Bootstrap: prime <code>WP_Abilities_Registry<\/code> at <code>init:2<\/code> so <code>wp_abilities_api_init<\/code> runs before MCP bootstrap (<code>init:20<\/code>), preventing <code>_doing_it_wrong<\/code> when abilities register on <code>webo_mcp_register_tools<\/code>.<\/li>\n<\/ul>\n\n<h4>2.1.9<\/h4>\n\n<ul>\n<li>Refactor: move built-in MCP tool registration into <code>inc\/bootstrap\/class-standalone-tools.php<\/code> (smaller bootstrap; same tool names).<\/li>\n<li>Maintainer: broaden <code>.gitignore<\/code> (composer <code>vendor\/bin\/<\/code>, Cursor local config, scratch files); ship <code>scripts\/<\/code> helpers and <code>docs\/WPORG_REVIEW_REPLY_2.0.28.md<\/code>; keep <code>composer.json<\/code> production-only.<\/li>\n<\/ul>\n\n<h4>2.1.8<\/h4>\n\n<ul>\n<li>BOM guard: fix PCRE \u2014 use <code>^(?:\\xEF\\xBB\\xBF)+<\/code> so <strong>multiple<\/strong> UTF-8 BOMs are stripped (the old <code>^\\xEF\\xBB\\xBF+<\/code> only repeated the final <code>0xBF<\/code> byte, breaking responses such as <code>wp\/v2\/types<\/code> on <code>webo.vn<\/code> for MCP clients).<\/li>\n<\/ul>\n\n<h4>2.1.7<\/h4>\n\n<ul>\n<li>BOM guard: sanitize <strong>all<\/strong> REST API requests (<code>\/wp-json\/\u2026<\/code>, <code>wp-json.php<\/code>, <code>?rest_route=<\/code>) by default (<code>webo_mcp_rest_bom_guard_json_api_requests<\/code> filter to disable).<\/li>\n<\/ul>\n\n<h4>2.1.6<\/h4>\n\n<ul>\n<li>BOM guard: treat <strong>Abilities API<\/strong> REST URLs (<code>wp-abilities\/v1<\/code>) the same as MCP router URLs \u2014 <code>@automattic\/mcp-wordpress-remote<\/code> calls discover\/execute over <code>wp-abilities<\/code>, which previously skipped the sanitizer.<\/li>\n<\/ul>\n\n<h4>2.1.5<\/h4>\n\n<ul>\n<li>BOM guard: also start the sanitizer on <code>plugins_loaded<\/code> and <code>init<\/code> at priority <code>-999999<\/code> when the request URI looks MCP (covers BOM echoed before <code>rest_api_init<\/code>).<\/li>\n<\/ul>\n\n<h4>2.1.4<\/h4>\n\n<ul>\n<li>BOM guard: start output buffer at <code>rest_api_init<\/code> priority 0 when Request-URI\/<code>rest_route<\/code> looks like MCP (catches BOM printed before routing); loop-strip repeated BOM\/FEFF; filter <code>webo_mcp_rest_bom_guard_enabled<\/code> to disable.<\/li>\n<\/ul>\n\n<h4>2.1.3<\/h4>\n\n<ul>\n<li>REST: strip accidental UTF-8 BOM \/ stray U+FEFF before JSON on MCP routes so clients no longer fail JSON parse with <code>Unexpected token<\/code> (defensive <code>ob_start<\/code> handler on <code>rest_pre_dispatch<\/code>).<\/li>\n<\/ul>\n\n<h4>2.1.2<\/h4>\n\n<ul>\n<li>Restore the versioned <strong><code>skills\/<\/code><\/strong> subtree in the Git repository (guides and ability-specific SKILL.md files referenced from README.md), matching the documented <code>npx skills add<\/code> workflows.<\/li>\n<li>Add <strong><code>webo-mcp-ultimo-domain-dns-cf<\/code><\/strong> skill index entry (Ultimo checking-dns + Cloudflare checklist).<\/li>\n<li>skills\/README.md: document <strong>WP Rocket<\/strong> skill (<code>cache-query<\/code> \/ <code>cache-mutate<\/code> unified tools).<\/li>\n<\/ul>\n\n<h4>2.1.1<\/h4>\n\n<ul>\n<li>Documentation: add docs\/MCP_TOOL_MIGRATION.md (cross-addon dispatcher map; Rank Math + Rocket public-vs-internal discovery, WooCommerce query\/mutate tool names).<\/li>\n<li>Readme (GitHub + WordPress.org): align examples with <code>webo\/content-query<\/code>, document <code>meta.mcp.public<\/code> visibility for bridged abilities, link migration doc; sync standalone tool bullets (menus, themes, plugins).<\/li>\n<\/ul>\n\n<h4>2.1.0<\/h4>\n\n<ul>\n<li><strong>Token optimization \u2014 ecosystem-wide enum-dispatch unification.<\/strong> All WEBO MCP addons now follow the same query\/mutate pattern as the core plugin, replacing one-tool-per-operation APIs with unified abilities that accept an <code>action<\/code> argument:\n\n<ul>\n<li><strong>webo-mcp-woocommerce:<\/strong> 27 individual tools \u2192 10 unified tools (<code>webo\/woo-query-products<\/code>, <code>webo\/woo-mutate-products<\/code>, <code>webo\/woo-query-orders<\/code>, <code>webo\/woo-mutate-orders<\/code>, <code>webo\/woo-query-customers<\/code>, <code>webo\/woo-mutate-customers<\/code>, <code>webo\/woo-query-coupons<\/code>, <code>webo\/woo-mutate-coupons<\/code>, <code>webo\/woo-query-store<\/code>, <code>webo\/woo-mutate-store<\/code>).<\/li>\n<li><strong>webo-mcp-rank-math:<\/strong> 18 individual tools \u2192 10 unified <code>webo-rank-math\/*-query<\/code>\/<code>*-mutate<\/code> abilities; granular abilities may stay MCP-internal (see addon <code>wp_register_ability_args<\/code>).<\/li>\n<li><strong>webo-mcp-rocket:<\/strong> 9 individual tools \u2192 2 unified tools (<code>webo-rocket\/cache-query<\/code>, <code>webo-rocket\/cache-mutate<\/code>).<\/li>\n<\/ul><\/li>\n<li><strong>Impact:<\/strong> with core and addons active the total tool count visible in <code>tools\/list<\/code> drops from ~79+ to ~34. A smaller tool list means the model picks tools faster, uses less context budget per request, and makes fewer tool-name errors.<\/li>\n<li><strong>Pattern:<\/strong> each unified ability requires one <code>action<\/code> string that is dispatched server-side via PHP <code>match()<\/code>. All existing handler logic is preserved \u2014 only the registration surface changes.<\/li>\n<li>Updated skills documentation for webo-mcp-ability-woocommerce, webo-mcp-ability-rank-math, webo-mcp-ability-rocket, and webo-mcp-guide.<\/li>\n<\/ul>\n\n<h4>2.0.45<\/h4>\n\n<ul>\n<li>Refactor: unify media tools into <code>webo\/media-query<\/code> (list, get) and <code>webo\/media-mutate<\/code> (upload, update, delete); removes 5 legacy media tools.<\/li>\n<li>Refactor: unify taxonomy\/term tools into <code>webo\/taxonomy-query<\/code> (discover, list, get) and <code>webo\/taxonomy-mutate<\/code> (create, update, delete); removes 6 legacy term tools.<\/li>\n<li>Refactor: unify comment tools into <code>webo\/comment-query<\/code> (list, get) and <code>webo\/comment-mutate<\/code> (update, delete); removes 4 legacy comment tools.<\/li>\n<li>Refactor: unify post\/content tools into <code>webo\/content-query<\/code> and <code>webo\/content-mutate<\/code>; removes 17 legacy post tools.<\/li>\n<li>Refactor: replace <code>webo\/list-active-plugins<\/code> with unified <code>webo\/plugin-query<\/code> (list, get, activate, deactivate).<\/li>\n<li>All unified tools normalize the <code>id<\/code> field as the primary response identifier; domain aliases (attachment_id, term_id, comment_id) are kept for backward compatibility.<\/li>\n<li>SEO: improved Unicode word count using Unicode ranges for multilingual content; non-spaced scripts (CJK, Thai) now estimate word count via character-based heuristics.<\/li>\n<\/ul>\n\n<h4>2.0.44<\/h4>\n\n<ul>\n<li>SEO readability: estimate word count for non-spaced scripts (CJK, Thai, Khmer) via character-based heuristics.<\/li>\n<\/ul>\n\n<h4>2.0.43<\/h4>\n\n<ul>\n<li>SEO readability: count Unicode title and meta description lengths correctly for non-ASCII characters.<\/li>\n<\/ul>\n\n<h4>2.0.42<\/h4>\n\n<ul>\n<li>SEO readability: count Unicode words correctly for multilingual content.<\/li>\n<\/ul>\n\n<h4>2.0.41<\/h4>\n\n<ul>\n<li>Media\/site settings: add <code>webo\/set-site-icon<\/code> to set the WordPress site icon\/favicon from an existing image attachment.<\/li>\n<\/ul>\n\n<h4>2.0.40<\/h4>\n\n<ul>\n<li>MCP post tools: add page, offset, orderby, and order support to webo\/list-posts responses for reliable batch processing.<\/li>\n<li>SEO analyzer: infer the WordPress post title as the primary H1 when content omits an H1, and include Article JSON-LD from post\/Rank Math metadata for more accurate schema checks.<\/li>\n<\/ul>\n\n<h4>2.0.39<\/h4>\n\n<ul>\n<li>Options: allow safe permalink\/category\/tag base updates through MCP and flush rewrite rules after URL setting changes.<\/li>\n<\/ul>\n\n<h4>2.0.38<\/h4>\n\n<ul>\n<li>MCP post tools: preserve safe HTML for post content\/excerpt arguments so SEO headings, lists, tables, and images can be authored through create\/update calls.<\/li>\n<\/ul>\n\n<h4>2.0.35<\/h4>\n\n<ul>\n<li>New site-management tools: <code>webo\/list-themes<\/code> and <code>webo\/switch-theme<\/code> for discovering installed themes and switching the active theme by stylesheet slug.<\/li>\n<li>Readme: release includes the shortened WordPress.org short description, keeping the short description under the 150 character import limit.<\/li>\n<\/ul>\n\n<h4>2.0.34<\/h4>\n\n<ul>\n<li>Options: allow <code>webo\/update-options<\/code> and <code>webo\/get-options<\/code> to handle <code>show_on_front<\/code> and <code>page_on_front<\/code>.<\/li>\n<li>Safety: validate <code>show_on_front<\/code> as <code>posts|page<\/code> and ensure <code>page_on_front<\/code> references a valid Page ID (or 0).<\/li>\n<\/ul>\n\n<h4>2.0.33<\/h4>\n\n<ul>\n<li>Readme: refresh WordPress.org-facing description for clarity; lead with product value and protocol workflow, move ecosystem links to a secondary section.<\/li>\n<\/ul>\n\n<h4>2.0.32<\/h4>\n\n<ul>\n<li>Fix: avoid WP 6.9 Abilities API incorrect-usage notices by hardening adapter category\/ability registration order and late-boot recovery.<\/li>\n<li>Docs: add AGENTS.md workflow guidance and prioritize guide-first structure in README\/readme.txt.<\/li>\n<\/ul>\n\n<h4>2.0.31<\/h4>\n\n<ul>\n<li>Maintenance: version bump.<\/li>\n<\/ul>\n\n<h4>2.0.30<\/h4>\n\n<ul>\n<li>Maintenance: version bump.<\/li>\n<\/ul>\n\n<h4>2.0.29<\/h4>\n\n<ul>\n<li>Reliability: harden MCP adapter bootstrap and schema type handling (supports array\/nullable type definitions safely).<\/li>\n<li>WP-CLI noise reduction: register core mcp-adapter abilities before bridge wiring and suppress default adapter server bootstrap in CLI mode to avoid false missing-ability errors.<\/li>\n<li>Release notice: users running WEBO MCP Pro should update Pro package compatibility notes from the official docs\/release channel before production rollout.<\/li>\n<\/ul>\n\n<h4>2.0.28<\/h4>\n\n<ul>\n<li>WordPress.org review fixes: added explicit <code>External services<\/code> disclosure for Google Suggest\/Autocomplete used by <code>seo\/article-analysis<\/code> (service purpose, transmitted query data and request metadata, conditions, Terms and Privacy links).<\/li>\n<li>Compatibility: removed use of <code>WPINC<\/code> for nav-menu API loading; now load nav-menu API via explicit core include paths with availability checks to reduce environment-specific path issues.<\/li>\n<\/ul>\n\n<h4>2.0.27<\/h4>\n\n<ul>\n<li>Security (WordPress.org guidelines): MCP router no longer maps API keys or HMAC to arbitrary user accounts. All requests require WordPress Application Password (Basic Auth) or an existing logged-in session; optional site API key and HMAC apply only after authentication.<\/li>\n<li>Readme: Contributors includes phuongwebo; clarify authentication in description and FAQ.<\/li>\n<\/ul>\n\n<h4>2.0.26<\/h4>\n\n<ul>\n<li>New MCP tool seo\/article-analysis (category seo, edit_posts): WordPress-only on-page SEO signals for a post via post_id \u2014 rendered content, Rank Math merge, readability, issues, content_gaps. Agent documentation: skills\/webo-mcp-seo-article\/SKILL.md in the GitHub repo (not bundled in the WordPress.org zip).<\/li>\n<li>Readme: Stable tag sync, privacy note for optional outbound tool requests.<\/li>\n<\/ul>\n\n<h4>2.0.25<\/h4>\n\n<ul>\n<li>list-posts: document defaults (publish + post type post); response includes applied filters so empty results are easier to explain. Models should pass status draft (etc.) and post_type page when listing those.<\/li>\n<\/ul>\n\n<h4>2.0.24<\/h4>\n\n<ul>\n<li>Nav menus: list-nav-menu-locations response includes note explaining slug vs label; MCP descriptions tell models to call this tool first to discover theme_location keys.<\/li>\n<\/ul>\n\n<h4>2.0.23<\/h4>\n\n<ul>\n<li>Nav menus: list-nav-menus response includes menu_id (same as term_id) and clearer MCP tool descriptions so clients list menus without asking users for menu_id first.<\/li>\n<\/ul>\n\n<h4>2.0.22<\/h4>\n\n<ul>\n<li>Nav menus: if create-nav-menu \/ create-nav-menu-for-location targets a name that already exists, reuse the existing menu term and continue (reused_existing_menu in JSON). Return a clear error if core nav-menu.php cannot be loaded. Expanded primary fallback slugs (primary-menu, header-menu, mobile). assign-nav-menu-to-location accepts menu_name when menu_id is omitted (assigned_via_menu_name in response).<\/li>\n<\/ul>\n\n<h4>2.0.21<\/h4>\n\n<ul>\n<li>Nav menus: resolve theme location when slug primary is missing (single registered slot, or common slugs main\/header\/menu-1\/navigation). Load wp-includes\/nav-menu.php before wp_create_nav_menu in REST context. Response field theme_location_resolution indicates how the slug was chosen.<\/li>\n<\/ul>\n\n<h4>2.0.20<\/h4>\n\n<ul>\n<li>Access: MCP router gate allows <code>manage_options<\/code> and <code>edit_posts<\/code> (Editors, site admins on multisite), not only <code>is_super_admin<\/code>; fixes list-nav-menus \/ tools\/call failing for non-administrator users. Multisite API key\/HMAC falls back to first site Administrator if no Super Admin login exists. Error code <code>webo_mcp_access_denied<\/code> replaces misleading super-admin-only message.<\/li>\n<\/ul>\n\n<h4>2.0.15<\/h4>\n\n<ul>\n<li>Nav menus: list-nav-menus, list-nav-menu-items (db_id, menu_order, object_id, parent_db_id), add-nav-menu-item-from-post with required post_id, post_type, and menu_order (explicit developer values; no auto placement).<\/li>\n<\/ul>\n\n<h4>2.0.14<\/h4>\n\n<ul>\n<li>Security: MCP JSON-RPC router, SecurityHelper, tools discovery, and internal-tool policy default to network Super Admin on multisite (<code>is_super_admin<\/code>). Single-site installs use WordPress core\u2019s <code>is_super_admin()<\/code> behavior (typically full administrators). Global API key\/HMAC elevates to the first Super Admin user on multisite.<\/li>\n<\/ul>\n\n<h4>2.0.7<\/h4>\n\n<ul>\n<li>Readme: highlight https:\/\/webomcp.com and n8n community node https:\/\/www.npmjs.com\/package\/n8n-nodes-webo-mcp; short description and FAQ; README.md aligned.<\/li>\n<\/ul>\n\n<h4>2.0.6<\/h4>\n\n<ul>\n<li>License: plugin header uses the same wording as readme.txt (\"GPL v2 or later\") to satisfy WordPress.org declared-license checks.<\/li>\n<\/ul>\n\n<h4>2.0.5<\/h4>\n\n<ul>\n<li>Plugin header: @wordpress-plugin marker for strict scanners; License line uses GPLv2 or later slug (Plugin Handbook).<\/li>\n<\/ul>\n\n<h4>2.0.4<\/h4>\n\n<ul>\n<li>Plugin header: handbook field order, shorter Description line, License text \"GPL v2 or later\", Domain Path for translations.<\/li>\n<\/ul>\n\n<h4>2.0.3<\/h4>\n\n<ul>\n<li>WordPress.org \/ Plugin Check: include composer.json when vendor is bundled; replace unlink with wp_delete_file for temp uploads; remove load_plugin_textdomain (core loads translations); resolve API key usermeta via get_users instead of direct $wpdb; readme short description, allowed Tags, Stable tag sync.<\/li>\n<\/ul>\n\n<h4>2.0.2<\/h4>\n\n<ul>\n<li>WordPress.org packaging: release zip excludes dotfiles and all .github trees; readme Tested up to 6.9.<\/li>\n<\/ul>\n\n<h4>2.0.1<\/h4>\n\n<ul>\n<li>Hardening: HMAC auth passes REST permission layer; SSRF guard for upload-media-from-url; paginated search-replace (max 500 posts per call); sanitized safe option updates; removed duplicate unused settings class.<\/li>\n<\/ul>\n\n<h4>2.0.0<\/h4>\n\n<ul>\n<li>Plugin renamed to WEBO MCP; folder and main file: webo-mcp\/webo-mcp.php.<\/li>\n<li>Text domain, REST namespace webo-mcp\/v1, hooks webo_mcp_* (breaking for custom code using old hook names).<\/li>\n<li>Options and API-key usermeta migrate automatically from webo-wordpress-mcp keys on first load.<\/li>\n<\/ul>\n\n<h4>1.1.1<\/h4>\n\n<ul>\n<li>Added empty input_schema definitions for core\/get-user-info and core\/get-environment-info.<\/li>\n<li>Fixes MCP tools\/call validation errors when invoking these no-input core tools.<\/li>\n<\/ul>\n\n<h4>1.0.2<\/h4>\n\n<ul>\n<li>Added new read-only tool: webo\/list-active-plugins.<\/li>\n<li>Enables MCP clients to verify active plugins with capability check.<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Metadata refresh release to ensure dependency headers are reloaded correctly.<\/li>\n<li>tools\/list compatibility improvements for include_internal aliases and legacy endpoint support.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial stable public release.<\/li>\n<li>MCP JSON-RPC router with initialize, tools\/list, tools\/call.<\/li>\n<li>Tool registry integration and public visibility policy controls.<\/li>\n<li>Session management and optional API key\/HMAC security.<\/li>\n<\/ul>","raw_excerpt":"Token-optimized MCP gateway for WordPress: unified query\/mutate tools cut context-window usage by up to 70% vs. per-operation APIs.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/293340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=293340"}],"author":[{"embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/phuongwebo"}],"wp:attachment":[{"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=293340"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=293340"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=293340"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=293340"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=293340"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/hr.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=293340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}