Updated: April 1, 2026 By: Marios
There’s a before and after happening in WordPress right now, and most people haven’t noticed yet.
Before: you ask an AI to help with your WordPress site, and it generates generic advice based on its training data. It doesn’t know your site, your content, your plugins, or your products. You copy suggestions, paste them into your dashboard, and hope they work.
After: you connect Claude (or ChatGPT, Cursor, or VS Code) directly to your WordPress site through MCP, and the AI can actually read your posts, create drafts, manage plugins, audit your content, update product descriptions, and execute real actions — all through natural conversation. Not generic advice. Real operations on your real site.
MCP stands for Model Context Protocol. It’s an open standard developed by Anthropic that lets AI assistants communicate with external systems in a structured, authenticated way. WordPress now supports it natively. And setting it up is far simpler than you’d expect.
This guide covers every path to connecting AI agents to your WordPress site — whether you’re on WordPress.com, self-hosted, using a local development environment, or running WooCommerce.
What MCP actually does (and doesn’t do)
Before diving into setup, it’s worth being precise about what MCP enables, because there’s a lot of confusion.
What MCP does: It gives AI agents structured, authenticated access to specific WordPress capabilities. When Claude connects to your site via MCP, it can discover what tools are available (listing posts, creating drafts, checking plugin status), call those tools through a standardized protocol, and return results — all within the AI conversation. The AI doesn’t have raw database access. It can only use capabilities that have been explicitly registered and exposed.
What MCP doesn’t do: It doesn’t give AI agents unrestricted access to your site. MCP respects WordPress’s existing permission system. If the authenticated user doesn’t have permission to delete posts, the AI can’t delete posts through MCP either. Every action goes through capability checks, and abilities must be explicitly marked as public before any AI agent can see them.
Think of it this way: the WordPress AI provider plugins (for Claude, GPT, Gemini) let WordPress talk to AI. MCP lets AI talk to WordPress. The direction reverses — and that changes everything about what’s possible.
Path 1: WordPress.com sites (the easiest setup)
If your site is on WordPress.com, this is a five-minute setup with no technical work.
WordPress.com launched built-in MCP support in early 2026, along with an official Claude connector — the first of its kind from any WordPress host. The integration uses OAuth 2.1 authentication, meaning you authorize the connection through your browser with no API keys or config files.
How to set it up
Log into your WordPress.com dashboard. Hover over your name in the top right and click “My WordPress.com Account.” Click MCP on the profile page. Toggle MCP Access to ON. Optionally, scroll to the Available MCP Tools section and disable any tools you don’t want AI agents to access.
To connect Claude specifically, go to claude.ai, navigate to Connectors, search for WordPress, and follow the authorization flow. Claude will ask permission to access your site — review the permissions, approve, and you’re connected.
For ChatGPT, you’ll need to enable Developer Mode and create a WordPress.com app via the MCP URL. Cursor users can find WordPress in the Cursor MCP Directory and click “Add to Cursor” for automatic configuration.
What you can do once connected
With MCP enabled on WordPress.com, you can have conversations like:
“Show me my site’s traffic for the last 30 days.” Claude pulls real analytics data from your site, not estimates.
“Which posts haven’t been updated in over a year?” Claude checks publish and update dates across your entire site and returns a list.
“Summarize recent comments across my site.” Claude reads your actual comments and surfaces trends.
“Create a draft post about [topic] based on the writing style of my recent articles.” Claude reads your published content, matches your voice, and creates a draft in your editor.
WordPress.com’s MCP currently provides read-only access by default for the Claude connector. Write operations through other MCP tools request confirmation before executing — deleted posts, pages, and media can be recovered from trash for 30 days, but categories and tags are permanent.
Path 2: Self-hosted WordPress with the official MCP Adapter (the standard approach)
For self-hosted WordPress installations, the official MCP Adapter plugin is the canonical way to enable MCP. It bridges WordPress’s Abilities API to the Model Context Protocol, exposing registered abilities as tools that AI agents can discover and execute.
This requires slightly more setup than WordPress.com, but it gives you full control over what’s exposed and how.
What you need
WordPress 7.0 (which includes the Abilities API in core) or WordPress 6.9 with the Abilities API plugin installed separately. The MCP Adapter plugin, available from the WordPress GitHub repository. Node.js 18 or later installed on your local machine (for the remote proxy). An MCP-compatible client like Claude Desktop, Claude Code, Cursor, or VS Code.
Step 1: Install the MCP Adapter
In your WordPress admin, go to Plugins → Add New. The MCP Adapter can be installed by uploading the zip file from the GitHub releases page. Once installed, activate it. The plugin registers a default MCP server and exposes three core adapter abilities: discovering available abilities, executing abilities, and getting site information.
Step 2: Create an Application Password
Go to Users → Your Profile → Application Passwords. Enter a name like “MCP Connection” and click Add New Application Password. Copy the generated password — you’ll need it for the client configuration. This password authenticates the MCP proxy’s HTTP requests to your WordPress site.
Step 3: Configure your AI client
The MCP Adapter uses a two-part architecture: the plugin runs on your WordPress site and listens for requests, while a local proxy runs on your computer and translates MCP protocol messages into HTTP calls.
For Claude Desktop, open Settings → Developer → Edit Config and add:
json
{
"mcpServers": {
"my-wordpress-site": {
"command": "npx",
"args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
"env": {
"WP_API_URL": "https://your-site.com/",
"WP_API_USERNAME": "your-admin-username",
"WP_API_PASSWORD": "your-application-password"
}
}
}
}Replace the URL, username, and password with your actual values. Save the config, quit Claude Desktop, and reopen it.
For Claude Code, the command is:
claude mcp add --transport stdio my-wordpress -- npx -y @automattic/mcp-wordpress-remote@latestThen set the environment variables for your site URL and credentials.
Step 4: Test the connection
Open a new conversation in Claude Desktop and ask: “What posts are on my WordPress site?” Claude will call the MCP server, discover the available abilities, execute a query through the WordPress REST API, and return a formatted list of your actual posts.
Important: abilities must be explicitly exposed
This is the most common setup confusion. The MCP Adapter doesn’t expose everything by default. Abilities must be explicitly marked with meta.mcp.public = true before any AI agent can see or use them. This default-deny model is the correct security posture — it prevents accidental exposure of sensitive functionality.
The core adapter comes with basic abilities (site info, ability discovery). For content creation, plugin management, or WooCommerce operations, you need an abilities provider plugin. The AI Experiments plugin is the easiest way to get a working set of content management abilities. Install it, and your MCP connection immediately gains the ability to create, read, update, and list posts.
Path 3: InstaWP managed MCP (the zero-friction option)
If the self-hosted setup feels like too many moving parts, InstaWP offers a managed MCP server that collapses the entire process to a single toggle.
When you enable MCP on an InstaWP site, the platform automatically installs the MCP plugin, generates a secure 64-character authentication token, creates your unique connection URL, and activates the SSE (Server-Sent Events) transport. No JSON configuration, no Application Password creation, no proxy setup.
How to set it up
In the InstaWP dashboard, click your site name to open Site Details. In the left sidebar, click MCP. Toggle “Enable MCP” to ON. Copy the generated MCP server URL.
In Claude Desktop, go to Settings → Connectors, click “Add Custom Connector,” paste your MCP URL, and save. Start a new conversation and ask Claude something about your site.
The standout advantage of InstaWP’s approach is that MCP works on sandbox and staging sites, not just production. This means you can connect Claude to a test environment, run real operations, verify the results, and know nothing on a live client site is at risk. For agencies managing multiple client sites, this is the safest way to experiment with MCP workflows.
Path 4: AI Engine as MCP server (the plugin approach)
If you’re already running AI Engine on your WordPress site, you might not need the official MCP Adapter at all. AI Engine has built its own MCP server implementation that exposes a broader set of tools out of the box.
AI Engine turns your WordPress site into an MCP server that lets AI agents browse content, edit posts, manage media, upload files, and — if you enable it — execute SQL queries and interact with WooCommerce operations including products, orders, inventory, customers, reviews, and analytics.
The setup varies depending on your AI client, but the general process is: enable MCP in AI Engine’s settings, generate an authentication token, and configure your client to connect to AI Engine’s MCP endpoint. AI Engine supports both STDIO transport (for local development) and Streamable HTTP transport (for remote connections from tools like Claude Code).
AI Engine’s MCP implementation is more opinionated than the official MCP Adapter — it comes with built-in tools rather than requiring you to register abilities separately. For non-developers who want MCP working quickly, this is often the fastest path.
Path 5: WordPress Playground MCP (for development and testing)
This one is specifically for developers and experimenters. WordPress Playground — the browser-based WordPress environment — now has its own MCP server that lets AI coding agents read files, execute PHP, install plugins, and navigate pages directly in a Playground instance.
How to connect
For Claude Code:
claude mcp add --transport stdio --scope user wordpress-playground -- npx -y @wp-playground/mcpThe --scope user flag makes the server available across all your projects. Open Playground in your browser — the agent provides the exact URL when it connects.
Once connected, you can ask your AI agent to install a plugin, test a code change, audit a configuration, or build a feature — and it operates directly on the Playground instance. This is the safest possible environment for AI-driven WordPress work, since Playground instances are disposable and self-contained.
Path 6: WooCommerce MCP (for store operations)
WooCommerce has its own MCP integration that exposes store-specific operations as abilities. This is currently a developer preview, but it already supports product management (create, read, update, list), order management (read, update, list), customer management, and analytics retrieval.
The architecture follows the same pattern as the core MCP setup: AI client → local proxy → WordPress MCP server → WooCommerce Abilities → WooCommerce Core. Authentication uses WooCommerce REST API keys, and all operations respect WooCommerce’s existing permission system.
For store owners, this means conversations like: “Show me all orders from the last week that haven’t shipped yet.” “Update the description for product SKU-1234 to emphasize the new feature we launched.” “What are my top 10 products by revenue this month?” These aren’t hypothetical — they work today with the WooCommerce MCP developer preview.
Security: what you need to think about
MCP gives AI agents real access to your real site. That’s the point — but it’s also the risk. Here are the non-negotiable security practices.
Use least-privilege roles. Create a dedicated WordPress user for MCP connections with only the capabilities the AI needs. Don’t use your admin account credentials for MCP connections in production.
Start read-only. Begin with abilities that only read data — listing posts, checking analytics, reviewing comments. Add write capabilities only after you’re comfortable with how the AI uses them.
Use staging first. Always test MCP workflows on a staging or local site before connecting to production. InstaWP and WordPress Playground both provide safe environments for this.
Monitor the activity. Plugins like Royal MCP add authentication, rate limiting (60 requests per minute per IP), and full activity logging — every MCP tool call is recorded. If you’re running MCP on a production site, this kind of observability layer is essential.
Rotate credentials. Application Passwords and JWT tokens should be rotated regularly. The official MCP Adapter generates tokens with limited validity (1-24 hours) by default — don’t extend this unless you have a specific reason.
Abilities are default-deny. The MCP Adapter only exposes abilities that are explicitly marked as public. Don’t blanket-enable everything. Expose only the specific abilities your workflow requires.
Which path should you choose?
For WordPress.com users: use the built-in MCP support. It’s the simplest, most secure option, and it’s already there.
For agencies and freelancers managing client sites: start with InstaWP’s managed MCP on staging environments. Test workflows safely before touching production.
For self-hosted site owners who want full control: install the official MCP Adapter plugin and configure the remote proxy. This is the most flexible and future-proof option, since it’s built on the same Abilities API that’s moving into WordPress core.
For developers who want to experiment: use WordPress Playground MCP. It’s disposable, instant, and risk-free.
For WooCommerce store owners: check the WooCommerce MCP developer preview if you want AI-assisted store management. Pair it with either the official MCP Adapter or AI Engine for the connection layer.
For non-technical users who want quick results: install AI Engine, enable its built-in MCP server, and connect Claude Desktop. This skips the Abilities API complexity and gives you a working MCP connection with built-in tools.
What’s next for WordPress and MCP
MCP support in WordPress is moving fast. The Abilities API shipped in WordPress 6.9, the MCP Adapter is stabilizing and will eventually merge into core, and WordPress 7.0 (April 9, 2026) brings the AI Client SDK into core alongside the Connectors UI.
Plugin developers are already building MCP abilities into their products. The WordPress Plugin Directory now has its own MCP server — meaning AI coding agents can connect to WordPress.org directly to check plugin guidelines, validate readmes, and prepare submissions.
The direction is clear: WordPress is becoming a platform that AI agents can operate, not just a platform that uses AI for text generation. The sites that set up MCP now will have a meaningful operational advantage as these tools mature over the next 12 months.
The setup takes 5-15 minutes depending on which path you choose. The workflows it enables will save you hours every week.
