Wp Ultra
БесплатноНе проверенTurns any WordPress site into an MCP server, allowing AI clients to directly control files, database, WP-CLI, PHP, content, and more through declarative abiliti
Описание
Turns any WordPress site into an MCP server, allowing AI clients to directly control files, database, WP-CLI, PHP, content, and more through declarative abilities without writing code.
README
Free, open-source. Turn any WordPress site into a Model Context Protocol server so AI clients (Claude Code, Claude Desktop, Cursor, Gemini CLI) can build and control the whole site — files, SQL, WP-CLI, PHP, content, Elementor, and more — directly, with no relay service in the middle.
Install the plugin, flip a toggle, paste a config into your AI client. That's it. Your data never leaves your server.
Inspired by what closed/paid tools like Novamira do — rebuilt as a free plugin, and pushed further with declarative custom abilities (no plugin code needed), management Hubs, and a crash-recovery sandbox.
✨ The headline: extend the AI's toolset without writing code
Every other tool makes you write a PHP plugin to add a capability. WP-Ultra-MCP lets you (or the AI itself) define a new ability from a tiny .md/JSON recipe — uploaded in the Ability Hub or created over MCP — and it instantly becomes a real tool the AI can call:
---
name: woo-empty-cart
description: Empty a WooCommerce customer's cart
category: custom
run: wp-cli
---
```json
{ "input": { "user_id": { "type": "integer", "required": true } },
"command": ["wc", "cart", "empty", "--user={user_id}"] }
```
Recipe run types: wp-cli · sql (parameter-bound) · php (sandboxed) · http. The AI can even mint its own abilities via the ability-write tool. This is the compounding advantage: an ever-growing library of skills + abilities covering the whole WordPress ecosystem.
Why WP-Ultra-MCP
| WP-Ultra-MCP | Closed/paid alternatives | |
|---|---|---|
| Cost | Free, GPL open-source | Paid, gated features |
| Custom abilities | Declarative .md/JSON — no code |
Write a PHP plugin |
| Data ownership | Your server, your DB | May transit a 3rd-party service |
| Hubs | Ability / Skill / Memory Hubs in wp-admin | Limited |
| Sandbox safety | Crash-recovery safe-mode keeps the site up | Varies |
| Elementor | Schema-driven, server-side (shipped Wave 2) | Often paid-only |
Shipped now
Wave 1 — Core abilities
- Files:
read-file·write-file·edit-file·delete-file·list-directory— jailed to the WP root, executable files sandboxed - Code:
run-wp-cli(arg-array, no shell injection) ·execute-php(sandboxed eval) - Database:
execute-wp-query— parameterized SQL; destructive queries gated behindconfirm: true - Diagnostics:
read-debug-log - Memory:
memory-save·memory-get·memory-list·memory-delete— persistent across sessions - Content:
create-post·update-post·delete-post(+ meta, taxonomy terms, featured image) - Skills:
skill-get·skill-write·skill-edit·skill-delete— reusable markdown prompt docs
Wave 1.5 — Hubs, declarative abilities & sandbox
- Declarative ability engine —
.md/JSON recipes become real MCP abilities at runtime (run: wp-cli|sql|php|http) - Ability Hub — create / upload / edit / delete custom abilities;
ability-write/ability-get/ability-deleteso the AI can manage its own tools - Skill Hub — upload / edit / export
.mdskills, per-skill prompt + agentic toggles, read-only built-ins - Memory Hub — view / add / edit / delete persistent memories
- Sandbox safe-mode — if AI-written PHP triggers a fatal, a sentinel suspends it and keeps the site up, with a one-click recovery
- Connect page — managed Application-Password list + revoke, and per-client setup tabs (Claude Desktop / Claude Code / Cursor / Gemini / generic HTTP)
Wave 2 — Elementor (shipped)
Schema-driven Elementor v4 atomic layout control. Requires Elementor (free or Pro) with the e_atomic_elements experiment enabled.
elementor-list-widgets— list all registered Elementor widgets; passatomic_only:trueto filter to v4 atomic widgets only (e-heading, e-button, e-image, e-paragraph, e-divider, e-flexbox, e-div-block, …)elementor-get-widget-schema— introspect a widget's full prop schema: each prop's$$type, allowedenumvalues, anddefault; use this before setting any widget to avoid guessingelementor-get-style-schema— introspect the style schema for a widget or container (CSS custom-properties, layout, spacing, typography tokens)elementor-get-content— read a page's Elementor data as a compact element tree; passelement_idto drill into one node's full settingselementor-set-content— replace a page's entire Elementor data array (atomic-safe write that bypasses Document::save, which would strip atomic widgets; clears the CSS cache)elementor-add-element— insert a new element (container or widget) at a given parent and position; plain scalar settings are auto-wrapped into the{$$type,value}form and validated by Elementor's own Props_Parserelementor-edit-element— deep-merge new settings into an existing element without touching sibling propselementor-delete-element— remove an element (and its subtree) from the pageelementor-move-element— relocate an element to a new parent and/or position within the tree
Built-in skill elementor-v4-architect is pre-loaded and teaches the AI the step-by-step atomic workflow: introspect → build → position → read back.
Wave 3 — Elementor design systems (shipped)
Site-wide design control for Elementor v4. Requires Elementor (free or Pro).
elementor-get-design-system— read the active kit's global colors, global typography presets, and design-token variables in one call; use this to understand the current brand palette before making changeselementor-manage-global-colors— set or add brand colors to the kit (e.g.{colors:[{title:"Brand",color:"#0055FF"}], target:"custom"}); each color becomes a--e-global-color-<id>CSS custom property applied site-wide across all pageselementor-manage-variables— list or create Elementor v4 design-token variables (color, font, size types); reference a variable inside any widget or style prop with the shape{ "$$type":"global-color-variable", "value":"e-gv-<id>" }so widgets stay in sync when the token value changeselementor-list-dynamic-tags— list all registered dynamic-tag groups and tags; bind any widget prop to live data with{ "$$type":"dynamic", "value":{ "name":"post-title", "group":"post", "settings":{} } }— ACF, JetEngine, and other field-plugin tags appear here when those plugins are active
The built-in elementor-v4-architect skill is extended with a "Design systems (site-wide)" section that teaches the AI the variable-reference and dynamic-tag binding shapes.
Wave 3.5 — Global classes & interactions (shipped)
Reusable CSS classes and entrance animations for Elementor v4 elements. Requires Elementor (free or Pro); global classes require the e_classes experiment enabled (the elementor-upsert-global-class ability can enable it automatically by passing enable:true).
elementor-list-global-classes— list all existing global classes in the active kitelementor-upsert-global-class— create or update a reusable style class;propsare atomic CSS props (e.g.{ "color":{"$$type":"color","value":"#fff"} }); returns ane-gc-…id usable across any pageelementor-apply-class— add or remove a global class id on any element ({post_id, element_id, class_id}; passremove:trueto detach); changes take effect site-wide wherever the class is appliedelementor-set-interaction— attach an entrance animation to any element ({post_id, element_id, trigger:"scrollIn", effect:"fade"|"slide"|"scale", type:"in", duration:600}); uses Elementor's native interactions system
The built-in elementor-v4-architect skill is extended with a "Reusable classes & animations" section that teaches the AI the class-creation, application, and interaction-setting shapes.
Phase A — Elementor Reliability (shipped)
Reliable Elementor builds — schema validation before every write + server-side render check. Catches silently-dropped atomic props that cause broken designs.
elementor-validate— dry-run schema validation of Elementor pages; validates atomic settings and container layout props; detects silently-dropped properties before they break the designelementor-render-check— server-side render verification: confirms what actually rendered afterset-content/add-element/edit-element/move-element(catches design breakage)- Validate-before-commit: Elementor writes now enforce strict atomic-settings validation (with
force:trueescape hatch); container layout properties always validated to prevent broken designs
Phase B — Elementor Design Tokens (shipped)
Apply a reference's design palette, typography system, and token sizes as Elementor Variables for token-consistent, reference-faithful builds.
elementor-apply-design-tokens— create color, font, and size Variables from a perceived reference's palette, typography, and sizes; returns refs in the form{$$type,value}for use in atomic-build workflows
Phase B2 — Elementor Blueprints (shipped)
Insert ready-made structural section skeletons — navbar, hero, feature-grid, CTA, footer — with fresh ids, layout, and placeholder copy (no styling). Style them afterward with design tokens + global classes.
elementor-list-blueprints— list available built-in blueprint skeletons with descriptionselementor-insert-blueprint— insert a blueprint skeleton at a given parent and position; re-ids for the page, validates, and writes atomically. Carries layout + placeholder text only; style with tokens + classes
Wave 4a — Gutenberg core block control (shipped)
Positional-path block tree ops for Gutenberg posts and pages. Core WordPress APIs only — no browser tab required.
gutenberg-get-content— read a post's block tree as a compact JSON array (type, attrs, innerBlocks)gutenberg-list-blocks— list all registered block types available on the site (namespace/name + title)gutenberg-get-block-schema— introspect a block type's full attribute schema and default values; use this before inserting to avoid guessing propsgutenberg-insert-block— insert a new block at a positional path inside a post's block tree; best-effort attribute validation with unknown-block warning; every write is audit-loggedgutenberg-update-block— deep-merge new attributes into an existing block at a given path without touching sibling propsgutenberg-delete-block— remove a block (and its innerBlocks subtree) from a postgutenberg-move-block— relocate a block from one positional path to another within the same post
Tip: insert container blocks (group/columns/etc.) via block.markup (raw block HTML) rather than the structured form, so wrapper markup is preserved.
Wave 4b — Gutenberg patterns + reusable blocks (shipped)
Reuse WordPress's built-in primitives for fast page building.
gutenberg-list-patterns— list registered block patterns (name, title, categories), filterable by search/categorygutenberg-insert-pattern— insert a pattern's blocks into a post at a positional parent path + positiongutenberg-manage-reusable-block— create/update/get/list synced (reusable) blocks (wp_block); reference one into a post via acore/blockblock
Wave 6 — WooCommerce store control (shipped)
Full WooCommerce store control — 22 abilities covering the complete store lifecycle. Requires WooCommerce active.
Products (8)
woo-store-status— check WooCommerce availability and store configuration before starting store workwoo-list-products— list products with filtering (status, type, category, search, stock); pagination supportedwoo-get-product— read a single product's full data (price, stock, images, attributes, variations summary)woo-upsert-product— create or update a product (simple, variable, grouped, external); schema-validated via the WooCommerce CRUD APIwoo-delete-product— delete or trash a product by IDwoo-manage-variation— create, update, or delete a variation on a variable product (price, stock, attributes, images)woo-manage-product-category— create, update, delete, or list product categories; supports parent hierarchy and thumbnailwoo-manage-attribute— create, update, delete, or list global product attributes and their terms
Orders (5)
woo-list-orders— list orders with filtering (status, customer, date range); HPOS-safewoo-get-order— read a single order's full data (line items, billing, shipping, status history)woo-create-order— create a new order programmatically (customer, line items, shipping, billing)woo-update-order— update order status, notes, or metadata; HPOS-safe writewoo-refund-order— issue a full or partial refund on an order with optional line-item breakdown
Customers (3)
woo-list-customers— list customers with search and paginationwoo-get-customer— read a customer's full profile, billing/shipping addresses, and order statswoo-upsert-customer— create or update a customer account (billing, shipping, role, meta)
Marketing & Config (4)
woo-manage-coupon— create, update, delete, or list discount coupons (percent/fixed-cart/fixed-product, usage limits, expiry)woo-get-settings— read whitelisted store settings (currency, tax, checkout) and payment gateway listwoo-update-settings— update whitelisted store settings; toggle payment gateway enabled/disabledwoo-manage-review— create, update, approve, delete, or list product reviews
Reports (1)
woo-get-reports— fetch sales summary, top-selling products, and low-stock reports with optional date range
Storefront bridge (1)
woo-insert-product-block— insert a WooCommerce product shortcode block into any Gutenberg (core/shortcode) or Elementor page; accepts product IDs, slugs, or category filters
Built-in skill woocommerce-architect encodes the store-building loop: check status → perceive existing data → build with schema-validated CRUD → verify.
Wave 7 — SEO (shipped)
Full on-site SEO control — 19 abilities. Works with Yoast SEO or Rank Math (auto-detected) or a built-in native mode when neither is active.
Foundation (4)
seo-status— detect the active SEO plugin (Yoast / Rank Math / native), confirm readiness, and report site-level SEO configseo-get-meta— read on-page SEO meta for any post: title, description, focus keyword, robots directives, and Open Graph fieldsseo-set-meta— write on-page SEO meta (title, description, focus keyword, robots, OG title/description/image) for any post via the active plugin's own API or native metaseo-analyze-page— score a post's SEO: title + meta-desc length, keyword density, readability, internal links, image alt coverage; returns an actionable recommendations list
Linking + Research (7)
seo-suggest-internal-links— suggest relevant internal-link opportunities for a post based on keyword overlap with other published postsseo-insert-internal-link— insert an internal link anchor into a post's Gutenberg content at the best-match phrase locationseo-link-audit— audit internal and external links across one post or the whole site: broken links, nofollow usage, orphan pagesseo-keyword-research— analyse keyword opportunities using on-site data (post titles, meta, headings, search-console if available) and AI scoring; no external paid API requiredseo-content-gap— identify topics covered by the site that are thin or missing compared to a target keyword listseo-competitor-analysis— compare the site's content coverage and keyword footprint against a given competitor URL (on-site fetch + AI analysis; no external SEO-API dependency)seo-optimize-content— rewrite or augment a post's content to improve keyword placement, heading structure, and readability score; returns a diff-style suggestion
Technical + Local (5)
seo-manage-sitemap— read, regenerate, or toggle the XML sitemap (Yoast / Rank Math / WP native); return the current sitemap URL and post-type inclusion settingsseo-manage-robots— read or write therobots.txtvirtual file; validate directives before writingseo-manage-redirects— create, update, delete, or list 301/302 redirects via Yoast Premium, Rank Math, or a lightweight native storeseo-manage-schema— add, update, or remove JSON-LD schema blocks (Article, FAQ, HowTo, BreadcrumbList, etc.) on any postseo-manage-local-business— create or update a LocalBusiness JSON-LD schema (name, address, geo, hours, phone) for local SEO
Audit + Setup (3)
seo-site-audit— run a site-wide SEO audit: missing meta, duplicate titles, pages blocked by robots, posts with no internal links, images missing alt text; returns a prioritised issues listseo-bulk-set-meta— apply a meta template rule to multiple posts in a single call; dry-run by default (apply: trueto commit), bounded bylimitseo-quick-setup— apply Google-recommended baseline settings in one call: set homepage meta, enable sitemap, setblog_public, configure permalinks; idempotent
Built-in skill seo-architect encodes the ranking loop: audit → keyword-research → on-page meta → internal linking → schema → technical SEO → verify.
Wave 8 — Content Core (shipped)
The everyday-WordPress layer — 17 abilities so the AI never falls back to raw SQL for basic work.
- Posts:
list-posts(filter by type/status/meta/taxonomy/search, paginated) ·get-post(full read incl. meta + terms) ·search-content(full-text with highlight snippets) ·duplicate-post(Elementor-safe clone) - Structure:
manage-term(taxonomy terms CRUD) ·register-cpt/register-taxonomy(persisted declarative registration) ·manage-menu(menus, nested items, theme locations) - Media:
media-list·media-get·media-update(alt text!) ·media-delete - Site:
manage-comment(moderate/reply) ·option-get/option-set(secret-name deny + self-lockout guard) ·list-users·site-snapshot— one call returns the whole site orientation (theme, plugins, content counts, users, menus, detected builders) so an AI session starts informed
Wave 9 — Site Ops + FSE (shipped)
- Ops:
export-content/import-content(WXR) ·manage-cron·search-replace(serialized-data-safe, dry-run default) ·maintenance-mode·site-health(core Site Health tests) ·db-snapshot— create/list/restore/delete gzip DB snapshots before risky changes - Block-theme design (FSE):
theme-json-get/theme-json-set(global styles user layer) ·manage-template(FSE templates + parts) ·custom-css
Wave 10 — Forms + Audits (shipped)
- Forms (unified adapter):
form-status·form-list·form-get-entries·form-create— one API across Contact Form 7, WPForms, Gravity Forms, Fluent Forms, unified field types mapped to each plugin's native format - Audits:
security-audit(core/users/salts/updates checks) ·performance-audit(autoload bloat, transients, revisions, cache detection — scored 0-100)
Wave 11 — Ecosystem (shipped)
- Bricks Builder (foundation):
bricks-status·bricks-list-elements·bricks-get-content(compact tree) ·bricks-set-content(validated write) - Multilingual:
translation-status·duplicate-to-language— WPML / Polylang auto-detected - WooCommerce extras:
woo-manage-shipping-zone·woo-manage-tax-rate·woo-manage-payment-gateway(secrets always masked) - Devtools:
send-email·render-page(fatal-marker + title/h1 probe of any URL) ·list-registry(post types, taxonomies, shortcodes, roles, hooks, image sizes, REST routes) ·purge-cache(WP Rocket / LiteSpeed / W3TC / Super Cache / Autoptimize / Elementor unified)
Wave 12 — Platform (shipped)
self-update— the AI checks GitHub for a newer release and applies it in place (confirm-gated); new releases also appear natively in the wp-admin Plugins page like any other plugin update
Wave 13 — Async jobs (shipped)
job-start/job-status/job-list/job-cancel— long operations (whole-DBsearch-replace, site-widebulk-post-meta,site-audit) run in the background via WP-Cron, one slice per tick, so they finish instead of dying on a request timeout. Progress is reported as processed/total/percent; jobs are cancellable; the handler registry is filterable for future job types.
Wave 14 — Universal undo (shipped)
undo-list/undo-restore/undo-last— reversible mutations auto-snapshot their before-state into a capped ring buffer (option-set, custom CSS, theme.json global styles, term updates), so the AI can roll any of them back on demand. Extends the post-revisioncontent-restoreto targets WordPress keeps no revisions for.
Wave 15 — Playbooks (shipped)
playbook-run/playbook-save/playbook-list/playbook-delete— chain many abilities into one declarative multi-step run ("set up a whole blog" as a single command). A step's result feeds the next via{steps.<save_as>.<path>}tokens (a lone token keeps its type, so a post id stays an integer), and{input.*}fills playbook inputs. Supports dry-run, per-step continue-on-error, and saved reusable playbooks.
Wave 16 — Event triggers / webhooks (shipped)
trigger-create/trigger-list/trigger-delete/trigger-log— react to the site. Register a trigger on a WordPress event (post published/updated, comment, user registration, WooCommerce order placed / status change, form submission across CF7/WPForms/Gravity/Fluent) that POSTs the payload to a webhook (optional HMAC signature), auto-runs a saved playbook with the event data as inputs, or logs it for the AI to poll. Delivery is async via WP-Cron, so a slow endpoint never blocks checkout or publish.
Waves 25–28 — Roadmap completion (shipped)
- 🛒 WooCommerce:
woo-export-products/woo-import-products(CSV, dry-run) ·woo-manage-subscription·woo-manage-booking·woo-insights(abandoned checkouts, stock alerts, repeat customers) ·woo-manage-email - 🌐 Site Ops+:
site-backup(files + DB archive) ·staging-clone(subdirectory staging, new table prefix, serialized-safe URL rewrite) ·multisite-manage·manage-server-rules(marker-block .htaccess presets) ·activity-log(+ login tracking) - 📊 Marketing:
form-forward(submissions with field values → any webhook/CRM) ·social-autopost·newsletter-status/subscribe(MailPoet / MC4WP) ·analytics-report(GA4 + Search Console via Site Kit) ·seo-indexnow·seo-404-log - 🤖 AI-Native:
skill-sync(community skills from GitHub) ·site-brain(one-call session orientation) ·error-reports(structured fatals with fix suggestions) ·usage-stats+ wp-admin dashboard
Wave 24 — Content & Fields completion (shipped)
field-manage-rows— deep row ops on ACF/SCF repeater, flexible-content, and group fields (get/set/add/update/delete by index)media-generate— an image from url/base64 or a server-side OpenAI prompt → media library + alt + featured image, one callmedia-edit-image·media-bulk-alt— ordered resize/crop/rotate/convert/quality ops via WP_Image_Editor; find images missing alt text and fill them in bulktranslation-set-content— write AI-translated content to a duplicated translation, including JSON-safe find→replace inside Elementor datacontent-calendar— see the publishing schedule grouped by day, reschedule one post, or spread drafts evenly
Wave 23 — JetEngine (shipped)
jetengine-status·jetengine-manage-cpt·jetengine-manage-taxonomy·jetengine-manage-meta-box— full CRUD over JetEngine's content model: CPTs and taxonomies (native tables, auto-built labels, validated meta fields in JetEngine's field shape, built-in-row protection), standalone meta boxes attached to any post type, plus relations/listings inventory. Verified against a live JetEngine 3.4.6 install.
Wave 22 — Bricks deep (shipped)
bricks-add-element·bricks-edit-element·bricks-delete-element·bricks-move-element·bricks-validate·bricks-get-element-schema·bricks-manage-global-class·bricks-insert-blueprint— the same reliability arc Elementor got, adapted to Bricks' flat dual-linked structure (parent pointers + children lists kept consistent both ways, every mutation re-validated before writing, moves cycle-guarded, deletes take the subtree). Global classes CRUD + apply, five structural blueprints, and control-schema introspection from Bricks' own registry.
Wave 21 — Divi / Beaver Builder / Oxygen foundation (shipped)
pagebuilder-status·pagebuilder-get-content·pagebuilder-set-content·pagebuilder-list-elements— one unified surface over three more builders (auto-detected driver). Divi shortcode trees are parsed/serialized with balance validation; Beaver Builder's flat node map round-trips as a nested tree with id/parent/module validation; Oxygen 4 JSON component trees are validated and written (3.x read-only). Graceful when no builder is installed.
Wave 20 — Elementor Pro surface (shipped)
elementor-pro-status·elementor-manage-library·elementor-manage-popup·elementor-form-submissions— theme-builder templates (create headers/footers/singles/archives + display conditions in Pro's native format), popups (friendly triggers: on_click, page_load delay, scroll %, exit intent, inactivity → Pro's native display settings), and Pro form submissions (distinct forms, filtered lists with flattened field values, mark-read/delete). Verified against a live Elementor Pro 4.1.2 install; degrades gracefully without Pro.
Wave 19 — One-call page cloner (shipped)
elementor-clone-url— build a whole Elementor page from a reference in one call. The AI looks at a URL/screenshot and passes a structured brief (design tokens + sections with real content); the server mints token Variables, composes adaptive blueprint sections, applies section colors via global classes, validates strictly, writes atomically, and returns a render-check + preview URL. Aurlmode auto-extracts a rough brief from static HTML as a starting point.
Wave 18 — Custom widget generator (shipped)
create-atomic-widget/list-atomic-widgets/delete-atomic-widget— the AI mints REAL Elementor v4 atomic widgets from a declarative spec (props: string/textarea/html/number/boolean/select/image/link + optional Twig/CSS). Generated PHP class + Twig template land underwp-content/wpultra-widgets/and register aswpu-<name>— placeable, editable, and stylable like any core widget. Correct-by-construction (no caller PHP accepted) and crash-quarantined: a widget that fatals is skipped and flagged, never white-screens the site. Compounds withability-write: the AI mints both its own tools and its own widgets.
Wave 17 — Access control (shipped)
manage-access— grant non-admin roles a limited set of abilities/categories, and rate-limit any ability (per-minute, per ability/category/default; admins throttled too, to cap runaway loops). Two-layer enforcement: a relaxed baseline permission plus a per-ability gate on WordPress core'swp_before_execute_ability. The policy editor stays admin-only, so a granted role can never widen its own access. Empty by default → unchanged admin-only behaviour.
Planned
Deeper Bricks authoring (schema-driven like the Elementor arc), JetEngine, form entries export, IndexNow. The goal: literally do everything in WordPress through AI.
Install & connect
- Install: download the release ZIP (or clone) and put the
wp-ultra-mcp/directory — including its bundledvendor/— intowp-content/plugins/, then activate it. (Requires WordPress 6.6+ and PHP 8.0+. Nocomposer installneeded —vendor/is bundled.) - Enable: wp-admin → WP-Ultra-MCP → toggle AI control on.
- App password: click Generate application password, copy it (shown once).
- Connect: on the same page, pick your AI client tab and paste the shown config. For the npx-bridge clients:
{
"mcpServers": {
"wp-ultra-mcp": {
"command": "npx",
"args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
"env": {
"WP_API_URL": "https://YOUR-SITE/wp-json/mcp/wpultra",
"WP_API_USERNAME": "your-wp-username",
"WP_API_PASSWORD": "the application password"
}
}
}
}
The MCP endpoint exposes three meta-tools — discover-abilities, get-ability-info, execute-ability — and the AI uses them to introspect and run any ability. Auth is standard WordPress Application Passwords; revoke anytime from the Connect page.
Security model
Full power, bounded blast radius. Every privileged ability requires the plugin to be enabled AND the user to have manage_options (super-admin on multisite). SQL is always $wpdb->prepared; destructive verbs need confirm: true. File writes are jailed to the WP root and executable files confined to a sandbox dir. WP-CLI runs as an argument array (no shell string). The sandbox safe-mode suspends AI-written PHP after a fatal so a bad write can't take the site down.
Repository layout
wp-ultra-mcp/ ← the WordPress plugin (install this)
wp-ultra-mcp.php plugin entry point
includes/
abilities/ one PHP file per built-in ability
recipes/ declarative-ability engine (parser, executor, CPT)
admin/ Connect page + Ability/Skill/Memory Hubs
skills/ memory/ sandbox/ helpers.php bootstrap-mcp.php
vendor/ bundled wordpress/mcp-adapter (GPL)
bin/ deploy.ps1, build-zip.ps1
tests/ zero-dependency PHP test harness (run with: php tests/<name>.test.php)
docs/superpowers/ design specs & implementation plans
Develop
# run the PHP test suite — any PHP 8.x CLI; no dependencies
# bash: for f in tests/*.test.php; do php "$f"; done
# powershell: Get-ChildItem tests\*.test.php | % { php $_.FullName }
# deploy into a local site for live testing
powershell -File wp-ultra-mcp\bin\deploy.ps1
# build a distributable release zip (vendor bundled)
powershell -File wp-ultra-mcp\bin\build-zip.ps1
Contributions welcome — new built-in abilities and skills especially. Open an issue or PR.
License
GPL-2.0-or-later. WP-Ultra-MCP bundles the wordpress/mcp-adapter and wordpress/php-mcp-schema packages (also GPL-2.0-or-later). Free to use, modify, and redistribute.
Установка Wp Ultra
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/mdnishath/wp-ultra-mcpFAQ
Wp Ultra MCP бесплатный?
Да, Wp Ultra MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Wp Ultra?
Нет, Wp Ultra работает без API-ключей и переменных окружения.
Wp Ultra — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Wp Ultra в Claude Desktop, Claude Code или Cursor?
Открой Wp Ultra на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
wenb1n-dev/SmartDB_MCP
A universal database MCP server supporting simultaneous connections to multiple databases. It provides tools for database operations, health analysis, SQL optim
автор: wenb1n-devPostgres Server
This server enables interaction with PostgreSQL databases through the Model Context Protocol, optimized for the AWS Bedrock AgentCore Runtime. It provides tools
автор: madhurprashPostgres
Query your database in natural language
автор: AnthropicPostgreSQL
Read-only database access with schema inspection.
автор: modelcontextprotocolCompare Wp Ultra with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории data
