wp-mcp-ultimate
WP MCP Ultimate is a self-contained WordPress plugin that exposes WordPress functionality as an MCP (Model Context Protocol) server with 58 abilities (posts/pages/media/users/plugins/menus/comments/options/system management). It also provides an admin dashboard for generating an Application Password/API key and exporting MCP client configuration snippets, enabling an MCP-compatible AI client to manage WordPress via streamable HTTP transport.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
The README indicates usage of a WordPress Application Password generated via the admin. It does not describe TLS requirements, secret storage/logging practices, or action-level scope/granularity for MCP abilities. Given the wide mutation surface (posts/media/users/plugins), least-privilege and operational safeguards are important.
⚡ Reliability
Best When
You need an MCP-based bridge between WordPress and an MCP-compatible AI client to automate CMS tasks, and you can secure and constrain the generated Application Password/API key.
Avoid When
You cannot restrict agent capabilities or you cannot control/monitor what the AI client will invoke on the MCP server.
Use Cases
- • Letting an MCP-compatible AI agent read and manage WordPress content (create/update posts, pages, and media)
- • Automating moderation workflows (e.g., comments) via AI-assisted MCP actions
- • Managing WordPress site configuration and plugins through AI actions
- • Providing a standardized interface for CMS operations from Claude Code/Claude Desktop/Cursor or other MCP clients
Not For
- • Handling sensitive production admin operations without careful permissioning/review
- • Use in environments without HTTPS/TLS support
- • High-trust environments where the AI agent should not be able to mutate WordPress state
Interface
Authentication
Authentication is described as an Application Password generated in the WordPress admin and used by the MCP client configuration snippet. The README does not state any fine-grained OAuth scopes for MCP actions.
Pricing
GPL plugin; pricing not described.
Agent Metadata
Known Gotchas
- ⚠ AI clients must be configured with the generated Application Password/API key; leaked credentials would grant CMS access.
- ⚠ Because the plugin provides mutation capabilities across many WordPress domains (content/users/plugins), agents should use strict allowlists/approval workflows.
- ⚠ Behavior may depend on WordPress version capabilities; the project mentions an Abilities API polyfill for WordPress < 6.9.
Alternatives
Full Evaluation Report
Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for wp-mcp-ultimate.
AI-powered analysis · PDF + markdown · Delivered within 30 minutes
Package Brief
Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.
Delivered within 10 minutes
Score Monitoring
Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.
Continuous monitoring
Scores are editorial opinions as of 2026-03-30.