{"id":293340,"date":"2026-04-24T15:59:09","date_gmt":"2026-04-24T15:59:09","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/webo-mcp\/"},"modified":"2026-07-14T20:09:28","modified_gmt":"2026-07-14T20:09:28","slug":"webo-mcp","status":"publish","type":"plugin","link":"https:\/\/gax.wordpress.org\/plugins\/webo-mcp\/","author":23464384,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"2.6.15","stable_tag":"2.6.15","tested":"7.0.1","requires":"6.4","requires_php":"8.0","requires_plugins":null,"header_name":"WEBO MCP","header_author":"Dinh WP","header_description":"MCP (Model Context Protocol) gateway for WordPress: JSON-RPC tools over the REST API for MCP clients.","assets_banners_color":"69877a","last_updated":"2026-07-14 20:09:28","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/webomcp.com","header_author_uri":"https:\/\/webomcp.com","rating":5,"author_block_rating":0,"active_installs":20,"downloads":1753,"num_ratings":3,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"2.0.28":{"tag":"2.0.28","author":"phuongwebo","date":"2026-04-25 08:06:45"},"2.0.29":{"tag":"2.0.29","author":"phuongwebo","date":"2026-04-28 18:29:53"},"2.0.34":{"tag":"2.0.34","author":"phuongwebo","date":"2026-05-04 20:29:27"},"2.0.35":{"tag":"2.0.35","author":"phuongwebo","date":"2026-05-04 20:53:17"},"2.0.40":{"tag":"2.0.40","author":"phuongwebo","date":"2026-05-05 22:31:15"},"2.0.45":{"tag":"2.0.45","author":"phuongwebo","date":"2026-05-08 14:51:09"},"2.1.0":{"tag":"2.1.0","author":"phuongwebo","date":"2026-05-08 16:12:27"},"2.1.10":{"tag":"2.1.10","author":"phuongwebo","date":"2026-07-14 05:12:59"},"2.1.11":{"tag":"2.1.11","author":"phuongwebo","date":"2026-05-12 11:41:34"},"2.1.12":{"tag":"2.1.12","author":"phuongwebo","date":"2026-05-12 13:25:56"},"2.1.13":{"tag":"2.1.13","author":"phuongwebo","date":"2026-05-12 16:54:17"},"2.1.14":{"tag":"2.1.14","author":"phuongwebo","date":"2026-05-13 20:58:26"},"2.1.17":{"tag":"2.1.17","author":"phuongwebo","date":"2026-05-19 16:00:43"},"2.1.19":{"tag":"2.1.19","author":"phuongwebo","date":"2026-05-24 16:15:10"},"2.1.3":{"tag":"2.1.3","author":"phuongwebo","date":"2026-05-08 17:55:21"},"2.1.4":{"tag":"2.1.4","author":"phuongwebo","date":"2026-07-14 05:12:59"},"2.1.9":{"tag":"2.1.9","author":"phuongwebo","date":"2026-07-14 05:12:59"},"2.2.0":{"tag":"2.2.0","author":"phuongwebo","date":"2026-05-27 14:39:20"},"2.2.1":{"tag":"2.2.1","author":"phuongwebo","date":"2026-05-27 20:52:37"},"2.3.0":{"tag":"2.3.0","author":"phuongwebo","date":"2026-05-28 15:27:37"},"2.3.1":{"tag":"2.3.1","author":"phuongwebo","date":"2026-05-29 09:38:59"},"2.3.2":{"tag":"2.3.2","author":"phuongwebo","date":"2026-05-29 17:09:44"},"2.3.3":{"tag":"2.3.3","author":"phuongwebo","date":"2026-05-29 17:39:37"},"2.3.4":{"tag":"2.3.4","author":"phuongwebo","date":"2026-05-29 17:56:19"},"2.3.5":{"tag":"2.3.5","author":"phuongwebo","date":"2026-05-29 18:00:40"},"2.3.6":{"tag":"2.3.6","author":"phuongwebo","date":"2026-05-29 18:16:18"},"2.3.7":{"tag":"2.3.7","author":"phuongwebo","date":"2026-05-29 18:23:27"},"2.4.0":{"tag":"2.4.0","author":"phuongwebo","date":"2026-05-29 18:31:00"},"2.4.1":{"tag":"2.4.1","author":"phuongwebo","date":"2026-05-29 18:33:27"},"2.4.2":{"tag":"2.4.2","author":"phuongwebo","date":"2026-05-29 20:26:04"},"2.4.4":{"tag":"2.4.4","author":"phuongwebo","date":"2026-05-29 22:30:30"},"2.4.5":{"tag":"2.4.5","author":"phuongwebo","date":"2026-06-02 14:58:01"},"2.4.6":{"tag":"2.4.6","author":"phuongwebo","date":"2026-06-04 12:46:25"},"2.4.7":{"tag":"2.4.7","author":"phuongwebo","date":"2026-06-07 05:29:16"},"2.4.8":{"tag":"2.4.8","author":"phuongwebo","date":"2026-06-08 14:24:22"},"2.5.5":{"tag":"2.5.5","author":"phuongwebo","date":"2026-06-18 17:47:14"},"2.5.6":{"tag":"2.5.6","author":"phuongwebo","date":"2026-06-20 04:05:48"},"2.5.7":{"tag":"2.5.7","author":"phuongwebo","date":"2026-06-21 08:31:34"},"2.5.8":{"tag":"2.5.8","author":"phuongwebo","date":"2026-06-22 07:04:32"},"2.5.9":{"tag":"2.5.9","author":"phuongwebo","date":"2026-07-04 02:04:57"},"2.6.10":{"tag":"2.6.10","author":"phuongwebo","date":"2026-07-14 14:27:57"},"2.6.11":{"tag":"2.6.11","author":"phuongwebo","date":"2026-07-14 14:46:56"},"2.6.12":{"tag":"2.6.12","author":"phuongwebo","date":"2026-07-14 16:18:48"},"2.6.13":{"tag":"2.6.13","author":"phuongwebo","date":"2026-07-14 17:08:49"},"2.6.14":{"tag":"2.6.14","author":"phuongwebo","date":"2026-07-14 17:49:51"},"2.6.15":{"tag":"2.6.15","author":"phuongwebo","date":"2026-07-14 20:09:28"},"2.6.3":{"tag":"2.6.3","author":"phuongwebo","date":"2026-07-05 08:47:38"},"2.6.4":{"tag":"2.6.4","author":"phuongwebo","date":"2026-07-05 08:59:00"},"2.6.8":{"tag":"2.6.8","author":"phuongwebo","date":"2026-07-14 05:12:59"},"2.6.9":{"tag":"2.6.9","author":"phuongwebo","date":"2026-07-14 14:02:59"}},"upgrade_notice":{"2.3.2":"<p>Recommended for Claude Desktop and other MCP SDK clients: SSE keepalive, standard tools\/call content format, and safer AI editing via content checkpoint tools.<\/p>","2.3.1":"<p>Recommended compatibility update for installs using SCF or plugins that register abilities during activation.<\/p>","2.2.1":"<p>Recommended compatibility update for sites relying on bundled MCP schema classes or layered ability execution through MCP clients.<\/p>","2.1.23":"<p>Opt-in fix for multisite Elementor\/custom HTML workflows that need trusted administrators to preserve raw HTML tags. Disabled by default.<\/p>","2.1.17":"<p>Adds post password updates to <code>webo\/content-mutate<\/code> for protected content workflows.<\/p>","2.1.14":"<p>Recommended for multisite networks using child-site plugin activation through MCP; fixes WordPress capability checks after <code>switch_to_blog()<\/code>.<\/p>","2.1.13":"<p>Adds core plugin mutation plus child-site plugin activation\/deactivation via <code>site_id<\/code> or <code>blog_id<\/code> for multisite network admins.<\/p>","2.1.12":"<p>Adds MCP audit logging, optional tool allowlists, and an administrator health\/status tool. Existing MCP access remains unchanged unless allowlist enforcement is enabled in Settings.<\/p>","2.1.11":"<p>Recommended security hardening release: MCP tools now enforce object-level post\/media\/term capabilities and only list tools the current user can call.<\/p>","2.1.10":"<p>Registers the missing <strong><code>webo\/plugin-query<\/code><\/strong> tool (plugin inventory and updates via MCP). Recommended for automation that lists pending plugin updates.<\/p>","2.1.9":"<p>Internal refactor (standalone tool bootstrap file only). No MCP tool renaming; safe routine update.<\/p>","2.1.8":"<p>Critical for <code>webo.vn<\/code> \/ multi-BOM REST bodies: fixes BOM sanitizer regex so repeated UTF-8 BOM prefixes are actually removed.<\/p>","2.1.7":"<p>Recommended if MCP\/remote clients still hit <code>Unexpected token<\/code> \/ invalid JSON \u2014 BOM strip now defaults on for <strong>all<\/strong> REST API responses.<\/p>","2.1.6":"<p>Use this if MCP clients still fail JSON parse on <code>discover-abilities<\/code> \/ ability tools \u2014 BOM strip now covers <code>wp-abilities<\/code> REST routes.<\/p>","2.1.5":"<p>If MCP clients still parse-fail on BOM: this release starts the BOM-stripping buffer before <code>rest_api_init<\/code> for MCP-like URLs.<\/p>","2.1.4":"<p>Further hardening for leading-BOM MCP JSON failures: earlier buffer bootstrap on MCP-like REST URLs.<\/p>","2.1.3":"<p>Recommended if MCP clients show JSON parse errors (leading BOM) on <code>tools\/list<\/code> or <code>tools\/call<\/code> \u2014 response body is sanitized for MCP REST routes.<\/p>","2.1.2":"<p>Restores packaged agent <strong><code>skills\/<\/code><\/strong> in the upstream repo clone; upgrade if you rely on Cursor\/Codex skills from GitHub.<\/p>","2.1.1":"<p>Documentation-only refresh: use docs\/MCP_TOOL_MIGRATION.md when mapping old MCP tool names to dispatchers + <code>action<\/code>. No behavioral change vs 2.1.0 expected.<\/p>","2.0.40":"<p>Recommended update for MCP clients that batch process posts or rely on seo\/article-analysis; list-posts pagination and H1\/schema detection are more accurate.<\/p>","2.0.35":"<p>Adds theme discovery and theme switching tools for MCP clients. This release also carries the shortened WordPress.org short description into the new tagged version.<\/p>","2.0.34":"<p>Recommended update if you manage homepage reading settings via MCP; adds safe support for <code>show_on_front<\/code> and <code>page_on_front<\/code> updates.<\/p>","2.0.33":"<p>Documentation-only refresh on WordPress.org listings; recommended if you rely on the plugin directory description for onboarding.<\/p>","2.0.32":"<p>Recommended update for WP 6.9+ sites using Abilities API and MCP adapter integration.<\/p>","2.0.31":"<p>Maintenance update.<\/p>","2.0.30":"<p>Maintenance update.<\/p>","2.0.29":"<p>Maintenance update for runtime stability and cleaner CLI output. If you use WEBO MCP Pro, review\/update the Pro package compatibility notice before deploying this version to production.<\/p>","2.0.28":"<p>WordPress.org compliance update: readme now documents Google Suggest external service usage with Terms\/Privacy links, and nav-menu API loading no longer relies on WPINC.<\/p>","2.0.27":"<p>MCP clients must send WordPress Application Password (HTTP Basic) or use a logged-in session. API key\/HMAC alone are no longer sufficient when calling the router.<\/p>","2.0.26":"<p>Adds seo\/article-analysis for post-level SEO diagnostics (optional outbound suggest API; set no_autocomplete to skip).<\/p>","2.0.7":"<p>Readme and GitHub README now link webomcp.com and the n8n-nodes-webo-mcp npm package.<\/p>","2.0.6":"<p>License declaration aligned between readme and main plugin file for WordPress.org review.<\/p>","2.0.5":"<p>Plugin header updates for Plugin Check and WordPress.org tooling (@wordpress-plugin, GPLv2 license slug).<\/p>","2.0.4":"<p>Plugin header formatting for WordPress.org Plugin Check (Description, Version, License).<\/p>","2.0.3":"<p>Plugin Check and packaging fixes; upload the release zip from scripts\/build-release.ps1 for WordPress.org.<\/p>","2.0.2":"<p>Packaging and readme updates for WordPress.org review. Always upload the zip from scripts\/build-release.ps1, not the raw git folder.<\/p>","2.0.0":"<p>Major rename: reinstall from folder webo-mcp (or deploy to new path), then activate WEBO MCP. Settings are preserved via migration.<\/p>","1.1.1":"<p>Recommended update to fix tools\/call validation for core tools with no input.<\/p>","1.0.2":"<p>Recommended update to support active plugin verification via MCP tool.<\/p>","1.0.1":"<p>Recommended update to refresh plugin metadata and improve tools\/list compatibility.<\/p>","1.0.0":"<p>Initial public release of WEBO MCP (formerly WEBO WordPress MCP).<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":3},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3514777,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3514777,"resolution":"1544x500","location":"assets","locale":"","width":1544,"height":500}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["2.0.28","2.0.29","2.0.34","2.0.35","2.0.40","2.0.45","2.1.0","2.1.10","2.1.11","2.1.12","2.1.13","2.1.14","2.1.17","2.1.19","2.1.3","2.1.4","2.1.9","2.2.0","2.2.1","2.3.0","2.3.1","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.4.0","2.4.1","2.4.2","2.4.4","2.4.5","2.4.6","2.4.7","2.4.8","2.5.5","2.5.6","2.5.7","2.5.8","2.5.9","2.6.10","2.6.11","2.6.12","2.6.13","2.6.14","2.6.15","2.6.3","2.6.4","2.6.8","2.6.9"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"MCP endpoint working in a REST client (initialize)","2":"tools\/list response with public tools","3":"tools\/call response for a WordPress tool"}},"plugin_section":[],"plugin_tags":[232494,569,69473,242115,253991],"plugin_category":[],"plugin_contributors":[261006],"plugin_business_model":[],"class_list":["post-293340","plugin","type-plugin","status-publish","hentry","plugin_tags-ai-agent","plugin_tags-automation","plugin_tags-json-rpc","plugin_tags-mcp","plugin_tags-model-context-protocol","plugin_contributors-phuongwebo","plugin_committers-phuongwebo"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/webo-mcp\/assets\/icon-128x128.png?rev=3514777","icon_2x":false,"generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p><strong>WEBO MCP<\/strong> is a WordPress MCP server \u2014 a complete <strong>Model Context Protocol<\/strong> gateway for WordPress. It lets AI agents and MCP-compatible clients (Claude Desktop, Cursor, Windsurf, n8n, and more) call well-defined tools over REST using JSON-RPC, instead of scraping the admin or sharing broad credentials.<\/p>\n\n<p>Official WEBO MCP website, documentation, and ecosystem hub: https:\/\/webomcp.com<\/p>\n\n<p><strong>Why use WEBO MCP as your WordPress MCP server?<\/strong><\/p>\n\n<ul>\n<li><strong>Token-optimized unified tools:<\/strong> every domain exposes two abilities \u2014 <code>*-query<\/code> (all reads) and <code>*-mutate<\/code> (all writes) \u2014 with a single <code>action<\/code> discriminator. <code>tools\/list<\/code> payload is up to 70% smaller than per-operation APIs, which means less of the model's context window is consumed by tool schemas, lower cost per session, and fewer hallucinated tool names.<\/li>\n<li>Primary router endpoint: <code>POST \/wp-json\/mcp\/v1\/router<\/code><\/li>\n<li>Standard MCP-style flow: <code>initialize<\/code> \u2192 <code>tools\/list<\/code> \u2192 <code>tools\/call<\/code><\/li>\n<li>Session lifecycle for clients (pass <code>session_id<\/code> or <code>Mcp-Session-Id<\/code> after <code>initialize<\/code>)<\/li>\n<li>Built-in tool registry for common WordPress operations (posts, media, terms, menus, options, and more)<\/li>\n<li>Bundled Abilities API + MCP Adapter integration, with automatic bridging from registered abilities to MCP tools (configurable)<\/li>\n<li>WordPress 7.0\/Core-aware bridge mode that uses Core Abilities\/API surfaces when available and falls back only when needed<\/li>\n<li>Public tool policy controls (category filters and optional allowlists) plus optional internal tool exposure for private environments<\/li>\n<li>Bounded MCP audit log, optional per-user\/role\/client tool allowlists, and a read-only administrator health\/status tool<\/li>\n<\/ul>\n\n<p><strong>Security model (high level)<\/strong><\/p>\n\n<ul>\n<li>MCP access requires a real WordPress user context: Application Password over HTTP Basic, or an existing logged-in session.<\/li>\n<li>Optional site-wide or per-user API key and HMAC can be enabled in Settings as an additional gate (they do not replace WordPress authentication). Generate\/rotate from Settings \u2192 Security; by default they are skipped for Application Password and Bearer clients unless you enable \u201cRequire for App Password \/ Bearer\u201d. Do not put the normal WEBO API key in URLs. For clients that cannot send headers, create a short-lived scoped <code>mcp_token<\/code> URL connector token in Settings -&gt; WEBO MCP.<\/li>\n<li>Default access expectations for the router and <code>GET \/wp-json\/webo-mcp\/v1\/tools<\/code>: users who are super admins, can <code>manage_options<\/code>, or can <code>edit_posts<\/code>, consistent with typical site operator and editor workflows (filterable).<\/li>\n<\/ul>\n\n<p><strong>Client guidance<\/strong><\/p>\n\n<p>Always discover tools before calling them: run <code>tools\/list<\/code>, pick an exact tool name from the response, validate required arguments, then call <code>tools\/call<\/code>. This reduces mistakes and keeps automation predictable in production.<\/p>\n\n<p><strong>Further documentation and optional integrations<\/strong><\/p>\n\n<ul>\n<li>Official website, documentation, and ecosystem notes: https:\/\/webomcp.com<\/li>\n<li>Optional n8n community node (separate package): https:\/\/www.npmjs.com\/package\/n8n-nodes-webo-mcp<\/li>\n<li>Release notes and migration map: see docs\/RELEASE_NOTES_2.1.0.md and docs\/MIGRATION_GUIDE_2.1.0.md in the GitHub repository<\/li>\n<li>Cross-addon dispatcher map (granular legacy names removed from discovery): docs\/MCP_TOOL_MIGRATION.md<\/li>\n<\/ul>\n\n<p>Compatibility note: any MCP-capable client can be used; which large language model runs inside the client is outside this plugin.<\/p>\n\n<p>Standalone core tools included:\n- Site info\n- Content (posts\/pages): <code>webo\/content-query<\/code> (list, get, find-by-url, search-replace, list-revisions, get-revision; with author\/date\/taxonomy filters) and <code>webo\/content-mutate<\/code> (create, update, delete, bulk-update-status, restore-revision, change-author)\n- Users: <code>webo\/list-users<\/code> and <code>webo\/user-mutate<\/code> (add-to-blog, set-role)\n- Media: <code>webo\/media-query<\/code> (list with search\/MIME\/post_id filters, get) and <code>webo\/media-mutate<\/code> (upload, update, delete)\n- Comments: <code>webo\/comment-query<\/code> (list, get) and <code>webo\/comment-mutate<\/code> (create, update, delete)\n- Taxonomy\/Terms: <code>webo\/taxonomy-query<\/code> (discover, list, get) and <code>webo\/taxonomy-mutate<\/code> (create, update, delete)\n- Nav menus: list menus, list menu items (menu_order, db_id), add menu link from post (explicit post_id + menu_order required)\n- Plugins: <code>webo\/plugin-query<\/code> (installed, active, updates, \u2026) and <code>webo\/plugin-mutate<\/code> (install, activate, deactivate; supports child-site <code>site_id<\/code> \/ <code>blog_id<\/code> activation for network admins)\n- Health: <code>webo\/health-status<\/code> (REST\/router status, Application Password support, permalinks, cron, object cache, plugin update summary, WordPress\/PHP versions, and redacted MCP config)\n- Client health: <code>webo\/client-health-report<\/code> (score 0\u2013100, grade A\u2013D, Markdown scoreboard for agency clients; hybrid foundation for Pro collectors later)\n- 404 logs: <code>webo\/get-404-logs<\/code> (read-only Rank Math \/ Redirection 404 monitor: url, hits, accessed, referrer)\n- Abilities bridge: <code>webo\/ability-query<\/code> and <code>webo\/ability-execute<\/code> in default layered mode. Only abilities with <code>meta.mcp.public === true<\/code> are visible and executable through WEBO MCP.\n- Themes: <code>webo\/theme-query<\/code> (installed themes) and <code>webo\/theme-mutate<\/code> (install from WordPress.org by slug, switch installed theme)\n- Theme context: <code>webo\/theme-context<\/code> (active theme info, block editor settings, style presets, registered blocks)\n- Block patterns: <code>webo\/block-patterns<\/code> (list\/get patterns, list\/get synced patterns)\n- Site stats: <code>webo\/site-stats<\/code> (overview, post counts, comment counts, user counts, media stats, activity summary)\n- Activity log: <code>webo\/activity-log<\/code> (list events, summary, clear)\n- User profile: <code>webo\/user-profile<\/code> (get own profile, update display name \/ bio \/ preferences)\n- Site settings: <code>webo\/site-settings<\/code> (get and update the 20 most common WordPress options via MCP)\n- Content search: <code>webo\/content-search<\/code> (full-text cross-post-type search with grouped results)\n- Menus: <code>webo\/menu-query<\/code>, <code>webo\/menu-mutate<\/code> (navigation menu items; not post\/CPT list order)\n- Post\/CPT order (optional): <code>webo\/reorder-query<\/code>, <code>webo\/reorder-mutate<\/code> when <a href=\"https:\/\/github.com\/mrphuong-webo\/webo-reorder\">Webo Reorder<\/a> is active \u2014 see docs\/abilities\/reorder.md\n- Options: get\/update (safe allowlist only), set site icon\/favicon from media\n- SEO (WordPress post): seo\/article-analysis \u2014 requires post_id; merges Rank Math meta when available (same data path as webo-rank-math\/get-post-seo-meta); optional related-keyword suggestions via outbound request unless no_autocomplete is true<\/p>\n\n<p>Excluded by default in standalone-safe mode:\n- Bulk\/mass execution tools\n- Plugin\/theme write-management abilities\n- Multisite-specific abilities<\/p>\n\n<h3>Privacy<\/h3>\n\n<p>This plugin does not phone home or send telemetry. MCP traffic is initiated by clients you configure. Some tools may perform outbound HTTP requests only when a client invokes them (for example seo\/article-analysis may request keyword suggestions from a third-party suggest API unless you pass no_autocomplete).<\/p>\n\n<p>The plugin stores the following options in the WordPress database when configured:\n- <code>webo_mcp_api_key<\/code>: API key used to authenticate MCP requests.\n- <code>webo_mcp_hmac_secret<\/code>: HMAC secret used to sign and validate MCP requests.\n- <code>webo_mcp_require_secondary_credentials<\/code>: when enabled, also require API key\/HMAC for Application Password and Bearer clients (off by default so standard connectors are not blocked).\n- <code>webo_mcp_url_connector_tokens<\/code>: hashed, expirable, revocable URL connector tokens for clients that cannot send headers. Raw tokens are shown once and are not stored.\n- <code>webo_mcp_tool_allowlist_enabled<\/code> and <code>webo_mcp_tool_allowlist_rules<\/code>: optional administrator-configured MCP tool allowlist policy.\n- <code>webo_mcp_audit_log_enabled<\/code>, <code>webo_mcp_audit_log_max_entries<\/code>, and <code>webo_mcp_audit_log<\/code>: bounded MCP tool-call audit log settings and compact audit events. Audit entries include user\/tool\/action\/status data, anonymized IPs, and hashed session IDs; they do not store request payloads, API keys, HMAC secrets, or Application Passwords.\n- <code>webo_mcp_installed_at<\/code> and <code>webo_mcp_review_notice<\/code>: local timestamps\/state for an optional WordPress.org review request notice (not sent off-site; dismissible).<\/p>\n\n<p>These options are removed when the plugin is uninstalled via the WordPress Plugins screen.<\/p>\n\n<h3>External services<\/h3>\n\n<p>This plugin can connect to Google Suggest (Autocomplete) when a client calls the <code>seo\/article-analysis<\/code> tool and does not set <code>no_autocomplete<\/code> to true. This external request is used to return related keyword suggestions for SEO analysis.<\/p>\n\n<p>Service provider: Google LLC (Google Suggest \/ Autocomplete API endpoint).<\/p>\n\n<p>Data sent and when:\n- Sent only when <code>seo\/article-analysis<\/code> is called with autocomplete enabled.\n- Sends the analysis query text to <code>https:\/\/suggestqueries.google.com\/complete\/search<\/code> as the <code>q<\/code> parameter.\n- Sends standard HTTP request metadata such as IP address and User-Agent as part of the web request.<\/p>\n\n<p>Terms of Service: https:\/\/policies.google.com\/terms\nPrivacy Policy: https:\/\/policies.google.com\/privacy<\/p>\n\n<h3>Developer Hooks<\/h3>\n\n<p>The plugin exposes the following actions and filters for developers:<\/p>\n\n<h3>Actions<\/h3>\n\n<ul>\n<li><code>webo_mcp_register_tools<\/code>\nFired during plugin bootstrap after standalone tools are registered. Use this to register custom MCP tools from other plugins.<\/li>\n<\/ul>\n\n<h3>Filters<\/h3>\n\n<ul>\n<li><p><code>webo_mcp_current_user_can_use_mcp<\/code> (bool $allowed, int $user_id)\nGate for all MCP REST access. Default: super admin OR <code>manage_options<\/code> OR <code>edit_posts<\/code>. Override to tighten (e.g. super-admin only) in hardened installs.<\/p><\/li>\n<li><p><code>webo_mcp_secondary_credentials_exempt<\/code> (bool $exempt, WP_REST_Request $request)\nWhen true, skip optional API key \/ HMAC after WordPress auth. Default true for Application Password (Basic) and Bearer sessions unless Settings \u2192 Security \u2192 \u201cRequire for App Password \/ Bearer\u201d is enabled. Return false to always enforce <code>X-WEBO-*<\/code> headers.<\/p><\/li>\n<li><p><code>webo_mcp_allow_internal_tools<\/code> (bool $allow_internal, WP_REST_Request $request)\nControls whether internal tools are included in tools\/list responses. Defaults to false for public environments.<\/p><\/li>\n<li><p><code>webo_mcp_public_categories<\/code> (array $categories, WP_REST_Request $request, array $tool)\nFilters which tool categories are exposed as public. Defaults to array( 'wordpress' ).<\/p><\/li>\n<li><p><code>webo_mcp_rate_limit_per_hour<\/code> (int $limit, string $client, array|null $profile)\nAdjust effective hourly limit (fallback for both buckets).<\/p><\/li>\n<li><p><code>webo_mcp_rate_limit_read_per_hour<\/code> \/ <code>webo_mcp_rate_limit_mutate_per_hour<\/code> (int $limit, string $client, array|null $profile)\nPer-bucket limits after admin\/profile resolution.<\/p><\/li>\n<li><p><code>webo_mcp_tool_is_mutating<\/code> (bool $is_mutating, string $tool_name, array|null $tool_definition, array $arguments)\nOverride mutating classification for rate limits and read-only profiles.<\/p><\/li>\n<li><p><code>webo_mcp_tool_arguments_allow_extra<\/code> (bool $allow, string $tool_name, array $schema, array $arguments)\nWhen true, unknown tool argument keys are passed through (default false).<\/p><\/li>\n<li><p><code>webo_mcp_disallow_url_token_query<\/code> (bool $disallowed)\nBlock URL connector tokens in query strings (admin setting is the default source).<\/p><\/li>\n<li><p><code>webo_mcp_rest_bom_guard_json_api_requests<\/code> (bool $activate, string $uri_raw)\nOpt-in BOM sanitizer for all <code>\/wp-json\/<\/code> responses (default false; MCP routes only).<\/p><\/li>\n<li><p><code>webo_mcp_bridge_deny_patterns<\/code> (array $patterns)\nControls which abilities are excluded when auto-bridging abilities into MCP tools (e.g. bulk, themes\/, multisite\/).<\/p><\/li>\n<li><p><code>webo_mcp_auto_bridge_abilities<\/code> (bool $enabled)\nEnables or disables automatic bridging of registered abilities into MCP tools. Defaults to true; bridge mode still controls whether the bridge is off, layered, or full.<\/p><\/li>\n<li><p><code>webo_mcp_bridge_mode<\/code> (string $mode)\nControls Abilities bridge mode after the <code>WEBO_MCP_BRIDGE_MODE<\/code> constant and before the stored option. Values: <code>off<\/code>, <code>layered<\/code>, <code>full<\/code>. Default: <code>layered<\/code>.<\/p><\/li>\n<li><p><code>webo_mcp_enable_adapter<\/code> (bool $enabled)\nEnables or disables the bundled WordPress MCP Adapter runtime. Defaults to true.<\/p><\/li>\n<li><p><code>webo_mcp_validate_media_fetch_url<\/code> (true|\\WP_Error $ok, string $url, array $parsed)\nReject unsafe URLs for webo\/media-mutate upload action (return WP_Error to block).<\/p><\/li>\n<li><p><code>webo_mcp_tool_allowlist_allowed<\/code> (bool $allowed, string $tool_name, WP_REST_Request $request, array $params, array $allowed_tools)\nFilters the optional per-user\/role\/client allowlist decision.<\/p><\/li>\n<\/ul>\n\n<h3>Credits<\/h3>\n\n<p>Special thanks to the authors and open source projects that contributed to this plugin:\n- WordPress (https:\/\/wordpress.org)\n- Abilities API (https:\/\/github.com\/WordPress\/abilities-api)\n  Reference: https:\/\/make.wordpress.org\/ai\/2025\/07\/17\/abilities-api\/\n- MCP Adapter (https:\/\/github.com\/WordPress\/mcp-adapter)\n  Reference: https:\/\/make.wordpress.org\/ai\/2025\/07\/17\/mcp-adapter\/\n- Composer (https:\/\/getcomposer.org)\n- Other PHP and JS libraries from the community<\/p>\n\n<p>If you use this plugin, please give credit to the authors of these libraries.<\/p>\n\n<h3>License<\/h3>\n\n<p>This plugin is licensed under the GPLv2 or later.\nSee https:\/\/www.gnu.org\/licenses\/gpl-2.0.html for details.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin folder to \/wp-content\/plugins\/webo-mcp<\/li>\n<li>Run composer install inside the plugin folder<\/li>\n<li>Activate the plugin in WordPress Admin<\/li>\n<li>Send JSON-RPC requests to POST \/wp-json\/mcp\/v1\/router<\/li>\n<\/ol>\n\n<p>For release packaging, use scripts\/build-release.ps1 to create a clean zip with .distignore exclusions.<\/p>\n\n<!--section=faq-->\n<dl>\n<dt id=\"which%20endpoint%20should%20mcp%20clients%20use%3F\"><h3>Which endpoint should MCP clients use?<\/h3><\/dt>\n<dd><p>POST \/wp-json\/mcp\/v1\/router<\/p><\/dd>\n<dt id=\"where%20is%20the%20official%20website%20and%20the%20n8n%20package%3F\"><h3>Where is the official website and the n8n package?<\/h3><\/dt>\n<dd><p>The project hub is https:\/\/webomcp.com. For n8n, install the community node from npm: https:\/\/www.npmjs.com\/package\/n8n-nodes-webo-mcp<\/p><\/dd>\n<dt id=\"is%20webomcp.com%20the%20official%20webo%20mcp%20website%3F\"><h3>Is webomcp.com the official WEBO MCP website?<\/h3><\/dt>\n<dd><p>Yes. The official WEBO MCP website, documentation hub, and ecosystem landing page is https:\/\/webomcp.com.<\/p><\/dd>\n<dt id=\"can%20this%20run%20wordpress%20abilities%20by%20itself%3F\"><h3>Can this run WordPress abilities by itself?<\/h3><\/dt>\n<dd><p>Yes. On WordPress versions where Core provides the Abilities API, WEBO MCP uses Core and does not load a duplicate bundled Abilities API. On older WordPress versions it falls back to the bundled Composer package. The default bridge mode is <code>layered<\/code>, which exposes compact <code>webo\/ability-query<\/code> and <code>webo\/ability-execute<\/code> tools instead of one tool per ability. You can set bridge mode to <code>off<\/code>, <code>layered<\/code>, or <code>full<\/code> with <code>WEBO_MCP_BRIDGE_MODE<\/code>, the <code>webo_mcp_bridge_mode<\/code> filter, or the <code>webo_mcp_bridge_mode<\/code> option.<\/p><\/dd>\n<dt id=\"which%20abilities%20are%20exposed%20through%20webo%20mcp%3F\"><h3>Which abilities are exposed through WEBO MCP?<\/h3><\/dt>\n<dd><p>Only abilities that explicitly set <code>meta.mcp.public<\/code> to true are exposed. Execution also checks the ability permission callback, WEBO allowlist\/policy, and scope\/risk metadata such as <code>meta.webo_mcp.scope<\/code> and <code>meta.webo_mcp.risk<\/code>.<\/p><\/dd>\n<dt id=\"how%20do%20i%20migrate%20from%20legacy%20one-operation%20tool%20names%3F\"><h3>How do I migrate from legacy one-operation tool names?<\/h3><\/dt>\n<dd><p>Use <code>tools\/list<\/code> to discover the dispatcher tool names on your site, then pass the correct <code>action<\/code> (or query\/mutate discriminant) for each operation. Use docs\/MIGRATION_GUIDE_2.1.0.md for the 2.1.0 rollout narrative and docs\/MCP_TOOL_MIGRATION.md for a consolidated addon-by-addon map (Rank Math, Rocket, WooCommerce groups, etc.).<\/p><\/dd>\n<dt id=\"can%20i%20expose%20internal%20tools%3F\"><h3>Can I expose internal tools?<\/h3><\/dt>\n<dd><p>Yes, via filter webo_mcp_allow_internal_tools in private environments.<\/p><\/dd>\n<dt id=\"can%20i%20limit%20public%20tools%20by%20category%3F\"><h3>Can I limit public tools by category?<\/h3><\/dt>\n<dd><p>Yes, via filter webo_mcp_public_categories.<\/p><\/dd>\n<dt id=\"can%20i%20keep%20only%20wordpress.org-safe%20features%3F\"><h3>Can I keep only WordPress.org-safe features?<\/h3><\/dt>\n<dd><p>Yes. Default bridge rules exclude patterns for bulk, themes, and multisite abilities.<\/p><\/dd>\n<dt id=\"is%20this%20plugin%20suitable%20for%20production%3F\"><h3>Is this plugin suitable for production?<\/h3><\/dt>\n<dd><p>Yes, when used with proper authentication, TLS, and a limited tool exposure policy.<\/p><\/dd>\n<dt id=\"how%20do%20i%20authenticate%20mcp%20clients%3F\"><h3>How do I authenticate MCP clients?<\/h3><\/dt>\n<dd><p>Use a WordPress <strong>Application Password<\/strong> (Users \u2192 Profile \u2192 Application Passwords) and send it with HTTP Basic Auth (username = WordPress username, password = the application password). Optional <strong>API Key<\/strong> (<code>X-WEBO-API-KEY<\/code>) and <strong>HMAC<\/strong> (<code>X-WEBO-TIMESTAMP<\/code> + <code>X-WEBO-SIGNATURE<\/code>) are managed under Settings \u2192 WEBO MCP \u2192 Security (generate\/rotate; secrets are shown once). By default those optional headers are <strong>not<\/strong> required for Application Password or Bearer clients; enable \u201cRequire for App Password \/ Bearer\u201d if your client can send <code>X-WEBO-*<\/code> headers. HMAC signature: <code>sha256=<\/code> + HMAC-SHA256( <code>timestamp + \".\" + raw_body<\/code>, secret ), skew \u2264 300s. If a client cannot send headers, create a short-lived scoped URL connector token and pass it as <code>?mcp_token=...<\/code>; it is shown once, stored only as a hash, limited to an explicit tool scope, expirable, and revocable.<\/p><\/dd>\n<dt id=\"does%20webo%20mcp%20reorder%20posts%20and%20pages%3F\"><h3>Does WEBO MCP reorder posts and pages?<\/h3><\/dt>\n<dd><p>Use <strong><code>webo\/reorder-query<\/code><\/strong> and <strong><code>webo\/reorder-mutate<\/code><\/strong> when the separate <strong>Webo Reorder<\/strong> plugin is installed and active. Those tools control post <code>menu_order<\/code> and taxonomy-specific order \u2014 not navigation menus. For Appearance \u2192 Menus, use <strong><code>webo\/menu-query<\/code><\/strong> and <strong><code>webo\/menu-mutate<\/code><\/strong>. See <code>docs\/abilities\/reorder.md<\/code> in the plugin repository.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>2.6.15<\/h4>\n\n<ul>\n<li>Feature: <code>webo\/site-settings<\/code> export actions \u2014 <code>export<\/code> (safe options table dump), <code>export-general<\/code>, and <code>export-all<\/code> (General\/Reading\/Writing\/Discussion\/Media\/Permalinks\/Privacy). Secrets and transients omitted.<\/li>\n<\/ul>\n\n<h4>2.6.14<\/h4>\n\n<ul>\n<li>Fix: emit MCP <code>annotations.readOnlyHint<\/code> so ChatGPT can distinguish read vs write tools; make set-featured-image idempotent when thumbnail already set; honor site_id\/blog_id; match agent allowlists across slash\/underscore names.<\/li>\n<\/ul>\n\n<h4>2.6.13<\/h4>\n\n<ul>\n<li>Fix: add discoverable <code>webo\/set-featured-image<\/code> and steer media-query \/ content-mutate fallbacks when ChatGPT does not load <code>webo-content\/set-featured-image<\/code>.<\/li>\n<\/ul>\n\n<h4>2.6.12<\/h4>\n\n<ul>\n<li>Security: Generate \/ rotate \/ clear API Key and HMAC Secret without echoing stored secrets; HMAC client header guidance; optional enforce for Application Password and Bearer clients.<\/li>\n<li>Fix: <code>webo\/media-query<\/code> list\/get returns <code>attachment_id<\/code>, <code>edit_url<\/code>, and <code>filename<\/code> for featured-image and mutate workflows.<\/li>\n<\/ul>\n\n<h4>2.6.11<\/h4>\n\n<ul>\n<li>Added: gentle WordPress.org review request for administrators after 7 days (Plugins screen and WEBO MCP settings only; dismissible \/ snoozeable).<\/li>\n<\/ul>\n\n<h4>2.6.10<\/h4>\n\n<ul>\n<li>Added: Website Health score (0\u2013100) and letter grade A\u2013D on <code>webo\/security-audit<\/code> and <code>webo\/client-health-report<\/code>, with a Markdown scoreboard for agency clients.<\/li>\n<li>Note: hybrid foundation only \u2014 Cloudflare, Redis deep stats, backup age, PDF export, and core checksums remain planned for WEBO MCP Pro.<\/li>\n<\/ul>\n\n<h4>2.6.9<\/h4>\n\n<ul>\n<li>Added: read-only <code>webo\/get-404-logs<\/code> to list URL, hits, last accessed time, and referrer from Rank Math 404 Monitor or the Redirection plugin (no wp-admin required).<\/li>\n<\/ul>\n\n<h4>2.6.8<\/h4>\n\n<ul>\n<li>Added: <code>webo\/user-mutate<\/code> with <code>add-to-blog<\/code> (multisite) and <code>set-role<\/code> actions for promoting existing users.<\/li>\n<li>Added: <code>webo\/content-mutate<\/code> action <code>change-author<\/code> to reassign post authors with <code>edit_others_posts<\/code> checks.<\/li>\n<li>Dev: unit coverage for user-mutate and change-author dry-run\/execute paths.<\/li>\n<\/ul>\n\n<h4>2.6.7<\/h4>\n\n<ul>\n<li>Fix: expose the new content-query list filters in the tool schema so App\/connector calls keep <code>category<\/code>, <code>taxonomy<\/code>\/<code>term<\/code>, <code>parent<\/code>, and <code>template<\/code> arguments instead of stripping them.<\/li>\n<\/ul>\n\n<h4>2.6.6<\/h4>\n\n<ul>\n<li>Added: <code>webo\/content-query<\/code> list filters for <code>post_type<\/code> arrays, <code>category<\/code>, <code>taxonomy<\/code>\/<code>term<\/code>, <code>parent<\/code>, and page <code>template<\/code> so AI clients can select service pages\/posts before SEO batches.<\/li>\n<li>Dev: add unit coverage for shorthand content query filters.<\/li>\n<\/ul>\n\n<h4>2.6.5<\/h4>\n\n<ul>\n<li>Fix: centralize mutation write-mode parsing with <code>MutationGuard<\/code> so <code>dry_run=false<\/code>, <code>false<\/code>, <code>0<\/code>, and <code>\"0\"<\/code> execute instead of being forced back to previews.<\/li>\n<li>Fix: <code>force=true<\/code> now confirms guarded operations only and no longer turns a preview into a write by itself.<\/li>\n<li>Dev: standard mutation responses include <code>ok<\/code>, <code>executed<\/code>, <code>dry_run<\/code>, and structured diff fields for safer AI client handling.<\/li>\n<\/ul>\n\n<h4>2.6.4<\/h4>\n\n<ul>\n<li>Fix: map Rank Math, GSC\/Search Console, SEO audit, and interlinking tool families to semantic SEO capabilities for AI workflow planning.<\/li>\n<li>Fix: treat <code>seo.internal-links<\/code> as an optional SEO Autopilot capability so disabling an interlinks addon does not block core Rank Math\/GSC dry-runs.<\/li>\n<li>Readme: highlight the official WEBO MCP website at https:\/\/webomcp.com for WordPress.org visitors.<\/li>\n<\/ul>\n\n<h4>2.6.3<\/h4>\n\n<ul>\n<li>Added: <code>webo\/run-workflow<\/code> MCP tool so registered workflows can run from the gate and create execution history records.<\/li>\n<li>Added: workflow runner validation for availability, callable callbacks, and missing workflow ids.<\/li>\n<\/ul>\n\n<h4>2.6.2<\/h4>\n\n<ul>\n<li>Added: execution history for workflow and AI runs, including caller, inputs, changed posts, SEO\/schema changes, submitted URLs, duration, status, and rollback checkpoint metadata.<\/li>\n<li>Added: <code>webo\/execution-history<\/code> tool with list, get, and rollback actions.<\/li>\n<li>Added: SEO Autopilot run history with automatic checkpoints and rollback metadata.<\/li>\n<\/ul>\n\n<h4>2.6.1<\/h4>\n\n<ul>\n<li>Fix: accept camelCase MCP arguments such as <code>dryRun<\/code> and <code>pluginFile<\/code> for snake_case tool schemas.<\/li>\n<li>Fix: plugin manager now honors <code>dry_run=false<\/code> and string <code>\"false\"<\/code> when executing activate\/deactivate mutations.<\/li>\n<\/ul>\n\n<h4>2.6.0<\/h4>\n\n<ul>\n<li>Added: vNext capability registry, workflow registry, event bus, queue engine, checkpoint service, AI planner, recommendation engine, and plugin manager service.<\/li>\n<li>Added: SEO Autopilot skeleton workflow with report-only, dry-run, and auto modes.<\/li>\n<li>Added: SDK documentation and sample addon for capabilities, workflows, events, and queue integration.<\/li>\n<li>Fix: keep <code>WEBOMCP_VERSION<\/code> in sync with the plugin header for accurate MCP initialize metadata.<\/li>\n<\/ul>\n\n<h4>2.5.7<\/h4>\n\n<ul>\n<li>QA: add output contracts and multisite context coverage for MCP tools.<\/li>\n<li>Fix: suppress multisite option DB errors in health scans.<\/li>\n<li>Security: mask PII\/secrets in comment spam analysis and audit\/usage outputs.<\/li>\n<li>Added: security audit checks for theme updates, common admin logins, and search visibility.<\/li>\n<\/ul>\n\n<h4>2.5.6<\/h4>\n\n<ul>\n<li>Added: plugin conflict analysis, plugin health dry-run upgrades, security audit, multisite health, SEO cluster draft, task planning, comment moderation, CLI tool testing, and client health report tools.<\/li>\n<li>Added: grouped audit and usage reporting by tool, user, client, and session.<\/li>\n<li>Fix: normalize ability scope\/risk metadata, hide broken abilities from discovery, and restore safe content-mutate dry-run defaults.<\/li>\n<\/ul>\n\n<h4>2.5.5<\/h4>\n\n<ul>\n<li>Fix: Suppress WP 6.9 <code>_doing_it_wrong<\/code> notices when optional addon abilities (e.g. webo-ultimo\/*) are not registered \u2014 use <code>wp_has_ability()<\/code> via <code>webo_mcp_get_ability()<\/code>.<\/li>\n<li>Fix: Prime Abilities registry at <code>init:2<\/code> so <code>wp_abilities_api_init<\/code> runs before MCP tool registration.<\/li>\n<li>Fix: Hide and block MCP tools whose <code>ability_name<\/code> is not registered.<\/li>\n<\/ul>\n\n<h4>2.5.4<\/h4>\n\n<ul>\n<li>Fix: ChatGPT upload tools return structured <code>{ ok, attachment_id, url, edit_url }<\/code> success and <code>{ ok, error_code, debug }<\/code> errors.<\/li>\n<li>Fix: <code>webo-media\/upload-chatgpt-file<\/code> declares <code>openai\/fileParams<\/code> on <code>file_path<\/code> and accepts plain file objects without client-side ValueError.<\/li>\n<li>Added: <code>webo-media\/upload-chatgpt-file-id<\/code> for direct <code>file_id<\/code> + optional <code>download_url<\/code> uploads.<\/li>\n<li>Added: <code>file_id<\/code> and <code>download_url<\/code> top-level args on <code>webo-media\/upload-file<\/code>.<\/li>\n<\/ul>\n\n<h4>2.5.3<\/h4>\n\n<ul>\n<li>Added: <code>webo-media\/upload-chatgpt-file<\/code> helper tool for direct ChatGPT <code>{ download_url, file_id }<\/code> uploads.<\/li>\n<li>Fix: <code>webo-media\/upload-file<\/code> detects unre rewritten <code>\/mnt\/data\/<\/code> paths and prefers rewritten file objects from <code>file<\/code> or <code>file_path<\/code>.<\/li>\n<\/ul>\n\n<h4>2.5.2<\/h4>\n\n<ul>\n<li>Fix: <code>webo-media\/upload-file<\/code> accepts <code>file_path<\/code> as a string sandbox path (openai\/fileParams rewrite) and <code>file<\/code> as a connector payload object with download_url\/file_id.<\/li>\n<\/ul>\n\n<h4>2.5.1<\/h4>\n\n<ul>\n<li>Fix: <code>webo-media\/upload-file<\/code> declares <code>openai\/fileParams<\/code> for ChatGPT sandbox file rewrite and accepts mounted <code>file<\/code> references via <code>download_url<\/code>.<\/li>\n<li>MCP: expose tool <code>_meta<\/code> and OpenAI file object schemas in <code>tools\/list<\/code> for connector file bridge compatibility.<\/li>\n<\/ul>\n\n<h4>2.5.0<\/h4>\n\n<ul>\n<li>Added: <code>webo-media\/upload-file<\/code> public write tool for ChatGPT sandbox\/local file uploads via <code>file_data<\/code> (base64), <code>file_path<\/code>, or <code>file_id<\/code>.<\/li>\n<li>Added: <code>webo-content\/publish-post<\/code> public write tool to publish a post and return its permalink.<\/li>\n<li>Updated: <code>webo-content\/set-featured-image<\/code> now returns <code>updated: true<\/code> for the media bridge workflow.<\/li>\n<\/ul>\n\n<h4>2.4.9<\/h4>\n\n<ul>\n<li>Added: <code>webo-media\/upload<\/code> public write tool for media uploads from base64\/data-URI\/file URL payloads with optional title, alt, and caption.<\/li>\n<li>Added: <code>webo-content\/set-featured-image<\/code> public write tool to set a post featured image and return <code>featured_image_url<\/code>.<\/li>\n<\/ul>\n\n<h4>2.4.8<\/h4>\n\n<ul>\n<li>Release: publish the latest direct content creation tools and router\/policy compatibility fixes to WordPress.org SVN.<\/li>\n<\/ul>\n\n<h4>2.4.7<\/h4>\n\n<ul>\n<li>Added: <code>webo-content\/create-post<\/code> and <code>webo-content\/update-post-status<\/code> public write tools for direct ChatGPT draft creation and status updates.<\/li>\n<li>Metadata: update WEBO MCP website and author links to https:\/\/webomcp.com for the WordPress.org release.<\/li>\n<\/ul>\n\n<h4>2.4.6<\/h4>\n\n<ul>\n<li>Fix: <code>webo\/content-mutate<\/code> no longer defaults create\/update and other direct write actions to dry-run preview mode; explicit <code>dry_run:true<\/code> still previews those actions, while <code>search-replace<\/code> keeps its safe preview-by-default behavior.<\/li>\n<\/ul>\n\n<h4>2.4.5<\/h4>\n\n<ul>\n<li>Bridge: expose public plugin-prefixed abilities in <code>webo\/ability-query<\/code> and full bridge discovery (removed default <code>plugins\/<\/code> deny pattern).<\/li>\n<li>New: hub connector pairing endpoints and shared-secret authentication flow (<code>\/wp-json\/webo-mcp\/v1\/health<\/code>, <code>\/pair<\/code>, <code>\/disconnect<\/code>) for WEBO MCP Hub integration.<\/li>\n<\/ul>\n\n<h4>2.4.4<\/h4>\n\n<ul>\n<li>Admin: redesigned WEBO MCP settings UI \u2014 dashboard stat tiles, card layout, copy-to-clipboard fields, and Logs &amp; Usage tab with LLM metering controls.<\/li>\n<\/ul>\n\n<h4>2.4.3<\/h4>\n\n<ul>\n<li>New: hybrid LLM usage metering (report-only, no quotas). Prefers client-reported <code>params._meta.llm_usage<\/code>; falls back to MCP payload byte estimate (~4 bytes\/token).<\/li>\n<li>New: <code>webo\/usage-stats<\/code> tool \u2014 summary, recent, session, task, record, clear.<\/li>\n<li>New: <code>notifications\/usage<\/code> JSON-RPC method for explicit client usage reports without a tools\/call.<\/li>\n<\/ul>\n\n<h4>2.4.1<\/h4>\n\n<ul>\n<li>Fix: keep <code>update<\/code> in content-query schema so read-tool write guard returns explicit error (args were stripped before handler).<\/li>\n<\/ul>\n\n<h4>2.4.0<\/h4>\n\n<ul>\n<li>Performance: <code>webo\/content-query<\/code> get\/find-by-url\/find-by-slug omit <code>content<\/code> and <code>excerpt<\/code> unless <code>include_content:true<\/code> or <code>include_excerpt:true<\/code> \u2014 smaller MCP payloads for AI agents.<\/li>\n<li>New: <code>webo\/plugin-mutate<\/code> action <code>upgrade<\/code> \u2014 update installed plugins from WordPress.org (transient or optional <code>version<\/code>).<\/li>\n<\/ul>\n\n<h4>2.3.7<\/h4>\n\n<ul>\n<li>Security: <code>webo\/content-query<\/code> find-by-url is read-only; reject <code>update<\/code> payload with clear error (use <code>webo\/content-mutate<\/code>).<\/li>\n<\/ul>\n\n<h4>2.3.6<\/h4>\n\n<ul>\n<li>Consistency: unified tool responses (<code>webo\/content-query<\/code>, <code>webo\/content-mutate<\/code>, <code>webo\/menu-*<\/code>, <code>webo\/theme-*<\/code>) now set <code>tool<\/code> and <code>action<\/code> to the MCP tool name instead of legacy per-operation names.<\/li>\n<li>Requirement: minimum PHP raised to 8.0 (plugin header and readme).<\/li>\n<\/ul>\n\n<h4>2.3.5<\/h4>\n\n<ul>\n<li>Security: separate read vs mutate rate limits (Settings \u2192 Security); agent profiles support read_only, max_read_calls_per_hour, max_mutate_calls_per_hour.<\/li>\n<li>Security: read-only agent profiles block mutating tools and write-scoped abilities.<\/li>\n<li>Security: media upload-from-URL rejects disallowed Content-Type (e.g. text\/html).<\/li>\n<li>Settings: expanded Security tab guidance for API key, HMAC, URL tokens, and MCP access filter.<\/li>\n<\/ul>\n\n<h4>2.3.4<\/h4>\n\n<ul>\n<li>Performance: <code>webo\/site-stats<\/code> media action skips upload dir scan unless <code>include_disk_size: true<\/code> (1h transient cache when enabled).<\/li>\n<li>Performance: invalidate <code>tools\/list<\/code> cache when bridge mode or allowlist settings change.<\/li>\n<li>Maintenance: weekly cron prunes expired MCP session transients.<\/li>\n<\/ul>\n\n<h4>2.3.3<\/h4>\n\n<ul>\n<li>Security: admin-configurable MCP tools\/call rate limit (Settings \u2192 Security); agent profiles still override per client.<\/li>\n<li>Security: MCP sessions are bound to the WordPress user that created them on initialize.<\/li>\n<li>Security: tool arguments are stripped to schema keys by default (filter <code>webo_mcp_tool_arguments_allow_extra<\/code> to opt in).<\/li>\n<li>Security: <code>webo\/ability-execute<\/code> requires <code>edit_posts<\/code>; media upload-from-URL no longer follows HTTP redirects (SSRF hardening).<\/li>\n<li>Security: optional disallow <code>?mcp_token=<\/code> query auth; optional audit webhook host allowlist.<\/li>\n<li>Performance: short-lived <code>tools\/list<\/code> cache per user\/policy; audit log batches option writes per request.<\/li>\n<li>Fix: checkpoint create returns admin edit URL instead of public permalink; REST BOM guard defaults to MCP routes only.<\/li>\n<\/ul>\n\n<h4>2.3.2<\/h4>\n\n<ul>\n<li>Claude Desktop \/ MCP SDK: SSE keepalive on <code>GET \/wp-json\/mcp\/v1\/router<\/code> (and adapter SSE routes) so supergateway and Claude Desktop no longer drop the transport; sessionless GET returns 405 instead of 400.<\/li>\n<li>Claude Desktop \/ MCP SDK: <code>initialize<\/code> returns capability objects, sets <code>Mcp-Session-Id<\/code>, and <code>tools\/list<\/code> includes <code>inputSchema<\/code>; <code>tools\/call<\/code> wraps results in the standard MCP <code>content[]<\/code> text block format.<\/li>\n<li>New tools: <code>webo\/create-content-checkpoint<\/code> and <code>webo\/restore-content-checkpoint<\/code> for AI-safe backup and rollback of posts, nav menus, and safe site options before bulk MCP writes.<\/li>\n<li>Fix: sync <code>WEBOMCP_VERSION<\/code> with the plugin header so <code>initialize<\/code> reports the correct MCP server version.<\/li>\n<\/ul>\n\n<h4>2.3.1<\/h4>\n\n<ul>\n<li>Compatibility: fix SCF Abilities API fatal while priming the registry during plugin activation.<\/li>\n<\/ul>\n\n<h4>2.3.0<\/h4>\n\n<ul>\n<li>New tools: <code>webo\/theme-context<\/code> (active theme info, editor settings, style presets, registered blocks), <code>webo\/block-patterns<\/code> (list\/get patterns and synced patterns), <code>webo\/site-stats<\/code> (counts and activity summary), <code>webo\/activity-log<\/code> (list, summary, clear), <code>webo\/user-profile<\/code> (get\/update own profile), <code>webo\/site-settings<\/code> (get\/update 20 common WordPress options), <code>webo\/content-search<\/code> (cross-post-type full-text search with grouped results).<\/li>\n<li>Enhancement: <code>webo\/comment-mutate<\/code> now supports <code>create<\/code> action for creating new comments.<\/li>\n<li>Enhancement: <code>webo\/content-query list<\/code> now accepts <code>author<\/code>, <code>author_name<\/code>, <code>date_after<\/code>, <code>date_before<\/code>, and <code>tax_query<\/code> filters.<\/li>\n<li>Enhancement: <code>webo\/media-query list<\/code> now accepts <code>search<\/code>, <code>mime_type<\/code>, <code>post_id<\/code>, and <code>page<\/code> filters; response includes <code>found<\/code>, <code>pages<\/code>, <code>mime_type<\/code>, and <code>alt_text<\/code> fields.<\/li>\n<li>Enhancement: <code>webo\/content-mutate create<\/code> and <code>update<\/code> include <code>_content_warnings<\/code> when WordPress filters the submitted content on save.<\/li>\n<\/ul>\n\n<h4>2.2.1<\/h4>\n\n<ul>\n<li>Compatibility: autoload bundled MCP schema dependency when the external MCP adapter stack is absent.<\/li>\n<li>Router: fix flattened MCP argument coalescing for <code>webo\/ability-execute<\/code>.<\/li>\n<\/ul>\n\n<h4>2.2.0<\/h4>\n\n<ul>\n<li>Admin: dedicated <strong>WEBO MCP<\/strong> top-level menu with Overview, Security, Bridge &amp; Tools, Agents &amp; Connectors, Audit, and Advanced tabs; legacy Settings link redirects.<\/li>\n<li>WordPress 7.0: expanded Core feature detection, Connectors read-bridge (<code>webo\/connector-query<\/code>), WP AI prompt tool (<code>webo\/ai-prompt<\/code>), agent profiles, rate limits, audit webhook\/CSV export, and multisite network bridge defaults.<\/li>\n<li>WP-CLI: <code>wp webo-mcp health<\/code>, <code>tools-list<\/code>, <code>revoke-tokens<\/code>, <code>audit-count<\/code>.<\/li>\n<li>Dependencies: MCP Adapter ^0.5 (bundled fallback when external adapter absent).<\/li>\n<\/ul>\n\n<h4>2.1.23<\/h4>\n\n<ul>\n<li>Multisite: add an opt-in Trusted Raw HTML setting so trusted site administrators can preserve Elementor and MCP content containing <code>script<\/code>, <code>style<\/code>, <code>canvas<\/code>, <code>iframe<\/code>, and other raw HTML when explicitly enabled.<\/li>\n<li>Options: allow <code>webo\/get-options<\/code> and <code>webo\/update-options<\/code> to read and configure the Trusted Raw HTML policy.<\/li>\n<\/ul>\n\n<h4>2.1.22<\/h4>\n\n<ul>\n<li>Security: replace normal API-key-in-URL support with short-lived scoped <code>mcp_token<\/code> URL connector tokens for clients that cannot send headers.<\/li>\n<li>Security: URL connector tokens are shown once, stored only as hashes, expire automatically, can be revoked, cannot expose internal tools, and are limited by an explicit tool allowlist.<\/li>\n<li>Admin: add Settings -&gt; WEBO MCP controls to generate and revoke URL connector tokens without storing raw secrets.<\/li>\n<\/ul>\n\n<h4>2.1.21<\/h4>\n\n<ul>\n<li>Superseded by 2.1.22. Do not put the normal WEBO API key in URLs.<\/li>\n<\/ul>\n\n<h4>2.1.20<\/h4>\n\n<ul>\n<li>Multisite: allow network admins to target child sites with <code>site_id<\/code> \/ <code>blog_id<\/code> on <code>webo\/content-query<\/code>, <code>webo\/content-mutate<\/code>, <code>webo\/get-options<\/code>, and <code>webo\/update-options<\/code>.<\/li>\n<\/ul>\n\n<h4>2.1.19<\/h4>\n\n<ul>\n<li>Options: allow <code>webo\/get-options<\/code> and <code>webo\/update-options<\/code> to manage <code>html_custom_css<\/code> for trusted admin MCP flows.<\/li>\n<\/ul>\n\n<h4>2.1.18<\/h4>\n\n<ul>\n<li>Integration: register <code>webo\/reorder-query<\/code> and <code>webo\/reorder-mutate<\/code> MCP tools when the Webo Reorder plugin is active (post\/CPT order; not nav menu order).<\/li>\n<\/ul>\n\n<h4>2.1.17<\/h4>\n\n<ul>\n<li>Enhancement: <code>webo\/content-mutate<\/code> can update post passwords for protected content when the authenticated user has permission to edit the post.<\/li>\n<li>Safety: post password updates stay inside the existing content mutation capability checks.<\/li>\n<\/ul>\n\n<h4>2.1.16<\/h4>\n\n<ul>\n<li>Fix: <code>webo\/content-mutate<\/code> can preserve raw block HTML for users with <code>unfiltered_html<\/code>, allowing admin page-builder content and inline styles to be managed through MCP.<\/li>\n<li>Security: users without <code>unfiltered_html<\/code> continue to pass content through the normal WordPress post KSES boundary.<\/li>\n<\/ul>\n\n<h4>2.1.15<\/h4>\n\n<ul>\n<li>WordPress 7.0 readiness: add defensive feature detection for Abilities API, MCP Adapter, Connectors API, and <code>wp_supports_ai()<\/code>.<\/li>\n<li>Bootstrap: avoid loading duplicate bundled Abilities API or MCP Adapter code when Core\/external implementations are already present.<\/li>\n<li>Bridge: add <code>off<\/code>, <code>layered<\/code> (default), and <code>full<\/code> modes. Layered mode exposes compact <code>webo\/ability-query<\/code> and <code>webo\/ability-execute<\/code> tools so <code>tools\/list<\/code> stays small by default.<\/li>\n<li>Security: only bridge abilities with <code>meta.mcp.public === true<\/code>; execution now passes through ability permissions, WEBO policy\/allowlist checks, and scope\/risk gates.<\/li>\n<li>Health: extend <code>webo\/health-status<\/code> with WordPress 7.0\/Core AI\/MCP compatibility diagnostics.<\/li>\n<li>Themes: extend <code>webo\/theme-mutate<\/code> with WordPress.org theme install by slug; optional activation still requires <code>switch_themes<\/code>.<\/li>\n<\/ul>\n\n<h4>2.1.14<\/h4>\n\n<ul>\n<li>Fix: bridge scoped plugin-management capabilities while network admins activate or deactivate plugins inside a child site.<\/li>\n<li>Keeps child-site plugin toggles explicit through <code>site_id<\/code> \/ <code>blog_id<\/code> without widening network-wide activation behavior.<\/li>\n<\/ul>\n\n<h4>2.1.13<\/h4>\n\n<ul>\n<li>Added <code>webo\/plugin-mutate<\/code> for WordPress.org plugin install, activation, and deactivation through the core plugin endpoint.<\/li>\n<li>Added <code>site_id<\/code> \/ <code>blog_id<\/code> support so network admins can activate or deactivate plugins for one multisite child site from the network MCP endpoint.<\/li>\n<li>Safety: rejects conflicting <code>site_id<\/code> \/ <code>blog_id<\/code> plus <code>network_activate<\/code> \/ <code>network_wide<\/code> requests so child-site activation and network-wide activation stay explicit.<\/li>\n<\/ul>\n\n<h4>2.1.12<\/h4>\n\n<ul>\n<li>Added a bounded, admin-readable MCP audit log for <code>tools\/call<\/code> events with user, tool\/action, object ID when available, anonymized IP, hashed session ID, status, and compact result\/error summaries.<\/li>\n<li>Added optional per-user, per-role, and per-client\/Application Password tool allowlists. Enforcement is disabled by default to preserve existing access until an administrator opts in.<\/li>\n<li>Added read-only administrator tool <code>webo\/health-status<\/code> covering REST\/router status, Application Password support, permalinks, cron, object cache, plugin update summary, WordPress\/PHP versions, and redacted MCP config status.<\/li>\n<\/ul>\n\n<h4>2.1.11<\/h4>\n\n<ul>\n<li>Security: enforce object-level capabilities for MCP content\/media mutations, including <code>edit_post<\/code>, <code>delete_post<\/code>, publish\/private status changes, and taxonomy-specific term capabilities.<\/li>\n<li>Security: filter read tools by <code>read_post<\/code> and hide tools from <code>tools\/list<\/code> when the authenticated user lacks the tool capability.<\/li>\n<li>Hardening: use WordPress safe HTTP validation for optional Google Suggest requests in <code>seo\/article-analysis<\/code>.<\/li>\n<\/ul>\n\n<h4>2.1.10<\/h4>\n\n<ul>\n<li>Fix: register <strong><code>webo\/plugin-query<\/code><\/strong> in <code>Standalone_Tools<\/code> so MCP clients can list plugin updates (<code>query=updates<\/code>, optional <code>refresh=true<\/code>) and other inspection modes.<\/li>\n<li>Bootstrap: prime <code>WP_Abilities_Registry<\/code> at <code>init:2<\/code> so <code>wp_abilities_api_init<\/code> runs before MCP bootstrap (<code>init:20<\/code>), preventing <code>_doing_it_wrong<\/code> when abilities register on <code>webo_mcp_register_tools<\/code>.<\/li>\n<\/ul>\n\n<h4>2.1.9<\/h4>\n\n<ul>\n<li>Refactor: move built-in MCP tool registration into <code>inc\/bootstrap\/class-standalone-tools.php<\/code> (smaller bootstrap; same tool names).<\/li>\n<li>Maintainer: broaden <code>.gitignore<\/code> (composer <code>vendor\/bin\/<\/code>, Cursor local config, scratch files); ship <code>scripts\/<\/code> helpers and <code>docs\/WPORG_REVIEW_REPLY_2.0.28.md<\/code>; keep <code>composer.json<\/code> production-only.<\/li>\n<\/ul>\n\n<h4>2.1.8<\/h4>\n\n<ul>\n<li>BOM guard: fix PCRE \u2014 use <code>^(?:\\xEF\\xBB\\xBF)+<\/code> so <strong>multiple<\/strong> UTF-8 BOMs are stripped (the old <code>^\\xEF\\xBB\\xBF+<\/code> only repeated the final <code>0xBF<\/code> byte, breaking responses such as <code>wp\/v2\/types<\/code> on <code>webo.vn<\/code> for MCP clients).<\/li>\n<\/ul>\n\n<h4>2.1.7<\/h4>\n\n<ul>\n<li>BOM guard: sanitize <strong>all<\/strong> REST API requests (<code>\/wp-json\/\u2026<\/code>, <code>wp-json.php<\/code>, <code>?rest_route=<\/code>) by default (<code>webo_mcp_rest_bom_guard_json_api_requests<\/code> filter to disable).<\/li>\n<\/ul>\n\n<h4>2.1.6<\/h4>\n\n<ul>\n<li>BOM guard: treat <strong>Abilities API<\/strong> REST URLs (<code>wp-abilities\/v1<\/code>) the same as MCP router URLs \u2014 <code>@automattic\/mcp-wordpress-remote<\/code> calls discover\/execute over <code>wp-abilities<\/code>, which previously skipped the sanitizer.<\/li>\n<\/ul>\n\n<h4>2.1.5<\/h4>\n\n<ul>\n<li>BOM guard: also start the sanitizer on <code>plugins_loaded<\/code> and <code>init<\/code> at priority <code>-999999<\/code> when the request URI looks MCP (covers BOM echoed before <code>rest_api_init<\/code>).<\/li>\n<\/ul>\n\n<h4>2.1.4<\/h4>\n\n<ul>\n<li>BOM guard: start output buffer at <code>rest_api_init<\/code> priority 0 when Request-URI\/<code>rest_route<\/code> looks like MCP (catches BOM printed before routing); loop-strip repeated BOM\/FEFF; filter <code>webo_mcp_rest_bom_guard_enabled<\/code> to disable.<\/li>\n<\/ul>\n\n<h4>2.1.3<\/h4>\n\n<ul>\n<li>REST: strip accidental UTF-8 BOM \/ stray U+FEFF before JSON on MCP routes so clients no longer fail JSON parse with <code>Unexpected token<\/code> (defensive <code>ob_start<\/code> handler on <code>rest_pre_dispatch<\/code>).<\/li>\n<\/ul>\n\n<h4>2.1.2<\/h4>\n\n<ul>\n<li>Restore the versioned <strong><code>skills\/<\/code><\/strong> subtree in the Git repository (guides and ability-specific SKILL.md files referenced from README.md), matching the documented <code>npx skills add<\/code> workflows.<\/li>\n<li>Add <strong><code>webo-mcp-ultimo-domain-dns-cf<\/code><\/strong> skill index entry (Ultimo checking-dns + Cloudflare checklist).<\/li>\n<li>skills\/README.md: document <strong>WP Rocket<\/strong> skill (<code>cache-query<\/code> \/ <code>cache-mutate<\/code> unified tools).<\/li>\n<\/ul>\n\n<h4>2.1.1<\/h4>\n\n<ul>\n<li>Documentation: add docs\/MCP_TOOL_MIGRATION.md (cross-addon dispatcher map; Rank Math + Rocket public-vs-internal discovery, WooCommerce query\/mutate tool names).<\/li>\n<li>Readme (GitHub + WordPress.org): align examples with <code>webo\/content-query<\/code>, document <code>meta.mcp.public<\/code> visibility for bridged abilities, link migration doc; sync standalone tool bullets (menus, themes, plugins).<\/li>\n<\/ul>\n\n<h4>2.1.0<\/h4>\n\n<ul>\n<li><strong>Token optimization \u2014 ecosystem-wide enum-dispatch unification.<\/strong> All WEBO MCP addons now follow the same query\/mutate pattern as the core plugin, replacing one-tool-per-operation APIs with unified abilities that accept an <code>action<\/code> argument:\n\n<ul>\n<li><strong>webo-mcp-woocommerce:<\/strong> 27 individual tools \u2192 10 unified tools (<code>webo\/woo-query-products<\/code>, <code>webo\/woo-mutate-products<\/code>, <code>webo\/woo-query-orders<\/code>, <code>webo\/woo-mutate-orders<\/code>, <code>webo\/woo-query-customers<\/code>, <code>webo\/woo-mutate-customers<\/code>, <code>webo\/woo-query-coupons<\/code>, <code>webo\/woo-mutate-coupons<\/code>, <code>webo\/woo-query-store<\/code>, <code>webo\/woo-mutate-store<\/code>).<\/li>\n<li><strong>webo-mcp-rank-math:<\/strong> 18 individual tools \u2192 10 unified <code>webo-rank-math\/*-query<\/code>\/<code>*-mutate<\/code> abilities; granular abilities may stay MCP-internal (see addon <code>wp_register_ability_args<\/code>).<\/li>\n<li><strong>webo-mcp-rocket:<\/strong> 9 individual tools \u2192 2 unified tools (<code>webo-rocket\/cache-query<\/code>, <code>webo-rocket\/cache-mutate<\/code>).<\/li>\n<\/ul><\/li>\n<li><strong>Impact:<\/strong> with core and addons active the total tool count visible in <code>tools\/list<\/code> drops from ~79+ to ~34. A smaller tool list means the model picks tools faster, uses less context budget per request, and makes fewer tool-name errors.<\/li>\n<li><strong>Pattern:<\/strong> each unified ability requires one <code>action<\/code> string that is dispatched server-side via PHP <code>match()<\/code>. All existing handler logic is preserved \u2014 only the registration surface changes.<\/li>\n<li>Updated skills documentation for webo-mcp-ability-woocommerce, webo-mcp-ability-rank-math, webo-mcp-ability-rocket, and webo-mcp-guide.<\/li>\n<\/ul>\n\n<h4>2.0.45<\/h4>\n\n<ul>\n<li>Refactor: unify media tools into <code>webo\/media-query<\/code> (list, get) and <code>webo\/media-mutate<\/code> (upload, update, delete); removes 5 legacy media tools.<\/li>\n<li>Refactor: unify taxonomy\/term tools into <code>webo\/taxonomy-query<\/code> (discover, list, get) and <code>webo\/taxonomy-mutate<\/code> (create, update, delete); removes 6 legacy term tools.<\/li>\n<li>Refactor: unify comment tools into <code>webo\/comment-query<\/code> (list, get) and <code>webo\/comment-mutate<\/code> (update, delete); removes 4 legacy comment tools.<\/li>\n<li>Refactor: unify post\/content tools into <code>webo\/content-query<\/code> and <code>webo\/content-mutate<\/code>; removes 17 legacy post tools.<\/li>\n<li>Refactor: replace <code>webo\/list-active-plugins<\/code> with unified <code>webo\/plugin-query<\/code> (list, get, activate, deactivate).<\/li>\n<li>All unified tools normalize the <code>id<\/code> field as the primary response identifier; domain aliases (attachment_id, term_id, comment_id) are kept for backward compatibility.<\/li>\n<li>SEO: improved Unicode word count using Unicode ranges for multilingual content; non-spaced scripts (CJK, Thai) now estimate word count via character-based heuristics.<\/li>\n<\/ul>\n\n<h4>2.0.44<\/h4>\n\n<ul>\n<li>SEO readability: estimate word count for non-spaced scripts (CJK, Thai, Khmer) via character-based heuristics.<\/li>\n<\/ul>\n\n<h4>2.0.43<\/h4>\n\n<ul>\n<li>SEO readability: count Unicode title and meta description lengths correctly for non-ASCII characters.<\/li>\n<\/ul>\n\n<h4>2.0.42<\/h4>\n\n<ul>\n<li>SEO readability: count Unicode words correctly for multilingual content.<\/li>\n<\/ul>\n\n<h4>2.0.41<\/h4>\n\n<ul>\n<li>Media\/site settings: add <code>webo\/set-site-icon<\/code> to set the WordPress site icon\/favicon from an existing image attachment.<\/li>\n<\/ul>\n\n<h4>2.0.40<\/h4>\n\n<ul>\n<li>MCP post tools: add page, offset, orderby, and order support to webo\/list-posts responses for reliable batch processing.<\/li>\n<li>SEO analyzer: infer the WordPress post title as the primary H1 when content omits an H1, and include Article JSON-LD from post\/Rank Math metadata for more accurate schema checks.<\/li>\n<\/ul>\n\n<h4>2.0.39<\/h4>\n\n<ul>\n<li>Options: allow safe permalink\/category\/tag base updates through MCP and flush rewrite rules after URL setting changes.<\/li>\n<\/ul>\n\n<h4>2.0.38<\/h4>\n\n<ul>\n<li>MCP post tools: preserve safe HTML for post content\/excerpt arguments so SEO headings, lists, tables, and images can be authored through create\/update calls.<\/li>\n<\/ul>\n\n<h4>2.0.35<\/h4>\n\n<ul>\n<li>New site-management tools: <code>webo\/list-themes<\/code> and <code>webo\/switch-theme<\/code> for discovering installed themes and switching the active theme by stylesheet slug.<\/li>\n<li>Readme: release includes the shortened WordPress.org short description, keeping the short description under the 150 character import limit.<\/li>\n<\/ul>\n\n<h4>2.0.34<\/h4>\n\n<ul>\n<li>Options: allow <code>webo\/update-options<\/code> and <code>webo\/get-options<\/code> to handle <code>show_on_front<\/code> and <code>page_on_front<\/code>.<\/li>\n<li>Safety: validate <code>show_on_front<\/code> as <code>posts|page<\/code> and ensure <code>page_on_front<\/code> references a valid Page ID (or 0).<\/li>\n<\/ul>\n\n<h4>2.0.33<\/h4>\n\n<ul>\n<li>Readme: refresh WordPress.org-facing description for clarity; lead with product value and protocol workflow, move ecosystem links to a secondary section.<\/li>\n<\/ul>\n\n<h4>2.0.32<\/h4>\n\n<ul>\n<li>Fix: avoid WP 6.9 Abilities API incorrect-usage notices by hardening adapter category\/ability registration order and late-boot recovery.<\/li>\n<\/ul>\n\n<h4>2.0.29<\/h4>\n\n<ul>\n<li>Reliability: harden MCP adapter bootstrap and schema type handling (supports array\/nullable type definitions safely).<\/li>\n<li>WP-CLI noise reduction: register core mcp-adapter abilities before bridge wiring and suppress default adapter server bootstrap in CLI mode to avoid false missing-ability errors.<\/li>\n<li>Release notice: users running WEBO MCP Pro should update Pro package compatibility notes from the official docs\/release channel before production rollout.<\/li>\n<\/ul>\n\n<h4>2.0.28<\/h4>\n\n<ul>\n<li>WordPress.org review fixes: added explicit <code>External services<\/code> disclosure for Google Suggest\/Autocomplete used by <code>seo\/article-analysis<\/code> (service purpose, transmitted query data and request metadata, conditions, Terms and Privacy links).<\/li>\n<li>Compatibility: removed use of <code>WPINC<\/code> for nav-menu API loading; now load nav-menu API via explicit core include paths with availability checks to reduce environment-specific path issues.<\/li>\n<\/ul>\n\n<h4>2.0.27<\/h4>\n\n<ul>\n<li>Security (WordPress.org guidelines): MCP router no longer maps API keys or HMAC to arbitrary user accounts. All requests require WordPress Application Password (Basic Auth) or an existing logged-in session; optional site API key and HMAC apply only after authentication.<\/li>\n<li>Readme: Contributors includes phuongwebo; clarify authentication in description and FAQ.<\/li>\n<\/ul>\n\n<h4>2.0.26<\/h4>\n\n<ul>\n<li>New MCP tool seo\/article-analysis (category seo, edit_posts): WordPress-only on-page SEO signals for a post via post_id \u2014 rendered content, Rank Math merge, readability, issues, content_gaps. Agent documentation: skills\/webo-mcp-seo-article\/SKILL.md in the GitHub repo (not bundled in the WordPress.org zip).<\/li>\n<li>Readme: Stable tag sync, privacy note for optional outbound tool requests.<\/li>\n<\/ul>\n\n<h4>2.0.25<\/h4>\n\n<ul>\n<li>list-posts: document defaults (publish + post type post); response includes applied filters so empty results are easier to explain. Models should pass status draft (etc.) and post_type page when listing those.<\/li>\n<\/ul>\n\n<h4>2.0.24<\/h4>\n\n<ul>\n<li>Nav menus: list-nav-menu-locations response includes note explaining slug vs label; MCP descriptions tell models to call this tool first to discover theme_location keys.<\/li>\n<\/ul>\n\n<h4>2.0.23<\/h4>\n\n<ul>\n<li>Nav menus: list-nav-menus response includes menu_id (same as term_id) and clearer MCP tool descriptions so clients list menus without asking users for menu_id first.<\/li>\n<\/ul>\n\n<h4>2.0.22<\/h4>\n\n<ul>\n<li>Nav menus: if create-nav-menu \/ create-nav-menu-for-location targets a name that already exists, reuse the existing menu term and continue (reused_existing_menu in JSON). Return a clear error if core nav-menu.php cannot be loaded. Expanded primary fallback slugs (primary-menu, header-menu, mobile). assign-nav-menu-to-location accepts menu_name when menu_id is omitted (assigned_via_menu_name in response).<\/li>\n<\/ul>\n\n<h4>2.0.21<\/h4>\n\n<ul>\n<li>Nav menus: resolve theme location when slug primary is missing (single registered slot, or common slugs main\/header\/menu-1\/navigation). Load wp-includes\/nav-menu.php before wp_create_nav_menu in REST context. Response field theme_location_resolution indicates how the slug was chosen.<\/li>\n<\/ul>\n\n<h4>2.0.20<\/h4>\n\n<ul>\n<li>Access: MCP router gate allows <code>manage_options<\/code> and <code>edit_posts<\/code> (Editors, site admins on multisite), not only <code>is_super_admin<\/code>; fixes list-nav-menus \/ tools\/call failing for non-administrator users. Multisite API key\/HMAC falls back to first site Administrator if no Super Admin login exists. Error code <code>webo_mcp_access_denied<\/code> replaces misleading super-admin-only message.<\/li>\n<\/ul>\n\n<h4>2.0.15<\/h4>\n\n<ul>\n<li>Nav menus: list-nav-menus, list-nav-menu-items (db_id, menu_order, object_id, parent_db_id), add-nav-menu-item-from-post with required post_id, post_type, and menu_order (explicit developer values; no auto placement).<\/li>\n<\/ul>\n\n<h4>2.0.14<\/h4>\n\n<ul>\n<li>Security: MCP JSON-RPC router, SecurityHelper, tools discovery, and internal-tool policy default to network Super Admin on multisite (<code>is_super_admin<\/code>). Single-site installs use WordPress core\u2019s <code>is_super_admin()<\/code> behavior (typically full administrators). Global API key\/HMAC elevates to the first Super Admin user on multisite.<\/li>\n<\/ul>\n\n<h4>2.0.7<\/h4>\n\n<ul>\n<li>Readme: highlight https:\/\/webomcp.com and n8n community node https:\/\/www.npmjs.com\/package\/n8n-nodes-webo-mcp; short description and FAQ; README.md aligned.<\/li>\n<\/ul>\n\n<h4>2.0.6<\/h4>\n\n<ul>\n<li>License: plugin header uses the same wording as readme.txt (\"GPL v2 or later\") to satisfy WordPress.org declared-license checks.<\/li>\n<\/ul>\n\n<h4>2.0.5<\/h4>\n\n<ul>\n<li>Plugin header: @wordpress-plugin marker for strict scanners; License line uses GPLv2 or later slug (Plugin Handbook).<\/li>\n<\/ul>\n\n<h4>2.0.4<\/h4>\n\n<ul>\n<li>Plugin header: handbook field order, shorter Description line, License text \"GPL v2 or later\", Domain Path for translations.<\/li>\n<\/ul>\n\n<h4>2.0.3<\/h4>\n\n<ul>\n<li>WordPress.org \/ Plugin Check: include composer.json when vendor is bundled; replace unlink with wp_delete_file for temp uploads; remove load_plugin_textdomain (core loads translations); resolve API key usermeta via get_users instead of direct $wpdb; readme short description, allowed Tags, Stable tag sync.<\/li>\n<\/ul>\n\n<h4>2.0.2<\/h4>\n\n<ul>\n<li>WordPress.org packaging: release zip excludes dotfiles and all .github trees; readme Tested up to 6.9.<\/li>\n<\/ul>\n\n<h4>2.0.1<\/h4>\n\n<ul>\n<li>Hardening: HMAC auth passes REST permission layer; SSRF guard for upload-media-from-url; paginated search-replace (max 500 posts per call); sanitized safe option updates; removed duplicate unused settings class.<\/li>\n<\/ul>\n\n<h4>2.0.0<\/h4>\n\n<ul>\n<li>Plugin renamed to WEBO MCP; folder and main file: webo-mcp\/webo-mcp.php.<\/li>\n<li>Text domain, REST namespace webo-mcp\/v1, hooks webo_mcp_* (breaking for custom code using old hook names).<\/li>\n<li>Options and API-key usermeta migrate automatically from webo-wordpress-mcp keys on first load.<\/li>\n<\/ul>\n\n<h4>1.1.1<\/h4>\n\n<ul>\n<li>Added empty input_schema definitions for core\/get-user-info and core\/get-environment-info.<\/li>\n<li>Fixes MCP tools\/call validation errors when invoking these no-input core tools.<\/li>\n<\/ul>\n\n<h4>1.0.2<\/h4>\n\n<ul>\n<li>Added new read-only tool: webo\/list-active-plugins.<\/li>\n<li>Enables MCP clients to verify active plugins with capability check.<\/li>\n<\/ul>\n\n<h4>1.0.1<\/h4>\n\n<ul>\n<li>Metadata refresh release to ensure dependency headers are reloaded correctly.<\/li>\n<li>tools\/list compatibility improvements for include_internal aliases and legacy endpoint support.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial stable public release.<\/li>\n<li>MCP JSON-RPC router with initialize, tools\/list, tools\/call.<\/li>\n<li>Tool registry integration and public visibility policy controls.<\/li>\n<li>Session management and optional API key\/HMAC security.<\/li>\n<\/ul>","raw_excerpt":"WordPress MCP server for AI agents and automation, with JSON-RPC tools over REST for Claude, Cursor, n8n, and MCP clients.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/gax.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/293340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gax.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/gax.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/gax.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=293340"}],"author":[{"embeddable":true,"href":"https:\/\/gax.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/phuongwebo"}],"wp:attachment":[{"href":"https:\/\/gax.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=293340"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/gax.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=293340"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/gax.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=293340"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/gax.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=293340"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/gax.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=293340"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/gax.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=293340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}