A specialized WooCommerce-focused MCP plugin based on the official WordPress MCP by Automattic. This enhanced version implements the Model Context Protocol (MCP) specifically optimized for WooCommerce stores, providing AI models with comprehensive e-commerce functionality through standardized interfaces.
🔧 Based on Official Automattic Plugin: This is a customized version of the official WordPress MCP plugin by Automattic, specifically enhanced and optimized for WooCommerce functionality, including intelligent product search, enhanced product data with direct links, and specialized e-commerce tools.
- 🛒 WooCommerce Specialized: Enhanced e-commerce tools with intelligent product search
- 🔗 Product Links: All product tools include direct permalinks for seamless user experience
- 🔄 Dual Transport Protocols: STDIO and HTTP-based (Streamable) transports
- 🔐 JWT Authentication: Secure token-based authentication with management UI
- 🎛️ Admin Interface: React-based token management and settings dashboard
- 🤖 AI-Friendly APIs: JSON-RPC 2.0 compliant endpoints for AI integration
- 🏗️ Extensible Architecture: Custom tools, resources, and prompts support
- 🔌 WordPress Feature API: Adapter for standardized WordPress functionality
- 🧪 Experimental REST API CRUD Tools: Generic tools for any WordPress REST API endpoint
- 🧪 Comprehensive Testing: 200+ test cases covering all protocols and authentication
- ⚡ High Performance: Optimized routing and caching mechanisms
- 🔒 Enterprise Security: Multi-layer authentication and audit logging
The plugin implements a dual transport architecture:
```
WOO MCP Plugin
├── Transport Layer
│   ├── McpStdioTransport (/wp/v2/wpmcp)
│   └── McpStreamableTransport (/wp/v2/wpmcp/streamable)
├── Authentication
│   └── JWT Authentication System
├── WooCommerce Tools
│   ├── Intelligent Product Search
│   ├── Product Management with Links
│   ├── Category & Brand Tools
│   └── Enhanced E-commerce Features
├── Method Handlers
│   ├── Tools, Resources, Prompts
│   └── System & Initialization
└── Admin Interface
    └── React-based Token Management
```
| Protocol | Endpoint | Format | Authentication | Use Case |
|---|---|---|---|---|
| STDIO | `/wp/v2/wpmcp` | WordPress-style | JWT + App Passwords | Legacy compatibility |
| Streamable | `/wp/v2/wpmcp/streamable` | JSON-RPC 2.0 | JWT only | Modern AI clients |
- Download `wordpress-mcp.zip` from releases
- Upload to `/wp-content/plugins/wordpress-mcp` directory
- Activate through WordPress admin 'Plugins' menu
- Navigate to `Settings > WOO MCP` to configure
```bash
cd wp-content/plugins/
git clone https://github.com/Automattic/wordpress-mcp.git
cd wordpress-mcp
composer install --no-dev
npm install && npm run build
```

- Go to `Settings > WOO MCP > Authentication Tokens`
- Select token duration (1-24 hours) or never
- Click "Generate New Token"
- Copy the token for use in your MCP client
Claude Desktop Configuration using mcp-wordpress-remote proxy
Add to your Claude Desktop claude_desktop_config.json:
```json
{
  "mcpServers": {
    "woo-mcp": {
      "command": "npx",
      "args": [ "-y", "@automattic/mcp-wordpress-remote@latest" ],
      "env": {
        "WP_API_URL": "https://your-site.com/",
        "JWT_TOKEN": "your-jwt-token-here",
        "LOG_FILE": "optional-path-to-log-file"
      }
    }
  }
}
```

```json
{
  "mcpServers": {
    "woo-mcp": {
      "command": "npx",
      "args": [ "-y", "@automattic/mcp-wordpress-remote@latest" ],
      "env": {
        "WP_API_URL": "https://your-site.com/",
        "WP_API_USERNAME": "your-username",
        "WP_API_PASSWORD": "your-application-password",
        "LOG_FILE": "optional-path-to-log-file"
      }
    }
  }
}
```

Add to your VS Code MCP settings:
```json
{
  "servers": {
    "woo-mcp": {
      "type": "http",
      "url": "https://your-site.com/wp-json/wp/v2/wpmcp/streamable",
      "headers": {
        "Authorization": "Bearer your-jwt-token-here"
      }
    }
  }
}
```

```bash
# Using JWT Token with proxy
npx @modelcontextprotocol/inspector \
  -e WP_API_URL=https://your-site.com/ \
  -e JWT_TOKEN=your-jwt-token-here \
  npx @automattic/mcp-wordpress-remote@latest

# Using Application Password with proxy
npx @modelcontextprotocol/inspector \
  -e WP_API_URL=https://your-site.com/ \
  -e WP_API_USERNAME=your-username \
  -e WP_API_PASSWORD=your-application-password \
  npx @automattic/mcp-wordpress-remote@latest
```

To use with Claude.ai Desktop, add this configuration to your claude_desktop_config.json:
PHP Version (requires PHP installed):
```json
{
  "mcpServers": {
    "woocommerce": {
      "command": "php",
      "args": [ "/path/to/your/woo-mcp/mcp-proxy.php" ]
    }
  }
}
```

Node.js Version (requires Node.js installed):
```json
{
  "mcpServers": {
    "woocommerce": {
      "command": "node",
      "args": [ "/path/to/your/woo-mcp/mcp-proxy.js" ]
    }
  }
}
```

This plugin works seamlessly with MCP-compatible clients in two ways:
Via Proxy:
- mcp-wordpress-remote - Official MCP client with enhanced features
- Claude Desktop with proxy configuration for full WordPress and WooCommerce support
- Any MCP client using the STDIO transport protocol
Direct Streamable Transport:
- VS Code MCP Extension connecting directly to `/wp/v2/wpmcp/streamable`
- Custom HTTP-based MCP implementations using JSON-RPC 2.0
- Any client supporting HTTP transport with JWT authentication
The streamable transport provides a direct JSON-RPC 2.0 compliant endpoint, while the proxy offers additional features like WooCommerce integration, enhanced logging, and compatibility with legacy authentication methods.
| Method | Description | Transport Support |
|---|---|---|
| `initialize` | Initialize MCP session | Both |
| `tools/list` | List available tools | Both |
| `tools/call` | Execute a tool | Both |
| `resources/list` | List available resources | Both |
| `resources/read` | Read resource content | Both |
| `prompts/list` | List available prompts | Both |
| `prompts/get` | Get prompt template | Both |
When enabled via Settings > WOO MCP > Enable REST API CRUD Tools, the plugin provides three powerful generic tools that can interact with any WordPress REST API endpoint:
| Tool Name | Description | Type |
|---|---|---|
| `list_api_functions` | Discover all available WordPress REST API endpoints | Read |
| `get_function_details` | Get detailed metadata for specific endpoint/method | Read |
| `run_api_function` | Execute any REST API function with CRUD operations | Action |
- Discovery: Use `list_api_functions` to see all available endpoints
- Inspection: Use `get_function_details` to understand required parameters
- Execution: Use `run_api_function` to perform CRUD operations
- User Capabilities: All operations respect current user permissions
- Settings Control: Individual CRUD operations can be disabled in settings:
  - Enable Create Tools (POST operations)
  - Enable Update Tools (PATCH/PUT operations)
  - Enable Delete Tools (DELETE operations)
- Automatic Filtering: Excludes sensitive endpoints (JWT auth, oembed, autosaves, revisions)
- Universal Access: Works with any WordPress REST API endpoint, including custom post types and third-party plugins
- AI-Friendly: Provides discovery and introspection capabilities for AI agents
- Standards Compliant: Uses standard HTTP methods (GET, POST, PATCH, DELETE)
- Permission Safe: Inherits WordPress user capabilities and respects endpoint permissions
```
wp-content/plugins/wordpress-mcp/
├── includes/           # PHP classes
│   ├── Core/           # Transport and core logic
│   ├── Auth/           # JWT authentication
│   ├── Tools/          # MCP tools
│   ├── Resources/      # MCP resources
│   ├── Prompts/        # MCP prompts
│   └── Admin/          # Settings interface
├── src/                # React components
│   └── settings/       # Admin UI components
├── tests/              # Test suite
│   └── phpunit/        # PHPUnit tests
└── docs/               # Documentation
```
You can extend the MCP functionality by adding custom tools through your own plugins or themes. Create a new tool class in your plugin or theme:
```php
<?php
declare(strict_types=1);

namespace Automattic\WordpressMcp\Tools;

class MyCustomTool {
    public function register(): void {
        add_action('wp_mcp_register_tools', [$this, 'register_tool']);
    }

    public function register_tool(): void {
        WPMCP()->register_tool([
            'name'        => 'my_custom_tool',
            'description' => 'My custom tool description',
            'inputSchema' => [
                'type'       => 'object',
                'properties' => [
                    'param1' => ['type' => 'string', 'description' => 'Parameter 1']
                ],
                'required'   => ['param1']
            ],
            'callback'    => [$this, 'execute'],
        ]);
    }

    public function execute(array $args): array {
        // Your tool logic here
        return ['result' => 'success'];
    }
}
```

You can extend the MCP functionality by adding custom resources through your own plugins or themes. Create a new resource class in your plugin or theme:
```php
<?php
declare(strict_types=1);

namespace Automattic\WordpressMcp\Resources;

class MyCustomResource {
    public function register(): void {
        add_action('wp_mcp_register_resources', [$this, 'register_resource']);
    }

    public function register_resource(): void {
        WPMCP()->register_resource([
            'uri'         => 'custom://my-resource',
            'name'        => 'My Custom Resource',
            'description' => 'Custom resource description',
            'mimeType'    => 'application/json',
            'callback'    => [$this, 'get_content'],
        ]);
    }

    public function get_content(): array {
        return ['contents' => [/* resource data */]];
    }
}
```

Run the comprehensive test suite:
```bash
# Run all tests
vendor/bin/phpunit

# Run specific test suites
vendor/bin/phpunit tests/phpunit/McpStdioTransportTest.php
vendor/bin/phpunit tests/phpunit/McpStreamableTransportTest.php
vendor/bin/phpunit tests/phpunit/JwtAuthTest.php

# Run with coverage
vendor/bin/phpunit --coverage-html coverage/
```

```bash
# Development build
npm run dev

# Production build
npm run build

# Watch mode
npm run start
```

For comprehensive security documentation and audit information, see the /security directory.
- Token Management: Use shortest expiration time needed (1-24 hours) or never
- User Permissions: Tokens inherit user capabilities
- Secure Storage: Never commit tokens to repositories
- Regular Cleanup: Revoke unused tokens promptly
- Access Control: Streamable transport requires admin privileges
- CRUD Operations: Only enable create/update/delete tools when necessary
- Experimental Features: Use REST API CRUD tools with caution in production environments
- ✅ JWT signature validation
- ✅ Token expiration and revocation
- ✅ User capability inheritance
- ✅ Secure secret key generation
- ✅ Audit logging for security events
- ✅ Protection against malformed requests
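
The token guidance above (shortest expiration, prompt revocation, no long-lived secrets in client files) can be checked on the client side. The following is an added example, not part of the plugin or its documentation: it audits an MCP client configuration of the shapes shown earlier on this page and flags tokens that never expire, outlive 24 hours, or have already expired, plus any application password. It assumes the tokens are standard JWTs with numeric `iat` and `exp` claims; `auditConfig`, `classifyToken`, `decodeJwtPayload` and `demoJwt` are names introduced here.

```javascript
// Assumption: tokens are standard JWTs with numeric `iat`/`exp` claims (seconds).
const MAX_LIFETIME_S = 24 * 3600; // longest fixed duration the token UI offers

// Decode the payload WITHOUT verifying the signature: fine for an inventory
// of lifetimes, never for an authentication decision.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return claims && typeof claims === 'object' ? claims : null;
  } catch {
    return null;
  }
}

function classifyToken(token, nowS) {
  const c = decodeJwtPayload(token);
  if (!c) return 'not-a-jwt';
  if (typeof c.exp !== 'number') return 'never-expires';
  if (c.exp <= nowS) return 'expired';
  if (typeof c.iat === 'number' && c.exp - c.iat > MAX_LIFETIME_S) return 'long-lived';
  return 'ok';
}

// Covers both config shapes: `mcpServers` (proxy, credentials in `env`)
// and `servers` (direct streamable transport, `Authorization` header).
function auditConfig(config, nowS = Math.floor(Date.now() / 1000)) {
  const findings = [];
  const servers = { ...(config.mcpServers || {}), ...(config.servers || {}) };
  for (const [server, srv] of Object.entries(servers)) {
    const env = srv.env || {};
    const bearer = /^Bearer\s+(\S+)$/i.exec((srv.headers || {}).Authorization || '');
    for (const tok of [env.JWT_TOKEN, bearer && bearer[1]].filter(Boolean)) {
      const issue = classifyToken(tok, nowS);
      if (issue !== 'ok') findings.push({ server, issue });
    }
    // Application passwords stay valid until revoked.
    if (env.WP_API_PASSWORD) findings.push({ server, issue: 'application-password' });
  }
  return findings;
}

// Constructed sample: unsigned demo tokens, not real credentials.
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const demoJwt = (claims) => `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.sig`;
const sample = { mcpServers: { 'woo-mcp': { env: { JWT_TOKEN: demoJwt({ iat: 1700000000 }) } } } };
console.log(auditConfig(sample, 1700000100));
```

Placeholder strings such as `your-jwt-token-here` are reported as `not-a-jwt`, which also catches configs that were copied without a real token.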
The plugin includes extensive testing:
- Transport Testing: Both STDIO and Streamable protocols
- Authentication Testing: JWT generation, validation, and revocation
- Integration Testing: Cross-transport comparison
- Security Testing: Edge cases and malformed requests
- Performance Testing: Load and stress testing
View detailed testing documentation in tests/README.md.
```php
// wp-config.php
define('WPMCP_JWT_SECRET_KEY', 'your-secret-key');
define('WPMCP_DEBUG', true); // Enable debug logging
```

Access via Settings > WOO MCP:
- Enable/Disable MCP: Toggle plugin functionality
- Transport Configuration: Configure STDIO/Streamable transports
- Feature Toggles: Enable/disable specific tools and resources
- CRUD Operation Controls: Granular control over create, update, and delete operations
- Experimental Features: Enable REST API CRUD Tools (experimental functionality)
- Authentication Settings: JWT token management
The plugin provides granular control over CRUD operations:
- Enable Create Tools: Allow POST operations via MCP tools
- Enable Update Tools: Allow PATCH/PUT operations via MCP tools
- Enable Delete Tools: ⚠️ Allow DELETE operations via MCP tools (use with caution)
- Enable REST API CRUD Tools: 🧪 Enable experimental generic REST API access tools
We welcome contributions! Please see our Contributing Guidelines.
- Clone the repository
- Run `composer install` for PHP dependencies
- Run `npm install` for JavaScript dependencies
- Set up WordPress test environment
- Run tests with `vendor/bin/phpunit`
- API Reference: docs/api/
- Architecture Guide: docs/architecture.md
- Security Guide: docs/security.md
- Testing Guide: tests/README.md
For support and questions:
- 📖 Documentation: docs/README.md
- 🐛 Bug Reports: GitHub Issues
- 💬 Discussions: GitHub Discussions
- ✉️ Contact: Reach out to the maintainers
This project is licensed under the GPL v2 or later.
Built with ❤️ by Automattic for the WordPress and AI communities.