@adsim/wordpress-mcp-server 4.6.0 → 5.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48)
  1. package/.env.example +18 -0
  2. package/README.md +851 -499
  3. package/companion/mcp-diagnostics.php +1184 -0
  4. package/dxt/manifest.json +715 -98
  5. package/index.js +166 -4786
  6. package/package.json +14 -6
  7. package/src/data/plugin-performance-data.json +59 -0
  8. package/src/shared/api.js +79 -0
  9. package/src/shared/audit.js +39 -0
  10. package/src/shared/context.js +15 -0
  11. package/src/shared/governance.js +98 -0
  12. package/src/shared/utils.js +148 -0
  13. package/src/tools/comments.js +50 -0
  14. package/src/tools/content.js +353 -0
  15. package/src/tools/core.js +114 -0
  16. package/src/tools/editorial.js +634 -0
  17. package/src/tools/fse.js +370 -0
  18. package/src/tools/health.js +160 -0
  19. package/src/tools/index.js +96 -0
  20. package/src/tools/intelligence.js +2082 -0
  21. package/src/tools/links.js +118 -0
  22. package/src/tools/media.js +71 -0
  23. package/src/tools/performance.js +219 -0
  24. package/src/tools/plugins.js +368 -0
  25. package/src/tools/schema.js +417 -0
  26. package/src/tools/security.js +590 -0
  27. package/src/tools/seo.js +1633 -0
  28. package/src/tools/taxonomy.js +115 -0
  29. package/src/tools/users.js +188 -0
  30. package/src/tools/woocommerce.js +1008 -0
  31. package/src/tools/workflow.js +409 -0
  32. package/src/transport/http.js +39 -0
  33. package/tests/unit/helpers/pagination.test.js +43 -0
  34. package/tests/unit/tools/bulkUpdate.test.js +188 -0
  35. package/tests/unit/tools/diagnostics.test.js +397 -0
  36. package/tests/unit/tools/dynamicFiltering.test.js +100 -8
  37. package/tests/unit/tools/editorialIntelligence.test.js +817 -0
  38. package/tests/unit/tools/fse.test.js +548 -0
  39. package/tests/unit/tools/multilingual.test.js +653 -0
  40. package/tests/unit/tools/performance.test.js +351 -0
  41. package/tests/unit/tools/runWorkflow.test.js +150 -0
  42. package/tests/unit/tools/schema.test.js +477 -0
  43. package/tests/unit/tools/security.test.js +695 -0
  44. package/tests/unit/tools/site.test.js +1 -1
  45. package/tests/unit/tools/users.crud.test.js +399 -0
  46. package/tests/unit/tools/validateBlocks.test.js +186 -0
  47. package/tests/unit/tools/visualStaging.test.js +271 -0
  48. package/tests/unit/tools/woocommerce.advanced.test.js +679 -0
package/README.md CHANGED
@@ -3,38 +3,80 @@
3
3
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
4
4
  [![Node.js](https://img.shields.io/badge/Node.js-%3E%3D18-green.svg)](https://nodejs.org/)
5
5
  [![MCP SDK](https://img.shields.io/badge/MCP-SDK-blue.svg)](https://github.com/anthropics/mcp)
6
- [![Tests](https://img.shields.io/badge/tests-767%20passing-brightgreen.svg)](https://github.com/GeorgesAdSim/wordpress-mcp-server/actions)
6
+ [![Tests](https://img.shields.io/badge/tests-1076%20passing-brightgreen.svg)](https://github.com/GeorgesAdSim/wordpress-mcp-server/actions)
7
7
  [![npm](https://img.shields.io/npm/v/@adsim/wordpress-mcp-server.svg)](https://www.npmjs.com/package/@adsim/wordpress-mcp-server)
8
8
 
9
9
  **Enterprise Governance · Audit Trail · Multi-Site · Plugin-Free**
10
10
 
11
11
  The enterprise governance layer for Claude-to-WordPress integrations — secure, auditable, and multi-site.
12
12
 
13
- **v4.6.0 Enterprise** · 92 tools · 767 Vitest tests · GitHub Actions CI · HTTP Streamable transport · MCPB bundle · SEO metadata · SEO audit suite · Content intelligence · Plugin intelligence · Plugin layer (ACF, Elementor) · Plugin & theme management · Revision control · Editorial approval workflow · Destructive confirmation · Internal link analysis · WooCommerce (read + intelligence + write) · Execution controls · JSON audit trail · Multi-site targeting
13
+ **v5.1.0 Enterprise** · 175 tools · ~1101 Vitest tests · GitHub Actions CI
14
+
15
+ ---
16
+
17
+ ## Table of Contents
18
+
19
+ - [Architecture](#architecture)
20
+ - [Why This Server](#why-this-server)
21
+ - [Safety Model](#safety-model)
22
+ - [Data Retention](#data-retention)
23
+ - [Quick Start](#quick-start)
24
+ - [HTTP Streamable Transport](#http-streamable-transport)
25
+ - [MCPB Bundle](#mcpb-bundle--claude-desktop-one-click-install)
26
+ - [Available Tools (175)](#available-tools-175)
27
+ - [Enterprise Controls](#enterprise-controls)
28
+ - [MU-Plugin Companion](#mu-plugin-companion)
29
+ - [SEO Metadata](#seo-metadata)
30
+ - [WooCommerce Setup](#woocommerce-setup)
31
+ - [Testing](#testing)
32
+ - [Structured Audit Log](#structured-audit-log)
33
+ - [Multi-Target](#multi-target)
34
+ - [Health & Reliability](#health--reliability)
35
+ - [Security](#security)
36
+ - [Troubleshooting](#troubleshooting)
37
+ - [Development](#development)
38
+ - [Changelog](#changelog)
39
+ - [Roadmap](#roadmap)
40
+ - [Contributing](#contributing)
41
+ - [License](#license)
42
+ - [Credits](#credits)
14
43
 
15
44
  ---
16
45
 
17
46
  ## Architecture
47
+
18
48
  ```
19
- ┌─────────────────────────┐
20
- Claude Client │ Claude Desktop · Claude Code · Any MCP client
21
- └────────────┬────────────┘
22
- │ MCP Protocol (stdio or HTTP Streamable)
23
- ┌────────────▼────────────┐
24
- WordPress MCP Server │ Node.js · Standalone · No WordPress plugin
25
- ├─────────────────────────┤
26
- Execution Controls Read-only · Draft-only · Plugin mgmt · Type/status allowlists
27
- ├─────────────────────────┤
28
- Audit Logging JSON on stderr · 79 instrumentation points
29
- ├─────────────────────────┤
30
- Rate Limiting Client-side · Configurable per-minute cap
31
- ├─────────────────────────┤
32
- HTTP Transport Bearer auth · Session management · Origin validation
33
- └────────────┬────────────┘
34
- HTTPS + WordPress Application Password (Basic Auth over TLS)
35
- ┌────────────▼────────────┐
36
- WordPress REST API Single site or multi-target
37
- └─────────────────────────┘
49
+ ┌─────────────────────────────┐
50
+ Claude Client │ Claude Desktop · Claude Code · Any MCP client
51
+ └──────────────┬──────────────┘
52
+ │ MCP Protocol (stdio or HTTP Streamable)
53
+ ┌──────────────▼──────────────┐
54
+ WordPress MCP Server │ Node.js · Standalone · No WordPress plugin
55
+ ├─────────────────────────────┤
56
+ index.js (~498 lines) Orchestration only: MCP transport, enterprise controls, dispatch
57
+ ├─────────────────────────────┤
58
+ src/tools/ (18 modules) 175 tool definitions + handlers by category
59
+ ├─────────────────────────────┤
60
+ src/shared/ utils · api · audit · governance · context
61
+ ├─────────────────────────────┤
62
+ src/plugins/ PluginRegistry · ACF · auto-detected via REST namespaces
63
+ ├─────────────────────────────┤
64
+ WP_TOOL_CATEGORIES Filter │ Load only the categories you need (~4-9k tokens vs ~20k)
65
+ ├─────────────────────────────┤
66
+ Execution Controls Read-only · Draft-only · Plugin mgmt · Type/status allowlists
67
+ ├─────────────────────────────┤
68
+ │ Audit Logging │ JSON on stderr · 79+ instrumentation points
69
+ ├─────────────────────────────┤
70
+ │ Rate Limiting │ Client-side · Configurable per-minute cap
71
+ ├─────────────────────────────┤
72
+ │ HTTP Transport │ Bearer auth · Session management · Origin validation
73
+ └──────────────┬──────────────┘
74
+ │ HTTPS + WordPress Application Password (Basic Auth over TLS)
75
+ ┌──────────────▼──────────────┐
76
+ │ WordPress REST API │ Single site or multi-target
77
+ ├─────────────────────────────┤
78
+ │ MCP Diagnostics mu-plugin │ Optional · Debug log · Cron · Schema · Security endpoints
79
+ └─────────────────────────────┘
38
80
  ```
39
81
 
40
82
  ## Why This Server
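Review bot: The test count disagrees within this hunk: the updated Tests badge reads `tests-1076%20passing` while the new version line reads `~1101 Vitest tests`. Use one figure in both places (preferably the number CI reports), or drop the number from the version line so it cannot drift from the badge. The architecture box also moves from `79 instrumentation points` to `79+` while the tool count goes from 92 to 175; if audit coverage is a selling point of the governance layer, state the re-counted figure rather than an open-ended one.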
@@ -45,6 +87,8 @@ In regulated environments — financial services, healthcare, legal, government
45
87
 
46
88
  No composer, no PHP build, no WordPress admin plugin. Point it at any WordPress site with an Application Password, configure your execution policy, and connect your Claude client.
47
89
 
90
+ With 173 tools across 18 categories and `WP_TOOL_CATEGORIES`, agencies can load only the tools they need per deployment — reducing the ListTools context from ~20,000 tokens to as low as ~4,000 tokens, saving cost and improving response quality.
91
+
48
92
  ## Safety Model
49
93
 
50
94
  This server is designed for safe operation in production environments:
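Review bot: The added paragraph says `173 tools across 18 categories`, but the version line, the table of contents entry and the architecture box added in the same diff all say 175. Correct the count here, or refer to the tools without a number so this paragraph does not need editing on every release. The token range also differs between the two places it appears: this paragraph gives "as low as ~4,000" and the architecture box gives `~4-9k`; naming the `WP_TOOL_CATEGORIES` value that produces the low end would make the claim checkable.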
@@ -99,6 +143,10 @@ WP_API_PASSWORD=xxxx xxxx xxxx xxxx xxxx xxxx
99
143
  # Optional: WooCommerce (generate at WooCommerce → Settings → Advanced → REST API)
100
144
  WC_CONSUMER_KEY=ck_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
101
145
  WC_CONSUMER_SECRET=cs_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
146
+
147
+ # Context optimization (optional)
148
+ WP_TOOL_CATEGORIES=seo,content,schema # Load specific categories only
149
+ WP_COMPACT_JSON=true # Compact JSON output (default)
102
150
  ```
103
151
 
104
152
  To generate an Application Password: WordPress Admin → Users → Profile → Application Passwords → Add New.
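Review bot: The two new settings put their comments on the value line (`WP_TOOL_CATEGORIES=seo,content,schema # Load specific categories only`), whereas the existing WooCommerce block in this same example keeps its comment on a separate line above the keys. Move the comments above the assignments: a reader who copies the line into a loader or a client `env` block that does not strip trailing comments ends up with the comment text inside the category list or the boolean, and the filter then may not load what was intended. It would also help to say what is loaded when `WP_TOOL_CATEGORIES` is unset, since the comment only describes the filtered case.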
@@ -161,20 +209,20 @@ npx -y @adsim/wordpress-mcp-server
161
209
 
162
210
  ### HTTP environment variables
163
211
 
164
- | Variable | Default | Description |
165
- |---|---|---|
166
- | `MCP_TRANSPORT` | `stdio` | Set to `http` to enable HTTP Streamable transport |
167
- | `MCP_HTTP_PORT` | `3000` | HTTP server port |
168
- | `MCP_HTTP_HOST` | `127.0.0.1` | Bind address |
169
- | `MCP_AUTH_TOKEN` | _(none)_ | Bearer token for authentication (required in HTTP mode) |
170
- | `MCP_ALLOWED_ORIGINS` | _(none)_ | Comma-separated allowed origins (anti-DNS-rebinding) |
171
- | `MCP_SESSION_TIMEOUT_MS` | `3600000` | Session TTL in milliseconds (1 hour) |
172
- | `MCP_DUAL_MODE` | `false` | Run stdio and HTTP transports simultaneously |
212
+ | Variable | Default | Description |
213
+ |-----------------------|-------------|------------------------------------------------------|
214
+ | `MCP_TRANSPORT` | `stdio` | Set to `http` to enable HTTP Streamable transport |
215
+ | `MCP_HTTP_PORT` | `3000` | HTTP server port |
216
+ | `MCP_HTTP_HOST` | `127.0.0.1` | Bind address |
217
+ | `MCP_AUTH_TOKEN` | _(none)_ | Bearer token for authentication (required in HTTP mode) |
218
+ | `MCP_ALLOWED_ORIGINS` | _(none)_ | Comma-separated allowed origins (anti-DNS-rebinding) |
219
+ | `MCP_SESSION_TIMEOUT_MS` | `3600000` | Session TTL in milliseconds (1 hour) |
220
+ | `MCP_DUAL_MODE` | `false` | Run stdio and HTTP transports simultaneously |
173
221
 
174
222
  ### Health check
175
223
  ```bash
176
224
  curl http://localhost:3000/health
177
- # → { "status": "ok", "version": "4.6.0", "transport": "http" }
225
+ # → { "status": "ok", "version": "4.14.0", "transport": "http" }
178
226
  ```
179
227
 
180
228
  ### Connect an MCP client via HTTP
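Review bot: The health check sample output is changed to `"version": "4.14.0"`, but this README ships with 5.1.0 and the version line in the first hunk says `v5.1.0 Enterprise`. Update the sample to the released version, or use a placeholder so the example stops going stale; operators who compare `/health` output against the docs to confirm a deployment will otherwise read a mismatch as a failed upgrade. The environment variable table above it is re-emitted with no visible content change apart from the separator row, which adds seven removed and seven added lines for reviewers to re-read; consider leaving the table untouched unless a value actually changes.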
@@ -214,226 +262,393 @@ Double-click `wordpress-mcp-server.mcpb` — Claude Desktop will prompt for:
214
262
 
215
263
  ---
216
264
 
217
- ## Available Tools (92)
218
-
219
- ### Content Management
220
-
221
- | Tool | Description |
222
- |---|---|
223
- | `wp_list_posts` | List posts with pagination, filtering by status/category/tag/author, and search |
224
- | `wp_get_post` | Get a post by ID with full content, meta fields, and taxonomy info |
225
- | `wp_create_post` | Create a post (defaults to draft). Supports HTML, categories, tags, featured image, meta |
226
- | `wp_update_post` | Update any post field. Only provided fields are modified |
227
- | `wp_delete_post` | Move to trash by default. Permanent deletion requires `force=true`. Returns confirmation token when `WP_CONFIRM_DESTRUCTIVE=true` |
228
- | `wp_search` | Full-text search across all content types |
229
- | `wp_list_pages` | List pages with hierarchy (parent/child), templates, and menu order |
230
- | `wp_get_page` | Get page content, template, and hierarchy info |
231
- | `wp_create_page` | Create a page with parent, template, and menu_order support |
232
- | `wp_update_page` | Update any page field |
233
-
234
- ### Media Library
235
-
236
- | Tool | Description |
237
- |---|---|
238
- | `wp_list_media` | Browse media with type filtering (image/video/audio/document) |
239
- | `wp_get_media` | Get URL, dimensions, alt text, caption, and all available sizes |
240
- | `wp_upload_media` | Upload a file from a public URL to the WordPress media library |
241
-
242
- ### Taxonomies & Structure
243
-
244
- | Tool | Description |
245
- |---|---|
246
- | `wp_list_categories` | List categories with hierarchy, post count, and descriptions |
247
- | `wp_list_tags` | List tags with post count |
248
- | `wp_create_taxonomy_term` | Create a new category or tag |
249
- | `wp_list_post_types` | Discover all registered post types (including custom ones) |
250
- | `wp_list_custom_posts` | List content from any custom post type (products, portfolio, events) |
251
-
252
- ### Engagement
265
+ ## Available Tools (175)
266
+
267
+ ### Content Management (12)
268
+
269
+ | Tool | Description |
270
+ |-------------------|------------------------------------------------------------------------------------------------|
271
+ | `wp_list_posts` | List posts with pagination, filtering by status/category/tag/author, and search |
272
+ | `wp_get_post` | Get a post by ID with full content, meta fields, and taxonomy info |
273
+ | `wp_create_post` | Create a post (defaults to draft). Supports HTML, categories, tags, featured image, meta |
274
+ | `wp_update_post` | Update any post field. Only provided fields are modified |
275
+ | `wp_delete_post` | Move to trash by default. Permanent deletion requires `force=true`. Confirmation token when `WP_CONFIRM_DESTRUCTIVE=true` |
276
+ | `wp_search` | Full-text search across all content types |
277
+ | `wp_list_pages` | List pages with hierarchy (parent/child), templates, and menu order |
278
+ | `wp_get_page` | Get page content, template, and hierarchy info |
279
+ | `wp_create_page` | Create a page with parent, template, and menu_order support |
280
+ | `wp_update_page` | Update any page field |
281
+ | `wp_validate_block_structure` | Validate Gutenberg block HTML before saving. Detects unclosed blocks, malformed JSON, invalid nesting, deprecated blocks |
282
+ | `wp_bulk_update` | Bulk update content across multiple posts/pages. Supports text replacement, meta updates, status changes, content append. Dry-run by default |
283
+
284
+ ### Media Library (3)
285
+
286
+ | Tool | Description |
287
+ |-------------------|--------------------------------------------------------------------------|
288
+ | `wp_list_media` | Browse media with type filtering (image/video/audio/document) |
289
+ | `wp_get_media` | Get URL, dimensions, alt text, caption, and all available sizes |
290
+ | `wp_upload_media` | Upload a file from a public URL to the WordPress media library |
291
+
292
+ ### Taxonomies & Structure (5)
293
+
294
+ | Tool | Description |
295
+ |--------------------------|----------------------------------------------------------------------|
296
+ | `wp_list_categories` | List categories with hierarchy, post count, and descriptions |
297
+ | `wp_list_tags` | List tags with post count |
298
+ | `wp_create_taxonomy_term`| Create a new category or tag |
299
+ | `wp_list_post_types` | Discover all registered post types (including custom ones) |
300
+ | `wp_list_custom_posts` | List content from any custom post type (products, portfolio, events) |
301
+
302
+ ### Engagement (2)
303
+
304
+ | Tool | Description |
305
+ |---------------------|--------------------------------------------------------|
306
+ | `wp_list_comments` | List comments with filtering by post, status, and author |
307
+ | `wp_create_comment` | Create a comment or reply on any post |
308
+
309
+ ### Users & Security (10)
310
+
311
+ > **New in v4.7.0** — Full user CRUD, role/capability inspection, password reset, and application password management.
312
+
313
+ | Tool | Description |
314
+ |-------------------------------------|--------------------------------------------------------------------------------------------|
315
+ | `wp_list_users` | List users with roles, search, pagination. Supports full/summary/ids_only modes |
316
+ | `wp_get_user` | Full user profile: login, email, role, meta, registration date, avatar |
317
+ | `wp_create_user` | Create user with username, email, password, role. Requires `confirm=true`. Write |
318
+ | `wp_update_user` | Update email, display_name, role, bio, meta. Write |
319
+ | `wp_delete_user` | Delete user with mandatory post reassignment. Requires `confirm=true`. Blocked by `WP_DISABLE_DELETE` |
320
+ | `wp_list_user_roles` | All available roles with their capabilities listed |
321
+ | `wp_get_user_capabilities` | Active capabilities for a specific user |
322
+ | `wp_reset_user_password` | Trigger password reset email. Requires mu-plugin companion. Write |
323
+ | `wp_list_user_application_passwords`| List app passwords with name, UUID, created date, last used. Read-only |
324
+ | `wp_revoke_application_password` | Revoke an application password by UUID. Write |
325
+
326
+ ### SEO Metadata (3)
327
+
328
+ Auto-detects Yoast, RankMath, SEOPress, AIOSEO.
329
+
330
+ | Tool | Description |
331
+ |---------------------|----------------------------------------------------------------------------------------------|
332
+ | `wp_get_seo_meta` | Read SEO title, description, focus keyword, canonical, robots, Open Graph |
333
+ | `wp_update_seo_meta`| Update SEO metadata with automatic plugin detection |
334
+ | `wp_audit_seo` | Bulk audit SEO across posts/pages with quality scoring (0-100) and missing fields detection |
335
+
336
+ ### SEO Audit Suite (10) — New in v4.0-v4.2
337
+
338
+ All read-only, always allowed regardless of governance flags.
339
+
340
+ | Tool | Description |
341
+ |-----------------------------------|------------------------------------------------------------------------------------------|
342
+ | `wp_audit_media_seo` | Audit media library for missing alt text, short alt text, and unoptimized filenames |
343
+ | `wp_find_orphan_pages` | Identify posts with no internal links pointing to them, sorted by word count |
344
+ | `wp_audit_heading_structure` | Analyze H1/H2/H3 hierarchy. Detects H1 in body, heading level skips, empty headings |
345
+ | `wp_find_thin_content` | Surface posts below configurable word count threshold with quality scoring |
346
+ | `wp_audit_canonicals` | Validate canonical URLs. Detects missing, mismatched, cross-domain. Multi-plugin support |
347
+ | `wp_analyze_eeat_signals` | E-E-A-T scoring per post (0-100): author bio, dates, citations, structured data |
348
+ | `wp_find_broken_internal_links` | HEAD request link checker. Detects 404s, redirects, timeouts. Configurable batch size |
349
+ | `wp_find_keyword_cannibalization` | Detect posts sharing the same focus keyword. Groups conflicts, flags weakest |
350
+ | `wp_audit_taxonomies` | Taxonomy bloat: unused terms, near-duplicates (Levenshtein), single-post terms |
351
+ | `wp_audit_outbound_links` | External link profile: low-authority domains, missing nofollow, broken URLs |
352
+
353
+ ### Schema.org Intelligence (7) — New in v4.9
354
+
355
+ Generation + injection + local validation end-to-end.
356
+
357
+ | Tool | Description |
358
+ |----------------------------------|--------------------------------------------------------------------------------------------|
359
+ | `wp_generate_schema_article` | Generates Article JSON-LD from post data with `_embed` for author and featured image |
360
+ | `wp_generate_schema_faq` | Detects Q&A from Gutenberg FAQ blocks, RankMath, AIOSEO, `<details>`, or H3+paragraph |
361
+ | `wp_generate_schema_howto` | Detects steps from ordered lists or numbered headings. Extracts totalTime, estimatedCost |
362
+ | `wp_generate_schema_localbusiness`| Pulls business data from ACF, Yoast Local SEO, or WP options |
363
+ | `wp_generate_schema_breadcrumb` | Rebuilds full breadcrumb hierarchy: Home > Category/Parent > Post |
364
+ | `wp_inject_schema` | Injects JSON-LD into `_custom_schema_jsonld` post meta. Supports `dry_run=true`. Requires mu-plugin |
365
+ | `wp_validate_schema_live` | Fetches live URL, extracts all JSON-LD blocks, validates structure and required fields |
366
+
367
+ ### Content Intelligence (16) — New in v4.4
368
+
369
+ All read-only, always allowed regardless of governance flags.
370
+
371
+ | Tool | Description |
372
+ |-------------------------------|------------------------------------------------------------------------------------------|
373
+ | `wp_get_content_brief` | Editorial brief aggregator: SEO + structure + links in 1 call |
374
+ | `wp_extract_post_outline` | H1-H6 outline extraction with category-level pattern analysis |
375
+ | `wp_audit_readability` | Bulk Flesch-Kincaid FR scoring with transition word and passive voice analysis |
376
+ | `wp_audit_update_frequency` | Outdated content detection cross-referenced with SEO scores |
377
+ | `wp_build_link_map` | Internal link matrix with simplified PageRank scoring (0-100) |
378
+ | `wp_audit_anchor_texts` | Anchor text diversity audit: generic, over-optimized, image link detection |
379
+ | `wp_audit_schema_markup` | JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness) |
380
+ | `wp_audit_content_structure` | Editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images |
381
+ | `wp_find_duplicate_content` | TF-IDF cosine similarity for near-duplicate detection with union-find clustering |
382
+ | `wp_find_content_gaps` | Taxonomy under-representation analysis (categories + tags) |
383
+ | `wp_extract_faq_blocks` | FAQ inventory: JSON-LD, Gutenberg blocks, HTML patterns |
384
+ | `wp_audit_cta_presence` | CTA detection (6 types) with scoring 0-100 |
385
+ | `wp_extract_entities` | Regex/heuristic named entity extraction (brands, locations, persons, organizations) |
386
+ | `wp_get_publishing_velocity` | Publication cadence by author/category with trend detection |
387
+ | `wp_compare_revisions_diff` | Textual diff between revisions with amplitude scoring |
388
+ | `wp_list_posts_by_word_count` | Posts sorted by length with 6-tier segmentation |
389
+
390
+ ### Editorial Intelligence (6) — New in v4.13
391
+
392
+ Batch processing up to 500 posts, reuses TF-IDF engine. All read-only.
393
+
394
+ | Tool | Description |
395
+ |----------------------------------|------------------------------------------------------------------------------------------|
396
+ | `wp_suggest_content_updates` | Finds stale posts needing updates. Prioritizes by age, outdated date references, thin content |
397
+ | `wp_audit_author_consistency` | Profiles each author: post count, avg word count, frequency, readability, media usage |
398
+ | `wp_build_editorial_calendar` | Analyzes 12 months of history for seasonality, best days, scheduled posts, gaps |
399
+ | `wp_find_pillar_content_gaps` | Identifies topics with 3+ posts without a dedicated pillar page |
400
+ | `wp_audit_internal_link_equity` | Builds link graph, identifies orphans, over-linked pages, equity distribution 0-100 |
401
+ | `wp_suggest_content_cluster` | Clusters content by TF-IDF + cosine similarity around a keyword or post_id seed |
402
+
403
+ ### Multilingual Intelligence EU (6) — New in v4.10
404
+
405
+ WPML · Polylang Pro · Polylang Free (hreflang fallback) · TranslatePress.
406
+
407
+ | Tool | Description |
408
+ |-----------------------------------|----------------------------------------------------------------------------------------|
409
+ | `wp_detect_multilingual_plugin` | Auto-detects WPML > Polylang Pro > Polylang Free > TranslatePress |
410
+ | `wp_list_languages` | Lists configured languages with code, name, locale, URL prefix, flag |
411
+ | `wp_get_post_translations` | Gets all translations with post IDs, titles, URLs, statuses, SEO meta per language |
412
+ | `wp_audit_translation_coverage` | Coverage percentages, missing counts, top 10 untranslated posts by word count |
413
+ | `wp_find_missing_seo_translations`| Finds translated posts missing SEO metadata (title, description, OG) |
414
+ | `wp_sync_seo_meta_translations` | Copies SEO meta from source to translations. `dry_run=true` by default. Write |
415
+
416
+ ### Performance & Core Web Vitals (6) — New in v4.9
417
+
418
+ | Tool | Description |
419
+ |--------------------------------------|----------------------------------------------------------------------------------------|
420
+ | `wp_audit_page_speed` | Google PageSpeed Insights: Core Web Vitals (LCP, CLS, INP, FCP, TTFB), score, opportunities. Requires `PAGESPEED_API_KEY` |
421
+ | `wp_find_render_blocking_resources` | Detects render-blocking `<link>` and `<script>` in `<head>` (excludes defer/async) |
422
+ | `wp_audit_image_optimization` | Media library audit: non-WebP, large files (>100KB), missing alt text |
423
+ | `wp_check_caching_status` | Detects caching plugins (WP Rocket, W3TC, LiteSpeed) and cache HTTP headers |
424
+ | `wp_audit_database_bloat` | Revisions, expired transients, auto-drafts, spam, orphan postmeta. Requires mu-plugin |
425
+ | `wp_get_plugin_performance_impact` | Ranks active plugins by estimated performance impact (~50 plugin database) |
426
+
427
+ ### Security Audit (6) — New in v4.11
428
+
429
+ All read-only. Optional `WPSCAN_API_KEY` for CVE data.
430
+
431
+ | Tool | Description |
432
+ |----------------------------------|------------------------------------------------------------------------------------------|
433
+ | `wp_audit_user_security` | Audits admin accounts: default usernames, inactive accounts, generic emails, missing 2FA |
434
+ | `wp_check_file_permissions` | Checks wp-config.php, .htaccess, uploads/ permissions. Requires mu-plugin |
435
+ | `wp_list_recently_modified_files`| Recently modified files with suspicious detection: PHP in uploads, hex filenames |
436
+ | `wp_audit_plugin_vulnerabilities`| Scans plugins against WPScan API. CVEs with CVSS scores. Without API key: version list |
437
+ | `wp_check_ssl_certificate` | TLS validation (expiry, issuer, SAN), security headers (HSTS, CSP). Grades A+ to F |
438
+ | `wp_audit_login_security` | Login security score /100: XML-RPC, user enumeration, 2FA, brute force protection |
439
+
440
+ ### Site Health & Diagnostics (8) — New in v4.7
441
+
442
+ `wp_get_debug_log` and `wp_get_active_hooks` require mu-plugin companion.
443
+
444
+ | Tool | Description |
445
+ |----------------------------|----------------------------------------------------------------------------------------|
446
+ | `wp_get_site_health_status`| Overall health score (good/recommended/critical) with issue counts by severity |
447
+ | `wp_list_site_health_issues`| All health issues with label, description, severity, and badge |
448
+ | `wp_get_site_health_info` | System info: PHP version, MySQL, memory limit, extensions, WP constants |
449
+ | `wp_get_debug_log` | Read last N lines of `debug.log` filtered by level. Max 500 lines. Requires mu-plugin |
450
+ | `wp_get_cron_events` | List all WP-Cron events with hook, schedule, next run, and overdue detection |
451
+ | `wp_get_transients` | List database transients with key, expiration, size. Filter by expired/active |
452
+ | `wp_check_php_compatibility`| Check each plugin's PHP version requirement vs current PHP |
453
+ | `wp_get_active_hooks` | Inventory of registered actions and filters with callbacks and priorities. Requires mu-plugin |
454
+
455
+ ### Full Site Editing — FSE (26) — New in v4.6
456
+
457
+ **Templates (5)** · **Template Parts (5)** · **Global Styles (3)** · **Block Patterns (4)** · **Navigation Menus (5)** · **Widgets (4)**
458
+
459
+ | Tool | Description |
460
+ |-----------------------------|--------------------------------------------------------------------------|
461
+ | `wp_list_templates` | List all block templates with filtering by post type |
462
+ | `wp_get_template` | Get a single block template by ID |
463
+ | `wp_create_template` | Create a new block template. Write |
464
+ | `wp_update_template` | Update an existing block template. Write |
465
+ | `wp_delete_template` | Delete a block template. Blocked by `WP_DISABLE_DELETE` |
466
+ | `wp_list_template_parts` | List template parts with area filtering (header/footer/general) |
467
+ | `wp_get_template_part` | Get a single template part by ID |
468
+ | `wp_create_template_part` | Create a new template part. Write |
469
+ | `wp_update_template_part` | Update an existing template part. Write |
470
+ | `wp_delete_template_part` | Delete a template part. Blocked by `WP_DISABLE_DELETE` |
471
+ | `wp_get_global_styles` | Get global styles (colors, typography, spacing) by post ID |
472
+ | `wp_update_global_styles` | Update global styles and settings. Write |
473
+ | `wp_get_global_styles_variations` | List available style variations for a theme |
474
+ | `wp_list_block_patterns` | List all registered block patterns |
475
+ | `wp_get_block_pattern` | Get a single block pattern by name |
476
+ | `wp_create_block_pattern` | Create a custom block pattern. Write |
477
+ | `wp_delete_block_pattern` | Delete a custom block pattern. Blocked by `WP_DISABLE_DELETE` |
478
+ | `wp_list_navigation_menus` | List navigation menus with search and status filtering |
479
+ | `wp_get_navigation_menu` | Get a single navigation menu with block content |
480
+ | `wp_create_navigation_menu` | Create a navigation menu. Write |
481
+ | `wp_update_navigation_menu` | Update a navigation menu. Write |
482
+ | `wp_delete_navigation_menu` | Delete a navigation menu. Blocked by `WP_DISABLE_DELETE` |
483
+ | `wp_list_widgets` | List all widgets with sidebar filtering |
484
+ | `wp_get_widget` | Get a single widget with instance settings and rendered output |
485
+ | `wp_update_widget` | Update widget settings or move to another sidebar. Write |
486
+ | `wp_delete_widget` | Delete a widget. Blocked by `WP_DISABLE_DELETE` |
487
+
488
+ ### Plugin Intelligence Layer (up to 7) — New in v4.5-v4.6
489
+
490
+ Activates only when plugin detected via REST namespace discovery. Disable all: `WP_DISABLE_PLUGIN_LAYERS=true`
491
+
492
+ **ACF (Advanced Custom Fields)** — requires `/acf/v3` namespace
493
+
494
+ | Tool | Description |
495
+ |----------------------|--------------------------------------------------------------------------|
496
+ | `acf_get_fields` | Get ACF custom fields for a post/page with key filtering and raw/compact/summary modes |
497
+ | `acf_list_field_groups` | List all configured ACF field groups |
498
+ | `acf_get_field_group`| Get full detail of an ACF field group by ID |
499
+ | `acf_update_fields` | Update ACF custom fields. Write — blocked by `WP_READ_ONLY` |
500
+
501
+ **Elementor** — requires `/elementor/v1` namespace
502
+
503
+ | Tool | Description |
504
+ |-----------------------------|------------------------------------------------------------------------|
505
+ | `elementor_list_templates` | List Elementor templates (page, section, block, popup) |
506
+ | `elementor_get_template` | Get full template content and elements. Context-guarded at 50k chars |
507
+ | `elementor_get_page_data` | Elementor editor data: widgets used, elements count |
508
+
509
+ ### Plugin Intelligence (6) — New in v4.5
510
+
511
+ Requires `WP_ENABLE_PLUGIN_INTELLIGENCE=true`. Read-only (except write modes noted).
512
+
513
+ | Tool | Description |
514
+ |---------------------------|------------------------------------------------------------------------------------------|
515
+ | `wp_get_rendered_head` | Fetch real `<head>` HTML via RankMath/Yoast headless endpoint. Compare rendered vs stored |
516
+ | `wp_audit_rendered_seo` | Bulk rendered-vs-stored SEO divergence detection with per-post scoring |
517
+ | `wp_get_pillar_content` | Read or set RankMath cornerstone/pillar flag. Write blocked by `WP_READ_ONLY` |
518
+ | `wp_audit_schema_plugins` | Validate JSON-LD from SEO plugin native fields (rank_math_schema or yoast_head_json) |
519
+ | `wp_get_seo_score` | Read RankMath native SEO score (0-100) with bulk mode distribution stats |
520
+ | `wp_get_twitter_meta` | Read/write Twitter Card meta for RankMath, Yoast, SEOPress. Write blocked by `WP_READ_ONLY` |
521
+
522
+ ### Plugins & Themes (5)
523
+
524
+ | Tool | Description |
525
+ |-----------------------|--------------------------------------------------------------------------------------|
526
+ | `wp_list_plugins` | List installed plugins with status, version, author. Requires `activate_plugins` |
527
+ | `wp_activate_plugin` | Activate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
528
+ | `wp_deactivate_plugin`| Deactivate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
529
+ | `wp_list_themes` | List installed themes with active theme detection |
530
+ | `wp_get_theme` | Get theme details by stylesheet slug |
531
+
532
+ ### Revisions (4)
533
+
534
+ | Tool | Description |
535
+ |----------------------|------------------------------------------------------------------------------------------|
536
+ | `wp_list_revisions` | List revisions of a post or page (metadata only) |
537
+ | `wp_get_revision` | Get a specific revision with full content |
538
+ | `wp_restore_revision`| Restore a post to a previous revision |
539
+ | `wp_delete_revision` | Permanently delete a revision. Blocked by `WP_READ_ONLY`, `WP_DISABLE_DELETE`, `WP_CONFIRM_DESTRUCTIVE` |
540
+
541
+ ### Editorial Workflow & Visual Staging (9) — v3.2 / v4.15 / v5.1
542
+
543
+ Requires `WP_REQUIRE_APPROVAL=true`.
544
+
545
+ | Tool | Description |
546
+ |------------------------|--------------------------------------------------------------------------|
547
+ | `wp_submit_for_review` | Transition a draft post to pending status (author action) |
548
+ | `wp_approve_post` | Transition a pending post to publish (editor/admin action) |
549
+ | `wp_reject_post` | Return a pending post to draft with a mandatory rejection reason |
550
+
551
+ **Visual Staging (5)** — New in v4.15. Requires `WP_VISUAL_STAGING=true` for interception.
253
552
 
254
553
  | Tool | Description |
255
- |---|---|
256
- | `wp_list_comments` | List comments with filtering by post, status, and author |
257
- | `wp_create_comment` | Create a comment or reply on any post |
258
- | `wp_list_users` | List users with roles (read-only) |
554
+ |------|-------------|
555
+ | `wp_create_staging_draft` | Clone a published page/post into a shadow draft for safe editing |
556
+ | `wp_list_staging_drafts` | List all pending staging drafts, optionally filtered by source |
557
+ | `wp_get_staging_preview_url` | Get native WordPress preview URL for a staging draft |
558
+ | `wp_merge_staging_to_live` | Merge validated staging draft content to the live page (two-step) |
559
+ | `wp_discard_staging_draft` | Permanently delete a staging draft without touching the live page |
259
560
 
260
- ### SEO Metadata
561
+ **Workflow Orchestrator (1)** — New in v5.1.
261
562
 
262
563
  | Tool | Description |
263
- |---|---|
264
- | `wp_get_seo_meta` | Read SEO title, description, focus keyword, canonical, robots, Open Graph. Auto-detects Yoast, RankMath, SEOPress, All in One SEO |
265
- | `wp_update_seo_meta` | Update SEO metadata with automatic plugin detection |
266
- | `wp_audit_seo` | Bulk audit SEO across posts/pages with quality scoring (0-100), missing fields detection, and length checks |
267
-
268
- SEO metadata updates are subject to the same enterprise controls and execution policies as all other write operations.
269
-
270
- ### SEO Audit Suite
271
-
272
- > **New in v4.0–v4.2** — Deep technical SEO analysis without requiring any WordPress plugin.
273
-
274
- | Tool | Description |
275
- |---|---|
276
- | `wp_audit_media_seo` | Audit media library for missing alt text, short alt text, and unoptimized filenames. Returns per-image scores and prioritized fix list |
277
- | `wp_find_orphan_pages` | Identify posts with no internal links pointing to them, sorted by word count. Configurable minimum word threshold and exclusion list |
278
- | `wp_audit_heading_structure` | Analyze H1/H2/H3 hierarchy in post content. Detects H1 in body, heading level skips, empty headings, focus keyword absent from H2 |
279
- | `wp_find_thin_content` | Surface posts below a configurable word count threshold. Scores content quality by word count, heading density, and paragraph structure |
280
- | `wp_audit_canonicals` | Validate canonical URLs across posts and pages. Detects missing canonicals, self-referencing mismatches, and cross-domain canonicals. Auto-detects RankMath/Yoast/SEOPress/AIOSEO |
281
- | `wp_analyze_eeat_signals` | Score E-E-A-T signals per post: author bio presence, publication/update dates, outbound citations, word count, structured data markers. Returns a 0-100 score with a breakdown by dimension |
282
- | `wp_find_broken_internal_links` | Check all internal links in a post via HEAD requests. Returns broken (4xx/5xx), redirected (3xx), and slow links. Configurable batch size and timeout |
283
- | `wp_find_keyword_cannibalization` | Detect posts sharing the same RankMath/Yoast/SEOPress/AIOSEO focus keyword. Groups conflicts by keyword and flags the weakest post by word count |
284
- | `wp_audit_taxonomies` | Identify taxonomy bloat: unused categories/tags, near-duplicate terms via Levenshtein distance, single-post terms, and over-tagged posts |
285
- | `wp_audit_outbound_links` | Analyze external link profile per post. Detects links to low-authority domains, missing rel="nofollow" on sponsored links, and broken external URLs |
286
-
287
- All SEO audit tools are read-only and always allowed regardless of governance flags.
564
+ |------|-------------|
565
+ | `wp_run_workflow` | Execute named or custom tool sequences in a single call. Built-in: seo_audit_and_stage, site_health_report, content_publish_safe, wc_product_audit |
288
566
 
289
- ### Content Intelligence
567
+ ### Internal Link Intelligence (2) — New in v3.3
290
568
 
291
- > **New in v4.4.0** — Deep content analysis and editorial intelligence without any WordPress plugin.
569
+ | Tool | Description |
570
+ |-----------------------------|----------------------------------------------------------------------------------------|
571
+ | `wp_analyze_links` | Audit all internal/external links in a post. HEAD verification per link |
572
+ | `wp_suggest_internal_links` | Semantic link suggestions scored by category, freshness, SEO keyword, title match |
292
573
 
293
- | Tool | Description |
294
- |---|---|
295
- | `wp_get_content_brief` | Editorial brief aggregator: SEO + structure + links in 1 call |
296
- | `wp_extract_post_outline` | H1-H6 outline extraction with category-level pattern analysis |
297
- | `wp_audit_readability` | Bulk Flesch-Kincaid FR scoring with transition word and passive voice analysis |
298
- | `wp_audit_update_frequency` | Outdated content detection cross-referenced with SEO scores |
299
- | `wp_build_link_map` | Internal link matrix with simplified PageRank scoring (0-100) |
300
- | `wp_audit_anchor_texts` | Anchor text diversity audit: generic, over-optimized, image link detection |
301
- | `wp_audit_schema_markup` | JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness) |
302
- | `wp_audit_content_structure` | Editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images |
303
- | `wp_find_duplicate_content` | TF-IDF cosine similarity for near-duplicate detection with union-find clustering |
304
- | `wp_find_content_gaps` | Taxonomy under-representation analysis (categories + tags) |
305
- | `wp_extract_faq_blocks` | FAQ inventory: JSON-LD, Gutenberg blocks, HTML patterns |
306
- | `wp_audit_cta_presence` | CTA detection (6 types) with scoring 0-100 |
307
- | `wp_extract_entities` | Regex/heuristic named entity extraction (brands, locations, persons, organizations) |
308
- | `wp_get_publishing_velocity` | Publication cadence by author/category with trend detection |
309
- | `wp_compare_revisions_diff` | Textual diff between revisions with amplitude scoring |
310
- | `wp_list_posts_by_word_count` | Posts sorted by length with 6-tier segmentation |
311
-
312
- All Content Intelligence tools are read-only and always allowed regardless of governance flags.
313
-
314
- ### Plugin Intelligence Layer
315
-
316
- > New in v4.6.0 — Extensible adapter architecture for third-party WordPress plugins. Adapters activate only when the plugin is detected via REST API namespace discovery.
317
-
318
- Disable all plugin tools: `WP_DISABLE_PLUGIN_LAYERS=true`
319
-
320
- **ACF (Advanced Custom Fields)**
574
+ ### WooCommerce Core (6) — New in v3.4
321
575
 
322
- | Tool | Description |
323
- |---|---|
324
- | `acf_get_fields` | Get ACF custom fields for a post/page with key filtering and raw/compact/summary modes |
325
- | `acf_list_field_groups` | List all configured ACF field groups |
326
- | `acf_get_field_group` | Get full detail of an ACF field group by ID |
327
- | `acf_update_fields` | Update ACF custom fields for a post/page. Write — blocked by `WP_READ_ONLY` |
576
+ Requires `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET`.
328
577
 
329
- Requires ACF Pro or ACF Free with REST API enabled (`/acf/v3` namespace).
578
+ | Tool | Description |
579
+ |---------------------|--------------------------------------------------------------------------------------|
580
+ | `wc_list_products` | List products with filtering by status, category, search, and sorting |
581
+ | `wc_get_product` | Get product by ID with full details and variations summary |
582
+ | `wc_list_orders` | List orders with filtering by status, customer, and date |
583
+ | `wc_get_order` | Get order by ID with line items, shipping, billing, and payment details |
584
+ | `wc_list_customers` | List customers with search and role filtering |
585
+ | `wc_price_guardrail`| Analyze a price change for safety (read-only). Returns safe/unsafe |
330
586
 
331
- **Elementor**
587
+ ### WooCommerce Intelligence (4) — New in v3.5
332
588
 
333
- | Tool | Description |
334
- |---|---|
335
- | `elementor_list_templates` | List Elementor templates (page, section, block, popup) with type filtering |
336
- | `elementor_get_template` | Get full Elementor template content and elements. Context-guarded at 50k chars |
337
- | `elementor_get_page_data` | Get Elementor editor data for a post/page: widgets used, elements count |
589
+ | Tool | Description |
590
+ |---------------------------|------------------------------------------------------------------------------------|
591
+ | `wc_inventory_alert` | Identify low-stock and out-of-stock products below threshold, sorted by urgency |
592
+ | `wc_order_intelligence` | Customer purchase history: lifetime value, average order, favourite products |
593
+ | `wc_seo_product_audit` | Audit product listings for SEO issues (descriptions, images, alt text, slugs) |
594
+ | `wc_suggest_product_links`| Suggest WooCommerce products to link from blog posts based on keyword relevance |
338
595
 
339
- Requires Elementor Free or Pro (`/elementor/v1` namespace).
596
+ ### WooCommerce Advanced Intelligence (7) — New in v4.12
340
597
 
341
- ### Plugins
598
+ All read-only.
342
599
 
343
- | Tool | Description |
344
- |---|---|
345
- | `wp_list_plugins` | List installed plugins with status, version, author. Requires Administrator (`activate_plugins` capability) |
346
- | `wp_activate_plugin` | Activate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
347
- | `wp_deactivate_plugin` | Deactivate a plugin. Blocked by `WP_READ_ONLY` and `WP_DISABLE_PLUGIN_MANAGEMENT` |
600
+ | Tool | Description |
601
+ |-------------------------------------|------------------------------------------------------------------------------------|
602
+ | `wc_audit_product_seo` | Product SEO score /100: title, description, slug, image alt, schema presence |
603
+ | `wc_find_abandoned_carts_pattern` | Abandoned cart patterns: hourly/daily trends, top products, revenue loss |
604
+ | `wc_audit_checkout_friction` | Checkout friction score 0-10: guest checkout, required fields, coupon, multi-step |
605
+ | `wc_get_product_performance` | Product metrics with trend comparison: units sold, revenue, refund rate |
606
+ | `wc_audit_stock_alerts` | Out-of-stock and low-stock audit with last sale dates. Includes variations |
607
+ | `wc_find_duplicate_products` | Duplicates by SKU, title/slug Levenshtein similarity. Union-find grouping |
608
+ | `wc_audit_pricing_consistency` | Pricing errors: sale >= regular, zero sale, minimal discounts, expired sales |
348
609
 
349
- ### Themes
610
+ ### WooCommerce Write (3) — New in v3.6
350
611
 
351
- | Tool | Description |
352
- |---|---|
353
- | `wp_list_themes` | List installed themes with active theme detection. Requires `switch_themes` capability |
354
- | `wp_get_theme` | Get theme details by stylesheet slug |
355
-
356
- ### Revisions
612
+ All blocked by `WP_READ_ONLY`.
357
613
 
358
- | Tool | Description |
359
- |---|---|
360
- | `wp_list_revisions` | List revisions of a post or page (metadata only) |
361
- | `wp_get_revision` | Get a specific revision with full content |
362
- | `wp_restore_revision` | Restore a post to a previous revision (plugin-free 2-step approach) |
363
- | `wp_delete_revision` | Permanently delete a revision. Blocked by `WP_READ_ONLY`, `WP_DISABLE_DELETE`, and `WP_CONFIRM_DESTRUCTIVE` |
614
+ | Tool | Description |
615
+ |-----------------------|--------------------------------------------------------------------------------------|
616
+ | `wc_update_product` | Update product fields. Subject to `wc_price_guardrail` threshold enforcement |
617
+ | `wc_update_stock` | Update stock quantity of a product or variation |
618
+ | `wc_update_order_status`| Transition order status (e.g., processing completed) |
364
619
 
365
- ### Editorial Workflow
620
+ ### Operations (3)
366
621
 
367
- > **New in v3.2.0** — Approval workflow for regulated content operations.
368
-
369
- | Tool | Description |
370
- |---|---|
371
- | `wp_submit_for_review` | Transition a draft post to pending status (author action). Blocked by `WP_READ_ONLY` |
372
- | `wp_approve_post` | Transition a pending post to publish (editor/admin action). Blocked by `WP_READ_ONLY` and `WP_DRAFT_ONLY` |
373
- | `wp_reject_post` | Return a pending post to draft with a mandatory rejection reason (editor/admin action). Blocked by `WP_READ_ONLY` |
374
-
375
- The approval workflow is enforced by `WP_REQUIRE_APPROVAL=true`, which blocks direct publish via `wp_update_post` and forces the draft → pending → publish path.
376
-
377
- ### Internal Link Intelligence
378
-
379
- > **New in v3.3.0** — Audit and improve internal linking without auto-insertion.
380
-
381
- | Tool | Description |
382
- |---|---|
383
- | `wp_analyze_links` | Audit all internal and external links in a post. HEAD request verification per link (broken/warning/unknown). Configurable max checks and timeout |
384
- | `wp_suggest_internal_links` | Semantic link suggestions scored by category match (+3), freshness (+3/2/1), SEO focus keyword match (+2), title match (+2). Excludes already-linked posts |
385
-
386
- Pre-flight linking workflow: `wp_suggest_internal_links` → user validates → `wp_update_post` (never auto-insert).
387
-
388
- ### WooCommerce
389
-
390
- > **New in v3.4.0–v3.6.0** — Full WooCommerce integration with read, intelligence, and write operations.
391
-
392
- Requires `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET` environment variables. Generate API keys at WooCommerce → Settings → Advanced → REST API.
393
-
394
- | Tool | Description |
395
- |---|---|
396
- | `wc_list_products` | List products with filtering by status, category, search, and sorting by price/popularity |
397
- | `wc_get_product` | Get a product by ID with full details. Includes variations summary for variable products |
398
- | `wc_list_orders` | List orders with filtering by status, customer, and date |
399
- | `wc_get_order` | Get an order by ID with line items, shipping, billing, and payment details |
400
- | `wc_list_customers` | List customers with search and role filtering |
401
- | `wc_get_customer` | Get a customer by ID with full profile, order history summary, and lifetime value |
402
- | `wc_list_coupons` | List coupons with filtering by type, expiry status, and usage |
403
- | `wc_get_coupon` | Get a coupon by ID with full discount rules and usage statistics |
404
- | `wc_sales_report` | Generate sales summary for a date range: revenue, orders, average order value, top products |
405
- | `wc_top_products` | Rank products by revenue, quantity sold, or order count for a given period |
406
- | `wc_price_guardrail` | Analyze a price change for safety (read-only). Returns safe/unsafe based on configurable threshold percentage |
407
- | `wc_update_product` | Update product fields (title, description, price, stock, status). Blocked by `WP_READ_ONLY` and subject to `wc_price_guardrail` thresholds |
408
- | `wc_update_order_status` | Transition order status (e.g., processing → completed). Blocked by `WP_READ_ONLY` |
409
-
410
- All WooCommerce write tools are blocked by `WP_READ_ONLY`. `wc_price_guardrail` is always allowed — it never modifies data.
411
-
412
- ### Operations
413
-
414
- | Tool | Description |
415
- |---|---|
416
- | `wp_set_target` | Switch active WordPress site in multi-target mode |
417
- | `wp_site_info` | Site info, current user, post types, enterprise controls, available targets, and `plugin_layer` (detected plugins, tools count) |
622
+ | Tool | Description |
623
+ |------------------------|--------------------------------------------------------------------------------------|
624
+ | `wp_set_target` | Switch active WordPress site in multi-target mode |
625
+ | `wp_site_info` | Site info, current user, post types, enterprise controls, tool_categories, plugin_layer |
626
+ | `wp_get_site_options` | Read WordPress site settings (title, tagline, language, timezone) via /wp/v2/settings |
418
627
 
419
628
  ---
420
629
 
421
630
  ## Enterprise Controls
422
631
 
423
- Configure execution policy via environment variables. All restrictions are enforced before any API call is made — including SEO metadata, plugin operations, and WooCommerce writes.
424
-
425
- | Control | Default | Effect |
426
- |---|---|---|
427
- | `WP_READ_ONLY` | `false` | Blocks all write operations (create, update, delete, upload, SEO updates, plugin management, WooCommerce writes) |
428
- | `WP_DRAFT_ONLY` | `false` | Restricts to draft and pending statuses only |
429
- | `WP_DISABLE_DELETE` | `false` | Blocks all delete operations (posts + revisions) |
430
- | `WP_DISABLE_PLUGIN_MANAGEMENT` | `false` | Blocks plugin activate/deactivate (list still allowed) |
431
- | `WP_REQUIRE_APPROVAL` | `false` | Blocks direct publish via `wp_update_post`. Forces draft → pending → publish approval workflow |
432
- | `WP_CONFIRM_DESTRUCTIVE` | `false` | Requires a token confirmation before `wp_delete_post` and `wp_delete_revision` execute |
433
- | `WP_ALLOWED_TYPES` | `all` | Restricts to specific post types (e.g., `post,page`) |
434
- | `WP_ALLOWED_STATUSES` | `all` | Restricts to specific statuses (e.g., `draft,pending`) |
435
- | `WP_MAX_CALLS_PER_MINUTE` | unlimited | Client-side rate limiting |
436
- | `WP_AUDIT_LOG` | `on` | Structured JSON audit trail |
632
+ Configure execution policy via environment variables. All restrictions are enforced before any API call is made.
633
+
634
+ | Control | Default | Effect |
635
+ |--------------------------------|-------------|--------------------------------------------------------------------------------|
636
+ | `WP_READ_ONLY` | `false` | Blocks all write operations |
637
+ | `WP_DRAFT_ONLY` | `false` | Restricts to draft and pending statuses only |
638
+ | `WP_DISABLE_DELETE` | `false` | Blocks all delete operations |
639
+ | `WP_DISABLE_PLUGIN_MANAGEMENT` | `false` | Blocks plugin activate/deactivate (list still allowed) |
640
+ | `WP_REQUIRE_APPROVAL` | `false` | Blocks direct publish. Forces draft → pending → publish workflow |
641
+ | `WP_CONFIRM_DESTRUCTIVE` | `false` | Requires token confirmation before delete operations |
642
+ | `WP_VISUAL_STAGING` | `false` | When true, direct edits to published pages are intercepted. AI must use staging workflow: `wp_create_staging_draft` → edit draft → `wp_merge_staging_to_live` |
643
+ | `WP_VALIDATE_BLOCKS` | `false` | When true, auto-validates Gutenberg block structure on `wp_update_post`/`wp_update_page`. Blocks update if errors found |
644
+ | `WP_ALLOWED_TYPES` | `all` | Restricts to specific post types (e.g., `post,page`) |
645
+ | `WP_ALLOWED_STATUSES` | `all` | Restricts to specific statuses (e.g., `draft,pending`) |
646
+ | `WP_MAX_CALLS_PER_MINUTE` | unlimited | Client-side rate limiting |
647
+ | `WP_AUDIT_LOG` | `on` | Structured JSON audit trail |
648
+ | `WP_COMPACT_JSON` | `true` | Compact JSON output (~30% token reduction). `false` for debugging |
649
+ | `WP_TOOL_CATEGORIES` | _(none)_ | Comma-separated categories to expose. Empty = all 173 tools. Always includes `core`. Categories: content · media · taxonomy · engagement · users · seo · schema · intelligence · editorial · fse · plugins · workflow · links · woocommerce · security · performance · health |
650
+ | `PAGESPEED_API_KEY` | _(none)_ | Google PageSpeed Insights API key. Optional — `wp_audit_page_speed` degrades gracefully |
651
+ | `WPSCAN_API_KEY` | _(none)_ | WPScan vulnerability database API key. Optional — free at wpscan.com/register |
437
652
 
438
653
  ### Destructive confirmation flow
439
654
 
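Review bot: The new `WP_CONFIRM_DESTRUCTIVE` row in the Enterprise Controls table ("Requires token confirmation before delete operations") no longer names the tools it covers, and the tool tables added in this hunk do not agree on it: `wp_delete_revision` lists `WP_READ_ONLY`, `WP_DISABLE_DELETE` and `WP_CONFIRM_DESTRUCTIVE`, `wp_delete_widget` lists only `WP_DISABLE_DELETE`, and `wp_discard_staging_draft` ("Permanently delete a staging draft") lists no control at all. The removed row named `wp_delete_post` and `wp_delete_revision` explicitly; keep an explicit list, or annotate every delete tool consistently, so an operator can tell which deletes actually need the token. The same loss of detail affects the editorial tools, whose "Blocked by `WP_READ_ONLY`" and `WP_DRAFT_ONLY` annotations are dropped. The sentence explaining that `WP_REQUIRE_APPROVAL=true` blocks direct publish via `wp_update_post` is also replaced by "Requires `WP_REQUIRE_APPROVAL=true`", which reads as a prerequisite for the tools rather than as the control that enforces the workflow. Minor: the `wc_update_order_status` example lost its arrow and now reads "processing completed".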
@@ -485,10 +700,108 @@ WC_CONSUMER_KEY=ck_xxx
485
700
  WC_CONSUMER_SECRET=cs_xxx
486
701
  ```
487
702
 
703
+ **Maximum safety** — all governance layers active:
704
+ ```env
705
+ WP_READ_ONLY=false
706
+ WP_REQUIRE_APPROVAL=true
707
+ WP_CONFIRM_DESTRUCTIVE=true
708
+ WP_VISUAL_STAGING=true
709
+ WP_VALIDATE_BLOCKS=true
710
+ ```
711
+
712
+ ### Context optimization profiles
713
+
714
+ Reduce ListTools from ~20k tokens to ~4-9k tokens by loading only the categories you need:
715
+
716
+ ```env
717
+ # SEO Agency — content + SEO focus (~32 tools, ~5k tokens)
718
+ WP_TOOL_CATEGORIES=seo,content,schema,editorial,intelligence
719
+
720
+ # E-commerce — WooCommerce focus (~40 tools, ~7k tokens)
721
+ WP_TOOL_CATEGORIES=woocommerce,seo,performance,content
722
+
723
+ # Content team — writing focus (~30 tools, ~5k tokens)
724
+ WP_TOOL_CATEGORIES=content,editorial,media,engagement,intelligence
725
+
726
+ # DevOps / Security audit (~25 tools, ~4k tokens)
727
+ WP_TOOL_CATEGORIES=security,health,performance,plugins
728
+
729
+ # Developer — FSE + plugins (~40 tools, ~7k tokens)
730
+ WP_TOOL_CATEGORIES=fse,plugins,content,users
731
+
732
+ # Full agency mode — all tools (default)
733
+ # WP_TOOL_CATEGORIES= (empty or unset)
734
+ ```
735
+
488
736
  Blocked actions return a clear error message explaining which control prevented execution, and are logged in the audit trail with status `blocked`.
489
737
 
490
738
  ---
491
739
 
740
+ ## MU-Plugin Companion
741
+
742
+ Some tools require the optional MCP Diagnostics companion mu-plugin to access data not available via the WordPress REST API.
743
+
744
+ ### Installation
745
+ ```bash
746
+ cp companion/mcp-diagnostics.php /path/to/wp-content/mu-plugins/
747
+ ```
748
+
749
+ ### Exposed endpoints
750
+
751
+ **Diagnostics** — require `manage_options`
752
+
753
+ | Endpoint | Method | Description |
754
+ |---------------------------------------------|--------|------------------------------------------|
755
+ | `/mcp-diagnostics/v1/debug-log` | GET | Last N lines of `debug.log` by level |
756
+ | `/mcp-diagnostics/v1/cron-events` | GET | All scheduled WP-Cron events |
757
+ | `/mcp-diagnostics/v1/transients` | GET | Database transients with expiration/size |
758
+ | `/mcp-diagnostics/v1/hooks` | GET | Registered actions and filters |
759
+
760
+ **Security** — require `manage_options`
761
+
762
+ | Endpoint | Method | Description |
763
+ |---------------------------------------------|--------|------------------------------------------|
764
+ | `/mcp-diagnostics/v1/user-activity` | GET | Admin last login timestamps |
765
+ | `/mcp-diagnostics/v1/file-permissions` | GET | Critical file permission checks |
766
+ | `/mcp-diagnostics/v1/modified-files` | GET | Recently modified file listing |
767
+
768
+ **Performance** — requires `manage_options`
769
+
770
+ | Endpoint | Method | Description |
771
+ |---------------------------------------------|--------|------------------------------------------|
772
+ | `/mcp-diagnostics/v1/database-bloat` | GET | Database bloat analysis |
773
+
774
+ **WooCommerce** — requires `manage_options`
775
+
776
+ | Endpoint | Method | Description |
777
+ |---------------------------------------------|--------|------------------------------------------|
778
+ | `/mcp-diagnostics/v1/wc-abandoned-carts` | GET | Abandoned cart data from available sources|
779
+
780
+ **Schema** — requires `edit_posts`
781
+
782
+ | Endpoint | Method | Description |
783
+ |---------------------------------------------|--------|------------------------------------------|
784
+ | `/mcp-diagnostics/v1/schema/{post_id}` | GET | Read `_custom_schema_jsonld` meta |
785
+ | `/mcp-diagnostics/v1/schema/{post_id}` | POST | Write schema meta. Blocked by `WP_READ_ONLY` |
786
+ | `/mcp-diagnostics/v1/schema/{post_id}` | DELETE | Remove schema meta. Blocked by `WP_READ_ONLY` |
787
+
788
+ **Polylang Free** — public (no auth required)
789
+
790
+ | Endpoint | Method | Description |
791
+ |------------------------------------------------------|--------|----------------------------------|
792
+ | `/mcp-diagnostics/v1/polylang/languages` | GET | Polylang languages list |
793
+ | `/mcp-diagnostics/v1/polylang/translations/{post_id}`| GET | Post translations by language |
794
+
795
+ **Users** — requires `manage_options`
796
+
797
+ | Endpoint | Method | Description |
798
+ |---------------------------------------------|--------|------------------------------------------|
799
+ | `/mcp-diagnostics/v1/password-reset` | POST | Trigger password reset email |
800
+
801
+ All endpoints require manage_options capability (Administrator) unless noted. No endpoint modifies data except POST `/schema/{post_id}` and POST `/password-reset` — both blocked when `WP_READ_ONLY=true`.
802
+
803
+ ---
804
+
492
805
  ## SEO Metadata
493
806
 
494
807
  The SEO tools auto-detect which SEO plugin is installed on your WordPress site and use the correct meta fields automatically.
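Review bot: The closing sentence of the MU-Plugin Companion section says no endpoint modifies data except POST `/schema/{post_id}` and POST `/password-reset`, but the Schema table in the same section lists DELETE `/schema/{post_id}` ("Remove schema meta"), which also modifies data; add it to that sentence. The sentence also says both POST endpoints are blocked when `WP_READ_ONLY=true`, yet the `/password-reset` row carries no such annotation. The section should state where that block is applied, because `WP_READ_ONLY` is described under Enterprise Controls as an environment variable enforced before the API call, while the only gate these tables give for the endpoints themselves is the capability (`manage_options`, `edit_posts`, or none for Polylang). Separately, the "Maximum safety" profile is captioned "all governance layers active" while it sets `WP_READ_ONLY=false` and leaves out `WP_DISABLE_DELETE`, `WP_DISABLE_PLUGIN_MANAGEMENT` and `WP_DRAFT_ONLY`; reword the caption or say why those are left off.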
@@ -504,14 +817,14 @@ Supported plugins:
504
817
 
505
818
  `wp_audit_seo` scores each post on a 100-point scale:
506
819
 
507
- | Check | Penalty |
508
- |---|---|
509
- | Missing SEO title | -30 |
510
- | SEO title too short (< 30 chars) or too long (> 60 chars) | -10 |
511
- | Missing meta description | -30 |
820
+ | Check | Penalty |
821
+ |--------------------------------------------------------------|---------|
822
+ | Missing SEO title | -30 |
823
+ | SEO title too short (< 30 chars) or too long (> 60 chars) | -10 |
824
+ | Missing meta description | -30 |
512
825
  | Meta description too short (< 120 chars) or too long (> 160 chars) | -10 |
513
- | Missing focus keyword | -20 |
514
- | Focus keyword not in SEO title | -10 |
826
+ | Missing focus keyword | -20 |
827
+ | Focus keyword not in SEO title | -10 |
515
828
 
516
829
  ### Exposing SEO Meta Fields (Required)
517
830
 
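Review bot: The unchanged row "Meta description too short (< 120 chars) or too long (> 160 chars)" is wider than the 62-dash separator introduced around it, so the scoring table is still misaligned in source after the realignment. Widen the separator to fit that row, or drop the padding, since the content of the other rows is unchanged.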
@@ -519,7 +832,7 @@ Most SEO plugins store their data in WordPress post meta fields that are not exp
519
832
 
520
833
  Add the following code to your theme's `functions.php` (Appearance → Theme File Editor → functions.php) or — preferably — create a custom mini-plugin (see below).
521
834
 
522
- > ⚠️ **Important:** When pasting code into `functions.php`, make sure the file starts with exactly `<?php` — no extra characters before it. A stray character (like `<<?php`) will break the WordPress REST API by injecting invalid output before JSON responses, causing `Unexpected token '<'` errors in MCP.
835
+ > **Important:** When pasting code into `functions.php`, make sure the file starts with exactly `<?php` — no extra characters before it. A stray character (like `<<?php`) will break the WordPress REST API by injecting invalid output before JSON responses, causing `Unexpected token '<'` errors in MCP.
523
836
 
524
837
  **RankMath:**
525
838
  ```php
@@ -708,13 +1021,13 @@ If you see your SEO fields in the `meta` object, the configuration is working.
708
1021
 
709
1022
  ### Troubleshooting SEO Fields
710
1023
 
711
- | Symptom | Cause | Fix |
712
- |---|---|---|
713
- | `wp_audit_seo` returns empty SEO data | Meta fields not exposed via REST API | Add `register_post_meta()` code above |
714
- | `Unexpected token '<'` on all MCP calls | Stray character before `<?php` in `functions.php` | Remove any characters before `<?php` |
715
- | SEO fields visible but all null | SEO plugin not yet configured on those posts | Set titles/descriptions in RankMath/Yoast editor |
716
- | No SEO plugin detected | Plugin constant not matched | Verify your SEO plugin is active |
717
- | Fields lost after theme update | Code was in `functions.php` | Use the MCP SEO Bridge plugin instead |
1024
+ | Symptom | Cause | Fix |
1025
+ |--------------------------------------|------------------------------------------|-------------------------------------------------|
1026
+ | `wp_audit_seo` returns empty SEO data | Meta fields not exposed via REST API | Add `register_post_meta()` code above |
1027
+ | `Unexpected token '<'` on all calls | Stray character before `<?php` | Remove any characters before `<?php` |
1028
+ | SEO fields visible but all null | SEO plugin not yet configured on posts | Set titles/descriptions in RankMath/Yoast editor|
1029
+ | No SEO plugin detected | Plugin constant not matched | Verify your SEO plugin is active |
1030
+ | Fields lost after theme update | Code was in `functions.php` | Use the MCP SEO Bridge plugin instead |
718
1031
 
719
1032
  ---
720
1033
 
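Review bot: The rewritten Cause cell for `Unexpected token '<'` drops "in `functions.php`", which was the part that told the reader which file to open, and the Symptom cell loses "MCP". Keep the file name in the cell, widening the column if needed, because the Fix text ("Remove any characters before `<?php`") does not say where to look either.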
@@ -743,57 +1056,74 @@ WC_PRICE_GUARDRAIL_THRESHOLD=20 # percentage — changes above this require ex
743
1056
 
744
1057
  ## Testing
745
1058
 
746
- 767 unit tests covering all 92 tools — zero network calls, fully mocked.
1059
+ 57 test files · 1061 unit tests covering all 173 tools — zero network calls, fully mocked.
1060
+
747
1061
  ```bash
748
1062
  npm test # run all tests (vitest)
749
1063
  npm run test:watch # watch mode
750
1064
  npm run test:coverage # coverage report
751
1065
  ```
752
1066
 
753
- | Test file | Scope | Tests |
754
- |---|---|---|
755
- | `governance.test.js` | All governance flags + combinations including `WP_REQUIRE_APPROVAL` and `WP_CONFIRM_DESTRUCTIVE` | 30 |
756
- | `posts.test.js` | list, get, create, update, delete, search | 18 |
757
- | `pages.test.js` | list, get, create, update | 12 |
758
- | `media.test.js` | list, get, upload | 14 |
759
- | `taxonomies.test.js` | categories, tags, create term | 16 |
760
- | `comments.test.js` | list, create | 12 |
761
- | `users.test.js` | list | 7 |
762
- | `search.test.js` | search, post types, custom posts | 10 |
763
- | `seo.test.js` | get, update, audit | 12 |
764
- | `plugins.test.js` | list, activate, deactivate | 16 |
765
- | `themes.test.js` | list, get | 8 |
766
- | `revisions.test.js` | list, get, restore, delete | 17 |
767
- | `editorial.test.js` | submit_for_review, approve, reject | 15 |
768
- | `links.test.js` | analyze_links, suggest_internal_links | 16 |
769
- | `woocommerce.test.js` | products, orders, customers, coupons, reports, write, guardrail | 40 |
770
- | `auditMediaSeo.test.js` | media alt text audit, filename scoring | 12 |
771
- | `findOrphanPages.test.js` | inbound link detection, exclusion list | 10 |
772
- | `auditHeadingStructure.test.js` | H1/H2/H3 hierarchy, level skips, keyword detection | 12 |
773
- | `findThinContent.test.js` | word count threshold, heading density | 10 |
774
- | `auditCanonicals.test.js` | canonical validation, mismatch detection, multi-plugin | 12 |
775
- | `analyzeEeatSignals.test.js` | E-E-A-T scoring, author bio, citations, structured data | 12 |
776
- | `findBrokenInternalLinks.test.js` | HEAD request batching, 4xx/3xx detection | 12 |
777
- | `findKeywordCannibalization.test.js` | focus keyword conflicts, multi-plugin detection | 10 |
778
- | `auditTaxonomies.test.js` | Levenshtein duplicates, unused terms, over-tagging | 12 |
779
- | `auditOutboundLinks.test.js` | external link profile, nofollow detection | 10 |
780
- | `contentAnalyzer.test.js` | readability, TF-IDF, cosine similarity, entities, text diff | 44 |
781
- | `contentIntelligence.test.js` | 16 content intelligence tools: brief, outline, readability, update frequency, link map, anchor texts, schema, structure, duplicates, gaps, FAQ, CTA, entities, velocity, revisions diff, word count | 125 |
782
- | `site.test.js` | site info, set target | 5 |
783
- | `transport/http.test.js` | HTTP transport, Bearer auth, sessions | 10 |
784
- | `pluginDetector.test.js` | SEO plugin detection, rendered head, HTML head parsing | 13 |
785
- | `pluginIntelligence.test.js` | 6 plugin intelligence tools: rendered head, rendered SEO audit, pillar content, schema plugins, SEO score, Twitter meta | 48 |
786
- | `dxt/manifest.test.js` | MCPB manifest validation, 86 tools declared | 10 |
787
- | `dynamicFiltering.test.js` | WooCommerce/editorial/plugin-intelligence filtering, combined counts, callable when filtered | 9 |
788
- | `outputCompression.test.js` | mode=full/summary/ids_only for 10 listing tools (pages, media, comments, categories, tags, users, custom posts, plugins, themes, revisions) | 30 |
789
- | `siteOptions.test.js` | wp_get_site_options: all options, key filtering, 403, audit log, not blocked by WP_READ_ONLY | 5 |
790
- | `plugins/registry.test.js` | PluginRegistry: ACF/Elementor detection, empty namespaces, WP_DISABLE_PLUGIN_LAYERS, getSummary | 6 |
791
- | `plugins/contextGuard.test.js` | applyContextGuard: under threshold, truncation, raw bypass, stderr log | 4 |
792
- | `plugins/iPluginAdapter.test.js` | validateAdapter: complete adapter, missing id, missing getTools | 3 |
793
- | `plugins/acf/acfAdapter.test.js` | ACF read tools: get fields, filter, contextGuard, 404, list groups, get group, audit log | 10 |
794
- | `plugins/acf/acfAdapter.write.test.js` | ACF write: update fields, WP_READ_ONLY blocking, validation, 404/403, audit log | 8 |
795
- | `plugins/elementor/elementorAdapter.test.js` | Elementor adapter: list/get templates, page data, contextGuard, validation, namespace detection, audit log | 10 |
796
- | `pluginLayer.test.js` | Plugin Layer integration: listTools, callTool routing, wp_site_info, WP_DISABLE_PLUGIN_LAYERS, no collisions | 8 |
1067
+ | Test file | Scope | Tests |
1068
+ |----------------------------------|------------------------------------------------------------------------------------------------|-------|
1069
+ | `governance.test.js` | All governance flags + combinations including `WP_REQUIRE_APPROVAL` and `WP_CONFIRM_DESTRUCTIVE` | 30 |
1070
+ | `posts.test.js` | list, get, create, update, delete, search | 18 |
1071
+ | `pages.test.js` | list, get, create, update | 12 |
1072
+ | `media.test.js` | list, get, upload | 14 |
1073
+ | `taxonomies.test.js` | categories, tags, create term | 16 |
1074
+ | `comments.test.js` | list, create | 12 |
1075
+ | `users.test.js` | list | 7 |
1076
+ | `users.crud.test.js` | get, create, update, delete, roles, capabilities, password reset, app passwords | — |
1077
+ | `search.test.js` | search, post types, custom posts | 10 |
1078
+ | `seo.test.js` | get, update, audit | 12 |
1079
+ | `plugins.test.js` | list, activate, deactivate | 16 |
1080
+ | `themes.test.js` | list, get | 8 |
1081
+ | `revisions.test.js` | list, get, restore, delete | 17 |
1082
+ | `editorial.test.js` | submit_for_review, approve, reject | 15 |
1083
+ | `links.test.js` | analyze_links, suggest_internal_links | 16 |
1084
+ | `woocommerce.test.js` | products, orders, customers, write, guardrail | 40 |
1085
+ | `woocommerce.advanced.test.js` | product SEO, abandoned carts, checkout friction, performance, stock, duplicates, pricing | 37 |
1086
+ | `auditMediaSeo.test.js` | media alt text audit, filename scoring | 12 |
1087
+ | `findOrphanPages.test.js` | inbound link detection, exclusion list | 10 |
1088
+ | `auditHeadingStructure.test.js` | H1/H2/H3 hierarchy, level skips, keyword detection | 12 |
1089
+ | `findThinContent.test.js` | word count threshold, heading density | 10 |
1090
+ | `auditCanonicals.test.js` | canonical validation, mismatch detection, multi-plugin | 12 |
1091
+ | `analyzeEeatSignals.test.js` | E-E-A-T scoring, author bio, citations, structured data | 12 |
1092
+ | `findBrokenInternalLinks.test.js`| HEAD request batching, 4xx/3xx detection | 12 |
1093
+ | `findKeywordCannibalization.test.js` | focus keyword conflicts, multi-plugin detection | 10 |
1094
+ | `auditTaxonomies.test.js` | Levenshtein duplicates, unused terms, over-tagging | 12 |
1095
+ | `auditOutboundLinks.test.js` | external link profile, nofollow detection | 10 |
1096
+ | `contentAnalyzer.test.js` | readability, TF-IDF, cosine similarity, entities, text diff | 44 |
1097
+ | `contentIntelligence.test.js` | 16 content intelligence tools | 125 |
1098
+ | `pluginIntelligence.test.js` | 6 plugin intelligence tools | 48 |
1099
+ | `editorialIntelligence.test.js` | 6 editorial intelligence tools | 37 |
1100
+ | `fse.test.js` | FSE templates, template parts, global styles, patterns, navigation, widgets | |
1101
+ | `diagnostics.test.js` | Site health, debug log, cron, transients, PHP compat, hooks | |
1102
+ | `performance.test.js` | Page speed, render blocking, image optimization, caching, database bloat, plugin impact | |
1103
+ | `schema.test.js` | Schema generation, injection, live validation | |
1104
+ | `multilingual.test.js` | Plugin detection, languages, translations, coverage, SEO translations | |
1105
+ | `security.test.js` | User security, file permissions, modified files, vulnerabilities, SSL, login security | 37 |
1106
+ | `dynamicFiltering.test.js` | WooCommerce/editorial/plugin-intelligence/category filtering, combined counts | 19 |
1107
+ | `outputCompression.test.js` | mode=full/summary/ids_only for 10 listing tools | 30 |
1108
+ | `site.test.js` | site info, set target | 5 |
1109
+ | `siteOptions.test.js` | wp_get_site_options: all options, key filtering, 403, audit log | 5 |
1110
+ | `destructive.test.js` | Destructive confirmation flow | 12 |
1111
+ | `helpers/pagination.test.js` | buildPaginationMeta: total_pages, has_more, next_page | 5 |
1112
+ | `transport/http.test.js` | HTTP transport, Bearer auth, sessions | 10 |
1113
+ | `pluginDetector.test.js` | SEO plugin detection, rendered head, HTML head parsing | 13 |
1114
+ | `dxt/manifest.test.js` | MCPB manifest validation | 10 |
1115
+ | `contentCompressor.test.js` | Content compression and field filtering | — |
1116
+ | `plugins/registry.test.js` | PluginRegistry: ACF/Elementor detection, WP_DISABLE_PLUGIN_LAYERS | 6 |
1117
+ | `plugins/contextGuard.test.js` | applyContextGuard: threshold, truncation, raw bypass | 4 |
1118
+ | `plugins/iPluginAdapter.test.js` | validateAdapter: complete adapter, missing fields | 3 |
1119
+ | `plugins/acf/acfAdapter.test.js` | ACF read tools: fields, filter, contextGuard, groups | 10 |
1120
+ | `plugins/acf/acfAdapter.write.test.js` | ACF write: update fields, WP_READ_ONLY blocking | 8 |
1121
+ | `plugins/elementor/elementorAdapter.test.js` | Elementor: templates, page data, contextGuard | 10 |
1122
+ | `pluginLayer.test.js` | Plugin Layer integration: listTools, callTool routing | 8 |
1123
+ | `perTargetControls.test.js` | Per-target governance controls | — |
1124
+ | `approval.test.js` | Approval workflow integration | — |
1125
+ | `woocommerceIntelligence.test.js` | WooCommerce intelligence tools | — |
1126
+ | `woocommerceWrite.test.js` | WooCommerce write tools | — |
797
1127
 
798
1128
  Each test verifies: success response shape, governance blocking (write tools), HTTP error handling (403/404), and audit log entries.
799
1129
 
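Review bot: The new summary line at README line 1059 ("57 test files · 1061 unit tests covering all 173 tools") disagrees with the changelog added in this same README, which gives 175 tools and ~1101 tests for v5.1.0 and 180 tools for v5.0.0; take the counts from one source, or generate this line at release time. In the table, `users.crud.test.js`, `perTargetControls.test.js`, `approval.test.js`, `woocommerceWrite.test.js` and several other new rows have "—" or an empty Tests cell. Those are the suites for password reset, application passwords, per-target governance and the approval workflow, so the closing claim that each test verifies governance blocking cannot be checked for them from this table. Fill in the counts or drop the column.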
@@ -802,9 +1132,10 @@ Each test verifies: success response shape, governance blocking (write tools), H
802
1132
  ## Structured Audit Log
803
1133
 
804
1134
  Every tool invocation is recorded as a JSON event on stderr — ready for ingestion into Datadog, Splunk, CloudWatch, Langfuse, ELK, or any JSON-compatible pipeline.
1135
+
805
1136
  ```json
806
1137
  {
807
- "timestamp": "2026-02-19T18:42:00.000Z",
1138
+ "timestamp": "2026-03-11T10:42:00.000Z",
808
1139
  "tool": "wp_create_post",
809
1140
  "target": 1234,
810
1141
  "target_type": "post",
@@ -817,20 +1148,20 @@ Every tool invocation is recorded as a JSON event on stderr — ready for ingest
817
1148
  }
818
1149
  ```
819
1150
 
820
- 79 instrumentation points across all tools. Three status types: `success`, `error`, `blocked`.
821
-
822
- | Field | Description |
823
- |---|---|
824
- | `timestamp` | ISO 8601 |
825
- | `tool` | Tool name invoked |
826
- | `target` | Resource ID when applicable |
827
- | `target_type` | Resource type (post, page, media, comment, category, tag, plugin, theme, revision, product, order, customer, coupon) |
828
- | `action` | Operation: list, read, create, update, trash, permanent_delete, upload, search, switch_target, read_seo, update_seo, audit_seo, activate, deactivate, restore, submit_review, approve, reject, analyze_links, suggest_links, guardrail, audit_media_seo, find_orphans, audit_headings, find_thin_content, audit_canonicals, analyze_eeat, find_broken_links, find_cannibalization, audit_taxonomies, audit_outbound_links, content_brief, extract_outline, audit_readability, audit_update_frequency, build_link_map, audit_anchor_texts, audit_schema, audit_content_structure, find_duplicates, find_content_gaps, extract_faq, audit_cta, extract_entities, publishing_velocity, compare_revisions, list_by_word_count |
829
- | `status` | `success`, `error`, or `blocked` |
830
- | `latency_ms` | Execution time |
831
- | `site` | Active target name |
832
- | `params` | Sanitized parameters (content fields truncated) |
833
- | `error` | Error detail or null |
1151
+ 79+ instrumentation points across all tools. Three status types: `success`, `error`, `blocked`.
1152
+
1153
+ | Field | Description |
1154
+ |---------------|------------------------------------------|
1155
+ | `timestamp` | ISO 8601 |
1156
+ | `tool` | Tool name invoked |
1157
+ | `target` | Resource ID when applicable |
1158
+ | `target_type` | Resource type |
1159
+ | `action` | Operation performed |
1160
+ | `status` | `success`, `error`, or `blocked` |
1161
+ | `latency_ms` | Execution time |
1162
+ | `site` | Active target name |
1163
+ | `params` | Sanitized parameters (content truncated) |
1164
+ | `error` | Error detail or null |
834
1165
 
835
1166
  ---
836
1167
 
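Review bot: In the field table, the `target_type` and `action` rows now say only "Resource type" and "Operation performed", and the enumerated values the removed rows listed (`permanent_delete`, `activate`, `guardrail` and the rest) are gone. For a log that the section advertises as ready for Datadog, Splunk or ELK, those values are the schema a parser or an alert on `blocked` events is written against. Keep the enumeration, or link to a generated reference that also covers any values emitted by the tools added since 4.6.0. "79+ instrumentation points" is also no longer a number a reader can check; give the real count or drop it.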
@@ -875,11 +1206,11 @@ Switch targets during a session with `wp_set_target`. All available sites and th
875
1206
 
876
1207
  The server performs a health check on startup: REST API connectivity, user authentication, and role verification. During operation: automatic retry with exponential backoff (configurable, default 3 attempts), request timeout (default 30s), rate limit handling (respects 429 + retry-after), and contextual error messages with diagnosis guidance.
877
1208
 
878
- | Setting | Default | Description |
879
- |---|---|---|
880
- | `WP_MCP_VERBOSE` | `false` | Debug-level logging |
881
- | `WP_MCP_TIMEOUT` | `30000` | Request timeout (ms) |
882
- | `WP_MCP_MAX_RETRIES` | `3` | Max retry attempts |
1209
+ | Setting | Default | Description |
1210
+ |----------------------|---------|----------------------------|
1211
+ | `WP_MCP_VERBOSE` | `false` | Debug-level logging |
1212
+ | `WP_MCP_TIMEOUT` | `30000` | Request timeout (ms) |
1213
+ | `WP_MCP_MAX_RETRIES` | `3` | Max retry attempts |
883
1214
 
884
1215
  ---
885
1216
 
@@ -890,7 +1221,7 @@ The server performs a health check on startup: REST API connectivity, user authe
890
1221
  - Credentials never logged — audit trail sanitizes all sensitive data
891
1222
  - No credentials in code — `.env` or environment variables only
892
1223
  - Instant revocation — Application Passwords can be revoked from WordPress admin
893
- - Traceable requests — custom `User-Agent: WordPress-MCP-Server/4.6.0`
1224
+ - Traceable requests — custom `User-Agent: WordPress-MCP-Server/4.14.0`
894
1225
  - Bearer token auth in HTTP mode — timing-safe comparison, no token in logs
895
1226
  - Origin validation in HTTP mode — anti-DNS-rebinding protection
896
1227
 
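Review bot: The "Traceable requests" bullet now documents `User-Agent: WordPress-MCP-Server/4.14.0`, but the changelog in this README tops out at v5.1.0, so the documented string is stale on release. Anyone filtering or correlating requests in WordPress access logs by this header needs the value the server actually sends. Write it as `WordPress-MCP-Server/<version>` with a sentence that it tracks the package version, or, if the code really does still send 4.14.0, fix the code rather than the README.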
@@ -898,33 +1229,39 @@ The server performs a health check on startup: REST API connectivity, user authe
898
1229
 
899
1230
  ## Troubleshooting
900
1231
 
901
- | Issue | Solution |
902
- |---|---|
903
- | `401 Unauthorized` | Verify username and Application Password |
904
- | `403 Forbidden` | Check WordPress user role and capabilities |
905
- | `404 Not Found` | Verify `WP_API_URL` and REST API availability |
906
- | `Unexpected token '<'` | Stray character before `<?php` in `functions.php` — see SEO Troubleshooting |
907
- | `Blocked: READ-ONLY mode` | Disable `WP_READ_ONLY` to allow writes |
908
- | `Blocked: DRAFT-ONLY mode` | Only draft/pending allowed. Check `WP_DRAFT_ONLY` |
909
- | `Blocked: PLUGIN MANAGEMENT` | Disable `WP_DISABLE_PLUGIN_MANAGEMENT` to allow activate/deactivate |
910
- | `Blocked: APPROVAL REQUIRED` | `WP_REQUIRE_APPROVAL=true` — use `wp_submit_for_review` then `wp_approve_post` |
911
- | Confirmation token required | `WP_CONFIRM_DESTRUCTIVE=true` — pass the returned token on a second call within 60s |
912
- | `401 Unauthorized (HTTP mode)` | Set `MCP_AUTH_TOKEN` and pass `Authorization: Bearer <token>` |
913
- | `403 Forbidden (HTTP mode)` | Check `MCP_ALLOWED_ORIGINS` includes your client origin |
914
- | WooCommerce 401 | Verify `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET` |
915
- | WooCommerce 403 | API key needs Read/Write permissions for write tools |
916
- | Rate limit exceeded | Adjust `WP_MAX_CALLS_PER_MINUTE` |
917
- | Timeout | Increase `WP_MCP_TIMEOUT` or check server |
918
- | Site not found | Verify site key in `WP_TARGETS_JSON` or file |
919
- | No SEO plugin detected | Install Yoast, RankMath, SEOPress, or AIOSEO |
920
- | SEO meta fields empty | Add `register_post_meta()` code or install MCP SEO Bridge plugin — see Exposing SEO Meta Fields |
921
- | `wp_find_broken_internal_links` slow | Reduce `batchSize` parameter or increase `timeoutMs` |
922
- | `wp_audit_outbound_links` empty | External HEAD requests blocked by your server firewall |
923
- | Server not starting | Check Node.js 18+ is installed: `node --version` |
1232
+ | Issue | Solution |
1233
+ |------------------------------------------|---------------------------------------------------------------------------------------|
1234
+ | `401 Unauthorized` | Verify username and Application Password |
1235
+ | `403 Forbidden` | Check WordPress user role and capabilities |
1236
+ | `404 Not Found` | Verify `WP_API_URL` and REST API availability |
1237
+ | `Unexpected token '<'` | Stray character before `<?php` in `functions.php` — see SEO Troubleshooting |
1238
+ | `Blocked: READ-ONLY mode` | Disable `WP_READ_ONLY` to allow writes |
1239
+ | `Blocked: DRAFT-ONLY mode` | Only draft/pending allowed. Check `WP_DRAFT_ONLY` |
1240
+ | `Blocked: PLUGIN MANAGEMENT` | Disable `WP_DISABLE_PLUGIN_MANAGEMENT` to allow activate/deactivate |
1241
+ | `Blocked: APPROVAL REQUIRED` | Use `wp_submit_for_review` then `wp_approve_post` |
1242
+ | Confirmation token required | `WP_CONFIRM_DESTRUCTIVE=true` — pass returned token within 60s |
1243
+ | `401 Unauthorized (HTTP mode)` | Set `MCP_AUTH_TOKEN` and pass `Authorization: Bearer <token>` |
1244
+ | `403 Forbidden (HTTP mode)` | Check `MCP_ALLOWED_ORIGINS` includes your client origin |
1245
+ | WooCommerce 401 | Verify `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET` |
1246
+ | WooCommerce 403 | API key needs Read/Write permissions for write tools |
1247
+ | Rate limit exceeded | Adjust `WP_MAX_CALLS_PER_MINUTE` |
1248
+ | Timeout | Increase `WP_MCP_TIMEOUT` or check server |
1249
+ | Site not found | Verify site key in `WP_TARGETS_JSON` or file |
1250
+ | No SEO plugin detected | Install Yoast, RankMath, SEOPress, or AIOSEO |
1251
+ | SEO meta fields empty | Add `register_post_meta()` code or install MCP SEO Bridge plugin |
1252
+ | `PAGESPEED_API_KEY` missing | `wp_audit_page_speed` returns partial data. Add key to .env |
1253
+ | `WPSCAN_API_KEY` missing | `wp_audit_plugin_vulnerabilities` lists plugins without CVEs. Set key for full scan |
1254
+ | mu-plugin not installed | Debug log / file permissions / abandoned carts return error. Copy `companion/mcp-diagnostics.php` to `mu-plugins/` |
1255
+ | No multilingual plugin | `wp_list_languages` returns site default only. Install WPML, Polylang, or TranslatePress |
1256
+ | `WP_TOOL_CATEGORIES` unknown category | Only core tools exposed. Check category names in README |
1257
+ | Schema not rendering in `<head>` | `wp_inject_schema` succeeded but schema not in output. Install mu-plugin companion |
1258
+ | `wp_find_broken_internal_links` slow | Reduce `batchSize` parameter or increase `timeoutMs` |
1259
+ | Server not starting | Check Node.js 18+ is installed: `node --version` |
924
1260
 
925
1261
  ---
926
1262
 
927
1263
  ## Development
1264
+
928
1265
  ```bash
929
1266
  # Clone the repository
930
1267
  git clone https://github.com/GeorgesAdSim/wordpress-mcp-server.git
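Review bot: The `WPSCAN_API_KEY` missing row says `wp_audit_plugin_vulnerabilities` "lists plugins without CVEs" when the key is absent, which a reader can take for a clean scan; the row should say how the tool's output marks the result as unscanned, and the same applies to the "partial data" wording on the `PAGESPEED_API_KEY` row. The `Blocked: APPROVAL REQUIRED` row drops `WP_REQUIRE_APPROVAL=true`, leaving it the only governance row that no longer names the flag causing the block; restore it. The mu-plugin row tells the user to copy `companion/mcp-diagnostics.php` into `mu-plugins/` to expose the debug log and file permissions but says nothing about which capability or authentication those endpoints require; add that, or point to where it is documented. The `wp_audit_outbound_links` empty row is removed without replacement; keep it if the tool still exists.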
@@ -963,227 +1300,242 @@ npx @modelcontextprotocol/inspector node index.js
963
1300
 
964
1301
  ## Changelog
965
1302
 
966
- ### v4.6.0 (2026-02-22) — Plugin Intelligence Layer
1303
+ ### v5.1.0 (2026-03-11) — Workflow Orchestrator
1304
+
1305
+ - `wp_run_workflow`: execute named or custom tool sequences in a single call
1306
+ - 4 built-in workflows: seo_audit_and_stage, site_health_report, content_publish_safe, wc_product_audit
1307
+ - Template variables: {{key}} resolved from context
1308
+ - dry_run mode: preview execution plan before running
1309
+ - stop_on_error control: abort or continue on step failure
1310
+ - 175 tools · ~1101 Vitest tests
1311
+
1312
+ ### v5.0.0 (2026-03-11) — Modular Architecture
1313
+
1314
+ - Refactored monolithic index.js (~9000 lines) into 18 tool modules + 4 shared modules
1315
+ - Zero functional changes — all 180 tools and 1093 tests unchanged
1316
+ - New structure: `src/tools/*.js` (18 category modules) + `src/shared/*.js` (context, utils, governance, api) + `src/plugins/registry.js`
1317
+ - `handleToolCall` reduced from ~8000-line switch/case to modular dispatch (~40 lines)
1318
+ - Foundation for `wp_run_workflow` (v5.1.0)
1319
+
1320
+ ### v4.20.0 (2026-03-11) — Block Validation
1321
+
1322
+ - `wp_validate_block_structure`: validate Gutenberg block HTML (unclosed blocks, malformed JSON, invalid nesting, deprecated blocks)
1323
+ - `WP_VALIDATE_BLOCKS`: optional guard on `wp_update_post`/`wp_update_page` — blocks save if invalid structure
1324
+ - 180 tools · ~1093 Vitest tests
1325
+
1326
+ ### v4.19.0 (2026-03-11) — Bulk Update
1327
+
1328
+ - `wp_bulk_update`: bulk update content across multiple posts/pages with dry-run safety
1329
+ - Supports: `replace_text`, `update_meta`, `update_status`, `append_content` operations
1330
+ - Two-step safety: `dry_run=true` (default) → preview, then `confirm=true` to execute
1331
+ - Batch processing with configurable `batch_size` and `limit` (max 500)
1332
+ - 179 tools · ~1084 Vitest tests
1333
+
1334
+ ### v4.15.0 (2026-03-11) — Visual Staging (5 tools)
1335
+
1336
+ - `wp_create_staging_draft`: clone live page to shadow draft
1337
+ - `wp_list_staging_drafts`: list all pending staging drafts
1338
+ - `wp_get_staging_preview_url`: native WordPress preview URL
1339
+ - `wp_merge_staging_to_live`: merge validated draft to production
1340
+ - `wp_discard_staging_draft`: discard without touching live page
1341
+ - `WP_VISUAL_STAGING`: automatic interception on `wp_update_post`/`wp_update_page`
1342
+ - Completes the enterprise governance triad
1343
+ - 178 tools · ~1076 Vitest tests
1344
+
1345
+ ### v4.14.0 (2026-03-11) — Editorial Intelligence Advanced
1346
+
1347
+ 6 new editorial analysis tools for content-driven teams. All read-only, batch-optimized up to 500 posts.
1348
+
1349
+ - `wp_suggest_content_updates` — stale content detection with outdated date references
1350
+ - `wp_audit_author_consistency` — author profiling with deviation analysis
1351
+ - `wp_build_editorial_calendar` — seasonality, best publishing days, gap detection
1352
+ - `wp_find_pillar_content_gaps` — topics with 3+ posts without pillar page
1353
+ - `wp_audit_internal_link_equity` — link graph with orphan/over-linked detection
1354
+ - `wp_suggest_content_cluster` — TF-IDF cosine similarity clustering
1355
+ - 1061 Vitest unit tests · 173 tools
1356
+
1357
+ ### v4.12.0 — WooCommerce Advanced Intelligence
1358
+
1359
+ 7 new WooCommerce analytics tools for agencies. All read-only.
1360
+
1361
+ - `wc_audit_product_seo` — product SEO scoring /100
1362
+ - `wc_find_abandoned_carts_pattern` — abandoned cart analysis (3 data source adapters)
1363
+ - `wc_audit_checkout_friction` — checkout friction scoring 0-10
1364
+ - `wc_get_product_performance` — product metrics with period comparison
1365
+ - `wc_audit_stock_alerts` — out-of-stock audit with variation support
1366
+ - `wc_find_duplicate_products` — duplicate detection by SKU and Levenshtein similarity
1367
+ - `wc_audit_pricing_consistency` — pricing error detection
1368
+
1369
+ ### v4.11.0 — Security Audit
1370
+
1371
+ 6 new security audit tools. All read-only.
1372
+
1373
+ - `wp_audit_user_security` — admin account risk assessment
1374
+ - `wp_check_file_permissions` — critical file permission checks
1375
+ - `wp_list_recently_modified_files` — suspicious file modification detection
1376
+ - `wp_audit_plugin_vulnerabilities` — WPScan CVE scanning
1377
+ - `wp_check_ssl_certificate` — TLS and security header grading
1378
+ - `wp_audit_login_security` — login security scoring /100
1379
+
1380
+ ### v4.10.0 — Multilingual Intelligence EU
1381
+
1382
+ 6 new multilingual tools. WPML, Polylang Pro, Polylang Free, TranslatePress.
1383
+
1384
+ - `wp_detect_multilingual_plugin` — auto-detection with priority fallback
1385
+ - `wp_list_languages` — language listing with post counts
1386
+ - `wp_get_post_translations` — translation mapping across all plugins
1387
+ - `wp_audit_translation_coverage` — coverage percentages and missing counts
1388
+ - `wp_find_missing_seo_translations` — SEO metadata gaps in translations
1389
+ - `wp_sync_seo_meta_translations` — cross-language SEO meta sync (dry_run default)
1390
+
1391
+ ### v4.9.0 — Schema.org Intelligence
1392
+
1393
+ 7 new schema tools: generation + injection + validation.
1394
+
1395
+ - `wp_generate_schema_article/faq/howto/localbusiness/breadcrumb` — 5 schema generators
1396
+ - `wp_inject_schema` — JSON-LD injection with dry_run support
1397
+ - `wp_validate_schema_live` — live URL validation against Google requirements
1398
+
1399
+ ### v4.8.0 — Performance & Core Web Vitals
1400
+
1401
+ 6 new performance tools + complete user management (10 tools).
967
1402
 
968
- Extensible adapter architecture for third-party WordPress plugins. Adapters activate only when their plugin is detected via REST API namespace discovery zero overhead when plugins are absent.
1403
+ - `wp_audit_page_speed`Google PageSpeed Insights integration
1404
+ - `wp_find_render_blocking_resources` — render-blocking detection
1405
+ - `wp_audit_image_optimization` — media optimization audit
1406
+ - `wp_check_caching_status` — caching plugin detection
1407
+ - `wp_audit_database_bloat` — database health analysis
1408
+ - `wp_get_plugin_performance_impact` — plugin performance ranking
1409
+ - User CRUD: `wp_get_user`, `wp_create_user`, `wp_update_user`, `wp_delete_user`
1410
+ - User security: `wp_list_user_roles`, `wp_get_user_capabilities`, `wp_reset_user_password`, `wp_list_user_application_passwords`, `wp_revoke_application_password`
969
1411
 
970
- **Architecture:**
971
- - `src/plugins/registry.js` — PluginRegistry with automatic plugin detection via REST namespaces. `WP_DISABLE_PLUGIN_LAYERS=true` disables all plugin tools
972
- - `src/plugins/contextGuard.js` — LLM context overflow protection: automatic truncation at 50k chars with truncation metadata
973
- - `src/plugins/IPluginAdapter.js` — Adapter contract interface: id, namespace, riskLevel, contextConfig, getTools, handleTool
974
- - `wp_site_info` now reports `plugin_layer` (detected plugins, available tools count)
1412
+ ### v4.7.0 — Site Health & Diagnostics + FSE
975
1413
 
976
- **ACF Adapter:**
977
- - `acf_get_fields` — ACF custom fields with key filtering, raw/compact/summary modes
978
- - `acf_list_field_groups` — all configured field groups
979
- - `acf_get_field_group` — field group detail by ID
980
- - `acf_update_fields` — update custom fields. Blocked by `WP_READ_ONLY`. riskLevel: "medium"
1414
+ 26 FSE tools + 8 diagnostics tools + companion mu-plugin.
981
1415
 
982
- **Elementor Adapter (read-only):**
983
- - `elementor_list_templates` templates with type filter (page/section/block/popup)
984
- - `elementor_get_template` full template content, context-guarded at 50k chars
985
- - `elementor_get_page_data` — widgets used, elements count, Elementor status per post
1416
+ - Full Site Editing: templates, template parts, global styles, block patterns, navigation menus, widgets
1417
+ - Site Health: status, issues, system info
1418
+ - Diagnostics: debug log, cron events, transients, PHP compatibility, active hooks
1419
+ - `companion/mcp-diagnostics.php` — mu-plugin for data not available via REST API
986
1420
 
987
- 767 Vitest unit tests · 92 tools
1421
+ ### v4.6.0 Plugin Intelligence Layer
988
1422
 
989
- ### v4.5.1 (2026-02-21) Context Optimization
1423
+ Extensible adapter architecture for third-party plugins.
990
1424
 
991
- LLM context reduction across all 85 tools — zero breaking changes.
1425
+ - `src/plugins/registry.js` PluginRegistry with REST namespace discovery
1426
+ - ACF adapter: `acf_get_fields`, `acf_list_field_groups`, `acf_get_field_group`, `acf_update_fields`
1427
+ - Elementor adapter: `elementor_list_templates`, `elementor_get_template`, `elementor_get_page_data`
1428
+ - `wp_site_info` reports `plugin_layer` (detected plugins, tools count)
992
1429
 
993
- **Dynamic filtering:**
994
- - `getFilteredTools()` hides WooCommerce (13), editorial (3), and plugin intelligence (6) tools when their env vars are absent
995
- - `listTools` returns only exposed tools; `callTool` still handles all 85
996
- - `wp_site_info` now reports `tools_total`, `tools_exposed`, `filtered_out`
1430
+ ### v4.5.1 — Context Optimization
997
1431
 
998
- **LLM-optimized descriptions:**
999
- - All 85 tool descriptions rewritten: `"Use when [TRIGGER]. [ACTION]. [Read-only | Write — blocked by X]. [Hint: optional]"`
1432
+ LLM context reduction across all tools — zero breaking changes.
1000
1433
 
1001
- **Schema compact:**
1002
- - Redundant `description` fields removed from `inputSchema` properties (id, per_page, page, status with enum, search, force, post_type with enum, etc.)
1434
+ - `WP_COMPACT_JSON` — compact JSON output (~30% token reduction)
1435
+ - `WP_TOOL_CATEGORIES` category-based tool filtering (18 categories)
1436
+ - Pagination `has_more` metadata on 10 listing tools
1437
+ - 53 property descriptions trimmed (~446 tokens saved)
1438
+ - `getFilteredTools()` — dynamic tool filtering by env vars
1003
1439
 
1004
- **Output compression (`mode` parameter):**
1005
- - 10 listing tools gain `mode` param: `full` (default), `summary` (key fields only), `ids_only` (flat array)
1006
- - wp_list_pages, wp_list_media, wp_list_comments, wp_list_categories, wp_list_tags, wp_list_users, wp_list_custom_posts, wp_list_plugins, wp_list_themes, wp_list_revisions
1440
+ ### v4.5.0 — Plugin Intelligence (RankMath + Yoast)
1007
1441
 
1008
- 713 Vitest unit tests · 85 tools
1442
+ 6 new tools exploiting native SEO plugin API endpoints.
1009
1443
 
1010
- ### v4.5.0 (2026-02-21) Plugin Intelligence (RankMath + Yoast)
1444
+ - `wp_get_rendered_head`rendered `<head>` fetching via RankMath/Yoast
1445
+ - `wp_audit_rendered_seo` — bulk rendered vs stored SEO comparison
1446
+ - `wp_get_pillar_content` — RankMath cornerstone flag
1447
+ - `wp_audit_schema_plugins` — JSON-LD validation from plugin fields
1448
+ - `wp_get_seo_score` — RankMath native SEO score
1449
+ - `wp_get_twitter_meta` — Twitter Card meta management
1011
1450
 
1012
- 6 new tools exploiting native RankMath and Yoast SEO API endpoints for rendered head analysis, schema validation, and social meta management.
1451
+ ### v4.4.0 Content Intelligence
1013
1452
 
1014
- **New shared module:**
1015
- - `src/pluginDetector.js` — SEO plugin auto-detection via REST API namespace discovery (cached), rendered head fetching, HTML head parsing
1453
+ 16 new read-only analysis tools.
1016
1454
 
1017
- **Rendered SEO Analysis:**
1018
- - `wp_get_rendered_head` fetch the real `<head>` HTML via RankMath `/rankmath/v1/getHead` or Yoast `/yoast/v1/get_head` endpoints, compare rendered vs stored meta
1019
- - `wp_audit_rendered_seo` bulk audit rendered vs stored SEO meta divergences with per-post scoring (title/description/canonical/robots/schema mismatches)
1455
+ - `src/contentAnalyzer.js` — shared engine: readability, TF-IDF, cosine similarity, entity extraction
1456
+ - Editorial: content brief, outline, readability, update frequency, link map, anchor texts
1457
+ - Technical: schema markup, content structure, duplicate detection, content gaps
1458
+ - Advanced: FAQ extraction, CTA detection, entity extraction, publishing velocity, revision diff, word count
1020
1459
 
1021
- **Plugin-Native Features:**
1022
- - `wp_get_pillar_content` — read/write RankMath `rank_math_pillar_content` cornerstone flag. Write mode blocked by `WP_READ_ONLY`
1023
- - `wp_audit_schema_plugins` — validate JSON-LD schemas from plugin native fields (`rank_math_schema` or Yoast `yoast_head_json`). Checks required fields per @type
1024
- - `wp_get_seo_score` — read RankMath native SEO score (0-100) with bulk mode distribution stats
1025
- - `wp_get_twitter_meta` — read/write Twitter Card meta (title, description, image) for RankMath, Yoast, and SEOPress. Write mode blocked by `WP_READ_ONLY`
1460
+ ### v4.2.0 — SEO Audit Suite (Sprint 3)
1026
1461
 
1027
- 674 Vitest unit tests · 85 tools
1462
+ - `wp_find_broken_internal_links`, `wp_find_keyword_cannibalization`, `wp_audit_taxonomies`, `wp_audit_outbound_links`
1028
1463
 
1029
- ### v4.4.0 (2026-02-21) Content Intelligence
1464
+ ### v4.1.0 — SEO Audit Suite (Sprint 2)
1030
1465
 
1031
- 16 new read-only analysis tools for deep content intelligence without any WordPress plugin.
1466
+ - `wp_find_thin_content`, `wp_audit_canonicals`, `wp_analyze_eeat_signals`
1032
1467
 
1033
- **Foundations:**
1034
- - `src/contentAnalyzer.js` — shared analysis engine: readability (Flesch-Kincaid FR), TF-IDF, cosine similarity, entity extraction, text diff, content structure detection
1035
- - `wp_get_content_brief` — editorial brief aggregator (SEO + structure + links in 1 call)
1036
- - `wp_extract_post_outline` — H1-H6 outline extraction with category-level pattern analysis
1468
+ ### v4.0.0 — SEO Audit Suite (Sprint 1)
1037
1469
 
1038
- **SEO Advanced:**
1039
- - `wp_audit_readability` — bulk Flesch-Kincaid FR scoring with transition word and passive voice analysis
1040
- - `wp_audit_update_frequency` — outdated content detection cross-referenced with SEO scores
1041
- - `wp_build_link_map` — internal link matrix with simplified PageRank scoring (0-100)
1470
+ - `wp_audit_media_seo`, `wp_find_orphan_pages`, `wp_audit_heading_structure`
1042
1471
 
1043
- **Technical Quality:**
1044
- - `wp_audit_anchor_texts` — anchor text diversity audit: generic, over-optimized, image link detection
1045
- - `wp_audit_schema_markup` — JSON-LD schema.org detection and validation (Article, FAQ, HowTo, LocalBusiness)
1046
- - `wp_audit_content_structure` — editorial structure scoring (0-100): intro, conclusion, FAQ, TOC, lists, images
1472
+ ### v3.6.0 — WooCommerce Write
1047
1473
 
1048
- **Intelligence Advanced:**
1049
- - `wp_find_duplicate_content` — TF-IDF cosine similarity for near-duplicate detection with union-find clustering
1050
- - `wp_find_content_gaps` — taxonomy under-representation analysis (categories + tags)
1051
- - `wp_extract_faq_blocks` — FAQ inventory: JSON-LD, Gutenberg blocks, HTML patterns
1052
- - `wp_audit_cta_presence` — CTA detection (6 types) with scoring 0-100
1053
- - `wp_extract_entities` — regex/heuristic named entity extraction (brands, locations, persons, organizations)
1054
- - `wp_get_publishing_velocity` — publication cadence by author/category with trend detection
1055
- - `wp_compare_revisions_diff` — textual diff between revisions with amplitude scoring
1056
- - `wp_list_posts_by_word_count` — posts sorted by length with 6-tier segmentation
1474
+ - `wc_update_product`, `wc_update_stock`, `wc_update_order_status`
1475
+ - `WC_PRICE_GUARDRAIL_THRESHOLD` — configurable price change safety
1057
1476
 
1058
- All Content Intelligence tools are read-only and always allowed regardless of governance flags.
1477
+ ### v3.5.0 WooCommerce Intelligence
1059
1478
 
1060
- 613 Vitest unit tests · 79 tools
1479
+ - `wc_inventory_alert`, `wc_order_intelligence`, `wc_seo_product_audit`, `wc_suggest_product_links`
1061
1480
 
1062
- ### v4.2.0 (2026-02-19) SEO Audit Suite (Sprint 3)
1481
+ ### v3.4.0 — WooCommerce Core
1063
1482
 
1064
- - `wp_find_broken_internal_links` HEAD request link checker with configurable batch size and timeout. Returns broken (4xx/5xx), redirected (3xx), and slow links
1065
- - `wp_find_keyword_cannibalization` — detect posts sharing the same focus keyword. Auto-detects RankMath/Yoast/SEOPress/AIOSEO. Groups conflicts by keyword, flags weakest post by word count
1066
- - `wp_audit_taxonomies` — taxonomy bloat detection: unused terms, near-duplicate detection via Levenshtein distance, single-post terms, over-tagged posts
1067
- - `wp_audit_outbound_links` — external link profile per post: low-authority domains, missing rel="nofollow", broken external URLs
1068
- - `src/htmlParser.js` — shared HTML parsing service (parseImagesFromHtml, extractHeadings, extractInternalLinks, countWords)
1069
- - 400 Vitest unit tests · 63 tools
1483
+ - `wc_list_products`, `wc_get_product`, `wc_list_orders`, `wc_get_order`, `wc_list_customers`, `wc_price_guardrail`
1070
1484
 
1071
- ### v4.1.0 (2026-02-19) SEO Audit Suite (Sprint 2)
1485
+ ### v3.3.0 — Internal Link Intelligence
1072
1486
 
1073
- - `wp_find_thin_content` — surface posts below configurable word count threshold. Scores content quality by word count, heading density, and paragraph structure
1074
- - `wp_audit_canonicals` — validate canonical URLs across posts and pages. Detects missing canonicals, self-referencing mismatches, cross-domain canonicals. Auto-detects RankMath/Yoast/SEOPress/AIOSEO
1075
- - `wp_analyze_eeat_signals` — E-E-A-T scoring per post (0-100): author bio presence, publication/update dates, outbound citations, word count, structured data markers
1076
- - 368 Vitest unit tests · 59 tools
1487
+ - `wp_analyze_links`, `wp_suggest_internal_links`
1488
+ - `src/linkUtils.js` — shared link utilities
1077
1489
 
1078
- ### v4.0.0 (2026-02-19) SEO Audit Suite (Sprint 1)
1490
+ ### v3.2.0 — Governance Workflows
1079
1491
 
1080
- - `wp_audit_media_seo` audit media library for missing alt text, short alt text, unoptimized filenames. Returns per-image scores and prioritized fix list
1081
- - `wp_find_orphan_pages` — identify posts with no internal links pointing to them, sorted by word count. Configurable minimum word threshold and exclusion list
1082
- - `wp_audit_heading_structure` — analyze H1/H2/H3 hierarchy in post content. Detects H1 in body, heading level skips, empty headings, focus keyword absent from H2
1083
- - All 10 SEO audit tools are read-only and always allowed regardless of governance flags
1084
- - 340 Vitest unit tests · 56 tools
1492
+ - Editorial approval: `wp_submit_for_review`, `wp_approve_post`, `wp_reject_post`
1493
+ - `WP_REQUIRE_APPROVAL`, `WP_CONFIRM_DESTRUCTIVE`
1494
+ - `src/confirmationToken.js` — stateless token system
1085
1495
 
1086
- ### v3.6.0 (2026-02-19) WooCommerce Write
1496
+ ### v3.1.0 — MCPB Bundle
1087
1497
 
1088
- - `wc_update_product` — update product fields (title, description, price, stock, status). Integrated with `wc_price_guardrail` threshold enforcement
1089
- - `wc_update_order_status` transition order status (e.g., processing → completed)
1090
- - `WC_PRICE_GUARDRAIL_THRESHOLD` — configurable price change safety threshold (default 20%)
1091
- - All WooCommerce write tools blocked by `WP_READ_ONLY`
1092
- - 305 Vitest unit tests · 53 tools
1498
+ - `dxt/manifest.json` — MCPB v0.3 spec
1499
+ - OS keychain credential storage
1093
1500
 
1094
- ### v3.5.0 (2026-02-19) WooCommerce Intelligence
1501
+ ### v3.0.0 — HTTP Streamable Transport
1095
1502
 
1096
- - `wc_get_customer` customer profile with order history summary and lifetime value
1097
- - `wc_list_coupons` / `wc_get_coupon` — coupon management with discount rules and usage stats
1098
- - `wc_sales_report` revenue, orders, and average order value for a date range
1099
- - `wc_top_products` — ranking by revenue, quantity sold, or order count
1100
- - 287 Vitest unit tests · 50 tools
1503
+ - HTTP transport (MCP spec 2025-03-26) via `MCP_TRANSPORT=http`
1504
+ - Bearer auth, session management, origin validation
1505
+ - Dual mode: stdio + HTTP simultaneously
1101
1506
 
1102
- ### v3.4.0 (2026-02-19) WooCommerce Core
1507
+ ### v2.2.0 — Enterprise Edition
1103
1508
 
1104
- - `wc_list_products` / `wc_get_product` product catalog with variation support
1105
- - `wc_list_orders` / `wc_get_order` — order management with full line item detail
1106
- - `wc_list_customers` — customer list with search and role filtering
1107
- - `wc_price_guardrail` — read-only price change safety analysis
1108
- - Requires `WC_CONSUMER_KEY` and `WC_CONSUMER_SECRET`
1109
- - 271 Vitest unit tests · 46 tools
1110
-
1111
- ### v3.3.0 (2026-02-19) — Internal Link Intelligence
1112
-
1113
- - `wp_analyze_links` — audit all internal/external links in a post. HEAD request verification per link (broken/warning/unknown). Max 20 checks, configurable timeout
1114
- - `wp_suggest_internal_links` — semantic link suggestions scored by category match (+3), freshness (+3/2/1), SEO focus keyword match (+2), title match (+2). Excludes already-linked posts
1115
- - `src/linkUtils.js` — 6 shared utilities: extractInternalLinks, extractExternalLinks, checkLinkStatus, extractFocusKeyword (auto-detects RankMath/Yoast/SEOPress/AIOSEO), calculateRelevanceScore, suggestAnchorText
1116
- - Pre-flight linking workflow: suggest → user validates → `wp_update_post` (never auto-insert)
1117
- - 253 Vitest unit tests · 40 tools
1118
-
1119
- ### v3.2.0 (2026-02-19) — Governance Workflows
1120
-
1121
- - Editorial approval workflow: `wp_submit_for_review` (draft → pending), `wp_approve_post` (pending → publish), `wp_reject_post` (pending → draft + mandatory reason)
1122
- - New governance flag: `WP_REQUIRE_APPROVAL` — blocks direct publish, forces approval workflow
1123
- - Two-step confirmation for destructive operations: `wp_delete_post` and `wp_delete_revision` return a stateless token (60s TTL, SHA-256) when `WP_CONFIRM_DESTRUCTIVE=true`
1124
- - New governance flag: `WP_CONFIRM_DESTRUCTIVE` — requires explicit token confirmation before any delete
1125
- - `src/confirmationToken.js` — stateless token system, zero persistence
1126
- - Governance priority: `WP_READ_ONLY` → `WP_DISABLE_DELETE` → `WP_CONFIRM_DESTRUCTIVE`
1127
- - 225 Vitest unit tests · 38 tools
1128
-
1129
- ### v3.1.0 (2026-02-19) — MCPB Bundle
1130
-
1131
- - `dxt/manifest.json` — MCPB v0.3 spec, 35 tools declared
1132
- - WordPress credentials stored in OS keychain (`sensitive: true`)
1133
- - `npm run build:mcpb` — build script for `.mcpb` distribution
1134
- - 10 new manifest validation tests (201 total)
1135
- - Published to npm: `npx -y @adsim/wordpress-mcp-server@3.1.0`
1136
-
1137
- ### v3.0.0 (2026-02-19) — HTTP Streamable Transport
1138
-
1139
- - HTTP Streamable transport (MCP spec 2025-03-26) via `MCP_TRANSPORT=http`
1140
- - Bearer token authentication with timing-safe comparison (`MCP_AUTH_TOKEN`)
1141
- - Session management via `Mcp-Session-Id` header (UUID v4)
1142
- - Origin header validation (anti-DNS-rebinding)
1143
- - Health endpoint `GET /health`
1144
- - Dual mode `MCP_DUAL_MODE=true` — stdio + HTTP simultaneously
1145
- - Graceful shutdown SIGTERM/SIGINT across both transports
1146
- - 10 new HTTP/auth unit tests (191 total)
1147
- - Published to npm: `@adsim/wordpress-mcp-server`
1148
-
1149
- ### v2.2.0 (2026-02-19) — Enterprise Edition
1150
-
1151
- - 9 new tools: plugins (list/activate/deactivate), themes (list/get), revisions (list/get/restore/delete)
1152
- - New governance flag: `WP_DISABLE_PLUGIN_MANAGEMENT`
1153
- - 171 Vitest unit tests covering all 35 tools (governance, success, 403/404, audit logs)
1154
- - GitHub Actions CI workflow
1155
- - Governance functions read env at call time for testability
1156
- - Exported `handleToolCall` for direct testing
1509
+ - Plugins (list/activate/deactivate), themes (list/get), revisions (list/get/restore/delete)
1510
+ - `WP_DISABLE_PLUGIN_MANAGEMENT`
1157
1511
 
1158
- ### v2.1.0 (2026-02-16)
1512
+ ### v2.1.0 — Enterprise Governance + Multi-Target
1159
1513
 
1160
- - Enterprise governance controls (read-only, draft-only, type/status allowlists)
1161
- - Structured JSON audit trail (27 instrumentation points)
1514
+ - Governance controls (read-only, draft-only, allowlists)
1515
+ - Structured JSON audit trail
1162
1516
  - Multi-target site management
1163
- - 27 MCP tools including pages CRUD, media upload, taxonomy creation, custom post types
1164
- - SEO auto-detection for 4 plugins (Yoast, RankMath, SEOPress, AIOSEO)
1165
- - Health checks, retry with backoff, rate limiting
1517
+ - SEO auto-detection for 4 plugins
1166
1518
 
1167
1519
  ### v1.0.0 (2025-10-17)
1168
1520
 
1169
- - Initial release — JavaScript, 5 tools (list, get, create, update, search posts)
1521
+ - Initial release — 5 tools (list, get, create, update, search posts)
1170
1522
 
1171
1523
  ---
1172
1524
 
1173
1525
  ## Roadmap
1174
1526
 
1175
- ### v4.7 — GSC Integration
1527
+ ### v4.14 — GSC Integration
1176
1528
  - `wp_get_gsc_performance` — Google Search Console API (clicks, impressions, position, CTR per URL)
1177
- - `wp_find_quick_win_keywords` — surface keywords ranking positions 1120 for targeted updates
1178
- - `wp_seo_content_decay` — cross-reference GSC traffic loss with content age to prioritize refresh candidates
1529
+ - `wp_find_quick_win_keywords` — surface keywords ranking positions 11-20
1530
+ - `wp_seo_content_decay` — cross-reference GSC traffic loss with content age
1179
1531
 
1180
- ### v4.8 — Redirect Intelligence
1181
- - `wp_create_redirect` — create 301 redirects via Redirection plugin or RankMath/Yoast Redirects. Auto-triggered governance hook when `wp_update_post` changes a slug
1532
+ ### v4.15 — Redirect Intelligence
1533
+ - `wp_create_redirect` — create 301 redirects via Redirection plugin or RankMath/Yoast
1182
1534
  - `wp_list_404_errors` — surface recent 404s from Redirection plugin log
1183
1535
 
1184
- ### v4.9OAuth & Registry
1185
- - OAuth 2.0 / JWT authentication
1186
- - MCP Registry submission
1536
+ ### v5.0Architecture Refactoring
1537
+ - Modular tool files (`src/tools/*.js`)
1538
+ - TypeScript migration
1187
1539
 
1188
1540
  ---
1189
1541
 
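Review bot: The condensed changelog entries for v3.0.0, v3.2.0 and v3.6.0 drop the security semantics that the removed lines documented, and nothing in this hunk shows where that information now lives. The removed text stated that `MCP_AUTH_TOKEN` is checked with a timing-safe comparison, that Origin validation exists to stop DNS rebinding, that delete confirmation tokens are stateless with a 60s TTL, that governance flags are evaluated in the order `WP_READ_ONLY` → `WP_DISABLE_DELETE` → `WP_CONFIRM_DESTRUCTIVE`, and that all WooCommerce write tools are blocked by `WP_READ_ONLY` with a default 20% price threshold. The new lines keep only "Bearer auth, session management, origin validation" and bare flag names. Suggest keeping at least the flag precedence line and the `WP_READ_ONLY` statement for the WooCommerce write tools, or pointing each entry at a section that still carries them, since operators configure against those details. Two smaller points: the v3.6.0 entry now lists `wc_update_stock`, which the removed entry did not mention, so confirm it shipped in that version; and the Roadmap no longer contains the "OAuth 2.0 / JWT authentication" item, so say whether it was delivered or dropped.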
@@ -1197,6 +1549,6 @@ MIT — see [LICENSE](LICENSE).
1197
1549
 
1198
1550
  ## Credits
1199
1551
 
1200
- Built by [AdSim](https://adsim.be) — Digital Marketing & AI Agency, Liège, Belgium.
1552
+ Built by [AdSim](https://adsim.be) — Digital Marketing & AI Agency, Liege, Belgium.
1201
1553
 
1202
1554
  Building the governance layer for Claude-powered WordPress infrastructure in regulated environments.
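Review bot: The Credits line changes "Liège" to "Liege", which reads like an encoding workaround rather than an intended edit. The same line keeps a non-ASCII dash, so the file is evidently still UTF-8; suggest restoring the accented spelling, and if something in the build or registry rendering mangles it, fixing that instead.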