Title: WEBO MCP
Author: phuongwebo
Published: <strong>April 24, 2026</strong>
Last modified: July 14, 2026

---

Search plugins

![](https://ps.w.org/webo-mcp/assets/icon-128x128.png?rev=3514777)

# WEBO MCP

 By [phuongwebo](https://profiles.wordpress.org/phuongwebo/)

[Download](https://downloads.wordpress.org/plugin/webo-mcp.2.6.15.zip)

 * [Details](https://scn.wordpress.org/plugins/webo-mcp/#description)
 * [Reviews](https://scn.wordpress.org/plugins/webo-mcp/#reviews)
 *  [Installation](https://scn.wordpress.org/plugins/webo-mcp/#installation)
 * [Development](https://scn.wordpress.org/plugins/webo-mcp/#developers)

 [Support](https://wordpress.org/support/plugin/webo-mcp/)

## Description

**WEBO MCP** is a WordPress MCP server — a complete **Model Context Protocol** gateway
for WordPress. It lets AI agents and MCP-compatible clients (Claude Desktop, Cursor,
Windsurf, n8n, and more) call well-defined tools over REST using JSON-RPC, instead
of scraping the admin or sharing broad credentials.

Official WEBO MCP website, documentation, and ecosystem hub: https://webomcp.com

**Why use WEBO MCP as your WordPress MCP server?**

 * **Token-optimized unified tools:** every domain exposes two abilities — `*-query`(
   all reads) and `*-mutate` (all writes) — with a single `action` discriminator.`
   tools/list` payload is up to 70% smaller than per-operation APIs, which means
   less of the model’s context window is consumed by tool schemas, lower cost per
   session, and fewer hallucinated tool names.
 * Primary router endpoint: `POST /wp-json/mcp/v1/router`
 * Standard MCP-style flow: `initialize`  `tools/list`  `tools/call`
 * Session lifecycle for clients (pass `session_id` or `Mcp-Session-Id` after `initialize`)
 * Built-in tool registry for common WordPress operations (posts, media, terms, 
   menus, options, and more)
 * Bundled Abilities API + MCP Adapter integration, with automatic bridging from
   registered abilities to MCP tools (configurable)
 * WordPress 7.0/Core-aware bridge mode that uses Core Abilities/API surfaces when
   available and falls back only when needed
 * Public tool policy controls (category filters and optional allowlists) plus optional
   internal tool exposure for private environments
 * Bounded MCP audit log, optional per-user/role/client tool allowlists, and a read-
   only administrator health/status tool

**Security model (high level)**

 * MCP access requires a real WordPress user context: Application Password over 
   HTTP Basic, or an existing logged-in session.
 * Optional site-wide or per-user API key and HMAC can be enabled in Settings as
   an additional gate (they do not replace WordPress authentication). Generate/rotate
   from Settings  Security; by default they are skipped for Application Password
   and Bearer clients unless you enable “Require for App Password / Bearer”. Do 
   not put the normal WEBO API key in URLs. For clients that cannot send headers,
   create a short-lived scoped `mcp_token` URL connector token in Settings -> WEBO
   MCP.
 * Default access expectations for the router and `GET /wp-json/webo-mcp/v1/tools`:
   users who are super admins, can `manage_options`, or can `edit_posts`, consistent
   with typical site operator and editor workflows (filterable).

**Client guidance**

Always discover tools before calling them: run `tools/list`, pick an exact tool 
name from the response, validate required arguments, then call `tools/call`. This
reduces mistakes and keeps automation predictable in production.

**Further documentation and optional integrations**

 * Official website, documentation, and ecosystem notes: https://webomcp.com
 * Optional n8n community node (separate package): https://www.npmjs.com/package/
   n8n-nodes-webo-mcp
 * Release notes and migration map: see docs/RELEASE_NOTES_2.1.0.md and docs/MIGRATION_GUIDE_2.1.0.
   md in the GitHub repository
 * Cross-addon dispatcher map (granular legacy names removed from discovery): docs/
   MCP_TOOL_MIGRATION.md

Compatibility note: any MCP-capable client can be used; which large language model
runs inside the client is outside this plugin.

Standalone core tools included:
 – Site info – Content (posts/pages): `webo/content-
query` (list, get, find-by-url, search-replace, list-revisions, get-revision; with
author/date/taxonomy filters) and `webo/content-mutate` (create, update, delete,
bulk-update-status, restore-revision, change-author) – Users: `webo/list-users` 
and `webo/user-mutate` (add-to-blog, set-role) – Media: `webo/media-query` (list
with search/MIME/post_id filters, get) and `webo/media-mutate` (upload, update, 
delete) – Comments: `webo/comment-query` (list, get) and `webo/comment-mutate` (
create, update, delete) – Taxonomy/Terms: `webo/taxonomy-query` (discover, list,
get) and `webo/taxonomy-mutate` (create, update, delete) – Nav menus: list menus,
list menu items (menu_order, db_id), add menu link from post (explicit post_id +
menu_order required) – Plugins: `webo/plugin-query` (installed, active, updates,…)
and `webo/plugin-mutate` (install, activate, deactivate; supports child-site `site_id`/`
blog_id` activation for network admins) – Health: `webo/health-status` (REST/router
status, Application Password support, permalinks, cron, object cache, plugin update
summary, WordPress/PHP versions, and redacted MCP config) – Client health: `webo/
client-health-report` (score 0–100, grade A–D, Markdown scoreboard for agency clients;
hybrid foundation for Pro collectors later) – 404 logs: `webo/get-404-logs` (read-
only Rank Math / Redirection 404 monitor: url, hits, accessed, referrer) – Abilities
bridge: `webo/ability-query` and `webo/ability-execute` in default layered mode.
Only abilities with `meta.mcp.public === true` are visible and executable through
WEBO MCP. – Themes: `webo/theme-query` (installed themes) and `webo/theme-mutate`(
install from WordPress.org by slug, switch installed theme) – Theme context: `webo/
theme-context` (active theme info, block editor settings, style presets, registered
blocks) – Block patterns: `webo/block-patterns` (list/get patterns, list/get synced
patterns) – Site stats: `webo/site-stats` (overview, post counts, comment counts,
user counts, media stats, activity summary) – Activity log: `webo/activity-log` (
list events, summary, clear) – User profile: `webo/user-profile` (get own profile,
update display name / bio / preferences) – Site settings: `webo/site-settings` (
get and update the 20 most common WordPress options via MCP) – Content search: `
webo/content-search` (full-text cross-post-type search with grouped results) – Menus:`
webo/menu-query`, `webo/menu-mutate` (navigation menu items; not post/CPT list order)–
Post/CPT order (optional): `webo/reorder-query`, `webo/reorder-mutate` when [Webo Reorder](https://github.com/mrphuong-webo/webo-reorder)
is active — see docs/abilities/reorder.md – Options: get/update (safe allowlist 
only), set site icon/favicon from media – SEO (WordPress post): seo/article-analysis—
requires post_id; merges Rank Math meta when available (same data path as webo-rank-
math/get-post-seo-meta); optional related-keyword suggestions via outbound request
unless no_autocomplete is true

Excluded by default in standalone-safe mode:
 – Bulk/mass execution tools – Plugin/
theme write-management abilities – Multisite-specific abilities

### Privacy

This plugin does not phone home or send telemetry. MCP traffic is initiated by clients
you configure. Some tools may perform outbound HTTP requests only when a client 
invokes them (for example seo/article-analysis may request keyword suggestions from
a third-party suggest API unless you pass no_autocomplete).

The plugin stores the following options in the WordPress database when configured:
–`
webo_mcp_api_key`: API key used to authenticate MCP requests. – `webo_mcp_hmac_secret`:
HMAC secret used to sign and validate MCP requests. – `webo_mcp_require_secondary_credentials`:
when enabled, also require API key/HMAC for Application Password and Bearer clients(
off by default so standard connectors are not blocked). – `webo_mcp_url_connector_tokens`:
hashed, expirable, revocable URL connector tokens for clients that cannot send headers.
Raw tokens are shown once and are not stored. – `webo_mcp_tool_allowlist_enabled`
and `webo_mcp_tool_allowlist_rules`: optional administrator-configured MCP tool 
allowlist policy. – `webo_mcp_audit_log_enabled`, `webo_mcp_audit_log_max_entries`,
and `webo_mcp_audit_log`: bounded MCP tool-call audit log settings and compact audit
events. Audit entries include user/tool/action/status data, anonymized IPs, and 
hashed session IDs; they do not store request payloads, API keys, HMAC secrets, 
or Application Passwords. – `webo_mcp_installed_at` and `webo_mcp_review_notice`:
local timestamps/state for an optional WordPress.org review request notice (not 
sent off-site; dismissible).

These options are removed when the plugin is uninstalled via the WordPress Plugins
screen.

### External services

This plugin can connect to Google Suggest (Autocomplete) when a client calls the`
seo/article-analysis` tool and does not set `no_autocomplete` to true. This external
request is used to return related keyword suggestions for SEO analysis.

Service provider: Google LLC (Google Suggest / Autocomplete API endpoint).

Data sent and when:
 – Sent only when `seo/article-analysis` is called with autocomplete
enabled. – Sends the analysis query text to `https://suggestqueries.google.com/complete/
search` as the `q` parameter. – Sends standard HTTP request metadata such as IP 
address and User-Agent as part of the web request.

Terms of Service: https://policies.google.com/terms
 Privacy Policy: https://policies.
google.com/privacy

### Developer Hooks

The plugin exposes the following actions and filters for developers:

### Actions

 * `webo_mcp_register_tools`
    Fired during plugin bootstrap after standalone tools
   are registered. Use this to register custom MCP tools from other plugins.

### Filters

 * `webo_mcp_current_user_can_use_mcp` (bool $allowed, int $user_id)
    Gate for all
   MCP REST access. Default: super admin OR `manage_options` OR `edit_posts`. Override
   to tighten (e.g. super-admin only) in hardened installs.
 * `webo_mcp_secondary_credentials_exempt` (bool $exempt, WP_REST_Request $request)
   
   When true, skip optional API key / HMAC after WordPress auth. Default true for
   Application Password (Basic) and Bearer sessions unless Settings  Security  “
   Require for App Password / Bearer” is enabled. Return false to always enforce`
   X-WEBO-*` headers.
 * `webo_mcp_allow_internal_tools` (bool $allow_internal, WP_REST_Request $request)
   
   Controls whether internal tools are included in tools/list responses. Defaults
   to false for public environments.
 * `webo_mcp_public_categories` (array $categories, WP_REST_Request $request, array
   $tool)
    Filters which tool categories are exposed as public. Defaults to array(‘
   wordpress’ ).
 * `webo_mcp_rate_limit_per_hour` (int $limit, string $client, array|null $profile)
   
   Adjust effective hourly limit (fallback for both buckets).
 * `webo_mcp_rate_limit_read_per_hour` / `webo_mcp_rate_limit_mutate_per_hour` (
   int $limit, string $client, array|null $profile)
    Per-bucket limits after admin/
   profile resolution.
 * `webo_mcp_tool_is_mutating` (bool $is_mutating, string $tool_name, array|null
   $tool_definition, array $arguments)
    Override mutating classification for rate
   limits and read-only profiles.
 * `webo_mcp_tool_arguments_allow_extra` (bool $allow, string $tool_name, array 
   $schema, array $arguments)
    When true, unknown tool argument keys are passed 
   through (default false).
 * `webo_mcp_disallow_url_token_query` (bool $disallowed)
    Block URL connector tokens
   in query strings (admin setting is the default source).
 * `webo_mcp_rest_bom_guard_json_api_requests` (bool $activate, string $uri_raw)
   
   Opt-in BOM sanitizer for all `/wp-json/` responses (default false; MCP routes
   only).
 * `webo_mcp_bridge_deny_patterns` (array $patterns)
    Controls which abilities are
   excluded when auto-bridging abilities into MCP tools (e.g. bulk, themes/, multisite/).
 * `webo_mcp_auto_bridge_abilities` (bool $enabled)
    Enables or disables automatic
   bridging of registered abilities into MCP tools. Defaults to true; bridge mode
   still controls whether the bridge is off, layered, or full.
 * `webo_mcp_bridge_mode` (string $mode)
    Controls Abilities bridge mode after the`
   WEBO_MCP_BRIDGE_MODE` constant and before the stored option. Values: `off`, `
   layered`, `full`. Default: `layered`.
 * `webo_mcp_enable_adapter` (bool $enabled)
    Enables or disables the bundled WordPress
   MCP Adapter runtime. Defaults to true.
 * `webo_mcp_validate_media_fetch_url` (true|\WP_Error $ok, string $url, array $
   parsed)
    Reject unsafe URLs for webo/media-mutate upload action (return WP_Error
   to block).
 * `webo_mcp_tool_allowlist_allowed` (bool $allowed, string $tool_name, WP_REST_Request
   $request, array $params, array $allowed_tools)
    Filters the optional per-user/
   role/client allowlist decision.

### Credits

Special thanks to the authors and open source projects that contributed to this 
plugin:
 – WordPress (https://wordpress.org) – Abilities API (https://github.com/
WordPress/abilities-api) Reference: https://make.wordpress.org/ai/2025/07/17/abilities-
api/ – MCP Adapter (https://github.com/WordPress/mcp-adapter) Reference: https://
make.wordpress.org/ai/2025/07/17/mcp-adapter/ – Composer (https://getcomposer.org)–
Other PHP and JS libraries from the community

If you use this plugin, please give credit to the authors of these libraries.

### License

This plugin is licensed under the GPLv2 or later.
 See https://www.gnu.org/licenses/
gpl-2.0.html for details.

## Installation

 1. Upload the plugin folder to /wp-content/plugins/webo-mcp
 2. Run composer install inside the plugin folder
 3. Activate the plugin in WordPress Admin
 4. Send JSON-RPC requests to POST /wp-json/mcp/v1/router

For release packaging, use scripts/build-release.ps1 to create a clean zip with .
distignore exclusions.

## FAQ

### Which endpoint should MCP clients use?

POST /wp-json/mcp/v1/router

### Where is the official website and the n8n package?

The project hub is https://webomcp.com. For n8n, install the community node from
npm: https://www.npmjs.com/package/n8n-nodes-webo-mcp

### Is webomcp.com the official WEBO MCP website?

Yes. The official WEBO MCP website, documentation hub, and ecosystem landing page
is https://webomcp.com.

### Can this run WordPress abilities by itself?

Yes. On WordPress versions where Core provides the Abilities API, WEBO MCP uses 
Core and does not load a duplicate bundled Abilities API. On older WordPress versions
it falls back to the bundled Composer package. The default bridge mode is `layered`,
which exposes compact `webo/ability-query` and `webo/ability-execute` tools instead
of one tool per ability. You can set bridge mode to `off`, `layered`, or `full` 
with `WEBO_MCP_BRIDGE_MODE`, the `webo_mcp_bridge_mode` filter, or the `webo_mcp_bridge_mode`
option.

### Which abilities are exposed through WEBO MCP?

Only abilities that explicitly set `meta.mcp.public` to true are exposed. Execution
also checks the ability permission callback, WEBO allowlist/policy, and scope/risk
metadata such as `meta.webo_mcp.scope` and `meta.webo_mcp.risk`.

### How do I migrate from legacy one-operation tool names?

Use `tools/list` to discover the dispatcher tool names on your site, then pass the
correct `action` (or query/mutate discriminant) for each operation. Use docs/MIGRATION_GUIDE_2.1.0.
md for the 2.1.0 rollout narrative and docs/MCP_TOOL_MIGRATION.md for a consolidated
addon-by-addon map (Rank Math, Rocket, WooCommerce groups, etc.).

### Can I expose internal tools?

Yes, via filter webo_mcp_allow_internal_tools in private environments.

### Can I limit public tools by category?

Yes, via filter webo_mcp_public_categories.

### Can I keep only WordPress.org-safe features?

Yes. Default bridge rules exclude patterns for bulk, themes, and multisite abilities.

### Is this plugin suitable for production?

Yes, when used with proper authentication, TLS, and a limited tool exposure policy.

### How do I authenticate MCP clients?

Use a WordPress **Application Password** (Users  Profile  Application Passwords)
and send it with HTTP Basic Auth (username = WordPress username, password = the 
application password). Optional **API Key** (`X-WEBO-API-KEY`) and **HMAC** (`X-
WEBO-TIMESTAMP` + `X-WEBO-SIGNATURE`) are managed under Settings  WEBO MCP  Security(
generate/rotate; secrets are shown once). By default those optional headers are **
not** required for Application Password or Bearer clients; enable “Require for App
Password / Bearer” if your client can send `X-WEBO-*` headers. HMAC signature: `
sha256=` + HMAC-SHA256( `timestamp + "." + raw_body`, secret ), skew ≤ 300s. If 
a client cannot send headers, create a short-lived scoped URL connector token and
pass it as `?mcp_token=...`; it is shown once, stored only as a hash, limited to
an explicit tool scope, expirable, and revocable.

### Does WEBO MCP reorder posts and pages?

Use **`webo/reorder-query`** and **`webo/reorder-mutate`** when the separate **Webo
Reorder** plugin is installed and active. Those tools control post `menu_order` 
and taxonomy-specific order — not navigation menus. For Appearance  Menus, use **`
webo/menu-query`** and **`webo/menu-mutate`**. See `docs/abilities/reorder.md` in
the plugin repository.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“WEBO MCP” is open source software. The following people have contributed to this
plugin.

Contributors

 *   [ phuongwebo ](https://profiles.wordpress.org/phuongwebo/)

[Translate “WEBO MCP” into your language.](https://translate.wordpress.org/projects/wp-plugins/webo-mcp)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/webo-mcp/), check out
the [SVN repository](https://plugins.svn.wordpress.org/webo-mcp/), or subscribe 
to the [development log](https://plugins.trac.wordpress.org/log/webo-mcp/) by [RSS](https://plugins.trac.wordpress.org/log/webo-mcp/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 2.6.15

 * Feature: `webo/site-settings` export actions — `export` (safe options table dump),`
   export-general`, and `export-all` (General/Reading/Writing/Discussion/Media/Permalinks/
   Privacy). Secrets and transients omitted.

#### 2.6.14

 * Fix: emit MCP `annotations.readOnlyHint` so ChatGPT can distinguish read vs write
   tools; make set-featured-image idempotent when thumbnail already set; honor site_id/
   blog_id; match agent allowlists across slash/underscore names.

#### 2.6.13

 * Fix: add discoverable `webo/set-featured-image` and steer media-query / content-
   mutate fallbacks when ChatGPT does not load `webo-content/set-featured-image`.

#### 2.6.12

 * Security: Generate / rotate / clear API Key and HMAC Secret without echoing stored
   secrets; HMAC client header guidance; optional enforce for Application Password
   and Bearer clients.
 * Fix: `webo/media-query` list/get returns `attachment_id`, `edit_url`, and `filename`
   for featured-image and mutate workflows.

#### 2.6.11

 * Added: gentle WordPress.org review request for administrators after 7 days (Plugins
   screen and WEBO MCP settings only; dismissible / snoozeable).

#### 2.6.10

 * Added: Website Health score (0–100) and letter grade A–D on `webo/security-audit`
   and `webo/client-health-report`, with a Markdown scoreboard for agency clients.
 * Note: hybrid foundation only — Cloudflare, Redis deep stats, backup age, PDF 
   export, and core checksums remain planned for WEBO MCP Pro.

#### 2.6.9

 * Added: read-only `webo/get-404-logs` to list URL, hits, last accessed time, and
   referrer from Rank Math 404 Monitor or the Redirection plugin (no wp-admin required).

#### 2.6.8

 * Added: `webo/user-mutate` with `add-to-blog` (multisite) and `set-role` actions
   for promoting existing users.
 * Added: `webo/content-mutate` action `change-author` to reassign post authors 
   with `edit_others_posts` checks.
 * Dev: unit coverage for user-mutate and change-author dry-run/execute paths.

#### 2.6.7

 * Fix: expose the new content-query list filters in the tool schema so App/connector
   calls keep `category`, `taxonomy`/`term`, `parent`, and `template` arguments 
   instead of stripping them.

#### 2.6.6

 * Added: `webo/content-query` list filters for `post_type` arrays, `category`, `
   taxonomy`/`term`, `parent`, and page `template` so AI clients can select service
   pages/posts before SEO batches.
 * Dev: add unit coverage for shorthand content query filters.

#### 2.6.5

 * Fix: centralize mutation write-mode parsing with `MutationGuard` so `dry_run=
   false`, `false`, `0`, and `"0"` execute instead of being forced back to previews.
 * Fix: `force=true` now confirms guarded operations only and no longer turns a 
   preview into a write by itself.
 * Dev: standard mutation responses include `ok`, `executed`, `dry_run`, and structured
   diff fields for safer AI client handling.

#### 2.6.4

 * Fix: map Rank Math, GSC/Search Console, SEO audit, and interlinking tool families
   to semantic SEO capabilities for AI workflow planning.
 * Fix: treat `seo.internal-links` as an optional SEO Autopilot capability so disabling
   an interlinks addon does not block core Rank Math/GSC dry-runs.
 * Readme: highlight the official WEBO MCP website at https://webomcp.com for WordPress.
   org visitors.

#### 2.6.3

 * Added: `webo/run-workflow` MCP tool so registered workflows can run from the 
   gate and create execution history records.
 * Added: workflow runner validation for availability, callable callbacks, and missing
   workflow ids.

#### 2.6.2

 * Added: execution history for workflow and AI runs, including caller, inputs, 
   changed posts, SEO/schema changes, submitted URLs, duration, status, and rollback
   checkpoint metadata.
 * Added: `webo/execution-history` tool with list, get, and rollback actions.
 * Added: SEO Autopilot run history with automatic checkpoints and rollback metadata.

#### 2.6.1

 * Fix: accept camelCase MCP arguments such as `dryRun` and `pluginFile` for snake_case
   tool schemas.
 * Fix: plugin manager now honors `dry_run=false` and string `"false"` when executing
   activate/deactivate mutations.

#### 2.6.0

 * Added: vNext capability registry, workflow registry, event bus, queue engine,
   checkpoint service, AI planner, recommendation engine, and plugin manager service.
 * Added: SEO Autopilot skeleton workflow with report-only, dry-run, and auto modes.
 * Added: SDK documentation and sample addon for capabilities, workflows, events,
   and queue integration.
 * Fix: keep `WEBOMCP_VERSION` in sync with the plugin header for accurate MCP initialize
   metadata.

#### 2.5.7

 * QA: add output contracts and multisite context coverage for MCP tools.
 * Fix: suppress multisite option DB errors in health scans.
 * Security: mask PII/secrets in comment spam analysis and audit/usage outputs.
 * Added: security audit checks for theme updates, common admin logins, and search
   visibility.

#### 2.5.6

 * Added: plugin conflict analysis, plugin health dry-run upgrades, security audit,
   multisite health, SEO cluster draft, task planning, comment moderation, CLI tool
   testing, and client health report tools.
 * Added: grouped audit and usage reporting by tool, user, client, and session.
 * Fix: normalize ability scope/risk metadata, hide broken abilities from discovery,
   and restore safe content-mutate dry-run defaults.

#### 2.5.5

 * Fix: Suppress WP 6.9 `_doing_it_wrong` notices when optional addon abilities (
   e.g. webo-ultimo/*) are not registered — use `wp_has_ability()` via `webo_mcp_get_ability()`.
 * Fix: Prime Abilities registry at `init:2` so `wp_abilities_api_init` runs before
   MCP tool registration.
 * Fix: Hide and block MCP tools whose `ability_name` is not registered.

#### 2.5.4

 * Fix: ChatGPT upload tools return structured `{ ok, attachment_id, url, edit_url}`
   success and `{ ok, error_code, debug }` errors.
 * Fix: `webo-media/upload-chatgpt-file` declares `openai/fileParams` on `file_path`
   and accepts plain file objects without client-side ValueError.
 * Added: `webo-media/upload-chatgpt-file-id` for direct `file_id` + optional `download_url`
   uploads.
 * Added: `file_id` and `download_url` top-level args on `webo-media/upload-file`.

#### 2.5.3

 * Added: `webo-media/upload-chatgpt-file` helper tool for direct ChatGPT `{ download_url,
   file_id }` uploads.
 * Fix: `webo-media/upload-file` detects unre rewritten `/mnt/data/` paths and prefers
   rewritten file objects from `file` or `file_path`.

#### 2.5.2

 * Fix: `webo-media/upload-file` accepts `file_path` as a string sandbox path (openai/
   fileParams rewrite) and `file` as a connector payload object with download_url/
   file_id.

#### 2.5.1

 * Fix: `webo-media/upload-file` declares `openai/fileParams` for ChatGPT sandbox
   file rewrite and accepts mounted `file` references via `download_url`.
 * MCP: expose tool `_meta` and OpenAI file object schemas in `tools/list` for connector
   file bridge compatibility.

#### 2.5.0

 * Added: `webo-media/upload-file` public write tool for ChatGPT sandbox/local file
   uploads via `file_data` (base64), `file_path`, or `file_id`.
 * Added: `webo-content/publish-post` public write tool to publish a post and return
   its permalink.
 * Updated: `webo-content/set-featured-image` now returns `updated: true` for the
   media bridge workflow.

#### 2.4.9

 * Added: `webo-media/upload` public write tool for media uploads from base64/data-
   URI/file URL payloads with optional title, alt, and caption.
 * Added: `webo-content/set-featured-image` public write tool to set a post featured
   image and return `featured_image_url`.

#### 2.4.8

 * Release: publish the latest direct content creation tools and router/policy compatibility
   fixes to WordPress.org SVN.

#### 2.4.7

 * Added: `webo-content/create-post` and `webo-content/update-post-status` public
   write tools for direct ChatGPT draft creation and status updates.
 * Metadata: update WEBO MCP website and author links to https://webomcp.com for
   the WordPress.org release.

#### 2.4.6

 * Fix: `webo/content-mutate` no longer defaults create/update and other direct 
   write actions to dry-run preview mode; explicit `dry_run:true` still previews
   those actions, while `search-replace` keeps its safe preview-by-default behavior.

#### 2.4.5

 * Bridge: expose public plugin-prefixed abilities in `webo/ability-query` and full
   bridge discovery (removed default `plugins/` deny pattern).
 * New: hub connector pairing endpoints and shared-secret authentication flow (`/
   wp-json/webo-mcp/v1/health`, `/pair`, `/disconnect`) for WEBO MCP Hub integration.

#### 2.4.4

 * Admin: redesigned WEBO MCP settings UI — dashboard stat tiles, card layout, copy-
   to-clipboard fields, and Logs & Usage tab with LLM metering controls.

#### 2.4.3

 * New: hybrid LLM usage metering (report-only, no quotas). Prefers client-reported`
   params._meta.llm_usage`; falls back to MCP payload byte estimate (~4 bytes/token).
 * New: `webo/usage-stats` tool — summary, recent, session, task, record, clear.
 * New: `notifications/usage` JSON-RPC method for explicit client usage reports 
   without a tools/call.

#### 2.4.1

 * Fix: keep `update` in content-query schema so read-tool write guard returns explicit
   error (args were stripped before handler).

#### 2.4.0

 * Performance: `webo/content-query` get/find-by-url/find-by-slug omit `content`
   and `excerpt` unless `include_content:true` or `include_excerpt:true` — smaller
   MCP payloads for AI agents.
 * New: `webo/plugin-mutate` action `upgrade` — update installed plugins from WordPress.
   org (transient or optional `version`).

#### 2.3.7

 * Security: `webo/content-query` find-by-url is read-only; reject `update` payload
   with clear error (use `webo/content-mutate`).

#### 2.3.6

 * Consistency: unified tool responses (`webo/content-query`, `webo/content-mutate`,`
   webo/menu-*`, `webo/theme-*`) now set `tool` and `action` to the MCP tool name
   instead of legacy per-operation names.
 * Requirement: minimum PHP raised to 8.0 (plugin header and readme).

#### 2.3.5

 * Security: separate read vs mutate rate limits (Settings  Security); agent profiles
   support read_only, max_read_calls_per_hour, max_mutate_calls_per_hour.
 * Security: read-only agent profiles block mutating tools and write-scoped abilities.
 * Security: media upload-from-URL rejects disallowed Content-Type (e.g. text/html).
 * Settings: expanded Security tab guidance for API key, HMAC, URL tokens, and MCP
   access filter.

#### 2.3.4

 * Performance: `webo/site-stats` media action skips upload dir scan unless `include_disk_size:
   true` (1h transient cache when enabled).
 * Performance: invalidate `tools/list` cache when bridge mode or allowlist settings
   change.
 * Maintenance: weekly cron prunes expired MCP session transients.

#### 2.3.3

 * Security: admin-configurable MCP tools/call rate limit (Settings  Security); 
   agent profiles still override per client.
 * Security: MCP sessions are bound to the WordPress user that created them on initialize.
 * Security: tool arguments are stripped to schema keys by default (filter `webo_mcp_tool_arguments_allow_extra`
   to opt in).
 * Security: `webo/ability-execute` requires `edit_posts`; media upload-from-URL
   no longer follows HTTP redirects (SSRF hardening).
 * Security: optional disallow `?mcp_token=` query auth; optional audit webhook 
   host allowlist.
 * Performance: short-lived `tools/list` cache per user/policy; audit log batches
   option writes per request.
 * Fix: checkpoint create returns admin edit URL instead of public permalink; REST
   BOM guard defaults to MCP routes only.

#### 2.3.2

 * Claude Desktop / MCP SDK: SSE keepalive on `GET /wp-json/mcp/v1/router` (and 
   adapter SSE routes) so supergateway and Claude Desktop no longer drop the transport;
   sessionless GET returns 405 instead of 400.
 * Claude Desktop / MCP SDK: `initialize` returns capability objects, sets `Mcp-
   Session-Id`, and `tools/list` includes `inputSchema`; `tools/call` wraps results
   in the standard MCP `content[]` text block format.
 * New tools: `webo/create-content-checkpoint` and `webo/restore-content-checkpoint`
   for AI-safe backup and rollback of posts, nav menus, and safe site options before
   bulk MCP writes.
 * Fix: sync `WEBOMCP_VERSION` with the plugin header so `initialize` reports the
   correct MCP server version.

#### 2.3.1

 * Compatibility: fix SCF Abilities API fatal while priming the registry during 
   plugin activation.

#### 2.3.0

 * New tools: `webo/theme-context` (active theme info, editor settings, style presets,
   registered blocks), `webo/block-patterns` (list/get patterns and synced patterns),`
   webo/site-stats` (counts and activity summary), `webo/activity-log` (list, summary,
   clear), `webo/user-profile` (get/update own profile), `webo/site-settings` (get/
   update 20 common WordPress options), `webo/content-search` (cross-post-type full-
   text search with grouped results).
 * Enhancement: `webo/comment-mutate` now supports `create` action for creating 
   new comments.
 * Enhancement: `webo/content-query list` now accepts `author`, `author_name`, `
   date_after`, `date_before`, and `tax_query` filters.
 * Enhancement: `webo/media-query list` now accepts `search`, `mime_type`, `post_id`,
   and `page` filters; response includes `found`, `pages`, `mime_type`, and `alt_text`
   fields.
 * Enhancement: `webo/content-mutate create` and `update` include `_content_warnings`
   when WordPress filters the submitted content on save.

#### 2.2.1

 * Compatibility: autoload bundled MCP schema dependency when the external MCP adapter
   stack is absent.
 * Router: fix flattened MCP argument coalescing for `webo/ability-execute`.

#### 2.2.0

 * Admin: dedicated **WEBO MCP** top-level menu with Overview, Security, Bridge &
   Tools, Agents & Connectors, Audit, and Advanced tabs; legacy Settings link redirects.
 * WordPress 7.0: expanded Core feature detection, Connectors read-bridge (`webo/
   connector-query`), WP AI prompt tool (`webo/ai-prompt`), agent profiles, rate
   limits, audit webhook/CSV export, and multisite network bridge defaults.
 * WP-CLI: `wp webo-mcp health`, `tools-list`, `revoke-tokens`, `audit-count`.
 * Dependencies: MCP Adapter ^0.5 (bundled fallback when external adapter absent).

#### 2.1.23

 * Multisite: add an opt-in Trusted Raw HTML setting so trusted site administrators
   can preserve Elementor and MCP content containing `script`, `style`, `canvas`,`
   iframe`, and other raw HTML when explicitly enabled.
 * Options: allow `webo/get-options` and `webo/update-options` to read and configure
   the Trusted Raw HTML policy.

#### 2.1.22

 * Security: replace normal API-key-in-URL support with short-lived scoped `mcp_token`
   URL connector tokens for clients that cannot send headers.
 * Security: URL connector tokens are shown once, stored only as hashes, expire 
   automatically, can be revoked, cannot expose internal tools, and are limited 
   by an explicit tool allowlist.
 * Admin: add Settings -> WEBO MCP controls to generate and revoke URL connector
   tokens without storing raw secrets.

#### 2.1.21

 * Superseded by 2.1.22. Do not put the normal WEBO API key in URLs.

#### 2.1.20

 * Multisite: allow network admins to target child sites with `site_id` / `blog_id`
   on `webo/content-query`, `webo/content-mutate`, `webo/get-options`, and `webo/
   update-options`.

#### 2.1.19

 * Options: allow `webo/get-options` and `webo/update-options` to manage `html_custom_css`
   for trusted admin MCP flows.

#### 2.1.18

 * Integration: register `webo/reorder-query` and `webo/reorder-mutate` MCP tools
   when the Webo Reorder plugin is active (post/CPT order; not nav menu order).

#### 2.1.17

 * Enhancement: `webo/content-mutate` can update post passwords for protected content
   when the authenticated user has permission to edit the post.
 * Safety: post password updates stay inside the existing content mutation capability
   checks.

#### 2.1.16

 * Fix: `webo/content-mutate` can preserve raw block HTML for users with `unfiltered_html`,
   allowing admin page-builder content and inline styles to be managed through MCP.
 * Security: users without `unfiltered_html` continue to pass content through the
   normal WordPress post KSES boundary.

#### 2.1.15

 * WordPress 7.0 readiness: add defensive feature detection for Abilities API, MCP
   Adapter, Connectors API, and `wp_supports_ai()`.
 * Bootstrap: avoid loading duplicate bundled Abilities API or MCP Adapter code 
   when Core/external implementations are already present.
 * Bridge: add `off`, `layered` (default), and `full` modes. Layered mode exposes
   compact `webo/ability-query` and `webo/ability-execute` tools so `tools/list`
   stays small by default.
 * Security: only bridge abilities with `meta.mcp.public === true`; execution now
   passes through ability permissions, WEBO policy/allowlist checks, and scope/risk
   gates.
 * Health: extend `webo/health-status` with WordPress 7.0/Core AI/MCP compatibility
   diagnostics.
 * Themes: extend `webo/theme-mutate` with WordPress.org theme install by slug; 
   optional activation still requires `switch_themes`.

#### 2.1.14

 * Fix: bridge scoped plugin-management capabilities while network admins activate
   or deactivate plugins inside a child site.
 * Keeps child-site plugin toggles explicit through `site_id` / `blog_id` without
   widening network-wide activation behavior.

#### 2.1.13

 * Added `webo/plugin-mutate` for WordPress.org plugin install, activation, and 
   deactivation through the core plugin endpoint.
 * Added `site_id` / `blog_id` support so network admins can activate or deactivate
   plugins for one multisite child site from the network MCP endpoint.
 * Safety: rejects conflicting `site_id` / `blog_id` plus `network_activate` / `
   network_wide` requests so child-site activation and network-wide activation stay
   explicit.

#### 2.1.12

 * Added a bounded, admin-readable MCP audit log for `tools/call` events with user,
   tool/action, object ID when available, anonymized IP, hashed session ID, status,
   and compact result/error summaries.
 * Added optional per-user, per-role, and per-client/Application Password tool allowlists.
   Enforcement is disabled by default to preserve existing access until an administrator
   opts in.
 * Added read-only administrator tool `webo/health-status` covering REST/router 
   status, Application Password support, permalinks, cron, object cache, plugin 
   update summary, WordPress/PHP versions, and redacted MCP config status.

#### 2.1.11

 * Security: enforce object-level capabilities for MCP content/media mutations, 
   including `edit_post`, `delete_post`, publish/private status changes, and taxonomy-
   specific term capabilities.
 * Security: filter read tools by `read_post` and hide tools from `tools/list` when
   the authenticated user lacks the tool capability.
 * Hardening: use WordPress safe HTTP validation for optional Google Suggest requests
   in `seo/article-analysis`.

#### 2.1.10

 * Fix: register **`webo/plugin-query`** in `Standalone_Tools` so MCP clients can
   list plugin updates (`query=updates`, optional `refresh=true`) and other inspection
   modes.
 * Bootstrap: prime `WP_Abilities_Registry` at `init:2` so `wp_abilities_api_init`
   runs before MCP bootstrap (`init:20`), preventing `_doing_it_wrong` when abilities
   register on `webo_mcp_register_tools`.

#### 2.1.9

 * Refactor: move built-in MCP tool registration into `inc/bootstrap/class-standalone-
   tools.php` (smaller bootstrap; same tool names).
 * Maintainer: broaden `.gitignore` (composer `vendor/bin/`, Cursor local config,
   scratch files); ship `scripts/` helpers and `docs/WPORG_REVIEW_REPLY_2.0.28.md`;
   keep `composer.json` production-only.

#### 2.1.8

 * BOM guard: fix PCRE — use `^(?:\xEF\xBB\xBF)+` so **multiple** UTF-8 BOMs are
   stripped (the old `^\xEF\xBB\xBF+` only repeated the final `0xBF` byte, breaking
   responses such as `wp/v2/types` on `webo.vn` for MCP clients).

#### 2.1.7

 * BOM guard: sanitize **all** REST API requests (`/wp-json/…`, `wp-json.php`, `?
   rest_route=`) by default (`webo_mcp_rest_bom_guard_json_api_requests` filter 
   to disable).

#### 2.1.6

 * BOM guard: treat **Abilities API** REST URLs (`wp-abilities/v1`) the same as 
   MCP router URLs — `@automattic/mcp-wordpress-remote` calls discover/execute over`
   wp-abilities`, which previously skipped the sanitizer.

#### 2.1.5

 * BOM guard: also start the sanitizer on `plugins_loaded` and `init` at priority`-
   999999` when the request URI looks MCP (covers BOM echoed before `rest_api_init`).

#### 2.1.4

 * BOM guard: start output buffer at `rest_api_init` priority 0 when Request-URI/`
   rest_route` looks like MCP (catches BOM printed before routing); loop-strip repeated
   BOM/FEFF; filter `webo_mcp_rest_bom_guard_enabled` to disable.

#### 2.1.3

 * REST: strip accidental UTF-8 BOM / stray U+FEFF before JSON on MCP routes so 
   clients no longer fail JSON parse with `Unexpected token` (defensive `ob_start`
   handler on `rest_pre_dispatch`).

#### 2.1.2

 * Restore the versioned **`skills/`** subtree in the Git repository (guides and
   ability-specific SKILL.md files referenced from README.md), matching the documented`
   npx skills add` workflows.
 * Add **`webo-mcp-ultimo-domain-dns-cf`** skill index entry (Ultimo checking-dns
   + Cloudflare checklist).
 * skills/README.md: document **WP Rocket** skill (`cache-query` / `cache-mutate`
   unified tools).

#### 2.1.1

 * Documentation: add docs/MCP_TOOL_MIGRATION.md (cross-addon dispatcher map; Rank
   Math + Rocket public-vs-internal discovery, WooCommerce query/mutate tool names).
 * Readme (GitHub + WordPress.org): align examples with `webo/content-query`, document`
   meta.mcp.public` visibility for bridged abilities, link migration doc; sync standalone
   tool bullets (menus, themes, plugins).

#### 2.1.0

 * **Token optimization — ecosystem-wide enum-dispatch unification.** All WEBO MCP
   addons now follow the same query/mutate pattern as the core plugin, replacing
   one-tool-per-operation APIs with unified abilities that accept an `action` argument:
    - **webo-mcp-woocommerce:** 27 individual tools  10 unified tools (`webo/woo-
      query-products`, `webo/woo-mutate-products`, `webo/woo-query-orders`, `webo/
      woo-mutate-orders`, `webo/woo-query-customers`, `webo/woo-mutate-customers`,`
      webo/woo-query-coupons`, `webo/woo-mutate-coupons`, `webo/woo-query-store`,`
      webo/woo-mutate-store`).
    - **webo-mcp-rank-math:** 18 individual tools  10 unified `webo-rank-math/*-
      query`/`*-mutate` abilities; granular abilities may stay MCP-internal (see
      addon `wp_register_ability_args`).
    - **webo-mcp-rocket:** 9 individual tools  2 unified tools (`webo-rocket/cache-
      query`, `webo-rocket/cache-mutate`).
 * **Impact:** with core and addons active the total tool count visible in `tools/
   list` drops from ~79+ to ~34. A smaller tool list means the model picks tools
   faster, uses less context budget per request, and makes fewer tool-name errors.
 * **Pattern:** each unified ability requires one `action` string that is dispatched
   server-side via PHP `match()`. All existing handler logic is preserved — only
   the registration surface changes.
 * Updated skills documentation for webo-mcp-ability-woocommerce, webo-mcp-ability-
   rank-math, webo-mcp-ability-rocket, and webo-mcp-guide.

#### 2.0.45

 * Refactor: unify media tools into `webo/media-query` (list, get) and `webo/media-
   mutate` (upload, update, delete); removes 5 legacy media tools.
 * Refactor: unify taxonomy/term tools into `webo/taxonomy-query` (discover, list,
   get) and `webo/taxonomy-mutate` (create, update, delete); removes 6 legacy term
   tools.
 * Refactor: unify comment tools into `webo/comment-query` (list, get) and `webo/
   comment-mutate` (update, delete); removes 4 legacy comment tools.
 * Refactor: unify post/content tools into `webo/content-query` and `webo/content-
   mutate`; removes 17 legacy post tools.
 * Refactor: replace `webo/list-active-plugins` with unified `webo/plugin-query`(
   list, get, activate, deactivate).
 * All unified tools normalize the `id` field as the primary response identifier;
   domain aliases (attachment_id, term_id, comment_id) are kept for backward compatibility.
 * SEO: improved Unicode word count using Unicode ranges for multilingual content;
   non-spaced scripts (CJK, Thai) now estimate word count via character-based heuristics.

#### 2.0.44

 * SEO readability: estimate word count for non-spaced scripts (CJK, Thai, Khmer)
   via character-based heuristics.

#### 2.0.43

 * SEO readability: count Unicode title and meta description lengths correctly for
   non-ASCII characters.

#### 2.0.42

 * SEO readability: count Unicode words correctly for multilingual content.

#### 2.0.41

 * Media/site settings: add `webo/set-site-icon` to set the WordPress site icon/
   favicon from an existing image attachment.

#### 2.0.40

 * MCP post tools: add page, offset, orderby, and order support to webo/list-posts
   responses for reliable batch processing.
 * SEO analyzer: infer the WordPress post title as the primary H1 when content omits
   an H1, and include Article JSON-LD from post/Rank Math metadata for more accurate
   schema checks.

#### 2.0.39

 * Options: allow safe permalink/category/tag base updates through MCP and flush
   rewrite rules after URL setting changes.

#### 2.0.38

 * MCP post tools: preserve safe HTML for post content/excerpt arguments so SEO 
   headings, lists, tables, and images can be authored through create/update calls.

#### 2.0.35

 * New site-management tools: `webo/list-themes` and `webo/switch-theme` for discovering
   installed themes and switching the active theme by stylesheet slug.
 * Readme: release includes the shortened WordPress.org short description, keeping
   the short description under the 150 character import limit.

#### 2.0.34

 * Options: allow `webo/update-options` and `webo/get-options` to handle `show_on_front`
   and `page_on_front`.
 * Safety: validate `show_on_front` as `posts|page` and ensure `page_on_front` references
   a valid Page ID (or 0).

#### 2.0.33

 * Readme: refresh WordPress.org-facing description for clarity; lead with product
   value and protocol workflow, move ecosystem links to a secondary section.

#### 2.0.32

 * Fix: avoid WP 6.9 Abilities API incorrect-usage notices by hardening adapter 
   category/ability registration order and late-boot recovery.

#### 2.0.29

 * Reliability: harden MCP adapter bootstrap and schema type handling (supports 
   array/nullable type definitions safely).
 * WP-CLI noise reduction: register core mcp-adapter abilities before bridge wiring
   and suppress default adapter server bootstrap in CLI mode to avoid false missing-
   ability errors.
 * Release notice: users running WEBO MCP Pro should update Pro package compatibility
   notes from the official docs/release channel before production rollout.

#### 2.0.28

 * WordPress.org review fixes: added explicit `External services` disclosure for
   Google Suggest/Autocomplete used by `seo/article-analysis` (service purpose, 
   transmitted query data and request metadata, conditions, Terms and Privacy links).
 * Compatibility: removed use of `WPINC` for nav-menu API loading; now load nav-
   menu API via explicit core include paths with availability checks to reduce environment-
   specific path issues.

#### 2.0.27

 * Security (WordPress.org guidelines): MCP router no longer maps API keys or HMAC
   to arbitrary user accounts. All requests require WordPress Application Password(
   Basic Auth) or an existing logged-in session; optional site API key and HMAC 
   apply only after authentication.
 * Readme: Contributors includes phuongwebo; clarify authentication in description
   and FAQ.

#### 2.0.26

 * New MCP tool seo/article-analysis (category seo, edit_posts): WordPress-only 
   on-page SEO signals for a post via post_id — rendered content, Rank Math merge,
   readability, issues, content_gaps. Agent documentation: skills/webo-mcp-seo-article/
   SKILL.md in the GitHub repo (not bundled in the WordPress.org zip).
 * Readme: Stable tag sync, privacy note for optional outbound tool requests.

#### 2.0.25

 * list-posts: document defaults (publish + post type post); response includes applied
   filters so empty results are easier to explain. Models should pass status draft(
   etc.) and post_type page when listing those.

#### 2.0.24

 * Nav menus: list-nav-menu-locations response includes note explaining slug vs 
   label; MCP descriptions tell models to call this tool first to discover theme_location
   keys.

#### 2.0.23

 * Nav menus: list-nav-menus response includes menu_id (same as term_id) and clearer
   MCP tool descriptions so clients list menus without asking users for menu_id 
   first.

#### 2.0.22

 * Nav menus: if create-nav-menu / create-nav-menu-for-location targets a name that
   already exists, reuse the existing menu term and continue (reused_existing_menu
   in JSON). Return a clear error if core nav-menu.php cannot be loaded. Expanded
   primary fallback slugs (primary-menu, header-menu, mobile). assign-nav-menu-to-
   location accepts menu_name when menu_id is omitted (assigned_via_menu_name in
   response).

#### 2.0.21

 * Nav menus: resolve theme location when slug primary is missing (single registered
   slot, or common slugs main/header/menu-1/navigation). Load wp-includes/nav-menu.
   php before wp_create_nav_menu in REST context. Response field theme_location_resolution
   indicates how the slug was chosen.

#### 2.0.20

 * Access: MCP router gate allows `manage_options` and `edit_posts` (Editors, site
   admins on multisite), not only `is_super_admin`; fixes list-nav-menus / tools/
   call failing for non-administrator users. Multisite API key/HMAC falls back to
   first site Administrator if no Super Admin login exists. Error code `webo_mcp_access_denied`
   replaces misleading super-admin-only message.

#### 2.0.15

 * Nav menus: list-nav-menus, list-nav-menu-items (db_id, menu_order, object_id,
   parent_db_id), add-nav-menu-item-from-post with required post_id, post_type, 
   and menu_order (explicit developer values; no auto placement).

#### 2.0.14

 * Security: MCP JSON-RPC router, SecurityHelper, tools discovery, and internal-
   tool policy default to network Super Admin on multisite (`is_super_admin`). Single-
   site installs use WordPress core’s `is_super_admin()` behavior (typically full
   administrators). Global API key/HMAC elevates to the first Super Admin user on
   multisite.

#### 2.0.7

 * Readme: highlight https://webomcp.com and n8n community node https://www.npmjs.
   com/package/n8n-nodes-webo-mcp; short description and FAQ; README.md aligned.

#### 2.0.6

 * License: plugin header uses the same wording as readme.txt (“GPL v2 or later”)
   to satisfy WordPress.org declared-license checks.

#### 2.0.5

 * Plugin header: @wordpress-plugin marker for strict scanners; License line uses
   GPLv2 or later slug (Plugin Handbook).

#### 2.0.4

 * Plugin header: handbook field order, shorter Description line, License text “
   GPL v2 or later”, Domain Path for translations.

#### 2.0.3

 * WordPress.org / Plugin Check: include composer.json when vendor is bundled; replace
   unlink with wp_delete_file for temp uploads; remove load_plugin_textdomain (core
   loads translations); resolve API key usermeta via get_users instead of direct
   $wpdb; readme short description, allowed Tags, Stable tag sync.

#### 2.0.2

 * WordPress.org packaging: release zip excludes dotfiles and all .github trees;
   readme Tested up to 6.9.

#### 2.0.1

 * Hardening: HMAC auth passes REST permission layer; SSRF guard for upload-media-
   from-url; paginated search-replace (max 500 posts per call); sanitized safe option
   updates; removed duplicate unused settings class.

#### 2.0.0

 * Plugin renamed to WEBO MCP; folder and main file: webo-mcp/webo-mcp.php.
 * Text domain, REST namespace webo-mcp/v1, hooks webo_mcp_* (breaking for custom
   code using old hook names).
 * Options and API-key usermeta migrate automatically from webo-wordpress-mcp keys
   on first load.

#### 1.1.1

 * Added empty input_schema definitions for core/get-user-info and core/get-environment-
   info.
 * Fixes MCP tools/call validation errors when invoking these no-input core tools.

#### 1.0.2

 * Added new read-only tool: webo/list-active-plugins.
 * Enables MCP clients to verify active plugins with capability check.

#### 1.0.1

 * Metadata refresh release to ensure dependency headers are reloaded correctly.
 * tools/list compatibility improvements for include_internal aliases and legacy
   endpoint support.

#### 1.0.0

 * Initial stable public release.
 * MCP JSON-RPC router with initialize, tools/list, tools/call.
 * Tool registry integration and public visibility policy controls.
 * Session management and optional API key/HMAC security.

## Meta

 *  Version **2.6.15**
 *  Last updated **1 day ago**
 *  Active installations **20+**
 *  WordPress version ** 6.4 or higher **
 *  Tested up to **7.0.1**
 *  PHP version ** 8.0 or higher **
 *  Language
 * [English (US)](https://wordpress.org/plugins/webo-mcp/)
 * Tags
 * [AI agent](https://scn.wordpress.org/plugins/tags/ai-agent/)[automation](https://scn.wordpress.org/plugins/tags/automation/)
   [json rpc](https://scn.wordpress.org/plugins/tags/json-rpc/)[mcp](https://scn.wordpress.org/plugins/tags/mcp/)
   [model context protocol](https://scn.wordpress.org/plugins/tags/model-context-protocol/)
 *  [Advanced View](https://scn.wordpress.org/plugins/webo-mcp/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/webo-mcp/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/webo-mcp/reviews/)

## Contributors

 *   [ phuongwebo ](https://profiles.wordpress.org/phuongwebo/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/webo-mcp/)