EchoOps MCP

EchoOps MCP exposes a secure MCP endpoint on your own WordPress site so compatible AI assistants and automation tools can work through controlled WordPress abilities. Core is usable on its own. No EchoOps Cloud account is required. EchoOps MCP 0.1.0 requires PHP 8.4. Compatibility with earlier PHP 8.x versions may be evaluated in a future release. The plugin includes:

• OAuth2 Authorization Code with PKCE.
• Dynamic Client Registration.
• A protected MCP endpoint at /wp-json/echoops-mcp/v1/mcp.
• Controlled EchoOps abilities for site information, posts, pages, media, taxonomies, and terms.
• Safe defaults: read abilities are enabled by default, write abilities are disabled by default.
• No delete abilities, direct publish abilities, or user management abilities.
• Admin controls for allowed OAuth users, ability toggles, active sessions, settings, and audit log review.
• A first-run Setup page with generic connection templates and downloadable non-secret client configuration.
• An admin OAuth Test Helper for manual testing without displaying tokens or secrets.
• Redacted audit logging for ability execution attempts.

Client templates are generic setup aids unless a specific client has been separately verified. The plugin does not overclaim compatibility with any particular third-party MCP client. Privacy And External Services EchoOps MCP Core runs on your WordPress site. It does not require an EchoOps Cloud account and does not send usage telemetry or audit data to EchoOps services. Authorized OAuth clients connect to your site's OAuth-protected MCP endpoint. Admins control which WordPress users may authorize clients and which EchoOps abilities are enabled. The optional echoops/media-upload-from-url ability is a write ability and is disabled by default. If an administrator enables it and an authorized client executes it, your WordPress site sends HTTP HEAD and GET requests to the URL supplied by that client to validate and download the media file. The remote server may receive request metadata such as your site's server IP address and standard HTTP headers. Audit input summaries redact keys containing password, secret, token, authorization, cookie, nonce, and key. Content-like fields such as content, post_content, description, body, and html are stored only as length and SHA-256 hash summaries. Access tokens, refresh tokens, authorization codes, client secrets, private keys, cookies, nonces, and authorization headers are not displayed in admin screens or written to audit logs. Uninstall currently retains OAuth, audit, and settings data until a retention/export policy is implemented.

0.1.0

• Initial public MVP package.
• Added OAuth2 Authorization Code with PKCE, Dynamic Client Registration, token validation, and OAuth metadata endpoints.
• Added protected MCP endpoint using wordpress/mcp-adapter.
• Added EchoOps MVP abilities for site info, site health, posts, pages, media, taxonomies, and terms.
• Added safe-by-default ability toggles.
• Added Setup, Dashboard, Abilities, Connections, Audit Log, Settings, manual callback, and OAuth Test Helper admin pages.
• Added allowed OAuth users, session revocation, audit logging, and redaction.