Enable Abilities for MCP
| 开发者 | fabiomontenegro1987 |
|---|---|
| 更新时间 | 2026年3月28日 06:39 |
| 捐献地址: | 去捐款 |
| PHP版本: | 8.0 及以上 |
| WordPress版本: | 6.9 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
Enable Abilities for MCP gives you full control over which WordPress Abilities are available to AI assistants through the MCP (Model Context Protocol) Adapter.
WordPress 6.9 introduced the Abilities API, allowing external tools to discover and execute actions on your site. This plugin extends that functionality by registering a comprehensive set of content management abilities and providing a simple admin interface to toggle each one on or off.
Features
- 32 abilities organized in 6 categories: Core, Read, Write, SEO, Utility, and Custom Post Types
- WooCommerce compatible — manage products, orders, and any custom post type with full meta field access (_price, _sku, _stock, etc.)
- Admin dashboard with toggle switches for each ability
- Per-ability control — expose only what you need
- Secure by design — proper capability checks, input sanitization, and per-post permission validation
- WPCS compliant — fully passes WordPress Coding Standards (phpcs)
- MCP-ready — all abilities include
show_in_restandmcp.publicmetadata
- Get posts with filters (status, category, tag, search)
- Get single post details (content, SEO meta, featured image)
- Get categories, tags, pages, comments, media, and users
- Create, update, and delete posts
- Create categories and tags
- Create pages
- Moderate comments
- Reply to comments as the authenticated user
- Upload images from external URLs to the media library (with optional auto-assign as featured image)
- Get full Rank Math metadata for any post/page (title, description, keywords, robots, Open Graph, SEO score)
- Update Rank Math metadata: SEO title, description, focus keyword, canonical URL, robots, Open Graph, primary category, pillar content
- List all registered custom post types with configuration and taxonomies
- Get items from any CPT with filtering, search, and taxonomy queries
- Get full details of a CPT item including all meta fields (WooCommerce, ACF, JetEngine, etc.)
- Create, update, and delete CPT items with taxonomy and meta field support
- Get CPT taxonomies with their terms
- Assign taxonomy terms to CPT items
- Search and replace text in post content
- Site statistics overview (now includes custom post type counts)
- WordPress 6.9 or later (Abilities API)
- MCP Adapter plugin installed and configured
- PHP 8.0 or later
安装:
- In your WordPress dashboard, go to Plugins > Add New and search for Enable Abilities for MCP.
- Click Install Now, then Activate.
- Go to Settings > WP Abilities to manage which abilities are active.
- Install and configure the MCP Adapter plugin to connect with AI assistants.
常见问题:
Do I need anything else for this plugin to work?
Yes. This plugin requires WordPress 6.9+ (which includes the Abilities API) and the MCP Adapter plugin to connect abilities with AI assistants like Claude.
Are all abilities enabled by default?
Yes. On first activation, all abilities are enabled. You can disable any of them from Settings > WP Abilities.
Is it safe to enable write abilities?
Write abilities respect WordPress capabilities. For example, creating a post requires the publish_posts capability, and editing checks per-post permissions. The MCP user must have the appropriate WordPress role.
Does it work on Multisite?
Yes. The plugin can be network-activated. Each site in the network has its own ability configuration.
Does it work with WooCommerce?
Yes. The Custom Post Types section automatically detects WooCommerce products, orders, coupons, and any other registered post type. You can list, create, update, and delete items with full access to WooCommerce meta fields like _price, _sku, _stock_status, _regular_price, and more.
Can I add custom abilities?
This plugin registers abilities using the standard wp_register_ability() API. You can register additional abilities in your own plugin using the wp_abilities_api_init hook.
更新日志:
1.8.0
- New: 8 Custom Post Type abilities — list, get, create, update, delete CPT items, get taxonomies, and assign terms
- New: Full CPT support works with any plugin or theme (WooCommerce, ACF, JetEngine, custom code, etc.)
- New: All meta fields accessible on CPT items (including _price, _sku, ACF fields, etc.)
- New: Contextual admin notices for CPT section (no CPTs detected) and SEO section (Rank Math not active)
- New: Site statistics now include custom post type counts
- Changed: All ability keys standardized to English (e.g. ewpa/obtener-posts → ewpa/get-posts)
- Changed: All source strings standardized to English; Spanish moved to translation files
- Changed: Automatic migration preserves existing settings when upgrading from v1.7
- Total abilities increased from 24 to 32
- New: Admin notice when MCP Adapter plugin is not installed with download link
- New: MCP endpoint URL and Claude Desktop configuration example in API Key section
- Updated: Installation instructions reflect WordPress.org plugin directory availability
- New: Reply to comments ability (responder-comentario) — respond to existing comments as the authenticated user
- Fix: Rank Math focus keyword parameter changed from array to single string for proper MCP compatibility
- Improved: Updated actualizar-rankmath label and descriptions for better AI discovery via MCP
- Total abilities increased from 23 to 24
- New: API Key authentication for external MCP connections (Perplexity, custom connectors)
- New: Generate, regenerate, and revoke API keys from Settings > WP Abilities
- New: Bearer token authentication scoped to MCP REST API routes only
- New: API key stored as SHA-256 hash with timing-safe validation
- New: Authorization header extraction with Apache/Nginx/CGI fallbacks
- New:
includes/auth.phpmodule with authentication logic - Clean uninstall updated to remove API key option
- Security: removed server filesystem path exposure from image upload response
- Security: removed SVG from allowed upload extensions (XSS prevention)
- Security: upgraded capability checks for Rank Math metadata and site statistics abilities
- Security: replaced
@unlink()withwp_delete_file()for proper file deletion - Security: replaced
user_emailwithuser_loginin user listing ability to prevent email exposure - Code quality: full WordPress Coding Standards (WPCS 3.x) compliance — zero errors, zero warnings
- Code quality: tabs indentation, Yoda conditions, spaces inside parentheses, proper docblocks
- Code quality: replaced short ternary operators with explicit ternaries and helper function
- Code quality: named function callbacks for activation hook
- Code quality: proper multi-line comment formatting
- New: SEO — Rank Math section with 2 dedicated abilities
- New: Get Rank Math metadata (title, description, keywords, canonical URL, robots, Open Graph, Twitter, primary category, pillar content, SEO score)
- New: Update Rank Math metadata with per-field granularity and input validation
- New: Upload image from URL ability — downloads external images to the media library with optional auto-assign as featured image
- Total abilities increased from 20 to 23
- Security hardening: runtime validation of all enum inputs (post_status, orderby, order)
- Security hardening: integer inputs clamped to allowed ranges
- Security hardening: per-post capability checks for edit, delete, and search-replace
- Security hardening: sanitize tags, validate featured images, author IDs, and post dates
- Security hardening: wp_unslash and sanitize nonce verification
- Fixed: page template uses sanitize_file_name instead of sanitize_text_field
- Fixed: search-replace validates empty search and sanitizes replacement with wp_kses_post
- Fixed: added
show_in_rest => trueto all custom abilities meta (required for REST API and MCP discovery) - Fixed: ability categories now register on
wp_abilities_api_categories_inithook
- Initial release
- 17 custom abilities: 8 read, 7 write, 2 utility
- 3 core abilities exposed to MCP
- Admin settings page with per-ability toggles