Enable Abilities for MCP
| 开发者 | fabiomontenegro1987 |
|---|---|
| 更新时间 | 2026年5月14日 09:44 |
| 捐献地址: | 去捐款 |
| PHP版本: | 8.0 及以上 |
| WordPress版本: | 6.9 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
详情介绍:
Enable Abilities for MCP gives you full control over which WordPress Abilities are available to AI assistants through the MCP (Model Context Protocol) Adapter.
WordPress 6.9 introduced the Abilities API, allowing external tools to discover and execute actions on your site. This plugin extends that functionality by registering a comprehensive set of content management abilities and providing a simple admin interface to toggle each one on or off.
Features
- 48 abilities organized in 10 categories: Core, Read, Write, SEO (Rank Math), SEO (SEOPress), SEO (Yoast), Utility, Custom Post Types, WooCommerce, and The Events Calendar
- WooCommerce integration — dedicated abilities to manage products, orders, and customers using the native WooCommerce API (HPOS-compatible, formally declared)
- The Events Calendar integration — list, get, create, and update events with venue, organizer, and date filters
- Admin dashboard with toggle switches for each ability
- Per-ability control — expose only what you need
- Secure by design — proper capability checks, input sanitization, and per-post permission validation
- WPCS compliant — fully passes WordPress Coding Standards (phpcs)
- MCP-ready — all abilities include
show_in_restandmcp.publicmetadata
- Get posts with filters (status, category, tag, search)
- Get single post details (content, SEO meta, featured image)
- Get categories, tags, pages, comments, media, and users
- Create, update, and delete posts
- Create categories and tags
- Create pages
- Moderate comments
- Reply to comments as the authenticated user
- Upload images from external URLs to the media library (with optional auto-assign as featured image)
- Get full Rank Math metadata for any post/page (title, description, keywords, robots, Open Graph, SEO score)
- Update Rank Math metadata: SEO title, description, focus keyword, canonical URL, robots, Open Graph, primary category, pillar content
- Get full SEOPress metadata for any post/page (title, description, focus keyword, robots, canonical, Open Graph, Twitter Card)
- Update SEOPress metadata: SEO title, description, focus keyword, canonical URL, robots directives, Open Graph, Twitter Card
- Get full Yoast SEO metadata for any post/page (title, description, focus keyphrase, canonical, robots, Open Graph, Twitter Card)
- Update Yoast SEO metadata: SEO title, description, focus keyphrase, canonical URL, robots (noindex, nofollow, advanced), Open Graph, Twitter Card
- Get Yoast sitemap index — fetch and parse the sitemap index, returning all registered sitemap URLs with last modification date
- List all registered custom post types with configuration and taxonomies
- Get items from any CPT with filtering, search, and taxonomy queries
- Get full details of a CPT item including all meta fields (WooCommerce, ACF, JetEngine, etc.)
- Create, update, and delete CPT items with taxonomy and meta field support
- Get CPT taxonomies with their terms
- Assign taxonomy terms to CPT items
- List products with price, SKU, stock status, categories, and type
- Get full product detail including gallery, attributes, and variations
- Update product price, sale price, stock quantity, and status
- List orders with customer, total, status, and date (HPOS-compatible)
- Get full order detail: line items, billing/shipping, totals, and notes
- Update order status with optional note
- List customers with email, name, total spent, and order count
- List events with start/end date, venue, organizer, and date range filter
- Get full event detail with resolved venue address and organizer contact
- Create new events with title, description, dates, venue, and organizer
- Update existing events
- Search and replace text in post content
- Site statistics overview (includes custom post type counts)
- Update any post meta field by exact key (with protected internal key blocklist)
- WordPress 6.9 or later (Abilities API)
- MCP Adapter plugin installed and configured
- PHP 8.0 or later
安装:
- In your WordPress dashboard, go to Plugins > Add New and search for Enable Abilities for MCP.
- Click Install Now, then Activate.
- Go to Settings > WP Abilities to manage which abilities are active.
- Install and configure the MCP Adapter plugin to connect with AI assistants.
常见问题:
Do I need anything else for this plugin to work?
Yes. This plugin requires WordPress 6.9+ (which includes the Abilities API) and the MCP Adapter plugin to connect abilities with AI assistants like Claude.
Are all abilities enabled by default?
Yes. On first activation, all abilities are enabled. You can disable any of them from Settings > WP Abilities.
Is it safe to enable write abilities?
Write abilities respect WordPress capabilities. For example, creating a post requires the publish_posts capability, and editing checks per-post permissions. The MCP user must have the appropriate WordPress role.
Does it work on Multisite?
Yes. The plugin can be network-activated. Each site in the network has its own ability configuration.
Does it work with WooCommerce?
Yes. The Custom Post Types section automatically detects WooCommerce products, orders, coupons, and any other registered post type. You can list, create, update, and delete items with full access to WooCommerce meta fields like _price, _sku, _stock_status, _regular_price, and more.
Can I add custom abilities?
This plugin registers abilities using the standard wp_register_ability() API. You can register additional abilities in your own plugin using the wp_abilities_api_init hook.
更新日志:
2.0.3
- New: SEOPress section —
ewpa/get-seopressreads SEO title, description, focus keyword, canonical URL, robots (noindex/nofollow/noarchive/noimageindex/nosnippet), Open Graph, and Twitter Card for any post or page - New: SEOPress section —
ewpa/update-seopressupdates any combination of those fields; only provided fields are modified - New: Yoast SEO section —
ewpa/yoast-get-seoreads SEO title, description, focus keyphrase, canonical URL, robots (noindex/nofollow/advanced), Open Graph, and Twitter Card - New: Yoast SEO section —
ewpa/yoast-update-seoupdates any combination of those fields; only provided fields are modified - New: Yoast SEO section —
ewpa/yoast-get-sitemap-indexfetches and parses the Yoast sitemap index, returning all registered sitemap URLs with last modification dates - New:
ewpa/update-post-metautility ability — writes any post meta field by exact key; useful for SEO plugins or custom fields not covered by dedicated sections; protected against internal WP keys via blocklist (filterable withewpa_blocked_meta_keys) - Improved: SEO meta in
get-post,get-page,create-post,update-post,create-page, andupdate-pagenow auto-detects the active SEO plugin (Rank Math, Yoast SEO, The SEO Framework, SEOPress, AIOSEO) instead of writing to both Yoast and Rank Math keys simultaneously - Updated: Total abilities: 48 in 10 categories
- Fix: Re-release to ensure all users receive the corrected admin CSS and JavaScript — sites that auto-updated to 2.0.1 before the tab and JS fixes were in place will now receive the correct assets
- Fix: Ability count in plugin description corrected to 42 (get-page and update-comment were added in 1.9.2/1.9.3)
- Fix: Activity log DB table now created correctly —
PRIMARY KEYSQL formatted for dbDelta - Fix:
ewpa_log_activity()is self-healing — auto-creates table on first failed insert, no manual intervention required - Fix: Input parameter unified to
status(waspost_status) acrossewpa/get-posts,ewpa/get-pages, andewpa/get-cpt-itemsfor consistency with write abilities - Fix: Uninstall now cleans up
ewpa_bearer_enabledandewpa_db_versionoptions (previously leaked on uninstall) - Fix: Admin tabs now use WordPress native
nav-tabclasses — resolves broken button styling on sites where themes or plugins override default button CSS - Fix: Admin JavaScript wrapped in
document.readyStateguard — tabs and toggle now work correctly on sites with optimization plugins (WP Rocket, LiteSpeed, etc.) that defer or combine scripts - Code quality: WPCS auto-fixed 14 issues; short ternary operators and docblock corrections applied manually
- Code quality:
phpcs.xmlruleset updated — WooCommerce and The Events Calendar custom capabilities declared - Code quality: Zero errors across all core plugin files
- Note: If tabs or the Bearer toggle appear broken after updating, purge your Cloudflare or CDN cache — CDNs may serve stale JS/CSS files regardless of the plugin version parameter
- New: Activity log — tracks every MCP ability execution per user with timestamp; viewable and clearable from the admin
- New: Three-tab admin interface: Connection, Activity Log, Abilities — cleaner organization
- New: Bearer token is now optional with an on/off toggle; existing installs auto-detected and migrated without breaking changes
- New: Application Passwords configuration section with step-by-step setup guide
- New: In-browser Base64 credential generator — no terminal required to configure Claude Desktop
- New:
includes/activity-log.php— table management, logging helpers, and AJAX clear handler - New: File-only upgrade migration via
plugins_loadedhook — no reactivation needed - Changed: All copy buttons use HTTP-safe clipboard fallback (works on non-HTTPS local environments)
- Updated: Total abilities: 42 (includes new get-page, update-comment added in previous minor versions)
- New: Update Comment ability (ewpa/update-comment) — update content, author name, email, or WordPress user of an existing comment
- New: Get Single Page ability (ewpa/get-page) — retrieves full page detail by ID including content, template, hierarchy, and SEO metadata
- Fix: Formally declare WooCommerce HPOS (High-Performance Order Storage) compatibility via FeaturesUtil::declare_compatibility(), resolving the WooCommerce compatibility warning in WP Admin
- Fix: Replace date() with gmdate() to avoid timezone-related display issues
- New: WooCommerce section with 7 dedicated abilities (products, orders, customers) — HPOS-compatible
- New: The Events Calendar section with 4 abilities (list, get, create, update events)
- Updated: Total abilities increased from 32 to 40
- Code quality: Added phpcs.xml.dist ruleset declaring WooCommerce and The Events Calendar custom capabilities
- Code quality: Zero errors, zero warnings across all plugin files
- New: 8 Custom Post Type abilities — list, get, create, update, delete CPT items, get taxonomies, and assign terms
- New: Full CPT support works with any plugin or theme (WooCommerce, ACF, JetEngine, custom code, etc.)
- New: All meta fields accessible on CPT items (including _price, _sku, ACF fields, etc.)
- New: Contextual admin notices for CPT section (no CPTs detected) and SEO section (Rank Math not active)
- New: Site statistics now include custom post type counts
- Changed: All ability keys standardized to English (e.g. ewpa/obtener-posts → ewpa/get-posts)
- Changed: All source strings standardized to English; Spanish moved to translation files
- Changed: Automatic migration preserves existing settings when upgrading from v1.7
- Total abilities increased from 24 to 32
- New: Admin notice when MCP Adapter plugin is not installed with download link
- New: MCP endpoint URL and Claude Desktop configuration example in API Key section
- Updated: Installation instructions reflect WordPress.org plugin directory availability
- New: Reply to comments ability (responder-comentario) — respond to existing comments as the authenticated user
- Fix: Rank Math focus keyword parameter changed from array to single string for proper MCP compatibility
- Improved: Updated actualizar-rankmath label and descriptions for better AI discovery via MCP
- Total abilities increased from 23 to 24
- New: API Key authentication for external MCP connections (Perplexity, custom connectors)
- New: Generate, regenerate, and revoke API keys from Settings > WP Abilities
- New: Bearer token authentication scoped to MCP REST API routes only
- New: API key stored as SHA-256 hash with timing-safe validation
- New: Authorization header extraction with Apache/Nginx/CGI fallbacks
- New:
includes/auth.phpmodule with authentication logic - Clean uninstall updated to remove API key option
- Security: removed server filesystem path exposure from image upload response
- Security: removed SVG from allowed upload extensions (XSS prevention)
- Security: upgraded capability checks for Rank Math metadata and site statistics abilities
- Security: replaced
@unlink()withwp_delete_file()for proper file deletion - Security: replaced
user_emailwithuser_loginin user listing ability to prevent email exposure - Code quality: full WordPress Coding Standards (WPCS 3.x) compliance — zero errors, zero warnings
- Code quality: tabs indentation, Yoda conditions, spaces inside parentheses, proper docblocks
- Code quality: replaced short ternary operators with explicit ternaries and helper function
- Code quality: named function callbacks for activation hook
- Code quality: proper multi-line comment formatting
- New: SEO — Rank Math section with 2 dedicated abilities
- New: Get Rank Math metadata (title, description, keywords, canonical URL, robots, Open Graph, Twitter, primary category, pillar content, SEO score)
- New: Update Rank Math metadata with per-field granularity and input validation
- New: Upload image from URL ability — downloads external images to the media library with optional auto-assign as featured image
- Total abilities increased from 20 to 23
- Security hardening: runtime validation of all enum inputs (post_status, orderby, order)
- Security hardening: integer inputs clamped to allowed ranges
- Security hardening: per-post capability checks for edit, delete, and search-replace
- Security hardening: sanitize tags, validate featured images, author IDs, and post dates
- Security hardening: wp_unslash and sanitize nonce verification
- Fixed: page template uses sanitize_file_name instead of sanitize_text_field
- Fixed: search-replace validates empty search and sanitizes replacement with wp_kses_post
- Fixed: added
show_in_rest => trueto all custom abilities meta (required for REST API and MCP discovery) - Fixed: ability categories now register on
wp_abilities_api_categories_inithook
- Initial release
- 17 custom abilities: 8 read, 7 write, 2 utility
- 3 core abilities exposed to MCP
- Admin settings page with per-ability toggles