Invizo MCP

Invizo MCP turns your WordPress site into a standalone Model Context Protocol server. It lets approved AI clients work with site content and supported plugins through a native endpoint hosted by WordPress: https://example.com/wp-json/mcp/invizo No Invizo-hosted MCP backend, account, subscription, or license key is required. The plugin bundles the official WordPress MCP Adapter and PHP MCP Schema packages and exposes Invizo's action library through the WordPress Abilities API. The MCP server exposes three compact protocol tools:

• discover-abilities
• get-ability-info
• execute-ability

These tools discover and execute 143 scoped Invizo abilities without flooding AI clients with 143 top-level MCP tools. Highlights

• Direct MCP endpoint hosted by WordPress.
• WordPress Application Password authentication.
• Administrator-only transport and action execution.
• Granular read, write, and delete scopes.
• Dry-run and confirmation safeguards for supported risky operations.
• Copy-ready connection settings for Claude Code, Claude Desktop, Codex, Cursor, and Antigravity.
• Dependency-aware controls for WooCommerce, Elementor, Rank Math SEO, LearnPress, and The Events Calendar.
• No telemetry, tracking, Invizo cloud account, or automatic connection to Invizo servers.

What can agents manage?

• WordPress content: posts, pages, media, categories, tags, comments, revisions, reusable blocks, templates, global styles, menus, and content search.
• Site administration: users, selected safe site settings, post types, taxonomies, statuses, plugins, and themes.
• Custom content: custom post type definitions, custom post type items, post metadata, and MCP-managed post meta definitions.
• Page builders and SEO: Gutenberg content, Elementor page data, and Rank Math SEO metadata.
• WooCommerce: products, variations, orders, notes, coupons, customers, and product terms.
• LearnPress: courses, lessons, quizzes, questions, orders, terms, enrollments, and builder workflows.
• The Events Calendar: events, venues, and organizers.

Who is this for? Invizo MCP is intended for administrators, developers, agencies, and site maintainers who want an AI coding or automation client to work with a WordPress site through a documented, scoped protocol. Because enabled write and delete scopes can modify important site data, use the plugin only with trusted clients and dedicated Application Passwords. Test destructive workflows on a staging site first. Authentication Invizo MCP uses WordPress Application Passwords and WordPress REST authentication. Only authenticated users with the manage_options capability can access the MCP transport or execute Invizo abilities. In a standard WordPress installation this means administrators only. Create a dedicated Application Password from Settings > Invizo MCP for every AI client or computer. Passwords can be revoked individually from the same screen. Application Passwords normally require HTTPS. Local HTTP sites can enable them by setting: define( 'WP_ENVIRONMENT_TYPE', 'local' ); Security plugins can disable Application Passwords. Invizo reports this condition on its settings screen. Scopes and safeguards Administrators choose exactly which read, write, and delete scopes are enabled. Abilities outside enabled scopes are hidden from MCP discovery and rejected during execution. Optional integration scopes are unavailable unless their required plugin is active. Existing handler safeguards remain in place, including:

• WordPress sanitization and validation.
• Plugin availability checks.
• Scope checks inside action handlers.
• Dry-run previews for supported risky operations.
• Explicit confirm: true requirements for supported destructive operations.
• Reserved metadata protection and safe site-setting allow lists.

Data stored by the plugin Invizo MCP stores:

• Endpoint enabled/disabled status and selected scopes in the invizo_mcp_settings option.
• MCP-managed custom post type definitions in the invizo_mcp_registered_cpts option.
• MCP-managed post meta definitions in the invizo_mcp_registered_meta_fields option.
• A plugin version option used for upgrades.

Application Passwords are created and stored by WordPress in user metadata. Invizo tags only the credentials it creates so they can be listed and revoked from the settings page. Invizo MCP does not collect analytics or send usage information to Invizo.

1. Install the Invizo MCP release ZIP, including its bundled vendor directory.
2. Activate the plugin on WordPress 6.9 or newer.
3. Open Settings > Invizo MCP.
4. Enable the MCP endpoint.
5. Select only the scopes your agent needs.
6. Create an Application Password.
7. Choose Claude, Codex, Cursor, or Antigravity and copy the generated configuration.
8. Restart or reload the AI client.
9. Verify the connection by listing the server tools and running discover-abilities.

Do not install a source-only archive that omits Composer dependencies. Minimum requirements

• WordPress 6.9 or newer.
• PHP 7.4 or newer.
• HTTPS for normal Application Password support. WordPress local environments may use HTTP when WP_ENVIRONMENT_TYPE is set to local.
• An MCP client that supports remote HTTP MCP or a compatible local STDIO bridge.

2.0.3

• Replaced dynamic option keys in site settings handlers with explicit WordPress core option references to satisfy plugin review requirements.

2.0.2

• Enqueued settings-page CSS and JavaScript through the WordPress asset APIs.
• Limited dependency notices to the Plugins and Invizo MCP settings screens.
• Restricted WooCommerce customer address updates to an explicit field and setter allowlist.
• Updated the bundled Jetpack Autoloader dependency.

2.0.1

• Prepared the standalone release for WordPress.org review and distribution.
• Added GPL license and third-party dependency notices.
• Added optional uninstall cleanup and automatic revocation of Invizo-created Application Passwords.
• Added privacy, data storage, security reporting, source, build, and external-service documentation.
• Fixed prepared SQL handling for LearnPress enrollment queries.
• Improved local HTTPS connection snippets for .test, .local, and WordPress local environments.
• Removed manual translation loading because WordPress.org loads translations automatically.

2.0.0

• Converted Invizo into a standalone MCP server hosted by WordPress.
• Bundled the official WordPress MCP Adapter, PHP MCP Schema, and Jetpack package autoloader.
• Added /wp-json/mcp/invizo.
• Exposed all 143 existing actions as scoped WordPress abilities through compact discovery, information, and execution tools.
• Replaced shared-secret HMAC authentication with administrator-only WordPress Application Passwords.
• Added endpoint enable/disable control and Application Password creation and revocation.
• Added generated setup instructions for Claude Code, Claude Desktop, Codex, Cursor, and Antigravity.
• Removed the external Invizo dashboard, handshake, server URL, shared secret, and legacy signed execution endpoint.
• Added automatic 1.x settings migration while preserving scopes and managed definitions.