| 开发者 | invizo |
|---|---|
| 更新时间 | 2026年7月14日 16:10 |
| 捐献地址: | 去捐款 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
https://example.com/wp-json/mcp/invizo
Invizo MCP uses WordPress Application Passwords, administrator-only access, granular scopes, and the WordPress Abilities API. Administrators decide exactly what an AI client can discover and execute: read-only content, post creation, WooCommerce operations, media uploads, Elementor workflows, Rank Math metadata, LearnPress course actions, Events Calendar management, and more.
No Invizo account, subscription, license key, telemetry, or Invizo cloud service is required.
Why choose Invizo MCP?
/wp-json/mcp/invizo.discover-abilities, get-ability-info, and execute-ability instead of flooding clients with dozens of top-level tools.discover-abilitiesget-ability-infoexecute-ability@automattic/mcp-wordpress-remote bridge through npx. Clients that support authenticated remote HTTP MCP can connect directly to the WordPress endpoint.
Built for administrators, developers, stores, agencies, and site managers
Invizo MCP is for WordPress administrators, WooCommerce store owners, agencies, developers, SEO teams, educators, and site maintainers who want trusted AI clients to work with WordPress through a documented, scoped protocol.
Use read-only scopes for research and reporting. Add write scopes for content workflows. Enable delete scopes only for trusted clients and tested workflows.
Authentication
Invizo MCP uses WordPress Application Passwords and WordPress REST authentication.
Only authenticated users with the manage_options capability can access the MCP transport or execute Invizo abilities. In a standard WordPress installation this means administrators only.
Create a dedicated Application Password from Settings > Invizo MCP for every AI client or computer. Passwords can be revoked individually from the same screen.
Application Passwords normally require HTTPS. Local HTTP sites can enable them by setting:
define( 'WP_ENVIRONMENT_TYPE', 'local' );
Security plugins can disable Application Passwords. Invizo reports this condition on its settings screen.
Scopes and safeguards
Administrators choose exactly which read, write, and delete scopes are enabled. Abilities outside enabled scopes are hidden from MCP discovery and rejected during execution.
Optional integration scopes are unavailable unless their required plugin is active.
Existing handler safeguards remain in place, including:
confirm: true requirements for supported destructive operations.invizo_mcp_settings option.invizo_mcp_registered_cpts option.invizo_mcp_registered_meta_fields option.vendor directory.discover-abilities.WP_ENVIRONMENT_TYPE is set to local.Invizo MCP is a WordPress MCP server plugin. It gives approved AI clients a secure Model Context Protocol endpoint for reading and managing WordPress content, WooCommerce data, builders, SEO metadata, LMS content, events, custom post types, and metadata.
Yes. Invizo MCP hosts a native MCP endpoint inside WordPress at /wp-json/mcp/invizo.
The Model Context Protocol, or MCP, is an open protocol that lets AI clients discover tools, inspect input schemas, and execute actions on connected systems. Invizo MCP uses MCP to expose WordPress abilities to authorized AI clients.
Invizo MCP includes setup instructions for Claude Code, Claude Desktop, Codex, Cursor, and Antigravity. Other MCP-compatible clients can connect when they support authenticated remote HTTP MCP or a local STDIO bridge.
Yes. Use the Claude Code or Claude Desktop configuration generated on the Invizo MCP settings page. The configuration points Claude to your WordPress MCP endpoint and authenticates with a WordPress Application Password.
Yes. Invizo MCP provides a Codex config.toml example for both project-level and global Codex configuration. After adding the generated MCP server block, restart Codex and verify the server exposes discover-abilities, get-ability-info, and execute-ability.
Yes. Invizo MCP provides Cursor mcp.json examples for project and global configuration. Cursor can use the local @automattic/mcp-wordpress-remote bridge when needed.
Invizo MCP is built on the open Model Context Protocol. It can work with MCP-compatible clients that support remote HTTP MCP or a local bridge. Use the client configuration format supported by your ChatGPT MCP environment.
WordPress itself does not need Node.js to run Invizo MCP. Some desktop clients use npx @automattic/mcp-wordpress-remote as a local bridge on the computer running the AI client.
No. Invizo MCP does not contact api.mcp.invizo.io, does not require an Invizo account, and does not send usage analytics to Invizo. WordPress hosts the MCP endpoint.
No. Version 2.0 does not require or contact an Invizo backend.
Yes. WordPress serves MCP JSON-RPC requests at /wp-json/mcp/invizo.
Invizo MCP is self-hosted. Your WordPress site runs the endpoint, uses WordPress Application Passwords, and relies on administrator-selected scopes. No Invizo-hosted relay is required.
Invizo MCP uses the Model Context Protocol and the WordPress Abilities API. AI clients can discover available abilities, inspect schemas, and execute scoped actions through MCP instead of guessing REST routes.
It exposes three compact tools: discover-abilities, get-ability-info, and execute-ability. Those tools provide access to the allowed WordPress abilities without publishing every action as a separate top-level MCP tool.
Yes. Administrators select the exact read, write, and delete scopes. Disabled scopes are hidden from MCP discovery and rejected during execution.
Yes. Enable only read scopes, such as Read Posts, Read Pages, Read Media, Read WooCommerce Data, or Read Site Settings and Structure.
Yes, when Create/Edit Posts or Create/Edit Pages is enabled. You can keep those scopes disabled for read-only clients.
Only when the relevant delete scope is enabled. Keep delete scopes disabled unless the client and workflow are trusted.
Yes. When WooCommerce is active and WooCommerce scopes are enabled, Invizo MCP can expose abilities for products, variations, orders, order notes, order statuses, coupons, customers, and product terms.
Yes. Elementor scopes become available when Elementor is active. Invizo MCP can expose Elementor page-builder workflows to authorized MCP clients.
Yes. Invizo MCP includes Gutenberg page-builder support and abilities for reusable blocks, patterns, block templates, and global styles.
Yes. Rank Math SEO scopes become available when Rank Math SEO is active.
Yes. LearnPress read, write, delete, and builder scopes become available when LearnPress is active.
Yes. Events Calendar read and write scopes become available when The Events Calendar is active.
Yes. Invizo MCP includes scopes for custom post types, custom post type items, post meta, and MCP-managed metadata definitions.
Some desktop clients communicate with local STDIO MCP processes more reliably than remote authenticated HTTP endpoints. @automattic/mcp-wordpress-remote is a local transport bridge; it is not an Invizo-hosted server.
No. Invizo requires manage_options at the MCP transport and ability layers.
Invizo MCP uses WordPress Application Passwords. Create a dedicated Application Password for each AI client or computer, then store that credential in the client configuration.
Separate credentials make revocation simple. If one computer, client, or workflow should stop connecting, revoke only that Application Password.
Yes. Revoke the Application Password from the Invizo MCP settings page or the WordPress user profile. Revocation immediately stops that credential.
The Invizo MCP route is not initialized. Existing Application Passwords remain valid WordPress credentials until revoked, but they cannot access an inactive Invizo endpoint.
WooCommerce, Elementor, Rank Math SEO, LearnPress, and The Events Calendar scopes require the corresponding plugin to be active.
Invizo MCP executes what the authenticated AI client requests and what enabled scopes allow. Review client prompts carefully, use read-only scopes when possible, and test write workflows on staging before using them on production.
It can be used on live stores, but write and delete scopes can affect products, orders, coupons, customers, and terms. Use dedicated credentials, least-privilege scopes, and staging tests for risky workflows.
Invizo MCP stores plugin settings, selected scopes, MCP-managed CPT definitions, and MCP-managed metadata definitions. It does not collect analytics or send usage data to Invizo.
Invizo-created Application Passwords are revoked. Plugin settings and MCP-managed CPT/meta definitions are deleted only if uninstall cleanup is enabled. Existing posts and post meta values are never deleted by the uninstaller.
Check that the Application Password is correct, the WordPress user is an administrator, Application Passwords are available on the site, and the client is sending HTTP Basic authentication correctly.
Confirm the endpoint is enabled, at least one scope is selected, required integration plugins are active, and the AI client has been restarted after adding the configuration.
Yes. Application Passwords normally require HTTPS. Local HTTP sites can enable them by setting WP_ENVIRONMENT_TYPE to local.
Invizo MCP is designed for administrator-only access on the site where it is active. Test multisite workflows carefully because scopes and capabilities can vary by network and site configuration.
Please report security issues privately through https://invizo.io/ so they can be handled before public disclosure.
.test, .local, and WordPress local environments./wp-json/mcp/invizo.