miniOrange Secure MCP Server

Developer: cyberlord92
Last updated: June 23, 2026 13:16
PHP version: 7.4 or later
WordPress version: 7.0
License: Expat
License URL: License information

Tags

ai oauth mcp abilities governance

Downloads

1.0.0 1.1.0 1.1.1

Description:

miniOrange Secure MCP Server helps WordPress administrators with AI governance and policy enforcement: understanding, and controlling, what AI assistants and MCP clients are allowed to do on their site.

The WordPress Abilities API (available in WordPress 6.9 and later) lets plugins and WordPress core expose discrete, machine-callable capabilities — for example: get site info, create a post, or generate a summary. This plugin turns those abilities into a remote Model Context Protocol (MCP) server so AI clients can discover and invoke them, protected by a self-hosted OAuth 2.1 authorization server.

What this version does

Every MCP request runs as the WordPress user who authorized it, so what an AI client can do is bounded by that user's own capabilities.

Installation:

  1. Upload the plugin files to the /wp-content/plugins/miniorange-secure-mcp-server directory, or install the plugin through the WordPress plugins screen directly.
  2. Activate the plugin through the "Plugins" screen in WordPress.
  3. Open the "Secure MCP Server" menu item (under Tools) to review the abilities registered on your site.
  4. Connect an MCP client (see the FAQ) to https://YOUR-SITE/wp-json/mosmcp/v1/mcp.

Upgrade notice:

1.1.1
  • Added support and feedback forms to the plugin.
1.1.0
  • Adds an OAuth-protected MCP server. The plugin now creates database tables; review the updated privacy note in the FAQ.
1.0.0
  • Initial release. No upgrade steps required.

FAQ:

How do ChatGPT and Claude connect?

Add a custom connector pointing at your MCP endpoint, https://YOUR-SITE/wp-json/mosmcp/v1/mcp. The client discovers the OAuth endpoints automatically, registers itself, walks you through logging in to WordPress and approving access, and then connects. The site must be reachable over HTTPS (cloud clients cannot reach localhost); for local development, expose the site through an HTTPS tunnel such as ngrok or cloudflared.

Does this plugin store any data?

Yes. To run the OAuth server it creates three database tables for registered clients, short-lived authorization codes, and access/refresh tokens. Tokens and client secrets are stored only as keyed hashes, never in plaintext. A single options row holds the plugin's hash salt. All of this is removed when the plugin is deleted.
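How storage of tokens as keyed hashes, as described in the answer above, can work in practice. This is an added example, not the plugin's own code: the function names, the in-memory array standing in for the token table, and the choice of HMAC-SHA256 are assumptions (the page only says "keyed hashes").

```php
<?php
// Added illustration, not the plugin's code. All names here are hypothetical.
// Assumption: HMAC-SHA256 keyed with a per-site salt.

/** Derive the value that is persisted instead of the raw token. */
function demo_token_hash(string $token, string $salt): string {
    return hash_hmac('sha256', $token, $salt);
}

/** Issue a token: the client receives the plaintext once, the store keeps only its hash. */
function demo_issue_token(array &$store, string $salt, int $userId, int $ttl, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $store[demo_token_hash($token, $salt)] = [
        'user_id' => $userId,
        'expires' => $now + $ttl,
    ];
    return $token;
}

/** Resolve a presented bearer token to a user id, or null if unknown or expired. */
function demo_verify_token(array $store, string $salt, string $presented, int $now): ?int {
    // Lookup is by the keyed hash, so the raw token is never compared or stored.
    $hash = demo_token_hash($presented, $salt);
    if (!isset($store[$hash])) {
        return null; // unknown token
    }
    if ($store[$hash]['expires'] <= $now) {
        return null; // expired token
    }
    return $store[$hash]['user_id'];
}

// Constructed sample data: a random salt (standing in for the options row)
// and an empty array (standing in for the token table).
$salt  = random_bytes(32);
$store = [];
$now   = 1700000000;
$token = demo_issue_token($store, $salt, 7, 3600, $now);

var_dump(demo_verify_token($store, $salt, $token, $now + 60));    // valid token
var_dump(demo_verify_token($store, $salt, $token, $now + 7200));  // same token after expiry
var_dump(demo_verify_token($store, $salt, $token . 'x', $now));   // token that was never issued
var_dump(array_key_exists($token, $store));                       // is the plaintext in the store?
```

With this layout a copy of the token table contains no value that can be presented as a bearer token.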

My server returns 401 even with a valid token.

Some Apache configurations strip the Authorization header before it reaches PHP. Add the following to your WordPress root .htaccess:

    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Why does the "Source" column show a namespace instead of a plugin name?

The Abilities API does not record which plugin registered a given ability. The namespace prefix (the part before the slash in the ability name) is the most reliable indicator of where an ability comes from.

Changelog:

1.1.1 1.1.0 1.0.0