Royal MCP -- WordPress 插件

开发者	royalpluginsteam
更新时间	2026年4月3日 11:46
捐献地址:	去捐款
PHP版本:	7.4 及以上
WordPress版本:	6.9
版权:	GPLv2 or later
版权网址:	版权信息

Royal MCP is a security-first Model Context Protocol (MCP) server for WordPress. It gives AI platforms like Claude, ChatGPT, and Google Gemini structured access to your WordPress content — with authentication, rate limiting, and audit logging that most MCP implementations skip entirely. According to recent security research, 41% of public MCP servers have no authentication and respond to tool calls without any credentials. Royal MCP takes the opposite approach: every MCP session requires an API key, every request is rate-limited, and every interaction is logged. Why Security Matters for MCP MCP gives AI agents the ability to read, create, update, and delete your WordPress content. Without proper authentication, anyone who discovers your MCP endpoint can:

Read all your posts, pages, and media
Create or delete content
Access user data and plugin information
Overwhelm your server with rapid-fire requests

Royal MCP prevents all of this with API key authentication on session initialization, timing-safe key comparison, per-IP rate limiting (60 requests/minute), and a full activity log of every MCP interaction. 37+ MCP Tools Built In WordPress Core (37 tools):

Posts — create, read, update, delete, search, count
Pages — full CRUD with parent page support
Media — library browsing, metadata, deletion
Comments — create (respects moderation settings), read, delete
Users — display names and roles (emails and usernames are not exposed)
Categories & Tags — create, assign, delete, count
Menus — list menus and menu items
Post Meta — read, update, delete custom fields
Site Info — site name, description, WordPress version, timezone
Plugins & Themes — list installed plugins and themes with active status
Search — full-text content search across post types
Options — read allowlisted safe options only

Plugin Integrations (Conditional) Royal MCP automatically detects compatible plugins and adds specialized MCP tools. No configuration needed — if the plugin is active, the tools appear. WooCommerce Integration (9 tools): When WooCommerce is active, AI agents can manage your store:

Browse and search products by category, status, or type
Create and update products with prices, SKUs, stock levels
View orders, order details, and update order status
List customers with order count and total spent
Get store statistics — revenue, order count, average order value by period

GuardPress Integration (7 tools): When GuardPress is active, AI agents can monitor your site security:

Get current security score and grade with factor breakdown
View security statistics — failed logins, blocked IPs, alerts
Run vulnerability scans and review results
List blocked IP addresses and failed login attempts
Browse the security audit log filtered by severity

SiteVault Integration (6 tools): When SiteVault is active, AI agents can manage your backups:

List available backups filtered by status or type
Trigger new backups (full, database, files, plugins, themes)
Check backup progress in real time
View backup statistics — total size, last backup, counts
List and review backup schedules

Works Alongside WordPress Core MCP WordPress is building MCP support into core via the Abilities API. Royal MCP complements this by providing security controls that the core implementation does not include — API key authentication, rate limiting, activity logging, and sensitive data filtering. When the Abilities API ships, Royal MCP will continue to provide the security layer, plugin integrations, and WooCommerce tools that core does not cover. Supported AI Platforms

Claude (Anthropic) — Full MCP support via Claude Desktop, Claude Code, and VS Code
OpenAI / ChatGPT — GPT-4o, GPT-4 Turbo, GPT-3.5 Turbo
Google Gemini — Gemini 1.5 Pro, 1.5 Flash
Groq — Llama 3.3, Mixtral, Gemma 2
Azure OpenAI — Azure-hosted OpenAI deployments
AWS Bedrock — Claude, Llama, Titan models
Ollama / LM Studio — Local self-hosted models (no external data transmission)
Custom MCP Servers — Connect to any MCP-compatible endpoint

MCP Spec Compliance Royal MCP implements the MCP 2025-03-26 Streamable HTTP transport specification:

Single /mcp endpoint for all JSON-RPC communication
POST for client messages, GET for server-sent events, DELETE for session termination
Cryptographically secure session IDs with transient-based storage
Origin header validation to prevent DNS rebinding attacks
Proper CORS handling for browser-based MCP clients

1.4.0

New: OAuth 2.0 authorization server — Claude Desktop's "Add Connector" flow now works natively
New: Dynamic Client Registration (RFC 7591) for seamless MCP client onboarding
New: PKCE-secured authorization code flow per MCP spec (2025-03-26)
New: Token refresh with automatic rotation for long-lived sessions
New: WordPress login integration — consent screen after authentication
New: Metadata discovery endpoint at /.well-known/oauth-authorization-server
New: Daily cleanup of expired OAuth tokens via scheduled event
Improved: MCP endpoint now accepts both Bearer tokens and API key authentication
Improved: CORS headers include Authorization for OAuth-based clients
Security: Access tokens stored as SHA-256 hashes (never stored in plain text)
Security: Authorization codes are single-use with 10-minute expiry
Security: PKCE (S256) required for all authorization requests
Security: Redirect URI validation enforces localhost or HTTPS only

1.3.0

New: WooCommerce integration — 9 MCP tools for products, orders, customers, and store stats (auto-detected)
New: GuardPress integration — 7 MCP tools for security score, scans, firewall logs, and audit trail (auto-detected)
New: SiteVault integration — 6 MCP tools for backup management, scheduling, and progress tracking (auto-detected)
Security: MCP endpoint now requires API key authentication via X-Royal-MCP-API-Key header
Security: Added rate limiting (60 requests/minute per IP) to prevent abuse and accidental DoS
Security: API key comparison uses timing-safe hash_equals() to prevent timing attacks
Security: Sanitized wp_update_post_meta values before storage
Security: Comments created via MCP now respect WordPress moderation settings
Security: Removed admin_email and php_version from wp_get_site_info response
Security: Removed user_login and user_email from wp_get_users/wp_get_user responses
Improved: CORS headers include X-Royal-MCP-API-Key for cross-origin MCP clients

1.2.3

Security: Added SSRF protection — validates all outbound URLs against private/reserved IP ranges
Fixed: Text domain changed from 'wp-royal-mcp' to 'royal-mcp' to match plugin slug
Fixed: Menu slugs updated for WP.org compliance
Improved: REST API permission callbacks include explanatory comments for reviewers
Compatibility: Tested up to WordPress 6.9

1.2.2

Added: Documentation link on Plugins page (Settings | Documentation)
Added: Documentation banner on settings page

1.2.1

Fixed: Claude Connector setup guide link displaying raw HTML

1.2.0

Security: Origin header validation to prevent DNS rebinding attacks
Security: Session ID format validation (ASCII visible characters only)
Improved: MCP 2025-03-26 Streamable HTTP spec compliance
Added: Filter hook royal_mcp_allowed_origins for custom origin allowlist

1.1.0

Added multi-platform AI support (Claude, OpenAI, Gemini, Groq, Azure, Bedrock)
Added Claude Desktop MCP connector
Added activity logging
Added connection testing

1.0.0

Initial release

Royal MCP

标签

下载

详情介绍:

安装:

屏幕截图:

升级注意事项:

常见问题:

更新日志: