
Royal MCP – Secure AI Connector for Claude, ChatGPT & Gemini

Developer: royalpluginsteam
Updated: May 14, 2026 13:25
Donate link: Donate
PHP version: 7.4 or higher
WordPress version: 7.0
License: GPLv2 or later
License URI: License information

Tags

ai chatgpt claude mcp mcp-server

Download

1.4.14 1.4.15 1.4.4 1.4.5 1.4.7 1.2.3 1.4.0 1.4.6 1.2.2 1.3.0 1.4.8 1.4.1 1.4.16 1.4.10 1.4.11 1.4.9 1.4.12 1.4.13

Description:

https://youtu.be/8Wbr0ReLpok

Royal MCP is a security-first Model Context Protocol (MCP) server for WordPress. It gives AI platforms like Claude, ChatGPT, and Google Gemini structured access to your WordPress content — with authentication, rate limiting, and audit logging that most MCP implementations skip entirely.

According to recent security research, 41% of public MCP servers have no authentication and respond to tool calls without any credentials. Royal MCP takes the opposite approach: every MCP session requires an API key, every request is rate-limited, and every interaction is logged.

Why Security Matters for MCP

MCP gives AI agents the ability to read, create, update, and delete your WordPress content. Without proper authentication, anyone who discovers your MCP endpoint can:

Royal MCP prevents all of this with API key authentication on session initialization, timing-safe key comparison, per-IP rate limiting (60 requests/minute), and a full activity log of every MCP interaction.

67 Core Tools + 49 Integration Tools

WordPress Core (67 tools):

Plugin Integrations (Conditional)

Royal MCP automatically detects compatible plugins and adds specialized MCP tools. No configuration needed — if the plugin is active, the tools appear.

WooCommerce Integration (26 tools): When WooCommerce is active, AI agents can manage your store end-to-end:

GuardPress Integration (7 tools): When GuardPress is active, AI agents can monitor your site security:

SiteVault Integration (6 tools): When SiteVault is active, AI agents can manage your backups:

ForgeCache Integration (3 tools): When ForgeCache is active, AI agents can manage your page cache:

Royal Ledger Integration (4 tools): When Royal Ledger is active, AI agents can review your software costs and license data:

Royal Links Integration (3 tools): When Royal Links is active, AI agents can manage your branded short links:

Royal MCP and the WordPress Core Abilities API

WordPress 6.9 shipped the Abilities API in November 2025 — a primitive that lets plugins register typed capabilities AI agents can call. Core ships three default abilities (site info, user info, environment info) and the wordpress/mcp-adapter package bridges abilities to the MCP protocol.

Royal MCP is a complete, production-ready MCP server that predates the official adapter. It runs the full Streamable HTTP transport, enforces API key authentication on every request, ships OAuth 2.0 for Claude Desktop's native connector flow, rate-limits per-IP, redacts sensitive data, and logs every interaction. Out of the box it includes 67 tools for WordPress core operations plus 49 integration tools that auto-load when WooCommerce, GuardPress, SiteVault, ForgeCache, Royal Ledger, or Royal Links is active.

Supported AI Platforms

Compatible Clients & Frameworks

Royal MCP works with any MCP-compliant client, IDE, or AI agent framework — no per-tool configuration required:

MCP Spec Compliance

Royal MCP implements the MCP 2025-11-25 Streamable HTTP transport specification:

Installation:

  1. Upload the royal-mcp folder to /wp-content/plugins/
  2. Activate the plugin through the 'Plugins' menu in WordPress
  3. Go to Royal MCP → Settings to configure
  4. Copy your API key — you will need this to authenticate MCP connections
  5. Add your AI platform(s) and enter their API keys
  6. In your AI client (Claude Desktop, VS Code, etc.), configure the MCP server URL and API key
Full setup guides for each platform are available at royalplugins.com/support/royal-mcp/.

Screenshots:

  • AI platform configuration with connection testing
  • Activity log showing authenticated MCP requests
  • Claude Desktop MCP connector setup
  • WooCommerce product management via Claude
  • OAuth consent screen for Claude Desktop connector

Upgrade notice:

1.4.16
Recommended update: OAuth /token, /register, and /authorize failures now write to Royal MCP > Activity Logs with the exact error code, description, and HTTP status. Pre-1.4.16 these exited silently and required wp-config debug constants to diagnose. No breaking changes.

1.4.15
Critical update: four customer-affecting bugs fixed. (1) API key Regenerate button being silently overridden — clicking did nothing pre-1.4.15. (2) New keys switched to lowercase hex to eliminate uppercase/lowercase character ambiguity in monospace admin fonts. (3) Fixed 1-hour MCP session TTL replaced with sliding 24-hour window so active Claude Desktop sessions stop dying mid-day. (4) MCP endpoint responses (including unauth 401s) now send Cache-Control: no-store — pre-1.4.15 these were missing the header that 1.4.13 added to OAuth endpoints, leaving the MCP endpoint vulnerable to the same edge-cache poisoning. Existing keys keep working.

1.4.14
Recommended update: fixes Claude.ai web connector / ChatGPT MCP connector failing with "Couldn't reach the MCP server" — unauthenticated GET to the MCP endpoint now returns 401 + WWW-Authenticate so OAuth discovery (RFC 9728) starts correctly. Also adds an admin notice that detects when your host blocks /.well-known/oauth-authorization-server (SiteGround / o2switch / Hostinger nginx intercept) and links to the manual fix. Authenticated GET still returns 405 — Claude Desktop / mcp-remote unaffected. No breaking changes.

1.4.13
Recommended update: fixes OAuth endpoint cache poisoning that broke the Claude.ai web connector on hosts with aggressive edge caches. Adds 17 new WooCommerce tools — variable product and attribute management plus full coupon CRUD. No breaking changes.

1.4.12
Recommended update: fixes Claude Desktop tool-list silent failure after recent Claude Desktop updates, and an mcp-remote reconnection loop that could drop the MCP session. Also adds slug alias on wp_get_taxonomies and a structured response on wp_get_term_meta. No breaking changes.

1.4.11
Adds wp_update_term, wp_get/update/delete_term_meta, and wp_get_taxonomies tools — covering tag/category renaming and SEO-plugin term meta (Yoast, Rank Math, AIOSEO). Existing term tools now accept any taxonomy. wp_create_post and wp_update_post accept a post_author user ID. No breaking changes.

1.4.10
Adds 16 new MCP tools: Royal Ledger, ForgeCache, and Royal Links ecosystem integrations (auto-load when each host plugin is active), SEO meta (Yoast or Rank Math auto-routed), permalink structure read/update, and post revision history + restore. No breaking changes.

1.4.9
Adds 13 new MCP tools across three groups: theme appearance (5), menu item CRUD (4), and comment moderation (4). Theme writes are gated by a new admin toggle plus an opt-in allowlist filter, mirroring the 1.4.7 wp_update_option safety pattern. No breaking changes.

1.4.8
Fixes a setup failure that hit users who updated from a pre-1.4.0 build: the Claude custom connector flow returned "Unknown client_id" because the OAuth tables were never created on update. Recommended for anyone who has not been able to add Royal MCP as a Claude connector.

1.4.7
New: AI assistants can now read plugin settings (sensitive keys redacted) and write to allowlisted WordPress options when enabled. New "Allow AI to write WordPress options" toggle is OFF by default; turn it on under Royal MCP > Settings to opt in.

1.3.0
Major security and feature update. MCP endpoint now requires API key authentication. Added WooCommerce, GuardPress, and SiteVault integrations (22 new tools). Rate limiting added. Recommended update for all users.

1.2.3
Security: SSRF protection for outbound requests. WordPress.org compliance fixes.

1.2.0
Security hardening and MCP spec compliance improvements. Recommended update for all users.
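
A check an operator can run after updating, based on the 1.4.14 and 1.4.15 notes: it audits the response to an unauthenticated GET on the MCP endpoint. This is an added example, not Royal MCP's own code; the function name and the sample responses are constructed, and the resource_metadata parameter is assumed from RFC 9728 rather than stated on this page.

```php
<?php
// Added illustration, not Royal MCP's code. Audits the response to an
// unauthenticated GET on the MCP endpoint against the 1.4.14/1.4.15 notes.
// Assumption: the challenge carries RFC 9728's resource_metadata parameter.

function audit_unauth_response(int $status, array $headers): array
{
    // Header names are case-insensitive; normalise before lookup.
    $h = array_change_key_case($headers, CASE_LOWER);
    $findings = [];

    if ($status !== 401) {
        $findings[] = "expected 401 for unauthenticated GET, got $status";
    }
    $challenge = $h['www-authenticate'] ?? '';
    if ($challenge === '') {
        $findings[] = 'missing WWW-Authenticate: OAuth discovery cannot start';
    } elseif (!preg_match('/resource_metadata="https:\/\/[^"]+"/i', $challenge)) {
        $findings[] = 'WWW-Authenticate has no https resource_metadata URL';
    }
    // Split Cache-Control into directives so "no-store" must be a whole token.
    $directives = array_map('trim', explode(',', strtolower($h['cache-control'] ?? '')));
    if (!in_array('no-store', $directives, true)) {
        $findings[] = 'Cache-Control lacks no-store: an edge cache may store this response';
    }
    return $findings;
}

// Constructed sample responses (not captured from a real site).
$samples = [
    'patched' => [401, [
        'WWW-Authenticate' => 'Bearer resource_metadata="https://yoursite.com/.well-known/oauth-protected-resource"',
        'Cache-Control'    => 'no-store',
    ]],
    'cacheable 401' => [401, [
        'www-authenticate' => 'Bearer resource_metadata="https://yoursite.com/.well-known/oauth-protected-resource"',
        'cache-control'    => 'public, max-age=3600',
    ]],
    'no challenge' => [405, ['Content-Type' => 'application/json']],
];
foreach ($samples as $label => [$status, $headers]) {
    $findings = audit_unauth_response($status, $headers);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'ok', "\n";
}
```

On a host with an edge cache, run the same audit against the response as seen from outside the cache, since the origin and the edge can return different headers.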

FAQ:

What is MCP and why does my WordPress site need it?

Model Context Protocol (MCP) is an open standard created by Anthropic that lets AI assistants interact with external data sources. Without MCP, AI tools like Claude or ChatGPT can only work with content you copy and paste into them. With Royal MCP installed, these AI platforms can directly read your WordPress posts, create new content, manage your WooCommerce products, check your security status, and trigger backups — all through a structured, authenticated protocol.

How is Royal MCP different from other WordPress MCP plugins?

Security. Most MCP plugins — and 41% of all public MCP servers — have no authentication at all. Royal MCP requires an API key for every session, rate-limits requests to prevent abuse, logs every interaction for audit purposes, and filters sensitive data (emails, PHP version, admin credentials) from responses. We built this plugin with the same security standards we apply to GuardPress, our WordPress security plugin used on thousands of sites.

Does Royal MCP duplicate what WordPress core now does?

No. WordPress 6.9 added the Abilities API — a primitive for registering AI-callable functions — and the wordpress/mcp-adapter package bridges abilities to the MCP protocol. Royal MCP is a full MCP server with the security layer, connector flows, and plugin integrations that the bare primitive does not include: enforced API key auth, OAuth 2.0 for Claude Desktop, per-IP rate limiting, audit logging, sensitive-data redaction, 67 ready-to-use WordPress core tools, and 49 integration tools that auto-load for WooCommerce, GuardPress, SiteVault, ForgeCache, Royal Ledger, and Royal Links.

Does Royal MCP work with WooCommerce?

Yes. When WooCommerce is active, Royal MCP automatically adds 26 MCP tools spanning product management (simple and variable, including variation CRUD and global attribute management), full coupon management (list/get/create/update/delete + bulk trash purge), order management (view, update status), customer data, and store statistics. No additional configuration is needed — the tools appear automatically in the MCP tools list.

Can AI assistants configure my plugins for me?

Yes, with safety controls. Royal MCP exposes two tools for plugin configuration:

  • wp_get_plugin_settings lets AI read any plugin's stored settings by slug. Sensitive values (API keys, secrets, tokens, passwords, license keys, OAuth credentials) are automatically replaced with [REDACTED] before they leave your server, so AI assistants can understand a plugin's configuration without ever seeing stored credentials.
  • wp_update_option lets AI write to WordPress options, but only after passing three security gates:
      • The site admin must enable the "Allow AI to write WordPress options" toggle on the Royal MCP settings page (off by default)
      • The option name must be in a runtime allowlist. The default allowlist is intentionally tiny — blogname, blogdescription, posts_per_page, date_format, time_format. Plugin authors opt their own settings in via the royal_mcp_writable_options filter.
      • A hard denylist permanently blocks writes to sensitive option names (siteurl, home, license keys, secrets, salts, etc.) regardless of the allowlist or the toggle.
Plugin authors can opt in their settings with one line: add_filter('royal_mcp_writable_options', fn($opts) => array_merge($opts, ['my_plugin_settings']));
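
The three gates above, modelled as a standalone PHP function to show that an allowlist entry added through the filter cannot override the denylist. This is an added example, not Royal MCP's own code; the function name, the denylist patterns and the my_plugin_license_key option are assumptions made for illustration.

```php
<?php
// Added illustration: models the three gates described above. Not Royal MCP's code.
// The denylist below is constructed from the names the page lists
// (siteurl, home, license keys, secrets, salts); the plugin's real list may differ.

const DEFAULT_ALLOWLIST = ['blogname', 'blogdescription', 'posts_per_page', 'date_format', 'time_format'];
const HARD_DENY_EXACT   = ['siteurl', 'home'];
const HARD_DENY_PATTERN = '/(license|secret|salt)/i';

/**
 * Decide whether an option write may proceed.
 * Returns [bool $allowed, string $reason].
 */
function option_write_decision(string $name, bool $toggleEnabled, array $allowlist): array
{
    // The denylist is checked first in this model so no later gate can override it.
    if (in_array($name, HARD_DENY_EXACT, true) || preg_match(HARD_DENY_PATTERN, $name)) {
        return [false, 'hard denylist'];
    }
    if (!$toggleEnabled) {
        return [false, 'admin toggle is off'];
    }
    if (!in_array($name, $allowlist, true)) {
        return [false, 'not in allowlist'];
    }
    return [true, 'ok'];
}

// A filter callback that opts in one safe option and, by mistake, a secret-bearing one.
$filter    = fn(array $opts) => array_merge($opts, ['my_plugin_settings', 'my_plugin_license_key']);
$allowlist = $filter(DEFAULT_ALLOWLIST);

$cases = [
    ['blogname', false],              // allowlisted, but the toggle is off
    ['blogname', true],
    ['my_plugin_settings', true],     // opted in through the filter
    ['my_plugin_license_key', true],  // opted in, still blocked by the denylist
    ['siteurl', true],
    ['active_plugins', true],         // never allowlisted
];
foreach ($cases as [$name, $toggle]) {
    [$ok, $why] = option_write_decision($name, $toggle, $allowlist);
    printf("%-24s toggle=%-3s => %s (%s)\n", $name, $toggle ? 'on' : 'off', $ok ? 'ALLOW' : 'DENY', $why);
}
```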

How do I connect Claude Desktop to WordPress?

Install Royal MCP, go to Royal MCP → Settings, and copy your API key and MCP server URL. In Claude Desktop, add a new MCP server configuration with the URL and include the X-Royal-MCP-API-Key header with your API key. Full step-by-step guide at royalplugins.com/support/royal-mcp/.

Is my content safe?

Royal MCP is designed with defense in depth. API key authentication is required for all MCP sessions. Rate limiting prevents abuse (60 requests per minute per IP). Activity logging records every tool call. Sensitive data is filtered — user emails, usernames, admin email, PHP version, and stored credentials inside plugin settings (api keys, secrets, tokens, passwords) are never exposed through MCP. Comment creation respects your WordPress moderation settings. Post meta values are sanitized before storage. Option writes are disabled by default and gated by three independent checks (admin toggle, allowlist, hard denylist) when enabled. The plugin itself starts disabled by default — nothing is accessible until you explicitly enable it.

Can I use local AI models instead of cloud services?

Yes. Royal MCP supports Ollama and LM Studio for fully local AI inference. When using local models, no data leaves your server — the AI model runs on your own hardware and communicates with WordPress through the MCP protocol on localhost.

What happens if I uninstall Royal MCP?

Royal MCP performs a clean uninstall. All plugin options, database tables (activity logs), transients, and user meta are removed. No orphaned data is left behind.

Does Royal MCP work with Claude Code, VS Code, Cursor, Windsurf, or other AI IDEs?

Yes. Any MCP-compliant client can connect to Royal MCP. Configure your IDE or client with the MCP server URL (https://yoursite.com/wp-json/royal-mcp/v1/mcp) and the API key (sent in the X-Royal-MCP-API-Key header). Claude Desktop additionally supports the native "Add Connector" OAuth 2.0 flow, which Royal MCP handles via Dynamic Client Registration (RFC 7591) — no manual API key management required on that path. The same OAuth flow works in any client that follows the MCP 2025-11-25 spec.

Does Royal MCP work with custom fields, ACF, MetaBox, JetEngine, Pods, or CPT UI?

Yes. Royal MCP exposes WordPress's standard wp_get_post_meta, wp_update_post_meta, and wp_delete_post_meta tools, which read and write any custom field — including Advanced Custom Fields (ACF), MetaBox, JetEngine, Pods, CPT UI, and Custom Field Suite. AI agents can populate ACF fields, set repeater rows, update flexible content blocks, and read computed fields just like a human editor working in the WordPress admin.

Will Royal MCP slow down my WordPress site?

No. The MCP endpoint is a REST route that runs only when an authenticated AI client makes a request — it does not run on visitor-facing pages, frontend templates, or admin screens (except its own settings page). The activity log uses a single indexed database table and writes asynchronously after the response is sent. Rate limiting (60 requests/minute per IP) prevents accidental overload.

Does Royal MCP work on WordPress multisite networks?

Yes, on a per-site basis. Each site in a multisite network has its own API key, its own activity log, and its own settings. AI clients connect to a specific site's MCP endpoint — Royal MCP does not bridge requests between sites in the network.

Can I limit which posts, pages, or post types AI can access?

Yes. The wp_get_posts and wp_create_post tools accept a post_type parameter and validate it against registered public post types, so private or internal post types are not exposed. Plugin authors can disable specific tools entirely with the royal_mcp_disabled_tools filter, or scope the option-write allowlist with royal_mcp_writable_options. WordPress's standard capability checks also apply to every tool call.

Does Royal MCP work with WPML, Polylang, or TranslatePress for multilingual content?

Yes. Translated posts appear as separate WordPress posts (each with its own ID and language meta) and are readable or writable via the standard wp_get_posts, wp_create_post, and wp_update_post tools. AI agents can list posts in a specific language by filtering on the language meta key, or translate a post and write the corresponding translation by ID.

How do I monitor what AI is doing on my site?

Every authenticated MCP request is logged to the Royal MCP activity log with timestamp, client IP, tool name, parameters (sensitive values redacted), and response status. The log is filterable by time range, client, tool, or status code, and exportable to CSV. The log page refreshes via AJAX so you can watch active sessions in real time.

Changelog:

1.4.16 1.4.15 1.4.14 1.4.13 1.4.12 1.4.11 1.4.10 1.4.9 1.4.8 1.4.7 1.4.6 1.4.5 1.4.4 1.4.3 1.4.2 1.4.1 1.4.0 1.3.0 1.2.3 1.2.2 1.2.1 1.2.0 1.1.0 1.0.0