Secure MCP server for WordPress content management
Project description
MCP WordPress CrunchTools
A secure MCP (Model Context Protocol) server for WordPress content management. Designed for developers publishing about their work.
Overview
This MCP server is designed to be:
- Secure by default - Comprehensive input validation, credential protection, and SSRF prevention
- No third-party services - Runs locally via stdio, your credentials never leave your machine
- Cross-platform - Works on Linux, macOS, and Windows
- Automatically updated - GitHub Actions monitor for CVEs and update dependencies
- Containerized - Available at
quay.io/crunchtools/mcp-wordpress
Naming Convention
| Component | Name |
|---|---|
| GitHub repo | crunchtools/mcp-wordpress |
| Container | quay.io/crunchtools/mcp-wordpress |
| Python package (PyPI) | mcp-wordpress-crunchtools |
| CLI command | mcp-wordpress-crunchtools |
| Module import | mcp_wordpress_crunchtools |
Features
- 30 Tools for posts, pages, media, and comments
- Security-focused: Credentials protected, input validation, SSRF prevention
- Developer workflow: Scheduled publishing, revisions, search
- Easy integration: Works with Claude Code and other MCP clients
Installation
With uvx (recommended)
uvx mcp-wordpress-crunchtools
With pip
pip install mcp-wordpress-crunchtools
mcp-wordpress-crunchtools
With Container
# Create a shared upload directory (required before first run)
mkdir -p ~/.local/share/mcp-uploads-downloads
podman run -v ~/.local/share/mcp-uploads-downloads:/tmp/mcp-uploads:z \
-e WORDPRESS_URL=https://example.com \
-e WORDPRESS_USERNAME=admin \
-e WORDPRESS_APP_PASSWORD='xxxx xxxx xxxx xxxx' \
quay.io/crunchtools/mcp-wordpress
SELinux note: Use
:z(lowercase, shared) instead of:Z(uppercase, private). MCP servers run as long-lived stdio processes. With:Z, files copied into the directory after container start won't have the container's private MCS label and will be invisible inside the container. The:zflag sets a sharedcontainer_file_tcontext that all containers and the host can read/write.Tip: Use the same shared directory (
~/.local/share/mcp-uploads-downloads/) across multiple MCP container servers (e.g., mcp-wordpress and mcp-gemini) so generated files are immediately available for upload without copying.
From source
git clone https://github.com/crunchtools/mcp-wordpress.git
cd mcp-wordpress
uv sync --all-extras
uv run mcp-wordpress-crunchtools
Configuration
Set these environment variables:
| Variable | Description | Example |
|---|---|---|
WORDPRESS_URL |
WordPress site URL | https://example.com |
WORDPRESS_USERNAME |
WordPress username | admin |
WORDPRESS_APP_PASSWORD |
Application password | xxxx xxxx xxxx xxxx |
MCP_UPLOAD_DIR |
Upload directory inside container (optional) | /tmp/mcp-uploads (default) |
Creating an Application Password
- Log in to WordPress admin
- Go to Users → Profile
- Scroll to Application Passwords
- Enter a name (e.g., "MCP Server") and click Add New
- Copy the generated password (shown once)
Usage with Claude Code
Using uvx (recommended)
claude mcp add mcp-wordpress-crunchtools \
--env WORDPRESS_URL=https://example.com \
--env WORDPRESS_USERNAME=admin \
--env WORDPRESS_APP_PASSWORD="xxxx xxxx xxxx xxxx" \
-- uvx mcp-wordpress-crunchtools
Using pip
pip install mcp-wordpress-crunchtools
claude mcp add mcp-wordpress-crunchtools \
--env WORDPRESS_URL=https://example.com \
--env WORDPRESS_USERNAME=admin \
--env WORDPRESS_APP_PASSWORD="xxxx xxxx xxxx xxxx" \
-- mcp-wordpress-crunchtools
Using Container
# Create a shared upload directory (required before first run)
mkdir -p ~/.local/share/mcp-uploads-downloads
claude mcp add mcp-wordpress-crunchtools \
--env WORDPRESS_URL=https://example.com \
--env WORDPRESS_USERNAME=admin \
--env WORDPRESS_APP_PASSWORD="xxxx xxxx xxxx xxxx" \
-- podman run -i --rm \
-v ~/.local/share/mcp-uploads-downloads:/tmp/mcp-uploads:z \
-e WORDPRESS_URL \
-e WORDPRESS_USERNAME \
-e WORDPRESS_APP_PASSWORD \
quay.io/crunchtools/mcp-wordpress
Available Tools
Site Tools
| Tool | Description |
|---|---|
wordpress_get_site_info |
Get site title, description, URL, timezone |
wordpress_test_connection |
Verify API credentials work |
Post Tools
| Tool | Description |
|---|---|
wordpress_list_posts |
List posts with filtering (status, category, search) |
wordpress_get_post |
Get single post by ID with full content |
wordpress_search_posts |
Search posts by keyword |
wordpress_create_post |
Create new post (supports scheduling) |
wordpress_update_post |
Update existing post |
wordpress_delete_post |
Delete/trash a post |
wordpress_list_revisions |
List revisions for a post |
wordpress_get_revision |
Get specific revision content |
wordpress_list_categories |
List available categories |
wordpress_list_tags |
List available tags |
Page Tools
| Tool | Description |
|---|---|
wordpress_list_pages |
List pages with filtering |
wordpress_get_page |
Get single page by ID |
wordpress_create_page |
Create new page |
wordpress_update_page |
Update existing page |
wordpress_delete_page |
Delete/trash a page |
wordpress_list_page_revisions |
List page revisions |
Media Tools
| Tool | Description |
|---|---|
wordpress_list_media |
List media items |
wordpress_get_media |
Get media item details |
wordpress_upload_media |
Upload file from local path |
wordpress_update_media |
Update media metadata |
wordpress_delete_media |
Delete media item |
wordpress_get_media_url |
Get public URL for media |
Comment Tools
| Tool | Description |
|---|---|
wordpress_list_comments |
List comments with filtering |
wordpress_get_comment |
Get single comment |
wordpress_create_comment |
Add a comment to a post |
wordpress_update_comment |
Update comment content/status |
wordpress_delete_comment |
Delete a comment |
wordpress_moderate_comment |
Approve, hold, spam, or trash |
Examples
Create a Draft Post
Create a new WordPress post titled "My Technical Article" with the content below. Keep it as a draft.
Schedule a Post
Update post ID 123 to publish on December 25, 2024 at 10:00 AM.
Upload an Image
Upload this image to WordPress and set the alt text to "Architecture diagram".
Find and Moderate Comments
List all comments in "hold" status and approve the legitimate ones.
Security
- Credential Protection: All credentials stored as
SecretStr, never logged - SSRF Prevention: REST API path hardcoded, cannot be overridden
- Input Validation: All inputs validated via Pydantic models
- Rate Limiting: Handles WordPress rate limits gracefully
- TLS Enforcement: All requests use HTTPS with certificate validation
- Size Limits: Response size limited to 10MB to prevent memory issues
- Timeout: All requests timeout after 30 seconds
Development
# Install dev dependencies
uv sync --all-extras
# Run tests
uv run pytest
# Run linting
uv run ruff check src tests
# Run type checking
uv run mypy src
# Format code
uv run ruff format src tests
License
AGPL-3.0-or-later
Credits
Built by crunchtools.com
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcp_wordpress_crunchtools-0.5.0.tar.gz.
File metadata
- Download URL: mcp_wordpress_crunchtools-0.5.0.tar.gz
- Upload date:
- Size: 154.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
72a40144e739a4e294248e76918ed9835b46d3fdfced68ee2ae8a034319b474f
|
|
| MD5 |
d2a78526cfb66c435ba35644ca2571ba
|
|
| BLAKE2b-256 |
1e0a2608ad70db71bb9b18bd78f8b43753ccebd7cea15820b8045faf059ed229
|
Provenance
The following attestation bundles were made for mcp_wordpress_crunchtools-0.5.0.tar.gz:
Publisher:
publish.yml on crunchtools/mcp-wordpress
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
mcp_wordpress_crunchtools-0.5.0.tar.gz -
Subject digest:
72a40144e739a4e294248e76918ed9835b46d3fdfced68ee2ae8a034319b474f - Sigstore transparency entry: 1017774515
- Sigstore integration time:
-
Permalink:
crunchtools/mcp-wordpress@db651581fe7d1ad00a6fbc6a58f0b04a5716000d -
Branch / Tag:
refs/tags/v0.5.0 - Owner: https://github.com/crunchtools
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@db651581fe7d1ad00a6fbc6a58f0b04a5716000d -
Trigger Event:
release
-
Statement type:
File details
Details for the file mcp_wordpress_crunchtools-0.5.0-py3-none-any.whl.
File metadata
- Download URL: mcp_wordpress_crunchtools-0.5.0-py3-none-any.whl
- Upload date:
- Size: 39.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7fa720c0bd95db87ece6bcf4fff54c85f4529628ebbffad9f25210c91d3dd302
|
|
| MD5 |
c4c55f06c37dbd9112aa29070df655c1
|
|
| BLAKE2b-256 |
1165b29e3cdd14044ae119aa21bef6732543fba3a284216b58a12df2492dae8d
|
Provenance
The following attestation bundles were made for mcp_wordpress_crunchtools-0.5.0-py3-none-any.whl:
Publisher:
publish.yml on crunchtools/mcp-wordpress
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
mcp_wordpress_crunchtools-0.5.0-py3-none-any.whl -
Subject digest:
7fa720c0bd95db87ece6bcf4fff54c85f4529628ebbffad9f25210c91d3dd302 - Sigstore transparency entry: 1017774538
- Sigstore integration time:
-
Permalink:
crunchtools/mcp-wordpress@db651581fe7d1ad00a6fbc6a58f0b04a5716000d -
Branch / Tag:
refs/tags/v0.5.0 - Owner: https://github.com/crunchtools
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@db651581fe7d1ad00a6fbc6a58f0b04a5716000d -
Trigger Event:
release
-
Statement type:
