=== MCP Content Manager Lite ===
Contributors: j.conti
Tags: mcp, ai, claude, chatgpt, woocommerce
Requires at least: 6.9
Tested up to: 6.9
Requires PHP: 8.3
Stable tag: 1.1.0
License: GPL-2.0-or-later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Manage WordPress from Claude, ChatGPT, Copilot or any MCP client. 60+ abilities, OAuth 2.1, allowlists, activity log, multilingual and SEO read.

== Description ==

**MCP Content Manager Lite** turns your WordPress site into a first-class Model Context Protocol (MCP) server so AI assistants like Claude, ChatGPT, GitHub Copilot, Cursor, Windsurf, Continue, JetBrains AI Assistant or Cowork can manage your content using natural language.

It is **not** a wrapper around the REST API. The plugin **auto-discovers** every CPT, taxonomy, ACF group, custom field and registered meta on your site and exposes them as MCP abilities, so your AI client instantly understands the structure of your specific install — without configuration files, without code, without YAML.

= Why MCP Content Manager Lite over other MCP plugins =

Most WordPress MCP plugins ship 10–20 hardcoded tools that wrap a fixed list of REST endpoints. MCP Content Manager Lite ships **60+ abilities** out of the box, plus a long list of trust, onboarding and observability features that the rest of the ecosystem still treats as paid extras:

* **Auto-discovery, not hardcoded tools.** Your AI client sees your real schema — CPTs from CPT UI, ACF, JetEngine, Pods, Toolset; taxonomies; statuses; shortcodes; permalink structure — generated dynamically from `WP_Post_Type::get_taxonomies()` and `register_meta()`. Other plugins force you to maintain a YAML/JSON file. This one updates itself.
* **OAuth 2.1 with PKCE built in.** No application passwords. No long-lived bearer tokens floating around. The plugin runs its own OAuth 2.1 server with Dynamic Client Registration so Claude Desktop, ChatGPT, Cursor and Copilot connect with one click and revoke just as easily.
* **Granular per-client allowlists.** Each OAuth client has its own `allowed_abilities` list. Give Claude full read/write, give a webhook integration only `read-post` and `list-recent-posts`. Most MCP plugins are all-or-nothing. Editable visually from the Authentication tab.
* **AI image generation with Google Gemini.** Connect your Gemini API key in Settings and ask the AI to generate up to three images per call, save them to the Media Library, attach them to a post or set one as the featured image. Imagen API, multiple aspect ratios, 2K/4K and image editing remain Premium.
* **Rate limiting per client_id.** Hourly (1000) and daily (10000) caps, both filterable, prevent a runaway agent from blowing through your hosting plan.
* **Activity Log of every MCP call.** Date, client_id, ability slug, status, duration in ms, error code and IP — kept for 30 days with a daily cron purge. Audit what your AI did and when.
* **MCP annotations on every ability** (`readOnlyHint`, `destructiveHint`, `idempotentHint`, `openWorldHint`) so well-behaved clients can warn before destructive calls and parallelize safe ones.
* **Get Started wizard** — environment check, OAuth client creation, AI client picker and a live connection test, all in the first admin tab.
* **Connect tab with config exporter** for Claude Desktop, ChatGPT, Cursor, Windsurf, Continue, JetBrains AI Assistant and a curl debug snippet — copy/paste ready.
* **Public /health endpoint** at `/wp-json/mcpcomal/v1/health` (unauthenticated) for UptimeRobot, BetterStack, Pingdom or any monitoring tool.
* **Universal SEO read** with adapters for Yoast, Rank Math, AIOSEO, The SEO Framework, SureRank, SEOPress, Slim SEO and Squirrly. One ability, eight plugins.
* **Universal multilingual read** with adapters for Polylang, WPML and TranslatePress. List languages, translations and string translations from any of them.
* **WooCommerce read-only** when WooCommerce is active — store info, products, recent orders (with email/name redaction by default) and coupons.
* **Spanish translation bundled** — `mcp-content-manager-lite-es_ES.po/.mo` ship with the plugin.
* **Coexistence with Premium.** If you later install the Premium version, Lite yields automatically and shows a friendly notice. No fatal errors, no class conflicts.

No code. No configuration. Install, activate, run the wizard, paste the URL into your MCP client.

= Everything Included in Lite (60+ abilities) =

**Auto-discovery and schema introspection**

* Discover every CPT, taxonomy, ACF group, JetEngine field and registered meta automatically.
* `list-post-types` — every public and private post type with labels and capabilities.
* `list-taxonomies` — every taxonomy with hierarchy and associated post types.
* `list-post-statuses` — built-in and custom post statuses.
* `list-shortcodes` — every shortcode registered on the site.
* `get-permalink-structure` — current permalink rules.
* `list-blocks-registered` — every block type registered server-side.
* `list-block-patterns` — every block pattern available.
* `list-fse-templates` — FSE templates and template parts (metadata).

**Universal content CRUD**

* Create, read, update, search and delete posts, pages and any custom post type.
* Full Gutenberg block markup support with built-in block reference so the AI generates clean blocks.
* Search with filters by status, author, date range, taxonomy, meta and more.
* Custom fields and ACF fields read/write.
* Featured image assignment from URL or Media Library.
* Bulk-friendly endpoints designed for agentic workflows.

**Site stats and content shortcuts**

* `get-site-stats` — post, comment and user counts with breakdown by status and role.
* `get-media-stats` — mime breakdown and total bytes on disk.
* `list-recent-posts`, `list-pending-comments`, `list-scheduled-posts`, `list-trashed-posts`, `list-post-revisions`.

**Taxonomies**

* List, create, update and delete terms in any taxonomy with full hierarchy support.

**Comments**

* List, read, create, reply, approve, mark as spam, send to trash and delete.
* Bulk moderation friendly.

**Media library**

* List attachments with mime/size filtering.
* Upload from local files or remote URL.
* Set featured image, attach media to posts.

**Users (read-only)**

* Browse users by role with detailed profile view.

**Menus, widgets and sidebars (read-only)**

* `list-nav-menus`, `list-widgets`, `list-sidebars` — full inventory of your navigation surface.

**WooCommerce read-only (conditional)**

When WooCommerce is active, four extra abilities appear automatically:

* `wc-get-store-info` — store name, currency, base address.
* `wc-list-products` — paginated catalog browsing.
* `wc-list-recent-orders` — with email/name redaction by default.
* `wc-list-coupons` — coupon catalog read.

**SEO read (universal, eight plugins)**

* `seo-read-meta` with adapters for Yoast SEO, Rank Math, All in One SEO (AIOSEO), The SEO Framework, SureRank, SEOPress, Slim SEO and Squirrly. Title, description, canonical, robots, OpenGraph and Twitter where the source plugin exposes them.

**Multilingual read (universal, three plugins)**

* `i18n-list-languages` — every active language.
* `i18n-list-translations-for-post` — every translation of a given post.
* `i18n-get-post-in-language` — fetch a specific translation.
* `i18n-list-string-translations` — string translations.
* Adapters for Polylang, WPML and TranslatePress.

**WordPress options (read-only, security whitelist)**

* Read site title, URL, admin email, timezone, date and time format, language, blogname, blog description, posts per page, default category, permalink structure, reading and writing settings.

**Theme customizations (read-only)**

* Read active theme modifications — custom logo, site icon, colors, header text, background.

**System diagnostics**

* Complete environment report — WordPress version, PHP version, database (MySQL/MariaDB version), active theme, active plugins with versions, server software, memory limit, max upload, max post size, max execution time, SSL status, REST API base, security indicators.
* `list-cron-events` — scheduled cron events.
* `list-user-roles` — every role on the site with capability count.

**Plugin management**

* List every installed plugin (active and inactive) and activate or deactivate them.

**Recovery and debug**

* `site-health` — Site Health summary with critical and recommended checks.
* `clear-recovery` — clear WordPress recovery-mode flags after fixing a fatal error (paused plugins, paused themes, recovery_keys).
* Debug logging toggle — flip `[MCPCOMAL-DEBUG]` messages on or off from the Settings tab without editing wp-config.php.

**AI image generation (Gemini)**

When a Google Gemini API key is configured in **Settings**:

* `generate-image` — generate 1–3 images for a prompt using Google Gemini, save each one to the Media Library, optionally attach to a specific post.
* `set-featured-from-prompt` — generate one image from a prompt and assign it as the featured image of an existing post in a single call.
* Imagen API, multiple aspect ratios, 2K/4K resolutions and image editing with prompts remain Premium-only.

**OAuth 2.1 server**

* Authorization Code flow with PKCE.
* Dynamic Client Registration (RFC 7591) so ChatGPT and other modern clients self-register.
* Per-client `allowed_abilities` allowlist with a visual editor in the Authentication tab (checkboxes grouped by area).
* Token revocation, refresh tokens, scope management.

**Trust, observability and rate limiting**

* Activity Log of every MCP call (30-day retention, daily cron purge, paginated admin viewer).
* Hourly and daily rate limits per `client_id` (filterable via `mcpcomal_rate_limit_per_hour` and `mcpcomal_rate_limit_per_day`, or overridable via constants `MCPCOMAL_RATE_LIMIT_PER_HOUR` and `MCPCOMAL_RATE_LIMIT_PER_DAY`).
* MCP annotations on every ability so clients can warn before destructive calls.
* Public `/wp-json/mcpcomal/v1/health` endpoint for uptime monitoring.

**Onboarding and connection**

* Get Started wizard as the first admin tab — environment check, OAuth client creation, AI client picker, live connection test.
* Connect tab with copy/paste config exporter for Claude Desktop, ChatGPT, Cursor, Windsurf, Continue, JetBrains AI Assistant and a curl debug snippet.
* Prompts gallery — 30+ curated prompts loaded from `data/prompts.json`, browsable from the admin and ready to copy into your MCP client.
* "Detected on this site" badges in the Status tab linking WooCommerce, Yoast, Rank Math, multilingual plugins and ACF to their relevant Premium category.
* Navigable Premium catalog inside the Go Premium tab — searchable browser of every Premium feature.
* Spanish translation bundled (es_ES); ready for translate.wordpress.org community translations.

= Example Requests You Can Make =

Just talk to your AI assistant naturally:

**Content creation**

* "Create a new blog post titled 'Summer Travel Guide' with an introduction paragraph and three headings, draft status."
* "Write a draft page called 'About Us' with our company description and add a hero block at the top."
* "Create 5 draft posts for our weekly newsletter series about healthy recipes."

**Content management**

* "Show me all draft posts from the last month."
* "Update the post 'Holiday Sale' to change the status from draft to published."
* "Find all posts in the 'Tutorials' category that don't have a featured image."
* "Empty the trash."

**Taxonomies and organization**

* "Create a new category called 'Case Studies' under 'Resources'."
* "List all tags that are only used once."
* "Move all posts from the 'News' category to 'Announcements'."

**Comments**

* "Show me all pending comments waiting for moderation."
* "Approve all comments from the last 24 hours."
* "Reply to the latest comment on the 'Contact' page thanking them for reaching out."

**Media**

* "Upload this image from URL and set it as the featured image for post 42."
* "List all images uploaded this month, sorted by size."

**AI image generation (Gemini)**

* "Generate a hero image of a sunset over the ocean and set it as the featured image of post 123."
* "Create three illustrations of a friendly robot drinking coffee and attach them to my draft post."
* "Generate a featured image for my new article: a minimalist desk with a laptop, plants and morning light."

**Multilingual**

* "What languages does this site have configured in Polylang?"
* "List the translations of post 1234 across all languages."
* "Fetch the Spanish version of the 'About' page."

**SEO**

* "Read the SEO meta of the homepage."
* "List the title and meta description of every post in the 'Services' category."

**WooCommerce (read-only)**

* "Show me the last 20 paid orders."
* "What coupons are currently active?"
* "List products that are out of stock."

**Site diagnostics**

* "What PHP version is the server running?"
* "Show me a complete system diagnostics report."
* "Which plugins are currently active?"
* "Deactivate the plugin that is causing issues."
* "Enable debug mode so I can see the errors."

**Discovery**

* "What content types does this site have?"
* "Show me all the custom fields registered for the 'product' post type."
* "What taxonomies are available for 'portfolio' posts?"

= Compatible MCP Clients =

The plugin works with any MCP client that supports remote servers and OAuth 2.1. Confirmed clients:

* **Claude Desktop, Claude Code, Cowork** (Anthropic) — full native OAuth 2.1.
* **ChatGPT** (OpenAI) — full native OAuth 2.1 with Dynamic Client Registration.
* **GitHub Copilot in VS Code** — native OAuth (VS Code 1.101+).
* **Cursor AI** — OAuth (some servers may need the mcp-remote bridge).
* **Windsurf** (Codeium) — OAuth for remote MCP servers.
* **Continue** — full native OAuth 2.1 in VS Code and IntelliJ.
* **Augment Code** — native OAuth with one-click approval.
* **JetBrains AI Assistant** — MCP support in JetBrains IDEs (2025.2+).

Any application that implements the Model Context Protocol with remote server support should work. There are 500+ MCP clients today and the protocol is the same everywhere.

= Who Is This For? =

* **Content creators** who want to draft, schedule and update posts using natural language.
* **Site administrators** who want quick diagnostics, log inspection and bulk content oversight.
* **Agencies** managing dozens of WordPress sites from a single AI assistant.
* **WooCommerce store owners** who want to inspect their catalog, orders and coupons via chat.
* **Multilingual site owners** running Polylang, WPML or TranslatePress.
* **Developers** building agentic workflows on top of WordPress.

= Requirements =

* WordPress 6.9 or later (AI Mode requires WordPress 7.0+ — see FAQ).
* PHP 8.3 or later.
* The [WordPress MCP Adapter](https://github.com/WordPress/mcp-adapter) plugin (the Lite plugin can also load the bundled adapter automatically if no other source provides it).
* An MCP-compatible client.

= Need More? Get Premium =

The **[Premium version](https://plugins.joseconti.com/en/product/mcp-content-manager-for-wordpress/)** of MCP Content Manager turns your WordPress site into a full agentic workstation. **290+ abilities across 17 categories**, with everything Lite has, plus:

**WooCommerce — full store control (8 modules)**

* Products with variations, attributes, gallery, pricing tiers, stock and shipping classes (CRUD).
* Orders edit, refunds (full or partial) and email payment links.
* Customers CRUD with billing and shipping addresses.
* Sales analytics — top products, revenue trends, conversion, orders by status, executive KPIs.
* Shipping zones, methods, rates and shipping classes (CRUD).
* Webhooks management (CRUD).
* Store settings — payment gateways, tax, checkout, emails, accounts (read and write).
* Subscriptions across 5 platforms — WooCommerce Subscriptions, Yith, Sumo, ASWC and WBTE — list, modify, cancel.

**SEO suite — full read and write across 8 plugins**

* `seo-write` — universal SEO meta write across Yoast, Rank Math, AIOSEO, SureRank, SiteSEO, The SEO Framework, Squirrly and SEOPress.
* `seo-audit` — content auditor with scoring, suggestions and bulk fixes.

**Security and hardening**

* `security-hardening` — 23 hardening measures across 3 risk levels with security-audit scoring, batch-apply and per-measure revert.
* `malware-cleanup` — hacked-site cleanup workflow: core integrity vs. official checksums, malware pattern scanning in wp-content, database injection detection (scripts, iframes, hidden spam, pharma hacks), rogue admin detection, plugin verification against WordPress.org, .htaccess analysis, clean file replacement and salt regeneration.

**Maintenance and recovery**

* `maintenance-mode` — toggle a branded maintenance page with allowlist for admins.
* `optimizer-cache` — adapter for the 7 most common cache plugins (WP Rocket, W3 Total Cache, WP Super Cache, LiteSpeed, SG Optimizer, Hummingbird, FlyingPress) — purge, pre-warm and configuration viewer.
* `profiler` — performance profiler with 0–100 scoring, 20 built-in optimizations, before/after comparison and one-click rollback.

**Time Machine — backups and restore**

* Automatic snapshots before plugin/theme installs and core updates.
* One-click rollback of any change.
* Sentinel emergency recovery mode.

**Automation and developer bridge**

* `wpcli-bridge` — execute WP-CLI commands remotely with per-command permissions, default 16-command blocklist, color-coded danger levels and `proc_open()` execution with timeout and shell-metachar blocking.
* `plugin-theme-install` — install plugins and themes from WordPress.org by slug or any ZIP URL, with options diff after activation and a 14-phase site-creation guide.

**Users and roles**

* `users-crud` — create, read, update and delete users with role assignment and password generation.
* `roles-caps` — full role and capability CRUD with a built-in capability catalog, role comparison, per-user audit and escalation prevention.

**Multisite and network**

* `multisite-manager` — network-wide site CRUD, cross-site ability execution and network-wide plugin/theme management.
* `site-creation` — create new sites in the network with a structured wizard.

**Full Site Editing**

* `fse-nav-menus` — classic and FSE navigation CRUD with block-aware serialization.
* `fse-global-styles` — read and write theme.json variables (color tokens, typography, spacing).
* `fse-fonts` — font management (upload, register, remove).
* `fse-templates` — template and pattern write.
* `widgets-write` — widget and sidebar write.

**Custom fields universal write**

* `custom-fields-write` — ACF, Meta Box, Pods and JetEngine with full repeater and flexible content support.

**Multilingual write**

* `i18n-translations-write` — create translations, sync source/target, queue site-wide AI translations across Polylang, WPML and TranslatePress.

**Media analyzer and AI image generation**

* `media-analyzer` — orphaned media detection, dashboard with per-attachment usage, WebP/AVIF conversion, thumbnail regeneration.
* `ai-image-generation` — Google Gemini and Imagen with 10 aspect ratios, 3 sizes (1K/2K/4K), PNG/JPEG, direct upload to Media Library, prompt stored as attachment meta.

**Files and configuration**

* `file-manager` — read and write theme files (with safety checks).
* `htaccess-manager` — analyze, edit and back up `.htaccess`.
* `wp-config` — toggle wp-config flags safely.

**Auditing and rollback**

* `action-logger` — forensic action log with diff per change.
* `hmac-confirmations` — HMAC-signed confirmation tokens for 30+ high-risk abilities. Nothing destructive runs without your explicit, cryptographically-signed consent.

**Advanced diagnostics**

* `session-diagnostics` — hook inspector, REST route discovery, shortcode registry, test emails, asset listing, Action Scheduler, SSL and DNS analysis.
* `coding-guidelines` — coding-guidelines validator for theme and plugin files.

= Lite vs Premium at a glance =

| Capability | Lite | Premium |
| --- | --- | --- |
| Auto-discovery (CPTs, taxonomies, ACF, meta) | Yes | Yes |
| Universal content CRUD | Yes | Yes |
| Comments, media, taxonomies | Yes | Yes |
| OAuth 2.1 + per-client allowlist | Yes | Yes |
| Activity Log + rate limiting | Yes | Yes |
| Get Started wizard + Connect tab | Yes | Yes |
| Multilingual read (Polylang/WPML/TranslatePress) | Yes | Yes |
| SEO read (8 plugins) | Yes | Yes |
| WooCommerce read | Yes | Yes |
| SEO write + audit | — | Yes |
| WooCommerce write (products, orders, refunds, shipping) | — | Yes |
| WooCommerce subscriptions (5 platforms) | — | Yes |
| Security hardening (23 measures) | — | Yes |
| Hacked-site cleanup | — | Yes |
| Time Machine backups + rollback | — | Yes |
| WP-CLI bridge | — | Yes |
| Plugin & theme installation | — | Yes |
| Users & roles CRUD | — | Yes |
| Multisite manager | — | Yes |
| FSE write (templates, fonts, global styles) | — | Yes |
| Custom fields write (ACF, Meta Box, Pods, JetEngine) | — | Yes |
| Multilingual write + AI translation | — | Yes |
| AI image generation with Gemini (1–3 images, save to Media, set featured) | Yes | Yes |
| AI image generation with Imagen, multi aspect ratio, 2K/4K, image edit | — | Yes |
| Performance profiler | — | Yes |
| File manager + htaccess + wp-config | — | Yes |
| HMAC-signed confirmations on destructive actions | — | Yes |
| Total abilities | 60+ | 290+ |

**[Get MCP Content Manager Premium](https://plugins.joseconti.com/en/product/mcp-content-manager-for-wordpress/)**

== External Services ==

This plugin connects to the following external services:

= WordPress.org API =

The system diagnostics feature tests whether your server can make outgoing HTTP requests (both GET and POST) by connecting to the WordPress.org core version check API. This is used only when the user explicitly requests a system diagnostics report. The data sent is the WordPress version number. No personal data is transmitted.

* Service: [WordPress.org](https://wordpress.org/)
* [Terms of Use](https://wordpress.org/about/terms-of-service/)
* [Privacy Policy](https://wordpress.org/about/privacy/)

= OAuth 2.1 Authentication =

This plugin implements an OAuth 2.1 server so that MCP clients (Claude, ChatGPT, Copilot, Cursor, etc.) can authenticate with your site. The OAuth flow happens entirely between the MCP client application and your own WordPress site. No data is sent to any third-party service by the plugin during authentication. The MCP client connects directly to your site's REST API endpoints.

= Google Gemini (optional, only when image generation is configured) =

If — and only if — you configure a Google Gemini API key in **Settings > MCP Content Manager Lite > Settings**, the `generate-image` and `set-featured-from-prompt` abilities call Google's Gemini API at `generativelanguage.googleapis.com`. The data sent is: the prompt provided by the AI client, the model id you have configured (default `gemini-2.0-flash-exp`) and the API key. The response (a base64-encoded image) is saved to the Media Library and the prompt is stored as attachment meta. No data is sent to Google when the API key is empty or the abilities are not invoked.

* Service: [Google AI / Gemini](https://ai.google.dev/)
* [Terms of Service](https://ai.google.dev/gemini-api/terms)
* [Privacy Policy](https://policies.google.com/privacy)

== Installation ==

1. Upload the `mcp-content-manager-lite` folder to `wp-content/plugins/` (or install via the WordPress admin).
2. Activate the plugin through the **Plugins** menu in WordPress.
3. Install and activate the [WordPress MCP Adapter](https://github.com/WordPress/mcp-adapter) plugin if it is not already installed (the Lite plugin can also load a bundled copy automatically if nothing else provides one).
4. Go to **Settings > MCP Content Manager Lite** and run the **Get Started** wizard. It checks your environment, creates an OAuth client, lets you pick your AI client and runs a live connection test.
5. Open the **Connect** tab and copy the configuration block for your client (Claude Desktop, ChatGPT, Cursor, Windsurf, Continue, JetBrains AI or curl).
6. Start managing your content with natural language.

= Connecting Your MCP Client =

The plugin works with any MCP client that supports remote servers with OAuth 2.1.

**Your MCP Server URL is:**
`https://your-domain.com/wp-json/mcp/mcp-adapter-default-server`

You can find the exact URL in **Settings > MCP Content Manager Lite > Status**.

**Claude Desktop / Claude Code / Cowork**

1. Go to Settings > MCP Servers > Add server.
2. Paste your MCP Server URL as the endpoint.
3. When you connect for the first time, your browser opens an authorization page — click Authorize.
4. Done. Ask Claude to list your post types and start working.

**ChatGPT (OpenAI)**

1. Enable Developer Mode in ChatGPT settings.
2. Add a new remote MCP server and paste your MCP Server URL.
3. ChatGPT handles OAuth registration and authentication automatically (Dynamic Client Registration).

**VS Code / GitHub Copilot**

1. Open VS Code settings (1.101+) and add a new MCP server.
2. Paste your MCP Server URL.
3. Authenticate via the OAuth browser flow when prompted.

**Cursor / Windsurf / Continue / Augment Code / JetBrains AI**

1. Open the MCP server settings in your client.
2. Add a new server and paste your MCP Server URL.
3. Complete the OAuth 2.1 authentication when prompted.

The OAuth 2.1 handshake happens automatically — you only need to authorize once per device.

== Frequently Asked Questions ==

= How is this different from other MCP plugins on the WordPress repository? =

Three things, mostly. First, **auto-discovery**: the plugin reads your real schema (CPTs, taxonomies, registered meta, ACF, JetEngine) at runtime, so the AI client sees your specific install — no hand-maintained YAML or hardcoded tool list. Second, **breadth**: 60+ abilities in Lite versus the 10–20 typical of competing plugins, including multilingual read across Polylang/WPML/TranslatePress, SEO read across 8 plugins, WooCommerce read, FSE inventory and a full system diagnostics report. Third, **trust infrastructure**: OAuth 2.1 with PKCE, per-client allowlists, rate limiting, an activity log with 30-day retention, MCP annotations on every ability, a public health endpoint and a config-exporter for every major MCP client. Most other plugins charge for a subset of those.

= What is AI Mode and why does it say it requires WordPress 7.0? =

AI Mode is a built-in chat interface that lets you talk to AI assistants directly from the WordPress admin panel. It uses the Connectors API introduced in WordPress 7.0, so it becomes available when you update to that version.

In the meantime you can already use **all 60+ abilities** by connecting your AI assistant (Claude Desktop, ChatGPT, Copilot, Cursor, etc.) to your site via MCP. The MCP connection works on WordPress 6.9 and gives you the same access — through your preferred AI client.

= Does it work with any custom post type? =

Yes. The plugin auto-discovers all registered CPTs, including those from WooCommerce, ACF, Toolset, Pods, CPT UI, JetEngine, Jetpack and any custom implementation. If WordPress knows about it, your AI assistant does too.

= Do I need to write code or configure anything? =

No. Install, activate, run the Get Started wizard. The plugin handles discovery and content management automatically.

= Which MCP clients are supported? =

Any MCP-compatible client with remote server support and OAuth 2.1. Confirmed: Claude Desktop, Claude Code, Cowork, ChatGPT, GitHub Copilot in VS Code, Cursor AI, Windsurf, Continue, Augment Code and JetBrains AI Assistant. There are 500+ MCP clients today and the protocol is the same in all of them.

= Is it secure? =

Yes. The plugin uses OAuth 2.1 with PKCE for authentication. Every MCP connection requires an authorization. Each OAuth client has its own `allowed_abilities` allowlist so you can restrict what a given client can do. Hourly and daily rate limits prevent abuse. Every call is recorded in the Activity Log with client_id, ability, status and IP for 30 days. WordPress options access is restricted to a security whitelist. The Lite version provides read-only access to users, options and theme settings; all destructive operations on posts, comments and media require explicit caller authentication.

= Can I limit which abilities a specific AI client can use? =

Yes. Each OAuth client has its own `allowed_abilities` allowlist. Open **Settings > MCP Content Manager Lite > Authentication**, click the **Permissions** button next to the client and pick "All abilities" or "Restricted to selected abilities" with checkboxes grouped by area (Core, WooCommerce, Multilingual, SEO). You can let Claude Desktop run everything while a CI integration only sees `list-recent-posts` and `read-post`. The helper class `MCPCOMAL_OAuth_Permissions` also exposes `set/get/is_allowed` APIs for programmatic management.

= How do I monitor MCP usage? =

Two ways. The **Activity Log** tab shows every call with date, client_id, ability, status, duration and IP — paginated and searchable. The **/wp-json/mcpcomal/v1/health** public endpoint returns plugin and adapter status for any uptime monitor (UptimeRobot, BetterStack, Pingdom, etc.).

= Can I use Lite and Premium at the same time? =

If both plugins are active, the Premium version takes over automatically and you will see a friendly notice suggesting you deactivate Lite. There will be no errors or conflicts.

= Does it work with WooCommerce? =

Lite auto-discovers WooCommerce post types and adds four read-only abilities when WooCommerce is active (`wc-get-store-info`, `wc-list-products`, `wc-list-recent-orders` with email/name redaction, `wc-list-coupons`). Full store management — variations, refunds, customers, analytics, shipping zones, webhooks, settings and subscriptions across 5 platforms — is in the **[Premium version](https://plugins.joseconti.com/en/product/mcp-content-manager-for-wordpress/)**.

= Can I read SEO meta from my AI assistant? =

Yes, in Lite. The `seo-read-meta` ability has adapters for Yoast SEO, Rank Math, AIOSEO, The SEO Framework, SureRank, SEOPress, Slim SEO and Squirrly. Writing SEO meta and content audits are Premium features.

= Does it support multilingual sites? =

Lite ships read-only support for Polylang, WPML and TranslatePress: list languages, list translations, fetch a specific translation and list string translations. Creating translations and AI-powered translation queueing are Premium features.

= Does it include backups? =

The Time Machine backup system with automatic snapshots before updates and one-click rollback is a Premium feature. **[Get Premium](https://plugins.joseconti.com/en/product/mcp-content-manager-for-wordpress/)** for peace of mind on every update.

= Can it detect and clean malware? =

Yes, with the Premium version. Your AI assistant can verify core file integrity against official checksums, scan wp-content for malware patterns, detect database injections (scripts, iframes, hidden spam, pharma hacks), identify rogue admin accounts, verify plugins against WordPress.org, analyze `.htaccess` for malicious rules, replace infected core files with clean versions and regenerate security salts. All diagnostic scans are read-only and all cleanup actions require explicit confirmation.

= Can I run WP-CLI commands? =

The WP-CLI bridge with per-command permissions and default blocklist is Premium-only.

= Can my AI assistant generate images? =

Yes, in Lite. Configure a Google Gemini API key in **Settings > MCP Content Manager Lite > Settings**, then call `generate-image` (1–3 images per prompt) or `set-featured-from-prompt` (one image generated and set as featured of a post). Each generated image is saved to the Media Library with the prompt stored as `_mcpcomal_gemini_prompt` meta and as alt text. Lite is limited to Google Gemini, the model's native PNG output and up to 3 images per call. The Imagen API, multiple aspect ratios, 2K/4K resolutions and image editing with prompts are Premium features.

= How do I get a Gemini API key? =

Go to [Google AI Studio](https://aistudio.google.com/app/apikey) (free tier available), generate an API key and paste it into **Settings > MCP Content Manager Lite > Settings**. The key is stored with autoload disabled and never leaves your site except in the outgoing call to `generativelanguage.googleapis.com`.

= How do I customize rate limits? =

Filter `mcpcomal_rate_limit_per_hour` (default 1000) and `mcpcomal_rate_limit_per_day` (default 10000). Both are per `client_id`. You can also override the defaults via the constants `MCPCOMAL_RATE_LIMIT_PER_HOUR` and `MCPCOMAL_RATE_LIMIT_PER_DAY` in wp-config.php.

= Where is data stored? =

In your WordPress database, in dedicated tables created on activation (OAuth, Chat AI, Activity Log) plus a backup directory in `wp-content/uploads/`. Nothing is sent to third parties; the OAuth flow runs entirely between the client app and your site.

== Screenshots ==

1. MCP Content Manager Lite settings page with the Get Started wizard.
2. Auto-discovered site schema in Claude.
3. Creating content with natural language.
4. Activity Log of every MCP call with client_id, status and duration.
5. Connect tab with config exporter for Claude Desktop, ChatGPT, Cursor, Windsurf, Continue and JetBrains AI.
6. Prompts gallery with curated prompts.
7. Status tab with "Detected on this site" badges.
8. System diagnostics report.

== Changelog ==

= 1.1.0 — 2026-04-29 =

This release closes the gap with competing MCP plugins on read coverage and adds onboarding, audit, granular permissions, a multilingual layer and AI image generation.

Quantitative: 31 → 62 abilities (56 base + 4 multilingual + 2 AI image).

* New: Discovery extended — list-post-types, list-taxonomies, list-post-statuses, list-shortcodes, get-permalink-structure
* New: Site stats — get-site-stats (post/comment/user counts), get-media-stats (mime breakdown + total size on disk)
* New: Content shortcuts — list-recent-posts, list-pending-comments, list-scheduled-posts, list-trashed-posts, list-post-revisions
* New: FSE read-only — list-blocks-registered, list-block-patterns, list-fse-templates (metadata only)
* New: Menus, widgets and sidebars (read-only) — list-nav-menus, list-widgets, list-sidebars
* New: WooCommerce read-only (conditional) — wc-get-store-info, wc-list-products, wc-list-recent-orders (with email/name redaction), wc-list-coupons
* New: SEO read universal — seo-read-meta with adapters for Yoast, Rank Math, AIOSEO, The SEO Framework, SureRank, SEOPress, Slim SEO and Squirrly
* New: System extended — list-cron-events, list-user-roles
* New: Multilingual read-only — i18n-list-languages, i18n-list-translations-for-post, i18n-get-post-in-language, i18n-list-string-translations (Polylang, WPML, TranslatePress)
* New: AI Image Generation (Gemini) — generate-image (1–3 images per call) and set-featured-from-prompt. Settings tab subsection for the API key and model. Imagen API, multiple aspect ratios, 2K/4K and image editing remain Premium-only.
* New: MCP annotations (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) on every ability — existing and new
* New: Activity Log — every MCP tool call recorded with client_id, slug, status, duration, error code and IP. Retention 30 days, daily cron purge. Admin tab with paginated viewer
* New: Granular OAuth permissions — per-client allowed_abilities allowlist (DB column + helper class) plus the "Permissions" subview in the Authentication tab to edit it visually with checkboxes grouped by area
* New: Rate limiting — hourly (1000) and daily (10000) caps per client_id, configurable via filters
* New: Get Started wizard — environment check + OAuth client creation + AI client selection + connection test
* New: Connect tab — config exporter for Claude Desktop, ChatGPT, Cursor, Windsurf, Continue, JetBrains AI and a curl debug snippet
* New: Public /mcpcomal/v1/health endpoint (unauthenticated) for uptime monitoring
* New: Prompts gallery — 30+ curated prompts loaded from data/prompts.json
* New: Spanish translation (mcp-content-manager-lite-es_ES.po/.mo) — admin tab labels and key UI strings
* New: Premium catalog navigable — searchable browser of the Premium feature catalog inside the Go Premium tab
* New: "Detected on this site" badges in Status — links to the relevant Premium category for WooCommerce, Yoast, Rank Math, multilingual plugins and ACF
* New: Premium upsell hints with per-OAuth-session throttle (one hint per category, not on every call)
* New: docs/manual-test-plan-v1.1.md — human QA checklist for every sprint area

= 1.0.2 — 2026-04-08 =
* Fixed content CRUD abilities (create, read, update, search, delete) not registering when the Premium version was installed but inactive
* Fixed Gutenberg block reference ability not registering under the same condition
* Added defensive category registration fallback for content management abilities

= 1.0.1 — 2026-04-08 =
* Improved AI Mode notice for WordPress < 7.0: explains that all abilities are already available via MCP connection and links to connection settings
* Fixed PHP compatibility issue with vendor dependencies (brick/math) for WordPress.org validation
* Added FAQ entry explaining AI Mode vs MCP connection
* Added OpenRouter logo for the WordPress 7.0 Connectors API registration
* Condensed Premium features section in description

= 1.0.0 =
* First public release
* Auto-discovers all CPTs, taxonomies and registered meta fields
* Universal CRUD for any content type (posts, pages, custom post types)
* Full taxonomy management (list, create, update, delete terms)
* Complete comment management with bulk moderation
* Media library management (list, upload, featured images, attachments)
* User directory with role-based listing (read-only)
* WordPress options reader with security whitelist
* Theme customizations reader
* Full system diagnostics and environment report
* Plugin management (list, activate, deactivate)
* Debug mode toggle (WP_DEBUG)
* Recovery mode clearing
* Gutenberg block reference for AI-assisted content creation
* OAuth 2.1 authentication with PKCE for secure MCP connections
* Compatible with Claude, ChatGPT, GitHub Copilot, Cursor, Windsurf, Continue and any MCP client
* Coexistence support with Premium version (no conflicts)

== Upgrade Notice ==

= 1.1.0 =
Major release: 60+ abilities, OAuth 2.1 allowlists with a visual editor, rate limiting, Activity Log with 30-day retention, Get Started wizard, Connect tab with config exporter for 6 AI clients, public /health endpoint, AI image generation with Google Gemini, multilingual read across Polylang/WPML/TranslatePress, SEO read across 8 plugins, Spanish translation. Auto-migrates the OAuth schema on upgrade — no manual steps.

= 1.0.2 =
Fixed content CRUD abilities not registering when Premium version was installed but inactive. All 30 abilities now register correctly.

= 1.0.1 =
Improved AI Mode notice for WordPress < 7.0 — now explains how to use MCP connection in the meantime. Fixed PHP compatibility issue. Added OpenRouter logo for Connectors API.

= 1.0.0 =
First public release. Manage your entire WordPress site from Claude, ChatGPT, Copilot or any MCP client.
