Description
miniOrange Secure MCP Server helps WordPress administrators with AI governance and policy enforcement: understanding and controlling what AI assistants and MCP clients are allowed to do on their site.
The WordPress Abilities API (available in WordPress 6.9 and later) lets plugins and WordPress core expose discrete, machine-callable capabilities — for example: get site info, create a post, or generate a summary. This plugin turns those abilities into a remote Model Context Protocol (MCP) server so AI clients can discover and invoke them, protected by a self-hosted OAuth 2.1 authorization server.
What this version does
- Abilities viewer. A read-only admin screen (in the Secure MCP Server menu) that lists every ability registered on your site, with its label, description, category, source namespace, and full input/output JSON schema.
- Connection guide. A “Connect to AI” tab with step-by-step instructions and your site’s MCP URL for connecting clients such as ChatGPT and Claude.
- Built-in content abilities. Create Post and Update Post abilities (exposed as MCP tools) so connected clients can draft and edit posts, gated by the user’s capabilities.
- MCP server. A single Streamable HTTP endpoint that exposes every registered ability as an MCP tool. Tool calls run through the Abilities API, so each ability’s own permission check still applies.
- Self-hosted dynamic OAuth. WordPress acts as its own OAuth 2.1 authorization server with OAuth 2.0 Dynamic Client Registration (RFC 7591), Protected Resource Metadata (RFC 9728), Authorization Server Metadata (RFC 8414), and Authorization Code flow with PKCE. Clients such as ChatGPT and Claude can register themselves and connect with no manual credential setup.
Every MCP request runs as the WordPress user who authorized it, so what an AI client can do is bounded by that user’s own capabilities.
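The discovery chain listed above (RFC 9728 resource metadata, RFC 8414 server metadata, RFC 7591 registration, PKCE) can be checked for consistency before a client is connected. This is an added example, not the plugin's own code; the site name, metadata paths and endpoint URLs in the sample documents are constructed placeholders, and only the field names come from the RFCs.

```python
import re
from urllib.parse import urlparse

# Constructed sample data for a placeholder site; the plugin's real metadata
# paths and endpoint URLs are not shown on the page and are assumed here.
SITE = "https://example.test"
MCP_URL = SITE + "/wp-json/mosmcp/v1/mcp"
CHALLENGE = 'Bearer resource_metadata="' + SITE + '/.well-known/oauth-protected-resource"'
RESOURCE_DOC = {"resource": MCP_URL, "authorization_servers": [SITE]}
AS_DOC = {
    "issuer": SITE,
    "authorization_endpoint": SITE + "/oauth/authorize",
    "token_endpoint": SITE + "/oauth/token",
    "registration_endpoint": SITE + "/oauth/register",
    "code_challenge_methods_supported": ["S256"],
}
# The same document with two weaknesses the audit should report.
WEAK_AS_DOC = dict(AS_DOC, token_endpoint="http://example.test/oauth/token",
                   code_challenge_methods_supported=["plain"])

def metadata_url(challenge):
    """Return the resource_metadata URL from a 401 Bearer challenge, or None."""
    match = re.search(r'resource_metadata="([^"]+)"', challenge)
    return match.group(1) if match else None

def is_https(url):
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)

def audit(mcp_url, challenge, resource_doc, as_doc):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    url = metadata_url(challenge)
    if not url or not is_https(url):
        findings.append("401 challenge lacks an HTTPS resource_metadata URL")
    if resource_doc.get("resource") != mcp_url:
        findings.append("resource does not match the MCP endpoint")
    if as_doc.get("issuer") not in (resource_doc.get("authorization_servers") or []):
        findings.append("issuer is not listed in authorization_servers")
    for key in ("authorization_endpoint", "token_endpoint", "registration_endpoint"):
        if not is_https(as_doc.get(key, "")):
            findings.append(key + " missing or not HTTPS")
    if "S256" not in as_doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE S256 not advertised")
    return findings

if __name__ == "__main__":
    for name, doc in (("good", AS_DOC), ("weak", WEAK_AS_DOC)):
        print(name, audit(MCP_URL, CHALLENGE, RESOURCE_DOC, doc) or "consistent")
```

To audit a live site, replace the sample dictionaries with the parsed JSON returned by the site's own metadata URLs.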
Installation
- Upload the plugin files to the /wp-content/plugins/miniorange-secure-mcp-server directory, or install the plugin through the WordPress plugins screen directly.
- Activate the plugin through the “Plugins” screen in WordPress.
- Open the “Secure MCP Server” menu item (under Tools) to review the abilities registered on your site.
- Connect an MCP client (see the FAQ) to https://YOUR-SITE/wp-json/mosmcp/v1/mcp.
FAQ
How do ChatGPT and Claude connect?
Add a custom connector pointing at your MCP endpoint, https://YOUR-SITE/wp-json/mosmcp/v1/mcp. The client discovers the OAuth endpoints automatically, registers itself, walks you through logging in to WordPress and approving access, and then connects. The site must be reachable over HTTPS (cloud clients cannot reach localhost); for local development, expose the site through an HTTPS tunnel such as ngrok or cloudflared.

Does this plugin store any data?
Yes. To run the OAuth server it creates three database tables for registered clients, short-lived authorization codes, and access/refresh tokens. Tokens and client secrets are stored only as keyed hashes, never in plaintext. A single options row holds the plugin’s hash salt. All of this is removed when the plugin is deleted.

My server returns 401 even with a valid token.
Some Apache configurations strip the Authorization header before it reaches PHP. Add the following to your WordPress root .htaccess:
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Why does the “Source” column show a namespace instead of a plugin name?
The Abilities API does not record which plugin registered a given ability. The namespace prefix (the part before the slash in the ability name) is the most reliable indicator of where an ability comes from.
Contributors & Developers
“miniOrange Secure MCP Server” is open source software.
Changelog
1.1.0
- Added a remote MCP server endpoint that exposes registered abilities as MCP tools.
- Added a self-hosted OAuth 2.1 authorization server with Dynamic Client Registration, PKCE, and discovery metadata so ChatGPT and Claude can connect.
1.0.0
- Initial release: read-only viewer for abilities registered through the WordPress Abilities API.