{"id":291619,"date":"2026-03-24T21:17:07","date_gmt":"2026-03-24T21:17:07","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/enable-abilities-for-mcp\/"},"modified":"2026-03-27T22:29:27","modified_gmt":"2026-03-27T22:29:27","slug":"enable-abilities-for-mcp","status":"publish","type":"plugin","link":"https:\/\/pcd.wordpress.org\/plugins\/enable-abilities-for-mcp\/","author":23468324,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.8.0","stable_tag":"1.8.0","tested":"6.9.4","requires":"6.9","requires_php":"8.0","requires_plugins":null,"header_name":"Enable Abilities for MCP","header_author":"Fabio Montenegro","header_description":"Manage which WordPress Abilities are exposed to MCP servers. Enable or disable each ability individually from the dashboard.","assets_banners_color":"245a6b","last_updated":"2026-03-27 22:29:27","external_support_url":"","external_repository_url":"","donate_link":"https:\/\/paypal.me\/fabiomontenegroz","header_plugin_uri":"","header_author_uri":"https:\/\/fabiomontenegro.com","rating":4.7,"author_block_rating":0,"active_installs":70,"downloads":365,"num_ratings":3,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.6.0":{"tag":"1.6.0","author":"fabiomontenegro1987","date":"2026-03-24 21:17:11"},"1.7.0":{"tag":"1.7.0","author":"fabiomontenegro1987","date":"2026-03-25 17:03:19"},"1.8.0":{"tag":"1.8.0","author":"fabiomontenegro1987","date":"2026-03-27 22:29:27"}},"upgrade_notice":{"1.8.0":"<p>Major update: 8 new Custom Post Type abilities for WooCommerce, ACF, JetEngine, and more. All keys standardized to English with automatic migration. Contextual admin notices for missing dependencies.<\/p>","1.7.0":"<p>MCP Adapter dependency notice, connection example for Claude Desktop, and updated installation instructions for WordPress.org.<\/p>","1.6.0":"<p>New reply to comments ability. Fixed Rank Math focus keyword input for reliable MCP integration.<\/p>","1.5.0":"<p>New API Key authentication. Generate a Bearer token from the admin panel to connect external services like Perplexity via custom MCP connector.<\/p>","1.4.0":"<p>Security and code quality update. Fixes path exposure, SVG uploads, email leaks, and capability levels. Full WPCS compliance. Recommended for all users.<\/p>","1.3.0":"<p>New SEO section with Rank Math metadata read\/write abilities. Read and update SEO title, description, focus keywords, robots, Open Graph, and more.<\/p>","1.2.0":"<p>Security update. Adds input validation, per-post capability checks, and sanitization improvements. Recommended for all users.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":1,"5":2},"assets_icons":{"icon-256x256.png":{"filename":"icon-256x256.png","revision":3490388,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-1544x500.png":{"filename":"banner-1544x500.png","revision":3490388,"resolution":"1544x500","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.6.0","1.7.0","1.8.0"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Admin settings page showing all abilities organized by category with toggle switches."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[2353,4917,242115,23853,286],"plugin_category":[45],"plugin_contributors":[258556],"plugin_business_model":[],"class_list":["post-291619","plugin","type-plugin","status-publish","hentry","plugin_tags-ai","plugin_tags-content-management","plugin_tags-mcp","plugin_tags-rest-api","plugin_tags-woocommerce","plugin_category-ecommerce","plugin_contributors-fabiomontenegro1987","plugin_committers-fabiomontenegro1987"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/enable-abilities-for-mcp\/assets\/icon-256x256.png?rev=3490388","icon_2x":"https:\/\/ps.w.org\/enable-abilities-for-mcp\/assets\/icon-256x256.png?rev=3490388","generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p><strong>Enable Abilities for MCP<\/strong> gives you full control over which WordPress Abilities are available to AI assistants through the MCP (Model Context Protocol) Adapter.<\/p>\n\n<p>WordPress 6.9 introduced the Abilities API, allowing external tools to discover and execute actions on your site. This plugin extends that functionality by registering a comprehensive set of content management abilities and providing a simple admin interface to toggle each one on or off.<\/p>\n\n<h4>Features<\/h4>\n\n<ul>\n<li><strong>32 abilities<\/strong> organized in 6 categories: Core, Read, Write, SEO, Utility, and Custom Post Types<\/li>\n<li><strong>WooCommerce compatible<\/strong> \u2014 manage products, orders, and any custom post type with full meta field access (_price, _sku, _stock, etc.)<\/li>\n<li><strong>Admin dashboard<\/strong> with toggle switches for each ability<\/li>\n<li><strong>Per-ability control<\/strong> \u2014 expose only what you need<\/li>\n<li><strong>Secure by design<\/strong> \u2014 proper capability checks, input sanitization, and per-post permission validation<\/li>\n<li><strong>WPCS compliant<\/strong> \u2014 fully passes WordPress Coding Standards (phpcs)<\/li>\n<li><strong>MCP-ready<\/strong> \u2014 all abilities include <code>show_in_rest<\/code> and <code>mcp.public<\/code> metadata<\/li>\n<\/ul>\n\n<h4>Available Abilities<\/h4>\n\n<p><strong>Read (safe, query-only):<\/strong><\/p>\n\n<ul>\n<li>Get posts with filters (status, category, tag, search)<\/li>\n<li>Get single post details (content, SEO meta, featured image)<\/li>\n<li>Get categories, tags, pages, comments, media, and users<\/li>\n<\/ul>\n\n<p><strong>Write (create &amp; modify):<\/strong><\/p>\n\n<ul>\n<li>Create, update, and delete posts<\/li>\n<li>Create categories and tags<\/li>\n<li>Create pages<\/li>\n<li>Moderate comments<\/li>\n<li>Reply to comments as the authenticated user<\/li>\n<li>Upload images from external URLs to the media library (with optional auto-assign as featured image)<\/li>\n<\/ul>\n\n<p><strong>SEO \u2014 Rank Math:<\/strong><\/p>\n\n<ul>\n<li>Get full Rank Math metadata for any post\/page (title, description, keywords, robots, Open Graph, SEO score)<\/li>\n<li>Update Rank Math metadata: SEO title, description, focus keyword, canonical URL, robots, Open Graph, primary category, pillar content<\/li>\n<\/ul>\n\n<p><strong>Custom Post Types:<\/strong><\/p>\n\n<ul>\n<li>List all registered custom post types with configuration and taxonomies<\/li>\n<li>Get items from any CPT with filtering, search, and taxonomy queries<\/li>\n<li>Get full details of a CPT item including all meta fields (WooCommerce, ACF, JetEngine, etc.)<\/li>\n<li>Create, update, and delete CPT items with taxonomy and meta field support<\/li>\n<li>Get CPT taxonomies with their terms<\/li>\n<li>Assign taxonomy terms to CPT items<\/li>\n<\/ul>\n\n<p><strong>Utility:<\/strong><\/p>\n\n<ul>\n<li>Search and replace text in post content<\/li>\n<li>Site statistics overview (now includes custom post type counts)<\/li>\n<\/ul>\n\n<h4>Requirements<\/h4>\n\n<ul>\n<li>WordPress 6.9 or later (Abilities API)<\/li>\n<li>MCP Adapter plugin installed and configured<\/li>\n<li>PHP 8.0 or later<\/li>\n<\/ul>\n\n<!--section=installation-->\n<ol>\n<li>In your WordPress dashboard, go to <strong>Plugins &gt; Add New<\/strong> and search for <strong>Enable Abilities for MCP<\/strong>.<\/li>\n<li>Click <strong>Install Now<\/strong>, then <strong>Activate<\/strong>.<\/li>\n<li>Go to <strong>Settings &gt; WP Abilities<\/strong> to manage which abilities are active.<\/li>\n<li>Install and configure the <a href=\"https:\/\/github.com\/WordPress\/mcp-adapter\/releases\">MCP Adapter<\/a> plugin to connect with AI assistants.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"do%20i%20need%20anything%20else%20for%20this%20plugin%20to%20work%3F\"><h3>Do I need anything else for this plugin to work?<\/h3><\/dt>\n<dd><p>Yes. This plugin requires WordPress 6.9+ (which includes the Abilities API) and the MCP Adapter plugin to connect abilities with AI assistants like Claude.<\/p><\/dd>\n<dt id=\"are%20all%20abilities%20enabled%20by%20default%3F\"><h3>Are all abilities enabled by default?<\/h3><\/dt>\n<dd><p>Yes. On first activation, all abilities are enabled. You can disable any of them from <strong>Settings &gt; WP Abilities<\/strong>.<\/p><\/dd>\n<dt id=\"is%20it%20safe%20to%20enable%20write%20abilities%3F\"><h3>Is it safe to enable write abilities?<\/h3><\/dt>\n<dd><p>Write abilities respect WordPress capabilities. For example, creating a post requires the <code>publish_posts<\/code> capability, and editing checks per-post permissions. The MCP user must have the appropriate WordPress role.<\/p><\/dd>\n<dt id=\"does%20it%20work%20on%20multisite%3F\"><h3>Does it work on Multisite?<\/h3><\/dt>\n<dd><p>Yes. The plugin can be network-activated. Each site in the network has its own ability configuration.<\/p><\/dd>\n<dt id=\"does%20it%20work%20with%20woocommerce%3F\"><h3>Does it work with WooCommerce?<\/h3><\/dt>\n<dd><p>Yes. The Custom Post Types section automatically detects WooCommerce products, orders, coupons, and any other registered post type. You can list, create, update, and delete items with full access to WooCommerce meta fields like <code>_price<\/code>, <code>_sku<\/code>, <code>_stock_status<\/code>, <code>_regular_price<\/code>, and more.<\/p><\/dd>\n<dt id=\"can%20i%20add%20custom%20abilities%3F\"><h3>Can I add custom abilities?<\/h3><\/dt>\n<dd><p>This plugin registers abilities using the standard <code>wp_register_ability()<\/code> API. You can register additional abilities in your own plugin using the <code>wp_abilities_api_init<\/code> hook.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.8.0<\/h4>\n\n<ul>\n<li>New: 8 Custom Post Type abilities \u2014 list, get, create, update, delete CPT items, get taxonomies, and assign terms<\/li>\n<li>New: Full CPT support works with any plugin or theme (WooCommerce, ACF, JetEngine, custom code, etc.)<\/li>\n<li>New: All meta fields accessible on CPT items (including _price, _sku, ACF fields, etc.)<\/li>\n<li>New: Contextual admin notices for CPT section (no CPTs detected) and SEO section (Rank Math not active)<\/li>\n<li>New: Site statistics now include custom post type counts<\/li>\n<li>Changed: All ability keys standardized to English (e.g. ewpa\/obtener-posts \u2192 ewpa\/get-posts)<\/li>\n<li>Changed: All source strings standardized to English; Spanish moved to translation files<\/li>\n<li>Changed: Automatic migration preserves existing settings when upgrading from v1.7<\/li>\n<li>Total abilities increased from 24 to 32<\/li>\n<\/ul>\n\n<h4>1.7.0<\/h4>\n\n<ul>\n<li>New: Admin notice when MCP Adapter plugin is not installed with download link<\/li>\n<li>New: MCP endpoint URL and Claude Desktop configuration example in API Key section<\/li>\n<li>Updated: Installation instructions reflect WordPress.org plugin directory availability<\/li>\n<\/ul>\n\n<h4>1.6.0<\/h4>\n\n<ul>\n<li>New: Reply to comments ability (responder-comentario) \u2014 respond to existing comments as the authenticated user<\/li>\n<li>Fix: Rank Math focus keyword parameter changed from array to single string for proper MCP compatibility<\/li>\n<li>Improved: Updated actualizar-rankmath label and descriptions for better AI discovery via MCP<\/li>\n<li>Total abilities increased from 23 to 24<\/li>\n<\/ul>\n\n<h4>1.5.0<\/h4>\n\n<ul>\n<li>New: API Key authentication for external MCP connections (Perplexity, custom connectors)<\/li>\n<li>New: Generate, regenerate, and revoke API keys from Settings &gt; WP Abilities<\/li>\n<li>New: Bearer token authentication scoped to MCP REST API routes only<\/li>\n<li>New: API key stored as SHA-256 hash with timing-safe validation<\/li>\n<li>New: Authorization header extraction with Apache\/Nginx\/CGI fallbacks<\/li>\n<li>New: <code>includes\/auth.php<\/code> module with authentication logic<\/li>\n<li>Clean uninstall updated to remove API key option<\/li>\n<\/ul>\n\n<h4>1.4.0<\/h4>\n\n<ul>\n<li>Security: removed server filesystem path exposure from image upload response<\/li>\n<li>Security: removed SVG from allowed upload extensions (XSS prevention)<\/li>\n<li>Security: upgraded capability checks for Rank Math metadata and site statistics abilities<\/li>\n<li>Security: replaced <code>@unlink()<\/code> with <code>wp_delete_file()<\/code> for proper file deletion<\/li>\n<li>Security: replaced <code>user_email<\/code> with <code>user_login<\/code> in user listing ability to prevent email exposure<\/li>\n<li>Code quality: full WordPress Coding Standards (WPCS 3.x) compliance \u2014 zero errors, zero warnings<\/li>\n<li>Code quality: tabs indentation, Yoda conditions, spaces inside parentheses, proper docblocks<\/li>\n<li>Code quality: replaced short ternary operators with explicit ternaries and helper function<\/li>\n<li>Code quality: named function callbacks for activation hook<\/li>\n<li>Code quality: proper multi-line comment formatting<\/li>\n<\/ul>\n\n<h4>1.3.0<\/h4>\n\n<ul>\n<li>New: SEO \u2014 Rank Math section with 2 dedicated abilities<\/li>\n<li>New: Get Rank Math metadata (title, description, keywords, canonical URL, robots, Open Graph, Twitter, primary category, pillar content, SEO score)<\/li>\n<li>New: Update Rank Math metadata with per-field granularity and input validation<\/li>\n<li>New: Upload image from URL ability \u2014 downloads external images to the media library with optional auto-assign as featured image<\/li>\n<li>Total abilities increased from 20 to 23<\/li>\n<\/ul>\n\n<h4>1.2.0<\/h4>\n\n<ul>\n<li>Security hardening: runtime validation of all enum inputs (post_status, orderby, order)<\/li>\n<li>Security hardening: integer inputs clamped to allowed ranges<\/li>\n<li>Security hardening: per-post capability checks for edit, delete, and search-replace<\/li>\n<li>Security hardening: sanitize tags, validate featured images, author IDs, and post dates<\/li>\n<li>Security hardening: wp_unslash and sanitize nonce verification<\/li>\n<li>Fixed: page template uses sanitize_file_name instead of sanitize_text_field<\/li>\n<li>Fixed: search-replace validates empty search and sanitizes replacement with wp_kses_post<\/li>\n<\/ul>\n\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Fixed: added <code>show_in_rest =&gt; true<\/code> to all custom abilities meta (required for REST API and MCP discovery)<\/li>\n<li>Fixed: ability categories now register on <code>wp_abilities_api_categories_init<\/code> hook<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release<\/li>\n<li>17 custom abilities: 8 read, 7 write, 2 utility<\/li>\n<li>3 core abilities exposed to MCP<\/li>\n<li>Admin settings page with per-ability toggles<\/li>\n<\/ul>","raw_excerpt":"Manage which WordPress Abilities are exposed to MCP (Model Context Protocol) servers. Compatible with WooCommerce, ACF, JetEngine, and any custom post &hellip;","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/291619","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=291619"}],"author":[{"embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/fabiomontenegro1987"}],"wp:attachment":[{"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=291619"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=291619"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=291619"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=291619"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=291619"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/pcd.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=291619"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}