Complete Feature List
Built specifically for WordPress, Easy MCP AI turns your site into a headless powerhouse for any artificial intelligence assistant.
Core Capabilities
162 AI-Ready WordPress Tools
Complete CRUD coverage for posts, pages, media, comments, users, categories, tags, menus, plugins, themes, blocks, custom post types, revisions, templates, global styles, and more β plus 71 plugin integration tools for WooCommerce, ACF, Yoast SEO, Rank Math, AIOSEO, BuddyPress, and The Events Calendar, and 17 data integration tools for Google Analytics 4 and Google Search Console.
Browse All 162 Tools βStreamable HTTP Transport
Compatible with any MCP AI client.
Pure PHP Architecture
No Node.js, no external proxy, no long-running processes β runs entirely on standard shared hosting.
Connect to Any AI Client
Supports any AI client that is compatible with MCP (Model Context Protocol).
Security & Control
| Feature | Description |
|---|---|
| OAuth 2.1 with PKCE | Full OAuth 2.1 authorization code flow with PKCE (S256), Dynamic Client Registration (RFC 7591), Authorization Server Metadata (RFC 8414), atomic refresh token rotation, and scope-based tool filtering. |
| Bearer Token Auth | SHA-256 hashed token storage β raw token never stored, shown only once. |
| Per-Token Tool Permissions | Checkbox-based tool permission tree β restrict each token to specific tools. |
| WordPress Capability Checks | Every tool call verifies the acting user has the required WordPress capability (`current_user_can`). |
| Rate Limiting | Configurable per-token rate limiting (default: 60 req/min) with atomic object cache support. |
| IP Whitelisting | Restrict MCP access to specific IPs or CIDR ranges (IPv4 and IPv6 supported). |
| Full Audit Log | Every tool call is logged with token ID, tool name, parsed arguments (passwords redacted), result status, IP, and timestamp. |
| Disabled Delete Tools | Globally block dangerous tools (like `wp_delete_user` or `wp_delete_post`) regardless of token permissions. |
Performance
- Lazy Loading: MCP classes only load on REST API requestsβnot on frontend.
- Token Caching: Token validation cached in object cache for blazing fast request times.
- Throttled Updates: Usage timestamps only update every 5 minutes to prevent DB lockups.
Internationalization
- 52 Admin Languages: English, Spanish, French, German, Portuguese, Japanese, Chinese, Indonesian, Arabic, and more.
- Per-Plugin Customization: Set the plugin's language independently from the global WordPress locale.
OAuth 2.1 Authorization
Full OAuth 2.1 Flow with PKCE
Easy MCP AI implements the complete OAuth 2.1 authorization code flow with PKCE (S256 challenge method), allowing AI clients and third-party apps to connect securely without ever handling raw API tokens.
- β Authorization code flow with PKCE (S256)
- β Dynamic Client Registration (RFC 7591)
- β Authorization Server Metadata (RFC 8414) at domain root
- β Atomic refresh token rotation
- β Scope-based tool filtering
- β Configurable token TTLs (access + refresh)
- β Can be disabled with a single WordPress filter