Title: Royal MCP – Secure AI Connector for Claude, ChatGPT & Gemini
Author: Royal Plugins
Published: January 14, 2026
Last modified: June 29, 2026

---

# Royal MCP – Secure AI Connector for Claude, ChatGPT & Gemini

 By [Royal Plugins](https://profiles.wordpress.org/royalpluginsteam/)

[Download](https://downloads.wordpress.org/plugin/royal-mcp.1.4.32.zip)


## Description

Royal MCP is a security-first Model Context Protocol (MCP) server for WordPress.
It gives AI platforms like Claude, ChatGPT, and Google Gemini structured access 
to your WordPress content — with authentication, rate limiting, and audit logging
that most MCP implementations skip entirely.

**First-time setup walkthrough (with videos):** [royalplugins.com/support/royal-mcp/connecting-to-claude/](https://royalplugins.com/support/royal-mcp/connecting-to-claude/)

According to [recent security research](https://mcpplaygroundonline.com/blog/mcp-server-security-complete-guide-2026),
41% of public MCP servers have no authentication and respond to tool calls without
any credentials. Royal MCP takes the opposite approach: every MCP session requires
an API key, every request is rate-limited, and every interaction is logged.

#### Why Security Matters for MCP

MCP gives AI agents the ability to read, create, update, and delete your WordPress
content. Without proper authentication, anyone who discovers your MCP endpoint can:

 * Read all your posts, pages, and media
 * Create or delete content
 * Access user data and plugin information
 * Overwhelm your server with rapid-fire requests

Royal MCP prevents all of this with API key authentication on session initialization,
timing-safe key comparison, per-IP rate limiting (60 requests/minute), and a full
activity log of every MCP interaction.

#### Free, Self-Hosted, Fully Featured

Royal MCP is fully featured in its free, GPL-licensed release. There is no Pro version —
all tools ship in the wp.org plugin, and updates go through the standard WordPress
plugin updater.

Your credentials stay on your server. Royal MCP runs entirely inside WordPress: 
API keys, OAuth tokens, and session state all live in your own database. Royal MCP
makes no outbound connections to Royal Plugins’ own servers — no license check, 
no telemetry, no traffic beacon. If you prefer to keep AI inference local too, Ollama
and LM Studio are first-class platforms alongside Claude, ChatGPT, and Gemini.

#### 67 Core Tools + 60 Integration Tools

**WordPress Core (67 tools):**

 * Posts – create, read, update, delete, search, count (any registered public post
   type, featured images supported)
 * Pages – full CRUD with parent page support
 * Post Types – discover all registered public post types on the site
 * Post Revisions – list revision history and roll a post back to any prior version
 * Media – browse, upload from URL or base64, update alt text/caption/title/description,
   set as featured image, delete
 * Comments – create, read, delete; full moderation suite (list pending, approve,
   mark spam, trash)
 * Users – display names and roles (emails and usernames are not exposed)
 * Categories & Tags & Custom Taxonomies – create, update (rename/re-slug/edit/move),
   delete, assign, count, discover all registered taxonomies
 * Term Meta – read, update, delete (most useful for term-level SEO meta – titles,
   descriptions, focus keywords stored against categories and tags)
 * Menus – list menus, list menu items, create / update / delete / reorder menu 
   items
 * Post Meta – read, update, delete custom fields (works with ACF, MetaBox, JetEngine,
   Pods, CPT UI)
 * SEO Meta – read and write Yoast SEO or Rank Math title/description/focus keyword/
   robots/OG fields (auto-detects active SEO plugin)
 * Site Info – site name, description, WordPress version, timezone
 * Plugins & Themes – list installed plugins and themes with active status
 * Theme Appearance – get active theme, read/write theme mods (gated by admin toggle
   + allowlist), read/write Custom CSS
 * Search – full-text content search across post types
 * Permalink Structure – read and update permalink settings (gated by admin toggle)
 * Options – read allowlisted core options, read full plugin settings by slug (sensitive
   keys redacted), and write to allowlisted options when an admin enables it

#### Plugin Integrations (Conditional)

Royal MCP automatically detects compatible plugins and adds specialized MCP tools.
No configuration needed — if the plugin is active, the tools appear.

**WooCommerce Integration (26 tools):** When WooCommerce is active, AI agents can
manage your store end-to-end:

 * Browse and search products by category, status, or type
 * Create and update simple and variable products with prices, SKUs, stock levels
 * Manage variable products — list, get, create, update, delete, and batch-update
   product variations
 * Manage global attributes (`pa_*` taxonomies) — list registered attributes, list
   attribute terms, register new attributes, assign attributes to a product as variation
   axes
 * Manage coupons — list, search by code, get, create, update, delete (trash or 
   permanent), and bulk-purge trash; supports all standard WC coupon fields (discount
   type, expiry, usage limits, product/category restrictions, email allowlists)
 * View orders, order details, and update order status
 * List customers with order count and total spent
 * Get store statistics — revenue, order count, average order value by period

**GuardPress Integration (7 tools):** When GuardPress is active, AI agents can
monitor your site security:

 * Get current security score and grade with factor breakdown
 * View security statistics — failed logins, blocked IPs, alerts
 * Run vulnerability scans and review results
 * List blocked IP addresses and failed login attempts
 * Browse the security audit log filtered by severity

**SiteVault Integration (6 tools):** When SiteVault is active, AI agents can manage
your backups:

 * List available backups filtered by status or type
 * Trigger new backups (full, database, files, plugins, themes)
 * Check backup progress in real time
 * View backup statistics — total size, last backup, counts
 * List and review backup schedules

**ForgeCache Integration (3 tools):** When ForgeCache is active, AI agents can
manage your page cache:

 * Clear the entire cache, or purge a specific URL
 * View cache statistics — hit rate, file count, total size

**Royal Ledger Integration (4 tools):** When Royal Ledger is active, AI agents
can review your software costs and license data:

 * List recurring software costs and renewal dates
 * Get cost summaries grouped by month, vendor, or category
 * List stored license keys (key VALUES are never exposed — only masked previews;
   decryption requires logging into wp-admin)

**Royal Links Integration (3 tools):** When Royal Links is active, AI agents can
manage your branded short links:

 * List existing links with click counts and target URLs
 * Create new branded short links
 * Get click statistics for any link

**Advanced Custom Fields Integration (4 tools):** When ACF (free or Pro) is active,
AI agents can read and write ACF fields with the field-type-aware formatting the
ACF UI uses — instead of the raw serialized values WordPress meta returns:

 * Read a single ACF field, formatted per its Return Format setting (hydrated post
   objects, parsed repeater rows, image arrays, etc.)
 * Read every ACF field on a post in one call, with name/label/type/value bundled —
   the most efficient way for an AI to discover what fields exist and read them
   all
 * Update an ACF field with type-aware value handling (scalar for text/number, array
   for repeaters and flex content, post ID for relationships, attachment ID for 
   images)
 * Enumerate ACF field groups on the site, optionally filtered by post type — for
   AI-driven discovery of available custom fields before reading/writing

**Elementor Integration (7 tools):** When Elementor (free or Pro) is active, AI
agents can clone and customize existing Elementor pages without trying to generate
page-builder JSON from scratch:

 * Clone an existing Elementor page with a new title and fresh element IDs (so the
   duplicate opens in the editor without ID collisions)
 * Bulk-replace text across heading, text-editor, button, image-box, icon-box,
   icon-list, testimonial, tabs, accordion, toggle, star-rating, call-to-action, and
   flip-box widgets
 * Swap image URLs across image, image-box, background_image, and gallery widget
   settings
 * Get a compact outline of any page (section/container hierarchy, widget types,
   text snippets) so Claude can reason over a full page in a few KB instead of the
   raw JSON
 * List saved templates from the Elementor template library and import templates
   from JSON
 * Atomic widgets (Elementor 4.0+ Editor V4 elements) pass through opaque — we never
   decode atomic schemas because Elementor itself may shift them. Widget-level creation
   from scratch is intentionally out of scope; the design commitment is to work 
   from an existing-known-good source.

#### Royal MCP and the WordPress Core Abilities API

WordPress 6.9 shipped the Abilities API in November 2025 — a primitive that lets
plugins register typed capabilities AI agents can call. Core ships three default
abilities (site info, user info, environment info) and the `wordpress/mcp-adapter`
package bridges abilities to the MCP protocol.

Royal MCP is a complete, production-ready MCP server that predates the official 
adapter. It runs the full Streamable HTTP transport, enforces API key authentication
on every request, ships OAuth 2.0 for Claude Desktop’s native connector flow,
rate-limits per-IP, redacts sensitive data, and logs every interaction. Out of the box
it includes 67 tools for WordPress core operations plus 60 integration tools that
auto-load when WooCommerce, GuardPress, SiteVault, ForgeCache, Royal Ledger, Royal
Links, Elementor, or Advanced Custom Fields (ACF) is active.

#### Supported AI Platforms

 * **Claude (Anthropic)** – Full MCP support via Claude Desktop, Claude Code, and
   VS Code
 * **OpenAI / ChatGPT** – GPT-5.5, GPT-5, GPT-5 Mini, o3
 * **Google Gemini** – Gemini 3.5 Flash, 3.1 Flash-Lite
 * **Groq** – Llama 3.3, Llama 3.1, GPT-OSS
 * **Azure OpenAI** – Azure-hosted OpenAI deployments
 * **AWS Bedrock** – Claude, Llama, Titan models
 * **Ollama / LM Studio** – Local self-hosted models (no external data transmission)
 * **Custom MCP Servers** – Connect to any MCP-compatible endpoint

#### Compatible Clients & Frameworks

 Royal MCP works with any MCP-compliant client, IDE, or AI agent framework — no
per-tool configuration required. Each entry below describes the specific integration
path Royal MCP provides for that target, so customers can answer “will this work
with the tool I already use?”:

 * **Desktop AI apps** – Claude Desktop (native MCP connector via OAuth 2.0), ChatGPT
   Desktop, Gemini Advanced.
 * **AI code IDEs** – Claude Code, VS Code (with MCP extension), Cursor, Windsurf,
   Continue, Cline, Zed, JetBrains AI Assistant.
 * **API testing tools** – Postman, Bruno, Insomnia (use the API key in the
   `X-Royal-MCP-API-Key` header).
 * **Custom field plugins** – Advanced Custom Fields (ACF) has dedicated `acf_*`
   tools that return values formatted per each field’s Return Format setting (the
   same way the ACF UI shows them). MetaBox, JetEngine, Pods, CPT UI, and Custom
   Field Suite are supported through the `wp_get_post_meta` / `wp_update_post_meta`
   tools, so AI agents can populate custom fields just like a human editor.
 * **Page builders** – Elementor has dedicated tools for clone-and-customize workflows
   (clone a page, find/replace text, swap images, get an outline, import templates) –
   see the Tools list. Widget-level creation from scratch is intentionally out of
   scope. Divi, Beaver Builder, Bricks, Gutenberg, Spectra, and Stackable store
   standard post content that is readable and writable by AI; page-builder-specific
   JSON storage is opaque unless covered by a dedicated tool.
 * **Multilingual** – WPML, Polylang, TranslatePress, qTranslate. Translated posts
   appear as separate posts and can be read or written via the standard post tools.
 * **AI agent frameworks** – LangChain, AutoGen, CrewAI, LlamaIndex, Haystack – 
   any MCP-compatible framework can call Royal MCP’s tools.
 * **AI app platforms** – Anthropic Console, OpenAI Playground, Google AI Studio,
   Vertex AI, Azure AI Studio, Amazon Bedrock Console.

#### MCP Spec Compliance

Royal MCP implements the [MCP 2025-11-25 Streamable HTTP transport specification](https://modelcontextprotocol.io/specification/2025-11-25/basic/transports#streamable-http):

 * Single `/mcp` endpoint for all JSON-RPC communication
 * POST for client messages, GET for server-sent events, DELETE for session termination
 * Cryptographically secure session IDs with transient-based storage
 * Origin header validation to prevent DNS rebinding attacks
 * Proper CORS handling for browser-based MCP clients

### External Services

This plugin connects to third-party AI services to enable AI platforms to interact
with your WordPress content. **No data is transmitted until you explicitly configure
and enable a platform connection.**

**What data is sent:** Your WordPress content (posts, pages, media metadata) as 
requested by the connected AI platform through authenticated MCP tool calls.

**When data is sent:** Only when you have configured a platform with API credentials
AND enabled that platform connection AND the AI platform makes an authenticated 
request.

**Supported services and their policies:**

 * **Anthropic Claude** — Used for Claude AI integration
    [Terms of Service](https://www.anthropic.com/legal/consumer-terms)
   | [Privacy Policy](https://www.anthropic.com/legal/privacy)
 * **OpenAI** — Used for ChatGPT/GPT-4 integration
    [Terms of Use](https://openai.com/policies/terms-of-use)
   | [Privacy Policy](https://openai.com/policies/privacy-policy)
 * **Google Gemini** — Used for Gemini AI integration
    [Terms of Service](https://ai.google.dev/terms)
   | [Privacy Policy](https://policies.google.com/privacy)
 * **Groq** — Used for Groq LPU inference
    [Terms of Service](https://groq.com/terms-of-use/)
   | [Privacy Policy](https://groq.com/privacy-policy/)
 * **Microsoft Azure OpenAI** — Used for Azure-hosted OpenAI models
    [Terms of Service](https://azure.microsoft.com/en-us/support/legal/)
   | [Privacy Policy](https://privacy.microsoft.com/en-us/privacystatement)
 * **AWS Bedrock** — Used for AWS-hosted AI models
    [Terms of Service](https://aws.amazon.com/service-terms/)
   | [Privacy Policy](https://aws.amazon.com/privacy/)
 * **Ollama / LM Studio** — Local self-hosted models (no external data transmission)
 * **Custom MCP Servers** — User-configured servers (data sent to user-specified
   endpoints only)

## Screenshots

 * Main settings page with API key and platform overview
 * AI platform configuration with connection testing
 * Activity log showing authenticated MCP requests
 * Claude Desktop MCP connector setup
 * WooCommerce product management via Claude
 * OAuth consent screen for Claude Desktop connector

## Installation

 1. Upload the `royal-mcp` folder to `/wp-content/plugins/`
 2. Activate the plugin through the ‘Plugins’ menu in WordPress
 3. Go to Royal MCP → Settings to configure
 4. Copy your API key — you will need this to authenticate MCP connections
 5. Add your AI platform(s) and enter their API keys
 6. In your AI client (Claude Desktop, VS Code, etc.), configure the MCP server URL
    and API key
 7. New to MCP? Follow the step-by-step connection walkthrough (with videos) at [royalplugins.com/support/royal-mcp/connecting-to-claude/](https://royalplugins.com/support/royal-mcp/connecting-to-claude/)

Full setup guides for each platform are available at [royalplugins.com/support/royal-mcp/](https://royalplugins.com/support/royal-mcp/).

## FAQ

### What is MCP and why does my WordPress site need it?

Model Context Protocol (MCP) is an open standard created by Anthropic that lets 
AI assistants interact with external data sources. Without MCP, AI tools like Claude
or ChatGPT can only work with content you copy and paste into them. With Royal MCP
installed, these AI platforms can directly read your WordPress posts, create new
content, manage your WooCommerce products, check your security status, and trigger
backups — all through a structured, authenticated protocol.

### How is Royal MCP different from other WordPress MCP plugins?

Security. Most MCP plugins — and 41% of all public MCP servers — have no authentication
at all. Royal MCP requires an API key for every session, rate-limits requests to
prevent abuse, logs every interaction for audit purposes, and filters sensitive 
data (emails, PHP version, admin credentials) from responses. We built this plugin
with the same security standards we apply to GuardPress, our WordPress security 
plugin used on thousands of sites.

### Does Royal MCP duplicate what WordPress core now does?

No. WordPress 6.9 added the Abilities API — a primitive for registering AI-callable
functions — and the `wordpress/mcp-adapter` package bridges abilities to the MCP
protocol. Royal MCP is a full MCP server with the security layer, connector flows,
and plugin integrations that the bare primitive does not include: enforced API key
auth, OAuth 2.0 for Claude Desktop, per-IP rate limiting, audit logging,
sensitive-data redaction, 67 ready-to-use WordPress core tools, and 60 integration tools that
auto-load for WooCommerce, GuardPress, SiteVault, ForgeCache, Royal Ledger, Royal
Links, Elementor, and Advanced Custom Fields.

### Does Royal MCP work with WooCommerce?

Yes. When WooCommerce is active, Royal MCP automatically adds 26 MCP tools spanning
product management (simple and variable, including variation CRUD and global attribute
management), full coupon management (list/get/create/update/delete + bulk trash 
purge), order management (view, update status), customer data, and store statistics.
No additional configuration is needed — the tools appear automatically in the MCP
tools list.

### Can AI assistants configure my plugins for me?

Yes, with safety controls. Royal MCP exposes two tools for plugin configuration:

 * `wp_get_plugin_settings` lets AI read any plugin’s stored settings by slug. Sensitive
   values (API keys, secrets, tokens, passwords, license keys, OAuth credentials)
   are automatically replaced with `[REDACTED]` before they leave your server, so
   AI assistants can understand a plugin’s configuration without ever seeing stored
   credentials.
 * `wp_update_option` lets AI write to WordPress options, but only after passing
   three security gates:
    1. The site admin must enable the “Allow AI to write WordPress options” toggle 
       on the Royal MCP settings page (off by default)
    2. The option name must be in a runtime allowlist. The default allowlist is intentionally
       tiny — `blogname`, `blogdescription`, `posts_per_page`, `date_format`, `time_format`.
       Plugin authors opt their own settings in via the `royal_mcp_writable_options`
       filter.
    3. A hard denylist permanently blocks writes to sensitive option names (siteurl,
       home, license keys, secrets, salts, etc.) regardless of the allowlist or the
       toggle.

Plugin authors can opt in their settings with one line:
`add_filter('royal_mcp_writable_options', fn($opts) => array_merge($opts, ['my_plugin_settings']));`
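The three gates above, modelled in Python to show how they combine. This is an added illustration, not the plugin's PHP code: the `*license*`, `*secret*` and `*salt*` patterns are assumed stand-ins for the denylist categories the FAQ names, and `writable_options` only mimics how the `royal_mcp_writable_options` filter chain extends the default list.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Default allowlist exactly as listed in the FAQ above.
DEFAULT_ALLOWLIST = ("blogname", "blogdescription", "posts_per_page",
                     "date_format", "time_format")

# "siteurl" and "home" are named in the FAQ. The glob patterns are ASSUMED
# stand-ins for "license keys, secrets, salts"; the plugin's real list may differ.
HARD_DENYLIST = ("siteurl", "home", "*license*", "*secret*", "*salt*")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    gate: str    # gate that decided: "denylist", "toggle", "allowlist" or "passed"
    reason: str


def writable_options(callbacks=()):
    """Mimic a filter chain: each callback receives the current list of
    option names and returns the list it wants to be writable."""
    opts = list(DEFAULT_ALLOWLIST)
    for callback in callbacks:
        opts = list(callback(opts))
    return opts


def check_option_write(name, admin_toggle_on, allowlist):
    """Decide whether an option write may proceed.

    The denylist is evaluated first in this model so that "regardless of the
    allowlist or the toggle" is explicit; the allow/deny outcome is the same
    whichever order the three checks run in.
    """
    # Fold case for the denylist only, so a match fails closed.
    folded = name.strip().lower()
    for pattern in HARD_DENYLIST:
        if fnmatchcase(folded, pattern):
            return Decision(False, "denylist",
                            f"{name!r} matches denied pattern {pattern!r}")
    if not admin_toggle_on:
        return Decision(False, "toggle", "option writes are off (the default)")
    # The allowlist is an exact match: near misses are not writable.
    if name not in allowlist:
        return Decision(False, "allowlist", f"{name!r} was never opted in")
    return Decision(True, "passed", "toggle on, allowlisted, not denied")


if __name__ == "__main__":
    # Constructed scenario: a third-party plugin opts in its own settings
    # and, by mistake, siteurl.
    def careless(opts):
        return opts + ["my_plugin_settings", "siteurl"]

    allow = writable_options([careless])
    for option, toggle in [("blogname", False), ("blogname", True),
                           ("my_plugin_settings", True), ("siteurl", True),
                           ("users_can_register", True)]:
        print(option, toggle, check_option_write(option, toggle, allow))
```

The `siteurl` case is the one to watch when reviewing third-party opt-ins: the filter callback did add it to the list, yet the write is still refused at the denylist.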

### How do I connect Claude Desktop to WordPress?

Install Royal MCP, go to Royal MCP → Settings, and copy your API key and MCP server
URL. In Claude Desktop, add a new MCP server configuration with the URL and include
the `X-Royal-MCP-API-Key` header with your API key. Full step-by-step guide at [royalplugins.com/support/royal-mcp/](https://royalplugins.com/support/royal-mcp/).
If the connection fails, see the next FAQ.

### The connector won’t connect — where do I start?

About 90% of “can’t connect” / “OAuth failed” / “tools missing” issues resolve in
a basic 4-step pass before any host-specific fix is needed. In order: (1) update
Royal MCP to the latest version (every recent release fixes meaningful OAuth edge
cases), (2) run a conflict test — deactivate all other plugins, switch to a default
theme like Twenty Twenty-Five, and purge every cache layer (any cache plugin, your
host’s server-level cache, Cloudflare/CDN, and browser cache), (3) wipe stale OAuth
state — use the Reset OAuth State button in Royal MCP → Settings if you’re on 1.4.17
or newer, or run the four `DELETE` SQL queries documented in our support article,
(4) check Royal MCP → Activity Logs for the most recent `oauth:` row, which records
exactly which validation rule fired. Full walk-through with copy-pasteable commands
at [royalplugins.com/support/royal-mcp/troubleshooting-start-here.html](https://royalplugins.com/support/royal-mcp/troubleshooting-start-here.html).
Only proceed to host-specific fixes (Cloudflare AI Bots toggle, SiteGround
`/.well-known/` static files, edge-cache exclusions) after the four basics are ruled out —
most “advanced infrastructure” tickets we receive actually resolve in those four
steps.

### I restored my WordPress database from backup and Claude can’t reconnect. How do I fix this?

When you restore from backup, the OAuth client credentials Claude was holding no
longer match anything on the WordPress side, so Claude’s connector ends up with 
a stale token that no Royal MCP installation will accept. The fix in Royal MCP 1.4.17+
is one click: go to **Royal MCP → Settings** and click the **Reset OAuth State**
button. This wipes all stale OAuth clients, issued access/refresh tokens, and pending
authorization codes. Then in Claude, delete the existing connector entirely, wait
30 seconds, and re-add it from scratch — the full OAuth flow runs fresh against 
the cleaned-up state and the connection works. On 1.4.16 or older the same effect
can be achieved by running four `DELETE` SQL queries documented at [royalplugins.com/support/royal-mcp/troubleshooting-start-here.html](https://royalplugins.com/support/royal-mcp/troubleshooting-start-here.html).
The plugin’s settings, API key, and Activity Log are not affected by Reset OAuth
State — only the OAuth handshake state.

### Claude says “Couldn’t register with sign-in service” or “Session not found” — what’s wrong?

Both messages (plus “no tools available” in Claude.ai after connecting) usually 
mean one of Royal MCP’s OAuth or sessions database tables is physically missing.
The fix is to update Royal MCP to 1.4.29 or newer — the new runtime healer detects
missing tables and recreates them automatically on the next pageload, with no
deactivate/reactivate required. After updating, delete the existing Royal MCP connector in
Claude, wait 30 seconds, then re-add it fresh. If you can’t update yet and need 
to recover immediately, the manual workaround is `wp option delete royal_mcp_db_version`
followed by loading any wp-admin page. Full symptom diagnostic (phpMyAdmin / WP-CLI),
the auto-heal explanation, and the manual recovery walkthrough are at [royalplugins.com/support/royal-mcp/oauth-tables-missing.html](https://royalplugins.com/support/royal-mcp/oauth-tables-missing.html).

### I’m auditing my install and can’t find the OAuth endpoints under `/wp-json/royal-mcp/v1/`. Where are they?

By design, Royal MCP’s OAuth endpoints (`/register`, `/token`, `/authorize`) are
registered as **top-level WordPress rewrite rules at the site root**, not as REST
API routes under `/wp-json/royal-mcp/v1/`. This is required by the OAuth 2.0 specification
(RFC 6749) and the MCP discovery specs (RFC 8414 and RFC 9728), which mandate predictable
site-root paths so OAuth-discovery-aware clients can find them without per-plugin
configuration. If you’re auditing rewrite rules instead of REST routes, you can
see ours via `wp rewrite list | grep royal_mcp_oauth` from WP-CLI. The
`/wp-json/royal-mcp/v1/` namespace contains the JSON-RPC tool endpoint at `/mcp` plus supporting
REST routes (`/posts`, `/pages`, `/site`, etc.) — but not the OAuth handshake endpoints
themselves. Both routing layers are normal and both need to be reachable for the
connector to work end-to-end.

### Is my content safe?

Royal MCP is designed with defense in depth. API key authentication is required 
for all MCP sessions. Rate limiting prevents abuse (60 requests per minute per IP).
Activity logging records every tool call. Sensitive data is filtered — user emails,
usernames, admin email, PHP version, and stored credentials inside plugin settings
(API keys, secrets, tokens, passwords) are never exposed through MCP. Comment creation
respects your WordPress moderation settings. Post meta values are sanitized before
storage. Option writes are disabled by default and gated by three independent checks
(admin toggle, allowlist, hard denylist) when enabled. The plugin itself starts disabled
by default — nothing is accessible until you explicitly enable it.

### Can I use local AI models instead of cloud services?

Yes. Royal MCP supports Ollama and LM Studio for fully local AI inference. When 
using local models, no data leaves your server — the AI model runs on your own hardware
and communicates with WordPress through the MCP protocol on localhost.

### What happens if I uninstall Royal MCP?

Royal MCP performs a clean uninstall. All plugin options, database tables (activity
logs), transients, and user meta are removed. No orphaned data is left behind.

### Does Royal MCP work with Claude Code, VS Code, Cursor, Windsurf, or other AI IDEs?

Yes. Any MCP-compliant client can connect to Royal MCP. Configure your IDE or client
with the MCP server URL (`https://yoursite.com/wp-json/royal-mcp/v1/mcp`) and the
API key (sent in the `X-Royal-MCP-API-Key` header). Claude Desktop additionally 
supports the native “Add Connector” OAuth 2.0 flow, which Royal MCP handles via 
Dynamic Client Registration (RFC 7591) — no manual API key management required on
that path. The same OAuth flow works in any client that follows the MCP 2025-11-25
spec.

### Does Royal MCP work with custom fields, ACF, MetaBox, JetEngine, Pods, or CPT UI?

Yes. Royal MCP exposes WordPress’s standard `wp_get_post_meta`, `wp_update_post_meta`,
and `wp_delete_post_meta` tools, which read and write any custom field — including
Advanced Custom Fields (ACF), MetaBox, JetEngine, Pods, CPT UI, and Custom Field
Suite. AI agents can populate ACF fields, set repeater rows, update flexible content
blocks, and read computed fields just like a human editor working in the WordPress
admin.

### Will Royal MCP slow down my WordPress site?

No. The MCP endpoint is a REST route that runs only when an authenticated AI client
makes a request — it does not run on visitor-facing pages, frontend templates, or
admin screens (except its own settings page). The activity log uses a single indexed
database table and writes asynchronously after the response is sent. Rate limiting
(60 requests/minute per IP) prevents accidental overload.

### Does Royal MCP work on WordPress multisite networks?

Yes, on a per-site basis. Each site in a multisite network has its own API key, 
its own activity log, and its own settings. AI clients connect to a specific site’s
MCP endpoint — Royal MCP does not bridge requests between sites in the network.

### Can I limit which posts, pages, or post types AI can access?

Yes. The `wp_get_posts` and `wp_create_post` tools accept a `post_type` parameter
and validate it against registered public post types, so private or internal post
types are not exposed. Plugin authors can disable specific tools entirely with the
`royal_mcp_disabled_tools` filter, or scope the option-write allowlist with `royal_mcp_writable_options`.
WordPress’s standard capability checks also apply to every tool call.

### Does Royal MCP work with WPML, Polylang, or TranslatePress for multilingual content?

Yes. Translated posts appear as separate WordPress posts (each with its own ID
and language meta) and are readable or writable via the standard `wp_get_posts`,
`wp_create_post`, and `wp_update_post` tools. AI agents can list posts in a specific
language by filtering on the language meta key, or translate a post and write the
corresponding translation by ID.

### How do I monitor what AI is doing on my site?

Every authenticated MCP request is logged to the Royal MCP activity log with timestamp,
client IP, tool name, parameters (sensitive values redacted), and response status.
The log is filterable by time range, client, tool, or status code, and exportable
to CSV. The log page refreshes via AJAX so you can watch active sessions in real
time.
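One way to review an exported activity log offline, as an added example that is not part of the plugin. The CSV column names (`timestamp`, `client_ip`, `tool`, `status`) and the HTTP-style status codes are assumptions about the export format, and the sample rows are constructed; adjust the names to match a real export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

RATE_LIMIT_PER_MINUTE = 60  # per-IP limit stated on this page
# Tool names taken from this page; extend with whatever else you treat as sensitive.
SENSITIVE_TOOLS = {"wp_update_option", "wp_delete_post", "wp_delete_post_meta"}
REJECTED_STATUSES = {401, 403, 429}  # ASSUMED: the status column holds HTTP-style codes


def review_activity_log(csv_text, burst_threshold=RATE_LIMIT_PER_MINUTE):
    """Summarise an exported log: per-IP bursts, rejected calls, sensitive tools."""
    per_minute = Counter()
    rejected = Counter()
    sensitive = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        ip = row["client_ip"]
        status = int(row["status"])
        # Bucket by calendar minute; a sliding window would catch bursts
        # that straddle a minute boundary but needs sorted input.
        per_minute[(ip, ts.replace(second=0))] += 1
        if status in REJECTED_STATUSES:
            rejected[ip] += 1
        if row["tool"] in SENSITIVE_TOOLS:
            sensitive.append((row["timestamp"], ip, row["tool"], status))
    bursts = sorted(
        (ip, minute.strftime("%Y-%m-%d %H:%M"), count)
        for (ip, minute), count in per_minute.items()
        if count >= burst_threshold
    )
    return {"bursts": bursts, "rejected": dict(rejected), "sensitive": sensitive}


def constructed_sample():
    """Constructed log rows using documentation-range IP addresses."""
    rows = ["timestamp,client_ip,tool,status"]
    for second in range(60):
        rows.append(f"2026-06-01 10:15:{second:02d},203.0.113.7,wp_get_posts,200")
    rows.append("2026-06-01 10:15:59,203.0.113.7,wp_get_posts,429")
    rows.append("2026-06-01 10:20:03,198.51.100.9,wp_update_option,403")
    rows.append("2026-06-01 10:20:09,198.51.100.9,wp_delete_post,401")
    rows.append("2026-06-01 10:21:30,192.0.2.10,wp_delete_post,200")
    return "\n".join(rows)


if __name__ == "__main__":
    report = review_activity_log(constructed_sample())
    for ip, minute, count in report["bursts"]:
        print(f"burst: {ip} made {count} requests during {minute}")
    for ip, count in report["rejected"].items():
        print(f"rejected: {ip} had {count} refused requests")
    for entry in report["sensitive"]:
        print("sensitive tool call:", entry)
```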

## Reviews

### [Solid plugin, Does the job, Great Support](https://wordpress.org/support/topic/solid-plugin-does-the-job-great-support/)

 [artisantrainingacademy](https://profiles.wordpress.org/artisantrainingacademy/) June 13, 2026

Been using this with Claude for a few months now. Session persistence works, the
tool surface is broader than I expected (menus, theme mods, custom CSS, Elementor
data, post revisions all available), and it’s stable in production. Support is fantastic.
Highly Recommended.

### [Great Plugin](https://wordpress.org/support/topic/great-plugin-41462/)

 [ober37](https://profiles.wordpress.org/ober37/) April 30, 2026

I have been using this plugin to automate my site management within an ecosystem
of Claude agents and it has worked great! I am also very impressed by how often
the author continues to update its functionality! I look forward to working more
with this plugin and to helping expand its functionality!

### [awesome together with claude](https://wordpress.org/support/topic/awesome-together-with-claude/)

 [michealdupont](https://profiles.wordpress.org/michealdupont/) April 26, 2026

Using this plugin together with Claude Desktop, amazing setup, real time saver!
Recommended for all Vibe WordPressers!

### [Lightweight & simple to use](https://wordpress.org/support/topic/lightweight-simple-to-use/)

 [tinab3](https://profiles.wordpress.org/tinab3/) April 9, 2026

We have been using this for months now, it only took a few minutes to set up and
allowed us to connect MCP to Claude to run updates on some sites. Never had issues,
seems light and plays well with other plugins and WP

 [ Read all 4 reviews ](https://wordpress.org/support/plugin/royal-mcp/reviews/)

## Contributors & Developers

“Royal MCP – Secure AI Connector for Claude, ChatGPT & Gemini” is open source software.
The following people have contributed to this plugin.

Contributors

 *   [ Royal Plugins ](https://profiles.wordpress.org/royalpluginsteam/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/royal-mcp/), check 
out the [SVN repository](https://plugins.svn.wordpress.org/royal-mcp/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/royal-mcp/) by [RSS](https://plugins.trac.wordpress.org/log/royal-mcp/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.4.32

 * Feature: `wp_search` now accepts optional `snippet` (int, max 1000 chars) and
   `per_page` (default 20, max 100) parameters. When `snippet` is set, each result
   row includes the matched post’s `slug` and a content excerpt windowed around 
   the first occurrence of the search term — lets AI drivers skip a follow-up `wp_get_page`
   per result on multi-page audits. Snippet extraction strips HTML and registered
   shortcodes and is multibyte-safe. Strictly additive; existing callers without
   the new parameters see no behavior change.
 * Feature: `wc_get_orders` now accepts a `page` parameter for stores with more 
   than `per_page` orders. **Response shape change:** the tool now returns `{orders,
   page, per_page, total, total_pages}` instead of a bare array. AI drivers should
   iterate `page` until `page >= total_pages`. Pre-1.4.32, orders beyond the first
   100 were unreachable.
 * Docs: general readme cleanup and updates.

#### 1.4.31

 * Hardening: `wp_delete_post` capability check now runs before the post-existence
   lookup. Pre-1.4.31, a Subscriber-tier OAuth Bearer calling `wp_delete_post` with
   a non-existent post ID received “Post not found.” rather than a permission error —
   effectively a post-ID enumeration surface (the response distinguished “exists
   but you can’t delete” from “doesn’t exist”). 1.4.31 inverts the order: unauthorized
   callers now receive a permission error regardless of whether the target post 
   exists. Same defense-in-depth pattern as the six integration cap-order fixes 
   shipped in 1.4.30.
 * Hardening: `wp_get_post_meta` now requires the `edit_post` capability for
   underscore-prefixed (protected) meta keys, matching WordPress core’s `is_protected_meta()`
   convention. Pre-1.4.31, a Subscriber-tier OAuth Bearer could read underscore-prefixed
   post meta on public posts (Yoast SEO `_yoast_wpseo_*`, `_edit_lock`,
   `_wp_attached_file`, ACF internal fields, custom plugin meta) because the broader
   `read_post` cap returned true for public content. The non-underscore (developer-visible)
   meta path keeps the existing `read_post` gate so legitimate public-meta
   reads continue to work for low-privilege users. Empty-key “return all meta” requests
   also require `edit_post` since the response would otherwise expose protected
   keys.
 * Hardening: `wp_update_post`, `wp_update_page`, `wp_update_media`, and `wp_update_term`
   now treat empty-string text fields as “preserve existing value” rather than
   “blank the field.” Pre-1.4.31, an AI driver that template-filled an optional text
   argument with `""` instead of omitting it would silently destroy the existing
   post body, title, excerpt, caption, alt text, term name, or term description.
   Field omission already preserved existing values via PHP’s `isset()` gate; this
   extends the same protection to the empty-string case. To explicitly clear a text
   field, edit through the WP admin.
 * Ergonomics: Every tool that identifies a single post now accepts either `id`
   or `post_id`. Pre-1.4.31, `wp_get_post` / `wp_update_post` / `wp_delete_post`
   required `id` while `wp_get_post_meta` / `wp_update_post_meta` / `wp_get_seo_meta` /
   `wp_update_seo_meta` / `wp_get_post_revisions` / `wp_add_post_terms` required
   `post_id` — an AI driver that called a tool with the wrong-named argument received
   an InputValidationError. Both names are now accepted on every post-identifying
   tool (pages and media included; comments, terms, and users keep their separate
   ID domains). No schema changes; existing callers continue to work unchanged.
 * UX: Royal Plugins Founders Bundle banner tweaks on the Royal MCP settings page.
 * UX: New wp.org review-request banner on the Royal MCP settings page with a direct
   CTA to leave a review. Dismissable per plugin version — appears once on each 
   plugin update, no time-based or pageload re-prompts.

#### 1.4.30

 * New: `elementor_add_widget` MCP tool — the first structural-write Elementor tool.
   Programmatically drop widgets or containers into an existing Elementor page.
   Dual-surface design: the raw path accepts any widget type registered with Elementor
   (or an Editor V4 atomic prefix) plus a full Elementor settings object; the curated
   path covers the 11 highest-frequency widget types (container, heading, text-editor,
   button, image, image-box, icon-box, icon-list, video, divider, spacer) with flat
   parameters that the tool expands into the canonical settings object internally,
   saving tokens on every call. Container widgets can include nested children inline
   (one call drops a parent container with N child widgets, recursive). Atomic widgets
   (Editor V4) pass through opaquely via the raw path since their JSON schema is
   not publicly documented. Curated `video` detects host and routes YouTube, Vimeo,
   and Dailymotion URLs to the correct internal Elementor field. Curated `icon-list`
   builds the repeater shape with auto-generated item IDs. Cap-checked via `edit_post`
   per the existing Elementor-tool pattern (1.4.26 hardening still applies).
   Pre-1.4.30 the Elementor tools covered clone-and-customize (1.4.19) and read (`elementor_get_page_outline`);
   they did not let an agent build a page widget by widget. 1.4.30 closes that gap
   with the smallest possible surface.
 * Hardening: `elementor_add_widget` rejects unknown `widget_type` slugs at the 
   boundary rather than serializing them into `_elementor_data` (where Elementor
   would render them as silent empty placeholders). Validates against Elementor’s
   widget registry, allows Editor V4 atomic prefixes (`a-*` / `e-*`) opaquely, and
   fails open if the registry is unreachable so a transient autoloader miss can’t
   block writes that would otherwise succeed. Catches typos (`headng`, `text-edtior`)
   at the API call instead of after an agent thinks the page was built.
 * Hardening: Capability check order in six integration tool wrappers (GuardPress,
   SiteVault, ForgeCache, Royal Ledger, ACF, Royal Links). Pre-1.4.30 the “integration
   is not active” check fired before the capability check, so a Subscriber-tier
   OAuth Bearer calling an integration tool on a site where that integration was
   inactive would receive the “X is not active” error message — effectively a
   presence-probe surface that let unauthorized callers enumerate which integrations were
   installed. 1.4.30 inverts the order: an unauthorized caller now receives a permission
   error first regardless of whether the integration is present. For four of the
   six wrappers the existing umbrella cap (`manage_options` for GuardPress / SiteVault /
   Royal Ledger) was already correct and only needed reordering; ACF and Royal Links
   gained a new `edit_posts` umbrella check above their per-handler caps. Per-handler
   object-level checks (`read_post`, `edit_post`, `manage_options`) remain in place —
   no semantic change for authorized callers.
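
The check-order fixes in 1.4.31 (`wp_delete_post`) and 1.4.30 (integration wrappers) close the same kind of oracle. The PHP below is an added example, not Royal MCP's code: a stand-alone model whose role table, post store, and function names are all assumptions made for illustration. It contrasts lookup-first with capability-first ordering and lists the distinct result codes each caller can observe across existing and non-existing IDs.

```php
<?php
declare(strict_types=1);

// Constructed sample data for this model (not WordPress's real role table).
const ROLE_CAPS = [
    'subscriber'    => ['read'],
    'author'        => ['read', 'delete_posts'],
    'administrator' => ['read', 'delete_posts', 'delete_others_posts'],
];
const POSTS = [
    10 => ['author' => 'alice'],
    11 => ['author' => 'bob'],
];

function has_cap(array $user, string $cap): bool
{
    return in_array($cap, ROLE_CAPS[$user['role']] ?? [], true);
}

// Object-level rule: own posts need delete_posts, other people's need delete_others_posts.
function may_delete(array $user, array $post): bool
{
    $cap = $post['author'] === $user['login'] ? 'delete_posts' : 'delete_others_posts';
    return has_cap($user, $cap);
}

function deny(string $code, string $message): array
{
    return ['ok' => false, 'code' => $code, 'message' => $message];
}

// "Before" ordering: the existence lookup answers first, so the error code tells
// any caller whether the ID exists.
function delete_lookup_first(array $user, int $id): array
{
    $post = POSTS[$id] ?? null;
    if ($post === null) {
        return deny('not_found', 'Post not found.');
    }
    if (!may_delete($user, $post)) {
        return deny('forbidden', 'Permission denied.');
    }
    return ['ok' => true, 'code' => 'deleted', 'id' => $id];
}

// "After" ordering: a gate that never reads the store runs first. Past the gate,
// "missing" is only disclosed to callers who could delete any post anyway.
function delete_cap_first(array $user, int $id): array
{
    if (!has_cap($user, 'delete_posts')) {
        return deny('forbidden', 'Permission denied.');
    }
    $post = POSTS[$id] ?? null;
    if ($post === null) {
        return has_cap($user, 'delete_others_posts')
            ? deny('not_found', 'Post not found.')
            : deny('forbidden', 'Permission denied.');
    }
    if (!may_delete($user, $post)) {
        return deny('forbidden', 'Permission denied.');
    }
    return ['ok' => true, 'code' => 'deleted', 'id' => $id];
}

// Regression check: the set of distinct result codes one caller sees across IDs.
// More than one code for an unauthorized caller means the handler is an oracle.
function observed_codes(callable $handler, array $user, array $ids): array
{
    $seen = [];
    foreach ($ids as $id) {
        $seen[$handler($user, $id)['code']] = true;
    }
    return array_keys($seen);
}

$ids = [10, 11, 999]; // 999 does not exist in POSTS
$callers = [
    ['login' => 'mallory', 'role' => 'subscriber'],
    ['login' => 'alice',   'role' => 'author'],
    ['login' => 'root',    'role' => 'administrator'],
];
foreach ($callers as $user) {
    foreach (['delete_lookup_first', 'delete_cap_first'] as $handler) {
        printf("%-13s %-20s %s\n", $user['role'], $handler,
            implode(',', observed_codes($handler, $user, $ids)));
    }
}
```

A test suite can assert that `observed_codes()` returns exactly one code for every role that lacks the tool's capability; the same assertion applies to an "integration is not active" message.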

#### 1.4.29

 * Fix: Restore the runtime DB-migration retry semantic that regressed in 1.4.27.
   On a subset of wp.org auto-update installs (LiteSpeed-fronted hosts with opcache,
   plus any environment where the autoloader transiently failed during the file-swap),
   1.4.27’s `maybe_upgrade_db()` could mark the schema version as up-to-date
   even when the new sessions table and OAuth tables hadn’t actually been created.
   The latched state silently broke OAuth registration (`/register` returned 500
   with “Failed to persist client registration. The OAuth tables may be missing”)
   and MCP session persistence (`Mcp-Session-Id` couldn’t be looked up on the next
   request, returning 404 “Session not found”). 1.4.29 restores the success-tracking —
   `db_version` only advances when every required migration actually ran — and adds
   a force-load fallback so a transient autoloader miss can’t latch the install.
   Affected customers heal automatically on the 1.4.29 update; if any install is
   still stuck after updating, a single deactivate + reactivate also creates the
   tables.
 * Fix: Defensive self-heal on `/register`. If the OAuth client registration handler
   hits the “tables may be missing” error path, the plugin now attempts to create
   the missing tables once and retry the insert before returning the 500 to the 
   calling MCP client. Belt-and-suspenders for any install that still updates with
   the autoloader race fired.
 * Fix: `maybe_upgrade_db()` no longer trusts the `royal_mcp_db_version` option 
   alone — it now also verifies that the OAuth-clients and sessions tables physically
   exist before short-circuiting the migration. Closes a recovery gap where an install
   whose tables had been dropped externally (or by an uninstall that left the version
   option behind) could not self-heal via the runtime migration, even after a deactivate
   + reactivate cycle. Thanks to @rula99 for the wp.org forum report and root-cause
   analysis.
 * Fix: `uninstall.php` now also deletes the `royal_mcp_db_version` option.
   Pre-1.4.29, uninstall dropped all tables and cleared settings but left the version
   option in place, so a subsequent reinstall on the same WP install would see the
   option matching the new plugin version and skip table re-creation, leaving the
   install in a stuck state. Uninstall now leaves a fully clean slate. Thanks to
   @rula99.

#### 1.4.28

 * Compatibility: Authorization-header API key fallback. Pre-1.4.28, if an MCP client
   sent its static API key via the universal `Authorization: Bearer <key>` HTTP 
   header, Royal MCP routed the value entirely into OAuth-token validation, failed
   (since an API key is not an OAuth token), and returned 401 — even though the same
   key worked when sent via the Royal-MCP-specific `X-Royal-MCP-API-Key` header.
   This broke connection with several modern MCP clients (Apify’s newly-launched
   MCP connectors, n8n, Make.com, anything that follows the universal HTTP convention
   for bearer credentials). 1.4.28 adds a strict-additive fallback: after OAuth-token
   validation fails, the same Bearer value is tried as an API key before returning
   the 401. The security perimeter is unchanged — API keys were already accepted
   as bearer credentials via a different header name; this just accepts the universal
   convention every modern MCP client uses. The `X-Royal-MCP-API-Key` header continues
   to work for backward compatibility.
 * Feature: Yoast / Rank Math `wp_get_seo_meta` and `wp_update_seo_meta` tools now
   read and write the post URL slug (the “Slug” field shown in Yoast’s and Rank 
   Math’s post editors). Pre-1.4.28, AI agents could write SEO title, meta description,
   focus keyword, robots, and OG fields but had to fall back to `wp_update_post`
   for the slug — an extra tool call and a workflow break. Now a single `wp_update_seo_meta`
   call covers the whole SEO setup. The slug is a WordPress-native field (post_name),
   so it works regardless of whether Yoast or Rank Math is installed. Slug updates
   route through `wp_update_post()` so WordPress’s slug-uniqueness logic runs (appends
   -2, -3, etc on collision) and downstream `save_post` hooks fire normally. The
   actually-saved slug is returned in the response so the caller can confirm whether
   WordPress modified the requested value. Requires `edit_post` capability on the
   target post (the same gate the rest of the tool already enforces). Thanks to
   @KKNORR-TC for the request (GH issue #34).
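
The Bearer fallback described in the first 1.4.28 entry, as an added PHP example that is not the plugin's own code. It is a stand-alone model: the sample credentials, the choice to store only SHA-256 digests, and all function names are assumptions. The administrator role on the API-key path follows what this changelog states for 1.4.26.

```php
<?php
declare(strict_types=1);

// Constructed sample credentials. Storing only SHA-256 digests is an assumption
// of this model, as are all function names below.
function credential_store(): array
{
    return [
        'oauth_tokens' => [
            hash('sha256', 'oauth-token-EXAMPLE') => ['user' => 'bob', 'role' => 'subscriber'],
        ],
        'api_key_digest' => hash('sha256', 'api-key-EXAMPLE'),
    ];
}

// HTTP header names are case-insensitive, so compare them that way.
function header_value(array $headers, string $name): ?string
{
    foreach ($headers as $key => $value) {
        if (strcasecmp((string) $key, $name) === 0) {
            return trim((string) $value);
        }
    }
    return null;
}

function bearer_value(array $headers): ?string
{
    $auth = header_value($headers, 'Authorization');
    if ($auth === null || preg_match('/^Bearer\s+(\S+)$/i', $auth, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Digests are compared with hash_equals() so timing does not depend on the match length.
function match_oauth(array $store, string $presented): ?array
{
    $digest = hash('sha256', $presented);
    foreach ($store['oauth_tokens'] as $known => $principal) {
        if (hash_equals((string) $known, $digest)) {
            return $principal + ['via' => 'oauth'];
        }
    }
    return null;
}

function match_api_key(array $store, string $presented): ?array
{
    if (!hash_equals($store['api_key_digest'], hash('sha256', $presented))) {
        return null;
    }
    return ['user' => 'api-key', 'role' => 'administrator', 'via' => 'api_key'];
}

function api_key_header(array $store, array $headers): ?array
{
    $key = header_value($headers, 'X-Royal-MCP-API-Key');
    return $key === null ? null : match_api_key($store, $key);
}

// Pre-1.4.28 behaviour as described: a Bearer value is only ever tried as an OAuth token.
function authenticate_before(array $store, array $headers): ?array
{
    $bearer = bearer_value($headers);
    return $bearer !== null ? match_oauth($store, $bearer) : api_key_header($store, $headers);
}

// 1.4.28 behaviour as described: OAuth first, then the same value as an API key.
// The OAuth match wins, so a low-privilege token never picks up the API-key role.
function authenticate_after(array $store, array $headers): ?array
{
    $bearer = bearer_value($headers);
    if ($bearer === null) {
        return api_key_header($store, $headers);
    }
    return match_oauth($store, $bearer) ?? match_api_key($store, $bearer);
}

function describe(?array $principal): string
{
    return $principal === null ? '401' : $principal['via'] . ' as ' . $principal['role'];
}

$store = credential_store();
$requests = [ // constructed requests
    'OAuth token as Bearer' => ['Authorization' => 'Bearer oauth-token-EXAMPLE'],
    'API key as Bearer'     => ['authorization' => 'bearer api-key-EXAMPLE'],
    'API key in X- header'  => ['X-Royal-MCP-API-Key' => 'api-key-EXAMPLE'],
    'unknown Bearer'        => ['Authorization' => 'Bearer not-a-credential'],
];
foreach ($requests as $label => $headers) {
    printf("%-22s before: %-26s after: %s\n", $label,
        describe(authenticate_before($store, $headers)),
        describe(authenticate_after($store, $headers)));
}
```

Only the "API key as Bearer" row changes between the two functions, which is what "strict-additive" means for the credential perimeter: no value that was rejected as both an OAuth token and an API key is accepted afterwards.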

#### 1.4.27

 * Reliability: MCP session state moved off WordPress transients onto a dedicated
   `wp_royal_mcp_sessions` table. Pre-1.4.27, sites with an active WordPress object
   cache drop-in (typically dropped by some LiteSpeed-based managed hosts, or caching
   plugins like SpeedyCache) could see every MCP tool call after `initialize` fail
   with `404 Session not found or expired`, because the object cache backend was
   silently evicting the transient between requests. Direct DB storage with sha256-hashed
   session lookup gives reliable persistence regardless of cache backend —
   the same defense-in-depth pattern the 1.4.17 release applied to OAuth authorization
   codes for the identical root cause. No customer action required; the new table
   is created automatically on update, and existing transient-based sessions expire
   naturally as MCP clients reconnect.
 * Cleanup: Removed orphan admin-AJAX handler `royal_mcp_get_platform_fields` along
   with the `render_platform_fields` helper method it called. Both had been dead
   code — an earlier refactor moved the platform-field rendering inline into `templates/admin/settings.php`,
   leaving the class method as a vestige reachable only through
   the unused AJAX handler. The live Settings page render path is unchanged. ~130
   lines removed; smaller attack surface (registered admin-AJAX handlers remain 
   reachable via direct POST regardless of whether the UI wires them up).
 * Compliance: Tightened one description-section bullet that enumerated three SEO
   plugins by name without per-brand functional content, rewriting it as a generic
   capability description (“term-level SEO meta — titles, descriptions, focus keywords”).

#### 1.4.26

 * Security: Per-tool WordPress capability checks added to all content, user, term,
   comment, and integration tools. Pre-1.4.26, an authenticated OAuth Bearer token
   issued to a low-privileged WordPress role (Subscriber, Contributor) could be 
   used to invoke admin-only operations via Royal MCP tools — create/update/delete
   admin-owned content, enumerate users, read private posts and post meta, manage
   WooCommerce records, trigger SiteVault backups, read GuardPress security audit
   logs, and more. The API-key authentication path was unaffected (it explicitly
   runs as the administrator role per 1.4.6, since the API key is admin-only-accessible).
   Per-tool checks now uniformly enforce: `read_post` on read tools (object-level),
   `list_users` on user-read tools, `edit_post` / `edit_others_posts` / `delete_post` /
   `delete_others_posts` on post-write tools (object-level via map_meta_cap), `manage_categories` /
   per-taxonomy caps on term tools, `edit_comment` on comment-delete, `manage_woocommerce`
   on WooCommerce tools, and `manage_options` on integration tools that touch backups,
   security state, or financial data. The list-tool status filters (`wp_get_posts`,
   `wp_get_comments`) were additionally converted from a denylist of restricted statuses
   to a positive allowlist of public statuses, so unexpected status values (`any`,
   unknown strings, typos) fail closed and require the matching read cap. The 1.4.23
   ACF integration + 1.4.6 media upload + 1.4.17 comment-moderation + 1.4.17 menu
   tools were already correctly gated; 1.4.26 brings the rest of the tool surface
   to that same pattern. Reported by Alessandro Greco (Aleff). Recommended for all
   users.
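
Why the status filter fails closed only as an allowlist, shown as an added PHP example rather than the plugin's code. The two status lists, the constructed requests, and the function names are assumptions of this stand-alone model; `any` is included because WP_Query treats it as a wildcard for `post_status`.

```php
<?php
declare(strict_types=1);

// Constructed lists for this model; a real site would derive them from WordPress.
const RESTRICTED_STATUSES = ['draft', 'pending', 'private', 'trash'];
const PUBLIC_STATUSES     = ['publish'];

// Denylist shape: only values named as restricted trigger the capability check.
function needs_cap_denylist(array $statuses): bool
{
    return array_intersect($statuses, RESTRICTED_STATUSES) !== [];
}

// Allowlist shape: every value must be named as public, otherwise the check applies.
// An empty filter is treated as "not proven public" and also needs the capability.
function needs_cap_allowlist(array $statuses): bool
{
    return $statuses === [] || array_diff($statuses, PUBLIC_STATUSES) !== [];
}

// List-tool gate: $statuses is the caller-supplied filter, $hasReadCap says whether
// the caller holds the capability needed for non-public content.
function list_gate(callable $needsCap, array $statuses, bool $hasReadCap): string
{
    return ($needsCap($statuses) && !$hasReadCap) ? 'forbidden' : 'served';
}

// Which of the requested filters a caller WITHOUT the read capability gets served.
function served_without_cap(callable $needsCap, array $requests): array
{
    $served = [];
    foreach ($requests as $statuses) {
        if (list_gate($needsCap, $statuses, false) === 'served') {
            $served[] = $statuses === [] ? '(empty)' : implode('+', $statuses);
        }
    }
    return $served;
}

// Constructed requests a client might send as the status filter.
$requests = [
    ['publish'],
    ['draft'],
    ['any'],              // wildcard value, not in the denylist
    ['future'],           // real status the denylist author forgot
    ['privat'],           // typo
    ['Private'],          // case variant
    ['publish', 'draft'], // mixed list
    ['publish', 'any'],   // public value used as cover for a wildcard
    [],                   // no filter at all
];

echo 'denylist serves:  ', implode(', ', served_without_cap('needs_cap_denylist', $requests)), PHP_EOL;
echo 'allowlist serves: ', implode(', ', served_without_cap('needs_cap_allowlist', $requests)), PHP_EOL;
```

Whatever the query layer later does with an unrecognised value, under the allowlist the decision to skip the capability check is only ever made for values that were explicitly reviewed as public.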

#### 1.4.25

 * UX: MCP Server URL is now surfaced prominently in General Settings as the canonical
   inbound URL for every MCP client (Claude.ai, ChatGPT, Claude Desktop, Cursor,
   Gemini, and any other MCP host). Previously the same URL was tucked into a card
   labeled “Claude Connector Settings — FOR CLAUDE.AI”, making it invisible to users
   setting up non-Claude clients who would then search the page for a ChatGPT-specific
   URL that doesn’t exist. The new section header clarifies that the same URL works
   for all MCP-compatible clients.
 * UX: New “MCP Client Setup Guides” section with in-product accordion walkthroughs
   for Claude.ai, ChatGPT, Claude Desktop, and Cursor. Each guide references the
   canonical MCP Server URL from General Settings, with deep links to the full screenshot
   walkthroughs on royalplugins.com/support/. Previously only Claude.ai had an in-product
   Quick Setup Guide and ChatGPT / Claude Desktop / Cursor users had to
   leave the page to find setup instructions.
 * UX: “AI Platforms” section renamed to “Outbound AI Provider Configuration” with
   a prominent disambiguation banner clarifying that this section is for OUTBOUND
   API calls only (your site calling Claude or OpenAI), distinct from the INBOUND
   MCP server flow above. The “AI Platforms” naming was collision-prone — customers
   configuring an MCP client for inbound use would frequently mistake this outbound-only
   provider list for the place to “set up Claude/ChatGPT”, enter their OpenAI
   API key, and then find that no inbound connection was made.
 * UX: Cloudflare warning (“turn off Block AI Bots”) relocated from the Claude-only
   card to General Settings next to the MCP URL — it applies to every MCP client,
   not just Claude, but was previously only shown to users with the Claude provider
   configured.
 * UX: Legacy REST API Base URL demoted into a collapsible “Advanced” subsection
   within General Settings, alongside manual OAuth Client ID / Client Secret credentials.
   Most users connect via the canonical MCP Server URL and never need these.
 * Fix: Universal admin icon alignment pass. Every dashicon in every button on the
   Royal MCP settings page is now flex-centered relative to its container instead
   of sitting on the text baseline. Add Provider button no longer renders as a blue
   button with an invisible blue icon (dashicons now inherit white text color from
   `.button-primary`). Reset OAuth State, Copy, Regenerate, Test Connection, Add Provider,
   eye/visibility toggle, and the platform card collapse/delete buttons all share
   the same centering rule — previously each was hand-tuned per-button with mixed
   results, and a `line-height: 1.4` hack on the Reset OAuth button has been removed.
 * Fix: Description helper text contrast bumped from `#646970` italic to `#50575e`
   non-italic for readability on the gray `#f9f9f9` postbox backgrounds. The italic
   at 13px was hard to scan, particularly on the platform configuration cards.
 * Fix: Visible keyboard focus ring on all buttons in the settings page (2px white
   inner ring + 2px brand-blue outer ring) for accessibility.

#### 1.4.24

 * New: Advanced Custom Fields integration. Four new MCP tools — `acf_get_field`,
   `acf_get_fields`, `acf_update_field`, `acf_get_field_groups` — registered automatically
   when ACF (free or Pro) is active. The dedicated integration returns values formatted
   per each field’s Return Format setting (hydrated post objects, parsed repeater
   rows, image arrays, attachment IDs) instead of the raw serialized values WordPress’s
   standard meta API returns. `acf_get_fields` bundles discovery and read into one
   call — AI agents can list every ACF field defined on a post with its name, label,
   type, and value in a single round-trip. WP_Post / WP_User / WP_Term return values
   are flattened to small JSON-encodable arrays so the LLM gets useful structure
   without raw WP objects in the response payload. Sites without ACF active see 
   no change — the tools are conditionally registered behind `function_exists('get_field')`.
 * Fix: `wc_create_product` now respects the `type` argument and creates the matching
   WooCommerce product class (Simple, Variable, Grouped, External). Pre-1.4.24 the
   tool’s input schema advertised the four product types but the handler hardcoded
   `WC_Product_Simple` regardless of the caller’s choice — so passing `type: variable`
   silently returned a simple product, and the downstream `wc_create_variation`
   call then failed with “Product is not a variable product”, breaking the variable-product
   workflow end-to-end. Unsupported product types now throw an explicit
   exception so callers see the failure instead of getting a wrong-typed product
   back. Bug had been present since the WooCommerce integration first shipped in
   1.4.10.
 * Doc: readme.txt Description now leads with a “First-time setup walkthrough (with
   videos)” pointer to the Connecting Claude to Royal MCP guide, and the Installation
   section ends with the same pointer for users who skip past the listing description.
   New users arriving via wp.org plugin search were missing the setup guide that’s
   been linked from the marketing-site sub-nav for weeks.
 * Doc: AI Platforms screen in WP Admin now shows a contextual notice on the Claude
   platform card pointing at the inbound setup guide. The AI Platforms feature configures
   outbound API calls (this site -> Claude), but customers frequently arrive at 
   this card meaning to do the inbound MCP setup (Claude.ai or Claude Desktop ->
   this site). The notice clarifies the distinction and links to the guide so users
   don’t get stuck. Only renders when Claude has been added as a platform.

#### 1.4.23

 * Fix: AI Platforms model dropdowns refreshed across all five LLM providers (Claude,
   OpenAI, Gemini, Groq, Bedrock) to remove deprecated and retired models, add current
   production lineups, and rotate defaults to vendor-recommended replacements. Verified
   against each vendor’s official deprecation page on the day of release (Anthropic,
   OpenAI, Google AI, Groq, AWS Bedrock). Specifically: Claude removed `claude-sonnet-4-20250514`
   (Anthropic retires it on June 15, 2026); OpenAI replaced `gpt-4o-mini`/`gpt-4-turbo`/`gpt-4`/`gpt-3.5-turbo`/`o1-preview`/`o1-mini`
   with GPT-5.5, GPT-5, GPT-5 Mini, GPT-5 Nano, and o3, and the new default is `gpt-5`; Gemini
   removed the entire 1.5 family (already returns 404), the 2.0 Flash variants
   (shut down June 1, 2026), and the 2.5 family (all retire October 16, 2026), with
   the dropdown now offering `gemini-3.5-flash` (new default) and `gemini-3.1-flash-lite`;
   Groq removed `mixtral-8x7b-32768` and `gemma2-9b-it` and added `openai/gpt-oss-120b`
   and `openai/gpt-oss-20b`; AWS Bedrock refreshed from the year-old
   Claude 3 Sonnet / Claude 3 Haiku / Llama 3 / Titan Text lineup to Claude 4 family
   (Opus 4.7, Sonnet 4.6, Haiku 4.5), Amazon Nova 2 Lite + Nova Pro, and Llama 3.3
   70B. Pre-1.4.23 customers picking any of these now-retired models would receive
   404 from the vendor (Test Connection) or upstream API errors (any runtime call);
   1.4.23 also resets the default model on Gemini, OpenAI, and Bedrock to current
   vendor-recommended replacements so fresh installs land on a working model without
   manual selection. No code paths beyond `Platform\Registry.php` are changed; existing
   installs that already have a working model stored in settings are unaffected.

#### 1.4.22

 * Fix: AI Platforms  Test Connection on the Claude platform now uses the model 
   selected in the dropdown and the underlying test ping points at a model Anthropic
   still serves. Pre-1.4.22 the Test Connection button had two compounding defects
   in `Platform\Registry.php`: the `test_body.model` was hardcoded to `claude-3-5-haiku-20241022`
   regardless of the dropdown selection, AND that model has since
   been deprecated by Anthropic — so every click of Test Connection returned `Server
   responded with status 404: model: claude-3-5-haiku-20241022` no matter which 
   model was chosen or whether the API key was valid. The dropdown is also refreshed
   to the current Claude lineup (Opus 4.7, Sonnet 4.6, Haiku 4.5) and the Gemini
   dropdown adds the 2.x family entries. Reported by two customers within four days;
   affects every Royal MCP install using the AI Platforms feature with a Claude 
   key.
 * Fix: Manually-configured OAuth Client ID and Client Secret in Claude Connector
   Settings  Advanced settings can now be cleared through the UI. Pre-1.4.22 the
   sanitize callback treated an empty submission as “preserve previous value” (defense
   against accidental blanking), which left customers no way to switch from manual-credential
   mode back to Dynamic Client Registration once a static client had
   been generated. A new Clear button appears next to each field when populated;
   it AJAX-clears the stored value and the connector falls back to Dynamic Client
   Registration on the next handshake. The existing Reset OAuth State button (1.4.17)
   is also extended to wipe these manual credentials in addition to clients/tokens/auth
   codes, with a success message that confirms when it happened.
 * Fix: OAuth root rewrite rules (`/authorize`, `/token`, `/register`, `/.well-known/oauth-authorization-server`)
   now match both bare and trailing-slash variants.
   Pre-1.4.22 the rules used a bare `$` regex anchor that didn’t match the trailing-slash
   form WordPress canonical_redirect adds on default permalink structures —
   the trailing-slash URL fell through to standard WP page lookup and could be hijacked
   by membership plugins or theme templates that serve their own page for any non-matching
   URL. Discovery clients then received HTML at 200 instead of JSON metadata
   and silently failed. Widening to `/?$` matches both forms; the bare-path variants
   continue to work.
 * New: Admin notice detects when your web server returns a 301 trailing-slash redirect
   on POST `/register` — a host-side config issue (Nginx `mod_dir`, Apache `mod_dir`,
   or `.htaccess` canonicalization) that breaks OAuth registration because clients
   don’t follow 301 on POST. The notice surfaces the issue and links to a support
   article with Nginx and Apache fixes. Cached in a 12-hour transient and skipped
   on dev hosts and multisite subsites, matching the existing self-check pattern.
   Self-check probes are short-circuited inside the OAuth dispatcher so they don’t
   generate Activity Log noise.
 * New: The existing `.well-known/` self-check (1.4.14, 1.4.19) now also detects
   when the discovery endpoint returns an HTML body at status 200 — a membership
   plugin (ARMember, MemberPress, Restrict Content Pro) or theme template is intercepting
   the request and serving its own login or access-denied page instead of letting
   Royal MCP’s JSON response through. Surfaces a notice with the most common fixes
   (add OAuth paths to the plugin’s unrestricted-URL list, re-save Permalinks, deactivate
   suspects).

#### 1.4.21

 * Fix: Gutenberg block content created or updated via `wp_create_page`, `wp_update_page`,
   `wp_create_post`, and `wp_update_post` is no longer mangled in the block’s JSON
   comment. Two compounding bugs surfaced on WordPress 7.0’s new per-block Custom
   CSS feature, where a block like `<!-- wp:table {"style":{"css":"a\nb\n& table{ color: red; }"}} -->`
   round-tripped as `au005cnbu005cnu005cu0026 table { color: red; }`, breaking the block’s
   render and triggering Gutenberg’s “unexpected content”
   warning. (1) Pre-1.4.21 the tools ran `wp_kses_post()` on the caller’s content
   before handing it to `wp_insert_post()`, which HTML-encoded the block delimiters.
   The fix removes that pre-filter and trusts WordPress’s own `content_save_pre`
   filter inside `wp_insert_post()`, which applies `wp_filter_post_kses` based on
   the calling user’s `unfiltered_html` capability — the same code path the block
   editor itself uses when admins save block content. (2) `wp_insert_post()` runs
   `wp_unslash()` on its arguments internally per the WordPress slashing convention,
   which was stripping the literal backslashes inside escape sequences (`\n`, `&`)
   that block JSON depends on. The fix `wp_slash()`es the content before passing,
   so the internal `wp_unslash` leaves the original input intact. Round-trip is 
   now byte-for-byte preserved on both WordPress 6.x and 7.0. Reported by @danielkleinert
   in royalplugins/royal-mcp#15.

#### 1.4.20

 * Fix: WooCommerce order tools no longer hang when a `shop_order_refund` record
   appears in the result set. With HPOS (High-Performance Order Storage) enabled,
   WooCommerce stores both real orders and refund child records in the same `wc_orders`
   table, and `wc_get_orders()` returned both unless explicitly filtered. The `format_order_summary()`
   and `format_order_detail()` formatters expect a `WC_Order` and choke when handed
   a `WC_Order_Refund`, producing an indefinite hang that surfaced to MCP clients
   as error -32001 (timeout). Fixed in all four call sites in `includes/Integrations/WooCommerce.php`:
   the `wc_get_orders` and `get_store_stats` queries now include
   `'type' => 'shop_order'`; the `wc_get_order` and `wc_update_order_status` handlers
   now reject inputs that don’t resolve to a `WC_Order` instance (catching refund
   IDs because `WC_Order_Refund` extends `WC_Abstract_Order`, not `WC_Order`). Only
   affects HPOS-enabled stores — pre-HPOS, `shop_order_refund` lives in `wp_posts`
   as a distinct post_type and is never returned by `wc_get_orders()`. Thanks to
   @ober37 for the diagnosis and the PR (royalplugins/royal-mcp#20, #21).

#### 1.4.19

 * New: Six Elementor tools for clone-and-customize workflows: `elementor_clone_page`
   duplicates an existing Elementor page with fresh element IDs and draft status;
   `elementor_replace_text` does bulk text substitution across heading, text-editor,
   button, image-box, icon-box, icon-list, testimonial, tabs, accordion, toggle,
   star-rating, call-to-action, and flip-box widgets; `elementor_replace_image` 
   swaps image URLs across image, image-box, background_image, and gallery widget
   settings; `elementor_get_page_outline` extracts a compact section/container hierarchy
   with widget types and text snippets (typically under 2KB so Claude can reason
   over a full page without burning the JSON budget); `elementor_list_local_templates`
   enumerates entries in the Elementor template library; `elementor_import_template`
   wraps the official `\Elementor\TemplateLibrary\Source_Local::import_template()`
   API. All six tools auto-register when Elementor is active and are hidden otherwise.
   Atomic widgets (Elementor 4.0+ Editor V4 elements) pass through opaque — we never
   decode atomic schemas because Elementor itself may shift them. Widget-level creation
   from scratch is intentionally out of scope; the design commitment is to never
   generate Elementor JSON from a blank slate and to always work from an existing-known-good
   source. Capability-gated (`edit_posts` plus `edit_post` per-post).
   Tested end-to-end against a real Elementor Pro 4.0.4 page with 74 widgets and
   9 top-level containers.
 * New: Admin notice now detects stale static `.well-known/oauth-authorization-server`
   files left in the webroot from a pre-1.4.0-era host-support workaround. The smoking
   gun: the static file’s metadata advertises OAuth endpoints under `/wp-json/royal-mcp/v1/authorize`
   (the old REST-namespace paths) instead of the current root
   paths (`/authorize`, `/token`, `/register`). Claude.ai reads the stale metadata,
   follows the bad URLs to 404, and the connection silently fails. The notice surfaces
   the file paths and the SSH/SFTP delete command, with a per-user dismiss. Detection
   is cached in a 12-hour transient and skipped on dev hosts and multisite subsites,
   same pattern as the existing host-blocked detection. Triggered by a customer 
   support ticket where the connection looked working from a curl probe but Claude.
   ai connector consistently failed; root cause was a leftover file from host support
   six months earlier. The existing host-blocked detection (404 on `/.well-known/`)
   is unchanged.
 * Doc: Readme “Page builders” line softened. Previous text (“Post content stored
   by builders is fully readable and writable by AI”) implied a flat statement of
   universal coverage that wasn’t accurate for Elementor’s JSON-storage model. New
   text describes Elementor’s clone-and-customize tools explicitly and clarifies
   that page-builder-specific JSON storage is opaque to AI unless covered by a dedicated
   tool. Divi/Beaver Builder/Bricks/Gutenberg/Spectra/Stackable handling is unchanged—
   their standard post content remains AI-readable via the existing post tools.
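
For the stale `.well-known/oauth-authorization-server` notice above, here is an added example (not the plugin's own code) of the same check run by hand: parse the metadata document and flag endpoints still under the old REST namespace. It assumes WordPress is served from the domain root; the function names, the `example.test` host and both sample documents are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

STALE_PREFIX = "/wp-json/royal-mcp/v1/"  # old REST namespace named in the entry
# RFC 8414 metadata fields mapped to the current site-root paths.
EXPECTED_PATHS = {
    "authorization_endpoint": "/authorize",
    "token_endpoint": "/token",
    "registration_endpoint": "/register",
}

def audit_metadata(raw_json, site_origin):
    """Return (field, url, reason) findings; an empty list means clean."""
    try:
        doc = json.loads(raw_json)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return [("<document>", "", "not a JSON object")]
    origin = urlsplit(site_origin)
    findings = []
    for field, want in EXPECTED_PATHS.items():
        url = doc.get(field)
        if not isinstance(url, str):
            findings.append((field, "", "missing"))
            continue
        parts = urlsplit(url)
        path = parts.path.rstrip("/") or "/"
        if (parts.scheme, parts.netloc.lower()) != (origin.scheme, origin.netloc.lower()):
            findings.append((field, url, "points at a different origin"))
        elif path.startswith(STALE_PREFIX):
            findings.append((field, url, "stale REST-namespace path"))
        elif path != want:
            findings.append((field, url, "expected " + want))
    return findings

def build_sample(prefix):
    """Constructed metadata document whose endpoints live under `prefix`."""
    base = "https://example.test" + prefix
    return json.dumps({"issuer": "https://example.test",
                       "authorization_endpoint": base + "authorize",
                       "token_endpoint": base + "token",
                       "registration_endpoint": base + "register"})

STALE_SAMPLE = build_sample(STALE_PREFIX)  # what a leftover static file advertises
CURRENT_SAMPLE = build_sample("/")         # metadata using the current root paths
```

Feed it the body returned for `/.well-known/oauth-authorization-server` on the site being checked; any finding marked as a stale REST-namespace path means a static file is shadowing the plugin's own response.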

#### 1.4.18

 * Fix: The `/wp-json/royal-mcp/v1/mcp` GET handler is now User-Agent-aware. Anthropic’s
   post-OAuth session-establishment probe (User-Agent: `Claude-User`) now receives
   HTTP 200 + `Content-Type: text/event-stream` with a minimal keepalive comment,
   satisfying the spec-compliant session start. Other authenticated GET requests
   (mcp-remote, custom scripts) continue to receive 405 with `Allow: POST, DELETE,
   OPTIONS` to preserve the 1.4.12 fix that stopped mcp-remote’s retry-storm pattern.
   Without this differentiation, customers updating to 1.4.17 would see the auth-code
   DB-table fix succeed at `/token` but Anthropic’s subsequent GET probe receive
   405 four times before giving up, the same connector-failure symptom they had on
   1.4.16, just with a different cause. This is the 4th iteration of the `/mcp`
   endpoint response-code matrix, and the discrimination layer is documented in
   `_internal/royal-mcp/MCP_ENDPOINT_BEHAVIOR_MATRIX.md`.
 * Fix: `wp_update_menu_item` and `wp_reorder_menu_items` no longer destroy non-empty
   existing fields. Pre-1.4.18 these tools passed partial args to WordPress’s
   `wp_update_nav_menu_item()`, which merges any unspecified fields with empty defaults,
   effectively wiping titles, URLs, parent_id, and target on every item touched.
   Reported in royalplugins/royal-mcp issue #14: a 96-item menu reduced to flat,
   blank custom links across all items, requiring ~170 API calls to rebuild. The
   fix is a read-merge-write pattern in a new internal helper that reads existing
   item values via `wp_setup_nav_menu_item()` and merges with caller-supplied overrides
   before writing. A destructive-operation guardrail also refuses explicit-empty
   values for `title` or `url` that would zero a non-empty existing value (use
   `wp_delete_menu_item` + `wp_create_menu_item` to clear those intentionally).
   `wp_reorder_menu_items` additionally returns a `skipped` array when individual
   items can’t be safely reordered (e.g. missing or recently deleted) instead of
   silently failing.
 * Doc: New FAQ entry covering DB-restore recovery via the Reset OAuth State button
   (closes issue #12). After restoring WordPress from backup, the OAuth client credentials
   Claude was holding become stale and no Royal MCP install will accept them. One-click
   recovery via Royal MCP → Settings → Reset OAuth State (1.4.17+) wipes all
   OAuth state without affecting the plugin’s settings, API key, or Activity Log.
 * Doc: New FAQ entry clarifying that OAuth endpoints (`/register`, `/token`,
   `/authorize`) are top-level WordPress rewrite rules at the site root, not REST
   API routes under `/wp-json/royal-mcp/v1/`. Customers auditing their install via
   the REST namespace were confused into thinking the OAuth endpoints weren’t registered;
   this is by design per the OAuth 2.0 (RFC 6749) and MCP discovery (RFC 8414, RFC
   9728) specs which mandate predictable site-root paths.
 * Doc: New FAQ entry “The connector won’t connect — where do I start?” links to
   a new troubleshooting-start-here support article. About 90% of “can’t connect”
   issues resolve in a 4-step basic checklist (update, conflict test, OAuth state
   wipe, Activity Log check) before any host-specific fix is needed; surfacing this
   in the readme front-loads the basic workflow that pre-1.4.18 was buried under
   the advanced support articles.
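
The read-merge-write pattern and destructive-operation guardrail from the menu fix above, modelled as an added example in Python rather than the plugin's PHP (this is not the plugin's helper). The dict layout, function names, `position` field and sample menu are assumptions made for illustration.

```python
# Fields the changelog says were being wiped, plus an assumed position field.
FIELDS = ("title", "url", "parent_id", "target", "position")
PROTECTED = ("title", "url")  # explicit-empty values are refused for these


class DestructiveUpdate(ValueError):
    """Raised when an update would blank a non-empty protected field."""


def naive_update(existing, overrides):
    """Pre-fix behaviour: every field the caller omits falls back to empty."""
    return {f: overrides.get(f, "") for f in FIELDS}


def merge_item(existing, overrides):
    """Read-merge-write: start from the stored item, apply only supplied keys."""
    for field in PROTECTED:
        if field in overrides and not overrides[field] and existing.get(field):
            raise DestructiveUpdate(f"refusing to blank non-empty {field!r}")
    merged = {f: existing.get(f, "") for f in FIELDS}
    merged.update({k: v for k, v in overrides.items() if k in FIELDS})
    return merged


def reorder(menu, order):
    """Assign new positions; report unknown ids instead of failing silently."""
    skipped = []
    for position, item_id in enumerate(order, start=1):
        if item_id not in menu:
            skipped.append(item_id)
            continue
        menu[item_id] = merge_item(menu[item_id], {"position": position})
    return {"updated": [i for i in order if i in menu], "skipped": skipped}


# Constructed sample menu keyed by item id.
SAMPLE_MENU = {
    10: {"title": "Home", "url": "/", "parent_id": 0, "target": "", "position": 1},
    11: {"title": "Docs", "url": "/docs", "parent_id": 10, "target": "_blank", "position": 2},
}
```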

#### 1.4.17

 * Fix: Authorization codes (the short-lived single-use secret exchanged at the 
   OAuth `/token` step) are now stored in a dedicated `wp_royal_mcp_oauth_auth_codes`
   database table with atomic single-row consume, replacing the previous WordPress-transient
   storage. On host stacks running multiple object-cache layers (LiteSpeed
   Cache + SpeedyCache confirmed as a reproducer), the transient backend was silently
   evicting the auth code in the ~2-second window between `/authorize` and `/token`,
   breaking the OAuth handshake with `invalid_grant: Authorization code is invalid,
   expired, or already used.` even on a fully clean test. The new storage layer 
   is unaffected by object-cache eviction since reads and writes go directly to 
   the database. The schema migration runs automatically on `plugins_loaded` for
   existing installs (no manual reactivation required).
 * New: “Reset OAuth State” admin button on the Royal MCP settings page. One click
   wipes all registered OAuth clients, issued access/refresh tokens, and pending
   authorization codes, recovering from stuck handshakes without dropping to wp-cli
   or SQL. All currently-connected MCP …
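
An added sketch of the "atomic single-row consume" described in the first 1.4.17 entry, using Python's `sqlite3` in place of the WordPress database; it is not the plugin's code. Only the table name comes from the changelog: the column names, the hashing of stored codes and the function names are assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

TABLE = "wp_royal_mcp_oauth_auth_codes"  # name from the changelog; columns assumed


def open_store():
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit mode
    db.execute(f"CREATE TABLE {TABLE} (code_hash TEXT PRIMARY KEY, "
               "client_id TEXT NOT NULL, expires_at INTEGER NOT NULL)")
    return db


def _digest(code):
    # Store only a hash so reading the table does not reveal redeemable codes.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_code(db, client_id, ttl=60, now=None):
    now = int(time.time()) if now is None else now
    code = secrets.token_urlsafe(32)
    db.execute(f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
               (_digest(code), client_id, now + ttl))
    return code


def consume_code(db, code, client_id, now=None):
    """Redeem a code exactly once; True means the /token step may proceed."""
    now = int(time.time()) if now is None else now
    # One statement both checks and removes the row, so two concurrent
    # redemptions cannot both succeed: only one DELETE affects a row.
    cur = db.execute(f"DELETE FROM {TABLE} WHERE code_hash = ? AND client_id = ? "
                     "AND expires_at > ?", (_digest(code), client_id, now))
    return cur.rowcount == 1


def token_response(db, code, client_id, now=None):
    if consume_code(db, code, client_id, now):
        return {"status": 200}
    # Invalid, expired and replayed codes get the same error quoted in the entry.
    return {"status": 400, "error": "invalid_grant",
            "error_description": "Authorization code is invalid, expired, or already used."}
```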

## Meta

 *  Version **1.4.32**
 *  Last updated **4 days ago**
 *  Active installations **6,000+**
 *  WordPress version **5.8 or higher**
 *  Tested up to **7.0**
 *  PHP version **7.4 or higher**
 *  Language
 * [English (US)](https://wordpress.org/plugins/royal-mcp/)
 * Tags
 * [AI](https://sl.wordpress.org/plugins/tags/ai/)[ChatGPT](https://sl.wordpress.org/plugins/tags/chatgpt/)
   [Claude](https://sl.wordpress.org/plugins/tags/claude/)[elementor](https://sl.wordpress.org/plugins/tags/elementor/)
   [mcp](https://sl.wordpress.org/plugins/tags/mcp/)
 *  [Advanced View](https://sl.wordpress.org/plugins/royal-mcp/advanced/)

## Ratings

 5 out of 5 stars.

 *  [4 5-star reviews](https://wordpress.org/support/plugin/royal-mcp/reviews/?filter=5)
 *  [0 4-star reviews](https://wordpress.org/support/plugin/royal-mcp/reviews/?filter=4)
 *  [0 3-star reviews](https://wordpress.org/support/plugin/royal-mcp/reviews/?filter=3)
 *  [0 2-star reviews](https://wordpress.org/support/plugin/royal-mcp/reviews/?filter=2)
 *  [0 1-star reviews](https://wordpress.org/support/plugin/royal-mcp/reviews/?filter=1)


## Contributors

 * [Royal Plugins](https://profiles.wordpress.org/royalpluginsteam/)

## Support

Issues resolved in last two months: 9 out of 11

 [View support forum](https://wordpress.org/support/plugin/royal-mcp/)
