grade D

3 days ago

glama

wp-mcp

A Model Context Protocol server that turns WordPress sites into AI-operable surfaces by exposing CRUD primitives for posts, users, comments, and settings. It supports both local STDIO and remote HTTP transports, allowing AI assistants to manage content and site configuration directly.

→ rnaga/wp-mcp · listed on glama

Install from

Glama

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

⚠️

Known vulnerabilities in dependencies: 3 high

Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.

✅

No credential exfiltration, no sensitive file access, no obfuscation

Static analysis found nothing flowing your secrets to unexpected places.

🔐

You'll be asked for 3 credentials: DB_PASSWORD, REMOTE_PASSWORD, TEST_API_KEY

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

configALLOWED_ISSUER_HOSTNAMES

configCONFIG_SQLITE_DB_PATH

configDB_HOST

configDB_NAME

🔐 secretDB_PASSWORD

configDB_PORT

configDB_USER

configDEFAULT_BLOG_ID

configDEFAULT_SITE_ID

configLOCAL_CONFIG— file <path> / -f <path> WordPress config manifest location Used by local start to point the init hook at a custom WP config JSON.

configLOCAL_USERNAME— "": "wp-admin"

configLOG_LEVEL

configMULTISITE

configOAUTH_AUTHORIZATION_URL— Authorization server URL https://auth.example.com Sent to clients in error headers and used by the CLI when initializing device flows.

configOAUTH_ISSUER_URL

configOAUTH_REGISTRATION_URL

configOAUTH_RESOURCE_NAME— Display name for the protected resource Example WordPress MCP Returned in discovery metadata.

configOAUTH_RESOURCE_URL— Public URL of the protected resource https://mcp.example.com Included in OAuth resource metadata and DNS-rebinding protection checks.

configOAUTH_REVOCATION_URL

configOAUTH_SCOPES_SUPPORTED— Comma-separated scopes supported by the resource openid,offline_access,posts.read Advertised in discovery metadata and WWW-Authenticate headers.

configOAUTH_SERVICE_DOCUMENTATION_URL— Documentation link for the resource https://docs.example.com/mcp Returned in discovery metadata.

configOAUTH_TOKEN_URL

configPORT

configREMOTE_AUTH_TYPE— "": "oauth",

configREMOTE_CUSTOM_HEADERS

🔐 secretREMOTE_PASSWORD

configREMOTE_URL— "": "https://wp-mcp.example.com/mcp"

configREMOTE_USERNAME

🔐 secretTEST_API_KEY

configTEST_DB_HOST

configTEST_DB_PORT

configTEST_ENABLED

configWP_MCP_ENV_BASE_PATH

configWP_MCP_SECRET_DB_PATH

configWP_MCP_SECRET_ENV_FILE

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 4 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/rnaga-wp-mcp-1iefiv)](https://m8ven.ai/mcp/rnaga-wp-mcp-1iefiv)

commit: 66e65e375e205234ae4da8fa3095ae665c395df6

code hash: 9c4ef39f73cbb924578da34301e8d71cf3aadafcf58c146cddd3643e2228f192

verified: 4/18/2026, 6:28:28 PM

view raw JSON →