Title: Invizo MCP Author: Invizo Published: June 19, 2026 Last modified: June 19, 2026 --- Search plugins ![](https://s.w.org/plugins/geopattern-icon/invizo-mcp.svg) # Invizo MCP By [Invizo](https://profiles.wordpress.org/invizo/) [Download](https://downloads.wordpress.org/plugin/invizo-mcp.2.0.3.zip) * [Details](https://wordpress.org/plugins/invizo-mcp/#description) * [Reviews](https://wordpress.org/plugins/invizo-mcp/#reviews) * [Installation](https://wordpress.org/plugins/invizo-mcp/#installation) * [Development](https://wordpress.org/plugins/invizo-mcp/#developers) [Support](https://wordpress.org/support/plugin/invizo-mcp/) ## Description Invizo MCP turns your WordPress site into a standalone Model Context Protocol server. It lets approved AI clients work with site content and supported plugins through a native endpoint hosted by WordPress: ``` https://example.com/wp-json/mcp/invizo ``` No Invizo-hosted MCP backend, account, subscription, or license key is required. The plugin bundles the official WordPress MCP Adapter and PHP MCP Schema packages and exposes Invizo’s action library through the WordPress Abilities API. The MCP server exposes three compact protocol tools: * `discover-abilities` * `get-ability-info` * `execute-ability` These tools discover and execute 143 scoped Invizo abilities without flooding AI clients with 143 top-level MCP tools. #### Highlights * Direct MCP endpoint hosted by WordPress. * WordPress Application Password authentication. * Administrator-only transport and action execution. * Granular read, write, and delete scopes. * Dry-run and confirmation safeguards for supported risky operations. * Copy-ready connection settings for Claude Code, Claude Desktop, Codex, Cursor, and Antigravity. * Dependency-aware controls for WooCommerce, Elementor, Rank Math SEO, LearnPress, and The Events Calendar. * No telemetry, tracking, Invizo cloud account, or automatic connection to Invizo servers. #### What can agents manage? * **WordPress content:** posts, pages, media, categories, tags, comments, revisions, reusable blocks, templates, global styles, menus, and content search. * **Site administration:** users, selected safe site settings, post types, taxonomies, statuses, plugins, and themes. * **Custom content:** custom post type definitions, custom post type items, post metadata, and MCP-managed post meta definitions. * **Page builders and SEO:** Gutenberg content, Elementor page data, and Rank Math SEO metadata. * **WooCommerce:** products, variations, orders, notes, coupons, customers, and product terms. * **LearnPress:** courses, lessons, quizzes, questions, orders, terms, enrollments, and builder workflows. * **The Events Calendar:** events, venues, and organizers. #### Who is this for? Invizo MCP is intended for administrators, developers, agencies, and site maintainers who want an AI coding or automation client to work with a WordPress site through a documented, scoped protocol. Because enabled write and delete scopes can modify important site data, use the plugin only with trusted clients and dedicated Application Passwords. Test destructive workflows on a staging site first. #### Authentication Invizo MCP uses WordPress Application Passwords and WordPress REST authentication. Only authenticated users with the `manage_options` capability can access the MCP transport or execute Invizo abilities. In a standard WordPress installation this means administrators only. Create a dedicated Application Password from **Settings > Invizo MCP** for every AI client or computer. Passwords can be revoked individually from the same screen. Application Passwords normally require HTTPS. Local HTTP sites can enable them by setting: ``` define( 'WP_ENVIRONMENT_TYPE', 'local' ); ``` Security plugins can disable Application Passwords. Invizo reports this condition on its settings screen. #### Scopes and safeguards Administrators choose exactly which read, write, and delete scopes are enabled. Abilities outside enabled scopes are hidden from MCP discovery and rejected during execution. Optional integration scopes are unavailable unless their required plugin is active. Existing handler safeguards remain in place, including: * WordPress sanitization and validation. * Plugin availability checks. * Scope checks inside action handlers. * Dry-run previews for supported risky operations. * Explicit `confirm: true` requirements for supported destructive operations. * Reserved metadata protection and safe site-setting allow lists. #### Data stored by the plugin Invizo MCP stores: * Endpoint enabled/disabled status and selected scopes in the `invizo_mcp_settings` option. * MCP-managed custom post type definitions in the `invizo_mcp_registered_cpts` option. * MCP-managed post meta definitions in the `invizo_mcp_registered_meta_fields` option. * A plugin version option used for upgrades. Application Passwords are created and stored by WordPress in user metadata. Invizo tags only the credentials it creates so they can be listed and revoked from the settings page. Invizo MCP does not collect analytics or send usage information to Invizo. ### Client Configuration The settings page generates current, copy-ready values using your site endpoint and WordPress username. #### Claude Code The primary setup uses `@automattic/mcp-wordpress-remote` through `npx`, with the endpoint, username, and Application Password stored as environment variables. A direct HTTP `.mcp.json` alternative is also shown for clients that support authenticated HTTP MCP servers. #### Claude Desktop Add the generated JSON to: * macOS: `~/Library/Application Support/Claude/claude_desktop_config.json` * Windows: `%APPDATA%\Claude\claude_desktop_config.json` #### Codex Add the generated TOML to: * Project: `.codex/config.toml` * Global: `~/.codex/config.toml` Both `npx` bridge and direct authenticated HTTP examples are provided. #### Cursor Add the generated JSON to: * Project: `.cursor/mcp.json` * Global: `~/.cursor/mcp.json` #### Antigravity Add the generated JSON to: * macOS/Linux: `~/.gemini/antigravity/mcp_config.json` * Windows: `%USERPROFILE%\.gemini\antigravity\mcp_config.json` #### Local HTTPS Trust your local certificate whenever possible. For local development only, bridge configurations may use `NODE_TLS_REJECT_UNAUTHORIZED=0` when the certificate cannot be trusted normally. Never commit Application Passwords to source control or paste them into prompts, tickets, screenshots, or chat messages. ### Privacy and Security The MCP endpoint is disabled by default on new installations. Enabling it does not expose abilities until scopes are selected. The endpoint requires: * Valid WordPress Application Password authentication. * A WordPress user with the `manage_options` capability. * An enabled Invizo scope for the requested ability. Use one dedicated Application Password per client or device so individual connections can be revoked without changing the WordPress account password. When the plugin is uninstalled, Invizo-created Application Passwords are always revoked. Plugin settings and MCP-managed definitions are removed only when **Delete Invizo settings and MCP-managed CPT/meta definitions when the plugin is uninstalled** is enabled. Existing posts and post meta values are never deleted by the uninstaller. #### Reporting security issues Please report security issues privately through the contact information on https:// invizo.io/. Do not publish sensitive vulnerability details in a public support topic before a fix is available. ### Upgrade from 1.x Version 2.0 automatically removes the stored external MCP Server URL and shared secret. It preserves: * Enabled scopes. * MCP-managed custom post type definitions. * MCP-managed post meta definitions. * WordPress content and integration data. Sites that previously had a shared secret configured are migrated with the standalone endpoint enabled. Other installations remain disabled until an administrator explicitly enables the endpoint. The legacy signed endpoint `/wp-json/invizo/v1/execute` and its HMAC headers have been removed. ### External Services Invizo MCP does not contact an Invizo-hosted service. MCP clients may use the third-party npm package `@automattic/mcp-wordpress-remote` as a local bridge when configured by the administrator. The package is downloaded from the npm registry and runs on the computer hosting the AI client, not inside WordPress. When the bridge is used, it sends the configured WordPress endpoint, username, Application Password, and MCP request data directly to the administrator’s WordPress site. It does not send those credentials to Invizo. * Package: https://www.npmjs.com/package/@automattic/mcp-wordpress-remote * Source: https://github.com/Automattic/mcp-wordpress-remote * npm Terms of Use: https://docs.npmjs.com/policies/terms * npm Privacy Notice: https://docs.npmjs.com/policies/privacy Media upload actions can fetch a public file URL explicitly supplied by an authenticated MCP caller through WordPress media sideloading. In that case, the remote file host receives a normal HTTP request from the WordPress site. The service and data destination depend entirely on the URL supplied by the administrator’s MCP client. No external request is made merely by installing or activating Invizo MCP. ### Build and Source Files The distributed plugin contains the human-readable PHP source used at runtime. #### PHP dependencies Composer dependencies are included under `vendor/` because they are required for the standalone MCP endpoint: * `automattic/jetpack-autoloader` * `wordpress/mcp-adapter` * `wordpress/php-mcp-schema` All bundled packages use the GPL-2.0-or-later license. Package source, Composer metadata, and individual license files are included. See `third-party-notices.txt`. #### Rebuilding dependencies From the plugin directory: ``` composer install --no-dev --optimize-autoloader ``` Create the WordPress.org submission ZIP from the parent plugins directory while excluding Git metadata, operating-system files, logs, and Node dependencies. ## Installation 1. Install the Invizo MCP release ZIP, including its bundled `vendor` directory. 2. Activate the plugin on WordPress 6.9 or newer. 3. Open **Settings > Invizo MCP**. 4. Enable the MCP endpoint. 5. Select only the scopes your agent needs. 6. Create an Application Password. 7. Choose Claude, Codex, Cursor, or Antigravity and copy the generated configuration. 8. Restart or reload the AI client. 9. Verify the connection by listing the server tools and running `discover-abilities`. Do not install a source-only archive that omits Composer dependencies. #### Minimum requirements * WordPress 6.9 or newer. * PHP 7.4 or newer. * HTTPS for normal Application Password support. WordPress local environments may use HTTP when `WP_ENVIRONMENT_TYPE` is set to `local`. * An MCP client that supports remote HTTP MCP or a compatible local STDIO bridge. ## FAQ ### Does Invizo contact api.mcp.invizo.io? No. Version 2.0 does not require or contact an Invizo backend. ### Is WordPress itself the MCP server? Yes. WordPress serves MCP JSON-RPC requests at `/wp-json/mcp/invizo`. ### Why do some clients still use npx? Some desktop clients communicate with local STDIO MCP processes more reliably than remote authenticated HTTP endpoints. `@automattic/mcp-wordpress-remote` is a local transport bridge; it is not an Invizo-hosted server. ### Can editors connect? No. Invizo requires `manage_options` at the MCP transport and ability layers. ### What happens when the endpoint is disabled? The Invizo MCP route is not initialized. Existing Application Passwords remain valid WordPress credentials until revoked, but they cannot access an inactive Invizo endpoint. ### Why is an integration scope disabled? WooCommerce, Elementor, Rank Math SEO, LearnPress, and The Events Calendar scopes require the corresponding plugin to be active. ## Reviews There are no reviews for this plugin. ## Contributors & Developers “Invizo MCP” is open source software. The following people have contributed to this plugin. Contributors * [ Invizo ](https://profiles.wordpress.org/invizo/) [Translate “Invizo MCP” into your language.](https://translate.wordpress.org/projects/wp-plugins/invizo-mcp) ### Interested in development? [Browse the code](https://plugins.trac.wordpress.org/browser/invizo-mcp/), check out the [SVN repository](https://plugins.svn.wordpress.org/invizo-mcp/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/invizo-mcp/) by [RSS](https://plugins.trac.wordpress.org/log/invizo-mcp/?limit=100&mode=stop_on_copy&format=rss). ## Changelog #### 2.0.3 * Replaced dynamic option keys in site settings handlers with explicit WordPress core option references to satisfy plugin review requirements. #### 2.0.2 * Enqueued settings-page CSS and JavaScript through the WordPress asset APIs. * Limited dependency notices to the Plugins and Invizo MCP settings screens. * Restricted WooCommerce customer address updates to an explicit field and setter allowlist. * Updated the bundled Jetpack Autoloader dependency. #### 2.0.1 * Prepared the standalone release for WordPress.org review and distribution. * Added GPL license and third-party dependency notices. * Added optional uninstall cleanup and automatic revocation of Invizo-created Application Passwords. * Added privacy, data storage, security reporting, source, build, and external- service documentation. * Fixed prepared SQL handling for LearnPress enrollment queries. * Improved local HTTPS connection snippets for `.test`, `.local`, and WordPress local environments. * Removed manual translation loading because WordPress.org loads translations automatically. #### 2.0.0 * Converted Invizo into a standalone MCP server hosted by WordPress. * Bundled the official WordPress MCP Adapter, PHP MCP Schema, and Jetpack package autoloader. * Added `/wp-json/mcp/invizo`. * Exposed all 143 existing actions as scoped WordPress abilities through compact discovery, information, and execution tools. * Replaced shared-secret HMAC authentication with administrator-only WordPress Application Passwords. * Added endpoint enable/disable control and Application Password creation and revocation. * Added generated setup instructions for Claude Code, Claude Desktop, Codex, Cursor, and Antigravity. * Removed the external Invizo dashboard, handshake, server URL, shared secret, and legacy signed execution endpoint. * Added automatic 1.x settings migration while preserving scopes and managed definitions. ## Meta * Version **2.0.3** * Last updated **22 hours ago** * Active installations **Fewer than 10** * WordPress version ** 6.9 or higher ** * Tested up to **7.0** * PHP version ** 7.4 or higher ** * Tags * [ai-automation](https://wordpress.org/plugins/tags/ai-automation/)[developer-tools](https://wordpress.org/plugins/tags/developer-tools/) [mcp](https://wordpress.org/plugins/tags/mcp/)[woocommerce](https://wordpress.org/plugins/tags/woocommerce/) [WordPress Management](https://wordpress.org/plugins/tags/wordpress-management/) * [Advanced View](https://wordpress.org/plugins/invizo-mcp/advanced/) ## Ratings No reviews have been submitted yet. [Your review](https://wordpress.org/support/plugin/invizo-mcp/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/invizo-mcp/reviews/) ## Contributors * [ Invizo ](https://profiles.wordpress.org/invizo/) ## Support Got something to say? Need help? [View support forum](https://wordpress.org/support/plugin/invizo-mcp/) ## Donate Would you like to support the advancement of this plugin? [ Donate to this plugin ](https://invizo.io/)