We checked this and rejected itsecurity

WordPress MCP: why it is not safe to use

WordPress MCP scored 78 and got a warn: it holds full CMS credentials and reads untrusted content while able to publish or delete.

What we found

The WordPress MCP server (docdyhr/mcp-wordpress) is fully open TypeScript, talks only to your own WordPress REST API, and runs no shell commands or remote code. Our scan still flagged it as warn (78/100) for a few reasons.

It can read untrusted content such as comments and post bodies, and we saw no described input sanitization. Because the same server can also publish and delete, a crafted comment or page could try to steer an agent into unwanted writes or deletions (prompt injection).

It also holds WordPress credentials, often admin-level application passwords, stored as plaintext env vars or config with no masking. It inherits whatever role that account has, so an admin token hands user management and site settings to the agent. Broad read access to posts, media, and user profiles (including emails) adds a real data-exposure surface.

What to do instead

Create a dedicated least-privilege WordPress user rather than an admin. Scope it to only the actions you need, avoid delete rights where possible, and keep credentials in a secret store. Treat site content as untrusted, and review the agent's write and delete actions before trusting them unattended.

Want the same outcome, safely? Use our checked skill instead.

Source: https://github.com/docdyhr/mcp-wordpress

We report what our security review found at the time we checked, with the goal of keeping people safe. Projects change; if a maintainer has since fixed this, we are glad to recheck it. Email hello@agentpod.com.

Copied to clipboard. Paste it into your AI (ChatGPT, Claude, or your agent) to add the skill.