{"id":320780,"date":"2026-06-04T04:57:12","date_gmt":"2026-06-04T04:57:12","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/miniorange-secure-mcp-server\/"},"modified":"2026-07-01T07:54:49","modified_gmt":"2026-07-01T07:54:49","slug":"miniorange-secure-mcp-server","status":"publish","type":"plugin","link":"https:\/\/sq.wordpress.org\/plugins\/miniorange-secure-mcp-server\/","author":14442177,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.2.0","stable_tag":"1.2.0","tested":"7.0","requires":"6.9","requires_php":"7.4","requires_plugins":null,"header_name":"miniOrange Secure MCP Server","header_author":"miniOrange","header_description":"AI governance and policy enforcement for WordPress, built on the Abilities API.","assets_banners_color":"","last_updated":"2026-07-01 07:54:49","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/plugins.miniorange.com\/","header_author_uri":"https:\/\/www.miniorange.com\/","rating":0,"author_block_rating":0,"active_installs":0,"downloads":211,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"mowpms","date":"2026-06-17 12:40:28"},"1.1.0":{"tag":"1.1.0","author":"mowpms","date":"2026-06-17 12:40:28"},"1.1.1":{"tag":"1.1.1","author":"mowpms","date":"2026-06-23 05:16:24"},"1.2.0":{"tag":"1.2.0","author":"mowpms","date":"2026-07-01 07:54:49"}},"upgrade_notice":{"1.2.0":"<p>Adds the NHI Registry screen for managing connected AI clients, per-ability toggles on the Abilities screen, and a revamped plugin UI. No database changes; no upgrade steps required.<\/p>","1.1.1":"<p>Adds support and deactivation feedback forms. No database changes; no upgrade steps required.<\/p>","1.1.0":"<p>Introduces the OAuth-protected MCP server. The plugin now creates database tables; review the updated privacy note in the FAQ.<\/p>","1.0.0":"<p>Initial release. No upgrade steps required.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3560254,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128}},"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0","1.1.0","1.1.1","1.2.0"],"block_files":[],"assets_screenshots":[],"screenshots":[]},"plugin_section":[],"plugin_tags":[251511,2353,258885,242115,2061],"plugin_category":[38],"plugin_contributors":[143724],"plugin_business_model":[],"class_list":["post-320780","plugin","type-plugin","status-publish","hentry","plugin_tags-abilities","plugin_tags-ai","plugin_tags-governance","plugin_tags-mcp","plugin_tags-oauth","plugin_category-authentication","plugin_contributors-cyberlord92","plugin_committers-cyberlord92","plugin_committers-mowpms"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/miniorange-secure-mcp-server\/assets\/icon-128x128.png?rev=3560254","icon_2x":false,"generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>miniOrange Secure MCP Server helps WordPress administrators with AI governance and policy enforcement: understanding, and controlling, what AI assistants and MCP clients are allowed to do on their site.<\/p>\n\n<p>The WordPress Abilities API (available in WordPress 6.9 and later) lets plugins and WordPress core expose discrete, machine-callable capabilities \u2014 for example: get site info, create a post, or generate a summary. This plugin turns those abilities into a remote <strong>Model Context Protocol (MCP)<\/strong> server so AI clients can discover and invoke them, protected by a self-hosted OAuth 2.1 authorization server.<\/p>\n\n<p><strong>What this version does<\/strong><\/p>\n\n<ul>\n<li><strong>NHI Registry.<\/strong> An admin screen listing every non-human identity (AI client) that has registered and authorized access to your site, with OAuth client details and token status. This is the default landing screen when you open the plugin.<\/li>\n<li><strong>Per-ability toggle.<\/strong> Enable or disable individual abilities from being exposed as MCP tools directly from the Abilities screen.<\/li>\n<li><strong>Abilities viewer.<\/strong> A read-only admin screen that lists every ability registered on your site, with its label, description, category, source namespace, and full input\/output JSON schema.<\/li>\n<li><strong>Connection guide.<\/strong> A \"Connect to AI\" tab with step-by-step instructions and your site's MCP URL for connecting clients such as ChatGPT and Claude.<\/li>\n<li><strong>Built-in content abilities.<\/strong> Create Post and Update Post abilities (exposed as MCP tools) so connected clients can draft and edit posts, gated by the user's capabilities.<\/li>\n<li><strong>MCP server.<\/strong> A single Streamable HTTP endpoint that exposes every registered ability as an MCP tool. Tool calls run through the Abilities API, so each ability's own permission check still applies.<\/li>\n<li><strong>Self-hosted dynamic OAuth.<\/strong> WordPress acts as its own OAuth 2.1 authorization server with OAuth 2.0 Dynamic Client Registration (RFC 7591), Protected Resource Metadata (RFC 9728), Authorization Server Metadata (RFC 8414), and Authorization Code flow with PKCE. Clients such as ChatGPT and Claude can register themselves and connect with no manual credential setup.<\/li>\n<\/ul>\n\n<p>Every MCP request runs as the WordPress user who authorized it, so what an AI client can do is bounded by that user's own capabilities.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin files to the <code>\/wp-content\/plugins\/miniorange-secure-mcp-server<\/code> directory, or install the plugin through the WordPress plugins screen directly.<\/li>\n<li>Activate the plugin through the \"Plugins\" screen in WordPress.<\/li>\n<li>Open the \"Secure MCP Server\" menu item (under Tools) to review the NHI Registry and abilities registered on your site.<\/li>\n<li>Connect an MCP client (see the FAQ) to <code>https:\/\/YOUR-SITE\/wp-json\/mosmcp\/v1\/mcp<\/code>.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"how%20do%20chatgpt%20and%20claude%20connect%3F\"><h3>How do ChatGPT and Claude connect?<\/h3><\/dt>\n<dd><p>Add a custom connector pointing at your MCP endpoint, <code>https:\/\/YOUR-SITE\/wp-json\/mosmcp\/v1\/mcp<\/code>. The client discovers the OAuth endpoints automatically, registers itself, walks you through logging in to WordPress and approving access, and then connects. The site must be reachable over HTTPS (cloud clients cannot reach <code>localhost<\/code>); for local development, expose the site through an HTTPS tunnel such as ngrok or cloudflared.<\/p><\/dd>\n<dt id=\"does%20this%20plugin%20store%20any%20data%3F\"><h3>Does this plugin store any data?<\/h3><\/dt>\n<dd><p>Yes. To run the OAuth server it creates three database tables for registered clients, short-lived authorization codes, and access\/refresh tokens. Tokens and client secrets are stored only as keyed hashes, never in plaintext. A single options row holds the plugin's hash salt. All of this is removed when the plugin is deleted.<\/p><\/dd>\n<dt id=\"my%20server%20returns%20401%20even%20with%20a%20valid%20token.\"><h3>My server returns 401 even with a valid token.<\/h3><\/dt>\n<dd><p>Some Apache configurations strip the <code>Authorization<\/code> header before it reaches PHP. Add the following to your WordPress root <code>.htaccess<\/code>:<\/p>\n\n<pre><code>RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]\n<\/code><\/pre><\/dd>\n<dt id=\"why%20does%20the%20%22source%22%20column%20show%20a%20namespace%20instead%20of%20a%20plugin%20name%3F\"><h3>Why does the \"Source\" column show a namespace instead of a plugin name?<\/h3><\/dt>\n<dd><p>The Abilities API does not record which plugin registered a given ability. The namespace prefix (the part before the slash in the ability name) is the most reliable indicator of where an ability comes from.<\/p><\/dd>\n<dt id=\"what%20is%20the%20nhi%20registry%3F\"><h3>What is the NHI Registry?<\/h3><\/dt>\n<dd><p>The NHI (Non-Human Identity) Registry is where you create and manage named ability policies for AI clients. Each NHI has a name and an optional list of abilities it is permitted to invoke. When an AI client makes an MCP request, the effective set of allowed abilities is the union of all currently enabled NHIs. An NHI with no explicit ability list permits all registered abilities. You can create as many NHIs as you need and toggle them on or off independently.<\/p><\/dd>\n<dt id=\"how%20do%20i%20control%20which%20abilities%20an%20ai%20client%20can%20access%3F\"><h3>How do I control which abilities an AI client can access?<\/h3><\/dt>\n<dd><p>There are two levels of control. First, use the per-ability toggle on the Abilities screen to exclude an individual ability from being exposed as an MCP tool entirely \u2014 this applies regardless of any NHI policy. Second, use the NHI Registry to create a policy that lists exactly which abilities are permitted for MCP requests. Only the union of enabled NHI allow-lists is reachable by connected clients.<\/p><\/dd>\n<dt id=\"can%20i%20disable%20an%20nhi%20without%20deleting%20it%3F\"><h3>Can I disable an NHI without deleting it?<\/h3><\/dt>\n<dd><p>Yes. Every NHI has an enable\/disable toggle in the NHI Registry screen. A disabled NHI has no effect on MCP requests but its name and ability list are preserved, so you can re-enable it at any time without reconfiguring it.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.2.0<\/h4>\n\n<ul>\n<li>Added NHI Registry: a new admin screen to view and manage all non-human identity (AI client) registrations, including OAuth client details and token status.<\/li>\n<li>Added per-ability toggle to enable or disable individual abilities from being exposed as MCP tools.<\/li>\n<li>Revamped the plugin UI.<\/li>\n<\/ul>\n\n<h4>1.1.1<\/h4>\n\n<ul>\n<li>Added in-plugin support form and deactivation feedback modal.<\/li>\n<\/ul>\n\n<h4>1.1.0<\/h4>\n\n<ul>\n<li>Added a remote MCP server endpoint that exposes registered abilities as MCP tools.<\/li>\n<li>Added a self-hosted OAuth 2.1 authorization server with Dynamic Client Registration, PKCE, and discovery metadata so ChatGPT and Claude can connect.<\/li>\n<\/ul>\n\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release: read-only viewer for abilities registered through the WordPress Abilities API.<\/li>\n<\/ul>","raw_excerpt":"AI governance for WordPress: expose your Abilities API as a secure, OAuth-protected MCP server for AI clients like ChatGPT and Claude.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/sq.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/320780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sq.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/sq.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/sq.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=320780"}],"author":[{"embeddable":true,"href":"https:\/\/sq.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/cyberlord92"}],"wp:attachment":[{"href":"https:\/\/sq.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=320780"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/sq.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=320780"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/sq.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=320780"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/sq.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=320780"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/sq.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=320780"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/sq.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=320780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}