How to Set Up WordPress MCP for AI Integration on AWS Lightsail Bitnami

Overview

This guide will help you set up WordPress MCP (Model Context Protocol) functionality on your AWS Lightsail Bitnami WordPress installation, enabling AI assistants like Claude to interact directly with your WordPress site.

Prerequisites

  • AWS Lightsail Bitnami WordPress instance
  • SSH access to your server
  • Node.js 22+ on your local machine
  • Basic familiarity with WordPress admin and command line

Part 1: Install WordPress Plugins on Your Server

Step 1: Access Your Server

# SSH into your Lightsail instance
ssh bitnami@YOUR_SERVER_IP

Step 2: Install WordPress Feature API Plugin

# Navigate to WordPress plugins directory
cd /opt/bitnami/wordpress/wp-content/plugins/

# Clone the wp-feature-api repository
sudo git clone https://github.com/Automattic/wp-feature-api.git

# Change ownership to the web server user
sudo chown -R bitnami:daemon wp-feature-api/

# Navigate into the plugin directory
cd wp-feature-api/

# Install dependencies and build
sudo npm run setup
sudo npm run build

Step 3: Install WordPress MCP Plugin

# Navigate back to plugins directory
cd /opt/bitnami/wordpress/wp-content/plugins/

# Clone the wordpress-mcp repository
sudo git clone https://github.com/Automattic/wordpress-mcp.git

# Change ownership
sudo chown -R bitnami:daemon wordpress-mcp/

# Navigate into the plugin directory
cd wordpress-mcp/

# Install PHP dependencies
sudo composer install --no-dev

# Install npm dependencies and build
sudo npm install
sudo npm run build

Part 2: Configure WordPress

Step 4: Activate Plugins

  • Log into your WordPress admin dashboard
  • Navigate to Plugins → Installed Plugins
  • Activate WordPress Feature API
  • Activate WordPress MCP

Step 5: Configure MCP Settings

  • Go to Settings → MCP in your WordPress admin
  • Enable MCP functionality
  • Configure which features/tools you want to expose
  • Save settings

Step 6: Create Application Password

  • Go to Users → Your Profile
  • Scroll down to Application Passwords
  • Enter a name like “MCP Client”
  • Click Add New Application Password
  • IMPORTANT: Copy the generated password immediately – you won’t see it again!

Part 3: Configure Local MCP Client

Step 7: Configure Claude Desktop

Create or edit your Claude Desktop configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "wordpress-mcp": {
      "command": "npx",
      "args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
      "env": {
        "WP_API_URL": "https://YOUR_LIGHTSAIL_DOMAIN.com",
        "WP_API_USERNAME": "your-username",
        "WP_API_PASSWORD": "your-application-password"
      }
    }
  }
}

Replace:

  • YOUR_LIGHTSAIL_DOMAIN.com with your actual domain
  • your-username with your WordPress username
  • your-application-password with the application password you generated

Step 8: Configure Cursor (Alternative)

Create ~/.cursor/mcp.json:

{
  "mcpServers": {
    "wordpress-mcp": {
      "command": "npx",
      "args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
      "env": {
        "WP_API_URL": "https://YOUR_LIGHTSAIL_DOMAIN.com",
        "WP_API_USERNAME": "your-username",
        "WP_API_PASSWORD": "your-application-password"
      }
    }
  }
}

Critical Configuration Notes

⚠️ Username Requirements

Make sure you use the correct username. To resolve the most common authentication issues:

  • Try your exact WordPress username first (the one you use to log in)
  • If that doesn’t work, try your email address instead
  • The username is case-sensitive
  • Make sure the user has Administrator privileges

🔑 Application Password Spaces

REMOVE ALL SPACES from the application password!

WordPress displays application passwords with spaces for readability, but you must remove them:

  • WordPress shows: AbCd EfGh IjKl MnOp
  • You must use: AbCdEfGhIjKlMnOp

This is the #1 cause of authentication failures!

Testing Your Setup

Step 9: Test the Connection

  • Restart Claude Desktop or Cursor
  • In a new chat, try asking: “Can you tell me about my WordPress site?”
  • If configured correctly, Claude should be able to access your site information

Step 10: Available Commands

Once connected, you can ask Claude to:

  • List posts, pages, users
  • Create and edit content
  • Manage media files
  • Analyze site settings
  • And much more!

Troubleshooting

Common Issues

  • Connection Failed: Check your API URL, username, and application password
  • Permission Denied: Ensure the WordPress user has Administrator permissions
  • SSL Errors: Make sure your site has a valid SSL certificate
  • Plugin Not Working: Verify plugins are activated and built correctly

Debug Steps

  • Check WordPress error logs: /opt/bitnami/wordpress/wp-content/debug.log
  • Test API access manually:
    curl -u username:app_password https://yoursite.com/wp-json/wp/v2/posts
  • Check MCP logs if LOG_FILE is configured in your client setup

Important Notes

  • Bitnami Specifics: File paths use /opt/bitnami/wordpress/ instead of standard WordPress paths
  • Permissions: Always use sudo for file operations and set proper ownership
  • Updates: When updating plugins, you may need to rebuild them
  • Backups: Always backup your site before making changes

Security Configuration (Critical Step)

⚠️ Important: When you install plugins using git clone, you expose sensitive files that should never be accessible via web browser. This is a critical security risk that must be addressed.

Why Security Configuration is Required

When you run git clone to install WordPress MCP plugins, you’re downloading the entire development repository, which includes:

  • .git/ directory – Contains complete repository history, potentially including sensitive information
  • Configuration files – composer.json, package.json, webpack.config.js reveal your tech stack and dependencies
  • Development files – Build scripts, documentation, and temporary files
  • Dependencies – node_modules/, vendor/ directories (if present)
  • Environment files – Any .env files or configuration that might contain secrets

These files are meant for development, not production, and can reveal sensitive information about your server setup to attackers.

Security Risk Assessment

High Risk Files:

  • .git/ – Entire repository history including potentially sensitive commits
  • composer.json/package.json – Dependency information that reveals software versions
  • Build configuration files – Technical details about your setup

What Attackers Can Learn:

  • Your development workflow and tools
  • Software versions you’re running (for exploit targeting)
  • Repository history and previous configurations
  • Internal file structures and organization

Security Implementation Options

Choose one of these approaches:

Option 1: Remove Sensitive Files (Recommended – Simplest)

After plugin installation and building, clean up sensitive files:

# Navigate to WordPress MCP plugin
cd /opt/bitnami/wordpress/wp-content/plugins/wordpress-mcp/

# Remove git history and development files
sudo rm -rf .git/
sudo rm -f composer.json composer.lock package.json package-lock.json
sudo rm -f webpack.config.js tsconfig.json .eslintrc.js
sudo rm -f *.md README.md CONTRIBUTING.md
sudo rm -rf node_modules/ tests/ docs/

# Repeat for WordPress Feature API plugin
cd /opt/bitnami/wordpress/wp-content/plugins/wp-feature-api/

sudo rm -rf .git/
sudo rm -f composer.json composer.lock package.json package-lock.json
sudo rm -f webpack.config.js tsconfig.json .eslintrc.js
sudo rm -f *.md README.md CONTRIBUTING.md
sudo rm -rf node_modules/ tests/ docs/

# Set proper ownership
sudo chown -R bitnami:daemon /opt/bitnami/wordpress/wp-content/plugins/

Option 2: Apache Configuration Rules (Advanced)

Add security rules to your Apache configuration:

# Add security rules to Apache config
sudo tee -a /opt/bitnami/apache/conf/httpd.conf << 'EOF'

# WordPress Plugin Security Rules
<DirectoryMatch "\.git">
    Require all denied
</DirectoryMatch>

<FilesMatch "\.(json|lock|md|yml|yaml|log|tmp)$">
    Require all denied
</FilesMatch>

<DirectoryMatch "node_modules">
    Require all denied
</DirectoryMatch>

<DirectoryMatch "(^|/)vendor/">
    Require all denied
</DirectoryMatch>
EOF

Test and restart Apache:

# Test configuration syntax
sudo /opt/bitnami/apache/bin/httpd -t

# If syntax is OK, restart services
sudo /opt/bitnami/ctlscript.sh restart

⚠️ Note: If you get “Service Unavailable” errors after restart, the configuration may be too restrictive. Remove the added rules and use Option 1 instead.

Security Verification

After implementing security measures, test that sensitive files are properly blocked:

# These commands should return "403 Forbidden" or "404 Not Found"
# Replace your-domain.com with your actual domain

curl -I https://your-domain.com/wp-content/plugins/wordpress-mcp/.git/
curl -I https://your-domain.com/wp-content/plugins/wordpress-mcp/composer.json
curl -I https://your-domain.com/wp-content/plugins/wordpress-mcp/package.json
curl -I https://your-domain.com/wp-content/plugins/wp-feature-api/.git/

✅ Secure Response: HTTP/1.1 403 Forbidden or HTTP/1.1 404 Not Found
❌ Insecure Response: HTTP/1.1 200 OK, or any response that returns the actual file content
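
An added example (not part of the original guide) that extends the curl checks above: it also requests files inside .git/, because a directory URL can answer 403 merely because directory listing is off while the files in it are still served. The probe list and function names are assumptions built from the paths this guide uses.

```shell
#!/bin/sh
# Added example: probe files, not only directory URLs, and judge by status code.
# PROBES is an assumed list built from the plugin paths named in this guide.
PROBES='wordpress-mcp/.git/HEAD
wordpress-mcp/.git/config
wordpress-mcp/composer.json
wordpress-mcp/package.json
wp-feature-api/.git/HEAD
wp-feature-api/.git/config
wp-feature-api/package.json'

# Map an HTTP status code to a verdict.
classify_status() {
    case "$1" in
        403|404) echo blocked ;;
        2??)     echo EXPOSED ;;
        3??)     echo redirect ;;  # re-run against the redirect target
        *)       echo unknown ;;   # 000 = no connection, 5xx = server error
    esac
}

# Fetch only the status code for one URL.
http_status() {
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$1"
}

# Print one line per probe; return 1 if any probe is not blocked.
check_site() (
    base="${1%/}/wp-content/plugins"
    rc=0
    for p in $PROBES; do
        code=$(http_status "$base/$p") || code=000
        verdict=$(classify_status "$code")
        printf '%-9s %s %s\n' "$verdict" "$code" "$base/$p"
        [ "$verdict" = blocked ] || rc=1
    done
    return $rc
)

# Run only when a base URL is given: sh verify.sh https://your-domain.com
if [ "$#" -gt 0 ]; then check_site "$1"; fi
```

The non-zero exit status on any result other than "blocked" lets the check run from cron or a deployment pipeline.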

Best Practices for Future Updates

When updating plugins:

  1. If using Option 1 (file removal):
    • Pull updates: git pull origin main
    • Rebuild: npm run build
    • Clean sensitive files again (repeat removal commands)
  2. If using Option 2 (Apache rules):
    • Updates are automatically protected
    • No additional cleanup needed

For production deployments, consider:

  • Using official plugin releases instead of git clone
  • Implementing automated deployment scripts that clean sensitive files
  • Regular security audits of plugin directories
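
One way to do the audit and deployment check suggested above, as an added example rather than code from the guide or the plugins: it searches the plugins directory at every depth, so it also reports development files nested in subdirectories such as vendor/ that the top-level rm commands in Option 1 do not reach. The function names are hypothetical; the file patterns are the ones this guide lists.

```shell
#!/bin/sh
# Added example: list development artifacts left under a plugins directory.
# Patterns mirror the files and directories removed in Option 1, plus .env files.

# Print every leftover path, one per line. Matched directories are pruned,
# so their contents are not listed individually.
audit_plugins() {
    find "$1" \
        -type d \( -name .git -o -name node_modules -o -name tests \
                   -o -name docs \) -print -prune \
        -o -type f \( -name composer.json -o -name composer.lock \
                   -o -name package.json -o -name package-lock.json \
                   -o -name webpack.config.js -o -name tsconfig.json \
                   -o -name .eslintrc.js -o -name '.env*' -o -name '*.md' \
                   \) -print
}

# Return 1 (and print the leftovers) when anything is found, so a
# deployment script can stop before the site goes live.
plugins_clean() {
    leftovers=$(audit_plugins "$1")
    [ -z "$leftovers" ] && return 0
    printf '%s\n' "$leftovers"
    return 1
}

# Run only when a directory is given, e.g.:
#   sh audit.sh /opt/bitnami/wordpress/wp-content/plugins
if [ "$#" -gt 0 ]; then plugins_clean "$1"; fi
```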

Why This Matters

Without proper security:

  • Attackers can access your entire development history
  • Technical details about your setup are exposed
  • Dependency information reveals potential vulnerabilities
  • Your site appears unprofessional and insecure

With proper security:

  • Only necessary production files are accessible
  • Your technical stack remains private
  • Site appears professionally configured
  • Reduced attack surface for potential threats

This security step is mandatory when using git clone for plugin installation and should never be skipped in production environments.
