Royal MCP

Changelog

1.4.5

  • New: WordPress Playground live preview — click “Live Preview” on the plugin listing to try the Royal MCP settings page and activity log in a browser sandbox with demo API key and sample log entries pre-seeded.
  • New: Video walkthrough embedded on the plugin listing page.

1.4.4

  • Feature: Custom post type support — wp_get_posts and wp_create_post now accept a post_type parameter
  • Feature: New wp_get_post_types tool discovers all registered public post types on the site
  • Enhancement: wp_get_post and wp_get_posts responses now include the post type field
  • Enhancement: Post type validation ensures only public post types can be queried or created

1.4.3

  • Security: Fixed broken access control on MCP REST API endpoints (reported by Alexis Lafontaine via Patchstack)
  • Security: All MCP tool calls now require authenticated API key or OAuth Bearer token
  • Security: Removed reliance on Origin header as a security control

1.4.2

  • Security: Enforce authentication on every MCP request, not just session initialization
  • Security: Bind MCP sessions to authenticated credentials to prevent session hijacking
  • Security: Add authentication to GET stream and DELETE session endpoints

1.4.1

  • Fix: Resolved fatal error during activation on WordPress 7.0 RC (“Class Token_Store not found”)
  • Fix: Fully qualified namespace references for WP 7.0 compatibility
  • Tested: WordPress 7.0 RC2 compatibility verified

1.4.0

  • New: OAuth 2.0 authorization server — Claude Desktop’s “Add Connector” flow now works natively
  • New: Dynamic Client Registration (RFC 7591) for seamless MCP client onboarding
  • New: PKCE-secured authorization code flow per MCP spec (2025-03-26)
  • New: Token refresh with automatic rotation for long-lived sessions
  • New: WordPress login integration — consent screen after authentication
  • New: Metadata discovery endpoint at /.well-known/oauth-authorization-server
  • New: Daily cleanup of expired OAuth tokens via scheduled event
  • Improved: MCP endpoint now accepts both Bearer tokens and API key authentication
  • Improved: CORS headers include Authorization for OAuth-based clients
  • Security: Access tokens stored as SHA-256 hashes (never stored in plain text)
  • Security: Authorization codes are single-use with 10-minute expiry
  • Security: PKCE (S256) required for all authorization requests
  • Security: Redirect URI validation enforces localhost or HTTPS only

1.3.0

  • New: WooCommerce integration — 9 MCP tools for products, orders, customers, and store stats (auto-detected)
  • New: GuardPress integration — 7 MCP tools for security score, scans, firewall logs, and audit trail (auto-detected)
  • New: SiteVault integration — 6 MCP tools for backup management, scheduling, and progress tracking (auto-detected)
  • Security: MCP endpoint now requires API key authentication via X-Royal-MCP-API-Key header
  • Security: Added rate limiting (60 requests/minute per IP) to prevent abuse and accidental DoS
  • Security: API key comparison uses timing-safe hash_equals() to prevent timing attacks
  • Security: Sanitized wp_update_post_meta values before storage
  • Security: Comments created via MCP now respect WordPress moderation settings
  • Security: Removed admin_email and php_version from wp_get_site_info response
  • Security: Removed user_login and user_email from wp_get_users/wp_get_user responses
  • Improved: CORS headers include X-Royal-MCP-API-Key for cross-origin MCP clients

1.2.3

  • Security: Added SSRF protection — validates all outbound URLs against private/reserved IP ranges
  • Fixed: Text domain changed from ‘wp-royal-mcp’ to ‘royal-mcp’ to match plugin slug
  • Fixed: Menu slugs updated for WP.org compliance
  • Improved: REST API permission callbacks include explanatory comments for reviewers
  • Compatibility: Tested up to WordPress 7.0

1.2.2

  • Added: Documentation link on Plugins page (Settings | Documentation)
  • Added: Documentation banner on settings page

1.2.1

  • Fixed: Claude Connector setup guide link displaying raw HTML

1.2.0

  • Security: Origin header validation to prevent DNS rebinding attacks
  • Security: Session ID format validation (ASCII visible characters only)
  • Improved: MCP 2025-03-26 Streamable HTTP spec compliance
  • Added: Filter hook royal_mcp_allowed_origins for custom origin allowlist

1.1.0

  • Added multi-platform AI support (Claude, OpenAI, Gemini, Groq, Azure, Bedrock)
  • Added Claude Desktop MCP connector
  • Added activity logging
  • Added connection testing

1.0.0

  • Initial release


Version: 1.4.5
Last Updated: April 18, 2026
Active Installs: 600
Requires: WordPress 5.8
Tested Up To: WordPress 7.0
Requires PHP: 7.4
