Options: allow webo/get-options and webo/update-options to manage html_custom_css for trusted admin MCP flows.
2.1.18
Integration: register webo/reorder-query and webo/reorder-mutate MCP tools when the Webo Reorder plugin is active (post/CPT order; not nav menu order).
2.1.17
Enhancement: webo/content-mutate can update post passwords for protected content when the authenticated user has permission to edit the post.
Safety: post password updates stay inside the existing content mutation capability checks.
2.1.16
Fix: webo/content-mutate can preserve raw block HTML for users with unfiltered_html, allowing admin page-builder content and inline styles to be managed through MCP.
Security: users without unfiltered_html continue to pass content through the normal WordPress post KSES boundary.
2.1.15
WordPress 7.0 readiness: add defensive feature detection for Abilities API, MCP Adapter, Connectors API, and wp_supports_ai().
Bootstrap: avoid loading duplicate bundled Abilities API or MCP Adapter code when Core/external implementations are already present.
Bridge: add off, layered (default), and full modes. Layered mode exposes compact webo/ability-query and webo/ability-execute tools so tools/list stays small by default.
Security: only bridge abilities with meta.mcp.public === true; execution now passes through ability permissions, WEBO policy/allowlist checks, and scope/risk gates.
Health: extend webo/health-status with WordPress 7.0/Core AI/MCP compatibility diagnostics.
Themes: extend webo/theme-mutate with WordPress.org theme install by slug; optional activation still requires switch_themes.
2.1.14
Fix: bridge scoped plugin-management capabilities while network admins activate or deactivate plugins inside a child site.
Keeps child-site plugin toggles explicit through site_id / blog_id without widening network-wide activation behavior.
2.1.13
Added webo/plugin-mutate for WordPress.org plugin install, activation, and deactivation through the core plugin endpoint.
Added site_id / blog_id support so network admins can activate or deactivate plugins for one multisite child site from the network MCP endpoint.
Safety: rejects conflicting site_id / blog_id plus network_activate / network_wide requests so child-site activation and network-wide activation stay explicit.
2.1.12
Added a bounded, admin-readable MCP audit log for tools/call events with user, tool/action, object ID when available, anonymized IP, hashed session ID, status, and compact result/error summaries.
Added optional per-user, per-role, and per-client/Application Password tool allowlists. Enforcement is disabled by default to preserve existing access until an administrator opts in.
Security: enforce object-level capabilities for MCP content/media mutations, including edit_post, delete_post, publish/private status changes, and taxonomy-specific term capabilities.
Security: filter read tools by read_post and hide tools from tools/list when the authenticated user lacks the tool capability.
Hardening: use WordPress safe HTTP validation for optional Google Suggest requests in seo/article-analysis.
2.1.10
Fix: register webo/plugin-query in Standalone_Tools so MCP clients can list plugin updates (query=updates, optional refresh=true) and other inspection modes.
Bootstrap: prime WP_Abilities_Registry at init:2 so wp_abilities_api_init runs before MCP bootstrap (init:20), preventing _doing_it_wrong when abilities register on webo_mcp_register_tools.
2.1.9
Refactor: move built-in MCP tool registration into inc/bootstrap/class-standalone-tools.php (smaller bootstrap; same tool names).
Maintainer: broaden .gitignore (composer vendor/bin/, Cursor local config, scratch files); ship scripts/ helpers and docs/WPORG_REVIEW_REPLY_2.0.28.md; keep composer.json production-only.
2.1.8
BOM guard: fix PCRE — use ^(?:xEFxBBxBF)+ so multiple UTF-8 BOMs are stripped (the old ^xEFxBBxBF+ only repeated the final 0xBF byte, breaking responses such as wp/v2/types on webo.vn for MCP clients).
2.1.7
BOM guard: sanitize all REST API requests (/wp-json/…, wp-json.php, ?rest_route=) by default (webo_mcp_rest_bom_guard_json_api_requests filter to disable).
2.1.6
BOM guard: treat Abilities API REST URLs (wp-abilities/v1) the same as MCP router URLs — @automattic/mcp-wordpress-remote calls discover/execute over wp-abilities, which previously skipped the sanitizer.
2.1.5
BOM guard: also start the sanitizer on plugins_loaded and init at priority -999999 when the request URI looks MCP (covers BOM echoed before rest_api_init).
2.1.4
BOM guard: start output buffer at rest_api_init priority 0 when Request-URI/rest_route looks like MCP (catches BOM printed before routing); loop-strip repeated BOM/FEFF; filter webo_mcp_rest_bom_guard_enabled to disable.
2.1.3
REST: strip accidental UTF-8 BOM / stray U+FEFF before JSON on MCP routes so clients no longer fail JSON parse with Unexpected token (defensive ob_start handler on rest_pre_dispatch).
2.1.2
Restore the versioned skills/ subtree in the Git repository (guides and ability-specific SKILL.md files referenced from README.md), matching the documented npx skills add workflows.
Add webo-mcp-ultimo-domain-dns-cf skill index entry (Ultimo checking-dns + Cloudflare checklist).
Readme (GitHub + WordPress.org): align examples with webo/content-query, document meta.mcp.public visibility for bridged abilities, link migration doc; sync standalone tool bullets (menus, themes, plugins).
2.1.0
Token optimization — ecosystem-wide enum-dispatch unification. All WEBO MCP addons now follow the same query/mutate pattern as the core plugin, replacing one-tool-per-operation APIs with unified abilities that accept an action argument:
Impact: with core and addons active the total tool count visible in tools/list drops from ~79+ to ~34. A smaller tool list means the model picks tools faster, uses less context budget per request, and makes fewer tool-name errors.
Pattern: each unified ability requires one action string that is dispatched server-side via PHP match(). All existing handler logic is preserved — only the registration surface changes.
Updated skills documentation for webo-mcp-ability-woocommerce, webo-mcp-ability-rank-math, webo-mcp-ability-rocket, and webo-mcp-guide.
2.0.45
Refactor: unify media tools into webo/media-query (list, get) and webo/media-mutate (upload, update, delete); removes 5 legacy media tools.
Refactor: unify taxonomy/term tools into webo/taxonomy-query (discover, list, get) and webo/taxonomy-mutate (create, update, delete); removes 6 legacy term tools.
Refactor: unify comment tools into webo/comment-query (list, get) and webo/comment-mutate (update, delete); removes 4 legacy comment tools.
Refactor: unify post/content tools into webo/content-query and webo/content-mutate; removes 17 legacy post tools.
Refactor: replace webo/list-active-plugins with unified webo/plugin-query (list, get, activate, deactivate).
All unified tools normalize the id field as the primary response identifier; domain aliases (attachment_id, term_id, comment_id) are kept for backward compatibility.
SEO: improved Unicode word count using Unicode ranges for multilingual content; non-spaced scripts (CJK, Thai) now estimate word count via character-based heuristics.
2.0.44
SEO readability: estimate word count for non-spaced scripts (CJK, Thai, Khmer) via character-based heuristics.
2.0.43
SEO readability: count Unicode title and meta description lengths correctly for non-ASCII characters.
2.0.42
SEO readability: count Unicode words correctly for multilingual content.
2.0.41
Media/site settings: add webo/set-site-icon to set the WordPress site icon/favicon from an existing image attachment.
2.0.40
MCP post tools: add page, offset, orderby, and order support to webo/list-posts responses for reliable batch processing.
SEO analyzer: infer the WordPress post title as the primary H1 when content omits an H1, and include Article JSON-LD from post/Rank Math metadata for more accurate schema checks.
2.0.39
Options: allow safe permalink/category/tag base updates through MCP and flush rewrite rules after URL setting changes.
2.0.38
MCP post tools: preserve safe HTML for post content/excerpt arguments so SEO headings, lists, tables, and images can be authored through create/update calls.
2.0.35
New site-management tools: webo/list-themes and webo/switch-theme for discovering installed themes and switching the active theme by stylesheet slug.
Readme: release includes the shortened WordPress.org short description, keeping the short description under the 150 character import limit.
2.0.34
Options: allow webo/update-options and webo/get-options to handle show_on_front and page_on_front.
Safety: validate show_on_front as posts|page and ensure page_on_front references a valid Page ID (or 0).
2.0.33
Readme: refresh WordPress.org-facing description for clarity; lead with product value and protocol workflow, move ecosystem links to a secondary section.
2.0.32
Fix: avoid WP 6.9 Abilities API incorrect-usage notices by hardening adapter category/ability registration order and late-boot recovery.
Docs: add AGENTS.md workflow guidance and prioritize guide-first structure in README/readme.txt.
2.0.31
Maintenance: version bump.
2.0.30
Maintenance: version bump.
2.0.29
Reliability: harden MCP adapter bootstrap and schema type handling (supports array/nullable type definitions safely).
WP-CLI noise reduction: register core mcp-adapter abilities before bridge wiring and suppress default adapter server bootstrap in CLI mode to avoid false missing-ability errors.
Release notice: users running WEBO MCP Pro should update Pro package compatibility notes from the official docs/release channel before production rollout.
2.0.28
WordPress.org review fixes: added explicit External services disclosure for Google Suggest/Autocomplete used by seo/article-analysis (service purpose, transmitted query data and request metadata, conditions, Terms and Privacy links).
Compatibility: removed use of WPINC for nav-menu API loading; now load nav-menu API via explicit core include paths with availability checks to reduce environment-specific path issues.
2.0.27
Security (WordPress.org guidelines): MCP router no longer maps API keys or HMAC to arbitrary user accounts. All requests require WordPress Application Password (Basic Auth) or an existing logged-in session; optional site API key and HMAC apply only after authentication.
Readme: Contributors includes phuongwebo; clarify authentication in description and FAQ.
2.0.26
New MCP tool seo/article-analysis (category seo, edit_posts): WordPress-only on-page SEO signals for a post via post_id — rendered content, Rank Math merge, readability, issues, content_gaps. Agent documentation: skills/webo-mcp-seo-article/SKILL.md in the GitHub repo (not bundled in the WordPress.org zip).
Readme: Stable tag sync, privacy note for optional outbound tool requests.
2.0.25
list-posts: document defaults (publish + post type post); response includes applied filters so empty results are easier to explain. Models should pass status draft (etc.) and post_type page when listing those.
2.0.24
Nav menus: list-nav-menu-locations response includes note explaining slug vs label; MCP descriptions tell models to call this tool first to discover theme_location keys.
2.0.23
Nav menus: list-nav-menus response includes menu_id (same as term_id) and clearer MCP tool descriptions so clients list menus without asking users for menu_id first.
2.0.22
Nav menus: if create-nav-menu / create-nav-menu-for-location targets a name that already exists, reuse the existing menu term and continue (reused_existing_menu in JSON). Return a clear error if core nav-menu.php cannot be loaded. Expanded primary fallback slugs (primary-menu, header-menu, mobile). assign-nav-menu-to-location accepts menu_name when menu_id is omitted (assigned_via_menu_name in response).
2.0.21
Nav menus: resolve theme location when slug primary is missing (single registered slot, or common slugs main/header/menu-1/navigation). Load wp-includes/nav-menu.php before wp_create_nav_menu in REST context. Response field theme_location_resolution indicates how the slug was chosen.
2.0.20
Access: MCP router gate allows manage_options and edit_posts (Editors, site admins on multisite), not only is_super_admin; fixes list-nav-menus / tools/call failing for non-administrator users. Multisite API key/HMAC falls back to first site Administrator if no Super Admin login exists. Error code webo_mcp_access_denied replaces misleading super-admin-only message.
2.0.15
Nav menus: list-nav-menus, list-nav-menu-items (db_id, menu_order, object_id, parent_db_id), add-nav-menu-item-from-post with required post_id, post_type, and menu_order (explicit developer values; no auto placement).
2.0.14
Security: MCP JSON-RPC router, SecurityHelper, tools discovery, and internal-tool policy default to network Super Admin on multisite (is_super_admin). Single-site installs use WordPress core’s is_super_admin() behavior (typically full administrators). Global API key/HMAC elevates to the first Super Admin user on multisite.
2.0.7
Readme: highlight https://webomcp.com and n8n community node https://www.npmjs.com/package/n8n-nodes-webo-mcp; short description and FAQ; README.md aligned.
2.0.6
License: plugin header uses the same wording as readme.txt (“GPL v2 or later”) to satisfy WordPress.org declared-license checks.
2.0.5
Plugin header: @wordpress-plugin marker for strict scanners; License line uses GPLv2 or later slug (Plugin Handbook).
2.0.4
Plugin header: handbook field order, shorter Description line, License text “GPL v2 or later”, Domain Path for translations.
2.0.3
WordPress.org / Plugin Check: include composer.json when vendor is bundled; replace unlink with wp_delete_file for temp uploads; remove load_plugin_textdomain (core loads translations); resolve API key usermeta via get_users instead of direct $wpdb; readme short description, allowed Tags, Stable tag sync.
2.0.2
WordPress.org packaging: release zip excludes dotfiles and all .github trees; readme Tested up to 6.9.
