WEBO MCP

2.1.14

• Fix: bridge scoped plugin-management capabilities while network admins activate or deactivate plugins inside a child site.
• Keeps child-site plugin toggles explicit through site_id / blog_id without widening network-wide activation behavior.

2.1.13

• Added webo/plugin-mutate for WordPress.org plugin install, activation, and deactivation through the core plugin endpoint.
• Added site_id / blog_id support so network admins can activate or deactivate plugins for one multisite child site from the network MCP endpoint.
• Safety: rejects conflicting site_id / blog_id plus network_activate / network_wide requests so child-site activation and network-wide activation stay explicit.

2.1.12

• Added a bounded, admin-readable MCP audit log for tools/call events with user, tool/action, object ID when available, anonymized IP, hashed session ID, status, and compact result/error summaries.
• Added optional per-user, per-role, and per-client/Application Password tool allowlists. Enforcement is disabled by default to preserve existing access until an administrator opts in.
• Added read-only administrator tool webo/health-status covering REST/router status, Application Password support, permalinks, cron, object cache, plugin update summary, WordPress/PHP versions, and redacted MCP config status.

2.1.11

• Security: enforce object-level capabilities for MCP content/media mutations, including edit_post, delete_post, publish/private status changes, and taxonomy-specific term capabilities.
• Security: filter read tools by read_post and hide tools from tools/list when the authenticated user lacks the tool capability.
• Hardening: use WordPress safe HTTP validation for optional Google Suggest requests in seo/article-analysis.

2.1.10

• Fix: register webo/plugin-query in Standalone_Tools so MCP clients can list plugin updates (query=updates, optional refresh=true) and other inspection modes.
• Bootstrap: prime WP_Abilities_Registry at init:2 so wp_abilities_api_init runs before MCP bootstrap (init:20), preventing _doing_it_wrong when abilities register on webo_mcp_register_tools.

2.1.9

• Refactor: move built-in MCP tool registration into inc/bootstrap/class-standalone-tools.php (smaller bootstrap; same tool names).
• Maintainer: broaden .gitignore (composer vendor/bin/, Cursor local config, scratch files); ship scripts/ helpers and docs/WPORG_REVIEW_REPLY_2.0.28.md; keep composer.json production-only.

2.1.8

• BOM guard: fix PCRE — use ^(?:xEFxBBxBF)+ so multiple UTF-8 BOMs are stripped (the old ^xEFxBBxBF+ only repeated the final 0xBF byte, breaking responses such as wp/v2/types on webo.vn for MCP clients).

2.1.7

• BOM guard: sanitize all REST API requests (/wp-json/…, wp-json.php, ?rest_route=) by default (webo_mcp_rest_bom_guard_json_api_requests filter to disable).

2.1.6

• BOM guard: treat Abilities API REST URLs (wp-abilities/v1) the same as MCP router URLs — @automattic/mcp-wordpress-remote calls discover/execute over wp-abilities, which previously skipped the sanitizer.

2.1.5

• BOM guard: also start the sanitizer on plugins_loaded and init at priority -999999 when the request URI looks MCP (covers BOM echoed before rest_api_init).

2.1.4

• BOM guard: start output buffer at rest_api_init priority 0 when Request-URI/rest_route looks like MCP (catches BOM printed before routing); loop-strip repeated BOM/FEFF; filter webo_mcp_rest_bom_guard_enabled to disable.

2.1.3

• REST: strip accidental UTF-8 BOM / stray U+FEFF before JSON on MCP routes so clients no longer fail JSON parse with Unexpected token (defensive ob_start handler on rest_pre_dispatch).

2.1.2

• Restore the versioned skills/ subtree in the Git repository (guides and ability-specific SKILL.md files referenced from README.md), matching the documented npx skills add workflows.
• Add webo-mcp-ultimo-domain-dns-cf skill index entry (Ultimo checking-dns + Cloudflare checklist).
• skills/README.md: document WP Rocket skill (cache-query / cache-mutate unified tools).

2.1.1

• Documentation: add docs/MCP_TOOL_MIGRATION.md (cross-addon dispatcher map; Rank Math + Rocket public-vs-internal discovery, WooCommerce query/mutate tool names).
• Readme (GitHub + WordPress.org): align examples with webo/content-query, document meta.mcp.public visibility for bridged abilities, link migration doc; sync standalone tool bullets (menus, themes, plugins).

2.1.0

• Token optimization — ecosystem-wide enum-dispatch unification. All WEBO MCP addons now follow the same query/mutate pattern as the core plugin, replacing one-tool-per-operation APIs with unified abilities that accept an action argument:
  • webo-mcp-woocommerce: 27 individual tools → 10 unified tools (webo/woo-query-products, webo/woo-mutate-products, webo/woo-query-orders, webo/woo-mutate-orders, webo/woo-query-customers, webo/woo-mutate-customers, webo/woo-query-coupons, webo/woo-mutate-coupons, webo/woo-query-store, webo/woo-mutate-store).
  • webo-mcp-rank-math: 18 individual tools → 10 unified webo-rank-math/*-query/*-mutate abilities; granular abilities may stay MCP-internal (see addon wp_register_ability_args).
  • webo-mcp-rocket: 9 individual tools → 2 unified tools (webo-rocket/cache-query, webo-rocket/cache-mutate).
• Impact: with core and addons active the total tool count visible in tools/list drops from ~79+ to ~34. A smaller tool list means the model picks tools faster, uses less context budget per request, and makes fewer tool-name errors.
• Pattern: each unified ability requires one action string that is dispatched server-side via PHP match(). All existing handler logic is preserved — only the registration surface changes.
• Updated skills documentation for webo-mcp-ability-woocommerce, webo-mcp-ability-rank-math, webo-mcp-ability-rocket, and webo-mcp-guide.

2.0.45

• Refactor: unify media tools into webo/media-query (list, get) and webo/media-mutate (upload, update, delete); removes 5 legacy media tools.
• Refactor: unify taxonomy/term tools into webo/taxonomy-query (discover, list, get) and webo/taxonomy-mutate (create, update, delete); removes 6 legacy term tools.
• Refactor: unify comment tools into webo/comment-query (list, get) and webo/comment-mutate (update, delete); removes 4 legacy comment tools.
• Refactor: unify post/content tools into webo/content-query and webo/content-mutate; removes 17 legacy post tools.
• Refactor: replace webo/list-active-plugins with unified webo/plugin-query (list, get, activate, deactivate).
• All unified tools normalize the id field as the primary response identifier; domain aliases (attachment_id, term_id, comment_id) are kept for backward compatibility.
• SEO: improved Unicode word count using Unicode ranges for multilingual content; non-spaced scripts (CJK, Thai) now estimate word count via character-based heuristics.

2.0.44

• SEO readability: estimate word count for non-spaced scripts (CJK, Thai, Khmer) via character-based heuristics.

2.0.43

• SEO readability: count Unicode title and meta description lengths correctly for non-ASCII characters.

2.0.42

• SEO readability: count Unicode words correctly for multilingual content.

2.0.41

• Media/site settings: add webo/set-site-icon to set the WordPress site icon/favicon from an existing image attachment.

2.0.40

• MCP post tools: add page, offset, orderby, and order support to webo/list-posts responses for reliable batch processing.
• SEO analyzer: infer the WordPress post title as the primary H1 when content omits an H1, and include Article JSON-LD from post/Rank Math metadata for more accurate schema checks.

2.0.39

• Options: allow safe permalink/category/tag base updates through MCP and flush rewrite rules after URL setting changes.

2.0.38

• MCP post tools: preserve safe HTML for post content/excerpt arguments so SEO headings, lists, tables, and images can be authored through create/update calls.

2.0.35

• New site-management tools: webo/list-themes and webo/switch-theme for discovering installed themes and switching the active theme by stylesheet slug.
• Readme: release includes the shortened WordPress.org short description, keeping the short description under the 150 character import limit.

2.0.34

• Options: allow webo/update-options and webo/get-options to handle show_on_front and page_on_front.
• Safety: validate show_on_front as posts|page and ensure page_on_front references a valid Page ID (or 0).

2.0.33

• Readme: refresh WordPress.org-facing description for clarity; lead with product value and protocol workflow, move ecosystem links to a secondary section.

2.0.32

• Fix: avoid WP 6.9 Abilities API incorrect-usage notices by hardening adapter category/ability registration order and late-boot recovery.
• Docs: add AGENTS.md workflow guidance and prioritize guide-first structure in README/readme.txt.

2.0.31

• Maintenance: version bump.

2.0.30

• Maintenance: version bump.

2.0.29

• Reliability: harden MCP adapter bootstrap and schema type handling (supports array/nullable type definitions safely).
• WP-CLI noise reduction: register core mcp-adapter abilities before bridge wiring and suppress default adapter server bootstrap in CLI mode to avoid false missing-ability errors.
• Release notice: users running WEBO MCP Pro should update Pro package compatibility notes from the official docs/release channel before production rollout.

2.0.28

• WordPress.org review fixes: added explicit External services disclosure for Google Suggest/Autocomplete used by seo/article-analysis (service purpose, transmitted query data and request metadata, conditions, Terms and Privacy links).
• Compatibility: removed use of WPINC for nav-menu API loading; now load nav-menu API via explicit core include paths with availability checks to reduce environment-specific path issues.

2.0.27

• Security (WordPress.org guidelines): MCP router no longer maps API keys or HMAC to arbitrary user accounts. All requests require WordPress Application Password (Basic Auth) or an existing logged-in session; optional site API key and HMAC apply only after authentication.
• Readme: Contributors includes phuongwebo; clarify authentication in description and FAQ.

2.0.26

• New MCP tool seo/article-analysis (category seo, edit_posts): WordPress-only on-page SEO signals for a post via post_id — rendered content, Rank Math merge, readability, issues, content_gaps. Agent documentation: skills/webo-mcp-seo-article/SKILL.md in the GitHub repo (not bundled in the WordPress.org zip).
• Readme: Stable tag sync, privacy note for optional outbound tool requests.

2.0.25

• list-posts: document defaults (publish + post type post); response includes applied filters so empty results are easier to explain. Models should pass status draft (etc.) and post_type page when listing those.

2.0.24

• Nav menus: list-nav-menu-locations response includes note explaining slug vs label; MCP descriptions tell models to call this tool first to discover theme_location keys.

2.0.23

• Nav menus: list-nav-menus response includes menu_id (same as term_id) and clearer MCP tool descriptions so clients list menus without asking users for menu_id first.

2.0.22

• Nav menus: if create-nav-menu / create-nav-menu-for-location targets a name that already exists, reuse the existing menu term and continue (reused_existing_menu in JSON). Return a clear error if core nav-menu.php cannot be loaded. Expanded primary fallback slugs (primary-menu, header-menu, mobile). assign-nav-menu-to-location accepts menu_name when menu_id is omitted (assigned_via_menu_name in response).

2.0.21

• Nav menus: resolve theme location when slug primary is missing (single registered slot, or common slugs main/header/menu-1/navigation). Load wp-includes/nav-menu.php before wp_create_nav_menu in REST context. Response field theme_location_resolution indicates how the slug was chosen.

2.0.20

• Access: MCP router gate allows manage_options and edit_posts (Editors, site admins on multisite), not only is_super_admin; fixes list-nav-menus / tools/call failing for non-administrator users. Multisite API key/HMAC falls back to first site Administrator if no Super Admin login exists. Error code webo_mcp_access_denied replaces misleading super-admin-only message.

2.0.15

• Nav menus: list-nav-menus, list-nav-menu-items (db_id, menu_order, object_id, parent_db_id), add-nav-menu-item-from-post with required post_id, post_type, and menu_order (explicit developer values; no auto placement).

2.0.14

• Security: MCP JSON-RPC router, SecurityHelper, tools discovery, and internal-tool policy default to network Super Admin on multisite (is_super_admin). Single-site installs use WordPress core’s is_super_admin() behavior (typically full administrators). Global API key/HMAC elevates to the first Super Admin user on multisite.

2.0.7

• Readme: highlight https://webomcp.com and n8n community node https://www.npmjs.com/package/n8n-nodes-webo-mcp; short description and FAQ; README.md aligned.

2.0.6

• License: plugin header uses the same wording as readme.txt (“GPL v2 or later”) to satisfy WordPress.org declared-license checks.

2.0.5

• Plugin header: @wordpress-plugin marker for strict scanners; License line uses GPLv2 or later slug (Plugin Handbook).

2.0.4

• Plugin header: handbook field order, shorter Description line, License text “GPL v2 or later”, Domain Path for translations.

2.0.3

• WordPress.org / Plugin Check: include composer.json when vendor is bundled; replace unlink with wp_delete_file for temp uploads; remove load_plugin_textdomain (core loads translations); resolve API key usermeta via get_users instead of direct $wpdb; readme short description, allowed Tags, Stable tag sync.

2.0.2

• WordPress.org packaging: release zip excludes dotfiles and all .github trees; readme Tested up to 6.9.

2.0.1

• Hardening: HMAC auth passes REST permission layer; SSRF guard for upload-media-from-url; paginated search-replace (max 500 posts per call); sanitized safe option updates; removed duplicate unused settings class.

2.0.0

• Plugin renamed to WEBO MCP; folder and main file: webo-mcp/webo-mcp.php.
• Text domain, REST namespace webo-mcp/v1, hooks webo_mcp_* (breaking for custom code using old hook names).
• Options and API-key usermeta migrate automatically from webo-wordpress-mcp keys on first load.

1.1.1

• Added empty input_schema definitions for core/get-user-info and core/get-environment-info.
• Fixes MCP tools/call validation errors when invoking these no-input core tools.

1.0.2

• Added new read-only tool: webo/list-active-plugins.
• Enables MCP clients to verify active plugins with capability check.

1.0.1

• Metadata refresh release to ensure dependency headers are reloaded correctly.
• tools/list compatibility improvements for include_internal aliases and legacy endpoint support.

1.0.0

• Initial stable public release.
• MCP JSON-RPC router with initialize, tools/list, tools/call.
• Tool registry integration and public visibility policy controls.
• Session management and optional API key/HMAC security.