How to Connect Claude MCP to Self-Hosted WordPress (Complete Guide)

The setup has two parts: a plugin on your WordPress site, and an entry in your Claude Desktop config file. Once both are in place, Claude gets a full set of WordPress tools: creating posts, managing categories, uploading media all from your desktop.

There are three authentication methods to choose from. I’ll cover all of them, but I’ll be clear about which one I’d recommend for each use case.

What You Don’t Need

• No paid plan. The WordPress.com MCP connector requires Jetpack Complete. This doesn’t.
• No AI Engine plugin. AI Engine is a separate product — unrelated to this setup.
• No Jetpack. Not required at all.

What You Do Need

• Node.js 22+ installed on your machine (required for the fetch API)
• A self-hosted WordPress site
• Claude Desktop or Cowork installed
• Automacttic’s WordPress MCP Plugin

Step 1: Install and Enable the wordpress-mcp Plugin

Instead of using Claude Coworks connector, we will use a wordpress plugin to setup our MCP, then connect to that. Automattic’s plugin It exposes data and functionality via the WordPress REST API.

Download the latest wordpress-mcp.zip release from Automattic GitHub page:

https://github.com/Automattic/wordpress-mcp/releases

In WordPress admin, go to Plugins / Add New / Upload Plugin, upload the .zip, install and activate it.

Then go to Settings/ MCP Settings and enable MCP functionality. Just installing the plugin isn’t enough. If you skip this, the endpoint won’t be available and nothing will connect.

Step 2: Choose Your Authentication Method

There are three options. Here’s what each one means in practice:

Option A: OAuth 2.1 (Default — Most Secure)

This is the default. On first run, a browser window opens for you to authorise Claude to connect to your site. After that, tokens are stored locally and refreshed automatically. Most secure, best long-term experience, no tokens to manage manually.

{
  "mcpServers": {
    "your-site-name": {
      "command": "npx",
      "args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
      "env": {
        "WP_API_URL": "https://yoursite.com"
      }
    }
  }
}

Option B: JWT Token (Recommended for Automation)

This is what I use. No browser popup, no interactive auth — just paste a token and it works. Better for automated pipelines where you don’t want a browser window opening mid-task. The tradeoff: JWT tokens have an expiry date, so you’ll need to regenerate periodically.

Generate a JWT token from within the wordpress-mcp plugin settings in WordPress admin. Then add OAUTH_ENABLED: "false" to prevent the OAuth flow from kicking in alongside it:

{
  "mcpServers": {
    "your-site-name": {
      "command": "npx",
      "args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
      "env": {
        "WP_API_URL": "https://yoursite.com",
        "JWT_TOKEN": "your-jwt-token-here",
        "OAUTH_ENABLED": "false"
      }
    }
  }
}

Option C: Application Passwords (Legacy)

You may see other blogs referencing this method, which didn’t work for me (20th March 2026). Looking at Automattic’s docs, this approach is listed as “legacy”. I’ve left it here for reference, in case you are wondering why its not mentioned. This MAY work for other AI Tools, as im a CLaude user I don’t know. By all means, leave a comment below if you got this working!

Generate an Application Password in WordPress admin under Users → Profile → Application Passwords, then:

{
  "mcpServers": {
    "your-site-name": {
      "command": "npx",
      "args": ["-y", "@automattic/mcp-wordpress-remote@latest"],
      "env": {
        "WP_API_URL": "https://yoursite.com",
        "WP_API_USERNAME": "your-wp-username",
        "WP_API_PASSWORD": "Xxxx xxxx xxxx xxxx xxxx xxxx",
        "OAUTH_ENABLED": "false"
      }
    }
  }
}

Config Notes

• WP_API_URL is just your site root — e.g. https://yoursite.com with no path or suffix. The name is misleading but it’s fixed by the .
• The key name (e.g. your-site-name) becomes the tool namespace in Cowork — so "my blog" gives you tools like mcp__my_blog__wp_add_post.
• Multiple sites: add each as a separate named entry inside the same mcpServers object. Don’t create a second top-level JSON object — that silently breaks everything.
• Validate your JSON at jsonlint.com before restarting. A trailing comma or misplaced bracket will break it silently and cause it to be deleted to default; which is annoying if you have a large config file with multiple passwords!

Step 3: Fully Restart Cowork

Quit completely from the menu bar icon and relaunch — not just close the window. Config changes aren’t picked up until a full restart. If you chose OAuth, a browser window will open on first launch for authorisation. JWT and Application Password methods connect silently.

Once connected, verify by asking Claude to list your posts or get site info.

What You Can Do With It

Once connected: create and update posts and pages, manage categories and tags, upload media, edit site settings, search content — all without opening WordPress admin. I’m running this across four sites, each as a separate named entry in the config. Same npx command for all of them; only the URL and auth credentials differ.

Troubleshooting

Tools not showing after restart: Validate JSON at jsonlint.com first. Then confirm the plugin is installed, activated, and enabled in Settings → MCP Settings.

OAuth browser doesn’t open: Check port 3000 is available, or set a different port with OAUTH_CALLBACK_PORT. Or switch to JWT auth to avoid OAuth entirely.

JWT stops working: Tokens expire. Generate a new one from the plugin settings in WordPress admin, update the config, restart.

“Waiting for other instance” messages: Normal — the package coordinates between multiple MCP clients to prevent auth conflicts.

API endpoint not found: The plugin is probably installed but not enabled. Go to Settings → MCP Settings in WordPress admin.