The WordPress plugin
that turns WP into a tool surface.
Install on any WordPress site. Issue scoped JWT tokens. Expose 78 typed tools (now including remote maintenance + debug.log tail) to any MCP-compatible AI client.
A complete control plane for AI agents.
78 REST tools, typed
Every WordPress capability you actually use, exposed as a typed REST endpoint with JSON schema. Posts, pages, media, menus, widgets, customizer, plugins, themes, CLI, DB, debug.log, maintenance.
Remote maintenance mode NEW
Toggle a styled 503 page from Xaflo Desktop or wp-admin. IP allow-list keeps operators in, everyone else out. Mirrors a .maintenance file + branded drop-in.
Debug.log tail NEW
Parse + filter the WP error log over REST. Severity-aware. 8 MB tail cap.
JWT scoped tokens
23 granular scopes. Read-only for analytics. Write-only for content. Revoke instantly.
Auto-update
Plugin polls updates/v1/ every 12h. SHA-256 verified before unpack.
Analytics built in
Top posts, no-traffic pages, keywords, referrers, period comparison — no GA4 SDK setup, no Search Console OAuth dance.
SEO toolkit
Bulk audit, single-page diagnosis, schema injection, sitemap status — works alongside Yoast / Rank Math / SEOPress without conflict.
Auto-backups
Every destructive write triggers a snapshot. Restore via wp_backup_restore.
Audit log
Every API call: actor, scope, payload, timestamp. RGPD-friendly.
WPML + Polylang
Multilingual aware. Translations as first-class objects.
Production-ready in under 5 minutes.
Upload & activate
Plugins → Add New → Upload. Pick xaflo-wp-connect-1.3.1.zip. Activate.
Add signing secret
Add one line to wp-config.php:define('WPCB_JWT_SECRET', '...');
Issue a token
Xaflo → Tokens → New. Pick scopes. Copy. Paste into Xaflo Desktop.
Why not just use WP’s built-in REST API?
Because Claude needs typed, scoped, audited tool descriptors — not a 50-endpoint REST surface that talks JSON like it’s 2014.
| Capability | Stock WP REST | Xaflo WP Connect |
|---|---|---|
| Typed tool descriptors | — | 78 tools |
| Scoped JWT auth | Application Passwords only | 23 granular scopes |
| Auto-backup before writes | No | Snapshot + restore |
| Audit log | No | Every call logged |
| Remote maintenance toggle | No | Styled 503 + IP bypass |
| Debug.log tail | No | Parsed + severity-filtered |
| Analytics tools | No | 10 analytics endpoints |
| SEO bulk audit | No | Built in |
| CLI execution | No | wp_cli_exec (scoped) |
| Multilingual aware | No | WPML + Polylang |
| MCP-compatible | Manual wiring needed | Native via claude-wp-mcp |
| Self-hosted auto-update | No | SHA-256 verified |
Get the plugin.
No license key. No phone-home. No telemetry. Just a .zip and your wp-config.