Xaflo

Documentation

Everything you need to know

From your first install to advanced scope rotation and multi-site management. If something’s missing, tell us and we’ll add it.

Quick start

Already installed both pieces? Open Xaflo Desktop → + Add WordPress site → paste URL + token → Verify & continue. Restart Claude Code completely. In a new session run /mcp.

Fresh install? Three steps:

  1. Install the WordPress plugin. Download Xaflo WP Connect. Upload via wp-admin → Plugins → Add new → Upload. Activate.
  2. Install Xaflo Desktop. Download the installer for your OS. Run it. Open the app from the desktop shortcut.
  3. Bridge them. In WordPress admin: Xaflo → Settings → install signing secret. Then Xaflo → Tokens → New token (scopes: content:read, media:read). Copy the token. In Xaflo Desktop: + Add site. Paste URL + token.

Architecture

Xaflo is three pieces working in sync:

  • Xaflo WP Connect plugin — server-side PHP plugin on WordPress. Exposes /wp-json/wpcb/v1/* with JWT auth, rate limiting, scopes and audit logging.
  • claude-wp-mcp — Node.js MCP server. Bridges Claude Code’s MCP protocol to the plugin’s REST API. Bundled with Xaflo Desktop.
  • Xaflo Desktop — Electron + Svelte app. Manages every connection in your ~/.claude.json, runs health checks, hosts the prompt library and tool browser.

Claude Code reads ~/.claude.json at startup. Each entry becomes one MCP server. Each server registers its tools with the prefix mcp__<name>__wp_*. When you ask Claude “use wp_list_posts on movin”, Claude calls mcp__movin__wp_list_posts and the MCP server translates that into HTTPS calls against your WordPress site’s REST API.

Token scopes

Every JWT carries a list of allowed scopes. Tools check their required scope before executing. Suggested starting set: content:read, media:read, seo:read, analytics:read, site:read.

Add write scopes only when needed. Dangerous scopes (db:write, cli:exec, plugin:install, system:backup, theme:write) trigger two-step confirmation on every call.

The 74 tools

Grouped by domain:

  • Posts & Pages (10) — list, get, create, update, delete, publish, search across posts and pages
  • Media (7) — list, upload, delete, set alt/caption/description, optimize, find unused
  • SEO (6) — read/write Yoast/RankMath/AIOSEO meta, audit posts in bulk, sitemap status, broken links
  • Analytics (9) — overview, top posts/keywords/referrers, zero-traffic pages, period compare, trends by category
  • Multilingual (10) — list languages, get/set translations, audit string coverage
  • Theme (13) — read/switch themes, edit Customizer, manage menus and widgets, inject custom CSS
  • Plugins (8) — list, install from repo/zip, activate/deactivate, read/write files, scaffold new plugin
  • Taxonomy (2) — list, create terms
  • Site & System (7) — read/write settings, health, performance, backups
  • Advanced (2) — SQL queries with guard, WP-CLI execution

Browse them all in Xaflo Desktop → Tools.

Prompt library

Xaflo Desktop ships with 17 curated prompts you can copy and paste into Claude Code. Categories:

  • Audit & QA — full SEO audit, broken links, missing alt text, multilingual coverage
  • Create & Publish — draft post from topic, translate existing post, scaffold landing page
  • Manage — recent posts, empty trash, plugin update check, bulk category change
  • Analytics — top posts this month, zero-traffic pages, trend by category
  • Development — map active theme, add custom CSS via Customizer, scaffold a new plugin

You can also create your own — they’re saved to your userData/custom-prompts.json and appear at the top of the list under ⭐ My prompts.

Managing multiple sites

One Xaflo Desktop install handles unlimited WordPress sites. Each site gets its own entry in .claude.json with its own command, args (site URL + token), and unique slug like wp-movin or wp-podcast.

In Claude Code prompts you reference each site by its slug:

User: List my last 5 posts on wp-podcast
Claude: [calls mcp__wp-podcast__wp_list_posts(per_page=5)]
✓ Found 5 posts on podcast.allincrypto.com…

Troubleshooting

“Verification failed: HTTP 404” — Xaflo Desktop is calling an endpoint the plugin doesn’t expose. Ensure both are on v1.0.0 or later. Re-download the latest desktop installer.

“Failed to create token” — usually the JWT secret is missing. Go to wp-admin → Xaflo → Settings, click “Install JWT secret”.

“Plugin file does not exist” on upload — your zip was built with backslash paths. Re-download from this site or rebuild with a UNIX zipper.

Claude Code doesn’t see my new connection — you must fully quit Claude Code (Cmd/Ctrl+Q, then restart). Reload-window (Cmd/Ctrl+R) doesn’t pick up .claude.json changes.

REST API reference

All endpoints live under https://your-site.com/wp-json/wpcb/v1/ and require an Authorization: Bearer <jwt> header, except /health, which is public and returns only metadata.

  • GET /health — plugin version, WP version, PHP version, multilingual adapter, scopes (public)
  • GET /performance — system info, disk, MySQL, OPcache, plugins, theme (requires site:read)
  • GET /posts + POST /posts + PATCH /posts/{id} + DELETE /posts/{id}
  • GET /media + POST /media/upload + PATCH /media/{id} + DELETE /media/{id}
  • GET /seo/post/{id} + PUT /seo/post/{id} + POST /seo/audit/bulk
  • GET /tokens + POST /tokens + DELETE /tokens/{jti} (cookie-auth admin only)
  • POST /db/query — read with db:read, write with db:write + confirmation token
  • …and 50 more — browse them all from Xaflo Desktop’s Tools page.

Security model

JWT signing — HS256 with a 32+ byte secret in WPCB_JWT_SECRET. Tokens include iss (your site URL), iat, exp, jti, sub (WP user id), scopes.

Revocation — every token has a unique jti. Revoking adds the jti to wp_wpcb_revoked; the middleware checks on every request.

Rate limits — sliding 2-bucket per-token per-minute counter. Configurable per scope. Global default 60 RPM.
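One way to implement the sliding 2-bucket counter described above, as an added illustration that is not Xaflo’s code. It assumes buckets are keyed by token and scope so that a per-scope limit (for example a lower one for db:write) does not interfere with the token’s other scopes:

```javascript
// Added illustration (not Xaflo's code) of a sliding 2-bucket per-minute counter.
// Assumption: one bucket pair per (token, scope) so per-scope limits are independent.
class SlidingWindowLimiter {
  constructor(defaultLimit = 60, scopeLimits = {}, windowMs = 60_000) {
    this.defaultLimit = defaultLimit;   // global default: 60 RPM
    this.scopeLimits = scopeLimits;     // e.g. { 'db:write': 5 } to throttle a dangerous scope harder
    this.windowMs = windowMs;
    this.buckets = new Map();           // key -> { windowId, current, previous }
  }

  // Returns true if the call is admitted (and counts it); false if it should get HTTP 429.
  allow(jti, scope, nowMs = Date.now()) {
    const key = `${jti}:${scope}`;
    const windowId = Math.floor(nowMs / this.windowMs);
    let b = this.buckets.get(key);
    if (!b || b.windowId !== windowId) {
      // Roll the windows: the finished window becomes "previous" only if it was the
      // immediately preceding minute; anything older contributes nothing.
      const previous = b && b.windowId === windowId - 1 ? b.current : 0;
      b = { windowId, current: 0, previous };
      this.buckets.set(key, b);
    }
    // Weight the previous minute by how much of it still overlaps a 60 s window ending now.
    const overlap = 1 - (nowMs % this.windowMs) / this.windowMs;
    const estimate = b.previous * overlap + b.current;
    const limit = this.scopeLimits[scope] ?? this.defaultLimit;
    if (estimate >= limit) return false;
    b.current += 1;
    return true;
  }
}
```

Compared with a fixed per-minute reset, the weighted estimate stops a client from sending 60 calls at 0:59 and 60 more at 1:01.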

HTTPS enforcement — refuses to issue tokens or accept requests over HTTP. Override only if you terminate TLS at a verified proxy.

SqlGuard — every SQL query is parsed and validated for tables outside the WordPress prefix, dangerous keywords, and write operations without confirmation tokens.
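A simplified guard that makes the same three decisions (table prefix, dangerous keywords, write without confirmation), added here as an illustration and not Xaflo’s SqlGuard, which parses the statement properly. The keyword deny-list, the wp_ prefix and the fail-closed rule for unrecognised statement shapes are assumptions of this example:

```javascript
// Added example (not Xaflo's SqlGuard): keyword/prefix checks on a single SQL statement.
// Assumptions: wp_ prefix, the DENY list below, and reject-by-default for unknown shapes.
const WP_PREFIX = 'wp_';
const WRITE_VERBS = new Set(['INSERT', 'UPDATE', 'DELETE', 'REPLACE']); // need db:write + confirmation
const DENY = /\b(DROP|TRUNCATE|ALTER|CREATE|GRANT|REVOKE|LOAD_FILE|OUTFILE|DUMPFILE|SHUTDOWN|SLEEP|BENCHMARK)\b/;

// Blank out comments and string literals so keywords inside them are not matched.
function stripLiterals(sql) {
  return sql
    .replace(/\/\*[\s\S]*?\*\//g, ' ')
    .replace(/(--|#)[^\n]*/g, ' ')
    .replace(/'(?:[^'\\]|\\.)*'/g, "''")
    .replace(/"(?:[^"\\]|\\.)*"/g, '""');
}

function guardQuery(sql, { scopes, confirmed = false }) {
  const clean = stripLiterals(sql).trim().replace(/;\s*$/, '');
  if (clean.includes(';')) return { ok: false, reason: 'multiple_statements' }; // one statement per call
  const upper = clean.toUpperCase();
  if (DENY.test(upper)) return { ok: false, reason: 'dangerous_keyword' };
  const verb = upper.split(/\s+/)[0];
  const isWrite = WRITE_VERBS.has(verb);
  if (verb !== 'SELECT' && !isWrite) return { ok: false, reason: 'unsupported_statement' };
  // Every table named after FROM / JOIN / INTO / UPDATE must carry the WordPress prefix.
  const tables = [];
  for (const m of clean.matchAll(/\b(?:FROM|JOIN|INTO|UPDATE)\s+`?([A-Za-z0-9_.]+)`?/gi)) tables.push(m[1]);
  if (tables.length === 0) return { ok: false, reason: 'no_table' };
  const outside = tables.filter((t) => !t.toLowerCase().startsWith(WP_PREFIX));
  if (outside.length) return { ok: false, reason: 'table_outside_prefix', tables: outside };
  if (isWrite) {
    if (!scopes.includes('db:write')) return { ok: false, reason: 'scope' };
    if (!confirmed) return { ok: false, reason: 'confirmation_required' }; // the two-step gate
  } else if (!scopes.includes('db:read')) {
    return { ok: false, reason: 'scope' };
  }
  return { ok: true, write: isWrite, tables };
}
```

Because SQL has many ways to reach a table that a regex will not see, a guard like this is a second line behind scopes and the per-query confirmation, not a replacement for them.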

FileSandbox — theme and plugin file writes go through a sandbox that checks the target path against an allowlist, backs up the existing file, and verifies that the write succeeded.

Audit log — every request is recorded with timestamp, jti, user, IP, endpoint, scope required, result, payload (sanitized). Default 90-day retention.