Xaflo WP Connect

The WordPress plugin that listens to AI

A lightweight server-side companion that exposes a secure, scoped REST API on your WordPress site. Install it once, generate a token, and Claude Code can read and write your content from your computer.

Why this plugin exists

WordPress’s REST API isn’t enough

Stock /wp-json/wp/v2/ gives you posts and pages, but no SEO, no analytics, no theme files, no multilingual support, no scoped tokens, no audit log. Xaflo WP Connect fills the gaps with 74 typed endpoints and JWT-based authentication.

🔐

JWT tokens with scopes

Every token has explicit scopes: content:read, media:write, db:read, seo:write, etc. Revocable, expiring, audited.

📋

Audit log on every call

Every API request is logged with timestamp, scope, user, IP, payload (sanitized) and outcome. 90-day retention, configurable.

🛡️

Rate limiting built-in

Per-token sliding window. Sensitive scopes (write, exec, install) get tighter caps. HTTP 429 with Retry-After.

🧩

Adapter system

Pluggable adapters for Yoast/Rank Math/AIOSEO, WPML/Polylang, Site Kit/MonsterInsights/Jetpack analytics. Add yours.

⚙️

Two-step destructive ops

Backups, DB writes, plugin installs require a confirmation token from the first call. No accidents.

🪶

Lightweight

200 KB zip. PSR-4 namespaced PHP 8.1+. Composer autoload. WP-CLI compatible. No external services.

Installation

From upload to token in three minutes

1. Download the zip

Click the download button at the top of this page. The zip is ~200 KB and contains the plugin + the MCP server tarball.

2. Upload via wp-admin

Plugins → Add new plugin → Upload plugin → choose the zip → Install now → Activate.

3. Set signing secret

The plugin tells you to add WPCB_JWT_SECRET to wp-config.php. A strong random secret is generated for you.

4. Generate token

Xaflo → Tokens → New token. Pick scopes (start with content:read, media:read). Copy immediately — shown once.

5. Paste into Xaflo

Open the desktop app → + Add WordPress site → paste site URL + token → Verify & continue. Done.
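
A server that honours scoped tokens like the ones created in steps 3 and 4 (and described under "JWT tokens with scopes" above) has to check signature, expiry and scope on every request. The PHP below is an added illustration, not Xaflo WP Connect's own code: it assumes HS256 signing with a shared secret such as WPCB_JWT_SECRET, hypothetical claim names exp and scopes, and invented function names.

```php
<?php
declare(strict_types=1);
// Added illustration, not the plugin's code. HS256 and the claim names
// "exp" and "scopes" are assumptions; all function names are hypothetical.
function b64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
function b64url_decode(string $s): string
{
    $padded = $s . str_repeat('=', (4 - strlen($s) % 4) % 4);
    return (string) base64_decode(strtr($padded, '-_', '+/'), true);
}

function token_allows(string $jwt, string $secret, string $needed, int $now): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    [$h, $p, $sig] = $parts;
    // Pin the algorithm so the token cannot select "none" or another alg.
    $header = json_decode(b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return false;
    }
    // Recompute the MAC over header.payload; compare in constant time.
    $expected = b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
    if (!hash_equals($expected, $sig)) {
        return false;
    }
    // Only after the signature holds are the claims trusted.
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims) || !is_int($claims['exp'] ?? null) || $claims['exp'] <= $now) {
        return false;
    }
    $scopes = $claims['scopes'] ?? null;
    return is_array($scopes) && in_array($needed, $scopes, true);
}

// Constructed sample token limited to the two read scopes suggested in step 4.
$secret = 'constructed-demo-secret';
$now = 1700000000;
$h = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$p = b64url_encode(json_encode(['exp' => $now + 3600, 'scopes' => ['content:read', 'media:read']]));
$jwt = "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
foreach (['content:read', 'media:write'] as $scope) {
    echo $scope, ' => ', var_export(token_allows($jwt, $secret, $scope, $now), true), PHP_EOL;
}
```

Revocation cannot be decided from the signature alone; it needs a server-side lookup keyed on the token, which is outside this example.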

Requirements

What you need on your WordPress site

🟢

WordPress 6.0+

The plugin uses block APIs and modern REST hooks. Tested up to 6.9.

🐘

PHP 8.1+

Required for typed enums, readonly properties, and proper performance. PHP 8.2 / 8.3 also fully supported.

🔒

HTTPS

Required by default. The plugin refuses to issue tokens over plain HTTP. Disable this requirement only when the site sits behind a TLS-terminating proxy.