ShopMCP docs

Connect a module

WordPress + WooCommerce

Plug one or many WordPress sites into your workspace. Auth uses Application Passwords (built into WP 5.6+) so there's nothing to install on the site. WooCommerce, Yoast SEO, Rank Math, and ACF tools unlock automatically when detected.

Prerequisites

  • WordPress 5.6 or newer (for Application Passwords).
  • A WP user account with edit_posts capability or higher — ShopMCP never asks for more than the actions you take.
  • WooCommerce 3.5+ if you want the woo_* tools (products, orders, customers, reports, stock).
  • The site must be served over HTTPS. ShopMCP refuses to send credentials over plain HTTP.

1. Generate an Application Password in WordPress

In your WP admin, go to Users → Profile (or Users → All Users → (your user) if you're editing another account), scroll down to the Application Passwords section, and type a name like ShopMCP. Click Add New Application Password.

WordPress shows the new password once, in 24-character groups (e.g. AbCd 1234 EfGh 5678 IjKl 9012). Copy the whole thing including the spaces — WordPress ignores them on sign-in.

If you don't see the Application Passwords section, your host may have disabled the feature at the server level (some managed hosts do this). Ask support, or install the official Application Passwords plugin from wordpress.org to re-enable it.

2. (Optional) Generate WooCommerce REST keys

If the site runs WooCommerce and you want access to the woo_* tools, generate a REST API key:

  • Go to WooCommerce → Settings → Advanced → REST API.
  • Click Add key.
  • Set Description to ShopMCP, User to a shop manager (or higher), and Permissions to Read/Write.
  • Click Generate API key. Copy both the Consumer key (starts with ck_) and Consumer secret (starts with cs_) — they only display once.
Read-only keys work for the woo_get_* tools but block every write. If you later want to use woo_update_product etc., you'll need to regenerate with Read/Write.

3. Paste the credentials into ShopMCP

Open Settings → Integrations and click Connect on the WordPress card. Fill in:

  • Site URL — the full https:// URL of the site, e.g. https://blog.example.com.
  • Display name — a friendly label for the dashboard and tool output (e.g. Acme Blog).
  • WordPress username — the login name of the user whose Application Password you generated.
  • Application password — the 24-character value from step 1.
  • Woo consumer key/secret — optional, only if the site has WooCommerce.

ShopMCP verifies the site is reachable, confirms the credentials work, and runs a plugin probe against /wp-json and /wp-json/wp/v2/plugins. The detected plugins show up in the "connected sites" table and gate which tools appear in your tools/list.

4. Multi-site workflow (agencies)

Repeat step 3 as many times as you need — every site lives under a single connection blob but is addressable via its own site_id. The workspace's default site is used when a tool call omits site_id; change the default by clicking Set default on any row.

Use wp_list_sites from the chat client to discover the ids before making targeted calls:

> What WordPress sites do I have connected?

(calls wp_list_sites → returns id, URL, detected plugins per site)

> On the acme-blog site, list draft posts modified this week

(calls wp_get_posts with site_id: "<acme id>", status: "draft", modified_after: ...)

Tool inventory

Always available on every connected site:

  • wp_list_sites, wp_get_site_info
  • wp_get_posts, wp_get_pages, wp_get_media, wp_get_users, wp_get_taxonomies, wp_get_comments

Unlocked when WooCommerce is detected:

  • woo_get_products, woo_get_orders, woo_get_customers, woo_get_coupons, woo_get_sales_report, woo_get_top_sellers, woo_get_stock

Unlocked when Yoast SEO or Rank Math is detected:

  • seo_get_meta — normalized across both plugins so the caller doesn't need to care which is installed.

Unlocked when ACF is detected:

  • acf_get_fields — read ACF field values attached to a post.

Write tools (wp_create_post, wp_update_post, wp_delete_post, wp_upload_media, wp_moderate_comment, woo_create_product, woo_update_product, woo_set_product_stock, woo_update_order_status, woo_create_coupon, woo_create_refund, seo_update_meta, acf_update_fields) are gated by a per-workspace write policy. Every mutating tool supports dry_run: true to preview a unified diff before you authorize the real write.

Troubleshooting

  • "WordPress rejected the credentials (HTTP 401)" — the Application Password was revoked, the user was deactivated, or you pasted the wrong username. Go back to Users → Profile in WP and generate a fresh password.
  • "Couldn't reach /wp-json/" — a security plugin (Wordfence, iThemes, SolidWP) is blocking unauthenticated access to the REST namespace. Whitelist ShopMCP's egress IPs or relax the REST API filter for /wp-json/wp/v2.
  • "WooCommerce returned 404" — either Woo isn't installed, Woo is older than 3.5, or the keys are for a different site. Re-generate the keys in WooCommerce → Settings → Advanced → REST API.
  • Plugin tools don't appear in tools/list — the probe reads /wp-json/wp/v2/plugins, which some hosts disable. If Woo/Yoast/Rank Math/ACF is installed but undetected, the site still works — tools just don't auto-register. Ping support and we can widen the fallback detection.
  • Rate limit hit (HTTP 429) — WooCommerce's Store API rate limits are off by default but some hosts add their own. Back off for 30 seconds and retry.