// Use when hardening WordPress sites, auditing security configurations, applying security measures, or working with the MCP Content Manager Security module: wp-config.php constants, .htaccess rules, HTTP headers, login protection, REST API restrictions, file permissions, and security scoring.
Use when performing WordPress site maintenance: updating plugins, themes, or core. Executes a safe update cycle with pre-flight page checks, automatic snapshots, controlled update execution with anti-loop protection, post-update verification, error log inspection, and automatic rollback decisions. Also handles stuck maintenance mode cleanup.
Use when configuring The7 WordPress theme (Dream-Theme). Provides all available options (colors, typography, header, footer, layout, blog, portfolio, buttons, page titles, mobile header, floating header, micro-widgets, stripes, social buttons, advanced settings) and procedures to apply them via MCP Content Manager abilities. Classic theme — theme options stored in wp_options as the7. Logo uses WordPress custom_logo theme mod.
Customize and configure any WordPress theme. Use this skill when the user wants to change the design of their site, modify colors, typography, header, footer, layout, or any visual aspect of the active theme. Also when they ask to "change the design", "customize the theme", "modify the appearance", "configure the theme", "change colors", "change fonts", "adjust the header/footer", or any request related to the visual appearance and configuration of the WordPress site. Searches first for a theme-specific skill before performing scans. Compatible with both classic themes and block (FSE) themes.
Use when configuring the Avada WordPress theme (ThemeFusion). Guides the user through a 5-phase conversation to fully configure Avada — covering ALL 600+ options across 33 sections (colors, typography, header, footer, page title bar, breadcrumbs, sliding bar, sidebars, blog, portfolio, search, social media, WooCommerce, Events Calendar, bbPress, layout, background, logo, responsive, slideshows, elastic slider, lightbox, forms, extra, contact, performance, privacy, maintenance, advanced, custom CSS, auth pages, and page-level overrides). Classic theme — options stored in wp_options as fusion_options. Logo uses both Avada options AND WordPress custom_logo theme mod.
Use when configuring the Twenty Twenty-Five WordPress theme. Provides all available options (colors, typography, layout, spacing, templates, block styles, 8 style variations, 98 patterns) and procedures to apply them via MCP Content Manager abilities.
Use when configuring the Twenty Twenty-Four WordPress theme. Provides all available options (colors, typography, layout, spacing, duotones, gradients, templates, block styles, style variations, patterns) and procedures to apply them via MCP Content Manager abilities.
| name | wordpress-security |
| description | Use when hardening WordPress sites, auditing security configurations, applying security measures, or working with the MCP Content Manager Security module: wp-config.php constants, .htaccess rules, HTTP headers, login protection, REST API restrictions, file permissions, and security scoring. |
| compatibility | Targets WordPress 6.0+ on PHP 7.4+. Uses MCP Content Manager Premium v2.3+ abilities for automated security operations. Apache/LiteSpeed for .htaccess measures; Nginx requires manual server config. |
CRITICAL PRINCIPLE: Never apply security changes without first auditing and informing the user.
1. Run mcm/security-audit to get current state and score (0-100)
2. Present results grouped by risk level:
🟢 SAFE — Can apply directly without side effects
🟡 CAUTION — May affect plugins/themes; explain risks first
🔴 CRITICAL — Can break the site; require explicit backup confirmation
3. The USER decides, the plugin executes
If MCP Content Manager is available:
Use ability: mcm/security-audit
If not available, check manually:
// Check wp-config.php constants
defined('DISALLOW_FILE_EDIT') // Should be true
defined('FORCE_SSL_ADMIN') // Should be true if HTTPS available
defined('WP_DEBUG_DISPLAY') // Should be false in production
// Check .htaccess rules
// Look for directory listing protection, PHP execution blocks, sensitive file protection
// Check HTTP response headers
// X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
If the audit shows no 2FA plugin is installed, recommend the official WordPress Two-Factor plugin:
mcm/install-plugin (slug: two-factor), but configuration must be done manually by the userThese have NO known side effects and can be applied in batch:
| ID | Measure | Points |
|---|---|---|
file_edit_disabled | DISALLOW_FILE_EDIT in wp-config.php | 5 |
wpconfig_htaccess_protection | Block HTTP access to wp-config.php | 5 |
disable_directory_listing | Options -Indexes in .htaccess | 5 |
uploads_php_execution_block | Block PHP in wp-content/uploads/ | 5 |
sensitive_files_protection | Block access to .sql, .bak, .log files | 4 |
login_attempt_limit | Progressive brute force lockout | 10 |
disable_pingbacks_trackbacks | Close pingbacks globally | 3 |
remove_pingback_header | Remove X-Pingback header | 2 |
hotlinking_protection | Block hotlinking from external domains | 2 |
remove_version_info | Remove WordPress version from source | 3 |
idle_session_logout | Auto-logout after inactivity | 3 |
weak_password_audit | Check for common passwords | 5 |
If MCP Content Manager is available:
Use ability: mcm/security-apply-safe
Optional: exclude specific measures with "exclude" parameter
Always explain risks before applying:
| ID | Measure | Points | Risk |
|---|---|---|---|
xmlrpc_protection | Block/limit XML-RPC | 8 | Jetpack, WP mobile app need it |
rest_api_protection | Restrict sensitive endpoints | 8 | Some plugins use public REST API |
user_enumeration_protection | Block author enumeration | 7 | Author archives return 404 |
force_ssl_admin | Force HTTPS on admin | 10 | Breaks if SSL not configured |
security_headers | HTTP security headers | 7 | Varies by header |
custom_login_url | Change /wp-login.php URL | 3 | Users may lose access |
file_permissions_fix | Fix file/dir permissions | 5 | Server ACLs may differ |
disable_file_mods | DISALLOW_FILE_MODS | — | Disables MCP itself! |
For XML-RPC, recommend selective mode:
For REST API, NEVER block:
/wp-json/mcp/* — MCP adapter endpoints/wc/v3/* — WooCommerce API/wp/v2/posts, /wp/v2/pages — Public contentFor FORCE_SSL_ADMIN, always pre-verify:
$response = wp_safe_remote_get('https://' . $_SERVER['HTTP_HOST'] . '/wp-admin/', array('sslverify' => true));
if (is_wp_error($response)) {
// DO NOT enable FORCE_SSL_ADMIN
}
These require backup_confirmed=true and explicit user consent:
| ID | Measure | Risk |
|---|---|---|
database_prefix_change | Change DB table prefix | SQL errors = site down |
move_wpconfig_outside | Move wp-config.php up | Site inaccessible if fails |
| HSTS header | Strict-Transport-Security | Irreversible if SSL removed |
| CSP header (enforce mode) | Content-Security-Policy | Breaks scripts/styles easily |
Database prefix change protocol:
CSP implementation — two phases:
After applying ANY measure, verify site health:
1. Check frontend loads (HTTP 200)
2. Check wp-admin loads (HTTP 200)
3. Check REST API responds (MCP endpoints)
4. If any check fails → auto-revert the measure
If MCP Content Manager is available, this is done automatically by mcm_security_verify_site_health().
Apache/LiteSpeed: All .htaccess measures work natively.
Nginx: .htaccess measures (2.4, 2.5, 2.6, 2.7, 2.17) are NOT supported. Instead:
not_applicable in audit resultsCustom Login URL recovery:
mcm/security-emergency-login ability (restores /wp-login.php for 15 min)mcm-emergency-login.txt in ABSPATH via FTPwp-config.php recovery:
mcm/restore-backup ability to restoreGeneral recovery:
/wp-json/mcp/*) are NOT blocked by REST API protection# BEGIN MCM Security - [id] / # END MCM Security - [id]chmod 644 wp-config.php temporarily.# BEGIN MCM Security - [measure_id] and delete to matching # END.mcm-emergency-login.txt in WordPress root via FTP.delete_transient('mcm_login_attempts_' . hash('sha256', $user_ip)).