TeamDay.ai
AI WordPress Management: Run Your WordPress Site with AI Agents
← Back
Jozo · 10 min read · 2026/02/24
WordPress AI Agents Content Management MCP SEO Automation CMS

AI WordPress Management: Run Your WordPress Site with AI Agents

WordPress powers 43% of the web. Yet managing a WordPress site is still a manual grind — writing posts, moderating comments, updating plugins, checking stats, tweaking settings. Each task small on its own. Together, a death by a thousand clicks.

What if you could just tell your WordPress site what to do?

That’s what the AI WordPress Studio in TeamDay does. Connect your WordPress site — WordPress.com or self-hosted — and an AI agent manages it through conversation. Not a plugin that auto-generates junk content. A real agent with tools that reads your site, understands context, and executes your instructions.

How It Works: WordPress Meets MCP

The magic is MCP — Model Context Protocol. It’s an open standard that gives AI agents structured access to external tools. Instead of screen-scraping your WordPress admin or making blind API calls, the agent connects through a proper protocol that WordPress speaks natively.

TeamDay supports two connection methods:

WordPress.com — One-Click OAuth

If your site is on WordPress.com, connection takes 10 seconds:

  1. Click Connect in the WordPress Studio
  2. Authorize with your WordPress.com account
  3. Done — the agent can now manage your site

Under the hood, this uses WordPress.com’s official MCP endpoint with OAuth 2.1 and PKCE. Your credentials never touch TeamDay’s servers — it’s a direct token exchange between your browser and WordPress.com.

Self-Hosted WordPress — Plugin + Application Password

Running WordPress on your own server? You need WordPress 6.9 or newer (which introduced the Abilities API that MCP depends on). Then two steps on your side:

  1. Install the MCP Adapter plugin — In your WordPress admin: Plugins → Add New → search “MCP Adapter”. Or grab it from GitHub. Activate it.
  2. Create an Application Password — Users → Your Profile → scroll to “Application Passwords” → name it “TeamDay” → click Add. Copy the password (it won’t be shown again).

Then in TeamDay, add the Self-Hosted WordPress integration and enter your site URL, username, and the application password. TeamDay automatically connects to the MCP Adapter endpoint on your site (/wp-json/mcp/mcp-adapter-default-server) via the @automattic/mcp-wordpress-remote proxy.

Why Application Passwords? They’ve been built into WordPress since version 5.6. Unlike your main login password, application passwords can be revoked individually, and they don’t grant access to the WordPress admin UI — only to the REST API. Perfect for agent access.

What the Agent Can Do

Once connected, your WordPress site becomes a tool the AI can use. Here’s what that looks like in practice:

Content Operations

  • Write posts — “Write a blog post about our Q1 product update and publish it” → The agent drafts the post, formats it, sets categories and tags, and publishes.
  • Edit pages — “Update the About page — change the founding year to 2024” → Done in seconds.
  • Manage media — Upload images, set featured images, organize the media library.

Site Administration

  • Plugin management — “What plugins need updates?” → Gets the list. “Update them all” → Executed.
  • Comment moderation — “Check for spam comments and delete them” → Reviews, filters, removes.
  • User management — “Add a contributor account for [email protected]” → Creates the account with the right role.

Monitoring

  • Traffic stats — “How did last week’s blog post perform?” → Pulls views, visitors, referrers.
  • Site health — “Any issues with the site?” → Checks plugin conflicts, update status, security notices.

The key difference from a chatbot: the agent doesn’t tell you how to do these things. It does them. When you say “publish a post,” it’s published. When you say “delete spam comments,” they’re gone.

The Real Power: Cross-Office Synergies

A WordPress management agent on its own is useful. But WordPress doesn’t exist in a vacuum — it’s the publishing layer for a content operation that includes SEO research, analytics, content creation, and distribution. That’s where TeamDay’s multi-office architecture shines.

WordPress Studio + SEO Office

The AI SEO Office connects to Ahrefs, Google Search Console, and SE Ranking. It knows your keyword rankings, backlink profile, and content gaps.

Combined workflow:

  1. SEO Office identifies a keyword opportunity: “best project management tools 2026” — high volume, low competition
  2. You tell the WordPress Studio: “Write and publish a post targeting ‘best project management tools 2026’”
  3. The agent writes an SEO-optimized post using the keyword data from your SEO Office, then publishes it to WordPress
  4. Next week, the SEO Office tracks how the new post is ranking

No copy-pasting between tools. No exporting CSVs. The agents share the same workspace and can reference each other’s outputs.

WordPress Studio + Content Studio

The AI Content Studio has specialized agents for writing, image generation, and translation. It writes long-form content that’s better than what a general-purpose agent produces.

Combined workflow:

  1. Content Studio writes an in-depth article with custom cover image
  2. Content translator localizes it to Spanish, French, German, Japanese
  3. WordPress Studio publishes the English version to your main site
  4. You publish translations to your multilingual WordPress setup (WPML/Polylang)

Three AI teams, one content pipeline. The Content Studio focuses on quality writing, the WordPress Studio handles CMS operations.

WordPress Studio + Data Analytics

The AI Data Analytics office connects to your databases and builds dashboards. Pair it with WordPress for data-driven content:

  • Pull quarterly metrics from your database
  • Generate charts and insights
  • WordPress Studio publishes them as a data report post
  • Schedule it to run every quarter automatically

WordPress Studio + Social Media Team

Publish a post, then have the AI Social Media Team find relevant Reddit and Hacker News threads where you can share it authentically. Content creation and distribution in one flow.

Scheduled Missions: Set It and Forget It

The WordPress Studio comes with default missions you can enable:

  • Weekly Content Review — Every Monday, the agent audits your recent posts: checks for broken links, missing alt text, outdated information, and SEO issues. Produces a report with recommended fixes.
  • Daily Comment Moderation — Every morning, the agent reviews new comments, flags spam, and optionally auto-approves comments from known contributors.

You can create custom missions too. Some ideas:

  • Monthly plugin audit — Check all plugins for updates, security vulnerabilities, and unused plugins that should be removed
  • Weekly competitor content scan — Compare your publishing frequency and topics against competitor blogs (combine with SEO Office data)
  • Daily stats digest — Morning summary of yesterday’s traffic, top posts, and referral sources

Missions run on a cron schedule. They execute, produce a report, and you review it when convenient. The WordPress site stays maintained even when you’re focused on other things.

Setting It Up: 5-Minute Guide

For WordPress.com

  1. Go to your TeamDay workspace → AI TeamsWordPress Studio
  2. Click ConnectWordPress.com
  3. Authorize with your WordPress.com account
  4. Start chatting: “Show me my recent posts”

For Self-Hosted WordPress

Requirements: WordPress 6.9 or newer (for the Abilities API).

  1. On your WordPress site:
    • Install and activate the MCP Adapter plugin (Plugins → Add New → search “MCP Adapter”, or download from GitHub)
    • Go to Users → Your Profile → Application Passwords
    • Enter name “TeamDay”, click Add New Application Password
    • Copy the generated password
  2. In TeamDay → WordPress StudioConnectWordPress (Self-Hosted)
  3. Enter your WordPress URL (e.g., https://myblog.com or https://example.com/blog/ for subdirectory installs), username, and the application password
  4. Start chatting: “What’s the status of my site?”

TeamDay automatically connects to the correct MCP endpoint on your site. No complex configuration, no webhook setup, no custom code.

Security plugins warning: If you have a REST API security plugin installed (e.g., miniOrange REST API Authentication, Disable REST API, Wordfence with REST API restrictions), it may block the MCP Adapter endpoint. You’ll need to whitelist the /mcp/ namespace in the plugin’s settings, or temporarily disable the REST API restriction to test the connection. The MCP Adapter uses the endpoint /wp-json/mcp/mcp-adapter-default-server — if that URL returns a 401 or 403 error, a security plugin is likely the cause.

URL tip: Enter the URL where your WordPress is installed. For most sites that’s the root domain (e.g., https://myblog.com). If WordPress runs in a subdirectory, include it — e.g., https://example.com/blog/ or https://example.com/wp/. The connector appends the MCP endpoint path automatically.

Note: If the agent reports that abilities are empty, you may need to enable MCP visibility on your WordPress abilities. This can happen if your WordPress theme or plugin configuration doesn’t set the mcp.public metadata flag on core abilities. A simple must-use plugin can fix this — see the MCP Adapter documentation for details.

Troubleshooting

”Unexpected token ’<’ — is not valid JSON”

Symptom: The agent shows MCP error -32603: Unexpected token '<', "<!DOCTYPE"... is not valid JSON.

Cause: The MCP proxy is receiving an HTML page instead of a JSON API response. This almost always means the Authorization header is being stripped before it reaches WordPress.

Quick test: Run this in your terminal (replace with your site URL and credentials):

curl -s -u "yourusername:xxxx xxxx xxxx xxxx xxxx xxxx" \
  "https://yoursite.com/wp-json/wp/v2/users/me" | head -c 200

If you see {"code":"rest_not_logged_in",...} despite providing valid credentials, the Authorization header is being stripped.

How to verify your server type: Check your response headers:

curl -sI "https://yoursite.com/" | grep -i "server\|litespeed\|x-powered"

Look for x-litespeed-cache or server: LiteSpeed — this tells you it’s a LiteSpeed server and the .htaccess approach alone won’t work.

Fix: The mu-plugin approach (works on all servers)

This is the recommended fix that works on LiteSpeed, Apache (CGI mode), Nginx, and any other server configuration. Create a file at wp-content/mu-plugins/fix-auth-header.php:

<?php
/**
 * Fix Authorization header stripped by LiteSpeed/Apache CGI/FastCGI.
 * Must-use plugin — loads automatically, can't be deactivated accidentally.
 */
if ( ! isset( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
    // Try common server variables first
    if ( isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
        $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
    } elseif ( isset( $_SERVER['CGI_HTTP_AUTHORIZATION'] ) ) {
        $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['CGI_HTTP_AUTHORIZATION'];
    }

    // Fall back to getallheaders() — bypasses LiteSpeed's header filtering
    if ( ! isset( $_SERVER['HTTP_AUTHORIZATION'] ) && function_exists( 'getallheaders' ) ) {
        $headers = getallheaders();
        if ( isset( $headers['Authorization'] ) ) {
            $_SERVER['HTTP_AUTHORIZATION'] = $headers['Authorization'];
        } elseif ( isset( $headers['authorization'] ) ) {
            $_SERVER['HTTP_AUTHORIZATION'] = $headers['authorization'];
        }
    }

    // Last resort — apache_request_headers()
    if ( ! isset( $_SERVER['HTTP_AUTHORIZATION'] ) && function_exists( 'apache_request_headers' ) ) {
        $apache = apache_request_headers();
        if ( isset( $apache['Authorization'] ) ) {
            $_SERVER['HTTP_AUTHORIZATION'] = $apache['Authorization'];
        }
    }
}

Why a mu-plugin instead of .htaccess? On LiteSpeed servers (GreenGeeks, Hostinger, Namecheap, many cPanel hosts), .htaccess directives like SetEnvIf Authorization and RewriteRule don’t reliably pass the header through. LiteSpeed strips it at the web server level before .htaccess rules execute. The mu-plugin uses PHP’s native getallheaders() function, which reads headers directly from the SAPI layer — bypassing LiteSpeed’s filtering entirely.

Why not a regular plugin? Files in wp-content/mu-plugins/ load automatically before all other plugins and can’t be deactivated from the admin UI. This is critical because the auth fix must run before WordPress processes any REST API request. A regular plugin could be accidentally deactivated, silently breaking the MCP connection.

After creating the file, verify it works:

curl -s -u "yourusername:xxxx xxxx xxxx xxxx xxxx xxxx" \
  "https://yoursite.com/wp-json/wp/v2/users/me?_=$(date +%s)"

You should see your user profile JSON with "id": — that confirms authentication is working. The ?_=$(date +%s) parameter busts the LiteSpeed cache to ensure you’re getting a fresh response.

Alternative: .htaccess fix (Apache only)

If your server runs Apache with mod_php (not CGI/FastCGI), this simpler fix works. Add to your .htaccess in the WordPress root:

# Pass Authorization header to PHP (Apache mod_php only)
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

This does not work on LiteSpeed or Apache in CGI/FastCGI mode. If in doubt, use the mu-plugin approach above.

”401 Unauthorized” or “rest_forbidden”

Symptom: The agent connects but gets WordPress API error (401): rest_forbidden.

Possible causes:

  • Authorization header stripped (most common) — This is the #1 cause on shared hosting. Use the mu-plugin fix above. You can confirm by checking: does every authenticated request return the same 401, regardless of whether credentials are valid or not? If yes, the header is being stripped.
  • Application Password was revoked — Go to Users → Profile → Application Passwords and check if it still exists. If not, create a new one.
  • Wrong username — The username must be your WordPress login username, not your display name or email. Check Users → Your Profile → the “Username” field at the top. Note: some usernames contain a period (e.g., kevinc.) — include it.
  • LiteSpeed Cache — LiteSpeed aggressively caches REST API responses, including authenticated ones. Add a cache-busting query parameter (?_=123) to test requests, or configure LiteSpeed to exclude /wp-json/ from caching.
  • Security plugin blocking REST API — Plugins like miniOrange, Wordfence, or Disable REST API may block the /mcp/ namespace. Whitelist /wp-json/mcp/ in the plugin settings.
  • ModSecurity / WAF — Some hosting providers run ModSecurity rules that block the MCP endpoint, returning a 404 instead of 401. Contact your hosting provider to whitelist the /wp-json/mcp/ path.

”Connected but limited or 0 abilities available”

Symptom: The connection succeeds but the agent says it has no tools, limited abilities, or can only run get-site-info and get-environment-info.

Why this happens: WordPress 6.9 introduced the Abilities API, which is how the MCP Adapter exposes WordPress features to AI agents. However, the Abilities API is brand new — WordPress core currently only registers a handful of abilities. Content management abilities (creating posts, uploading media, managing comments) are not yet registered as MCP abilities in core.

The good news: your agent still has full capabilities. TeamDay automatically detects this situation and gives the agent a pre-authenticated REST API helper script. The same Application Password you entered during setup authenticates the WordPress REST API (/wp-json/wp/v2/), which has been available since WordPress 4.7 and supports complete content management:

  • Create, edit, and publish posts and pages
  • Upload images and set featured images
  • Manage categories, tags, and taxonomies
  • Moderate and reply to comments
  • Manage users and roles
  • Update site settings

The AI agent uses the REST API directly for content operations — it doesn’t depend solely on MCP abilities. So even with only 2 MCP abilities registered, your agent can write blog posts, upload images, manage your media library, and handle all day-to-day WordPress operations.

To get more MCP abilities:

  1. Update the MCP Adapter plugin to the latest version — newer versions register more abilities.
  2. Check MCP Adapter settings in WordPress Admin → Settings → MCP Adapter. Ensure capabilities are enabled.
  3. Wait for WordPress core updates — as WordPress 6.10+ ships, more core abilities will be registered natively.
  4. Create a must-use plugin to force core abilities to be public. Create wp-content/mu-plugins/mcp-public-abilities.php:
<?php
/**
 * Make WordPress core abilities visible to MCP
 */
add_filter('wp_abilities_register', function($abilities) {
    foreach ($abilities as &$ability) {
        if (!isset($ability['mcp']['public'])) {
            $ability['mcp']['public'] = true;
        }
    }
    return $abilities;
});
  1. Deactivate and reactivate the MCP Adapter plugin to force re-registration.

Connection works locally but not from TeamDay

If you can access https://yoursite.com/wp-json/mcp/mcp-adapter-default-server from your browser but TeamDay can’t connect:

  • Cloudflare Bot Protection may be blocking server-to-server requests. Add a firewall rule in Cloudflare to allow requests to /wp-json/* paths, or set the security level to “Essentially Off” for the API path.
  • IP-based restrictions — Some hosting providers block non-browser requests. Check your hosting control panel for IP whitelisting settings.
  • Cloudflare Under Attack Mode — If enabled, it adds a JavaScript challenge that API clients can’t solve. Disable it or create a bypass rule for /wp-json/.

Subdirectory installs

If WordPress is installed in a subdirectory (e.g., https://example.com/blog/), make sure you enter the full path including the subdirectory. TeamDay appends the MCP endpoint automatically:

  • https://example.com/blog/https://example.com/blog/wp-json/mcp/mcp-adapter-default-server
  • https://example.com/https://example.com/wp-json/mcp/mcp-adapter-default-server

If you enter just https://example.com but WordPress lives at /blog/, the connection will fail because the MCP endpoint doesn’t exist at the root domain.

Agent asks for credentials or URLs

Symptom: After a chat timeout or in a new conversation, the agent asks you to provide your WordPress URL, username, or Application Password.

This should not happen. Your credentials are stored in Space Settings → Data Sources and the agent is explicitly told they’re pre-configured. The agent has authenticated access via both MCP tools and a REST API helper script — it should never need to ask you for credentials in chat.

If it happens:

  1. Check your TeamDay version — We shipped a fix in March 2026 that ensures the agent always receives credential awareness instructions, even when the MCP connection fails during preflight checks.
  2. Don’t re-enter credentials in chat — The agent can’t store them there. Any credentials entered in chat are lost when the session ends.
  3. Update credentials in Settings — If your Application Password was revoked or expired, update it in Space Settings → Data Sources, not in chat.
  4. Report it — If this keeps happening on the latest version, it’s a bug. Let us know at support at teamday.ai.

How credential management works: When you connect your WordPress site, TeamDay stores the URL, username, and Application Password securely in your Space configuration. Every time the agent starts (or resumes after a timeout), it receives a system prompt that includes these credentials for API access. The agent never needs to ask you for them — and is instructed not to.

Why MCP Matters for WordPress

WordPress has had a REST API for years. Plugins like WPGraphQL and Headless WordPress have enabled programmatic access. So why does MCP matter?

Because APIs are for developers. MCP is for agents.

A REST API gives you endpoints — POST /wp/v2/posts, GET /wp/v2/comments. You need to know the schema, handle authentication, parse responses, manage pagination. That’s fine if you’re building an app. It’s terrible if you’re an AI agent trying to help a user manage their site.

MCP wraps the API in a protocol that AI agents understand natively. WordPress 6.9 introduced the Abilities API — a way for WordPress core and plugins to register capabilities (called “abilities”) that external tools can discover and execute. The MCP Adapter plugin bridges these abilities to the MCP protocol through three meta-tools:

  • Discover abilities — the agent asks “what can I do?” and gets back every registered WordPress ability
  • Get ability info — the agent asks for the detailed schema of a specific ability
  • Execute ability — the agent calls any ability by name with parameters

This means the agent doesn’t need hardcoded knowledge of WordPress. New plugins can register their own abilities, and the agent discovers them automatically. Install a WooCommerce abilities plugin? The agent can manage orders. Add a custom ability for your membership site? The agent picks it up.

This is the same pattern that powers every MCP-enabled tool in TeamDay. The protocol is the interface — WordPress becomes just another tool in the agent’s toolkit, alongside Ahrefs, Google Analytics, and your database.

What’s Next

The WordPress MCP ecosystem is young but moving fast. WordPress 6.9 introduced the Abilities API, and the official MCP Adapter plugin bridges it to the MCP protocol. WordPress.com’s MCP endpoint makes it one of the first major CMS platforms to adopt the protocol natively.

Because the Abilities API is extensible, we expect the ecosystem to grow rapidly:

  • WooCommerce abilities — Manage products, orders, and inventory through the same agent interface
  • Multisite management — Manage an entire WordPress network from one conversation
  • Gutenberg block creation — Describe a layout, get a block pattern
  • Theme customization — “Change the header background to match our brand color” → Applied
  • Third-party plugin abilities — Any plugin can register abilities that the agent discovers automatically

The foundation is here. WordPress speaks MCP. TeamDay speaks MCP. As plugins register new abilities, the agent’s capabilities grow without any configuration changes on your side.

Try It

The AI WordPress Studio is available now in TeamDay. Connect your WordPress site in minutes, then tell the agent what you need done.

No more death by a thousand clicks.

Get started with WordPress Studio →