Friday, July 17, 2026

Ultimate WordPress Spam Protection Guide – Step by Step (2026)

If you run a WordPress site, then you know that spam is a real annoying problem whether it comes to contact forms, WordPress comments, or user registrations.

The good news is that stopping spam in WordPress is a lot easier than you probably think, and you don’t need expensive tools either.

We have spent over 16 years testing anti-spam plugins, tools, and refining strategies to keep WPBeginner and our other business websites safe from daily spam attacks.

In this ultimate guide, we’ll walk you through how to block each type of WordPress spam, step by step from the basics to advanced modern automated spam protection. These are the exact methods we’re using to protect our own websites.

The Ultimate WordPress Spam Protection Guide - Step by Step

We’re covering a lot of ground in this ultimate guide, so use the quick links below to jump straight to the section you want to learn about first:

1. Free Built-In Settings to Turn On First

WordPress comes with several anti-spam options that can protect your site against spam. These built-in options won’t stop every bot, but they will remove the easiest targets right away.

We always recommend turning these settings on first, because they cost nothing and take only a few minutes to set up.

Tighten Your WordPress Discussion Settings

To prevent comment spam, the built-in discussion settings in WordPress act as your first line of defense. They allow you to control who can post, what kind of links are permitted, and how much control you have over the conversation.

To configure these anti-spam controls, go to Settings » Discussion in your WordPress dashboard.

Protecting the WordPress comment section against spammers

The most useful tool on this screen is the comment moderation queue. This tool acts as a holding area that keeps submissions hidden from the public until you have a chance to look them over.

Because nothing goes live automatically, spam never reaches your visitors, even if it manages to get past your other filters.

To turn this on, scroll down to the ‘Before a comment appears’ section and check the box next to ‘Comment must be manually approved.’

How to require manual approval for WordPress comments

If you want, you can also enable ‘Comment author must have a previously approved comment.’ This lets returning commenters post without waiting for approval. However, be sure to review your published comments regularly since they won’t appear in your moderation queue.

After that, scroll to the ‘Comment Moderation’ box, where you’ll find a setting that limits links. Because spam comments almost always contain web addresses, WordPress can automatically hold any submission that includes too many links.

The field labeled ‘Hold a comment in the queue if it contains [X] or more links’ is set to 2 by default. Lowering that number to 1 will help you catch even more junk.

Adding comments to an approval queue in WordPress

On the same screen, you can use the comment blocklist to automatically filter out unwanted content. This tool looks for specific words, names, email addresses, or web addresses and sends any matching comment straight to the trash.

In the ‘Disallowed Comment Keys’ box, you can paste your own trigger words, putting one on each line, and then save your changes.

Filtering your WordPress comments
Require a Name and Email, and Hold First-Time Commenters

Healthy discussions start with real people. Requiring commenters to enter a name and email encourages more thoughtful conversations and discourages anonymous drive-by comments.

Most genuine visitors won’t mind providing these details, and it helps create a more welcoming and trustworthy community around your website.

To enable this, scroll to the ‘Other comment settings’ section and check the box next to ‘Comment author must fill out name and email.’

How to block anonymous comments on your WordPress website

If you want to master the review process and manage your queue efficiently, our beginner’s guide to moderating comments in WordPress covers the full workflow.

Disable Comments Where You Do Not Need Them

Depending on the type of website you have, you may not need a comment section at all. If that’s the case, then you can simply disable comments entirely and that’ll get rid of the WordPress comment spam problem once and for all.

The most thorough option is the code method, which disables comment support across your entire site at once. It’s safest to add the snippet with a free code snippets plugin like WPCode rather than editing your theme’s files directly, so a theme update can’t undo it.

add_action('admin_init', function () {
    // Redirect any user trying to access comments page
    global $pagenow;
    
    if ($pagenow === 'edit-comments.php') {
        wp_safe_redirect(admin_url());
        exit;
    }

    // Remove comments metabox from dashboard
    remove_meta_box('dashboard_recent_comments', 'dashboard', 'normal');

    // Disable support for comments and trackbacks in post types
    foreach (get_post_types() as $post_type) {
        if (post_type_supports($post_type, 'comments')) {
            remove_post_type_support($post_type, 'comments');
            remove_post_type_support($post_type, 'trackbacks');
        }
    }
});

// Close comments on the front-end
add_filter('comments_open', '__return_false', 20, 2);
add_filter('pings_open', '__return_false', 20, 2);

// Hide existing comments
add_filter('comments_array', '__return_empty_array', 10, 2);

// Remove comments page in menu
add_action('admin_menu', function () {
    remove_menu_page('edit-comments.php');
});

// Remove comments links from admin bar
add_action('init', function () {
    if (is_admin_bar_showing()) {
        remove_action('admin_bar_menu', 'wp_admin_bar_comments_menu', 60);
    }
});

Our guide on how to completely disable comments in WordPress walks through that snippet along with the other options.

If you’d rather not go site-wide, you can also turn comments off on individual pages. This is handy when you only want them gone on specific pages, like your Contact or About pages, which rarely need a comment section.

To do this, open the page in the WordPress content editor. Then click the ‘Discussion’ option in the right-hand sidebar and select ‘Closed.’

How to disable comments on your WordPress pages

You can also stop spam from piling up on older content without touching your newer posts. If you don’t expect comments on old posts, then WordPress can close them automatically after a set number of days.

This gives spam bots fewer chances to target your archived content.

To set this up, head to Settings » Discussion and find the ‘Other comment settings’ section. Check the box next to ‘Automatically close comments on posts older than [X] days’, then set a sensible limit such as 30 or 90 days.

Automatically closing comments on older WordPress posts
Disable Trackbacks and Pingbacks

Trackbacks and pingbacks notify you when another website claims to have linked to one of your blog posts.

While they were originally designed to help bloggers connect conversations across different websites, they’re now commonly abused by spammers to send fake link notifications.

Turning this feature off completely removes a whole category of junk notifications from your dashboard.

To disable these notifications, go to the Settings » Discussion screen in your WordPress dashboard. Here, uncheck the box next to ‘Allow link notifications from other blogs (pingbacks and trackbacks) on new posts.’

Disabling pingbacks and trackbacks in WordPress Discussion settings

With that done, don’t forget to click ‘Save Changes’ at the bottom of the screen.

Just be aware that changing this option only protects the posts you publish from this moment forward. If you want to clean up the content you’ve already published in the past, you can follow our step-by-step guide on how to disable trackbacks and pings on existing WordPress posts.

2. Set Up Modern AI-Powered Spam Bot Protection for WordPress

In the era of AI where automated spam is increasing, the best defense against it is a modern AI-powered spam protection for WordPress.

These spam filtering solutions automatically detect and block spam on your WordPress comments, contact forms, and user registrations without the use of CAPTCHA which can hurt conversions.

On WPBeginner, we use ActiveLayer for this. It is AI-powered and runs server-side, so it stops spam invisibly, without a CAPTCHA and it’s GDPR compliant.

In the last 30 days, it has blocked over 25,739 spam comments and contact form submissions on our website. It even shows you a confidence score, and the reason behind every submission it flags, not just a pass-or-fail verdict when you look at their logs.

ActiveLayer Spam Stats Screenshot for WPBeginner

The free plan includes 1,000 spam checks with no credit card, and paid plans start at around $4 per month billed yearly.

The two other popular spam filtering plugins for WordPress you could try are Akismet or CleanTalk.

Akismet is very popular and still is a good fit for personal blogs, where its “name your price” plan can be free for non-commercial sites. But they have raised their prices significantly for commercial sites which is quite expensive for smaller businesses. For a business site, we would point you to either ActiveLayer or CleanTalk.

Whichever tool you choose, stick to just one, because running two spam filters at once can conflict and block real visitors. The benefit of these spam protection plugins are that they integrate with all other popular contact form plugins by default.

3. Power-User Tips for Stopping WordPress Comment Spam

So far we’ve configured the built-in spam prevention settings in WordPress, and an automated spam filtering plugin for WordPress. The combination of these two should block most spam.

However if you are not able to set up modern AI spam protection due to costs or another reason, then you can use one of these tips below to combat comment spam in WordPress.

Add a Free CAPTCHA to Your Comment Form

CAPTCHA is a simple test that most human visitors pass without any effort, while automated scripts fail it. We recommend adding Cloudflare Turnstile CAPTCHA to your WordPress comments because it’s free and fairly straight forward to set up.

To set it up, install and activate the free Simple Cloudflare Turnstile plugin. You will be asked to create a free account on Cloudflare’s website and connect it with the plugin.

Once that’s done, you can scroll to the ‘Enable Turnstile on your forms’ section. Simply check the boxes to protect all your WordPress forms and click ‘Save Changes’.

How to protect your site against spammers and spambots using the free Simple Cloudflare Turnstile plugin

Here’s our detailed guide on how to add Cloudflare Turnstile CAPTCHA in WordPress.

Google reCAPTCHA is another option, which you can add with the Advanced Google reCAPTCHA plugin. We no longer recommend it because Google has capped their free tier at 10,000 assessments per month for your entire organization whereas Cloudflare Turnstile stay free without limits.

Limit or Require Login to Comment

Another really effective way to stop comment spam in WordPress is to control who’s allowed to participate in comments.

If your comment section is open to everyone, then spammers can continuously flood your forms with automated links. Restricting comments to registered account holders ensures that only verified users can post. This forces a level of accountability that most bots will not bother trying to bypass.

Because it requires readers to go through the extra step of creating and logging into an account, this approach is best suited for membership sites, online forums, and private communities.

If you run an open, public blog, then we’d recommend using an automated filtering service or a reader challenge instead as those add less friction.

If you do decide to turn this restriction on, go to Settings » Discussion in your WordPress dashboard. Under the ‘Other comment settings’ section, check the box next to ‘Users must be registered and logged in to comment.’

Requiring user registration before allowing comments

As always, don’t forget to save your changes.

Use Antispam Bee for Free Keyword and Pattern Filtering

Some spam slips through basic checks by mimicking human writing. This is where a dedicated filtering plugin can help protect your site.

Antispam Bee is an excellent free, privacy-friendly anti-spam plugin that doesn’t require an API key or account registration. Installing Antispam Bee gives you a powerful set of local rules to analyze comment data before it even hits your database.

Once it’s activated, you can configure your rules by going to Settings » Antispam Bee.

Protecting your site against automated spam scripts using WordPress plugins

We recommend enabling the options to:

  • Trust approved commenters.
  • Mark as spam.
  • Do not delete.
  • Use regular expressions (which allows the plugin to scan for known text and link patterns).

You should also check the box to ‘Look in the local spam database.’ This allows Antispam Bee to cross-reference new submissions against previous spam history on your site.

Look in your local spam database

Under ‘Advanced,’ you can set Antispam Bee to delete existing spam after a set number of days, which keeps your database tidy without any manual effort.

We highly recommend leaving the email notifications for spam turned off in this section. A busy website can attract hundreds of automated submissions a day, and these alerts will quickly flood your inbox.

If you want to try one more free tweak, then you can remove the website address field from the comment form.

Our step-by-step guide on how to remove the website URL field from the comment form shows you how to do this in just a few quick steps.

4. Stopping WordPress Contact Form Spam (Best Practices)

Contact and lead forms are among the most attacked parts of any WordPress site. We know this firsthand because we once had to combat more than 18,000 spam entries flooding a single form.

We use WPForms to build forms on WPBeginner, and it’s a popular form builder plugin used by over 5 million websites. Their free version includes smart anti-spam protection, CAPTCHA integrations with Google / Cloudflare Turnstile, and the paid plans add the filtering options we cover below.

Other popular form builders like Gravity Forms and Fluent Forms have similar anti-spam settings, so check the options in whichever form builder plugin you use. We will show WPForms here because it’s what we use and consider the best fit for beginners.

Enable Default Anti-Spam Token (or Similar HoneyPot)

To combat lead form spam, WPForms silently attaches a unique, time-sensitive token to your form on every page load. The anti-spam token blocks automated scripts, which means spam entries are blocked before they reach your inbox.

It’s turned on by default for new forms, but it’s worth confirming.

Open your form, go to Settings » Spam Protection and Security, and make sure ‘Enable modern anti-spam protection’ is switched on.

An example of a form builder with built-in anti-spam protection

This is a modern version of the Honeypot technology which most WordPress form plugins come with, so it may be labeled as Honeypot in another form tool that you might be using.

Enable a CAPTCHA on Your Contact Form

More aggressive bots mimic human browsing and slip past the invisible token. Adding a visible CAPTCHA field stops them by forcing a challenge they can’t read or solve.

WPForms has both Cloudflare Turnstile and Google reCAPTCHA built in, and we default to Turnstile here. It’s free for everyone and runs its checks in the background, so most real visitors pass without solving a puzzle.

To set it up, go to WPForms » Settings » CAPTCHA and choose ‘Cloudflare Turnstile’.

Adding Cloudflare Turnstile CAPTCHA to a WordPress website

Then add the Site Key and Secret Key from your Cloudflare account, and save your settings.

Finally, add the CAPTCHA field to each form you want to protect.

Add Turnstile field to WPForms

For a full walkthrough, see our guide on how to add Cloudflare Turnstile CAPTCHA in WordPress.

Google reCAPTCHA is also selectable on that same WPForms » Settings » CAPTCHA screen. We default to Turnstile because it’s free without limits, but reCAPTCHA still works if you prefer it.

If you’d rather not send visitor data to Google or Cloudflare, then WPForms’ Custom Captcha field (available on any paid plan) builds the challenge on your own server instead.

Add the field, then set it to a random math problem or your own question and answer.

Setting a question and answer custom CAPTCHA in WPForms
Use Time-Based Behavioral Checks to Stop Contact Form Spam

A real person needs several seconds to read a question and fill out a form, while a bot submits in a fraction of a second. Time-based checks flag those impossibly fast submissions without changing anything the visitor sees.

With WPForms, the ‘Enable minimum time to submit’ option is enabled by default with a minimum time to submit of 2 seconds. However, you can update the minimum time to any value you like.

The WPForms minimum time to submit anti-spam setting
Block Form Submission by Country, IP, Email Address, and More

Some spam form submissions still gets through unless you screen the content itself. In the Pro version, WPForms lets you block entries by specific email address, by keyword, and by country or IP address.

To block a sender, open your form, select the Email field, open the Advanced tab, choose Denylist, and enter the addresses or domains to ban. A wildcard like *@example.com blocks an entire domain.

Advanced email allowlist and denylist filtering in WPForms

To block spammy phrases, go to Settings » Spam Protection and Security.

Turn on ‘Enable keyword filter’, open ‘Edit keyword list’, and add each term on its own line.

Creating a list of banned words for your online forms

And if you only serve certain regions, turn on ‘Enable country filter’ on the same screen to allow or deny locations.

Country filter in WPForms

Alternatively if your WordPress form solution doesn’t have this option, you can also block IP addresses in WordPress.

5. Stopping Spam User Registrations in WordPress (Best Practices)

On a membership site or WooCommerce store, spam registrations are more than a nuisance. Fake accounts clog your user database and skew your customer and email metrics.

Here’s what you can do to prevent spam user registrations in WordPress.

Turn Registration Off When You Do Not Need It

If you’re not running a membership site or an eCommerce store, then you likely don’t need to allow user registration. The easiest thing to prevent user registration spam there is to turn it off.

Simply go to Settings » General in your WordPress admin area, and uncheck the ‘Anyone can register’ box.

Disabling user registration on your website, blog, or eCommerce store
Require Email Confirmation Before an Account Activates

If you do need open registration, then the goal is to let only real people in while keeping spam bots out. The setting that stops the most fake signups is requiring a confirmed email address, or a manual review, before an account goes live.

Where that control lives depends on what plugin you’re using to manage user registration in WordPress. You will want to start with your platform’s default setting instead of bolting a general form plugin onto a system that already handles this.

If you run a WooCommerce store, then go to WooCommerce » Settings » Accounts & Privacy. This is where you decide whether shoppers can create an account at all, limit account creation to checkout, or keep guest checkout on so no account creation is needed.

Force guest checkout by disabling account creation and login during checkout in WooCommerce

WooCommerce core doesn’t add a separate email-confirmation step on its own. If you want one, then you’ll need a custom email verification extension or the custom signup form covered below.

Other membership and course platforms handle account verification in their own settings, so start there:

  • MemberPress: WordPress creates the account on registration, so pair it with the free User Verification plugin to keep the account inactive until the person confirms their email. See MemberPress’ documentation for the full details.
  • BuddyPress and BuddyBoss: email activation is built in, so new members stay inactive until they click the activation link. Enable registration under Settings » General (BuddyPress) or BuddyBoss » Settings » Login & Registration. See BuddyPress documentation and BuddyBoss documentation for more details.
  • LearnDash: registration runs on WordPress’s own user system, so there’s no native email-confirmation step. An account goes live the moment someone signs up. To hold new accounts until the email is verified, add that check at the WordPress or form level, using a user verification plugin or the custom WPForms registration form covered below.

If you’re building a custom registration form rather than using one of the systems above, then you can use WPForms User Registration addon which lets you turn on email activation under the form’s User Registration settings, with either an email confirmation link or manual admin approval.

Requiring email activation for new WordPress user accounts

Similar options are available in Gravity Forms, WSForm, and other popular WordPress form plugins. For the full walkthrough, see our guide on how to moderate new user registrations.

Add CAPTCHA and Honeypot to WordPress Signup Form

The same tips that protect your WordPress contact forms also work on WordPress signup form. Since you already set up Cloudflare Turnstile earlier, you can switch it on for your registration form in a click.

For a dedicated walkthrough, see our guide on how to add a CAPTCHA to your login and registration forms.

If you’re using the default WordPress registration page, then you can add hidden honeypot fields to your registration form with the free WP Armour plugin. The plugin logs every bot it blocks under WP Armour » Statistics.

The WP Armour WordPress plugin
Use AI-Powered Tools for Blocking WordPress Registration Spam

Honeypots and CAPTCHAs stop obvious bots, but they can’t spot someone signing up with a throwaway email or from a known-bad IP address.

That’s where automated detection helps. It screens each new signup against live reputation data and blocks the ones that look fraudulent.

ActiveLayer and CleanTalk both offer this for WordPress registrations, and you can switch it on for your signup form the same way you did for your contact forms.

6. Add a Site-Wide WordPress Firewall

A Web Application Firewall (WAF) screens every visitor and blocks malicious requests before they reach your site. Since most form spam is automated, a good firewall can stop a lot of it at the perimeter.

We recommend a DNS-level firewall, which filters traffic on the provider’s network before it touches your server.

On WPBeginner, we use Cloudflare, which has a free plan with basic firewall protection (setup requires pointing your domain’s nameservers to Cloudflare).

The Cloudflare website, a DNS level firewall for WordPress

Our guide on how to set up the free Cloudflare CDN and firewall walks through it.

Plus, our roundup of the best WordPress firewall plugins compares the other options if you want to weigh them up.

7. Cleanup WordPress Spam and Ongoing Monitoring

Stopping new spam is only half the job. If you’re like most websites, you already have a backlog of old junk that needs cleaning up.

A quick cleanup keeps your database tidy and helps your new tools run at their best.

🚨 Always create a complete WordPress backup before deleting anything in bulk. These actions permanently wipe data, with no undo button if you make a mistake.

Bulk-Delete Existing Spam Comments

WordPress spam filter flags junk comments but doesn’t delete them, so they can build up in your spam folder and take up database space until you clear them out.

In your dashboard, go to Comments, click the ‘Spam’ filter at the top, and hit ‘Empty Spam’ to permanently clear everything your filters caught.

Bulk deleting spam comments on your website, blog, or online store

If you have thousands of junk comments, the dashboard can freeze or time out. A free plugin like WP Bulk Delete is faster and more reliable for big backlogs.

For other methods, see our guide on how to bulk delete WordPress comments.

Clean Out Existing Fake User Accounts

Leaving bot profiles in your database is a security risk and skews your analytics. That’s why it’s important to clean out these fake accounts.

For a handful, go to Users » All Users, click the ‘Subscriber’ user role filter (the role almost all registration bots use), select the fake accounts, and choose Delete from the ‘Bulk actions’ menu.

⚠️ Be very careful to select only fake Subscriber accounts, and never an Administrator account.

Deleting fake users on your online store

For thousands of accounts, the free WP Bulk Delete plugin can remove users by role, inactivity, or registration date in one sweep.

For more information, see our guide on how to bulk delete WordPress users by role.

Handle False Positives

No filter is perfect, so never auto-delete your spam folder without a quick glance first.

In Comments » Spam, hover over a legitimate comment and click ‘Not Spam’. That also teaches your filter to recognize similar comments as safe in the future.

Marking a comment as Not Spam on WordPress
Set a Monthly Anti-Spam Review Routine

A few minutes each month keeps spam from piling back up. Add these three checks to your maintenance routine:

  • Scan for false positives: skim your spam comment folder and form entries so no real messages were caught by accident.
  • Empty your spam folders: once you’ve rescued anything real, clear them to keep your database lean.
  • Check your user list: glance at new registrations for gibberish usernames or suspicious email domains that slipped through.

Key Takeaways

Here is a summary of the best practices we have covered to completely protect your WordPress website from spam:

  • Start with free WordPress settings: turn on comment moderation, tighten your link limits, build a comment blocklist, and disable trackbacks. These cost nothing and clear out the easiest spam.
  • Use automated, invisible filtering: a server-side tool like ActiveLayer, Akismet, or CleanTalk blocks bots in the background without making real visitors solve puzzles.
  • Layer your contact form defenses: honeypots alone no longer stop modern bots, so combine them with timing checks, token validation, and an automated filter.
  • Secure your registrations: require email confirmation for new accounts and screen every signup with an automated tool.
  • Add a site-wide firewall: a DNS-level firewall like Cloudflare blocks a lot of automated spam at the perimeter, before it ever reaches your forms.
  • Run regular cleanup: bulk-delete old spam comments and fake accounts, then spend a few minutes each month checking for false positives.

Frequently Asked Questions About WordPress Spam Protection

Is free Akismet-style filtering enough, or do I need more?

For a small personal blog with only comment spam, a single free filter like Akismet is usually enough. Once you add contact forms, signup forms, or user registration, you’ll want a service that protects those too, like ActiveLayer or CleanTalk.

Will adding a CAPTCHA hurt my form conversions?

It can. The extra step causes some real visitors to give up on the form. This is why we prefer invisible, server-side detection that blocks bots without asking anyone to solve a puzzle.

Why am I still getting spam after installing an anti-spam plugin?

Usually because the plugin only guards one entry point. If it protects your comments but not your signup or contact forms, bots just move to those instead, and older tricks like basic honeypots no longer stop modern bots. The fix is a layered setup: your built-in WordPress settings, an automated filter, and a firewall working together.

How do I stop fake user registrations without turning off signups completely?

Turn on email confirmation so new accounts stay inactive until the person clicks a link in their inbox, which bots can’t do. Pair it with a honeypot and an automated filter, and real people can still sign up freely.

Can spam actually hurt my SEO or get my site blacklisted?

It can, but it depends on where the spam is. Comment spam sitting in your moderation queue is never published, so search engines never see it and your SEO stays safe.

Published spam is the real risk, because it can slowly pull down your rankings. WordPress does tag comment links as nofollow, which limits the damage.

We hope this article helped you learn how to protect your WordPress website against spam. You may also want to check out our ultimate WordPress security guide to improve your website security.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post Ultimate WordPress Spam Protection Guide – Step by Step (2026) first appeared on WPBeginner.



from WPBeginner https://ift.tt/qIB7WwS
via IFTTT

Friday, July 10, 2026

How to Connect AI Agents With WordPress using MCP (Step by Step)

AI assistants like Claude Code, Cowork, and ChatGPT are incredible productivity boosters, and if you wished that you could connect these AI tools with WordPress directly, then you’re not alone.

Lately, I have been using WordPress MCP by WPVibe to let my AI assistant manage my website, and it’s truly amazing how much time this saves. You can simply ask it to create a post, upload image, handle admin tasks, and more from a single conversational prompt.

In this step by step tutorial, I’ll show you how to connect your favorite AI tools with WordPress using MCP along with sharing a few work examples, so you can see what becomes possible when you combine WordPress + AI.

How to Connect AI Agents With WordPress Using MCP

You can use the quick links below to jump to any section:

What is a WordPress MCP and What Can It Do?

MCP stands for Model Context Protocol. It is as an open standard that lets AI assistants connect to outside tools and services.

Think of it as a universal adapter. Instead of every AI tool building a custom integration with every service, they all speak the same language, so any tool and service that support MCP can work together.

With a WordPress MCP, your AI assistant can see what your website supports and carry out tasks from a plain-text prompt. It does this using a connection WordPress already has built in (the REST API), so there’s nothing extra to install.

You can use WordPress MCP to manage your WordPress site and perform tasks including:

  • Draft and publish posts – Create blog posts as drafts, set titles, add categories and tags, and publish when you’re ready.
  • Upload media – Pull images from any public URL directly into your WordPress media library.
  • Manage categories and tags – Create or rename taxonomy terms and assign them to posts.
  • Run admin tasks – Flush your site cache, check which plugins are active, and activate or deactivate plugins.
  • Use plugin abilities – On WordPress 6.9+, many plugins register their own actions the AI can discover and run automatically

Each of these can be done from a plain-text prompt from your favorite AI tool like Claude Code, Cursor, ChatGPT, etc. I’ll show you the exact prompts once you’re fully set up.

What You Need Before Getting Started

  • Self-hosted WordPress 6.9 or later – With the REST API enabled (it’s on by default). You need version 6.9 or later for plugin abilities API which is allows you to use AI to manage plugins like AIOSEO, WPForms, etc.
  • A publicly accessible site – Your site must be reachable on the internet because local development sites won’t work unless exposed via a tunnel.
  • A free WPVibe account — You’ll create this during setup.
  • An HTTPS-enabled site — WordPress application passwords require SSL and they won’t function on http:// sites. See our guide on how to add SSL and HTTPS to WordPress.

Step 1. Set Up MCP on Your WordPress Website

The easiest way to add MCP to a self-hosted WordPress site is with WPVibe.ai. It’s free and runs on a hosted server, so there’s no infrastructure to configure. It also works with every major AI tool through a single setup.

You can read our full WPVibe review for a deeper look at everything it can do, but this guide covers what you need to get connected.

Other ways to set this up: There’s also an official WordPress MCP Adapter, which pairs with the new Abilities API in WordPress 6.9, but it’s built for developers and needs manual configuration.

Install and Activate the Vibe AI Plugin

First, you will need to install and activate the free WPVibe plugin. If you need any help, our guide on how to install a WordPress plugin covers each step.

Along with connecting your AI tools, the WPVibe plugin unlocks WP-CLI commands, theme file editing, and the plugin abilities that I talk about later in this guide.

Once activated, go to Vibe AI » Vibe AI in your WordPress dashboard. You’ll see the MCP server URL and a three-step setup guide.

Keep this tab open. You’ll need the URL in the next step.

The Vibe AI plugin admin page in wp-admin showing the three-step connection setup

Step 2. Connect Your AI Tools to WordPress

With WPVibe set up, connecting your AI tool takes under a minute. You add the same server URL to any AI client you use: https://mcp.wpvibe.ai/mcp.

You’ll find instructions on how to do this in the official WPVibe documentation. But let me show you exactly where to find that setting in some popular AI platforms.

Connecting Claude

If you’re just getting started, I recommend beginning with Claude.

The simplest method is to add the WPVibe URL once via Claude.ai on the web, and it syncs automatically to Claude Desktop, Claude Code, and the Claude mobile apps with no separate setup needed.

Note: On Team and Enterprise workspaces, only an Owner or Admin can add connectors. Individual members on those plans can authenticate with WPVibe once the admin has added it, or use the Claude Code method in step 3 below.

  1. Free, Pro, and Max plans: In Claude.ai, go to Customize » Connectors. Click the + button, select ‘Add custom connector’, and paste https://mcp.wpvibe.ai/mcp.
  2. Team and Enterprise (admin only): Go to Organization settings » Connectors. Click ‘Add’, select Custom » Web, and paste the WPVibe URL.
  3. Claude Code (any plan): In your terminal, run claude mcp add --scope user wpvibe --transport http https://mcp.wpvibe.ai/mcp. Then, open Claude Code, type /mcp, select wpvibe, and choose ‘Authenticate’.

Once saved, follow the on-screen prompt to authorize your WordPress site.

Connecting Claude.ai (Web) to WPVibe
Connecting ChatGPT

WPVibe is available directly in the ChatGPT App Marketplace, so both free and paid users can connect without copying server URLs or editing config files.

In ChatGPT, click ‘Apps’ in the sidebar and search for WPVibe. Then click ‘Connect’ on the app page and sign in with your WPVibe account when prompted.

After connecting, ChatGPT pre-fills ‘@WPVibe’ at the start of each message. You can delete it with backspace for prompts unrelated to WordPress. Leave it in place when following the authorization step below.

Connecting ChatGPT to WPVibe
Connecting Cursor

Cursor adds MCP servers through a JSON config file. In Cursor, go to Settings » MCP and click the ‘Add new global MCP server’ button. This opens the mcp.json file.

Add the following entry and save:

{
  "mcpServers": {
    "wpvibe": {
      "url": "https://mcp.wpvibe.ai/mcp"
    }
  }
}

Make sure you restart Cursor after saving.

WPVibe will appear in the MCP list once it connects.

Cursor Settings showing the MCP panel with an option to add a new global MCP server
Connecting Windsurf

In Windsurf, open the Cascade panel and click the ‘Plugins’ icon (puzzle piece). Search for WPVibe, click ‘Enable’, and complete the sign-in flow when prompted.

To configure manually instead, edit ~/.codeium/windsurf/mcp_config.json and add the following, then restart Windsurf:

{
  "mcpServers": {
    "wpvibe": {
      "serverUrl": "https://mcp.wpvibe.ai/mcp"
    }
  }
}

Note: Windsurf uses serverUrl (not url) in its config file. Using the wrong key will cause the connection to fail.

Authorize Your WordPress Site

With the MCP URL added to your AI client, go back to Vibe AI » Vibe AI in your WordPress dashboard.

Under step 3, you’ll find a ready-to-copy prompt with your site’s URL already filled in.

The WPVibe Setup Page

Paste that prompt into your AI chat. Your AI assistant will call WPVibe and return a one-click authorization link. Simply click it to approve the connection.

You never see or copy a password. WordPress and WPVibe handle the credentials securely in the background.

WPVibe site showing connected status in the Vibe AI plugin admin after authorization

What You Can Do Once You’re Connected (Worked Examples)

Once your AI tool is connected to WordPress, here are the first prompts I tried, including one for WooCommerce store owners.

My examples are from Claude Code terminal, but these will work with whichever AI tool you connected.

1. Write and Draft a Blog Post

Type this into your AI tool: ‘Create a draft WordPress post titled “How to Start a Blog” with an intro paragraph explaining why blogging is still worth it.’

AI Prompt for Drafting a New Post

Your AI assistant calls the WordPress REST API, saves the post as a draft, and returns a confirmation with a link to edit it in wp-admin.

Nothing goes live until you choose to publish it yourself.

A Draft Post Created Using AI
2. Upload a Photo to Your Media Library

Type: ‘Upload this image to my WordPress media library: [paste a public image URL]. Set the alt text to “A person working at a laptop”.’

AI Prompt for Adding a Public Image to Your WordPress Media Library

WPVibe validates the source URL, downloads the image, and adds it to your media library with the alt text you specified.

You can reference it in any post from there.

WordPress media library showing a newly uploaded image via MCP

Note: The prompt above uses a public URL, which is the simplest approach. Uploading a local file from your computer works too, but WPVibe will generate a browser upload link as an intermediate step.

3. Manage Your WooCommerce Store

WooCommerce 10.9 ships with native MCP support, which exposes product and order abilities through the same standard that WPVibe uses.

If your site runs WooCommerce, try: ‘Draft a new product called “Summer T-Shirt” with a short description and a price of $29.95.’

AI Prompt for Creating a New WooCommerce Product

The product saves as a draft in your store. Beyond creating products, your AI can also query orders, update their status, and add order notes, so you can handle routine store admin from the same chat window.

You can see the example below.

A New Product Created by AI and WPVibe

The next three examples go beyond WordPress’s built-in actions. On WordPress 6.9 or later, plugins can register their own actions (called ‘abilities’) that your AI discovers automatically, so if you use these tools, you can drive them from the same chat.

4. Optimize Your SEO with AI

If you use AIOSEO, then you can ask your AI to handle common SEO tasks from the chat window. It can check TruSEO scores, generate meta titles and descriptions, and run SEO audits.

My starting point was to ask it to find every post missing a meta description and write one for each.

Try this prompt: ‘Find all posts missing meta descriptions and write and apply them in one go.’

Claude Code chat showing prompt to find and apply missing AIOSEO meta descriptions

Your AI checks every post, writes the missing meta descriptions, and applies them through AIOSEO in one step.

See our complete AIOSEO setup guide to get it configured first.

AIOSEO meta description field in WordPress showing an AI-generated meta description
5. Manage Landing Pages and Maintenance Mode

If you use SeedProd, then your AI can manage your coming soon page, maintenance mode, and landing page settings without going into wp-admin.

For example: ‘Check if maintenance mode is currently active’ or ‘Enable the coming soon page.’

6. Build a Form with AI

If you use WPForms, then your AI can build forms from a plain-English description.

Try: ‘Create a contact form with name, email, and a message field.’ WPForms creates the form in your dashboard, ready to configure and embed.

Before using this, make sure you enable write access under WPForms » Tools.

Enabling MCP Write Access for WPForms

WPForms Lite supports basic field types. Paid plans add phone, date/time, file upload, and more.

See What Your Site Can Do

You don’t have to guess which of your plugins support this. Because WPVibe automatically discovers every registered ability, you can just ask your connected AI: ‘What can you do on my WordPress site?’

It will list the abilities your installed plugins expose, so the answer stays accurate no matter which plugins you run.

Is WordPress MCP Safe?

I had the same concern when I first tested this. Here’s how WPVibe handles security.

WordPress manages the connection using application passwords, a built-in feature that creates a separate password for each external tool you connect. The AI only gets the permissions of the user account you connected.

So, it’s worth connecting with a limited, non-admin account rather than your main administrator login. If you create a dedicated Editor-role user for the connection, then the AI can only do what an Editor can do.

WPVibe encrypts your application password before storing it, using a separate key for each site, and keeps it on secure servers hosted by Cloudflare. Every connection between your AI client, WPVibe, and your WordPress site is encrypted too, so your credentials are never exposed along the way.

WPVibe also doesn’t store your conversation content. It stays within your AI client.

On the WordPress side, new posts always save as drafts and deletions go to the trash rather than permanent deletion.

To fully revoke access at any time, go to Users » Profile in your WordPress dashboard and scroll down to the Application Passwords section to delete it.

Troubleshooting Connection Issues

Connecting your AI client to WordPress is the step that trips people up most often.

If the connection fails or WPVibe doesn’t appear, then work through these checks:

  • WPVibe isn’t in your client’s tool or MCP list – Restart the AI client after saving the config. New MCP servers only load on a fresh start.
  • The connection fails silently in Windsurf – Windsurf uses the serverUrl key, not url. The wrong key produces no error message, so double-check it.
  • Application passwords won’t authenticate – Your site must run on HTTPS. Application passwords don’t work over http://.
  • Your AI client can’t reach the site – The site has to be publicly reachable. A local development site won’t connect unless you expose it through a tunnel.
  • Authorization keeps failing – Re-check that you pasted the correct MCP server URL: https://mcp.wpvibe.ai/mcp.

Frequently Asked Questions About WordPress MCP

Is WPVibe free?

Yes. WPVibe has no API key costs and everything in this guide works on the free plan. There is now a paid Pro plan (early-access pricing, $99 per year) that adds higher daily usage limits and priority support, not new features, so you don’t need it for anything covered here.

Does WordPress MCP work with all AI tools?

WPVibe works with Claude.ai (web), Claude Desktop, Claude Code, ChatGPT, Cursor, and Windsurf. Because MCP is an open protocol, any new AI tool that adopts the standard will work with the same WPVibe setup automatically.

Does WordPress MCP work with WordPress.com?

No, not through WPVibe. WordPress.com has its own built-in MCP setup that works differently. This guide covers self-hosted WordPress (WordPress.org) only.

Do I need WordPress 6.9 to use MCP?

No. You can create posts, upload media, and run admin tasks on WordPress 6.0 or later. WordPress 6.9 is only required if you want to use plugin abilities like those from All in One SEO or SeedProd.

Can I connect more than one WordPress site to WPVibe?

Yes. WPVibe supports multiple sites under one free account. Install the Vibe AI plugin on each additional site and complete the site authorization step. Your existing WPVibe account covers all your sites.

What happens if I disconnect WPVibe from my site?

You can remove a site from WPVibe in the plugin admin or on wpvibe.ai at any time. To fully revoke access, also delete the credential under Users » Profile » Application Passwords.

I hope this article helped you get WordPress MCP set up on your site. You may also want to see our guide on the best AI Automation Tools for WordPress.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How to Connect AI Agents With WordPress using MCP (Step by Step) first appeared on WPBeginner.



from WPBeginner https://ift.tt/WXxVcpL
via IFTTT