This document provides comprehensive security guidelines for the MCP WordPress server, covering configuration, deployment, and best practices for maintaining a secure WordPress management environment.
NEVER store real credentials in:
- Configuration files (even if git-ignored)
- Source code
- Test files
- Documentation or examples
Instead, use:
- Environment variables for single-site deployments
- Secure credential management systems (HashiCorp Vault, AWS Secrets Manager)
- System keychains for local development
- Encrypted configuration files with separate key management
{
"sites": [
{
"id": "production",
"name": "Production Site",
"config": {
"WORDPRESS_SITE_URL": "${PROD_WP_URL}",
"WORDPRESS_USERNAME": "${PROD_WP_USER}",
"WORDPRESS_APP_PASSWORD": "${PROD_WP_APP_PASSWORD}"
}
}
]
}# Use a .env file for local development only
# Never commit this file to version control
export WORDPRESS_SITE_URL="https://your-site.com"
export WORDPRESS_USERNAME="your-username"
export WORDPRESS_APP_PASSWORD="xxxx xxxx xxxx xxxx xxxx xxxx"-
Use Application Passwords (Recommended)
- WordPress 5.6+ built-in feature
- Separate passwords for each application
- Easy to revoke without affecting main account
-
Rotate Credentials Regularly
- Set up automated rotation for production environments
- Use different credentials for development/staging/production
- Immediately revoke compromised credentials
-
Implement Rate Limiting
- Default: 60 requests/minute
- Configure based on your usage patterns
- Consider implementing progressive delays for failed auth attempts
All user inputs should be validated before processing:
// Example validation pattern
const validatePostId = (id: string): boolean => {
const numId = parseInt(id, 10);
return !isNaN(numId) && numId > 0;
};
// Path traversal prevention
const safePath = path.normalize(userPath);
if (!safePath.startsWith(allowedBasePath)) {
throw new Error("Invalid path");
}-
Error Handling
- Never expose internal error details
- Log errors server-side for debugging
- Return generic error messages to clients
-
Request Limits
- Implement request size limits
- Set appropriate timeouts
- Validate Content-Type headers
-
HTTPS Only
- Always use HTTPS for WordPress sites
- Validate SSL certificates
- Reject insecure connections
- All credentials are stored in environment variables
- No real credentials in configuration files
- Input validation implemented for all parameters
- Rate limiting configured appropriately
- Error messages don't expose sensitive information
- File upload restrictions in place
- Path traversal prevention implemented
- Dependencies are up-to-date (
npm audit) - Security headers configured
- Logging doesn't include sensitive data
- Weekly: Run
npm auditand update dependencies - Monthly: Rotate application passwords
- Monthly: Review access logs for anomalies
- Quarterly: Security audit of codebase
- Annually: Penetration testing (for production deployments)
-
Hardcoding Credentials
// β NEVER DO THIS const password = "actual-password-here"; // β DO THIS INSTEAD const password = process.env.WORDPRESS_APP_PASSWORD;
-
Logging Sensitive Data
// β NEVER DO THIS console.log(`Authenticating with password: ${password}`); // β DO THIS INSTEAD console.log("Authenticating user...");
-
Exposing Internal Errors
// β NEVER DO THIS catch (error) { return { error: error.stack }; } // β DO THIS INSTEAD catch (error) { logger.error('Internal error:', error); return { error: 'An error occurred processing your request' }; }
Add to your CI/CD pipeline:
- name: Security Audit
run: |
npm audit --production
npm run lint
# Add additional security scanners as neededPrevent accidental credential commits:
#!/bin/bash
# .husky/pre-commit
# Check for potential secrets
if git diff --cached --name-only | xargs grep -E "(password|secret|token|key).*=.*['\"].*['\"]" 2>/dev/null; then
echo "β οΈ Potential secret detected in staged files!"
echo "Please review and remove any real credentials before committing."
exit 1
fi{
"scripts": {
"security-check": "npm audit --production && npm outdated",
"security-fix": "npm audit fix"
}
}# Run as non-root user
USER node
# Don't expose unnecessary ports
EXPOSE 3000
# Use specific versions, not latest
FROM node:18-alpine@sha256:specific-hash
# Scan images for vulnerabilities
# docker scan mcp-wordpress:latest# Production deployment
docker run -d \
-e WORDPRESS_SITE_URL="${PROD_URL}" \
-e WORDPRESS_USERNAME="${PROD_USER}" \
-e WORDPRESS_APP_PASSWORD="${PROD_PASSWORD}" \
--read-only \
--security-opt no-new-privileges \
mcp-wordpress:latest- WordPress Security Best Practices
- OWASP Security Guidelines
- Node.js Security Checklist
- Docker Security Best Practices
If you discover a security vulnerability:
- Do NOT create a public GitHub issue
- Do NOT share details publicly
- Do create a security advisory on GitHub or contact the maintainer through repository issues
- Do provide detailed steps to reproduce
- Do suggest fixes if possible
The repository includes comprehensive automated security workflows:
-
CodeQL Analysis (
.github/workflows/codeql-analysis.yml)- Static code analysis for vulnerabilities
- Daily scheduled scans
- Custom security queries
-
Dependency Review (
.github/workflows/dependency-review.yml)- PR-based dependency security analysis
- License compliance checking
- Supply chain security validation
-
Secret Scanning (
.github/workflows/secret-scanning.yml)- TruffleHog and GitLeaks integration
- Custom pattern detection
- Environment file analysis
-
Dependabot (
.github/dependabot.yml)- Automated dependency updates
- Security-first update prioritization
- Grouped updates by category
jsondiffpatch XSS Vulnerability (CVE-2024-XXXXX)
- Severity: Moderate (CVSS 4.7)
- Location: Transitive dependency:
mcp-evalsβaiβjsondiffpatch@<0.7.2 - Impact: Development/testing environment only
- Status: No fix available (awaiting upstream update from mcp-evals)
- Mitigation:
- Vulnerability is in devDependencies only (not in production)
- HTML formatting functionality (affected by XSS) is not used by this project
- mcp-evals is only used for evaluation testing, not in production runtime
- Production dependencies: 0 vulnerabilities β
Why This Is Acceptable:
- Not shipped to production builds (devDependency only)
- XSS requires specific HTML diff rendering feature not used in our codebase
- Evaluation tooling (mcp-evals) only runs in controlled development/CI environments
- Monitoring for upstream fixes
| Date | Auditor | Findings | Actions Taken |
|---|---|---|---|
| 2025-10-02 | Claude AI | 3 moderate dev vulnerabilities | Documented jsondiffpatch XSS as dev-only |
| 2025-07-19 | Claude AI | Enhanced security workflows | Added CodeQL, Dependabot, Secret Scanning |
| 2025-06-29 | Claude AI | Exposed credentials in config | Documentation created |
| - | - | Input validation gaps | Recommendations provided |
| - | - | 0 production vulnerabilities | β Maintained clean production deps |
Remember: Security is not a one-time task but an ongoing process. Stay vigilant, keep dependencies updated, and follow these guidelines to maintain a secure WordPress management environment.