Critical-risk tools in WordPress Developer MCP Server

Critical severity WordPress Developer MCP Server MCP Server 4 of 25 tools

4 of the 25 tools in WordPress Developer MCP Server are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.

Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.

Tools at critical risk

wpdev_auth_logout Destructive

Log out and clear WordPress.com authentication for Studio.
wpdev_fs_delete Destructive

Delete a file or folder inside a Studio site directory. Safe: only allows paths within the given sitePath.
wpdev_preview_delete Destructive

Delete a Studio preview site by its hostname (e.g.
wpdev_site_delete Destructive

Delete a Studio site. Destructive: requires confirm=true. Optionally move site files to trash.

Attacks that target this class

Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.

Destructive Action Autonomy
Privilege escalation via admin-only tools
Data exfiltration via tool chaining
Runaway Tool Loops

Critical-risk tools in WordPress Developer MCP Server

Tools at critical risk

Attacks that target this class

More on WordPress Developer MCP Server

Enforce policy on every WordPress Developer MCP Server tool call.