High-risk tools in WordPress Developer MCP Server
5 of the 25 tools in WordPress Developer MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
wpdev_site_startExecuteStart a Studio site. Returns site URL and admin username.
-
wpdev_site_stopExecuteStop a Studio site or all sites.
-
wpdev_wpExecuteRun WP-CLI commands on a Studio site. Use deliberately because WP-CLI can be slower than file reads/writes. Prefer compact output with --format=json and --fields for list comman...
-
wpdev_site_inspectExecuteInspect a local WordPress site route with a real browser. Use this after creating or changing a site to verify structure, visible content, console errors, failed requests, respo...
-
wpdev_update_mcpExecuteUpdate the WordPress Developer MCP Server to the latest version.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.