Getting Started with WordPress AI Governance
Published
Getting Started with WordPress AI Governance
Letting AI agents modify your WordPress site sounds risky—until you add governance. This guide shows you how to safely connect Claude Code (or any MCP-compatible agent) to WordPress using WP Navigator.
By the end of this tutorial, you’ll run your first governed AI action: policy check → diff preview → approval → publish.
What You’ll Learn
- ✅ Why AI governance matters for WordPress
- ✅ How to install and configure WP Navigator
- ✅ Setting up Model Context Protocol (MCP) connections
- ✅ Creating your first policy rule
- ✅ Running a governed AI action
Prerequisites
Before starting, you’ll need:
- WordPress 6.4+ with admin access
- PHP 8.0+ installed
- Claude Code (or another MCP-compatible agent)
- Application Password for WordPress API authentication
Don’t worry—we’ll walk through each step.
Why WordPress Needs AI Governance
AI agents like Claude Code can perform incredible WordPress tasks:
- Update plugin settings across all sites
- Standardise SEO metadata
- Fix broken links programmatically
- Audit security configurations
But without governance, agents can:
- ❌ Delete critical data
- ❌ Change live content without review
- ❌ Modify plugin configurations incorrectly
- ❌ Break site functionality
WP Navigator adds the safety layer: every action goes through policy → diff → approval before touching your site.
Step 1: Install WP Navigator
Download from WordPress.org
- Go to Plugins → Add New in WordPress admin
- Search for “WP Navigator”
- Click Install Now, then Activate
Or download directly: WordPress.org/plugins/wp-navigator
Verify Installation
After activation, you should see WP Navigator in your WordPress admin sidebar.
Navigate to WP Navigator → Dashboard to confirm the plugin is active.
Step 2: Create Application Password
WordPress uses Application Passwords for secure API authentication.
Generate Your Password
- Go to Users → Profile in WordPress admin
- Scroll to Application Passwords section
- Enter application name: “Claude Code MCP”
- Click Add New Application Password
- Save the generated password—you won’t see it again!
Example password format: abcd 1234 efgh 5678 ijkl 9012
Security Note
Application Passwords are revocable and site-specific. If compromised, delete them from your WordPress profile—no need to change your main password.
Step 3: Configure WP Navigator
Set Your Policy Level
WP Navigator uses an 8-category policy system:
| Policy Category | Controls | Default |
|---|---|---|
| Posts & Pages | Content creation/editing | READ |
| Media | Upload/delete files | DENY |
| Plugins | Install/activate/settings | READ |
| Themes | Install/activate/customise | DENY |
| Users | Create/modify users | DENY |
| Settings | Site configuration | READ |
| Comments | Moderate comments | WRITE |
| Database | Direct DB access | DENY |
Hierarchy: DENY < READ < EDIT < WRITE
Configure Your First Policy
- Go to WP Navigator → Policies
- Select “Posts & Pages” category
- Choose policy level:
EDIT- Allows reading and editing existing content
- Blocks creating new posts (requires
WRITE)
- Click Save Policy
This lets agents review and modify existing content but not create new posts—perfect for starting safely.
Step 4: Connect Claude Code via MCP
Model Context Protocol (MCP) is the open standard for connecting AI agents to tools.
Add MCP Server to Claude Code
Edit your Claude Code config (~/.claude/config.json):
{
"mcpServers": {
"wp-navigator": {
"url": "https://yoursite.com/wp-json/wpnav/v1/mcp",
"headers": {
"Authorization": "Basic <base64-encoded-credentials>"
}
}
}
}Generate Authorization Header
Base64-encode your credentials:
echo -n "username:application-password" | base64Replace username with your WordPress username and application-password with the password from Step 2.
Example:
echo -n "admin:abcd 1234 efgh 5678" | base64
# Output: YWRtaW46YWJjZCAxMjM0IGVmZ2ggNTY3OA==Use this output in the Authorization header:
Authorization: Basic YWRtaW46YWJjZCAxMjM0IGVmZ2ggNTY3OA==Test the Connection
Restart Claude Code, then ask:
“Can you connect to my WordPress site?”
Claude should confirm connection and show available capabilities based on your policies.
Step 5: Run Your First Governed Action
Let’s update a post title—safely.
The Workflow
All WP Navigator actions follow this workflow:
- Policy Check - Does policy allow this action?
- Diff Preview - Show exact changes before applying
- Human Approval - You review and approve
- Publish - Changes applied only after approval
Example: Update Post Title
Ask Claude Code:
“Update the title of post ID 123 to ‘New Title Here’”
What Happens:
- Policy Check: ✅ Posts & Pages =
EDIT(allowed) - Diff Preview:
- Old Title: "Original Post Title" + New Title: "New Title Here" - Approval Prompt: Claude asks: “Apply this change?”
- You Respond: “Yes” or “No”
- Publish: Title updates only after your approval
Check the Audit Log
Go to WP Navigator → Audit Log to see:
- Timestamp of action
- Agent that requested it
- Policy checked
- Diff shown
- Your approval decision
- Final status
PRO users get 90-day audit retention—FREE users get 30 days.
Understanding Policy Levels
As you get comfortable, adjust policies for different capabilities:
DENY - Block Completely
No access. Agent can’t read or write this category.
Use for: Database, user management, critical settings.
READ - Read-Only
Agent can view data but not modify anything.
Use for: Audits, analysis, reconnaissance.
EDIT - Modify Existing
Agent can update existing items but not create new ones.
Use for: Content updates, fixing existing posts.
WRITE - Full Access
Agent can create, update, and delete items.
Use for: Trusted automation workflows.
Next Steps
You’ve successfully set up WordPress AI governance! Here’s what to explore next:
1. Add Plugin Adapters (PRO)
WP Navigator includes adapters for popular plugins:
- Elementor - Modify page layouts
- Yoast SEO - Update meta descriptions
- WooCommerce - Manage products
- And more - See all adapters
2. Configure Per-Plugin Permissions (PRO)
Set granular policies for individual plugins:
WooCommerce: EDIT (update products, not delete)
Yoast SEO: WRITE (full metadata access)
Elementor: READ (audit only, no changes)3. Set Up Automated Backups (PRO)
Enable pre/post-apply snapshots:
- Automatic backups before changes
- One-click rollback if needed
- 30-day snapshot retention
4. Explore Advanced Features (PRO)
- 3-State Control: ON/READ_ONLY/OFF with auto-expiry
- Agent Lease System: Heartbeat tracking with automatic expiry
- CloakPipe Integration: Automated error reporting to GitHub
Common Questions
Can I use this with ChatGPT or Gemini?
Yes! WP Navigator works with any MCP-compatible agent:
- Claude Code ✅
- Claude Desktop ✅
- Gemini CLI ✅
- Custom MCP agents ✅
What if I accidentally approve a bad change?
PRO users get automated backups and one-click rollback. Restore your site to pre-change state instantly.
FREE users get full audit logs showing exactly what changed. Manually revert using WordPress admin or database backup.
Does this slow down WordPress?
No. WP Navigator only activates when an agent makes an MCP request. Zero performance impact on normal WordPress operation.
Can I test policies without risk?
Yes! Use READ policies to let agents audit your site without making changes. Test workflows in a staging environment before production.
Security Best Practices
- Start with restrictive policies (
READorDENY) - Use staging sites to test before production
- Rotate Application Passwords regularly
- Monitor audit logs for unexpected activity
- Enable PRO backups for critical sites
Troubleshooting
Agent Can’t Connect
- Verify Application Password is correct
- Check Base64 encoding has no extra spaces
- Confirm WordPress REST API is enabled
- Test MCP endpoint:
https://yoursite.com/wp-json/wpnav/v1/mcp
Policy Blocks Expected Action
- Review policy level: might need
EDITinstead ofREAD - Check category: action might fall under different category
- View audit log: explains exactly why action was blocked
Diff Not Showing
- Ensure WP Navigator is version 1.0.6+
- Check agent is MCP-compatible
- Verify policy isn’t
DENY(blocks diff generation)
Conclusion
You’ve successfully added AI governance to WordPress! Your agents can now:
✅ Safely modify WordPress through MCP protocol ✅ Follow policy rules for every action ✅ Show diffs before applying changes ✅ Require human approval for all modifications ✅ Log every action for accountability
Next: Explore WP Navigator PRO for advanced features like deep adapters, automated backups, and per-plugin permissions.
Resources
Questions? Join the discussion on GitHub Discussions or get support at WordPress.org Support.