Connect AI assistants to your security data

Query scan results, manage sites, and investigate vulnerabilities through Claude, ChatGPT, Cursor, or any MCP-compatible client.

https://mcp.wpsec.com/sse
Setup

Quick Start

Get your MCP key from the WPSec dashboard, then add the config below to your AI client.

Terminal
claude mcp add --transport sse wpsec https://mcp.wpsec.com/sse \
  --header "Authorization: Bearer mcp_YOUR_SECRET_HERE"
~/.claude/claude_desktop_config.json
{
  "mcpServers": {
    "wpsec": {
      "type": "sse",
      "url": "https://mcp.wpsec.com/sse",
      "headers": {
        "Authorization": "Bearer mcp_YOUR_SECRET_HERE"
      }
    }
  }
}
Cursor Settings → MCP → Add Server
# Add a new MCP server in Cursor settings:

Name:    WPSec
Type:    SSE
URL:     https://mcp.wpsec.com/sse
Headers:
  Authorization: Bearer mcp_YOUR_SECRET_HERE
ChatGPT → Custom GPT → Actions
# In your Custom GPT configuration:

1. Go to Configure → Actions → Create new action
2. Set Authentication to Bearer Token
3. Enter your MCP secret as the token
4. Server URL: https://mcp.wpsec.com/sse
Generic SSE Configuration
Transport:  SSE
URL:        https://mcp.wpsec.com/sse
Header:     Authorization: Bearer mcp_YOUR_SECRET_HERE

# Endpoints:
#   GET  /sse        → event stream
#   POST /messages/  → JSON-RPC messages
Capabilities

Available Tools

| Tool | Description | Scope |
|---|---|---|
| wpsec_list_sites | List all your registered sites | read |
| wpsec_get_site_status | Check if a site is secure, vulnerable, or errored | read |
| wpsec_get_scan_report | Full report with vulnerabilities, plugins, and themes | read |
| wpsec_get_scan_history | Recent scans and their statuses | read |
| wpsec_search_vulnerabilities | Search vulnerabilities across all sites | read |
| wpsec_check_plugin | Check a plugin for known vulnerabilities | read |
| wpsec_check_wordpress | Check a WordPress version for known vulnerabilities | read |
| wpsec_trigger_scan | Queue a new security scan | write |
| wpsec_add_site | Register a new site for monitoring | write |
| wpsec_pause_site | Pause automatic scanning | write |
| wpsec_resume_site | Resume scanning | write |
| wpsec_configure_webhook | Set webhook URL for scan notifications | write |

Authentication

Getting your MCP key

1. Create an MCP key
   Go to wpsec.com/account/api.php → MCP Access Keys → Create MCP Key
2. Choose a scope
   Read — view scans and reports. Write — also trigger scans, add sites, manage webhooks.
3. Copy the secret
   Format: mcp_xxxxxxxx_.... Shown once — it's hashed and cannot be retrieved.

Requests / minute: 60. Per-user limit across all tools.
Scans / hour: 10. Per-site rate limit for trigger_scan.
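
An added example (not WPSec's own code): a client-side guard that applies the Scope column of the tools table and the two rate limits above before a tool call is forwarded to the server. The class name, the injectable clock and the `site_url` argument name for `wpsec_trigger_scan` are assumptions; the server remains the authority on scope and limits.

```python
import time
from collections import defaultdict, deque

# Tool -> scope mapping copied from the page's "Available Tools" table.
READ_TOOLS = {"wpsec_list_sites", "wpsec_get_site_status", "wpsec_get_scan_report",
              "wpsec_get_scan_history", "wpsec_search_vulnerabilities",
              "wpsec_check_plugin", "wpsec_check_wordpress"}
WRITE_TOOLS = {"wpsec_trigger_scan", "wpsec_add_site", "wpsec_pause_site",
               "wpsec_resume_site", "wpsec_configure_webhook"}


class ToolCallGuard:
    """Hypothetical local gate placed in front of the MCP client."""

    def __init__(self, key_scope, clock=time.monotonic):
        if key_scope not in ("read", "write"):
            raise ValueError("scope must be 'read' or 'write'")
        self.key_scope = key_scope
        self.clock = clock                 # injectable so the limits can be tested
        self.requests = deque()            # timestamps of allowed calls (60 / minute)
        self.scans = defaultdict(deque)    # site -> scan timestamps (10 / hour)

    @staticmethod
    def _prune(window, now, seconds):
        # Drop timestamps that have aged out of the sliding window.
        while window and now - window[0] >= seconds:
            window.popleft()

    def check(self, tool, arguments=None):
        """Return (allowed, reason); the call is recorded only when allowed."""
        arguments = arguments or {}
        now = self.clock()
        if tool not in READ_TOOLS | WRITE_TOOLS:
            return False, "unknown tool"
        if tool in WRITE_TOOLS and self.key_scope != "write":
            return False, "write tool blocked for read-scope key"
        self._prune(self.requests, now, 60)
        if len(self.requests) >= 60:
            return False, "request limit: 60 per minute"
        if tool == "wpsec_trigger_scan":
            site = arguments.get("site_url", "")   # assumed argument name
            self._prune(self.scans[site], now, 3600)
            if len(self.scans[site]) >= 10:
                return False, "scan limit: 10 per hour for this site"
            self.scans[site].append(now)
        self.requests.append(now)
        return True, "ok"
```

Running the assistant with a read-scope key and a guard like this keeps the write tools out of reach unless a write key is deliberately configured.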

Example

How it works

You
Are any of my sites vulnerable?
Claude
wpsec_list_sites(status="all")
wpsec_get_site_status(site_url="https://example.com")
wpsec_get_site_status(site_url="https://shop.example.com")
✔ example.com — Secure
✘ shop.example.com — 2 vulnerabilities found

shop.example.com has issues. Want the full report?
You
Yes, show me.
Claude
wpsec_get_scan_report(site_url="https://shop.example.com")
1. WooCommerce < 8.5.1 — XSS in checkout. Fix: update to 8.5.1.
2. WordPress 6.4.1 — PHP object injection. Fix: update to 6.4.3.

Both have patches available. Want me to trigger a rescan after you update?