WordPress Integration

Agenties can operate WordPress sites through the ForgePress plugin. The plugin is the secure tunnel and executor; Agenties is the brain, workflow controller, guardrail layer, and skill-driven operator.

Architecture

Model

Agenties local app
  → MCP tools (risk-tier checked, confirmation gated)
    → ForgePress plugin REST API (/wp-json/forgepress/v1/*)
      → WordPress site

Layer	Responsibility
ForgePress plugin	Secure site tunnel, X-ForgePress-Key authentication, REST endpoints, PHP executor when enabled.
Agenties	Planning, workflow, risk-tier enforcement, write confirmation gates, audit trail, and MCP surface.
Skills	Builder and plugin knowledge: Gutenberg, WooCommerce, ACF, SEO, cache plugins, page builders.
MCP tools	Guarded controls the orchestrator can call — every write requires tier + confirmation text.

Note:The API key is stored locally and sent as an X-ForgePress-Key header on every request. It is never stored in plain text — Agenties uses its internal secrets store.

Risk tiers

WordPress capabilities are gated by tier. Each tier is cumulative — a higher tier unlocks all lower-tier operations. Tiers are set in Settings → WordPress and apply per project.

Tier	Typical operations
`read_only`	Status, site info, posts/pages, plugins/themes, options (default on connect).
`content_write`	Create and update draft posts and pages (status changes are blocked at this tier).
`admin_ops`	Plugin toggles, cache flush, WooCommerce option writes.
`db_ops`	Guarded SQL queries. Requires confirmation text + backupConfirmation for destructive queries. Blocks wp_users.
`php_exec`	Controlled PHP execution with explicit unlock consent. Dangerous patterns are scanned and blocked.

Tier order

read_only < content_write < admin_ops < db_ops < php_exec

Warning:Every write operation requires confirm: true and a specific confirmationText string (e.g. "CREATE DRAFT", "FLUSH CACHE"). This is enforced at runtime regardless of tier. DB DELETE/DROP/TRUNCATE also requires backupConfirmation: true.

MCP tools

Tool	Tier required	Purpose
`wordpress_status`	read_only	Read connection status, tier, and last capabilities scan.
`wordpress_get_site_info`	read_only	Read WordPress/PHP/site metadata from the plugin.
`wordpress_get_capabilities`	read_only	Detect active stack and get recommended skills list.
`wordpress_list_posts`	read_only	List posts with pagination and search.
`wordpress_list_pages`	read_only	List pages with pagination and search.
`wordpress_list_plugins`	read_only	List installed plugins.
`wordpress_list_themes`	read_only	List installed themes.
`wordpress_get_options`	read_only	Read WordPress options table values.
`wordpress_create_post`	content_write	Create a draft post (status always forced to draft).
`wordpress_update_post`	content_write	Update post content/title/excerpt (status changes blocked).
`wordpress_create_page`	content_write	Create a draft page.
`wordpress_update_page`	content_write	Update page title or content.
`wordpress_toggle_plugin`	admin_ops	Activate or deactivate a plugin by file path.
`wordpress_flush_cache`	admin_ops	Flush WP cache + WP Rocket / W3TC / LiteSpeed if present.
`wordpress_set_woocommerce_option`	admin_ops	Write a WooCommerce option key.
`wordpress_run_db_query`	db_ops	Run a guarded SQL query. Blocks wp_users writes.
`wordpress_unlock_php_exec`	php_exec	Unlock PHP execution for the session (requires consent string).
`wordpress_execute_php`	php_exec	Execute guarded PHP. Dangerous patterns are scanned.
`wordpress_set_access`	—	Set the Agenties-side risk tier for the project.

Tip:All write operations (content_write and above) are logged to .agenties/activity/wp-write-*.json. DB queries go to wp-db-*.json and PHP executions to wp-php-*.json for full audit trail.

Skills

Site-specific and builder knowledge lives in skills, not in code. After the capabilities scan, the orchestrator loads the right skill for the detected stack. Skills are auto-recommended from the detected builder and active plugin list.

Skill	When to use
`wordpress-core`	General WordPress read and admin operations playbook. Always load first.
`gutenberg-builder`	Reading and writing Gutenberg block content via the REST API.
`woocommerce-core`	Store audit, products, orders, and settings. Includes riskTier model for writes.
`elementor-builder`	Elementor page builder sites (auto-detected).
`bricks-builder`	Bricks page builder sites (auto-detected).
`divi-builder`	Divi page builder sites (auto-detected).
`acf`	Advanced Custom Fields — read and write field groups (auto-detected).
`rankmath-seo / yoast-seo`	SEO meta, sitemaps, and schema (auto-detected).
`wp-rocket / litespeed-cache`	Cache management and performance plugins (auto-detected).

Recommended workflow

Step	Action
1	Connect the site URL and API key in Settings → WordPress.
2	Agenties runs a capabilities scan automatically on connect.
3	Start in read_only — the default on every new connection.
4	Load the recommended skills for the detected stack.
5	Escalate tier only when a specific write task requires it.
6	Prefer draft post/page tools before DB or PHP.
7	Use php_exec only as a last-resort controlled execution path.

Warning:Use db_ops and php_exec on disposable or staging sites first. They are powerful by design and should always be paired with backups, confirmation gates, and audit logs.

← PreviousVercel Next →Knowledge Graph