MCP gives AI agents real capability. MCPWP should be introduced with clear scopes, read-first inspection, revocable credentials, and explicit handoff points before risky changes.
Connect the client and verify site info, active capabilities, and available tools before any content or layout changes.
Use the narrowest key that matches the job: content, Elementor, SEO, media, menus, or admin operations.
Treat API keys like deployment credentials. Rotate or remove them after short-term external access.
When a workflow exposes a plugin bug or missing feature, create an issue so launch and product work stay connected.
Do not claim magic AI safety. State the actual controls: endpoint authentication, scoped keys, read-only setup, logs where available, and operator review before destructive actions.
Any write-capable integration can cause harm if over-permissioned. MCPWP messaging should always recommend read-first setup and scoped keys.
For content and metadata, production workflows can be scoped. For risky layout, code, commerce, or broad automation work, staging is the safer default.
A key policy, first-connection checklist, rollback path, issue reporting path, and approval rules for destructive operations.