How to Give Claude Code Access to Your WordPress Site
Most developers run Claude Code in a silo. Here’s how to break that wall.
You’ve seen what Claude Code can do in a local repo. It reads files, writes functions, runs tests, and ships commits without you typing a line. But the moment you need it to touch your WordPress site — create a post, update an option, deploy a theme change — you hit a wall. WordPress lives on a server. Claude Code lives in your terminal. The two don’t talk.
That gap is the problem this article solves.
By the end of this guide, you’ll have a working WordPress plugin that exposes a REST API your AI agents can actually authenticate against, call programmatically, and use to manage your site. No fragile workarounds. No copy-pasting between browser tabs.

Why WordPress Doesn’t Work With AI Agents Out of the Box
WordPress has a built-in REST API. It ships with every install. So why can’t Claude Code just use it?
Three reasons:
1. Authentication is designed for humans, not agents. The default WP REST API uses cookies and nonces — session-based auth that requires a logged-in browser. JWT plugins help, but they’re not built with agent workflows in mind. Token expiry, rotation, and rate limiting aren’t handled cleanly.
2. The default API doesn’t expose everything you need. You can CRUD posts. You can’t update arbitrary wp_options, trigger theme deploys, import media with custom metadata, or write to the filesystem. Agent workflows need all of these.
3. There’s no activity log. When a human clicks something, they remember it. When an agent makes 40 API calls in a sprint, you need a record. The default REST API has no per-action logging.
A purpose-built WordPress plugin for AI agent integration solves all three.
What the Plugin Needs to Do
Before writing a line of code — or asking Claude Code to write it — define what the plugin must handle:
| Capability | Why It’s Required |
|---|---|
| API key authentication | Agents don’t have sessions — they need a static, rotatable credential |
| Rate limiting | Prevent runaway agent loops from hammering your DB |
| wp_options read/write | Agent needs to read/update site configuration |
| Post create/update/delete | Core content management |
| Media import with metadata | Featured images with SEO filenames and alt text |
| File write (theme files) | Deploy theme edits without SSH for routine changes |
| Activity log | Audit trail of every agent action |
| Path validation | Restrict file writes to /themes and /uploads — never root |
If you’re building this from scratch, that’s a few hundred lines of PHP. If you want a pre-built version that handles all of this with HostGator-compatible security hardening, that’s what the WP Bloomwell AI Agent Bridge plugin does. More on that below.
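The path validation row in the table above is the capability most worth getting right, so here is one way to implement it. This is an added example, not code from the article or from the WP Bloomwell plugin; the function name and the `path` request field are hypothetical, and the allowlist entries `themes/your-theme` and `uploads` are the directories the article names.

```php
<?php
// Added example (not the plugin's own code). Function name and the 'path'
// request field mentioned below are hypothetical.

/**
 * Resolve an agent-supplied path and accept it only inside an allowlisted
 * directory. Returns the absolute path to write, or null when rejected.
 */
function agent_bridge_resolve_write_path(string $requested, string $content_dir, array $allowed_dirs): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null; // empty path or embedded NUL byte
    }
    $root = realpath($content_dir);
    if ($root === false) {
        return null;
    }
    $target = $root . DIRECTORY_SEPARATOR . ltrim($requested, '/\\');
    $name   = basename($target);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // The file may not exist yet, so canonicalise its parent directory.
    // realpath() collapses "../" and follows symlinks; the parent must exist.
    $parent = realpath(dirname($target));
    if ($parent === false) {
        return null;
    }
    $resolved = $parent . DIRECTORY_SEPARATOR . $name;
    if (is_link($resolved)) {
        return null; // a symlinked file could redirect the write elsewhere
    }
    foreach ($allowed_dirs as $dir) {
        $base = realpath($root . DIRECTORY_SEPARATOR . trim($dir, '/\\'));
        // Compare with a trailing separator so "uploads-old" never matches "uploads".
        if ($base !== false
            && strpos($parent . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) === 0) {
            return $resolved;
        }
    }
    return null; // /plugins/, the site root and wp-config.php all end up here
}

// Inside the /file/write handler (WordPress context):
// $path = agent_bridge_resolve_write_path($request['path'], WP_CONTENT_DIR,
//                                         ['themes/your-theme', 'uploads']);
// if ($path === null) { return new WP_Error('agent_bad_path', 'Path not allowed.', ['status' => 403]); }
```

Because the check runs on the resolved parent directory rather than on the raw string, a request such as `themes/your-theme/../../../wp-config.php` is rejected without needing a separate denylist.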

Setting Up Claude Code to Call Your WordPress REST API
Assuming your plugin is installed and your API key is set, here’s how you wire Claude Code to it.
Step 1 — Store Your Credentials Securely
Never hardcode your API key in a prompt or a script. Add it to a local .env file:
# .env (never commit this)
WP_SITE_URL=https://yoursite.com
WP_AGENT_API_KEY=your-secret-key-here
Then source it in your shell or reference it in your Claude Code system prompt via an environment variable.
Step 2 — Test the Connection
Before building anything, verify the plugin is responding:
curl -X GET "https://yoursite.com/wp-json/agent/v1/status" \
  -H "X-Agent-API-Key: $WP_AGENT_API_KEY"
Expected response:
{
"status": "ok",
"site": "yoursite.com",
"version": "1.0.0"
}
If you get a 401, your key isn’t being passed or the plugin isn’t reading the header correctly. If you get a 406, ModSecurity is blocking the request — you’ll need to whitelist your IP or add a ModSecurity exception rule.
Step 3 — Give Claude Code the API Contract
In your Claude Code system prompt or in a CLAUDE.md file at the root of your project, document the available endpoints:
## WordPress API Access
Base URL: https://yoursite.com/wp-json/agent/v1/
Auth header: X-Agent-API-Key: [from env]
### Available endpoints:
- GET /status — health check
- POST /post/create — create a new post
- POST /post/update — update existing post by ID
- POST /option/get — read a wp_options value
- POST /option/update — write a wp_options value
- POST /media/import — import media from URL or local path
- POST /file/write — write content to a whitelisted theme file path
- GET /log/recent — fetch last 25 activity log entries
Claude Code will use this contract to make real API calls during agent runs — no hallucination, because it has the actual schema.
Step 4 — Run Your First Agent Task
Here’s an example Claude Code prompt that uses the integration end-to-end:
Create a new WordPress post with:
- Title: "How AI Agents Are Replacing Dev Ops Workflows"
- Category: Developer Tools
- Status: draft
- Content: [full article text]
Then set Rank Math postmeta:
- rank_math_focus_keyword: "AI agent devops automation"
- rank_math_title: [same as post title]
- rank_math_description: "150-char description here"
Use the WordPress API. Auth header is in $WP_AGENT_API_KEY.
Log the post ID after creation.
Claude Code will chain those API calls, verify the response codes, and log what it did. You review the draft. One command, no browser.
The Security Layer You Can’t Skip
AI agents making HTTP calls to your WordPress site is powerful. It’s also a liability if you don’t lock it down.
Minimum security requirements for any WordPress agent plugin:
- Hash-based key comparison — store a bcrypt or SHA-256 hash of the API key, not the plaintext value
- Rate limiting — 100 requests per hour per key is a reasonable starting ceiling; drop it to 20 for untrusted environments
- Path validation — maintain an explicit allowlist: /themes/your-theme/ and /uploads/ only. Never allow writes to /plugins/, root, or wp-config.php
- Activity logging — every action should write to a custom DB table: timestamp, endpoint, IP, success/failure, post ID or file path affected
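- IP restriction (optional) — for production sites, restrict the API key to your dev machine’s IP via a $_SERVER['REMOTE_ADDR'] check. Behind a reverse proxy or CDN, REMOTE_ADDR holds the proxy’s address, so confirm which address your host actually passes to PHP before relying on it.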
Without these, you’ve handed an LLM the keys to your site with no audit trail and no throttle.
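The first two requirements in the list above (hashed key comparison and a 100 requests/hour ceiling) can share one REST `permission_callback`. The following is an added example, not the article's or the WP Bloomwell plugin's code; the option name `agent_bridge_key_hash`, the transient prefix and the function name are hypothetical, and the API key is assumed to be a long random token.

```php
<?php
// Added example (not the Bloomwell plugin's code). The option name, transient
// prefix and function name are hypothetical; the key is assumed to be a long
// random token, which is what makes an unsalted SHA-256 acceptable here.

const AGENT_BRIDGE_LIMIT = 100; // requests per hour per key

function agent_bridge_permission_check(WP_REST_Request $request)
{
    $presented = (string) $request->get_header('X-Agent-API-Key');
    $stored    = (string) get_option('agent_bridge_key_hash', ''); // hex SHA-256
    if ($presented === '' || $stored === '') {
        return new WP_Error('agent_unauthorized', 'Missing API key.', ['status' => 401]);
    }
    // Hash what was presented and compare in constant time.
    $presented_hash = hash('sha256', $presented);
    if (!hash_equals($stored, $presented_hash)) {
        return new WP_Error('agent_unauthorized', 'Invalid API key.', ['status' => 401]);
    }
    // Fixed one-hour window per key. The reset time is stored with the count
    // so that each request does not push the expiry forward.
    $bucket = 'agent_rl_' . substr($presented_hash, 0, 16);
    $now    = time();
    $state  = get_transient($bucket);
    if (!is_array($state) || $state['reset'] <= $now) {
        $state = ['count' => 0, 'reset' => $now + HOUR_IN_SECONDS];
    }
    if ($state['count'] >= AGENT_BRIDGE_LIMIT) {
        return new WP_Error('agent_rate_limited', 'Rate limit exceeded.', ['status' => 429]);
    }
    $state['count']++;
    // Transients are not atomic: concurrent requests can undercount slightly.
    set_transient($bucket, $state, $state['reset'] - $now);
    return true;
}

add_action('rest_api_init', function () {
    register_rest_route('agent/v1', '/status', [
        'methods'             => 'GET',
        'permission_callback' => 'agent_bridge_permission_check',
        'callback'            => function () {
            return ['status' => 'ok', 'site' => wp_parse_url(home_url(), PHP_URL_HOST), 'version' => '1.0.0'];
        },
    ]);
});
```

Rotating the key means generating a new random token, storing only its SHA-256 hex digest in the option, and updating the `.env` value on the agent side.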

Ready to Skip the Build? Use the WP Bloomwell AI Agent Bridge
Building this plugin yourself takes time — authentication logic, path validation, logging schema, rate limiter. If you want it done and running on your site this week without writing the plumbing, the WP Bloomwell AI Agent Bridge is the pre-built version.
It ships with:
- API key auth with hash comparison
- 11 endpoints covering posts, options, media, file writes, and DB queries
- Rate limiting (100 req/hour, transient-based)
- Activity log table with IP tracking
- HostGator ModSecurity compatibility notes included in the docs
→ See the WP Bloomwell AI Agent Bridge
If you want a custom integration — different endpoint schema, multi-site support, or Claude Code workflows specific to your stack — book a BEA session and we’ll spec it together.
What’s Next
Post #3 in this series goes deeper on REST API architecture: how to structure your WordPress site so an AI agent can read it semantically, not just mechanically. We’ll cover endpoint design patterns, response schema for agent consumption, and how to handle the WP nonce problem in headless contexts.
→ Turning WordPress Into an API Your AI Agent Can Actually Use (publishing soon)