WordPress for Cowork

Release Notes

Changelog

WordPress for Cowork — Changelog

v5.0.5 — 2026-04-30 (customer-facing — license-model rewrite + machine ID + update notices)

Changed

  • Removed all subscription / trial / “seats used” language across README.md, plugin.json, commands/wp-setup.md, and CONNECTORS.md. The plugin now correctly reflects the live one-time-purchase + 1-year-updates-included + optional yearly maintenance renewal model. Plans table replaced with current Solo $99 / Agency $399 / Enterprise from $414 pricing, “licenses included” framing, unlimited domains, 2 devices per user license. Stripe entry reframed from “subscription billing” to “checkout + optional yearly renewal.”
  • Dropped legacy CW-SOLO-* / WPCv3-* license-key format references from wp-setup.md step 1.
  • SKILL.md “How This Plugin Works” corrected from “shared-secret Bearer token” (v4.x stale wording) to “license-key Bearer token from WORDPRESS_COWORK_KEY.”
  • SKILL.md slash-commands table entry for /wp-setup updated from “Configure the shared secret” to “Activate your license key.”
  • Skill version bumped to 5.0.5.

Added

  • Machine ID generation in /wp-setup step 2. A stable UUIDv4 is generated on first setup and reused on every subsequent run. Stored in ~/.claude/plugin-config/wordpress-for-cowork.json alongside the license key. The license server uses this to recognize the device when checking the 2-device-per-user-license cap. Existing machine_id values are preserved on re-runs.
  • Persistent state expanded. Config file now also tracks last_setup_at, plugin_version, and a connected_sites array that grows as additional sites are connected via /wp-setup. Re-running /wp-setup preserves machine_id and connected_sites (only re-writes license_key, last_setup_at, plugin_version).
  • Update notice in /wp-setup step 3. Calls the public /wp-json/wpfc-release/v1/latest feed, compares to the bundled plugin version, and surfaces a one-line notice if a newer version exists. Severity-aware wording (critical → install before continuing, high → install soon, otherwise → install when convenient). Fails silently if the feed is unreachable.
  • maintenance_expired (403) error case in wp-setup.md — the plugin keeps working, but updates pause until renewal. Replaces the removed “trial expired” / “subscription lapsed” cases.
  • config file at ~/.claude/plugin-config/wordpress-for-cowork.json explicitly documented in the Notes section: license key + machine ID (UUIDv4) + last setup timestamp + plugin version + connected sites, mode 600.

Unchanged

  • Tool surface, endpoint URL, slash command set.
  • Auth model (license-key Bearer via WORDPRESS_COWORK_KEY).
  • Backup safety pre-flight prompt + server-side -32099 gate handling.
  • Security-plugin warning in wp-setup.md step 5 (carried over unchanged from 5.0.4).

Notes / not in this release

  • Server-side machine_id registration is not yet wired through mcp__wordpress__wp_setup. The hosted MCP at wordpressforcowork.com needs to accept a machine_id parameter and use it when applying the 2-device cap. Until that lands server-side, machine_id is generated and persisted on the client only — the server still falls back to IP-based device tracking. Tracked separately.
  • wp-admin JS heartbeat (the original H8 / [16] task) is moot under the current hosted-MCP architecture — the customer’s WordPress site no longer runs any of our plugin code, so there’s no surface to attach a JS heartbeat to. The license server already gets a heartbeat on every tool call (it sees IP + timing per call), which covers the original goal.

v5.0.4 — 2026-04-30 (customer-facing — proactive security-plugin warning)

Added

  • commands/wp-setup.md now has a “Before you generate an Application Password” callout listing the most common WordPress security plugins (Wordfence, iThemes/Solid Security, Sucuri WAF, WP Cerber, managed-host firewalls) and the specific toggle to flip in each. Links to the full troubleshooting guide on wordpressforcowork.com/support/. This was the #1 cause of “plugin won’t connect” support tickets — now caught proactively before the user even tries.

Unchanged

  • Tool surface, auth model, slash commands, endpoint URL, license-key flow.

v5.0.3 — 2026-04-30 (customer-facing — dead link cleanup)

Fixed

  • Replaced two stale /my-account/licenses/ references in commands/wp-setup.md with the new /my-account/devices/ portal URL. License Manager for WooCommerce free version doesn’t expose a /licenses/ endpoint, so those links were dead 404s.
  • Reframed “seat limit” 403 guidance as “device limit” 403 to match the new license model: each license can be registered to 2 devices (laptop + desktop). Customer manages registered devices at /my-account/devices/.

Unchanged

  • Tool surface, auth model, slash commands, endpoint URL, license-key activation flow.

Known stale (still pending — tracked separately as H7 / [16b])

  • README and wp-setup.md still reference subscriptions, “seats used”, trial expiration, and a CW-SOLO-* / WPCv3-* legacy license format. These need a wholesale rewrite to match the current one-time-purchase + maintenance + N-keys-per-tier + unlimited-domains model. Out of scope for this patch.

v5.0.2 — 2026-04-27 (customer-facing — backup-gate handling)

Added

  • wordpress-site-builder skill now handles server-side -32099 "Backup confirmation required" errors. New section in SKILL.md (after “Restoring later”) tells the skill to stop, surface the error to the user, and retry either after taking a fresh backup OR with _skip_backup_ack: true once the user opts to skip.

Why

The endpoint mu-plugin wpfc-backup-gate.php (deployed 2026-04-27) blocks destructive tool calls when the most recent on-disk backup is older than 60 minutes. The skill previously didn’t know about this error code and would have surfaced a raw JSON-RPC error to the user. With this update, the skill recognizes the gate, explains it, and routes the user to either take a backup or override.

Unchanged

  • Tool surface, auth model, slash commands, Plans table, pricing.
  • Endpoint URL.

v5.0.1 — 2026-04-27 (customer-facing — docs)

Fixed

  • README pricing table. Removed stale “verify Enterprise pricing” caveat (Enterprise pricing is now stable). Restated Enterprise as per-seat with a 6-seat minimum and added the implied $45/mo / $450/yr floor. Added a one-line note about ~17% annual savings.

Unchanged

  • Tool surface, auth model, commands, skill, endpoint URL.
  • Live site pricing — README now matches the Plans page.

v5.0.0 — 2026-04-27 (customer-facing)

Customer-facing release alongside v4.x internal build

This is the customer-facing variant of the plugin. The v4