WordPress for Cowork is two pieces working together: one in Cowork on your desktop, one on your WordPress site. Neither piece talks to our servers in the request path — your content stays on your host.
The two halves
- The Cowork-side plugin (
wordpress-for-cowork-v6.x.plugin) installs in Claude Cowork on your desktop. It provides the slash commands (/wp-setup,/wp-status,/wp-publish, etc.) and tells Claude about the 125 WordPress tools available. - Cowork Bridge (
cowork-bridge.zip) installs on your WordPress site like any WordPress plugin. On activation it auto-deploys a mu-plugin that exposes an MCP endpoint atyour-domain.com/wp-json/coworkmcp/v1/mcp.
The flow
When you type a request in Cowork, Claude figures out what tool(s) it needs, sends an HTTPS request to your site’s MCP endpoint, and the mu-plugin runs the operation on your WordPress install — same way wp-admin does, just driven by Claude instead of you clicking through.
What we see and what we don’t
- We see: license validation pings (a hash of your license key + the machine ID Cowork uses), so we can enforce the 2-device cap and your maintenance period.
- We don’t see: any of your WordPress content, your visitors, your customers, your orders, your comments, your media, or your tools/calls. None of it leaves your server during normal operation.
Why this matters
If our servers go down, your WordPress site keeps working. Your data is at no point in our possession. If we got breached tomorrow, the worst that could leak from our side is your email address and license key — never your site contents.