WP-WC-MCP

Verified Safe

by M4F-S

Overview

Enables LLMs like Claude to interact with and manage WordPress and WooCommerce sites via natural language.

Installation

Run Command
npm start

Environment Variables

  • WORDPRESS_URL
  • WORDPRESS_USERNAME
  • WORDPRESS_APP_PASSWORD
  • NODE_ENV
  • LOG_LEVEL
  • MCP_TRANSPORT
  • RATE_LIMIT_GLOBAL
  • RATE_LIMIT_WINDOW_MS
  • REQUEST_TIMEOUT
  • MAX_RETRIES
  • RETRY_DELAY

Security Notes

This project implements a 'security-first' architecture with robust measures. It features extensive input validation using Zod schemas and a custom `InputValidator`, covering SSRF protection (blocking internal IPs and dangerous protocols) and prevention of SQL injection, XSS, and path traversal. Authentication uses WordPress Application Passwords with a circuit breaker pattern and re-authentication logic. Authorization is enforced via WordPress capability checks mapped to specific tools. Sensitive data is automatically redacted from logs using Winston. Rate limiting (token bucket algorithm), batch operation limits, and secure Docker configurations (non-root user, resource limits, dropped capabilities) are also in place. Error messages are sanitized to prevent information disclosure. While the project is highly secure, no system is 100% impervious to all possible attack vectors, hence a score of 9.

Stats

  • Interest Score: 0
  • Security Score: 9
  • Cost Class: Medium
  • Avg Tokens: 750
  • Stars: 0
  • Forks: 0
  • Last Update: 2026-01-19

Tags

wordpress, woocommerce, mcp, llm-agent, e-commerce