Complete guide for deploying MCP WordPress Server to production environments.
- Quick Start
- Docker Deployment
- Environment Management
- Security Configuration
- Performance Optimization
- Monitoring & Logging
- Backup & Recovery
- Troubleshooting
- Docker 20.10+ or Node.js 18+
- WordPress site with REST API enabled
- Application passwords or JWT authentication configured
# 1. Build verification
npm run build
npm test
# 2. Security scan
npm run security:scan
# 3. Performance validation
npm run test:performance
# 4. Coverage check
npm run coverage:full
# 5. Docker deployment
docker-compose up -d --build# Pull latest stable version
docker pull docdyhr/mcp-wordpress:latest
# Run with environment file
docker run -d \
--name mcp-wordpress \
--env-file .env.production \
-p 3000:3000 \
docdyhr/mcp-wordpress:latest# docker-compose.prod.yml
version: "3.8"
services:
mcp-wordpress:
image: docdyhr/mcp-wordpress:latest
restart: unless-stopped
ports:
- "3000:3000"
environment:
NODE_ENV: production
LOG_LEVEL: info
env_file:
- .env.production
volumes:
- ./config:/app/config:ro
- ./logs:/app/logs
- cache_data:/app/cache
healthcheck:
test: ["CMD", "npm", "run", "health"]
interval: 30s
timeout: 10s
retries: 3
networks:
- mcp_network
# Optional: Redis for enhanced caching
redis:
image: redis:7-alpine
restart: unless-stopped
command: redis-server --appendonly yes
volumes:
- redis_data:/data
networks:
- mcp_network
volumes:
cache_data:
redis_data:
networks:
mcp_network:
driver: bridge# Dockerfile.prod
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build
# Production stage
FROM node:18-alpine AS production
RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001
WORKDIR /app
COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist
COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=nodejs:nodejs /app/package*.json ./
USER nodejs
EXPOSE 3000
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD npm run health || exit 1
CMD ["npm", "start"]# .env.production
NODE_ENV=production
LOG_LEVEL=info
DEBUG=false
# WordPress Configuration
WORDPRESS_SITE_URL=https://your-production-site.com
WORDPRESS_USERNAME=production_user
WORDPRESS_APP_PASSWORD=xxxx xxxx xxxx xxxx xxxx xxxx
WORDPRESS_AUTH_METHOD=app-password
# Security
ENABLE_CORS=false
TRUSTED_ORIGINS=https://your-domain.com
API_RATE_LIMIT=100
API_RATE_WINDOW=900000
# Performance
CACHE_TTL=3600
CACHE_MAX_SIZE=1000
ENABLE_COMPRESSION=true
MAX_REQUEST_SIZE=10mb
# Monitoring
ENABLE_METRICS=true
METRICS_PORT=9090
HEALTH_CHECK_TIMEOUT=5000{
"sites": [
{
"id": "production",
"name": "Production Site",
"config": {
"WORDPRESS_SITE_URL": "https://main-site.com",
"WORDPRESS_USERNAME": "prod_user",
"WORDPRESS_APP_PASSWORD": "secure_app_password",
"WORDPRESS_AUTH_METHOD": "app-password"
}
},
{
"id": "staging",
"name": "Staging Site",
"config": {
"WORDPRESS_SITE_URL": "https://staging.main-site.com",
"WORDPRESS_USERNAME": "staging_user",
"WORDPRESS_APP_PASSWORD": "staging_app_password",
"WORDPRESS_AUTH_METHOD": "app-password"
}
}
],
"security": {
"enableRateLimit": true,
"maxRequestsPerWindow": 100,
"windowSizeMs": 900000,
"enableCors": false,
"trustedOrigins": ["https://main-site.com"]
},
"performance": {
"cache": {
"enabled": true,
"defaultTTL": 3600,
"maxSize": 1000
},
"compression": true,
"maxRequestSize": "10mb"
},
"monitoring": {
"enableMetrics": true,
"metricsPort": 9090,
"healthCheckTimeout": 5000,
"logLevel": "info"
}
}-
Application Passwords (Recommended)
# WordPress Admin → Users → Your Profile → Application Passwords # Generate unique password for MCP server WORDPRESS_APP_PASSWORD=xxxx xxxx xxxx xxxx xxxx xxxx
-
JWT Authentication
# Install JWT Authentication plugin # Configure JWT secret in wp-config.php define('JWT_AUTH_SECRET_KEY', 'your-secret-key'); define('JWT_AUTH_CORS_ENABLE', true);
# nginx.conf - Reverse proxy configuration
upstream mcp_wordpress {
server 127.0.0.1:3000;
keepalive 32;
}
server {
listen 443 ssl http2;
server_name api.yourdomain.com;
# SSL configuration
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
# Security headers
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# Rate limiting
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_req zone=api burst=20 nodelay;
location / {
proxy_pass http://mcp_wordpress;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 86400;
}
}# Using Docker secrets (Docker Swarm)
echo "your_app_password" | docker secret create wp_app_password -
# Using Kubernetes secrets
kubectl create secret generic mcp-wordpress-secrets \
--from-literal=wp-app-password=your_app_password \
--from-literal=jwt-secret=your_jwt_secret// Production cache settings
const cacheConfig = {
// Memory cache
maxItems: 5000,
maxMemoryMB: 512,
// TTL settings (seconds)
ttl: {
posts: 1800, // 30 minutes
pages: 3600, // 1 hour
users: 7200, // 2 hours
media: 86400, // 24 hours
settings: 43200, // 12 hours
},
// Compression
enableCompression: true,
compressionLevel: 6,
};-- WordPress database indexes for REST API performance
ALTER TABLE wp_posts ADD INDEX idx_post_status_type_date (post_status, post_type, post_date);
ALTER TABLE wp_posts ADD INDEX idx_post_name (post_name);
ALTER TABLE wp_postmeta ADD INDEX idx_meta_key_value (meta_key, meta_value(191));# docker-compose.scale.yml
version: "3.8"
services:
mcp-wordpress:
image: docdyhr/mcp-wordpress:latest
deploy:
replicas: 3
resources:
limits:
cpus: "0.5"
memory: 512M
reservations:
cpus: "0.25"
memory: 256M
restart_policy:
condition: on-failure
delay: 5s
max_attempts: 3
environment:
NODE_ENV: production
networks:
- app_network
nginx:
image: nginx:alpine
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
- ./ssl:/etc/ssl/certs:ro
depends_on:
- mcp-wordpress
networks:
- app_network# Built-in health check endpoint
curl -f http://localhost:3000/health || exit 1
# Detailed health check
npm run health
# Performance metrics
curl http://localhost:9090/metrics{
"timestamp": "2025-08-11T04:50:00.000Z",
"level": "info",
"message": "Request completed successfully",
"context": {
"method": "GET",
"endpoint": "/posts",
"duration": 145,
"statusCode": 200,
"cacheHit": true,
"siteId": "production"
}
}# monitoring/docker-compose.yml
version: "3.8"
services:
prometheus:
image: prom/prometheus
ports:
- "9090:9090"
volumes:
- ./prometheus.yml:/etc/prometheus/prometheus.yml
- prometheus_data:/prometheus
grafana:
image: grafana/grafana
ports:
- "3001:3000"
environment:
GF_SECURITY_ADMIN_PASSWORD: admin
volumes:
- grafana_data:/var/lib/grafana
- ./grafana/dashboards:/etc/grafana/provisioning/dashboards
loki:
image: grafana/loki
ports:
- "3100:3100"
volumes:
- ./loki-config.yml:/etc/loki/local-config.yaml
- loki_data:/tmp/loki
volumes:
prometheus_data:
grafana_data:
loki_data:# Backup configuration
tar -czf config-backup-$(date +%Y%m%d).tar.gz \
.env.production \
mcp-wordpress.config.json \
docker-compose.prod.yml
# Cache backup (if needed)
docker exec mcp-wordpress tar -czf - /app/cache > cache-backup-$(date +%Y%m%d).tar.gz
# Database backup (if using local DB)
docker exec postgres pg_dump -U postgres wordpress > db-backup-$(date +%Y%m%d).sql# 1. Stop services
docker-compose -f docker-compose.prod.yml down
# 2. Restore configuration
tar -xzf config-backup-20250811.tar.gz
# 3. Pull latest image
docker-compose -f docker-compose.prod.yml pull
# 4. Start services
docker-compose -f docker-compose.prod.yml up -d
# 5. Verify health
npm run health# Check memory usage
docker stats mcp-wordpress
# Adjust cache limits
export CACHE_MAX_SIZE=500
export CACHE_MAX_MEMORY_MB=256
# Restart service
docker-compose restart mcp-wordpress# Test WordPress connectivity
curl -I https://your-wordpress-site.com/wp-json/wp/v2/
# Check authentication
npm run test:auth
# Verify application password
wp user application-password list admin --allow-root# Check cache hit rate
curl http://localhost:9090/metrics | grep cache_hit_rate
# Monitor request latency
curl http://localhost:9090/metrics | grep request_duration
# Check for memory leaks
docker exec mcp-wordpress node --inspect=0.0.0.0:9229 dist/index.js# Test SSL connection
openssl s_client -connect your-domain.com:443 -servername your-domain.com
# Check certificate expiration
echo | openssl s_client -connect your-domain.com:443 2>/dev/null | openssl x509 -noout -dates# Enable debug logging
export DEBUG=true
export LOG_LEVEL=debug
# Restart with debug enabled
docker-compose restart mcp-wordpress
# View debug logs
docker-compose logs -f mcp-wordpress# CPU profiling
docker exec mcp-wordpress node --prof dist/index.js
# Memory profiling
docker exec mcp-wordpress node --inspect=0.0.0.0:9229 dist/index.js
# Heap snapshots
docker exec mcp-wordpress node -e "
const v8 = require('v8');
const fs = require('fs');
const heapSnapshot = v8.writeHeapSnapshot();
console.log('Heap snapshot written to', heapSnapshot);
"- Pre-deployment: Build → Test → Security Scan → Performance Check
- Deployment: Docker build → Environment setup → Service start → Health check
- Post-deployment: Monitoring setup → Backup configuration → Performance validation
- 56.37% test coverage with c8 integration
- 485 ESLint violations (down from 506, ongoing optimization)
- Multi-site support with centralized configuration
- Enhanced caching with TTL and LRU eviction
- Structured logging with context and sanitization
- Security hardening with rate limiting and CORS
- Performance monitoring with metrics and health checks
- Daily: Health checks, log review, performance metrics
- Weekly: Security updates, cache optimization, backup verification
- Monthly: Full security audit, performance benchmarking, dependency updates
- Quarterly: Architecture review, capacity planning, disaster recovery testing
🚀 Production Ready: MCP WordPress Server is now fully prepared for enterprise production deployments with comprehensive monitoring, security, and performance optimization.