Manage WordPress users, roles, and application passwords. List users, create accounts, update roles, and manage API authentication credentials.

Total Abilities: 9 | Read: 2 | Write: 2 | Delete: 5

Overview

The Users module manages WordPress user accounts — listing users, creating new accounts, updating roles and metadata, and managing application passwords for API authentication. It also handles the destructive operations: deleting users and revoking their access credentials.

This module has a notably high delete count (5 out of 9 abilities) because application password management requires individual and bulk revocation capabilities.

Ability Reference

| Ability | Type | Description |
| --- | --- | --- |
| users/list | R | List users with filtering by role, search, and pagination. |
| users/get | R | Get detailed information about a specific user by ID. |
| users/create | W | Create a new WordPress user with username, email, role, and password. |
| users/update | W | Update user fields: display name, email, role, password, meta. |
| users/delete | D | Delete a user account. Requires a reassign user ID for their content. |
| users/list-app-passwords | R | List all application passwords for a user. Shows name, created date, last used. |
| users/create-app-password | W | Generate a new application password for API authentication. |
| users/delete-app-password | D | Revoke a specific application password by UUID. |
| users/delete-all-app-passwords | D | Revoke all application passwords for a user. Nuclear option for compromised accounts. |

Known Gotchas

users/delete requires reassign. When deleting a user, you must specify another user ID to reassign their content to. Without this, all their posts, pages, and media become orphaned. There is no undo.

Application passwords are the MCP bridge’s auth method. The bridge authenticates to WordPress using application passwords. Deleting all app passwords for the bridge user will lock out the AI agent. Always verify which user the bridge connects as before revoking.
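
An added example (not the bridge's own code): a pre-flight check that an operator or agent wrapper could run before any of the three delete abilities, covering both gotchas above. The argument names user_id, reassign and uuid are assumptions, since this page does not give the ability schemas, and the bridge user's ID and credential UUID are supplied by the caller.

```python
# Added example: pre-flight guard for destructive Users-module calls.
# Assumed argument names: "user_id", "reassign", "uuid" (the page does not
# give the ability schemas). IDs and UUIDs below are constructed samples.
DESTRUCTIVE = {
    "users/delete",
    "users/delete-app-password",
    "users/delete-all-app-passwords",
}


def preflight(ability, args, bridge_user_id, bridge_pw_uuid, known_user_ids):
    """Return reasons to block the call; an empty list means it may proceed."""
    if ability not in DESTRUCTIVE:
        return []
    problems = []
    target = args.get("user_id")
    if target not in known_user_ids:
        problems.append(f"target user {target!r} not found")
    if ability == "users/delete":
        reassign = args.get("reassign")
        if reassign is None:
            problems.append("reassign missing: content would be orphaned")
        elif reassign == target:
            problems.append("reassign is the user being deleted")
        elif reassign not in known_user_ids:
            problems.append(f"reassign user {reassign!r} not found")
        if target == bridge_user_id:
            problems.append("target is the bridge user: agent would be locked out")
    elif ability == "users/delete-all-app-passwords":
        if target == bridge_user_id:
            problems.append("target is the bridge user: agent would be locked out")
    elif target == bridge_user_id and args.get("uuid") == bridge_pw_uuid:
        # users/delete-app-password aimed at the credential the bridge uses
        problems.append("uuid is the bridge's own application password")
    return problems


if __name__ == "__main__":
    users = {1, 7, 12}  # constructed: 1 = admin, 7 = bridge user, 12 = editor
    bridge_uuid = "00000000-0000-4000-8000-000000000007"  # constructed
    calls = [
        ("users/delete", {"user_id": 12}),
        ("users/delete", {"user_id": 12, "reassign": 1}),
        ("users/delete-all-app-passwords", {"user_id": 7}),
        ("users/delete-app-password", {"user_id": 7, "uuid": bridge_uuid}),
    ]
    for ability, args in calls:
        print(ability, args, "->", preflight(ability, args, 7, bridge_uuid, users) or "ok")
```

The bridge user's ID and the UUID of the credential in use can be read from WordPress core's REST routes /wp/v2/users/me and /wp/v2/users/me/application-passwords/introspect when they are called with the bridge's own application password.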
