Site Manager – Using AI Apps ChatGPT Claude Codex

Description

VideoWhisper Site Manager lets you manage WordPress posts and pages through external AI assistants such as ChatGPT (Custom GPT + Actions), Claude (MCP: web, desktop, mobile, CLI), and Codex (MCP). It exposes authenticated WordPress endpoints and setup guidance while you keep using your own AI account and subscription.

It provides:

• A secure REST layer for content operations (list, read, create, update, revert, reset)
• An MCP (Model Context Protocol) endpoint for Claude.ai, Claude Desktop, Claude CLI, Claude mobile apps, and Codex MCP clients
• A generated OpenAPI schema URL for GPT Actions import
• Guided onboarding with copy/paste values for ChatGPT Builder, Claude connector setup, and Codex MCP setup
• Turnkey OAuth onboarding for shared GPT / shared MCP workflows through a compatible Relay & OAuth Server
• WordPress Application Password onboarding for direct site-owned integrations
• Frontend user connection shortcode support for connected account workflows
• Safety controls: HTTPS enforcement, draft-first behavior, publish gating, read/write rate limiting, write quotas, IP allowlists, audit logs
• Extension points through WordPress hooks for custom authentication, tools, settings, content types, and admin UI additions

The plugin does not call OpenAI, Anthropic, or any AI provider directly. Your WordPress site exposes authenticated endpoints and setup guidance. You connect it to ChatGPT, Claude, or Codex yourself with your own account and subscription.

Ideal for

• Site owners who want to draft, edit, or review WordPress content by chat
• Teams using a dedicated WordPress user (recommended: Editor) for AI-assisted publishing workflows
• Mobile workflows: configure on desktop, use the GPT or Claude connector on phone/tablet
• Developer workflows where Codex can use MCP tools to inspect and update WordPress content

Supported Authentication

The onboarding flow recommends using one authentication option for clarity, but development and migration setups can enable more than one.

• Turnkey OAuth – recommended for most sites. Users connect through a compatible Relay & OAuth Server and can operate one or more connected sites from the same shared GPT or MCP connector.
• Application Passwords – direct WordPress authentication over HTTPS using WordPress core Application Passwords. Best for admin-owned custom GPT/MCP setups where credentials are managed by the site operator.
• Extension-provided authentication – developers can add custom OAuth, token validation, alternate connector metadata, or other authentication flows with the hooks listed below.

Connecting ChatGPT

1. Install and activate VideoWhisper Site Manager.
2. Open VideoWhisper Site Manager > Onboarding.
3. Create (or link) a dedicated WordPress user (recommended role: Editor).
4. Choose Turnkey OAuth for a shared GPT workflow, or create an Application Password from the onboarding page for a direct site-owned GPT.
5. In ChatGPT Builder (desktop), create a Custom GPT and import the plugin OpenAPI schema URL.
6. Use the provided copy/paste values for Configure, Actions, authentication, and privacy policy fields.
7. Test on desktop, then use the same GPT on mobile.

Connecting Claude (MCP)

The free plugin includes an MCP endpoint at /wp-json/videowhisper-site-manager/v1/mcp.

Claude.ai (web):

1. Go to claude.ai/customize/connectors.
2. Click the + button in the Connectors sidebar → Add custom connector.
3. Set a name and paste the MCP endpoint URL.
4. Authorize via Turnkey OAuth when connected to a compatible Relay & OAuth Server, or use an Application Password for direct setup.
5. The connector also works in the Claude mobile apps (iOS and Android) and desktop once authorized.

Claude CLI:

claude mcp add –transport http “YourSiteName” “https://yoursite.com/wp-json/videowhisper-site-manager/v1/mcp”

Automatic OAuth authorization requires a compatible Relay & OAuth Server. Without that connection, use WordPress Application Passwords over HTTPS.

Connecting Codex (MCP)

The onboarding flow includes Codex setup values for both direct and Turnkey MCP architectures. Codex can connect to the same Streamable HTTP MCP endpoint at /wp-json/videowhisper-site-manager/v1/mcp.

1. Open VideoWhisper Site Manager > Onboarding and enable Codex in the AI Tools selection step.
2. Choose Turnkey OAuth for shared relay access, or Application Passwords for direct site-owned MCP access.
3. Copy the generated Codex config.toml block or OAuth login command from the Codex onboarding tab.
4. Restart or reload Codex MCP settings, then use /mcp in Codex to confirm the WordPress MCP server is active.

Features

• MCP endpoint for Claude.ai, Claude Desktop, Claude CLI, Claude mobile apps, and Codex — implements MCP Streamable HTTP transport (protocol 2025-03-26)
• ChatGPT / GPT Actions integration via generated OpenAPI schema URL (/wp-json/videowhisper-site-manager/v1/openapi)
• GPT Actions onboarding aligned with current auth UI, including Application Password and Turnkey OAuth setup paths
• One-click Application Password creation for the dedicated operator user (plaintext shown once, not stored long-term)
• Guided onboarding with copyable values for:
  • GPT Name, Description, Instructions, Conversation Starters
  • MCP endpoint URL, Claude connector setup instructions (Claude.ai, Desktop, CLI), and Codex MCP configuration snippets
  • Action authentication values, Schema URL, Privacy Policy URL
  • curl examples and credential samples
• Authentication options:
  • Turnkey OAuth for shared GPT / shared MCP workflows through a compatible Relay & OAuth Server
  • Application Passwords for direct site-owned admin integrations
  • hook-based extension points for additional authentication methods
• REST endpoints for listing, reading, creating, and updating WordPress posts/pages
• Context endpoint for site and content context used by MCP tools
• Content revert/reset helpers backed by revision snapshots
• dry_run support for safer create/update previews before writing
• Draft-first workflow and optional publish permission (Allow publish)
• HTTPS enforcement for plugin endpoints by default (with dev-only HTTP override setting)
• Per-user rate limiting with separate defaults for read traffic (10/minute), write actions (5/minute), and hourly write quotas (30/hour)
• FansPaysite support for frontend shortcode styling, dark/light mode, and Pro menu icon fields when the FansPaysite theme is active
• IP allowlists for Application Password and Turnkey OAuth traffic
• External OAuth URL hardening (HTTPS-only with external-host validation)
• Configurable short cache TTL for external bearer-token validation (default: 10s)
• Categories and tags support
• Generic SEO metadata fields (plugin-owned keys)
• Audit logging endpoint for administrators
• Settings endpoint for administrators
• Public protected resource metadata for OAuth-aware clients
• Provider Terms of Use and Privacy Policy links when supplied by connected services
• User connection shortcode ([vwsm_user_connect]) for account-based connection flows
• Admin notices and onboarding reminders for incomplete setup
• Recommended GPT/Claude/Codex capabilities guidance

Extension Hooks

Developers can extend this plugin without editing core files. Common hooks include:

1. Settings and admin UI: vwsm_settings_defaults, vwsm_settings_normalized, vwsm_admin_settings_save, vwsm_rest_settings_payload, vwsm_settings_tab_label, vwsm_settings_form_publishing_rows, vwsm_settings_form_security_rows, vwsm_settings_form_rate_limits_rows, vwsm_settings_form_logs_revisions_rows, vwsm_settings_form_turnkey_oauth_rows, vwsm_settings_form_authentication_rows, vwsm_settings_form_application_passwords_rows, vwsm_settings_form_content_rows, vwsm_settings_form_admin_rows, vwsm_settings_form_attachments_rows, vwsm_settings_form_fomantic_rows, vwsm_settings_form_after_core_rows, vwsm_auth_methods_section.
2. Authentication and OAuth metadata: vwsm_oauth_server_url, vwsm_authorization_server_url, vwsm_rest_401_headers, vwsm_external_oauth_onboarding_urls, vwsm_onboarding_oauth_tab_content, vwsm_handle_external_register_gpt.
3. OpenAPI, MCP, and tools: vwsm_mcp_server_name, vwsm_mcp_extra_tools, vwsm_mcp_dispatch_tool, vwsm_mcp_site_context, vwsm_openapi_components, vwsm_openapi_document, vwsm_write_rate_limit_mcp_tools.
4. Content and sanitization: vwsm_allowed_content_types, vwsm_revision_limit, vwsm_revision_gradient, vwsm_supported_extra_allowed_html_tags, vwsm_allow_extra_allowed_html_tags.
5. User connection workflows: vwsm_user_connect_handle_post, vwsm_user_connect_after_sections, vwsm_user_connect_tools_data, vwsm_user_connect_gpt_url.
6. Operator and environment behavior: vwsm_default_operator_username, vwsm_use_current_user_mode.

Disclaimer

This plugin provides infrastructure for operating a WordPress site with external AI chatbots and agents. The site owner is solely responsible for the actions enabled through this functionality, including content created or changed by AI tools, credentials and access tokens, backups, privacy compliance, and any publishing or policy consequences.

AI-generated content can be inaccurate, defamatory, plagiarized, non-compliant, or otherwise unsuitable for publication. Review AI output and tool activity before publishing. Keep publishing disabled unless you fully understand and accept the risk.

Use HTTPS, protect Application Passwords and OAuth credentials, restrict access where possible, monitor logs, and maintain independent backups. Use at your own risk.

Privacy

This plugin stores the following data on your WordPress site:

• Plugin settings in WordPress options (for example: publish, rate limit, HTTPS, IP allowlist, authentication, and provider URL settings)
• Audit log entries in a custom database table (*_vwsm_audit_logs)
• Optional dedicated operator user ID reference in WordPress options (when using onboarding helper)
• Short-lived transient for one-time Application Password display after creation (plaintext is not stored long-term)
• Short-lived transient cache for external bearer-token validation, when Turnkey OAuth is used
• Optional connected service account tokens, site keys, server URLs, and provider policy links used for remote account and Turnkey OAuth workflows

Audit logs may include:

• Authenticated WordPress user ID
• Request route and method
• Sanitized request/response summaries
• Timestamp and IP address

This plugin does not send data to third-party AI services by itself.
This plugin does not include telemetry/analytics tracking by default.

Site owners are responsible for:

• Securing the site with HTTPS
• Managing WordPress users and Application Passwords
• Configuring GPT sharing safely (recommended: Only Me)
• Reviewing the privacy implications of any external AI service connected to the site’s API