Skip to content

Security

Your site. Your server. Your control

BuildPress runs on your WordPress install. Your AI client connects directly to your server: no BuildPress relay, no cloud processing, no third-party middleman. The only thing leaving your site is the response your AI explicitly asked for.

Architecture

Self-hosted
by design.

BuildPress is a WordPress plugin that boots an MCP server inside your site. When your AI creates a page or reads your design tokens, it's connecting straight to your WordPress install.

No BuildPress-operated cloud, no proxy, no analytics pipeline.

Connects the same way the official WordPress mobile app does.

Direct connection, encrypted via HTTPS.

Your AI Client
Claude / Cursor
Your Server
BuildPress MCP
No cloud in between. Direct connection, encrypted via HTTPS.

Authentication

WordPress App Passwords. Nothing custom

BuildPress authenticates with WordPress Application Passwords, the same system that powers the WordPress mobile and desktop apps and thousands of integrations. No proprietary token format, no separate user store, no surface area we'd have to ask you to trust.

No proprietary auth

Standard WordPress security, maintained by the core team. Nothing custom to audit.

Instantly revocable

Revoke any App Password from wp-admin. Access stops immediately.

Per-user access

Each team member gets their own App Password. Track who did what in the audit log.

Plugin compatible

Works with Wordfence, Sucuri, iThemes Security, and any WordPress security plugin.


Access Control

Three independent kill switches

Layered controls you flip from wp-admin. Each one works on its own: disabling any single layer blocks all MCP access.

Master Switch

One toggle that turns the entire MCP server off. When it's off, the server returns nothing: no tools, no data, no responses, no auth. Flip it off when you're not actively building, on when you are.

Domain Locking

On activation, BuildPress locks itself to your site's domain. If the domain changes (site migration, DNS hijack, accidental staging clone), MCP access blocks automatically until you re-authorize it from wp-admin.

Idle Timeout

If you step away, BuildPress switches MCP access off for you. Pick a window of 1 to 10 hours; after that much inactivity, access turns off until you re-enable it from wp-admin (optional, off by default).


Transparency

Every AI action, logged.

BuildPress keeps a complete audit trail of every MCP tool call: timestamp, tool name, user, IP address, parameters, result.

Stored in your WordPress database, viewable from wp-admin, with retention you control.

Append-only from the AI's perspective: no MCP tool exists to modify or delete it.

If something happened, it's recorded on your own site, inside your wp-admin. Nowhere else.

Audit LogAppend-only
elementor_create_pagesuccess
elementor_add_elementsuccess
elementor_update_elementsuccess
wp_check_frontend_rendersuccess
wp_upload_mediasuccess
elementor_save_as_templatesuccess
buildpress_remembersuccess
AI can't modify or delete the audit log. If something happened, it's recorded.

Permissions

What AI can and cannot do

Every MCP tool is scoped to content and design. Anything that could compromise the install simply has no tool.

AI Can
  • Create, read, update, delete WordPress content
  • Manage Elementor pages, colors, typography
  • Create JetEngine data structures
  • Manage ACF field groups and values
  • Upload media from URLs
  • Write to project memory
  • Read site configuration
AI Cannot
  • Access wp-config.php or credentials
  • Install, activate, or delete plugins
  • Create or modify user accounts
  • Execute arbitrary PHP code
  • Access the filesystem directly
  • Modify the audit log
  • Write to security-sensitive memory

Data Handling

Where everything lives

Nothing about BuildPress is hosted by us, except a version-check endpoint that learns nothing but your installed version.

DataWhere It LivesSent Externally?
Site contentYour WordPress databaseNo
App PasswordsYour database (hashed)No
Audit logYour WordPress databaseNo
Project memoryYour WordPress databaseNo
Design tokensYour database (Elementor kit)No
MCP requestsIn-transit (HTTPS encrypted)To your AI client only
Plugin updatesVersion check to R2 CDNVersion number only

FAQ

Security questions

Let's build your next
WordPress project with AI.

Get BuildPress, activate it, and plug in the AI you already pay for. Build your first page through conversation, and when it's live, the feedback loop is already there for you, your team, or your clients.