Writer: Jordan Sprogis
Editor: Lillian Castro
Reviewer: Cristian Lopez
Key Takeaways
- Model Context Protocol (MCP), introduced by Anthropic last year, is the new layer for agentic AI. If hosts don’t support agent-ready endpoints, their clients’ sites will be skipped entirely.
- Security concerns like prompt injection and tool shadowing already show the oncoming security issues, so it’s up to hosts to add guardrails.
Several hosts and builders have recently released their versions of Model Context Protocol (MCP) to integrate agentic AI into their core infrastructure. It’s a new open protocol that lets AI agents interact with a site’s tools, memory, and services using natural language.
One could view MCPs as APIs 2.0, but instead of static endpoints (one API talking to another), users can ask questions or make requests in natural language and agents respond using contextual awareness. As a new layer many are implementing into their infras, hosts will be expected to support it, too.
MCP was introduced by Anthropic in late 2024 and published publicly on GitHub. This means anyone can implement it (as long as the core structure is followed).
So when Wix “launches an MCP server” or Salesforce “adds MCP support,” it doesn’t mean they’re reinventing anything. Instead, they’re implementing the existing protocol into their own workloads so that the agents interact with their apps, sites, and tools seamlessly.
“Just like HTML became the standard for human-readable content, MCP endpoints are becoming the standard for model-readable services.” — Guy Ernest, Founder of AI startup aiOla
It’s why MCP’s nickname — the USB-C of AI apps — is no misnomer. Apple, Dell, and Google didn’t invent USBs, but they did build compatible ports and accessories that went with it. Doing so basically opens the communication between all internet agents and their content.
Since its release, big players like AWS, Microsoft, Wix, and Salesforce have been embedding their own MCP servers or compatible endpoints. General adoption is also scaling quickly:
- The AI agent market is expected to grow from $7.84 billion in 2025 to $52.62 billion by 2030
- AI agent usage is up 233% in six months, and over that same period, 8,000 customers have signed up to deploy Agentforce
- There’s an estimated 5,000 to 6,500 MCP servers that are live today
It’s too early for studies on MCP impact or productivity, but we are looking down the barrel at a future where traditional users will be replaced by agents.
History Repeats, But It’s Not About People
Hosts who were around during the rise of APIs and SEO tools will remember how fast the landscape shifted, and it’s happening again.
Marketers, for example, spent years learning how to write for Google’s crawlers, where SEO became a kind of code to crack. Now, they’ve got something else to figure out — but this time, it’s different, because it’s not about the people anymore.
So where SEO tools needed metadata and APIs required secure endpoints, MCP requires always-on agents, tools it can call on demand, and workflows triggered by NLP.
When a user types, “Find me the best flight from New York to Austin,” they’re no longer browsing dozens of sites to compare prices because the agent is the one scanning content, comparing results, and deciding what fits into that “best flight” context.
And for some hosting providers, that means your client’s website is either in the conversation or it’s not. If agents can’t access it through MCP, it might as well not exist.
Luckily, nobody needs to start from scratch. MCP is open-source, so anyone can adapt it into their existing stacks (though it works best in cloud, containerized, or VPS environments).
“I used to think that connecting apps to AI was complicated and risky … But this week, I learned that MCP makes it simple. We can now use trusted logins like Google or GitHub and securely connect AI models to real-world apps without extra hassle.” — Sharda Kaur, Microsoft Learn Student Ambassador
Naturally, there are some flaws — namely, security flaws, particularly around prompt injection and tool manipulation. Here are some of the latest updates on MCP security runs:
- 43% of MCP server implementations tested by Equixly had unsafe shell calls (commands executed from code)
- Invariant Labs found that attack hides malicious instructions inside the MCP tool’s description, which is invisible to the user but visible to the AI
- NeighborJack exploit showed how misconfigured MCP servers can be hijacked via prompt injection
- Stored-prompt injection via SQLite revealed tool misuse vulnerabilities
- Tool shadowing and preference poisoning can allow malicious servers to override agent behavior
There’s a common denominator here: overtrust.
Agents are designed to act like people, but systems treat them like trusted sources. It’s bad (for now) because MCP is a protocol, meaning there is no built-in security layer, so they don’t have the automatic capability to verify sources or flag suspicious behavior — and yes, it will absolutely follow instructions blindly.
This leads to something akin to a supply chain mess.
“One change in the supply chain can affect thousands of companies. And this all happens without detection,” Nick Mistry, SVP and CISO at supply chain security firm Lineaje, told HostingAdvice in a previous interview.
Soon enough, there will be a point when a fury of MCP-security-based tools with monitoring and authentication will be the new differentiator.
And not even just on the user-facing end, but also on the server-side for hosts: Imagine a world with agentic dashboards, where agents can fix, update, and optimize sites automatically. Some serverless MCPs are already live — which is something Wix and Vercel are already doing.
MCP is still new, but as with just about every exploding tool, it won’t be for long. Soon, it will be the standard across the board for just about everyone.
