Free on WordPress.org, built on the Abilities API

Let AI agents work in WordPress, on a leash you hold.

It turns WordPress into a governed MCP server: the agent connects as a real, scoped user, not an admin key. Nothing is exposed until you switch it on, and every call is checked and written to a log in your own database.

Install it with everything off. Turn on your first ability when you are ready, not before.

  • Free on WordPress.org
  • Zero outbound calls
  • No telemetry
  • Off by default
  • Every call audited
153+
governed abilities, every one off until you enable it
83
across WordPress core: reads, plus writes that stay guarded
70
from optional integrations, and only while their plugin is active

83 core plus 70 integrations, and the catalog keeps growing. Every count on this site is read from one file, so it never drifts from the plugin.

Control first. Capability second.

Other MCP plugins count their tools. This one governs them. These six guarantees hold on every connection and every call, not just the first one.

Least privilege by design

The agent connects as a real, scoped WordPress user through OAuth or an Application Password, never an admin-equivalent key.

Off by default

Nothing is exposed until you enable it, and updates never silently widen access.

Two-layer capability gating

A connection only sees the tools its user can call, and every call re-checks that capability before it runs.

Honest audit log

Every call is recorded, denied attempts included, with the principal and the argument keys, never the values. It lives in your own database.

Bounded by construction

No arbitrary option or meta access, no remote URL fetch, no code execution. Deletes go to Trash where supported; the last administrator can never be removed.

No data leaves your site

The plugin contacts no AI provider and no external service. Your AI client connects in; the plugin never reaches out. Zero telemetry.

See a governed call, and a refusal.

The tool call carries values. The audit log keeps only the argument keys, never the values, and it records the denials too.

agent-abilities · audit Governed
Agent asks Draft a launch note for the new plugin and keep it as a draft.
Tool call create-post { title: "Meet Agent Abilities", status: "draft" }
Running create-post
Capability Allowed edit_posts re-checked for user "editor": allowed
Audit log principal=editor tool=create-post keys=[title, status] result=ok
Result Draft #412 created. Nothing goes live without you.
Agent asks Delete the site administrator account.
Capability Denied delete_users on the last admin: denied
Audit log principal=editor tool=delete-user keys=[user_id] result=denied
Result Refused. The last administrator can never be removed.

An illustrative exchange. The second request asks to delete the last administrator. The site refuses, and the refusal is logged like everything else.

It all runs from one screen in your admin.

No external dashboard, no account with us. The plugin lives in wp-admin: your endpoint, the abilities you enabled, the agent users, and the audit log, all in your own database.

The Agent Abilities for MCP dashboard in WordPress admin, showing enabled abilities, recent agents, audit log entries, agent users, the MCP endpoint, and versions
The plugin dashboard in wp-admin. A real screenshot of the plugin.

Every control, in plain language.

The abilities are only half the plugin. This is the layer that decides whether a call is allowed to run, grouped by what it protects.

Access
Scoped user identity Read only The agent authenticates as a real WordPress user you pick through OAuth or an Application Password, never an admin-equivalent key.
Filtered discovery Read only A connection only lists the tools its user is allowed to run. An agent cannot see a tool it has no right to call.
Per-call capability check Guarded write Before an ability runs, the plugin re-checks that user’s capability. Discovery and execution are gated separately.
Writes
Guarded writes Guarded write Writes stay conservative and every one is capability-checked. There is no arbitrary option or meta write.
Deletes go to Trash Guarded write Where WordPress supports it, deletions move items to Trash rather than removing them for good.
Last administrator protected Denied The last remaining administrator account can never be removed, whatever the agent asks.
No code or remote fetch Denied The plugin runs no arbitrary code and fetches no remote URLs on the agent’s behalf.
Data
No data leaves your site Read only The plugin contacts no AI provider and makes no outbound calls of its own. Zero telemetry.
Personal-data integrations gated Guarded write WooCommerce and ACF can reach real personal data, so they sit behind a clear admin notice before you enable them.
Rate limit and IP allowlist Off until enabled Add a per-minute rate limit or an IP allowlist. Both stay off until you set them.
Force-to-draft and title cap Off until enabled Force new content to draft, or cap title length. Optional guards, off until you turn them on.
Audit
Every call logged Read only Each call is recorded in a table in your own database, with the principal and the argument keys.
Denials logged too Denied Refused attempts are written to the same log, so you can see what an agent tried to do and was stopped from doing.
Values never stored Read only The log keeps argument keys, never the values, so it stays useful without hoarding sensitive content.

What happens on every call.

Discovery and execution are gated separately, so an agent never gets more reach than the user you bound it to. Here is the path one call takes.

  1. Connect as a scoped user

    The agent authenticates through OAuth or an Application Password as a real, least-privilege WordPress account you pick. Never an admin key.

  2. See only what that user can call

    The tool list is filtered to the connected user’s capabilities. An agent cannot list a tool it has no right to run.

  3. Re-check on every call

    Before an ability runs, the plugin checks that user’s capability again. Discovery and execution are gated separately.

  4. Record it, denials included

    Every call lands in an audit log in your own database, with the principal and the argument keys, never the values.

  5. Stay bounded by construction

    No arbitrary option access, no remote fetch, no code execution. Deletes go to Trash where supported.

153 governed abilities, and growing.

Curated WordPress actions, exposed to the agent as MCP tools. Each one is off until you switch it on, so the catalog is a menu, not a default.

83 across WordPress core

Reads, plus guarded writes. Deletes go to Trash where WordPress supports it.

  • Posts & Pages Guarded write

    Create, read, update, and revise posts and pages. New writes can be forced to draft.

  • Terms & Taxonomies Guarded write

    Read and manage categories, tags, and custom taxonomy terms.

  • Comments Guarded write

    Read, moderate, and reply to comments under the connected user’s capability.

  • Media Guarded write

    Browse the media library and manage attachments the user can access.

  • Post Meta Guarded write

    Read and write post meta, limited to an allowlist of keys. No arbitrary meta access.

  • Users Guarded write

    Read and manage users only as far as the connected user’s capabilities allow.

  • Site structure & menus Guarded write

    Read and adjust navigation menus and the site’s structure.

  • Revision history Read only

    Read the revision history of posts and pages. Read only.

  • Blocks & Templates Guarded write

    Read and manage reusable blocks and block templates.

  • Settings & site health Guarded write

    Read a bounded set of settings and site-health signals. No open settings access.

  • Site-wide search Read only

    Run a single search across every post type. Read only.

70 from optional integrations

Each set appears only while its host plugin is active, and stays off until you enable it.

  • WooCommerce 52

    products, orders, customers (touches real personal data, gated behind a clear notice)

  • Advanced Custom Fields 7

    read and write ACF field data

  • Rank Math SEO 5

    read and manage Rank Math data

  • Yoast SEO 3

    read and manage Yoast data

  • All in One SEO 3

    read and manage AIOSEO data

WooCommerce and ACF can reach real personal data, so they sit behind a clear admin notice before you turn them on.

The Abilities tab in the plugin admin, showing the total and enabled counts, category badges for each group, and the exposed content types with their read and write settings
The Abilities tab. Filter by category, and switch on one ability at a time. A real screenshot of the plugin.

Browse the full catalog

Where it works today.

6 clients connect right now, some directly and some through an open-source bridge that runs on your own machine.

Working today

Connect and start calling the abilities you enabled.

  • Claude Desktop Desktop app
  • Claude Code CLI and IDE
  • Cursor Code editor
  • VS Code Code editor
  • Windsurf Code editor
  • Gemini CLI Command line

Not yet

These want a streamable HTTP connector the adapter does not serve natively yet.

  • Hosted ChatGPT app planned
  • Gemini app planned

The bridge: Clients that cannot open a remote MCP connection use the open-source mcp-remote bridge, which runs on your own machine.

Two ways to connect. Both least privilege.

The agent acts as a real WordPress user you pick, never an admin-equivalent key. Choose the one that fits how you work.

OAuth

Approve once in the browser

Approve the agent once in the browser. No secret to store; the agent acts as your own account.

Application Password

Bind a low-privilege user

Point a dedicated low-privilege user at the endpoint. A guided screen builds the client config and checks the endpoint for you.

Illustrative endpoint (your real one shows on the Connection tab) https://your-site.com/wp-json/…/mcp
Optional guardrails, all off until you set them: Per-minute rate limit offIP allowlist offForce-to-draft mode offTitle-length cap off

Requires WordPress 6.9+ and PHP 8.0+. Free on WordPress.org, no paid tier, no API key to buy, no usage limits.

Questions, answered.

The short version. The full FAQ lives in the docs.

Is it safe to connect an AI agent to my WordPress site?

Yes, when the connection is scoped, which is what this plugin is built around. The agent connects as a real, least-privilege user you choose, every ability is off until you enable it, and every call is logged, denials included.

Does the agent get admin access?

No. The agent authenticates as whatever WordPress user you bind it to. Point it at the dedicated low-privilege user the plugin creates, and it can only do what that user can do. Each ability re-checks the capability before it runs.

Does it send my content to OpenAI, Anthropic, or Google?

No. The plugin connects to no AI provider and makes no outbound requests of its own. Your own AI client connects in and calls the abilities you enabled.

What is the difference between this and the WordPress REST API?

The REST API exposes raw endpoints. MCP describes your site’s abilities as discoverable tools an agent can reason about and call, and this plugin wraps each one in a governance layer: off by default, capability-gated on every call, and logged.

What happens if the agent tries to delete or break something?

It can only do what the user you bound it to can do, and the capability is re-checked before every call. Deletes go to Trash where WordPress supports it, so they can be restored, and the last administrator can never be removed no matter what the agent asks. Anything it is not allowed to do is refused, and the refusal is written to the audit log too.

How is this different from other MCP plugins for WordPress?

The difference is governance, not tool count. Every ability is off by default, the agent connects as a real least-privilege user rather than an admin key, each call re-checks the capability before it runs, and every call is written to an audit log in your own database, denials included. It is genuinely free on WordPress.org, with no paid tier waiting behind it.

Put AI to work in WordPress, on your terms.

Install it, keep everything off, and switch on one ability at a time as you build trust. You hold the leash the whole way.

Free on WordPress.org, with no paid tier waiting behind it.