Least privilege connection
The agent signs in as a real, scoped WordPress user through OAuth or an Application Password, never an admin-equivalent key.
Home / Features
What it does, and what it refuses to do
The abilities are only half the plugin. The other half is the layer that decides whether a call is allowed to run: capability checks, an audit log, rate limits, and hard limits that hold no matter what the agent asks.
Each one is a rule the plugin holds for you, not a setting you have to remember to turn on. Green means reads, amber means guarded writes, blue means the machinery that gates everything.
The agent signs in as a real, scoped WordPress user through OAuth or an Application Password, never an admin-equivalent key.
Nothing is exposed on install. You switch on one ability at a time, and an update never widens access on its own.
A connection only sees the tools its user can run, and every call re-checks that capability before it runs.
Every call is written to a log in your own database, denied attempts included, with the argument keys but never the values.
Writes stay conservative. Deletes go to Trash where WordPress supports it, and the last administrator can never be removed.
Read content across WordPress core, plus a single site-wide search that spans every post type.
Add a per-minute rate limit, an IP allowlist, force-to-draft mode, or a title-length cap. All off until you set them.
The plugin calls no AI provider and makes no outbound requests of its own. Your client connects in. Zero telemetry.
Runs on the WordPress 6.9 Abilities API and the official MCP Adapter. No custom transport of ours in the path.
These hold whether an agent calls one ability or a hundred. None of them depend on the agent behaving well.
The agent connects as a real, scoped WordPress user through OAuth or an Application Password, never an admin-equivalent key.
Nothing is exposed until you enable it, and updates never silently widen access.
A connection only sees the tools its user can call, and every call re-checks that capability before it runs.
Every call is recorded, denied attempts included, with the principal and the argument keys, never the values. It lives in your own database.
No arbitrary option or meta access, no remote URL fetch, no code execution. Deletes go to Trash where supported; the last administrator can never be removed.
The plugin contacts no AI provider and no external service. Your AI client connects in; the plugin never reaches out. Zero telemetry.
Discovery and execution are checked separately. Seeing a tool and being allowed to run it are two different permissions.
The tool list a connection receives is filtered to the connected user's capabilities. An agent cannot list, or even learn about, a tool it has no right to run.
Filtered at connect time
Before an ability executes, the plugin checks that user's capability again. A tool that slipped through, or a permission that changed, is caught here, not trusted from the first check.
Re-checked on every call
Why two layers: a single check at discovery is easy to work around. Re-checking at execution means the agent never gets more reach than the WordPress user you bound it to, even if it asks for it directly.
Every call is recorded, denied attempts included, with the principal and the argument keys, never the values. It lives in a table on your site, so nothing about it leaves.
principal=editor tool=create-post keys=[title, status] result=ok The connection signs in as a real WordPress account you pick, through OAuth or an Application Password. Its reach is exactly that user's reach, no more.
Point the agent at a dedicated low-privilege user and it can only do what that user can do. Every call that follows is re-checked against that same account and written to the log.
The whole governance layer as one catalog, grouped by what it protects. Each row carries the same least-privilege badge you see in the console.
| Access | |
|---|---|
| Scoped user identity Read only | The agent authenticates as a real WordPress user you pick through OAuth or an Application Password, never an admin-equivalent key. |
| Filtered discovery Read only | A connection only lists the tools its user is allowed to run. An agent cannot see a tool it has no right to call. |
| Per-call capability check Guarded write | Before an ability runs, the plugin re-checks that user’s capability. Discovery and execution are gated separately. |
| Writes | |
| Guarded writes Guarded write | Writes stay conservative and every one is capability-checked. There is no arbitrary option or meta write. |
| Deletes go to Trash Guarded write | Where WordPress supports it, deletions move items to Trash rather than removing them for good. |
| Last administrator protected Denied | The last remaining administrator account can never be removed, whatever the agent asks. |
| No code or remote fetch Denied | The plugin runs no arbitrary code and fetches no remote URLs on the agent’s behalf. |
| Data | |
| No data leaves your site Read only | The plugin contacts no AI provider and makes no outbound calls of its own. Zero telemetry. |
| Personal-data integrations gated Guarded write | WooCommerce and ACF can reach real personal data, so they sit behind a clear admin notice before you enable them. |
| Rate limit and IP allowlist Off until enabled | Add a per-minute rate limit or an IP allowlist. Both stay off until you set them. |
| Force-to-draft and title cap Off until enabled | Force new content to draft, or cap title length. Optional guards, off until you turn them on. |
| Audit | |
| Every call logged Read only | Each call is recorded in a table in your own database, with the principal and the argument keys. |
| Denials logged too Denied | Refused attempts are written to the same log, so you can see what an agent tried to do and was stopped from doing. |
| Values never stored Read only | The log keeps argument keys, never the values, so it stays useful without hoarding sensitive content. |
On top of capability gating, you can add extra limits. They are opt-in, so nothing here narrows access without you asking for it.
153 abilities ship in the plugin, and every one of them starts off. Guardrails like these tighten the ones you do enable.
Some limits are not settings you could relax. They are missing from the plugin on purpose, so no agent and no configuration can reach past them.
There is no custom transport of ours in the path. The plugin rides on WordPress standards, and your AI client connects in.
Runs on the WordPress 6.9 Abilities API and the official MCP Adapter (no custom transport).
Free on WordPress.org, no paid tier, no API key to buy, no usage limits.
Requires WordPress 6.9+ and PHP 8.0+
Install it, keep everything off, and switch on one ability at a time as you build trust. The guardrails hold on every call, not just the first.
Least privilege by default. Every call capability-checked and logged.