Home / Security

Trust posture

The safe answer is to stay in control.

We never ask you to trust that the agent behaves well. The plugin keeps your site in control regardless: it connects nothing outward, checks every call against a scoped user, and logs the result. Here is the security model, and a refusal you can watch happen.

Nothing leaves your site.

The plugin contacts no AI provider and no external service. Your AI client connects in; the plugin never reaches out. Zero telemetry.

Zero outbound calls

The plugin contacts no AI provider and no external service of its own. Your AI client connects in; the plugin never reaches out.

No telemetry

Nothing about your site, your content, or your usage is collected or sent anywhere. There is no analytics beacon to disable.

Standards in the path

Built on the WordPress 6.9 Abilities API and the official MCP Adapter (no custom transport), so there is no custom transport of ours to trust between your client and your site.

The direction matters: your client opens the connection to WordPress, not the other way around. The plugin is a governed door, not a phone line to a third party.

Watch it refuse.

The strongest security claim is one you can see. The agent asks for the one thing the plugin will not do, and the refusal is written to the log like every other call.

agent-abilities ยท audit Governed
Agent asks Delete the site administrator account.
Capability Denied delete_users on the last admin: denied
Audit log principal=editor tool=delete-user keys=[user_id] result=denied
Result Refused. The last administrator can never be removed.

An illustrative exchange. The request asks to delete the last administrator. The site refuses, and the refusal is logged, not just the successes.

Checked on every call, logged on every call.

Two mechanisms carry most of the weight: a capability check that runs before an ability executes, and a record that lands after it, denials included.

Two-layer capability gating

A connection only sees the tools its user can call, and every call re-checks that capability before it runs.

Discovery and execution are gated separately, so an agent never gets more reach than the user you bound it to, even if it asks directly.

Honest audit log

Every call is recorded, denied attempts included, with the principal and the argument keys, never the values. It lives in your own database.

Because it keeps the keys and not the values, the log stays useful for review without becoming a second copy of your sensitive content.

The Activity Log in wp-admin, with columns for time, principal, ability, status showing success, denied, and error, and the argument keys for each call
The Activity Log records every call, denials and errors included, with the argument keys but never the values, all in your own WordPress database. A real screenshot of the plugin admin.

Extra limits, when you want them.

On top of the model above, you can add opt-in guardrails. All of them are off until you set them, so they only ever tighten access, never widen it.

  • Per-minute rate limit Off by default
  • IP allowlist Off by default
  • Force-to-draft mode Off by default
  • Title-length cap Off by default

Found something? Tell us privately.

Responsible disclosure keeps everyone safer. If you believe you have found a security issue, report it privately first so it can be fixed before it is public.

Report a vulnerability

Open a private security advisory on GitHub, or use the dedicated report page. Please do not open a public issue for a suspected vulnerability. Requires WordPress 6.9+ and PHP 8.0+.

Security you can watch, not just read about.

Install it, keep everything off, and turn on one ability at a time. Every call is scoped, every result is logged, and nothing leaves your site.

Free on WordPress.org. Public source. Nothing phoning home.