Home / Features

What it does, and what it refuses to do

Every capability ships with its guardrail.

The abilities are only half the plugin. The other half is the layer that decides whether a call is allowed to run: capability checks, an audit log, rate limits, and hard limits that hold no matter what the agent asks.

The governance layer, in nine parts.

Each one is a rule the plugin holds for you, not a setting you have to remember to turn on. Green means reads, amber means guarded writes, blue means the machinery that gates everything.

Least privilege connection

The agent signs in as a real, scoped WordPress user through OAuth or an Application Password, never an admin-equivalent key.

Off by default

Nothing is exposed on install. You switch on one ability at a time, and an update never widens access on its own.

Two-layer capability gating

A connection only sees the tools its user can run, and every call re-checks that capability before it runs.

Honest audit log

Every call is written to a log in your own database, denied attempts included, with the argument keys but never the values.

Guarded writes

Writes stay conservative. Deletes go to Trash where WordPress supports it, and the last administrator can never be removed.

Reads across core

Read content across WordPress core, plus a single site-wide search that spans every post type.

Optional safety controls

Add a per-minute rate limit, an IP allowlist, force-to-draft mode, or a title-length cap. All off until you set them.

No data leaves your site

The plugin calls no AI provider and makes no outbound requests of its own. Your client connects in. Zero telemetry.

Built on open standards

Runs on the WordPress 6.9 Abilities API and the official MCP Adapter. No custom transport of ours in the path.

Six guarantees on every connection.

These hold whether an agent calls one ability or a hundred. None of them depend on the agent behaving well.

Least privilege by design

The agent connects as a real, scoped WordPress user through OAuth or an Application Password, never an admin-equivalent key.

Off by default

Nothing is exposed until you enable it, and updates never silently widen access.

Two-layer capability gating

A connection only sees the tools its user can call, and every call re-checks that capability before it runs.

Honest audit log

Every call is recorded, denied attempts included, with the principal and the argument keys, never the values. It lives in your own database.

Bounded by construction

No arbitrary option or meta access, no remote URL fetch, no code execution. Deletes go to Trash where supported; the last administrator can never be removed.

No data leaves your site

The plugin contacts no AI provider and no external service. Your AI client connects in; the plugin never reaches out. Zero telemetry.

Two-layer capability gating.

Discovery and execution are checked separately. Seeing a tool and being allowed to run it are two different permissions.

Layer 1, Discovery

See only what the user can call

The tool list a connection receives is filtered to the connected user's capabilities. An agent cannot list, or even learn about, a tool it has no right to run.

Filtered at connect time

Layer 2, Execution

Re-check before the call runs

Before an ability executes, the plugin checks that user's capability again. A tool that slipped through, or a permission that changed, is caught here, not trusted from the first check.

Re-checked on every call

Why two layers: a single check at discovery is easy to work around. Re-checking at execution means the agent never gets more reach than the WordPress user you bound it to, even if it asks for it directly.

An honest audit log, in your own database.

Every call is recorded, denied attempts included, with the principal and the argument keys, never the values. It lives in a table on your site, so nothing about it leaves.

Illustrative log entry principal=editor tool=create-post keys=[title, status] result=ok
  • Who acted. The WordPress user the connection was bound to, so you can trace every call back to a real principal.
  • Keys, not values. The log keeps which arguments were passed, never their contents, so it stays useful without hoarding sensitive content.
  • Denials too. A refused call is written to the same log, so you can see what an agent tried to do and was stopped from doing.

The agent is a scoped user, never an admin key.

The connection signs in as a real WordPress account you pick, through OAuth or an Application Password. Its reach is exactly that user's reach, no more.

Illustrative endpoint (your real one shows on the Connection tab) https://your-site.com/wp-json/…/mcp

Point the agent at a dedicated low-privilege user and it can only do what that user can do. Every call that follows is re-checked against that same account and written to the log.

Every control, in plain language.

The whole governance layer as one catalog, grouped by what it protects. Each row carries the same least-privilege badge you see in the console.

Access
Scoped user identity Read only The agent authenticates as a real WordPress user you pick through OAuth or an Application Password, never an admin-equivalent key.
Filtered discovery Read only A connection only lists the tools its user is allowed to run. An agent cannot see a tool it has no right to call.
Per-call capability check Guarded write Before an ability runs, the plugin re-checks that user’s capability. Discovery and execution are gated separately.
Writes
Guarded writes Guarded write Writes stay conservative and every one is capability-checked. There is no arbitrary option or meta write.
Deletes go to Trash Guarded write Where WordPress supports it, deletions move items to Trash rather than removing them for good.
Last administrator protected Denied The last remaining administrator account can never be removed, whatever the agent asks.
No code or remote fetch Denied The plugin runs no arbitrary code and fetches no remote URLs on the agent’s behalf.
Data
No data leaves your site Read only The plugin contacts no AI provider and makes no outbound calls of its own. Zero telemetry.
Personal-data integrations gated Guarded write WooCommerce and ACF can reach real personal data, so they sit behind a clear admin notice before you enable them.
Rate limit and IP allowlist Off until enabled Add a per-minute rate limit or an IP allowlist. Both stay off until you set them.
Force-to-draft and title cap Off until enabled Force new content to draft, or cap title length. Optional guards, off until you turn them on.
Audit
Every call logged Read only Each call is recorded in a table in your own database, with the principal and the argument keys.
Denials logged too Denied Refused attempts are written to the same log, so you can see what an agent tried to do and was stopped from doing.
Values never stored Read only The log keeps argument keys, never the values, so it stays useful without hoarding sensitive content.

Optional guardrails, all off until you set them.

On top of capability gating, you can add extra limits. They are opt-in, so nothing here narrows access without you asking for it.

  • Per-minute rate limit Off by default
  • IP allowlist Off by default
  • Force-to-draft mode Off by default
  • Title-length cap Off by default

153 abilities ship in the plugin, and every one of them starts off. Guardrails like these tighten the ones you do enable.

What it will not do, by construction.

Some limits are not settings you could relax. They are missing from the plugin on purpose, so no agent and no configuration can reach past them.

  • No arbitrary option or meta access
  • No remote URL fetch on the agent’s behalf
  • No arbitrary code execution
  • Deletes go to Trash where WordPress supports it
  • The last administrator can never be removed

No bespoke server to trust.

There is no custom transport of ours in the path. The plugin rides on WordPress standards, and your AI client connects in.

Built on open standards

Runs on the WordPress 6.9 Abilities API and the official MCP Adapter (no custom transport).

Simple to run

Free on WordPress.org, no paid tier, no API key to buy, no usage limits.

Requires WordPress 6.9+ and PHP 8.0+

Control you can see, on every call.

Install it, keep everything off, and switch on one ability at a time as you build trust. The guardrails hold on every call, not just the first.

Least privilege by default. Every call capability-checked and logged.