The Abilities API is designed to give AI agents powerful access to WordPress while keeping the site owner in control. Every ability passes through multiple security layers before executing. This page documents how those layers work.
Authentication
All ability calls are authenticated via WordPress Application Passwords. The MCP Bridge sends credentials with every request. The Adapter validates them against WordPress’s built-in application password system — the same system used by the REST API.
The authenticated user’s role determines their capabilities. An Editor can call content abilities but not plugin management. An Administrator can call everything. The ability system respects WordPress’s existing capability model.
Schema Validation
Every ability declares an input schema. WordPress core validates all input against this schema before the callback executes. Invalid input returns an error with the expected schema — so agents can self-correct. No unvalidated data reaches the callback function.
Permission Gating
The wp_abilities_suite_permissions option controls which CRUD tiers are enabled per module. Site owners can enable read-only access for diagnostics without exposing write or delete capabilities. This is independent of WordPress user roles — it’s an additional layer.
| Tier | Access | Default |
|---|---|---|
| Read | List, get, search, discover | Enabled |
| Write | Create, update, append | Requires Pro + explicit enable |
| Delete | Delete, trash, revoke | Requires Pro + explicit enable |
Filesystem Protection
The filesystem abilities (filesystem/write-file, theme/update-asset) implement multiple defenses:
- ABSPATH containment: All file paths are resolved with `realpath()` and checked against ABSPATH. No path traversal possible.
- Extension whitelist: Only `.css`, `.js`, `.json`, `.md`, `.txt`, `.html` are writable. `.php`, `.phtml`, `.htaccess`, `.sh`, `.exe`, `.bat` are blocked.
- Traversal pattern rejection: Paths containing `../` are rejected before resolution.
- Write permissions default OFF: Filesystem write abilities require explicit enable in the permissions option.
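The path checks listed above, combined into one validator as an added example; this is not the plugin's own code. The names `example_resolve_writable_path` and `EXAMPLE_WRITABLE_EXTENSIONS` and the temporary directory standing in for ABSPATH are assumptions. The example also handles a not-yet-existing target file, for which `realpath()` returns false, and compares against the base with a trailing separator.

```php
<?php
// Added example (hypothetical helper, not the plugin's code). Allowlist copied from the page.
const EXAMPLE_WRITABLE_EXTENSIONS = ['css', 'js', 'json', 'md', 'txt', 'html'];

/** Returns the absolute path if $relative may be written under $base, otherwise null. */
function example_resolve_writable_path(string $relative, string $base): ?string
{
    // 1. Reject traversal patterns (either separator) and NUL bytes before resolution.
    $path = str_replace('\\', '/', $relative);
    if (strpos($path, '../') !== false || strpos($path, "\0") !== false) {
        return null;
    }
    // 2. Extension allowlist, compared case-insensitively.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!in_array($ext, EXAMPLE_WRITABLE_EXTENSIONS, true)) {
        return null;
    }
    // 3. Containment. realpath() returns false for a file that does not exist yet,
    //    so resolve the parent directory and re-attach the file name.
    $root = realpath($base);
    $full = rtrim($base, '/\\') . '/' . ltrim($path, '/');
    $parent = realpath(dirname($full));
    if ($root === false || $parent === false) {
        return null;
    }
    // Compare with a trailing separator so /srv/site-old does not match /srv/site.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($parent . DIRECTORY_SEPARATOR, $root, strlen($root)) !== 0) {
        return null;
    }
    $target = $parent . DIRECTORY_SEPARATOR . basename($full);
    // Design choice of this example: refuse to write through an existing symlink.
    return is_link($target) ? null : $target;
}

// Constructed demo: a temporary directory stands in for ABSPATH.
$base = sys_get_temp_dir() . '/abspath-demo-' . getmypid();
@mkdir($base . '/wp-content/themes/demo', 0700, true);
$samples = [
    'wp-content/themes/demo/style.css',       // allowed extension, inside the base
    'wp-content/themes/demo/../../../x.css',  // traversal pattern
    'wp-content/themes/demo/shell.php',       // blocked extension
    'wp-content/missing-dir/a.js',            // parent directory cannot be resolved
];
foreach ($samples as $p) {
    $verdict = example_resolve_writable_path($p, $base) === null ? 'rejected' : 'allowed';
    printf("%-42s %s\n", $p, $verdict);
}
```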
Annotations as Safety Signals
Every ability declares its safety profile through annotations: readonly, destructive, idempotent. AI clients use these to decide what’s safe to call without human confirmation. A well-behaved agent calls readonly abilities freely but pauses before destructive ones.