WordPress 7.0 ships on May 20, 2026. The headlines focus on AI Connectors — enter your OpenAI or Anthropic key once, and any compatible plugin can use it. That’s useful. But it’s not the real story.
The real story is the stack underneath. WordPress is assembling the infrastructure for an agent-addressable plugin ecosystem. If you manage WordPress sites with 15–40 plugins, or you’re an agency maintaining a portfolio of them, the next 12–18 months will reshape how you evaluate what you install.
The Four Layers, Plainly
Connectors give WordPress a single place to store provider credentials and connection metadata. WordPress 7.0 ships with three default connectors: OpenAI, Anthropic, and Google. A site owner enters an API key once. Any plugin built against the AI Client can reference that connection instead of each plugin managing its own key storage, its own settings page, its own provider logic.
The AI Client is a provider-agnostic PHP API. Plugins send prompts and receive results through a consistent interface instead of writing custom integration code for each model provider. Because the API allows arbitrary prompt execution, it’s restricted to administrators by default — a reasonable constraint given what’s at stake.
The Abilities API is where this gets architecturally interesting. It lets plugins register discrete units of work — fetching data, updating records, running diagnostics — as standardized, typed “abilities.” Each ability declares its inputs, outputs, permission callbacks, and executable logic. The Abilities API actually shipped in WordPress 6.9, not 7.0. But it becomes substantially more important now that the rest of the AI stack exists to consume it.
The MCP Adapter bridges the gap between WordPress abilities and external AI agents. It converts registered abilities into Model Context Protocol tools that agents like Claude Desktop or Cursor can discover and execute. The adapter respects the permission checks defined in each ability — agents can only do what an authorized user could already do.
What This Looks Like in Practice
Consider a WooCommerce store with 200 products. A plugin could register an ability called get_products_missing_attributes — typed inputs (attribute names to check, product category filter), typed output (a list of product IDs with missing fields), a permission callback requiring manage_woocommerce, and an executable function that queries the database.
An SEO plugin could expose suggest_metadata_updates. A forms plugin could offer summarize_recent_submissions. An analytics plugin could register find_pages_with_weak_answer_readiness.
The useful part isn’t just that an AI agent can call these. It’s that the calls are typed, permissioned, and inspectable. An external agent discovers what’s available, sees the schema, understands what inputs are required, and knows what permissions are enforced — before it executes anything.
But none of this is automatic. Plugins still need to register abilities, define schemas, set permission callbacks, and decide how those abilities are exposed through MCP. Your site doesn’t become “open to agents” on May 20 just because you updated WordPress.
The Two-Tier Plugin Ecosystem
Here’s our opinion: most plugins will not expose high-quality abilities immediately. The API exists, but adoption takes time. Plugin developers need to decide which operations to surface, write proper schemas, and test permission boundaries.
This creates a split. Tier one: plugins that participate in the AI operations layer — discoverable, typed, composable by agents. Tier two: plugins that still work fine for humans clicking through wp-admin, but that agents have to route around with scraping, brittle REST assumptions, or manual handoff.
Over the next 12–18 months, “Does this plugin expose safe, documented abilities?” will become a buying signal. Agencies evaluating plugins for client sites will start asking this the same way they already ask about update frequency or security track record.
Agent-Ready Must Mean Operator-Safe
A typed function an agent can call is powerful. It’s also a new operational boundary that demands serious attention.
Abilities need narrow scopes — not broad “do anything” endpoints. They need rate limits so a misbehaving agent can’t hammer your database. They need audit trails so you can see what happened and who authorized it. They need confirmation gates for destructive or public-facing actions — deleting products, publishing content, modifying user roles.
WordPress history has plenty of examples where integration endpoints became attack surfaces because authentication or capability checks were too loose. The REST API’s early days taught that lesson. XML-RPC taught it harder. The Abilities API has good structural defaults — permission callbacks are part of the registration contract — but the implementation quality per plugin will vary. Agency teams should audit which abilities a plugin registers the same way they audit which REST endpoints a plugin exposes.
Where PressBot Fits
We built PressBot around the operational discipline this direction points toward: a 99-tool WordPress admin agent with typed tool calls, permission-aware execution, and confirmation required before destructive, bulk, public-facing, or security-sensitive actions. Our agent does lookup-before-create — it checks what exists before modifying anything. Our Trusted Plans for AI Visibility already structure site capabilities around what AI systems need to see.
We’re not going to claim PressBot is fully integrated with WordPress 7.0’s Core AI Client, Connectors, or Abilities API today. Those APIs are new, and the ecosystem needs time to settle. But they’re natural integration targets for us — the architectural assumptions match what we already enforce.
If you’re running WordPress sites and want an AI agent that already operates with these principles — typed tools, safe execution boundaries, and real admin capabilities — PressBot is available now at pressbot.io.
