WordPress 7.0 — AI Agent Infrastructure and API Key Theft Risk

AI relevance: WordPress 7.0 "Armstrong" ships the WP AI Client, Connectors API, Abilities API, and an official MCP adapter — turning the world's largest CMS into a structured, agent-addressable platform where AI API keys are now stored in every wp-admin dashboard.

  • WordPress 7.0, released May 20, dropped its planned real-time collaborative editing feature but shipped a three-component AI infrastructure in core: the WP AI Client (provider-agnostic PHP API for LLM prompts), the Connectors API (credential layer with Anthropic, Google, and OpenAI as default providers), and the JavaScript counterpart to the Abilities API.
  • The Abilities API (introduced server-side in 6.9, now with JS support in 7.0) lets plugins, themes, and core expose named capabilities with structured input/output schemas and permission callbacks — effectively turning every plugin into a self-describing toolset discoverable by external agents.
  • The WordPress MCP Adapter, distributed as a separate package, bridges the Abilities API to the Model Context Protocol. Once installed, registered abilities can be invoked as MCP tools by Claude Desktop, Claude Code, Cursor, and VS Code.
  • The Connectors API centralizes AI provider keys in a single Settings screen. Every plugin calling the WP AI Client inherits that connection. This means a single plugin vulnerability on any of the 43% of websites running WordPress now exposes credentials that can be worth thousands of dollars.
  • Patchstack founder Oliver Sild warned publicly that the combination of WordPress 7.0's AI infrastructure and the platform's existing plugin vulnerability rate creates a new economic attack surface: stolen AI API keys can fund phishing campaigns, run bot networks, or generate malware — entirely at the victim's expense.
  • Unlike standard password or session tokens, AI API keys represent prepaid or billable access to large language models. A compromised key can generate unlimited tokens until the victim notices billing spikes.
  • The strategic direction is clear even though the MCP adapter is not bundled in core: WordPress is building a future where 43% of websites become agent-callable endpoints with standardized tool interfaces.

Why it matters

WordPress has never had a built-in mechanism for third-party agents to enumerate and invoke site capabilities at scale. The combination of the Abilities API and the MCP Adapter changes that architecture fundamentally. Combined with the platform's historically high plugin vulnerability rate, any agent-calling infrastructure becomes a high-value target for credential theft and lateral movement.

What to do

  • If running WordPress 7.0, audit which plugins have access to the Connectors API and restrict AI key scope per-provider where possible.
  • Monitor billing alerts on all AI provider accounts linked to WordPress instances — stolen keys are often abused at scale before billing anomalies surface.
  • Treat the wp-admin Settings > Connectors screen with the same access controls as any credential store; consider IP-restricted admin access.
  • Site operators running the MCP adapter should inventory which abilities are exposed and apply least-privilege permission callbacks.
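
A least-privilege permission callback for an ability, shown as an added example (not code from WordPress core or from any plugin named here). It assumes the server-side Abilities API registration functions and hooks as introduced in 6.9; the category, ability name, and the example_plugin_* functions are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Ability Hardening (constructed example)
 */

// Hypothetical category and ability names; the hooks and registration
// functions are assumed to match the Abilities API introduced in 6.9.
add_action( 'wp_abilities_api_categories_init', function () {
	wp_register_ability_category( 'example-content', array(
		'label'       => 'Example content tools',
		'description' => 'Constructed category for this example.',
	) );
} );

add_action( 'wp_abilities_api_init', function () {
	wp_register_ability( 'example-plugin/get-post-excerpt', array(
		'label'         => 'Get a post excerpt',
		'description'   => 'Returns a plain-text excerpt of one post.',
		'category'      => 'example-content',
		// A strict schema rejects unexpected fields before any callback runs.
		'input_schema'  => array(
			'type'                 => 'object',
			'properties'           => array(
				'post_id' => array( 'type' => 'integer', 'minimum' => 1 ),
			),
			'required'             => array( 'post_id' ),
			'additionalProperties' => false,
		),
		'output_schema' => array( 'type' => 'string' ),
		// Weak setting: 'permission_callback' => '__return_true' approves
		// every caller that reaches the ability, whatever their role.
		'permission_callback' => 'example_plugin_can_read_excerpt',
		'execute_callback'    => 'example_plugin_get_excerpt',
	) );
} );

// Least privilege: authorize against the specific post in the request,
// not a site-wide capability such as manage_options.
function example_plugin_can_read_excerpt( $input ) {
	$post_id = isset( $input['post_id'] ) ? absint( $input['post_id'] ) : 0;
	return $post_id > 0 && current_user_can( 'edit_post', $post_id );
}

function example_plugin_get_excerpt( $input ) {
	$post = get_post( absint( $input['post_id'] ) );
	if ( ! $post ) {
		return new WP_Error( 'example_not_found', 'Post not found.' );
	}
	return wp_trim_words( wp_strip_all_tags( $post->post_content ), 55 );
}
```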
