WordPress’s push toward AI-ready infrastructure includes a merge proposal targeting version 7.1, which would add three read-only abilities to the Abilities API first introduced in WordPress 6.9. The API provides a structured, permission-checked way for external tools, AI agents, and automated workflows to interact with WordPress data using typed inputs and outputs — think of it as a purpose-built surface for machine consumption, distinct from the REST API.

The three abilities proposed for 7.1 are core/read-settings, core/read-content, and core/read-users. Each is scoped to read-only operations and enforces WordPress’s existing capability system before executing — core/read-settings, for example, requires the manage_options capability, while core/read-users omits fields the current user lacks permission to see. The proposal is backed by active pull requests in both the WordPress/ai and wordpress-develop repositories.

Three pale-colored access keycards arranged on a grey surface, with a hand reaching in to adjust them.

WordPress 7.1 Would Give AI Agents Three Core Abilities

The WP AI Client, merged in WordPress 7.0, needs callable tools to do useful work. Without read abilities in Core, an AI agent connected to a WordPress site cannot reliably answer basic questions like what posts exist or which page is set as the front page. The proposal gives these agents a canonical, reviewed data surface rather than leaving the ecosystem to build competing implementations. It notes that multiple projects are already independently implementing the ability to retrieve a post — useful experimentation, but something that benefits from convergence. Each of the three new abilities serves a distinct purpose:

core/read-settings
Returns a flat name-to-value object of settings that have explicitly opted in via a show_in_abilities flag, supporting filtering by group or specific setting name.
core/read-content
Retrieves posts and other content from opt-in post types, supporting both single-item lookup and collection queries; advanced filters like meta_query are deferred to a future version.
core/read-users
Looks up individual users or collections by ID, email, login, or nicename, with role and published-post filters available; inaccessible fields are silently omitted per user.

This opt-in model mirrors how show_in_rest selectively exposed data to the REST API. Settings and post types must explicitly set show_in_abilities to become visible to ability consumers — meaning a value exposed over REST for UI purposes can, if merged as proposed, be kept out of agent reach entirely. Prompt-injection protection is explicitly out of scope: abilities return stored data as-is, and consuming agents are expected to treat results as tool output rather than instructions.

The longer-term roadmap, if merged as proposed, pairs each read ability with a corresponding manage ability. WordPress 7.2 is the target for core/manage-settings, core/manage-content, and core/manage-users, with coverage of comments, taxonomies, media, themes, and plugins planned to follow the same read-and-manage pattern. The proposal also eyes WebMCP, an emerging standard for browser-accessible tool discovery, noting that Core ability contracts could map directly to WebMCP tools once that standard stabilises — giving WordPress a clear path to broader agent compatibility without additional architectural work.