This proposal expands the WordPress Core Abilities API in WordPress 7.1 with three read-only abilities: The Abilities API shipped in WordPress 6.9 as a foundation for registering discrete, permission-checked actions with typed input and output schemas. WordPress 6.9 included only a small initial set of Core abilities, including site, environment, and current-user information. Since then, […]
This proposal expands the WordPress Core Core is the set of software required to run WordPress. The Core Development Team builds WordPress. Abilities API An API or Application Programming Interface is a software intermediary that allows programs to interact with each other and share data in limited, clearly defined ways. in WordPress 7.1 with three read-only abilities:
core/read-settingscore/read-contentcore/read-usersThe Abilities API shipped in WordPress 6.9 as a foundation for registering discrete, permission-checked actions with typed input and output schemas.
WordPress 6.9 included only a small initial set of Core abilities, including site, environment, and current-user information. Since then, we have been experimenting with PRs in the AI plugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party. and WordPress Core. The next useful step is a small, read-only expansion that lets agents and workflows understand the key data already managed by a WordPress site: settings, content, and users.
The goals for this proposal are:
The long-term direction is to organize Core abilities mostly in pairs:
core/read-content, that retrieves a single item or a collection.core/manage-content, that updates data or performs a user-intent action.Settings and post types will use a show_in_abilities flag so that registering something in WordPress does not automatically make it available to ability consumers. In the future, that flag could be used for post meta Meta is a term that refers to the inside workings of a group. For us, this is the team that works on internal WordPress sites like WordCamp Central and Make WordPress. or user meta. Core will opt into a conservative default set of built-in settings and post types, similar in spirit to how show_in_rest made selected entities available to the REST API The REST API is an acronym for the RESTful Application Program Interface (API) that uses HTTP requests to GET, PUT, POST and DELETE data. It is how the front end of an application (think “phone app” or “website”) can communicate with the data store (think “database” or “file system”)
https://developer.wordpress.org/rest-api/.
core/read-settingsReturns settings that have explicitly opted in to abilities. It returns a flat name => value object and supports filtering by group or by specific setting names. It requires the manage_options capability A capability is permission to perform one or more types of task. Checking if a user has a capability is performed by the current_user_can function. Each user of a WordPress site might have some permissions but not others, depending on their role. For example, users who have the Author role usually have permission to edit their own posts (the “edit_posts” capability), but not permission to edit other users’ posts (the “edit_others_posts” capability)..
This lets authorized tools answer questions such as “what is the site title?” or “which permalink-related settings are exposed?”
Relevant work:
core/read-contentRetrieves content from post types exposed to abilities. It supports single-item lookup and collection queries. The default response is lean, while more expensive or sensitive fields are returned when explicitly requested.
Relevant work:
Advanced query support, such as meta_query, tax_query, and date_query, is intentionally left for a future version. Those shapes may be valuable for agents and workflows, where a slower targeted query can be better than retrieving everything and filtering client-side, but they need a focused review.
core/read-usersRetrieves users through single-user lookup or collection mode. It supports lookup by fields such as ID, email, login, or nicename, and collection filters such as roles, published-post status, etc.
Users should only see data they are already allowed to see; inaccessible fields are omitted per user.
Relevant work:
The WP AI Client and other agentic integrations like mcp-adapter need abilities as the tools they can pass to agents and prompts. Without Core read abilities, those integrations can call a model but cannot reliably answer basic questions such as what posts exist or which page is the front page.
The ecosystem is already experimenting with its own versions of these abilities. For example, right now there are multiple projects implementing the ability to retrieve a post. That is healthy exploration, but the common entities should converge on shared Core contracts. A Core-provided base reduces repeated work and gives the community one place to review exposure, capabilities A capability is permission to perform one or more types of task. Checking if a user has a capability is performed by the current_user_can function. Each user of a WordPress site might have some permissions but not others, depending on their role. For example, users who have the Author role usually have permission to edit their own posts (the “edit_posts” capability), but not permission to edit other users’ posts (the “edit_others_posts” capability)., schema shape, and edge cases.
Abilities can present a shape that is natural to humans and models. The planned core/manage-content, for instance, could have an action property (publish, move-to-trash Trash in WordPress is like the Recycle Bin on your PC or Trash in your Macintosh computer. Users with the proper permission level (administrators and editors) have the ability to delete a post, page, and/or comments. When you delete the item, it is moved to the trash folder where it will remain for 30 days., …), so an agent asks for the same intent a human expresses by clicking a button, rather than having to know that “publish” means mutating post_status.
Abilities operate under different constraints than REST. In terms of what is available, we may have information (e.g., secrets) exposed via REST that is not exposed under abilities. And because abilities are invoked by agents and workflows rather than from a latency-sensitive front end, they can reasonably afford operations REST avoids. We keep advanced querying (e.g., meta_query) out of REST because it can be slow, but for an agent, a server-side meta query is still far cheaper than fetching everything and filtering client-side. This different latency budget is part of why a separate, abilities-shaped surface is worthwhile.
As WebMCP-style tool discovery and browser-accessible tool surfaces continue to evolve, having carefully reviewed Core abilities gives WordPress a path to becoming agent-ready as soon as WebMCP stabilizes. The same Core ability contracts can be mapped to WebMCP tools, so we can easily make WordPress agent-ready and expose its content in the format WebMCP accepts.
The proposed abilities are read-only and carry read-only annotations. They perform full permission checks before execution.
The security model is:
After the read abilities settle, the next layer is management abilities:
core/manage-settingscore/manage-contentcore/manage-usersFuture content work may also revisit advanced querying, including meta_query, tax_query, and date_query, building on the earlier exploration in wordpress-develop#10665.
We also plan to support more entities, specifically comments, taxonomies, media, themes, and plugins, following the same read/manage + opt-in pattern, with extra guardrails for higher-risk operations.
Feedback is welcome in the comments on this proposal, on the linked AI PRs, and in the #core-ai channel on WordPress Slack Slack is a Collaborative Group Chat Platform https://slack.com/. The WordPress community has its own Slack Channel at https://make.wordpress.org/chat/. If you maintain or are building abilities for these entities, we would especially like you to test the implementations and tell us if the shape, defaults, or permissions fit your use case. The goal is one baseline the whole ecosystem can build on.
| # | Наименование новости | Тональность | Информативность | Дата публикации |
|---|---|---|---|---|
| 1 | Merge Proposal: Guidelines built on Knowledge | 0 | 5 | 22-06-2026 |
| 2 | Merge Proposal: Design System Theming | 0 | 7 | 07-07-2026 |
| 3 | Roadmap to 7.1 | 5 | 7 | 19-06-2026 |
| 4 | Hiding the Classic block from the inserter in WordPress 7.1 | 0 | 7 | 23-06-2026 |
| 5 | WordPress 7.1 Release Party Schedule | 0 | 5 | 03-07-2026 |
| 6 | Bug Scrub Schedule for WordPress 7.1 | 2 | 4 | 03-07-2026 |
| 7 | WordPress 7.0.1 RC1 is now available | 0 | 5 | 01-07-2026 |
| 8 | The Classic block stays in the inserter for WordPress 7.1 | 0 | 5 | 07-07-2026 |
| 9 | WordPress 7.0 Release Retrospective | 7 | 6 | 22-06-2026 |
| 10 | Guidelines for Syncing Code From Gutenberg Into WordPress Develop | 0 | 7 | 30-06-2026 |