WordPress 7.0 AI: What Site Owners Need to Know
WordPress 7.0 is releasing in mid-to-late May 2026, and for the first time, AI will be built directly into the platform. No third-party plugin required. You configure your API key once, every compatible plugin on your site can use it, and native AI features appear throughout the editor.
That’s a meaningful step forward for the platform. It’s also shipping with gaps that the launch announcements aren’t covering clearly. This post explains what’s new, what it means for your site in practice, and what you should check before you hand your API credentials to the platform.
What WordPress 7.0 Ships Natively
There are three interlocked AI systems built into core.
The AI Client
wp_ai_client_prompt() is a new PHP function that any plugin can call to access an AI provider. It works with OpenAI, Anthropic, and Google out of the box — plugin developers no longer need to build their own provider integration. For them, AI is now a platform utility, like the database API.
For you as a site owner, it means every plugin you have installed could potentially be making AI calls.
The Connectors Screen
This is the admin UI where you enter your API keys: Settings > Connectors. You enter your OpenAI or Anthropic key once, and that credential is available to every plugin on your site.
The convenience is real. Previously, five AI plugins meant five API key configuration screens, five provider accounts, five separate billing dashboards. The Connectors screen collapses that into one place.
But one shared credential also means one point of failure — and no native controls over who can use it.
The Abilities API and MCP Adapter
The Abilities API lets plugins declare what AI-related tasks they can perform: generate alt text, summarise a post, suggest related content, translate copy. The new MCP Adapter then exposes those declared abilities to external AI agents — Claude Desktop, Cursor, and other MCP-compatible tools.
For most site owners, this is background infrastructure. For developers building AI-connected workflows, it’s significant: your WordPress site can now act as an active participant in an AI agent conversation, not just a passive data source.
What This Replaces
A large segment of existing AI plugins built their value around owning the provider relationship — they were the bridge between WordPress and OpenAI. WordPress 7.0 removes that bridge:
- Plugins whose sole differentiator was “connects to OpenAI” are now redundant
- Basic content generation, alt text, and post summarisation are native Gutenberg features
- Plugins with their own API key configuration screens are now competing with a built-in settings screen
If you’re running AI plugins whose main job was provider integration, it’s worth auditing which ones earn their keep after 7.0 updates. Some will. Some are now doing what core does for free.
The Gaps That Matter
Here’s where the launch coverage gets thin.
No Per-Plugin Spending Controls
Once your API key is in the Connectors screen, any plugin that calls wp_ai_client_prompt() can use it. WordPress 7.0 ships with no per-plugin token budget, no monthly spending ceiling, and no rate cap.
There is one related control: a filter called wp_ai_client_prevent_prompt that can block AI calls based on user capability. It’s a permission gate, not a spending meter. It won’t stop a plugin from running batch AI jobs in the background.
In practice: a plugin could process your entire product catalogue overnight, generate descriptions for thousands of posts, or run a scheduled content audit — all using your API key, all generating charges on your provider account. You’d find out when your billing alert fired, or when you checked your dashboard.
The WordPress community has already been vocal about this. The ask is straightforward: per-plugin token budgets and a WP Admin usage dashboard showing calls by plugin. That capability doesn’t exist in 7.0.
What to do now: Before you enter any API key in the Connectors screen, set a spend limit with your provider. OpenAI and Anthropic both have monthly billing caps you can configure in their dashboards. Set one — and make it conservative while you’re getting familiar with how AI usage actually behaves on your site.
No Audit Trail by Plugin
WordPress 7.0 shows aggregate AI usage in the Connectors screen. What it doesn’t show is which plugin generated which usage.
If your API bill spikes, you cannot open a WordPress dashboard and see “WooCommerce product importer ran 40,000 tokens last Tuesday.” That data doesn’t exist natively. The AI Client centralises the connection but not the accounting.
Security plugins log REST API calls, but AI prompt metadata — which plugin called, which model, how many tokens, what data was sent — is a different layer that none of them cover today.
API Keys Are Stored Without Encryption
Your API credentials in the Connectors screen are stored in the WordPress database without encryption. If your database is compromised — through a SQL injection, a backup leak, or a vulnerable hosting panel — those keys are readable.
This isn’t a new class of risk for WordPress, but AI API keys carry a different kind of consequence. A leaked database password locks your WordPress admin. A leaked OpenAI key runs up charges and potentially exposes whatever data your plugins have been sending to the provider.
No Plugin-Level AI Permissions
There is no allowlist or denylist for which plugins can make AI calls. Any plugin on your site that calls the AI Client gets access to your credential. A plugin you installed for a contact form, a slider, or an SEO audit gets automatic AI access if it later adds an AI feature.
Site owners have no native way to say “only these two plugins are allowed to use AI.” It’s all-or-nothing at the key level.
Before You Enable Native AI
A sensible sequence for sites where mistakes have real consequences:
1. Set provider-level spend limits first. OpenAI and Anthropic have billing controls in their dashboards. Cap your monthly exposure before entering any credentials in WordPress.
2. Audit your installed plugins. After 7.0 updates, identify which of your plugins declare AI Abilities or call the AI Client. Many won’t — but you should know which ones do before you hand them a live API key.
3. Review your database security. Unencrypted API key storage raises the stakes for database-level access. If your staging environment, backups, or third-party tools have database access, think carefully about what they can see.
4. Watch your provider dashboard weekly. For the first month after enabling AI features, check your API usage every week. Anomalies are easier to catch early than to investigate retroactively.
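Step 2 above can be started with a static scan of the plugins directory. The script below is an added example, not WordPress or plugin code: it counts, per plugin, the PHP files that reference wp_ai_client_prompt, wp_ai_client_prevent_prompt, or wp_register_ability (the Abilities API registration function, which this post does not name; treat it as an assumption), and make_sample_plugins builds a constructed tree to try it on.

```bash
#!/usr/bin/env bash
# Added example: static audit of installed plugins for WordPress AI entry points.
# wp_ai_client_prompt and wp_ai_client_prevent_prompt are named in the article;
# wp_register_ability is an assumption (Abilities API registration call).
AI_IDENTS='wp_ai_client_prompt wp_ai_client_prevent_prompt wp_register_ability'

# audit_ai_plugins <plugins_dir>
# Prints "<plugin-slug><TAB><identifier><TAB><php-file-count>" for every match.
audit_ai_plugins() {
    plugins_dir=$1
    [ -d "$plugins_dir" ] || { echo "not a directory: $plugins_dir" >&2; return 2; }
    for plugin in "$plugins_dir"/*/; do
        [ -d "$plugin" ] || continue          # empty directory: glob stays literal
        slug=$(basename "$plugin")
        for ident in $AI_IDENTS; do
            # -w matches the identifier as a whole word, so a longer name that
            # merely starts with it is not counted; -l counts files, not lines.
            n=$(find "$plugin" -type f -name '*.php' \
                    -exec grep -lw -- "$ident" {} + 2>/dev/null | wc -l | tr -d ' ')
            if [ "$n" -gt 0 ]; then
                printf '%s\t%s\t%s\n' "$slug" "$ident" "$n"
            fi
        done
    done
    return 0
}

# Constructed sample tree (not real plugins); only the identifiers matter.
make_sample_plugins() {
    root=$(mktemp -d)
    mkdir -p "$root/shop-importer/inc" "$root/contact-form" "$root/seo-audit"
    printf '%s\n' '<?php $r = wp_ai_client_prompt( "Describe product" );' > "$root/shop-importer/inc/batch.php"
    printf '%s\n' '<?php wp_register_ability( "shop-importer/describe", array() );' > "$root/shop-importer/abilities.php"
    printf '%s\n' '<?php // no AI calls here' > "$root/contact-form/form.php"
    printf '%s\n' '<?php add_filter( "wp_ai_client_prevent_prompt", "__return_true" );' > "$root/seo-audit/guard.php"
    printf '%s\n' "$root"
}

# Usage: ./audit.sh /path/to/wp-content/plugins
if [ "$#" -gt 0 ]; then audit_ai_plugins "$1"; fi
```

Run it against wp-content/plugins and again against wp-content/mu-plugins. A match shows that a plugin can reach the AI Client, not that a call actually fires, and calls assembled dynamically at runtime will not appear.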
The Bigger Picture
WordPress 7.0’s AI architecture is well-designed. Provider-agnostic, extensible, built on hooks that third-party plugins can intercept. The foundation is right — and infrastructure is always the right place to start.
What’s missing is the governance layer: per-plugin budgets, usage accounting, encrypted credential storage, and permission controls for which plugins get AI access. These aren’t edge cases. They’re the controls a site owner needs to run AI confidently on a production site.
The wp_ai_client_prevent_prompt filter is the hook a governance layer would use — the correct interception point for applying per-plugin rules before a prompt reaches the provider. The mechanism exists. What’s needed is a tool built around it.
We’re working on exactly that. Our upcoming AI Governance plugin will sit alongside WordPress 7.0’s native AI and add the controls core doesn’t ship: per-plugin token budgets, a usage dashboard showing calls by plugin and model, hard budget enforcement when limits are hit, and encrypted API credential storage. The patterns come directly from our Agent Control Panel work.
If this is the kind of visibility and control you want over your site’s AI usage, check out axtolab.com and stay tuned.
The Bottom Line
WordPress 7.0 is a genuine step forward for AI on the platform. The native architecture is cleaner than anything the plugin ecosystem had assembled on its own. For a personal site or a small blog, enabling it is low-stakes.
For a WooCommerce store, a membership site, or any site that handles customer data or has meaningful API billing exposure: go in with eyes open. Set spend limits. Know which plugins are making AI calls. Watch the dashboards.
The platform shipped the foundation. The governance tools will catch up. In the meantime, the controls are on you.