Security best practices
Locking down AI Connector for production: HTTPS, OAuth scope, rate limits, audit log review, and incident response.
AI Connector is built to be safe by default — OAuth-first, scoped capabilities, rate-limited, audit-logged. But “safe by default” still leaves choices to make for production sites. This guide walks through the ones that matter.
Use HTTPS in production
OAuth 2.1 requires HTTPS in production. This is a spec requirement, not an Axtolab choice — without it, OAuth tokens travel over plaintext and can be intercepted.
If your site is on HTTP:
- Get a free certificate via Let’s Encrypt
- Most managed WP hosts include SSL automatically (SiteGround, WP Engine, Cloudways, Kinsta)
- Cloudflare’s free tier provides edge SSL even if your origin is HTTP
If you can’t enable HTTPS yet, AI Connector still works locally, but production OAuth flows will be blocked. Application Passwords work over HTTP but with weaker security guarantees.
Scope each connection to the smallest set of capability groups
Every AI connection in AI Connector has a capability set built from named groups and presets. Configure it under AI Connector → Connections → (your connection) → Permissions.
The built-in capability groups are:
- read — site info, content listing, media search, SEO analysis (always-on)
- create_edit — create drafts, update content, clone, post-meta writes
- publish — publish or schedule (separate from edit on purpose)
- trash_restore — destructive operations, gated separately
- media_manage — upload, update, set featured image, inline images
- taxonomy — create / assign terms
- authors — assign authors (subject to author allowlist)
- seo — write SEO meta (Yoast / Rank Math / AIOSEO)
- image — AI image generation + stock photos (add-on gated)
- upload_portal — drag-and-drop upload sessions for non-technical users
Pick one of the named presets — or define a custom set:
| Preset | Groups | Use case |
|---|---|---|
| read_only | read | Audit / monitoring agents |
| seo_specialist | read, seo | An SEO assistant that should not touch content |
| media_manager | read, media_manage | Asset organisation, alt-text fill-in |
| draft_only | read, create_edit, media_manage, taxonomy, seo, image, upload_portal | Drafting agents that shouldn’t publish |
| content_manager | read, create_edit, publish, media_manage, taxonomy, authors, seo | Editorial agents (no destructive operations) |
| standard | All of the above plus image, upload_portal | Default for typical workflows |
| full_access | Every group, including trash_restore | Trusted admin agents only |
A connection’s scope can only narrow over time, never widen — to grant more capability, revoke the old connection and create a new one.
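An added example (not AI Connector's own code) that models the preset table above and the narrow-only rule, so a proposed permission change can be checked before it is applied in the Permissions screen. Preset contents are copied from the table; the function names are assumptions.

```python
# Added example (not AI Connector's own code): models the preset table above and
# the "scope can only narrow" rule. Group names and preset contents come from the
# docs page; 'read' is always on.
GROUPS = {
    "read", "create_edit", "publish", "trash_restore", "media_manage",
    "taxonomy", "authors", "seo", "image", "upload_portal",
}

PRESETS = {
    "read_only": {"read"},
    "seo_specialist": {"read", "seo"},
    "media_manager": {"read", "media_manage"},
    "draft_only": {"read", "create_edit", "media_manage", "taxonomy",
                   "seo", "image", "upload_portal"},
    "content_manager": {"read", "create_edit", "publish", "media_manage",
                        "taxonomy", "authors", "seo"},
    "standard": {"read", "create_edit", "publish", "media_manage",
                 "taxonomy", "authors", "seo", "image", "upload_portal"},
    "full_access": set(GROUPS),
}

def resolve_scope(spec):
    """Turn a preset name or an iterable of group names into a validated set.
    'read' is always included; unknown names (e.g. a raw WP capability such as
    manage_options, which is not a group) are rejected."""
    groups = set(PRESETS[spec]) if isinstance(spec, str) else set(spec)
    unknown = groups - GROUPS
    if unknown:
        raise ValueError(f"unknown capability groups: {sorted(unknown)}")
    groups.add("read")
    return groups

def check_change(current, proposed):
    """Apply the narrow-only rule. Returns (allowed, widened_groups); any
    widening means: revoke the old connection and create a new one."""
    cur, new = resolve_scope(current), resolve_scope(proposed)
    widened = new - cur
    return (not widened, sorted(widened))

def destructive_connections(connections):
    """Names of connections whose scope includes trash_restore, the group
    this page reserves for trusted admin agents."""
    return sorted(name for name, spec in connections.items()
                  if "trash_restore" in resolve_scope(spec))
```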
Set rate limits per IP
Default rate limits in the free core: 60 requests per minute per IP. This catches runaway loops and reduces the blast radius of a compromised agent.
Adjust under AI Connector → Settings → Rate Limits:
- Per-IP limit — connections from the same IP share this budget
- Per-connection limit — each individual OAuth connection has its own budget
- Burst window — the rolling time window the limit applies over
For agencies running multi-tenant setups, pair this with the Multisite add-on, which enforces per-subsite limits separately.
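An added example, not AI Connector's own code, showing how the three settings above interact: a sliding-window limiter in which the per-IP budget is shared by every connection on that IP, each connection also has its own budget, and both refill as the burst window rolls. The plugin's internal algorithm is not documented on this page, so the class and its defaults are assumptions.

```python
# Added example, not AI Connector's own code: a sliding-window limiter that
# illustrates the per-IP, per-connection and burst-window settings. The plugin's
# actual algorithm is not documented here; this shows the semantics only.
from collections import deque

class RateLimiter:
    def __init__(self, per_ip=60, per_connection=60, burst_window=60.0):
        self.per_ip = per_ip                  # budget shared by all connections on an IP
        self.per_connection = per_connection  # budget per OAuth connection
        self.window = burst_window            # rolling window in seconds
        self._ip = {}                         # ip -> deque of request times
        self._conn = {}                       # connection id -> deque of request times

    def _prune(self, bucket, now):
        # Drop timestamps that have fallen out of the rolling window.
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()

    def allow(self, ip, connection, now):
        """True if both the IP budget and the connection budget have room.
        A denied request is not counted, so a throttled client is not locked out."""
        ip_q = self._ip.setdefault(ip, deque())
        conn_q = self._conn.setdefault(connection, deque())
        self._prune(ip_q, now)
        self._prune(conn_q, now)
        if len(ip_q) >= self.per_ip or len(conn_q) >= self.per_connection:
            return False
        ip_q.append(now)
        conn_q.append(now)
        return True

def demo():
    """Two connections behind one IP (constructed addresses): the per-IP budget
    is shared, so the second agent gets only what is left; once the window
    rolls, the budget comes back."""
    rl = RateLimiter(per_ip=4, per_connection=3, burst_window=60.0)
    results = [rl.allow("203.0.113.10", "agent-a", t) for t in (0, 1, 2)]
    results += [rl.allow("203.0.113.10", "agent-b", t) for t in (3, 4)]
    results.append(rl.allow("203.0.113.10", "agent-b", 61.0))  # window rolled
    return results
```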
Review the audit log regularly
The free core writes a basic audit log: every tool call, the connection that made it, timestamp, and outcome. Find it under AI Connector → Audit Log.
What to look for:
- Tool calls outside expected hours (an agent acting at 3am you didn’t authorize)
- Spike in failed calls (rate-limit hits, bad permissions)
- Connections you don’t recognize (an old test agent that should be revoked)
The free log is append-only but stored in the standard WP database — a privileged user can drop the table. For tamper-resistance, dedicated per-agent identities, and approval workflows, see the User Management add-on.
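An added example, not AI Connector's own code, that runs the three checks in the "what to look for" list over an exported audit log. The page says the log records every tool call with its connection, timestamp and outcome but gives no export format, so the CSV layout, the outcome values and the sample rows are constructed assumptions.

```python
# Added example, not AI Connector's own code. The CSV layout, outcome values and
# sample rows are assumptions; the page documents the fields but not a format.
import csv
from datetime import datetime
from io import StringIO

# Constructed sample export: timestamp (UTC), connection, tool, outcome.
SAMPLE_LOG = """\
timestamp,connection,tool,outcome
2025-01-14T09:12:03Z,seo-assistant,seo.write_meta,ok
2025-01-14T03:02:11Z,draft-writer,create_edit.update,ok
2025-01-14T03:02:15Z,draft-writer,publish.schedule,denied
2025-01-14T03:02:16Z,draft-writer,publish.schedule,denied
2025-01-14T03:02:17Z,draft-writer,publish.schedule,denied
2025-01-14T10:45:00Z,old-test-agent,read.site_info,ok
2025-01-14T10:46:30Z,seo-assistant,seo.write_meta,rate_limited
"""
KNOWN_CONNECTIONS = {"seo-assistant", "draft-writer"}  # the connections you expect
WORK_HOURS = range(8, 20)                   # 08:00-19:59 UTC is expected activity
FAILED_OUTCOMES = {"denied", "rate_limited", "error"}
FAILURE_SPIKE = 3                           # failures per connection worth a look

def parse_log(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows

def review(rows):
    """Return what a reviewer should look at, keyed by check."""
    off_hours, unknown, failures = [], set(), {}
    for r in rows:
        if r["ts"].hour not in WORK_HOURS:            # an agent acting at 3am
            off_hours.append((r["timestamp"], r["connection"], r["tool"]))
        if r["connection"] not in KNOWN_CONNECTIONS:  # stale test agent to revoke
            unknown.add(r["connection"])
        if r["outcome"] in FAILED_OUTCOMES:           # rate-limit hits, bad perms
            failures[r["connection"]] = failures.get(r["connection"], 0) + 1
    return {
        "off_hours": off_hours,
        "unknown_connection": sorted(unknown),
        "failure_spike": sorted(c for c, n in failures.items() if n >= FAILURE_SPIKE),
    }

def connection_timeline(rows, connection):
    """Incident view: one connection's calls, most recent first."""
    mine = sorted((r for r in rows if r["connection"] == connection),
                  key=lambda r: r["ts"], reverse=True)
    return [(r["timestamp"], r["tool"], r["outcome"]) for r in mine]
```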
Don’t grant manage_options casually
manage_options is the WP capability that allows changing site settings, installing plugins, and adding users with the admin role. If you grant this scope to an OAuth connection, the agent has effectively the same power as a site admin.
Don’t.
There’s almost never a real-world reason an AI agent needs manage_options for normal content workflows. If you find yourself reaching for it, ask whether you really want the agent doing the thing you’d be granting it for, or whether that task should stay manual.
Set up the kill switch
The kill switch suspends all AI connections site-wide with one click. It’s at the top of AI Connector → Connections.
Use it when:
- An agent is misbehaving and you need to stop it now
- A connection has been compromised
- You’re in incident response and want to freeze AI activity while you investigate
- You’re doing maintenance work and want zero AI traffic during it
The kill switch leaves connection records intact — when you flip it back, all existing connections resume without re-authorization. It only blocks request execution, not connection state.
Rotate Application Passwords periodically
If you’re using Application Passwords for any agent (not OAuth), rotate them every 90 days. Generate a new one, update your client config, then delete the old one.
OAuth tokens don’t need this — they refresh automatically and are scoped to the connection record, not your user identity.
Production checklist
Before connecting an AI agent to a live, customer-facing WordPress site:
- HTTPS is enabled on the entire site
- Rate limits are set to a value that caps realistic abuse without breaking real workflows
- You’ve reviewed the OAuth scope on each connection and removed any unnecessary capabilities
- The audit log is something you’ll actually look at — set a calendar reminder if needed
- You know where the kill switch is
- You’ve tested revocation: pick a test connection, click revoke, confirm the agent stops working
Incident response: agent misbehaving
If you suspect an AI agent has gone wrong:
- Hit the kill switch at AI Connector → Connections → Kill Switch. This stops all activity immediately.
- Review the audit log for what the agent did — filter by the suspect connection, sort by most recent.
- Check your content for the actions the agent took. WordPress revision history covers post edits; you can roll back individually.
- Revoke the connection specifically (not just kill-switch — full revoke).
- Flip the kill switch back off so the other connections resume.
- Investigate root cause — was the agent misconfigured, was the OAuth scope too broad, was the rate limit too high?
Document the incident. If a pattern emerges across agents, tighten defaults.
Where to go next
- User Management add-on — tamper-resistant audit + approval workflows
- AI Agent Billing Protection add-on — spend caps and budgets
- OAuth setup — for connection scoping details
- Troubleshooting