WordPress released version 6.9 in December 2025, introducing a new framework that changes how the platform communicates with external tools. The update added support for WordPress Abilities API and the Model Context Protocol (MCP), allowing WordPress sites and plugins to describe their capabilities in a structured, machine- and human-readable format.
The change reflects a broader shift in how websites are managed. AI agents, automation tools, and developer environments are increasingly used for monitoring, configuration, troubleshooting, and support. Until now, these tools had limited visibility into what WordPress could safely do or how plugin functionality should be accessed.
With Abilities API and MCP, WordPress moves toward a model where actions are clearly declared, permission-aware, and discoverable at runtime. This makes it easier for AI tools to interact with WordPress in predictable and controlled ways.
Why WordPress Introduced Abilities API
WordPress has always offered flexibility through its plugin ecosystem and extensible architecture. However, much of this flexibility depended on implicit knowledge. External tools often had to rely on documentation, assumptions, or custom integrations to interact with WordPress features.
As AI tools became more capable, contributors identified a consistent limitation. Automation systems could not easily determine:
- What actions a WordPress site supports
- Which plugin features are safe to automate
- What inputs and outputs an action expects
- Whether the current user is allowed to perform an action
The WordPress Abilities API framework was introduced to solve this problem. Instead of hiding functionality behind internal APIs or admin screens, WordPress can now explicitly declare supported actions in a machine-readable format.
The framework was announced in November 2025 and released with WordPress 6.9 as part of the WordPress AI Team’s AI Building Blocks for WordPress initiative.
The official announcement is available on the WordPress developer site for those who want a deeper technical context.
What WordPress Abilities API Are
A WordPress API Ability represents a single, well-defined action that WordPress core or a plugin can perform. Each ability is registered with metadata that explains how the action works and who can execute it.
An ability typically includes:
- A clear name and description
- A structured input definition
- A structured output definition
- An execution callback
- A permission check aligned with WordPress roles
wp_register_ability(
'example/get-provider-name',
[
'label' => 'Get Provider Name',
'description' => 'Fetch the name of the connected SSO provider',
'category' => 'sso',
// Input schema
'input_schema' => [
'type' => 'object',
'properties' => [],
'additionalProperties' => false,
'default' => [],
],
// Output schema
'output_schema' => [
'type' => 'object',
'properties' => [
'success' => [ 'type' => 'boolean' ],
'message' => [ 'type' => 'string' ],
'provider_name' => [ 'type' => [ 'string', 'null' ] ],
],
'required' => [ 'success', 'message', 'provider_name' ],
],
// Permission check
'permission_callback' => function () {
return current_user_can('manage_options');
},
// Execution callback
'execute_callback' => function () {
// Fetch provider name from WP options
$provider_name = get_option('example_provider_name');
return [
'success' => true,
'message' => 'Provider name retrieved successfully.',
'provider_name' => $provider_name ?: null,
];
},
// Metadata for REST/MCP exposure
'meta' => [
'show_in_rest' => true,
‘mcp’ => [
‘public’ => true,
]
],
]
);
This structure allows external systems to understand actions without inspecting source code. It also ensures that every automated action follows WordPress’s existing security model.
Abilities API do not replace REST APIs or existing workflows. Instead, they provide an additional layer that makes WordPress self-describing and easier to integrate with AI-driven systems.
The Role of MCP and the WordPress MCP Adapter
While Abilities API define what actions exist, the Model Context Protocol (MCP) defines how AI tools discover and execute those actions.
MCP is an open protocol designed to connect AI agents with external systems in a contextual way. Instead of requiring predefined endpoints, MCP allows tools to query a system at runtime and learn what actions are available.
To support this, WordPress introduced a WordPress MCP adapter. This adapter exposes registered Abilities API through MCP so that AI tools can interact with them dynamically.
The WordPress MCP adapter:
- Exposes all registered Abilities API
- Allows AI tools to discover actions at runtime
- Provides schemas for inputs and outputs
- Enforces WordPress permission checks
- Maintains context across multi-step workflows
On WordPress.com, the MCP adapter is secured using OAuth. When an AI tool connects, authentication happens through the browser. Permissions are inherited from the logged-in WordPress user, and access can be managed or revoked at any time.
This adapter removes the need for API keys, custom tokens, or additional software installations.
How We Support Abilities API at miniOrange
At miniOrange, we have long focused on WordPress security and authentication. Our WordPress plugins support SAML SSO, OAuth SSO, LDAP, two-factor (2FA) authentication, and other identity and access management (IAM) use cases commonly used in enterprise environments.
With the introduction of WordPress Abilities API, we have adopted this framework across our WordPress plugins. This ensures that our plugin capabilities can be discovered and used by AI tools and automation platforms in a clear and secure way.
Importantly, this adoption does not change how administrators configure or use our plugins. Existing admin screens, settings, and workflows remain unchanged. Abilities API simply provide a structured interface that external systems can understand.
How This Looks in Action
Let’s look at a simple example to understand how the Abilities API and the Model Context Protocol (MCP) work in practice.
An administrator is managing a WordPress.com site that uses the miniOrange WordPress SAML SSO plugin. The site is on a paid plan, MCP is enabled, and the administrator has connected an MCP-enabled AI tool such as Cursor using the standard login flow. The connection is approved in the browser, and Cursor operates with the same permissions as the administrator.
During a login attempt, the administrator encounters an issue and sees the error code WPSAMLERR004.
Instead of searching documentation or opening a support ticket right away, the administrator asks Cursor something simple and conversational, such as:
I’m seeing WPSAMLERR004 during SSO login. Can you help me fix this?
What Cursor Does Next
Cursor does not guess or apply changes on its own. It follows a structured process using the WordPress MCP adapter.
- Cursor asks WordPress what actions are available through MCP.
- WordPress responds with a list of registered Abilities API from core and installed plugins.
- Among them is an Ability exposed by the miniOrange plugin that is designed to handle WPSAMLERR004.
How the Ability is Used
Once the relevant Ability is identified, the following steps happen:
- The Ability checks whether the current user has the required permissions.
- It reviews the X.509 certificate configuration used by the plugin.
- The input and output data are validated using predefined schemas.
- If a configuration correction is required, it is applied safely.
After the Ability completes its work, Cursor responds to the administrator with clear next steps.
- The administrator is asked to retry the SSO login.
- If the login succeeds, the issue is considered resolved.
- If the issue continues, Cursor advises contacting samlsupport@xecurify.com for further assistance.
Why Abilities and MCP Matter
Together, the Abilities API and MCP unlock several key benefits:
- Discoverability: You can see everything a site can do without digging through code or documentation.
- Interoperability: Plugins and tools can work together without custom integration logic.
- Security and governance: Every action includes permission checks and registration metadata.
- Consistent interfaces: Labels and descriptions make it easier to surface actions in admin UIs and hide unauthorized ones.
- AI readiness: Automation platforms and LLMs can safely explore and use site capabilities on their own.
What We’re Planning Next
Our work with the WordPress Abilities API is just the beginning. As this framework continues to evolve, we’re actively building toward the next phase of how our plugins integrate with AI tools and automation platforms.
Our upcoming focus includes:
- Supporting multiple large language models (LLMs), including offerings from OpenAI and Google Gemini, Claude, etc.
- Enhancing the MCP adapter with OAuth support to enable stronger security and simpler authentication.
- Expanding the number of abilities across our plugins to cover more real-world workflows and use cases.
These efforts are aimed at making our WordPress plugins more interoperable, easier to automate, and ready for the next generation of AI-assisted workflows.
Conclusion
WordPress Abilities API and the Model Context Protocol represent a foundational change in how WordPress interacts with AI and automation systems. Instead of hiding functionality behind internal APIs, WordPress can now explain what it does, how to use it, and who is allowed to do so.
miniOrange’s adoption of Abilities API across our WordPress plugins ensures that identity and security workflows are ready for this new era. Administrators gain smarter tooling, AI assistants gain clarity and safety, and WordPress becomes a platform that AI can work with confidently.
Leave a Comment