Codevera AI Access Control

WordPress 7.0 introduced the Abilities API. Any active plugin can register an ability and the WordPress AI feature can then invoke it, consuming whatever credits or tokens your AI provider charges per call. By default every registered ability is exposed, and there is no built-in way to see what is exposed or to limit it.

Codevera AI Access Control adds a single settings screen that lists every plugin which has registered AI abilities, grouped by source plugin, and lets you allow or block each plugin as a whole or each individual ability.

How it works:

  1. The plugin watches every call to wp_register_ability() and records which plugin made the call.
  2. The Settings -> Codevera AI Access screen groups those abilities by source plugin so you can see at a glance what is exposed.
  3. Untick a plugin or a single ability and save. From the next request onwards, the AI feature can no longer see or invoke it.

Free:

  • Per-plugin and per-ability granular controls
  • Automatic detection of newly installed plugins that register AI abilities, with an in-admin notification so you can review them
  • Tamper-detect signature on the saved settings, with a fail-closed mode that blocks every non-core ability if the settings option is modified outside the plugin
  • Filter-level enforcement that neutralises a blocked ability before WordPress constructs it, plus a registry sweep that removes blocked abilities from the listings
  • Self-check that re-attaches the enforcement hooks on init, admin_init and rest_api_init if another plugin removes them
  • Search and filter inside each plugin card so large registries stay readable
  • No external requests, no telemetry, no licence checks
  • Works on multisite (per-site settings)
  • Translation ready

Works well for:

  • Sites where editorial staff use the WordPress AI feature and you want strict control over what context the AI can pull in
  • Agency sites where new plugins are installed regularly and you want to review their AI exposure before letting them in
  • Privacy-sensitive sites that need an explicit allow list of which plugins may expose data to an AI provider
  • Compliance-driven environments that need an auditable record of which plugins have been allowed to register AI abilities

Under the hood:

  • Uses only the official Abilities API surface: wp_register_ability_args, wp_abilities_api_init, wp_unregister_ability
  • Source attribution from debug_backtrace() of the file that called wp_register_ability, normalised to a plugin slug
  • HMAC-SHA256 signature on the settings option, keyed to a CVAIAC_SECRET constant or AUTH_SALT fallback
  • No frontend assets shipped, all code runs in admin and on the AI Abilities REST routes
  • No database tables, just two options in wp_options
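
The tamper-detect signature and fail-closed mode described above, as an added sketch that is not Codevera's own code. The function names, the payload/sig storage layout, the 'core' source slug and the sample ability names are assumptions; only CVAIAC_SECRET, AUTH_SALT and HMAC-SHA256 come from this page.

```php
<?php
// Added illustration, not the plugin's code. Names and layout are assumptions.

// Constructed stand-in so the script runs outside WordPress.
if (!defined('AUTH_SALT')) {
    define('AUTH_SALT', 'constructed-demo-salt-not-a-real-secret');
}

function demo_key(): string {
    // Per the page: CVAIAC_SECRET if defined, otherwise AUTH_SALT.
    return defined('CVAIAC_SECRET') ? CVAIAC_SECRET : AUTH_SALT;
}

// Sign the exact bytes that get stored, so verification needs no re-canonicalising.
function demo_sign(array $settings): array {
    $payload = json_encode($settings);
    return ['payload' => $payload, 'sig' => hash_hmac('sha256', $payload, demo_key())];
}

// Returns the trusted settings, or null when the stored value fails verification.
function demo_load($stored): ?array {
    if (!is_array($stored) || !isset($stored['payload'], $stored['sig'])
        || !is_string($stored['payload']) || !is_string($stored['sig'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $stored['payload'], demo_key());
    if (!hash_equals($expected, $stored['sig'])) { // constant-time comparison
        return null;
    }
    $settings = json_decode($stored['payload'], true);
    return is_array($settings) ? $settings : null;
}

// Fail closed: with untrusted settings, only core abilities stay allowed.
function demo_is_allowed(string $ability, string $source, ?array $settings): bool {
    if ($settings === null) {
        return $source === 'core';
    }
    return !in_array($source, $settings['blocked_plugins'] ?? [], true)
        && !in_array($ability, $settings['blocked_abilities'] ?? [], true);
}

// Constructed sample data: one blocked plugin, one blocked ability.
$stored = demo_sign(['blocked_plugins' => ['example-seo'],
                     'blocked_abilities' => ['example-forms/export']]);
var_dump(demo_is_allowed('example-shop/list-orders', 'example-shop', demo_load($stored)));

// Simulate a write to the option outside the plugin: the signature is now stale.
$stored['payload'] = json_encode(['blocked_plugins' => [], 'blocked_abilities' => []]);
var_dump(demo_is_allowed('example-shop/list-orders', 'example-shop', demo_load($stored)));
var_dump(demo_is_allowed('core/get-site-info', 'core', demo_load($stored)));
```

The second check shows the point of failing closed: an attempt to clear the block list by editing the option directly ends up blocking every non-core ability instead of unblocking anything.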

External Services & Privacy

This plugin does not contact any external service. It reads only local WordPress data. No telemetry, no analytics, no licence checks, no remote update checks beyond what WordPress core itself performs.

The plugin stores two options in the wp_options table:

  • cvaiac_settings – your allow and block selections, signed with an HMAC-SHA256 signature
  • cvaiac_ability_sources – a map of ability name to source plugin slug, populated automatically as plugins register their abilities
  • cvaiac_schema_version – an integer that records the storage format version, used for migration

No personal data, no visitor data, and no AJAX requests to remote services.

When the plugin is uninstalled, all three options are removed.

Support

Email info@codevera.ai for support, bug reports, or feature requests. Include your WordPress version, PHP version, a list of other plugins that register AI abilities, and a description of the issue with steps to reproduce.

Technical Requirements

Minimum:

  • WordPress 7.0 (required for the Abilities API)
  • PHP 7.4

Recommended:

  • WordPress 7.0 or higher
  • PHP 8.0 or higher

Privacy & Security

The plugin does not collect or transmit any personal data. The settings option is stored locally and signed with an HMAC keyed to a site-specific secret. The source-tracker option contains only plugin slugs and ability names that are already public to any code running on the site.

Form submissions use a nonce and require the manage_options capability. The enforcement hooks run on every request that loads the Abilities API, so blocking takes effect from the next request after a setting is saved.

This plugin defends against opportunistic interference such as another plugin writing directly to the settings option, removing the enforcement hooks, or re-registering an ability that has already been blocked. It does not claim to be a security boundary against a fully hostile plugin that has code execution in the same PHP process. The safest practice is still to only install plugins you trust.

Links

  • Website: https://codevera.ai
  • Support: info@codevera.ai

Details

Plugin code: codevera-ai-access-control
Plugin version: 1.1.4
Outdated: No
WP version: 7.0 or higher
PHP version: 7.4 or higher
Test up to WP version: 7.0
Total installations: 0
Last updated: 2026-05-13
Times rated: 0
Tags: abilities, admin, ai, privacy, security