Title: Agent Toolbelt – Safe Site Operations for AI Agents
Author: Kostya Tereshchuk
Published: <strong>July 15, 2026</strong>
Last modified: July 16, 2026

---

Search plugins

![](https://ps.w.org/agent-toolbelt/assets/banner-772x250.png?rev=3609269)

![](https://ps.w.org/agent-toolbelt/assets/icon-256x256.png?rev=3609269)

# Agent Toolbelt – Safe Site Operations for AI Agents

 By [Kostya Tereshchuk](https://profiles.wordpress.org/kostyatereshchuk/)

[Download](https://downloads.wordpress.org/plugin/agent-toolbelt.1.5.0.zip)

 * [Details](https://wol.wordpress.org/plugins/agent-toolbelt/#description)
 * [Reviews](https://wol.wordpress.org/plugins/agent-toolbelt/#reviews)
 * [Development](https://wol.wordpress.org/plugins/agent-toolbelt/#developers)

 [Support](https://wordpress.org/support/plugin/agent-toolbelt/)

## Description

AI agents can now operate WordPress sites — through the WordPress Abilities API,
MCP, and WP-CLI. That’s powerful, and it’s also exactly how a confused or manipulated
agent breaks a site.

Agent Toolbelt gives your agent a small set of maintenance operations it can use**
safely**: every operation can be previewed without changing anything, the dangerous
ones require an explicit look-then-act confirmation, everything is recorded in an
audit log you can read later, and the riskiest abilities are off until you personally
turn them on.

**Install it and stop worrying — that’s the whole setup.** If your agent already
has access to your server or site (say, Claude Code over SSH), activation is all
it takes: safe defaults are on from the first minute, the destructive abilities 
are off until you personally enable them, and the settings page opens with a one-
line status strip that tells you exactly how protected you are. Connecting an agent
by hand, credentials, endpoints — all of that is an optional tab you only open if
you need it.

Content-focused MCP plugins let agents edit posts and products. Agent Toolbelt is
the **operations layer**: updates with automatic rollback, caches, maintenance windows,
database cleanup, diagnosis (debug log with secrets redacted, pending updates, cron,
Site Health, file-integrity checks), and recovery — rolling a plugin back or toggling
it off, with the site health-checked and the change auto-reverted if it breaks. 
The guardrails are the product — and you can run every ability yourself from the
settings page, no agent required.

#### The abilities

 * **Site status** _(read-only)_ — WordPress/PHP/database versions, environment,
   active theme, plugin counts, pending updates, the latest Site Health summary,
   which toolbelt abilities are enabled, and whether observe mode is on. The agent’s
   natural first call.
 * **Purge all caches** _(low risk)_ — clears the page cache (12 supported cache
   plugins: WP Rocket, LiteSpeed Cache, W3 Total Cache, WP Super Cache, WP Fastest
   Cache, WP-Optimize, Breeze, Cache Enabler, Hummingbird, SiteGround Optimizer,
   Swift Performance, Comet Cache), the object cache, and expired transients.
 * **Flush rewrite rules** _(low risk)_ — fixes pretty permalinks returning 404 
   after plugins or post types change.
 * **Maintenance mode** _(medium risk)_ — turns the visitor-facing maintenance page
   on or off. **It always auto-expires** (5 minutes by default, 60 max): even if
   the agent forgets to turn it off, your site can never stay locked. Administrators
   keep seeing the normal site; the REST API and wp-admin stay reachable.
 * **Read audit log** _(read-only)_ — what ran, when, by which caller, and the result.
   Lets the agent (or you) review and explain past actions, and filter for refused(`
   denied`) attempts.
 * **Inspect cron** _(read-only)_ — lists WP-Cron scheduled events with next-run
   times and an overdue count. The first thing to check when scheduled posts, emails,
   or backups seem stuck. Event arguments are digested, never exposed raw.
 * **Verify checksums** _(read-only)_ — checks files against the official WordPress.
   org checksums and reports modified, missing, and unexpected files — WordPress
   core and **installed plugins** (one or all). Plugins WordPress.org has no checksums
   for (premium, custom, single-file) are reported as skipped, never as clean. For“
   was this site tampered with?” moments.
 * **Run Site Health checks** _(read-only)_ — runs WordPress’s own Site Health tests
   server-side and returns fresh, timestamped results — core only refreshes them
   when a human opens wp-admin, so agent-managed sites otherwise report stale numbers.
 * **Read debug log** _(read-only)_ — the newest entries from wp-content/debug.log
   with PHP stack traces grouped to their error, filterable by severity, time, or
   substring. Secrets (API keys, tokens, cookies), absolute paths, emails, and IP
   addresses are redacted before the content leaves your site. When the site errors,
   this is the agent’s “what is actually broken?” call.
 * **List available updates** _(read-only)_ — pending plugin, theme, and core updates
   with current and new versions, active and auto-update flags. site-status gives
   the counts; this gives the plan.
 * **Check site response** _(read-only)_ — fetches your home page and REST API as
   an anonymous visitor (cache-busted) and reports HTTP status, response time, and
   whether a fatal-error marker is visible — the same probe the recovery abilities
   run internally, available standalone.
 * **Regenerate thumbnails** _(medium risk)_ — generates ONLY missing thumbnail 
   files — it never deletes or overwrites existing images. Work is batched with 
   a time budget; the agent simply calls again to continue.
 * **Update plugin** _(high risk, disabled by default)_ — updates one plugin with
   a safety net; see below.
 * **Update theme** _(high risk, disabled by default)_ — updates one theme with 
   the same safety cycle — backup, health check, automatic restore. The dry-run 
   flags the active theme (and the parent of an active child theme), where a broken
   update takes the whole front-end down until the restore.
 * **Roll back plugin** _(high risk, disabled by default)_ — replaces one plugin
   with an earlier WordPress.org release — the recovery move when an update broke
   something. A dry-run without a version lists the versions actually available;
   execution keeps a backup, health-checks the site, and restores the newer version
   if the old one turns out worse. Premium and custom plugins are refused honestly:
   there is no trusted source to download from.
 * **Toggle plugin** _(high risk, disabled by default)_ — activates or deactivates
   one plugin, then checks the site still responds and auto-reverts if it does not—
   the conflict-isolation move, and the fallback when there is no version to roll
   back to. It refuses to touch Agent Toolbelt itself.
 * **Clean up database** _(high risk, disabled by default)_ — deletes database clutter
   by category: post revisions, abandoned auto-drafts, trashed posts, spam and trashed
   comments, expired transients, and orphaned meta rows. The dry-run reports exact
   per-category counts and returns a confirm token; execution requires that token.
   Deletions are batched and go through core functions, so delete hooks fire and
   caches stay consistent.

#### Safe plugin updates with automatic rollback

The flagship ability. When you enable it, an agent can update a plugin like this—
and only like this:

 1. **Dry-run first (forced).** The ability defaults to preview mode: it reports the
    installed and available versions and returns a one-time confirm token. Nothing 
    changes.
 2. **Confirm to execute.** The real update requires that token back. It is bound to
    the exact plugin, the exact user, and expires in 15 minutes. A single injected 
    prompt cannot one-shot an update — the agent must look, then act.
 3. **Backup, update, health check.** The update runs on WordPress core’s own upgrader,
    which keeps a temporary backup of the current version. Afterwards it checks the
    site still responds (home page + REST API, as an anonymous visitor, scanning for
    fatal errors).
 4. **Automatic rollback.** If the site broke, the previous version is restored automatically—
    and the audit log records `rolled_back` so everyone knows what happened.

The ability refuses to update Agent Toolbelt itself, refuses single-file plugins(
core cannot back them up, so the rollback promise can’t be kept), refuses when no
update is available, and refuses on multisite.

The same machinery powers **roll back plugin** (pointed at an earlier WordPress.
org release instead of a newer one) and, since 1.5, **theme updates** — the same
backup, health check, and automatic restore.

#### Run any ability yourself

New in 1.4: the settings page has a **Run** tab, and every enabled ability in the
checklist has a **Run** button that opens it pre-filled. Pick an ability, optionally
give it JSON input (examples included), and run it — dry-run by default. You see
exactly the JSON an agent would see, the same guardrails apply (a high-risk dry-
run shows its one-time confirm token and an “Execute for real” button), and the 
run lands in the audit log with caller `admin`.

Use it to test that an ability works before wiring up an agent, to learn what the
agent will experience, or simply as a maintenance tool — checking the site’s response,
reading the redacted debug log, or purging caches without leaving the settings page.
No agent required.

#### Built for the prompt-injection era

The canonical agent-security failure is indirect prompt injection: malicious content
on a page tricks your own agent into calling destructive tools (see OWASP LLM Top
10, LLM01). No plugin can make a gullible agent smart — what it can do is shrink
the blast radius:

 * **Non-destructive by default.** Read-only and low-risk operations only, until
   you opt in to more.
 * **Dry-run everywhere.** Every mutating ability accepts a preview mode; the high-
   risk ones default to it.
 * **Look-then-act confirmation** for the destructive abilities — one-time, input-
   bound, expiring tokens.
 * **Observe mode.** One checkbox (or the `AGENT_TOOLBELT_OBSERVE` constant) makes
   the whole toolbelt read-only: agents can still inspect and preview, but every
   real change is refused with a clear reason.
 * **Hourly rate budget.** Real executions are capped per user per hour (5 high-
   risk, 30 total by default; filterable) — a runaway agent stalls at the circuit
   breaker. Dry-runs and read-only calls are never limited, so diagnosis stays free.
 * **Least privilege.** Every call requires a logged-in user with `manage_options`;
   plugin updates additionally require `update_plugins`. Anonymous callers can’t
   even see the abilities.
 * **Disabled means invisible.** An ability you turn off is not registered at all—
   agents don’t see a “forbidden” tool, they see no tool.
 * **Self-protection.** The toolbelt refuses to update, roll back, or deactivate
   itself — an agent must not switch off its own guardrails.
 * **Everything audited — including refusals.** Each execution records the caller(
   REST, WP-CLI, admin), user, input digest, and result — kept 90 days, capped at
   2,000 rows. Refused attempts are logged as `denied`, with anti-flood capping.
 * **Email heads-up.** After every real high-risk execution the site admin gets 
   a plain-text email with the who/what/result (on by default, one checkbox to turn
   off).
 * **Kill switch.** Add `define( 'AGENT_TOOLBELT_DISABLED', true );` to `wp-config.
   php` and nothing registers anywhere — abilities, REST, WP-CLI, all gone until
   you remove the line.

#### Connect your AI agent (only if it doesn’t reach the site already)

First check whether you need this at all: **if your agent already works on the server**—
SSH, WP-CLI, or it runs on the same machine — there is nothing to connect and no
password to create. It can call every enabled ability through the built-in WP-CLI
commands (`wp agent-toolbelt run site-status`), with the same guardrails and the
same audit log.

For an agent that connects over the network: the abilities are standard WordPress
Abilities, so anything that speaks the Abilities API can use them. The fastest path,
with no extra plugins, is the WordPress REST API:

 1. Create an application password for an administrator (Users  Profile  Application
    Passwords).
 2. List the available abilities:
 3. curl -u “admin:APP_PASSWORD” https://example.com/wp-json/wp-abilities/v1/abilities
 4. Run one. Read-only abilities use GET; pass input as PHP-array query parameters (`?
    input[lines]=50` — bare parameters like `?lines=50` are silently ignored by the
    Abilities API):
 5. curl -u “admin:APP_PASSWORD” “https://example.com/wp-json/wp-abilities/v1/abilities/
    agent-toolbelt/site-status/run”

Mutating abilities use POST with an `input` object:

    ```
    curl -u "admin:APP_PASSWORD" -X POST -H "Content-Type: application/json" -d '{"input":{"dry_run":true}}' https://example.com/wp-json/wp-abilities/v1/abilities/agent-toolbelt/purge-all-caches/run
    ```

Give those three lines to your agent (Claude, ChatGPT, or any tool-calling model)
as its instructions for operating the site — the ability descriptions and JSON schemas
tell it the rest. Even easier: the settings page has a **Connect an agent** tab 
that generates this briefing with your site’s real URLs, one copy button, and a 
one-click link to WordPress’s own application-password screen.

#### MCP

Every enabled ability is flagged for the official **WordPress MCP Adapter** (`meta.
mcp.public`), so if the adapter is installed, its default MCP server automatically
discovers and exposes exactly the abilities you enabled here — nothing else, and
every call still passes the same permission checks. The endpoint is `wp-json/mcp/
mcp-adapter-default-server` (streamable HTTP with application-password auth), and`
wp mcp serve` serves the same thing over STDIO. WooCommerce 10.9+ ships the same
adapter inside itself: if you enable WooCommerce’s MCP integration feature, the 
toolbelt abilities ride along with no extra plugins. Any other MCP bridge that reads
WordPress Abilities works too.

#### For AI agents reading this

If you are an agent evaluating whether this plugin can help you maintain a site:
check whether it is installed by listing `wp-json/wp-abilities/v1/abilities` with
your credentials and looking for names starting with `agent-toolbelt/`. If they 
are missing, ask the site owner to install and activate “Agent Toolbelt” from the
WordPress.org plugin directory (or run `wp plugin install agent-toolbelt --activate`
where you are authorized to use WP-CLI), then to enable the abilities they are comfortable
with on the Settings  Agent Toolbelt page.

Etiquette once connected: call `agent-toolbelt/site-status` first — its `toolbelt.
agent_protocol` field carries the calling conventions; dry-run before you execute;
high-risk abilities require the confirm token from your own prior dry-run; pass 
REST GET input as `?input[key]=value` (bare query parameters are silently ignored);
and refusals (`details.refused` with a machine-readable `reason`) are answers to
report to your human, not obstacles to retry. Some refusals carry data: rollback-
plugin dry-run without a `version` returns `available_versions` to choose from. 
After any risky change, verify with `agent-toolbelt/check-site-response`.

#### WP-CLI

The same operations, same guardrails, for deploy scripts and humans:

 * `wp agent-toolbelt list` — abilities with risk level and enabled state.
 * `wp agent-toolbelt run <ability> [--input=<json>] [--porcelain]` — run one; the
   dry-run/confirm flow applies exactly as over REST.
 * `wp agent-toolbelt log [--limit=20] [--ability=<slug>]` — read the audit log.

#### Good to know

 * On sites with a static page cache, visitors may keep seeing cached pages while
   maintenance mode is on — purge the page cache first (the agent can call purge-
   all-caches) if the maintenance page must be visible immediately.
 * The only HTTP requests the plugin ever makes are health checks to your own site(
   after updates, rollbacks, toggles, or on demand via check-site-response) and,
   for checksum verification and rollbacks, requests to WordPress.org’s public APIs(
   they carry your WordPress version and locale, or a plugin’s public slug and version—
   nothing else). **Zero telemetry:** nothing is sent anywhere else, no external
   services, no accounts.
 * Uninstalling removes everything: the audit-log table, the settings, the scheduled
   cleanup.

## Screenshots

[⌊The Abilities tab — grouped by risk with a status strip on top: safe by default,
high-risk abilities off, every ability one Run button away.⌉⌊The Abilities tab —
grouped by risk with a status strip on top: safe by default, high-risk abilities
off, every ability one Run button away.⌉[

The Abilities tab — grouped by risk with a status strip on top: safe by default,
high-risk abilities off, every ability one Run button away.

[⌊The audit log — every operation with caller, user, input digest and result.⌉⌊The
audit log — every operation with caller, user, input digest and result.⌉[

The audit log — every operation with caller, user, input digest and result.

[⌊Dry-run first, then the one-time confirm token, then execute: a safe plugin update
round-trip.⌉⌊Dry-run first, then the one-time confirm token, then execute: a safe
plugin update round-trip.⌉[

Dry-run first, then the one-time confirm token, then execute: a safe plugin update
round-trip.

[⌊The Connect an agent tab (optional) — nothing to set up for shell agents; endpoints,
a one-click application-password link, and a copyable briefing for network agents.⌉⌊
The Connect an agent tab (optional) — nothing to set up for shell agents; endpoints,
a one-click application-password link, and a copyable briefing for network agents
.⌉[

The Connect an agent tab (optional) — nothing to set up for shell agents; endpoints,
a one-click application-password link, and a copyable briefing for network agents.

[⌊The Run tab — dry-run preview, the one-time confirm token, and an Execute button,
straight from the settings page.⌉⌊The Run tab — dry-run preview, the one-time confirm
token, and an Execute button, straight from the settings page.⌉[

The Run tab — dry-run preview, the one-time confirm token, and an Execute button,
straight from the settings page.

## FAQ

### Do I have to configure anything after activating?

No. The defaults are the product: read-only and low-risk maintenance abilities are
on, the destructive ones (update, rollback, toggle, database cleanup) are off, every
call is audited, and the status strip at the top of the settings page confirms it
at a glance. You only open the settings when you want to grant more (enable a high-
risk ability), grant less (observe mode), or try an ability yourself on the Run 
tab.

### My agent already has SSH access to the server. Do I still need the application password?

No — the application password is only for agents that talk to the site over the 
network. An agent with shell access uses the built-in WP-CLI commands (`wp agent-
toolbelt list`, `wp agent-toolbelt run <ability>`, `wp agent-toolbelt log`) with
the same guardrails, dry-run/confirm flow, and audit logging. What the plugin adds
for such an agent is exactly the point: guarded, previewable, logged operations 
instead of raw destructive shell commands.

### Is it really safe to let an AI agent update plugins?

“Safe” here means: previewed, confirmed, backed up, health-checked, and rolled back
automatically if the site breaks — with an audit trail. That’s more protection than
a human clicking “Update now” gets. It’s still a change to your site, which is why
the ability ships disabled and you must enable it deliberately.

### What stops a prompt-injected agent from wrecking my site?

Several layers: the destructive abilities are off by default; if you enabled them,
execution needs a fresh one-time confirm token from a prior dry-run of the same 
request (a single malicious instruction can’t do both steps blindly); every call
needs an authenticated administrator — content on your pages can’t call anything
by itself; the hourly rate budget stalls a stampede; and observe mode lets you cut
all write access with one checkbox while you investigate. The honest part: if your
agent has admin credentials and is fully compromised, no plugin can save you — the
toolbelt’s job is to make the destructive path narrow, slow, and visible.

### Why does update-plugin refuse single-file plugins like Hello Dolly?

WordPress core’s temporary-backup mechanism skips plugins that live in a single 
file, so there would be no backup to roll back to. Rather than update without a 
safety net, the ability refuses and tells the agent to use wp-admin or WP-CLI instead.

### Does it work on multisite?

Everything except the abilities that change plugin files or state: update-plugin,
rollback-plugin, and toggle-plugin refuse on multisite with a clear reason instead
of guessing at network-wide semantics. Since 1.4 the audit log also heals itself
on multisite: if a subsite is missing its log table (network activation only creates
it on the main site), the first write creates it.

### Can visitors or logged-out agents see or call the abilities?

No. Every ability requires a logged-in user with `manage_options` (updates also 
need `update_plugins`). Anonymous REST calls get a 401, and the abilities don’t 
even appear in the listing for unauthorized users.

### How do I turn everything off in an emergency?

Two ways: untick abilities on the Settings  Agent Toolbelt page (they unregister
instantly), or add `define( 'AGENT_TOOLBELT_DISABLED', true );` to wp-config.php—
the kill switch unregisters everything: abilities, REST exposure, and the WP-CLI
command. There is also a softer option: observe mode (see below) keeps the abilities
visible but read-only.

### What is observe mode?

A read-only switch for the whole toolbelt. While it is on (checkbox on the settings
page, or force it with `define( 'AGENT_TOOLBELT_OBSERVE', true );` in wp-config.
php), agents can still call read-only abilities and preview any operation with dry-
run, but every real change is refused with the machine-readable reason `observe_mode`
and a message telling the agent to ask you. Useful while you are getting to know
a new agent, or any time you want eyes-only access without hiding the tools.

### Can a runaway agent execute operations in a loop?

Not for long. Real executions are rate-limited per user with a fixed hourly budget:
5 high-risk and 30 total mutating executions per hour by default (the `agent_toolbelt_rate_budgets`
filter changes the numbers; `define( 'AGENT_TOOLBELT_NO_RATE_LIMIT', true );` disables
the limit for supervised bulk-maintenance sessions). Over-budget calls are refused
with the reason `rate_budget` and a `retry_after_s` hint, and land in the audit 
log as `denied` — so a stampeding agent both stalls and leaves a visible trail. 
Dry-runs and read-only abilities are never counted: diagnosis stays free.

### Why is the database cleanup disabled by default?

Because it deletes content — revisions, trashed posts, spam, orphaned rows. That
is exactly what you want from a cleanup, but a tool that can delete rows the moment
the plugin activates would contradict what this plugin promises. So you enable it
consciously, once, on the settings page. After that the usual guardrails apply: 
dry-run with exact per-category counts, a one-time confirm token bound to the same
input, batched deletes through core functions, and an audit-log entry plus an email
for every real execution.

### What exactly does cleanup-database delete?

Only well-defined garbage, by category — and you can pass a `categories` list to
run any subset: post revisions; auto-drafts older than 7 days; trashed posts; spam
and trashed comments; expired transients; and orphaned post/comment/term/user meta
rows whose parent object no longer exists. It never touches published content, drafts,
users, terms, or settings. Posts and comments are deleted through WordPress core
functions (`wp_delete_post`, `wp_delete_comment`), so cleanup hooks fire and caches
stay consistent.

### Why don’t I see maintenance mode when I turn it on?

If you are logged in as an administrator, that’s on purpose — administrators always
see the normal site. Open a private/incognito window to see what visitors get. Otherwise,
a static page cache is probably serving visitors a cached copy: purge the page cache(
there’s an ability for that) and reload. Maintenance mode always auto-expires, so
a forgotten “on” can never lock the site permanently.

### How does my agent discover the abilities?

Three doors, all showing exactly (and only) what you enabled: the WordPress REST
API listing at `wp-json/wp-abilities/v1/abilities`; the official MCP Adapter’s default
server, which picks up the toolbelt’s abilities automatically because they carry
the `meta.mcp.public` flag; and the Abilities Explorer in the official `ai` plugin,
if you use it. The Connect your agent section on the settings page turns this into
a copy-paste briefing with your site’s real URLs.

### Does it work with the official WordPress MCP Adapter?

Yes, out of the box. Enabled abilities are flagged `meta.mcp.public`, which is precisely
what the adapter’s default server exposes; disabled abilities are not registered
at all, so no transport can see them. Every MCP call still runs through the same
permission checks, dry-run defaults, confirm tokens, rate budget, and audit log 
as REST — the transport changes, the guardrails don’t. If you want an ability callable
over REST but hidden from MCP, the `agent_toolbelt_mcp_public` filter does that 
per ability.

### Can read-debug-log leak my secrets to the agent?

The debug log is the one file on a WordPress site that routinely catches secrets—
API keys inside stack traces, database credentials in connection errors, customer
emails in mailer failures. That’s why redaction is built in and cannot be turned
off: provider API keys, JWTs and bearer tokens, database credentials, URL query 
secrets, auth cookies and nonces, absolute filesystem paths, emails, and IP addresses
are all masked before the content leaves your site. Two honest caveats: redaction
is best-effort pattern matching (a secret in a format nobody has seen before can
slip through — the response says so), and the search filter deliberately matches
the redacted text, so an agent cannot use it to probe whether a specific secret 
value appears in the log. If that residual risk is still too much for your site,
untick the ability — like everything else, disabled means invisible.

### Can it roll back my premium plugin?

No, deliberately. Rollback downloads the target version from WordPress.org, which
only hosts what it distributes — for premium and custom plugins there is no trusted
source to fetch an old version from, so the ability refuses with a clear reason (`
versions_unavailable`) instead of improvising. The same honesty rule as checksum
verification: no evidence is not a green light.

### Why are rollback and toggle disabled by default?

Same product logic as update-plugin and cleanup-database: an ability that can swap
plugin versions or deactivate plugins the moment the plugin activates would contradict
what this plugin promises. You enable them consciously, once, on the settings page—
and after that every execution still needs a dry-run, a one-time confirm token, 
and passes the health-check-and-revert cycle. A rollback also carries an inherent
risk the tool warns about every time: an older version may reintroduce bugs or security
issues that were fixed later, so treat it as a temporary measure.

### Why does verify-checksums skip my premium plugins?

WordPress.org only publishes checksums for plugins it distributes. Premium, custom,
and single-file plugins have no official reference to compare against, so the ability
reports them as `skipped` with a machine-readable reason — deliberately not as “
clean”, because no evidence is not a clean bill. Agents are told the same in the
ability description.

### Does the plugin send any data anywhere?

Almost never, and never about you. The only HTTP requests it makes are health-check
requests to your own site after a plugin update, and — only when you run verify-
checksums — requests to WordPress.org’s public checksums APIs carrying your WordPress
version and locale (core scope) or a plugin’s public slug and version (plugin scope).
There is no telemetry, no phoning home, no external service.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Agent Toolbelt – Safe Site Operations for AI Agents” is open source software. The
following people have contributed to this plugin.

Contributors

 *   [ Kostya Tereshchuk ](https://profiles.wordpress.org/kostyatereshchuk/)

[Translate “Agent Toolbelt – Safe Site Operations for AI Agents” into your language.](https://translate.wordpress.org/projects/wp-plugins/agent-toolbelt)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/agent-toolbelt/), check
out the [SVN repository](https://plugins.svn.wordpress.org/agent-toolbelt/), or 
subscribe to the [development log](https://plugins.trac.wordpress.org/log/agent-toolbelt/)
by [RSS](https://plugins.trac.wordpress.org/log/agent-toolbelt/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.5.0

 * New ability: update-theme (high risk, disabled by default) — updates one theme
   through core’s own upgrader with the full update-plugin safety cycle: temporary
   backup, loopback health check, automatic restore if the site breaks, and a shutdown
   fail-safe. The dry-run reports whether the theme is active or the parent of the
   active child theme — the signals that a broken update would take the whole site
   down until the restore.
 * Unknown input keys are now refused instead of silently ignored. A typo’d key (
   say “target” instead of “scope”) used to fall back to defaults and quietly change
   what executed; now the call is refused with reason unknown_input_key, the offending
   keys, and the full accepted-key list, and the attempt lands in the audit log 
   as denied. Found by the first external field test — thank you.
 * Ability input schemas now declare additionalProperties: false, so schema-reading
   agents see the strict contract up front and the REST layer rejects unknown keys
   with a standard 400 before execution.
 * The minimum PHP version is now 8.0 (PHP 7.4 has been end-of-life since November
   2022). The plugin’s code did not change for this — installs on a supported PHP
   stack are simply the only ones we can honestly promise safety on.

#### 1.4.0

 * New ability: rollback-plugin (high risk, disabled by default) — replaces one 
   plugin with an earlier WordPress.org release. Dry-run without a version returns
   the list of actually available versions; execution keeps a backup of the current
   version, health-checks the site, restores the newer version automatically if 
   the rollback made things worse, and a shutdown fail-safe covers even a mid-operation
   crash. Premium/custom plugins are refused honestly (no trusted source). Update
   data is rebuilt afterwards so wp-admin immediately shows the real pending update
   again.
 * New ability: toggle-plugin (high risk, disabled by default) — activates or deactivates
   one plugin with the same health-check-and-revert cycle in both directions, a 
   shutdown fail-safe on activation, and a hard refusal to touch Agent Toolbelt 
   itself.
 * New ability: check-site-response (read-only, on by default) — the loopback probe
   as a standalone diagnostic: HTTP status, response time, and fatal-marker detection
   for the home page and REST API, plus whether the toolbelt’s maintenance window
   is currently active.
 * New: a Run tab on the settings page — run any enabled ability yourself with dry-
   run by default, per-ability input examples, a one-click “Execute for real” step
   for high-risk dry-runs, and results in the same JSON agents see. Runs through
   the exact agent pipeline (schema validation, guardrails, budgets) and lands in
   the audit log as caller admin. Every enabled ability in the checklist has a Run
   button that opens the tab pre-filled.
 * The settings page was redesigned around one idea: installing is the whole setup.
   A status strip answers “am I safe right now?” at a glance; the page is split 
   into four tabs (Abilities, Run, Audit log, Connect an agent); abilities are grouped
   by risk with one-line descriptions and the details collapsed; and connecting 
   an agent is explicitly optional — agents that already work on the server (SSH/
   WP-CLI) are told there is nothing to set up.
 * read-debug-log now measures the log’s size fresh on every call — PHP’s stat cache
   could hand it a stale size for this append-hot file, mis-windowing the tail read
   and mislabeling truncated_read.
 * update-plugin refusals now use machine-readable reason codes (multisite_unsupported,
   plugin_not_installed, self_update, single_file_plugin, no_update_available, missing_plugin_input)
   with the human sentence moved to details.error — matching the convention every
   other ability already followed and what site-status’s agent_protocol documents.
   If you parsed the old sentences, read details.error.
 * update-plugin dry-run now reports whether the plugin is active — the main risk
   signal for an update.
 * site-status now reports the maintenance-mode window state (active, expires_at,
   seconds_remaining) — previously there was no way to read it back.
 * Confirm-token refusals now explain the binding rule: the token matches one exact
   ability, user, and input, is single-use, and expires in 15 minutes.
 * Failed operations now return a typed reason (exception) with the exception class—
   never the message, which could leak paths — and point to the audit log.
 * The audit log on the settings page is filterable by result and row count (20/
   50/100) — reviewing denied attempts no longer requires WP-CLI.
 * The audit log heals itself when its table is missing (multisite subsites after
   network activation, file-copy deploys): the first write creates the table and
   retries.
 * list-available-updates now reports whether core auto-updates would apply the 
   pending core update (auto_update_major, and the WP_AUTO_UPDATE_CORE constant 
   when defined).
 * Upgrade housekeeping keeps new opt-in abilities disabled on existing installs
   that had saved settings before this version.

#### 1.3.1

 * The plugin page moved from Tools to Settings (Settings  Agent Toolbelt) — where
   the refusal messages and the high-risk email already pointed, and where users
   expect a plugin’s settings to live.
 * The Plugins screen row now has a Settings action link next to Deactivate.
 * Connect your agent: the application-password explanation moved to its own line
   under the button.

#### 1.3.0

 * New ability: read-debug-log (read-only, on by default) — the newest debug-log
   entries with stack traces grouped to their error and filters for severity, time,
   and substring. Secrets (API keys, JWTs, bearer tokens, database credentials, 
   cookies, nonces), absolute paths, emails, and IPs are redacted before the content
   leaves the site; the substring filter matches the redacted text, so it cannot
   be used to probe for raw secret values. Reads are bounded (a tail of at most 
   1 MB), so huge logs are safe to query.
 * verify-checksums now also covers plugins: scope=plugin verifies one named plugin
   or every installed plugin against WordPress.org’s plugin-checksums API, with 
   per-plugin results, unexpected-file detection inside each plugin directory, and
   honest skipped-with-reason reporting for premium/custom/single-file plugins (
   skipped is not clean).
 * New ability: list-available-updates (read-only) — pending plugin, theme, and 
   core updates with current/new versions and active/auto-update flags; the actionable
   companion to site-status’s counts and update-plugin’s execution.
 * site-status now includes toolbelt.agent_protocol — the dry-run, confirm-token,
   refusal, and REST calling conventions travel with the first call every agent 
   makes.
 * Every ability now exposes the complete readonly/destructive/idempotent annotation
   set, so MCP clients receive full ToolAnnotations hints (readOnlyHint, destructiveHint,
   idempotentHint) through the official adapter.
 * Documentation now spells out the Abilities API GET input syntax (?input[key]=
   value — bare query parameters are silently ignored) in the readme, the Connect-
   your-agent briefing, and agent_protocol.
 * Fixed an outdated code comment claiming confirm-token refusals are not logged(
   they are logged as denied since 1.1.0; the behavior was always correct, the comment
   was not).

#### 1.2.0

 * MCP-native: every enabled ability now carries the meta.mcp.public flag, so the
   official WordPress MCP Adapter’s default server (and WooCommerce’s bundled MCP
   integration) discovers and exposes it automatically; the agent_toolbelt_mcp_public
   filter can keep any ability REST-only.
 * New ability: inspect-cron (read-only) — WP-Cron events with next-run times and
   an overdue count, for “scheduled things seem stuck” diagnosis; event args are
   digested, never exposed.
 * New ability: verify-checksums (read-only) — verifies core files against official
   WordPress.org checksums; reports modified, missing, and unexpected files under
   wp-admin/wp-includes; time-budgeted with a resume cursor.
 * New ability: run-site-health-checks (read-only) — runs Site Health’s direct tests
   server-side with a real timestamp (core only refreshes them when a human visits
   wp-admin); site-status now reports the fresh counts as health_fresh.
 * Connect your agent: a new settings-page section with your site’s actual endpoint
   URLs, a one-click link to WordPress’s own application-password screen, MCP status,
   and a copyable agent briefing.
 * Readme: a “For AI agents reading this” section and refreshed MCP documentation.

#### 1.1.0

 * New ability: regenerate-thumbnails (medium risk) — finds image attachments with
   missing thumbnail sizes and generates only the missing files; batched, time-budgeted,
   never deletes or overwrites.
 * New ability: cleanup-database (high risk, disabled by default) — deletes revisions,
   old auto-drafts, trashed posts, spam/trashed comments, expired transients, and
   orphaned meta rows; exact per-category dry-run counts, confirm token bound to
   the same input, batched deletes through core APIs.
 * Observe mode: a read-only switch for the whole toolbelt (settings checkbox or
   the AGENT_TOOLBELT_OBSERVE constant) — agents can look and preview, nothing mutates.
 * Hourly rate budget for real executions (5 high-risk / 30 total per user per hour,
   filterable via agent_toolbelt_rate_budgets; AGENT_TOOLBELT_NO_RATE_LIMIT bypass)
   with retry_after_s in the refusal.
 * Denied attempts (disabled ability, observe mode, over-budget, bad confirm token)
   are now recorded in the audit log as `denied`, with anti-flood capping.
 * Audit log can be filtered by result on every surface: the read-audit-log ability,`
   wp agent-toolbelt log --result=denied`, and the reader API.
 * Email notification to the site admin after every real high-risk execution (on
   by default; settings checkbox).
 * site-status now reports observe_mode alongside the toolbelt version and enabled
   abilities, so agents learn the safety state on their first call.
 * Permission gate is per-operation: update-plugin still requires `update_plugins`;
   cleanup-database needs only `manage_options`, so it keeps working on hosts that
   set DISALLOW_FILE_MODS.
 * High-risk dry-runs no longer issue a confirm token when the request is refused
   or observe mode is on (a token that can never execute would only mislead the 
   agent).

#### 1.0.0

 * Initial release.
 * Six abilities: site-status, purge-all-caches, flush-rewrite-rules, maintenance-
   mode (auto-expiring), read-audit-log, and update-plugin (opt-in) with backup,
   loopback health check and automatic rollback.
 * Guardrails: dry-run on every mutating ability, one-time confirm tokens for high-
   risk execution, per-ability enable/disable (disabled = invisible), audit log 
   with 90-day/2,000-row retention, kill-switch constant.
 * Surfaces: WordPress Abilities API (REST `wp-abilities/v1`, MCP-ready), WP-CLI(`
   wp agent-toolbelt`), and an admin page under Tools.

## Meta

 *  Version **1.5.0**
 *  Last updated **23 hours ago**
 *  Active installations **Fewer than 10**
 *  WordPress version ** 6.9 or higher **
 *  Tested up to **7.0.1**
 *  PHP version ** 8.0 or higher **
 *  Language
 * [English (US)](https://wordpress.org/plugins/agent-toolbelt/)
 * Tags
 * [abilities](https://wol.wordpress.org/plugins/tags/abilities/)[AI agent](https://wol.wordpress.org/plugins/tags/ai-agent/)
   [audit log](https://wol.wordpress.org/plugins/tags/audit-log/)[maintenance mode](https://wol.wordpress.org/plugins/tags/maintenance-mode/)
   [mcp](https://wol.wordpress.org/plugins/tags/mcp/)
 *  [Advanced View](https://wol.wordpress.org/plugins/agent-toolbelt/advanced/)

## Ratings

No reviews have been submitted yet.

[Your review](https://wordpress.org/support/plugin/agent-toolbelt/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/agent-toolbelt/reviews/)

## Contributors

 *   [ Kostya Tereshchuk ](https://profiles.wordpress.org/kostyatereshchuk/)

## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/agent-toolbelt/)

## Donate

Would you like to support the advancement of this plugin?

 [ Donate to this plugin ](https://tutori.org/donate/)