12 April 2026

WordPress 7.0 Lets Any Plugin Use AI Through Your API Key. There Is No Spend Limit in Core.

WordPress 7.0 ships a Connectors API, a built-in AI Client, and an Abilities API. Configure your API key once, and every plugin on your site can use it. The catch: core has no per-plugin budget cap, no rate limit, no monthly ceiling.

Mark McNeece Founder & Lead Developer

Key Points

  • WordPress 7.0 ships a Connectors API, AI Client, and Abilities API for built-in AI support
  • Official provider plugins for Anthropic (Claude), Google, and OpenAI ship alongside core
  • Configure your API key once in Settings > Connectors, and every plugin can use it
  • Core has no per-plugin budget, rate cap, or monthly spending ceiling
  • Set spend limits on your provider dashboard before entering any API key into WordPress
  • API keys stored in the database are not encrypted (store in env vars or PHP constants instead)

WordCamp Asia 2026 wrapped on Friday in Mumbai with 2,281 attendees and one theme running through every session: AI. WordPress 7.0 was supposed to launch live at the event. It didn't (we covered the delay). But while the tech press fixates on the release date, the bigger story is what ships when 7.0 finally lands. WordPress is becoming an AI platform. A new Connectors API, a built-in AI Client, and an Abilities API will let any plugin talk to OpenAI, Anthropic, or Google through your site's shared API credentials. And right now, core ships no mechanism to cap what a plugin can spend.

WordPress 7.0's Connectors API lets site owners configure AI providers once. Every plugin on the site shares that single connection.

How WordPress 7.0's AI Infrastructure Works

WordPress 7.0 introduces three new systems that work together. The Connectors API adds a Settings > Connectors screen to the WordPress admin where you configure your AI provider API keys once. Official provider plugins for Anthropic (Claude), Google, and OpenAI ship alongside core. Community-built connectors for Ollama, OpenRouter, and Mistral already exist. Configure a key, and every plugin on your site can use it.

The AI Client is the developer-facing layer. Plugin authors call wp_ai_client_prompt() and get text generation, image generation, structured JSON responses, or speech synthesis through a clean, provider-agnostic interface. They don't handle your credentials. They don't even need to know which provider you've chosen. The function takes a prompt and returns a result. It supports model preference fallback chains, so a plugin can request Claude first, fall back to GPT if unavailable, and keep working regardless.

The Abilities API (client-side JavaScript landing in 7.0, PHP side already in 6.9) lets plugins register capabilities with schemas and permissions. This is the foundation for browser agents and WebMCP integration: AI services will be able to discover what your WordPress site can do and interact with it programmatically.

For WordPress developers, this is a genuine step change. Before 7.0, every AI plugin reinvented the same settings page, the same key management, the same provider wrappers. That fragmentation is over.

As Felix Arntz, who authored the AI Client proposal on Make WordPress Core, put it: the system "allows arbitrary prompt execution" but "requires a high-privilege capability check, which by default is only granted to administrators." That's a sensible baseline for who can trigger AI calls from the browser. It does not, however, address what happens when server-side plugin code fires prompts without a human in the loop.

With no per-plugin budget cap in core, a misconfigured plugin can generate significant API costs before you notice.

The Budget Problem Nobody Is Raising

Once you enter your API key in Settings > Connectors, every active plugin can call wp_ai_client_prompt(). There is no per-plugin budget. No request-rate cap. No monthly spending ceiling anywhere in core.

The wp_ai_client_prevent_prompt filter lets you block prompts by user capability (admin only, for example). It does not limit volume or cost. A plugin that fires an AI prompt on every page load, one that runs batch processing via wp_cron, or one with a loop that doesn't terminate cleanly could generate hundreds of pounds in API charges before you check your provider dashboard.

Greg Ziółkowski, who built the Connectors API, confirmed this directly in the Make WordPress Core proposal: API keys function as a "site setting, so every plugin can access it." That's the correct architecture for reducing fragmentation. It's also the reason you need external safeguards.

This isn't a design flaw. It's an early-stage architecture decision, and the community will build rate-limiting plugins quickly. Providers already have their own spend controls: OpenAI, Anthropic, and Google all let you set dashboard-level budget caps today. But WordPress core ships the accelerator without the brake pedal. For a small business owner who installs a plugin promising "AI-powered" features and doesn't monitor their Anthropic or OpenAI dashboard, the first invoice could be a genuine shock.

API keys stored in the WordPress database through the Connectors screen are also not encrypted in the current implementation (ticket #64789 is tracking this). If WordPress security is already on your radar, that's worth knowing. Store keys in environment variables or PHP constants instead, both of which the Connectors API supports as higher-priority sources.

Set provider-side spend caps before you enter any API key into WordPress. It's the only safeguard that exists right now.

Five Things to Do Before You Update

  1. Set spend limits on your provider dashboards. OpenAI, Anthropic, and Google all let you cap monthly spend. Do this before you enter any API key into WordPress.
  2. Audit every plugin that advertises AI features before activating it on a live site. Check whether it uses the new wp_ai_client_prompt() function and how often it fires.
  3. Only configure the providers you actually need. Don't connect all three just because the screen lets you.
  4. Keep your API keys in environment variables or PHP constants, not the database. The Connectors API supports this priority order, and it's more secure. Your hosting provider or WordPress host can help with this.
  5. If you're on a managed support plan, your agency should be handling this. That's what you pay them for. We monitor plugin behaviour, review updates before they go live, and catch exactly this kind of risk before it costs you money.
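
For step 2, a small command-line scanner, added here as an illustration and not taken from WordPress or any plugin, lists where plugin source calls wp_ai_client_prompt() and whether the same file also schedules cron events or hooks front-end page loads. The hook list and function names are this example's own choices, and the embedded plugin source is constructed.

```php
<?php
// Added example, not code from WordPress or any plugin. Requires PHP 8+.
// Usage: php ai-audit.php /path/to/wp-content/plugins (no argument: scans the sample)
/** Line numbers of real wp_ai_client_prompt() calls; comments and strings are ignored. */
function ai_call_lines( string $source ): array {
	$tokens = token_get_all( $source );
	$lines  = array();
	foreach ( $tokens as $i => $tok ) {
		$is_name = is_array( $tok ) && in_array( $tok[0], array( T_STRING, T_NAME_FULLY_QUALIFIED ), true );
		if ( ! $is_name || 'wp_ai_client_prompt' !== strtolower( ltrim( $tok[1], '\\' ) ) ) {
			continue;
		}
		$j = $i + 1; // Skip whitespace, then require "(" so only calls count.
		while ( is_array( $tokens[ $j ] ?? null ) && T_WHITESPACE === $tokens[ $j ][0] ) {
			$j++;
		}
		if ( '(' === ( $tokens[ $j ] ?? null ) ) {
			$lines[] = $tok[2];
		}
	}
	return $lines;
}
/** Heuristic: does the file also schedule cron events or hook front-end page loads? */
function unattended_triggers( string $source ): array {
	$found = array();
	if ( preg_match( '/\bwp_schedule_(single_)?event\s*\(/', $source ) ) {
		$found[] = 'cron';
	}
	if ( preg_match( '/\badd_(action|filter)\s*\(\s*[\'"](init|wp|wp_loaded|template_redirect|wp_head|wp_footer|the_content)[\'"]/', $source ) ) {
		$found[] = 'page-load hook';
	}
	return $found;
}

// Constructed sample standing in for one plugin file.
$files = array( 'constructed-sample.php' => "<?php\n// wp_ai_client_prompt( 'ignored' );\n"
	. "add_action( 'wp_head', function () {\n\t\$r = wp_ai_client_prompt( 'Summarise this page' );\n} );\n" );
if ( isset( $argv[1] ) ) {
	$files = array();
	$walk  = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $argv[1], FilesystemIterator::SKIP_DOTS ) );
	foreach ( new RegexIterator( $walk, '/\.php$/i' ) as $f ) {
		$files[ $f->getPathname() ] = (string) file_get_contents( $f->getPathname() );
	}
}
foreach ( $files as $path => $src ) {
	if ( $lines = ai_call_lines( $src ) ) {
		printf( "%s: call on line(s) %s; unattended triggers: %s\n", $path, implode( ',', $lines ), implode( ', ', unattended_triggers( $src ) ) ?: 'none seen' );
	}
}
```

A file flagged with a cron or page-load trigger is the one to read by hand first, since those are the paths that fire prompts with no administrator in the loop.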

What WordCamp Asia Told Us

AI dominated all three days in Mumbai. James LePage's opening session set the tone, and later sessions covered AI-driven development, autonomous testing, and plugin automation. Mary Hubbard's fireside chat addressed trust, security, and what responsible AI integration looks like in an open-source project. Matt Mullenweg joined the closing Q&A remotely with written responses touching on contributor growth, product direction, and the health of the open web.

The release squad published the revised schedule on 24 April. WordPress 7.0 is now confirmed for 20 May 2026, with RC3 on 8 May and RC4 on 14 May. The delay was about real-time collaboration's database architecture, not the AI features. The Connectors API, AI Client, and Abilities API are stable and shipping.

WordCamp India was also announced as the fourth flagship WordPress event for 2027, joining Asia, Europe, and US on the calendar.

The message from the conference floor was clear: AI isn't a sideshow for WordPress any more. It's infrastructure. And the security implications are real: the same week, Anthropic revealed that its Claude Mythos model had found thousands of zero-day vulnerabilities across every major operating system and browser. 365i tested the AI Connectors hands-on during beta and wrote up what they actually do in practice. If you want the technical detail before the release lands, that's worth reading.

Frequently Asked Questions

When does WordPress 7.0 actually ship?

The original 9 April 2026 date was missed. The release squad published the revised schedule on 24 April: WordPress 7.0 is now confirmed for 20 May 2026, with RC3 on 8 May and RC4 on 14 May. The delay was about real-time collaboration's database design, not the AI features.

Do I need an API key to use WordPress 7.0?

No. The AI features are entirely opt-in. WordPress 7.0 works without any API key configured. You only need a key if you want plugins to use AI features through the Connectors API. If you never visit Settings > Connectors, nothing changes for you.

Which AI providers does WordPress 7.0 support?

Official provider plugins ship for Anthropic (Claude), Google, and OpenAI. Community-built providers already exist for OpenRouter, Ollama, and Mistral. Any developer can create a provider plugin using the Connectors API.

Can a plugin run up my AI bill without my permission?

Technically, yes. Once you configure a provider in Settings > Connectors, any active plugin can call wp_ai_client_prompt() and generate API charges against your account. Core has no per-plugin budget, rate cap, or monthly ceiling. Set spend limits on your provider dashboard before entering your key.

How do I set a spend cap on my AI provider account?

OpenAI: Settings > Billing > Usage limits. Anthropic: console.anthropic.com > Plans & Billing > Spend limit. Google Cloud: set budget alerts in the Cloud Console billing section. All three let you set a hard monthly cap that stops API calls once the limit is reached.

What is the WordPress Abilities API?

The Abilities API lets plugins register their capabilities with structured schemas and permissions. The PHP side shipped in WordPress 6.9. The client-side JavaScript packages land in 7.0. It's the groundwork for browser agents and WebMCP: AI services can discover what your WordPress site offers and interact with it programmatically.

Should I update to WordPress 7.0 on day one?

For most small business sites, wait for the first patch release (7.0.1, usually within two weeks). Confirm your plugins and theme declare compatibility first. If you run AI-enabled plugins, set your provider spend caps before updating. Editorial teams who want real-time collaboration have the strongest reason to update early.

Will rate-limiting plugins be available for WordPress 7.0?

Almost certainly. The WordPress developer community moves quickly, and the wp_ai_client_prevent_prompt filter gives plugin authors a clean hook to build budget caps, per-plugin limits, and request-rate controls. Expect community solutions within weeks of the 7.0 release. Until then, provider-side spend caps are your safeguard.
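
One way to build the request-rate control described here and in "The Budget Problem Nobody Is Raising" is a must-use plugin on the wp_ai_client_prevent_prompt filter; this is an added example, not WordPress core or any shipping plugin's code. It assumes the filter passes ( bool $prevent, $builder ) and runs on the call stack of the plugin that issued the prompt; the cap value, transient prefix and function names are hypothetical.

```php
<?php
/**
 * Added example, not WordPress core code: hourly prompt cap per calling plugin.
 * Save as wp-content/mu-plugins/ai-prompt-cap.php so it loads before regular plugins.
 * Assumption: the filter passes ( bool $prevent, $builder ); check your 7.0 build.
 */

const AI_CAP_PER_HOUR = 50; // Hypothetical limit; tune per site.

/** Folder name of the first regular plugin on the call stack, or 'unknown'. */
function ai_cap_calling_plugin(): string {
	$root = wp_normalize_path( WP_PLUGIN_DIR ) . '/';
	foreach ( debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS ) as $frame ) {
		$file = wp_normalize_path( $frame['file'] ?? '' );
		if ( str_starts_with( $file, $root ) ) {
			// First path segment under the plugins directory identifies the plugin.
			return (string) strtok( substr( $file, strlen( $root ) ), '/' );
		}
	}
	return 'unknown'; // Theme, mu-plugin or core code issued the prompt.
}

add_filter(
	'wp_ai_client_prevent_prompt',
	function ( $prevent, $builder = null ) {
		if ( $prevent ) {
			return $prevent; // An earlier filter already blocked this prompt.
		}
		$slug  = ai_cap_calling_plugin();
		$key   = 'ai_cap_' . md5( $slug . gmdate( 'YmdH' ) ); // One counter per plugin per UTC hour.
		$count = (int) get_transient( $key );
		if ( $count >= AI_CAP_PER_HOUR ) {
			error_log( "ai-prompt-cap: blocked {$slug} after {$count} prompts this hour" );
			return true;
		}
		// Read-then-write is not atomic, so concurrent requests can overshoot slightly.
		set_transient( $key, $count + 1, 2 * HOUR_IN_SECONDS );
		return false;
	},
	10,
	2
);
```

It counts prompts, not tokens or cost, so the provider-side spend cap remains the hard limit.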
