外掛標籤
開發者團隊
原文外掛簡介
WordPress 7.0 introduced the Abilities API. Any active plugin can register an ability and the WordPress AI feature can then invoke it, consuming whatever credits or tokens your AI provider charges per call. By default every registered ability is exposed, and there is no built-in way to see what is exposed or to limit it.
Codevera AI Access Control adds a single settings screen that lists every plugin which has registered AI abilities, grouped by source plugin, and lets you allow or block each plugin as a whole or each individual ability.
How it works:
The plugin watches every call to wp_register_ability() and records which plugin made the call.
The Settings -> Codevera AI Access screen groups those abilities by source plugin so you can see at a glance what is exposed.
Untick a plugin or a single ability and save. From the next request onwards, the AI feature can no longer see or invoke it.
Free:
Per-plugin and per-ability granular controls
Automatic detection of newly installed plugins that register AI abilities, with an in-admin notification so you can review them
Tamper-detect signature on the saved settings, with a fail-closed mode that blocks every non-core ability if the settings option is modified outside the plugin
Filter-level enforcement that neutralises a blocked ability before WordPress constructs it, plus a registry sweep that removes blocked abilities from the listings
Self-check that re-attaches the enforcement hooks on init, admin_init and rest_api_init if another plugin removes them
Search and filter inside each plugin card so large registries stay readable
No external requests, no telemetry, no licence checks
Works on multisite (per-site settings)
Translation ready
Works well for:
Sites where editorial staff use the WordPress AI feature and you want strict control over what context the AI can pull in
Agency sites where new plugins are installed regularly and you want to review their AI exposure before letting them in
Privacy-sensitive sites that need an explicit allow list of which plugins may expose data to an AI provider
Compliance-driven environments that need an auditable record of which plugins have been allowed to register AI abilities
Under the hood:
Uses only the official Abilities API surface: wp_register_ability_args, wp_abilities_api_init, wp_unregister_ability
Source attribution from debug_backtrace() of the file that called wp_register_ability, normalised to a plugin slug
HMAC-SHA256 signature on the settings option, keyed to a CVAIAC_SECRET constant or AUTH_SALT fallback
No frontend assets shipped, all code runs in admin and on the AI Abilities REST routes
No database tables, just two options in wp_options
External Services & Privacy
This plugin does not contact any external service. It reads only local WordPress data. No telemetry, no analytics, no licence checks, no remote update checks beyond what WordPress core itself performs.
The plugin stores two options in the wp_options table:
cvaiac_settings – your allow and block selections, signed with an HMAC-SHA256 signature
cvaiac_ability_sources – a map of ability name to source plugin slug, populated automatically as plugins register their abilities
cvaiac_schema_version – an integer that records the storage format version, used for migration
No personal data, no visitor data, and no AJAX requests to remote services.
When the plugin is uninstalled, all three options are removed.
Support
Email [email protected] for support, bug reports, or feature requests. Include your WordPress version, PHP version, a list of other plugins that register AI abilities, and a description of the issue with steps to reproduce.
Technical Requirements
Minimum:
WordPress 7.0 (required for the Abilities API)
PHP 7.4
Recommended:
WordPress 7.0 or higher
PHP 8.0 or higher
Privacy & Security
The plugin does not collect or transmit any personal data. The settings option is stored locally and signed with an HMAC keyed to a site-specific secret. The source-tracker option contains only plugin slugs and ability names that are already public to any code running on the site.
Form submissions use a nonce and require the manage_options capability. The enforcement hooks run on every request that loads the Abilities API, so blocking takes effect from the next request after a setting is saved.
This plugin defends against opportunistic interference such as another plugin writing directly to the settings option, removing the enforcement hooks, or re-registering an ability that has already been blocked. It does not claim to be a security boundary against a fully hostile plugin that has code execution in the same PHP process. The safest practice is still to only install plugins you trust.
Links
Website: https://codevera.ai
Support: [email protected]
