Least Privilege for WordPress AI Access
Mandate
AI agents are changing how WordPress is managed. Mandate helps keep their access scoped, auditable, and limited to the job at hand.
In Short
Mandate limits what an AI agent or connected app may do.
A WordPress Application Password normally carries the full capabilities of the user it belongs to. Mandate adds a per-password allowlist of capabilities, so an AI agent can be given narrower access than the WordPress user account behind it.
No raw secret storage. No role editing. No changes to the user's normal browser sessions.
Security model
Mandate only narrows access: a scoped Application Password can never do more than the WordPress user behind it, only less.
Allow (example allowlist)
- read
- edit_posts
- edit_published_posts
Block (anything not on the allowlist)
- delete_posts
- upload_files
- manage_options
Preserve
- normal wp-admin access
- existing WordPress roles
- existing security controls
How it works
Pick the password. Limit the capabilities. Save the scope.
Select the user
Start from the WordPress account your tool already authenticates as.
Select the App Password
Scope one Application Password without changing normal wp-admin sessions.
Save the allowlist
On every API request authenticated with that Application Password, Mandate checks the saved scope and denies any capability that is not on the allowlist. Requests authenticated by a normal browser session are not affected.
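To make the mechanism concrete, here is a minimal sketch of how a per-password capability allowlist can be enforced with WordPress core hooks. This is an added example, not Mandate's own code, and the function names, the global, the sample UUID and the sample allowlist are all invented for illustration. It relies on two real WordPress hooks: the `application_password_did_authenticate` action, which fires only when a request authenticates with an Application Password, and the `user_has_cap` filter, which runs on every capability check.

```php
<?php
/*
 * Hypothetical capability allowlist for one WordPress Application Password.
 * Added example, not Mandate's implementation. Function names, the global,
 * the sample UUID and the sample allowlist are assumptions for illustration.
 */

// Constructed sample: Application Password UUID => allowed primitive caps.
// A real plugin would load the saved scope from the database instead.
function mandate_example_allowlists() {
    return array(
        '3f4d8a2e-0000-4000-8000-000000000001' => array( 'read', 'edit_posts', 'edit_published_posts' ),
    );
}

// Record which Application Password (and which user) authenticated this request.
// Cookie-based wp-admin sessions never fire this action, so they stay untouched.
function mandate_example_remember_app_password( $user, $item ) {
    $GLOBALS['mandate_example_app'] = array(
        'uuid'    => $item['uuid'],
        'user_id' => (int) $user->ID,
    );
}
add_action( 'application_password_did_authenticate', 'mandate_example_remember_app_password', 10, 2 );

// Narrow capabilities when a scoped Application Password is in use.
// $allcaps is the user's primitive caps (cap => bool) after map_meta_cap().
function mandate_example_filter_caps( $allcaps, $caps, $args, $user ) {
    $app = isset( $GLOBALS['mandate_example_app'] ) ? $GLOBALS['mandate_example_app'] : null;

    // Not an Application Password request, or a check on some other user: leave caps alone.
    if ( null === $app || (int) $user->ID !== $app['user_id'] ) {
        return $allcaps;
    }

    $lists = mandate_example_allowlists();
    if ( ! isset( $lists[ $app['uuid'] ] ) ) {
        return $allcaps; // unscoped password: default WordPress behaviour
    }

    $allowed = array_flip( $lists[ $app['uuid'] ] );
    foreach ( $allcaps as $cap => $granted ) {
        // Only revoke grants the user already has; never add a capability.
        if ( $granted && ! isset( $allowed[ $cap ] ) ) {
            $allcaps[ $cap ] = false;
        }
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'mandate_example_filter_caps', 10, 4 );
```

With this filter active, a `DELETE /wp-json/wp/v2/posts/{id}` request authenticated with the scoped Application Password fails the endpoint's permission check (a 403 with the `rest_cannot_delete` error code) because `delete_posts` is no longer granted, while the same user's logged-in browser session can still delete the post. Two points a practitioner should check in any real implementation: the allowlist must be expressed in primitive capabilities, since `user_has_cap` runs after `map_meta_cap()` has translated meta capabilities such as `edit_post` into `edit_posts` or `edit_published_posts`; and the filter must be keyed to the authenticated user, otherwise capability checks on other users during the same request would also be narrowed.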
Download Mandate
Install it from WordPress.org or inspect the source on GitHub.
Mandate is a focused guardrail for WordPress sites that connect to AI tools, automation systems, REST API clients, and MCP servers.
Get the plugin
Use the WordPress.org listing when it is available, or follow development from the public repository.