On March 20, WordPress.com launched 19 write capabilities through its MCP server. That means AI agents can now create posts, edit content, publish pages, manage comments, restructure your categories, and fix media metadata -- all autonomously, all through natural language commands.
This isn't a beta. It's live. And it matters more than most people realize.
What actually happened
WordPress powers 43% of all websites and holds a 60.5% CMS market share. So when the platform opens its doors to autonomous AI agents with write access, the ripple effect is massive.
Here's the thing most coverage is getting wrong: this only applies to WordPress.com hosted sites. Not self-hosted WordPress. The 43% stat covers everything -- but the MCP write features are limited to sites hosted on WordPress.com specifically.
That distinction matters. A lot.
If your site is on WordPress.com, AI agents can now push content to your live site through the platform's OAuth layer. If you're self-hosted, you'd need a separate adapter or third-party plugin. The experiences are completely different, and the security implications are completely different.
The platform control question nobody's asking
The headline everyone ran with was "AI can publish to WordPress." The more interesting story is what's underneath that headline.
Every WordPress.com MCP connection routes through one company's OAuth, one company's API, one company's servers. Self-hosted WordPress can't use it. The AI capability is the feature. The platform dependency is the product.
This is the same company that tried to charge hosting providers 8% royalties on WordPress-related revenue. The same company whose centralization moves triggered a community revolt and a Linux Foundation intervention called FAIR -- a whole initiative to create vendor-neutral package management because the community didn't trust a single entity controlling software distribution.
Now that same entity controls AI agent access to your site.
I'm not saying that's evil. I'm saying it's a pattern worth noticing.
The security surface is already cracking
This isn't hypothetical. CVE-2025-11749 hit a popular AI plugin with over 100,000 installations. The plugin exposed bearer tokens through the REST API when its MCP "No-Auth URL" feature was enabled. Unauthenticated attackers could escalate to full admin access. Six exploit attempts were blocked within 24 hours of disclosure.
The fix was a single parameter change: show_in_index => false. One line. But every site that had the feature enabled needed to rotate tokens immediately because exposed credentials may have already been harvested.
That's one plugin, one implementation, one vulnerability. WordPress saw 11,334 new vulnerabilities across its ecosystem in 2025 -- a 42% increase over 2024, with more high-severity findings than the previous two years combined.
WordPress 7.0, planned for April 2026, is expected to bake AI agent access directly into core. A WP AI Client, an expanded Abilities API, and the MCP Adapter as first-class features. When that happens, the security surface moves from one platform's controlled implementation to thousands of plugin developers building their own MCP endpoints with varying levels of competence.
The safeguards WordPress.com built are genuinely good. Drafts by default. Trash instead of hard deletes. Role-based permissions. Per-capability toggles. Activity logging. Credit where it's due.
But WordPress.com's careful implementation won't matter when the broader ecosystem does it with less care. And based on the 2025 vulnerability numbers, "less care" is a generous description.
Non-human identities are piling up
Every AI agent connected via MCP is a non-human identity with persistent access to your site. Security researchers are already warning about "Shadow MCP" -- unauthorized MCP instances operating outside any governance framework.
Think about it this way. You probably know how many people have admin access to your site. Do you know how many AI agents do? Do you know which ones have write access? Do you know what happens to that access when you cancel a subscription or switch tools?
These are identity management questions that most organizations barely handle for humans. Now multiply by autonomous software agents that don't show up in your team directory.
WooCommerce is next
If AI agents can manage posts and pages, product listings are the obvious next step. Pricing. Inventory. Storefront layouts. The autonomous action surface extends from content into commerce.
When an AI agent can change your product prices or edit your checkout flow without a human reviewing the change, "who controls your site" stops being a philosophical question and starts being a financial one.
What this actually means for you
If you're running a business on WordPress.com, you now have a decision to make about how much platform control you're comfortable with. That's not a scare tactic. It's just the reality of what this launch means.
If you're self-hosted, you'll face the same decision when WordPress 7.0 ships with MCP in core. The plugin ecosystem will fill the gap before then, with all the security variance that implies.
Either way, the architecture of your web presence matters more than it did last week. Who hosts your site, who controls the publishing layer, how authentication works, what happens when an agent goes sideways -- these aren't abstract concerns anymore.
We build and manage web infrastructure for clients across a dozen industries. Some have been with us for over 13 years with zero security incidents. The reason isn't that we're paranoid. It's that we think about these questions before they become problems.
If you're looking at your WordPress setup and wondering whether your architecture is ready for a world where AI agents have write access -- that's a conversation worth having. First one's free.
Subscribe at kief.studio for the companion resource on this topic, or come talk about it in our Discord.