WordPress 7.0 AI: API Key Theft Risk Surfaces on Launch Day

WordPress 7.0 "Armstrong" was released without its promised real-time collaborative editing feature. Instead, its new AI infrastructure is raising security concerns. A security researcher warns that API credentials, now stored in WordPress admin dashboards, are a new target for hackers. These paid API keys can be worth thousands of dollars. The platform is used by 43% of the web. The real-time collaboration feature was dropped due to issues like recurring bugs and server load. WordPress 7.0 instead shipped with a three-component AI substrate. This includes the WP AI Client, the Connectors API, and a JavaScript version of the Abilities API. The WP AI Client allows plugin developers to send prompts to large language models through a single interface. The Connectors API handles credentials, letting administrators enter an API key once for various providers. This means every plugin using the WP AI Client inherits that connection. This change matters because it creates a new and valuable target for cybercriminals across a significant portion of the internet.