Use case · REST API escape hatch (advanced)

Call any WordPress REST endpoint from chat.

When the curated tools don't cover what you need, wp_rest_call lets the agent hit any allowed REST endpoint. Allowlist-scoped, sensitive paths blocked, capability-checked.

The problem you actually have

No matter how comprehensive a tool catalog gets, there’s always the one weird thing: a custom CPT specific to your industry, a niche plugin REST endpoint, a one-off WooCommerce extension call. You don’t want to hardcode tool support for every plugin in the WordPress ecosystem.

Without an escape hatch, the agent says “I can’t do that” and you fall back to phpMyAdmin or the REST API console. With an escape hatch you keep the conversation flowing.

The trick is making the escape hatch safe: an allowlist for REST namespaces (you opt in to which plugins’ endpoints the agent can hit), a blocklist for sensitive paths (users, settings, plugin install/activate), and DELETE blocked entirely.

How the assistant solves it

You type the request in plain English inside wp-admin. The agent picks wp_rest_call (plus wp_get_post_meta, wp_set_post_meta as needed) and walks the steps below.

  1. In settings, you toggle on Advanced mode for the chat. (Off by default.)
  2. You ask: “query my custom CPT ‘product_review’ for the last 10 reviews above 4 stars.”
  3. The assistant calls wp_rest_call with method=GET, path=/wp/v2/product_review, query={per_page: 10, orderby: rating, order: desc}.
  4. It interprets the response, presents the reviews in chat.
  5. For mutations: it calls wp_rest_call with method=POST/PUT/PATCH (DELETE is hard-blocked). The user’s capabilities are still checked WP-side.
  6. Every call is logged to animam_action CPT with the full path and body.

Before vs after

| | Without the assistant | With the assistant |
|---|---|---|
| Coverage | Curated tools cover ~80% of admin tasks | ~99% (only WP-blocked things stay out: user mgmt, plugin install, theme switch) |
| Safety | You’re tempted to grant full DB access | Allowlist + blocklist + capability check + audit log |
| Discoverability | You don’t know which plugins expose what | wp_get_site_info returns active plugins + their REST namespaces |

Where it stops

  • Off by default. You explicitly opt in via Settings > Animam > Advanced mode. Per-tool gating means it’s hidden from the LLM until you turn it on.
  • DELETE method is hard-blocked. For destructive operations, use a curated tool that has confirm-token semantics, or do the deletion yourself.
  • Sensitive REST paths (users, settings, plugins, themes) are blocked even with advanced mode on. The blocklist is in plugin code, not user-configurable.
  • Allowlist of REST namespaces by default: /wp/v2/, /wc/v3/, /rank-math/v1/, /yoast/v1/. Other plugins (WPForms, Forminator, CF7, MailPoet, Brevo) are toggled in admin settings.
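
A sketch of the gate these limits describe, as an added example in Python (not the plugin's own code). The namespace list, blocked segments and DELETE block come from the page; the path normalization, the any-segment blocklist match and the handling of WordPress's `_method` / `X-HTTP-Method-Override` overrides are assumptions about how such a check can be made robust.

```python
import posixpath
from urllib.parse import unquote

# Values from the page; the matching rules below are assumptions.
ALLOWED_NAMESPACES = ("wp/v2", "wc/v3", "rank-math/v1", "yoast/v1")
BLOCKED_SEGMENTS = {"users", "settings", "plugins", "themes"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH"}  # allowlist, so DELETE never passes


def normalize(path):
    """Canonicalize before any policy check so encoded forms are judged as-is."""
    previous = None
    while previous != path:  # decode until stable (handles double encoding)
        previous, path = path, unquote(path)
    if any(c in path for c in "?#\x00"):
        raise ValueError("query, fragment or NUL inside path")
    path = path.replace("\\", "/").lower()
    # normpath resolves "." and ".." and collapses repeated slashes
    return posixpath.normpath("/" + path.lstrip("/"))


def check_call(method, path, query=None, headers=None):
    """Return (allowed, reason) for one proposed wp_rest_call."""
    query, headers = query or {}, headers or {}
    lowered = {k.lower(): v for k, v in headers.items()}
    # Gate on the method the server would act on, not only the declared one.
    override = query.get("_method") or lowered.get("x-http-method-override")
    effective = str(override or method).upper()
    if effective not in ALLOWED_METHODS:
        return False, "method " + effective + " not allowed"
    try:
        canonical = normalize(path)
    except ValueError as exc:
        return False, str(exc)
    # Match on a segment boundary so "/wp/v2evil" is not treated as "/wp/v2".
    namespace = next((ns for ns in ALLOWED_NAMESPACES
                      if canonical == "/" + ns
                      or canonical.startswith("/" + ns + "/")), None)
    if namespace is None:
        return False, "namespace not in allowlist"
    segments = canonical[len(namespace) + 1:].split("/")
    hit = BLOCKED_SEGMENTS.intersection(segments)
    if hit:
        return False, "blocked path: " + sorted(hit)[0]
    return True, "ok: " + canonical
```

The order matters: the blocklist and allowlist are applied to the canonical path, and the method check uses the effective method, so the decision is made on the same request the REST server would see.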

FAQ

Why isn't this on by default?

Because it’s an escape hatch, not a default flow. The curated tools cover what most people need; the escape hatch is for the long tail. Off-by-default is the safe stance.

Can the agent install a plugin via REST?

No — that path is in the blocklist (/wp/v2/plugins). For plugin management, you use wp-admin directly.

Plan?

Admin or Bundle. Advanced mode toggle is on the Admin and Bundle plans only.
