Security Researcher: WordPress 7.0 Could Trigger Rush To Steal AI API Keys

Roger Montti, in his Search Engine Journal article “Security Researcher: WordPress 7.0 Could Trigger Rush To Steal AI API Keys,” examines new security concerns posed by WordPress 7.0’s AI features and the growing value of AI credentials.

The article focuses on comments from Oliver Sild, founder of the security company Patchstack. Sild warns that WordPress’s built-in AI features could give attackers new reasons to target sites. He explains that AI API keys, which allow access to paid services like OpenAI, Anthropic Claude, and Google Gemini, are now valuable targets because they can be misused to rack up costs or support large-scale malicious activities.

Montti points out that, unlike regular AI subscriptions, API keys are billed based on usage. If someone steals these keys, they could use them for automated content creation, phishing, social engineering, malware development, or gaining entry to business workflows that rely on AI.

Montti also points to a recent WordPress 7.0 bug where browser autofill could reveal AI API keys. This bug let previously entered keys show up in plain text in autocomplete menus, which could be risky during screen sharing, on shared computers, or if someone else uses the same browser session. This issue highlights the special security problems that come with adding AI features.
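The autofill exposure described above is a form-markup problem: an API-key field rendered as a plain text input stays eligible for the browser's autocomplete history. The following is an added example (not code from the article or from WordPress) that scans constructed form markup for secret-bearing inputs and flags those that are unmasked or still autofillable; the field names and the `SAMPLE` form are assumed for illustration.

```javascript
// Added example: audit form markup for API-key inputs a browser may autofill.
// Field names and SAMPLE markup below are constructed for illustration.
const SECRET_NAME = /(api[_-]?key|secret|token)/i;

// Minimal tag scanner for self-contained markup; a real audit should walk the DOM.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    inputs.push(attrs);
  }
  return inputs;
}

// Reports secret-bearing inputs shown in plain text or still eligible for autofill.
function auditSecretInputs(html) {
  const findings = [];
  for (const attrs of parseInputs(html)) {
    const label = attrs.name || attrs.id || '';
    if (!SECRET_NAME.test(label)) continue;
    const problems = [];
    if ((attrs.type || 'text').toLowerCase() !== 'password') problems.push('rendered as plain text');
    const ac = (attrs.autocomplete || '').toLowerCase();
    if (ac !== 'off' && ac !== 'new-password') problems.push('autofill not disabled');
    if (problems.length) findings.push({ field: label, problems });
  }
  return findings;
}

// Markup for a key field that masks the value and opts out of autofill.
// "new-password" is used because browsers commonly ignore "off" on password fields.
function hardenedInput(name) {
  return `<input type="password" name="${name}" autocomplete="new-password" spellcheck="false">`;
}

const SAMPLE = `
<form>
  <input type="text" name="site_title">
  <input type="text" name="openai_api_key">
  <input type="password" name="claude_api_key">
  ${hardenedInput('gemini_api_key')}
</form>`;
```

Masking and disabling autofill only addresses display; a key already saved in the browser's form history remains there until the user clears it.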

The article also looks at a wider debate in the WordPress community about how AI is changing security. Sild says that WordPress weaknesses might attract more attackers now, since hacked sites could give access to both website data and valuable AI services and credentials.

Developers in the community took the discussion further, asking how WordPress stores sensitive data, how plugin permissions should work, and if the platform’s old design is ready for a time when websites often connect to outside AI systems.

Montti mentions that WordPress co-founder Matt Mullenweg disagrees with claims that WordPress is always insecure. He says sites can stay safe if they are well maintained. Still, security researchers warn that attackers are quick to take advantage of new bugs before they are fixed, so updating quickly and following good security habits is more important than ever.

Montti’s broader point is that adding AI brings new security issues for WordPress site owners. Even if a site does not hold sensitive customer data, it could still be targeted if it has API keys for paid AI services. If those keys are stolen, owners could face big financial losses. As WordPress expands its AI capabilities, the conversation is shifting from what AI can do for websites to how platforms can safely manage the credentials and services that power those new features.
