Permissions and Safety

Updated May 6, 2026

Safety by Default

Agent Builder is designed with a “read-only by default” approach. When you first activate an assistant, it can read your site content but cannot change anything without your explicit permission.

Screenshot: The Approval Queue — review and approve or reject pending assistant actions

Permission System

Each assistant has granular permissions you control:

  • Read posts/pages — View content on your site
  • Write posts/pages — Create or modify content
  • Read settings — View WordPress options
  • Write settings — Change WordPress options
  • Read files — View theme and plugin files
  • Write files — Modify theme and plugin files

All write permissions are off by default. Enable only what each assistant needs.

Approval Workflow

Even with write permissions enabled, sensitive actions go through an approval process:

  1. The assistant proposes a change (e.g., “Create a new blog post titled…”)
  2. You see exactly what will change, including a preview
  3. You approve or reject the proposed change
  4. If approved, the change is applied and backed up

Audit Log

Every action taken by every assistant is recorded in Agent Builder → Audit Log. This includes:

  • What action was requested
  • Which assistant performed it
  • When it happened
  • Whether it was approved, rejected, or read-only

Automatic Backups

Before an assistant modifies any file or database table, Agent Builder automatically saves a snapshot of the original. This covers posts, options, terms, metadata, robots.txt, llms.txt, and more.

Backups are stored in wp-content/agentic-backups/. Agent Builder keeps up to 3 snapshots per database table and restores in one click from Agentic → Approval Queue → Backups. Restoring also saves the current state first, so you can undo the undo.

See Backups and Restore for the full guide.
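The snapshot-before-write and restore-saves-current-state-first behaviour described above, modelled as an added example in Python. This is not Agent Builder's own code: the in-memory store stands in for wp-content/agentic-backups/, the table and row values are constructed, and the 3-snapshot limit is taken from the text.

```python
import copy
from collections import deque
from datetime import datetime, timezone

MAX_SNAPSHOTS = 3   # the page's limit: up to 3 snapshots per database table


class BackupStore:
    """In-memory stand-in for wp-content/agentic-backups/ (constructed example)."""

    def __init__(self):
        self._per_table = {}   # table -> deque of (taken_at, reason, rows), oldest first

    def snapshot(self, table, rows, reason):
        """Save a copy of `rows` before a write; at the limit the oldest copy is dropped."""
        q = self._per_table.setdefault(table, deque(maxlen=MAX_SNAPSHOTS))
        q.append((datetime.now(timezone.utc), reason, copy.deepcopy(rows)))
        return len(q)

    def count(self, table):
        return len(self._per_table.get(table, ()))

    def latest_reason(self, table):
        return self._per_table[table][-1][1]

    def restore(self, table, live_rows):
        """Roll `table` back to its newest snapshot, saving the live state first
        so that the restore itself can be undone ("undo the undo")."""
        q = self._per_table.get(table)
        if not q:
            raise LookupError(f"no snapshots for {table}")
        _, _, target = q[-1]                  # pick the target before appending
        self.snapshot(table, live_rows, "pre-restore")
        return copy.deepcopy(target)


def apply_write(store, table, live_rows, new_rows, reason):
    """The approved-action path: snapshot the original, then apply the change."""
    store.snapshot(table, live_rows, reason)
    return copy.deepcopy(new_rows)
```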

Risk Levels

Every tool in Agent Builder is assigned a risk level that determines how it is handled. Risk levels range from 1 (read-only, auto-approved) to 5 (extreme, disabled by default). This means even if an assistant has write permissions enabled, low-risk reads are instant while high-risk changes always require your review.

  • Level 1 — Read-only: Auto-approved. No changes to your site. Examples: reading posts, listing plugins, querying the database.
  • Level 2 — Low write: Auto-approved in autonomous mode. Adds or modifies non-critical metadata. Examples: adding a tag, updating post meta.
  • Level 3 — Medium write: Requires confirmation. Modifies published content or settings. Examples: updating a post, changing a site option.
  • Level 4 — High write: Always requires confirmation. Deletes content or changes security-sensitive settings. Examples: deleting a post, changing a user role.
  • Level 5 — Extreme: Disabled by default. Must be explicitly enabled in Settings. Examples: arbitrary SQL execution, shell commands.
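How the permission set, the approval workflow and the risk levels combine into one gating decision per proposed tool call, as an added Python example (not Agent Builder's own code). The tool catalogue, the permission each tool needs and the assistant names are constructed; it also assumes that a level 2 write needs confirmation outside autonomous mode and that a level 5 tool, once enabled, still goes through confirmation.

```python
from datetime import datetime, timezone

# Hypothetical tool catalogue: tool name -> (permission it needs, risk level).
# Constructed for this example; it is not Agent Builder's own tool registry.
TOOLS = {
    "read_post":     ("read_posts", 1),
    "list_plugins":  ("read_settings", 1),
    "add_tag":       ("write_posts", 2),
    "update_post":   ("write_posts", 3),
    "update_option": ("write_settings", 3),
    "delete_post":   ("write_posts", 4),
    "write_file":    ("write_files", 4),
    "run_sql":       ("write_settings", 5),   # assumption: extreme tool tied to a write permission
}

AUDIT_LOG = []   # one entry per proposed action: what, who, when, outcome


def decide(assistant, permissions, tool, autonomous=False, extreme_enabled=False):
    """Gate one proposed tool call and record it in the audit log.

    Returns 'auto' (runs now), 'confirm' (goes to the Approval Queue) or 'blocked'.
    `permissions` is the assistant's permission set, e.g. {"read_posts"}; write
    permissions are absent unless the admin enabled them.
    """
    level = TOOLS[tool][1] if tool in TOOLS else None
    if level is None:
        outcome = "blocked"          # a tool name the model made up is never executed
    elif TOOLS[tool][0] not in permissions:
        outcome = "blocked"          # the permission set wins over tool availability
    elif level == 5 and not extreme_enabled:
        outcome = "blocked"          # extreme tools stay off until enabled in Settings
    elif level == 1:
        outcome = "auto"             # read-only: instant
    elif level == 2 and autonomous:
        outcome = "auto"             # low write: auto-approved only in autonomous mode
    else:
        outcome = "confirm"          # level 2 (interactive), 3, 4 and an enabled 5
    AUDIT_LOG.append({
        "action": tool,
        "assistant": assistant,
        "risk": level,
        "at": datetime.now(timezone.utc).isoformat(),
        "outcome": outcome,
    })
    return outcome
```

Because the decision is made server-side from the catalogue and the permission set, the model's own claim about what a tool does never influences the outcome.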

Frequently Asked Questions

Can an AI assistant make changes to my site without me noticing?

By design, no. All write actions at risk level 3 and above generate a confirmation prompt before executing. Even in autonomous mode (where the assistant can act without prompts), every action is recorded in the Audit Log. If you discover an unexpected change, the Audit Log shows exactly what was done, when, and by which agent — and the backup system lets you restore the previous state in one click.

What happens if I accidentally approve a destructive action?

Agent Builder saves a backup snapshot before executing any write action. If you approve a change and regret it, go to Agent Builder → Approval Queue → Backups and restore the previous state. Restoring also creates a snapshot of the current state first, so you can undo the restoration too. See Backups and Restore for the full guide.

Can I give different assistants different permission levels?

Yes. Permission sets are configured per assistant in Settings → Agents. You might give your Content Writer read and write access to posts while your Site Doctor only has read access to settings and files. An assistant can only use the tools its permission set allows — even if those tools are technically available in the system, they are blocked for that assistant if its permissions do not include them.

Can visitors on the front end trigger assistant actions?

Only within the limits you configure for that assistant. If you deploy a front-end agent that only has read-only permissions, visitors can ask it questions but it cannot change anything on your site. If you deploy a front-end agent with write permissions, visitors can trigger write actions — which is appropriate for some use cases (e.g., a form-filling agent) but requires careful permission scoping. See Frontend Chat Security for best practices.

Does Agent Builder protect against prompt injection attacks?

Agent Builder implements several layers of protection against prompt injection — attempts by malicious content on your site to hijack the assistant’s actions. Tool execution is validated server-side regardless of the LLM’s output, file system access is restricted to the WordPress directory, and SQL tools use parameterised queries. Extreme-risk tools are disabled by default specifically because they are the most susceptible to injection-driven misuse.
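One of the layers named above, restricting file access to the WordPress directory, as an added Python example of a path-confinement check (not Agent Builder's own implementation). The install path is constructed; the function name and the NUL-byte rejection are this example's own choices.

```python
import os

WP_ROOT = "/var/www/html"   # constructed: the WordPress install directory on this site


def confine_to_wp(requested, root=WP_ROOT):
    """Resolve a model-supplied path and return it only if it stays inside `root`.

    The test runs on the *resolved* path, so "..", absolute paths and symlinks
    that point outside the WordPress directory are all rejected with None.
    """
    if "\0" in requested:
        return None                       # an embedded NUL can truncate the path in C code
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, requested))
    # commonpath is a true directory-prefix test; a plain startswith would also
    # accept a sibling such as /var/www/html2
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target
```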
