Delicious Brain Bytes: WordPress 6.9 RC1, FAIR’s Security MVP, and Finding Hidden Gems

By Mike Davey, Senior Editor

In this issue of Delicious Brain Bytes, we track the final progress of WordPress 6.9 RC1 and the new Abilities API, explore the security advancements of the FAIR/Patchstack collaboration, preview the future of ACF Blocks, and much more!

WordPress 6.9 and the Abilities API

The final major WordPress release of 2025 is right around the corner. WordPress 6.9 Release Candidate 1 is now available, putting the release on track for its scheduled launch on December 2, 2025. The core team encourages all developers and users to test the RC1 build to ensure stability, particularly since new features like the improved Site Editor experience and the universal Command Palette are included.

The 6.9 release includes several key developer updates, such as enhancements to the DataViews components and the Interactivity API. However, the most foundational change is the introduction of the Abilities API.

The Abilities API is a new foundational system designed to transform how plugins, themes, and WordPress core expose their functionality. It allows developers to register self-contained units of functionality—an “ability”—with standardized inputs, outputs (using JSON Schema), and permissions.

This system is a key part of the broader AI Building Blocks initiative. By registering abilities using the new PHP functions, developers make their plugin features discoverable and executable by AI agents, automation tools, and other systems. Registered abilities are automatically exposed through a new REST API endpoint (wp-abilities/v1), creating a unified, machine-readable registry of functions. This eliminates the need for isolated functions or custom AJAX handlers, simplifying integration and offering developers a predictable method for building the next generation of AI-powered WordPress solutions.
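A registration along the lines described above, written here as an added example (it is not code from WordPress core or from this newsletter). The ability name, the callbacks and the `site` category slug are hypothetical, and the argument keys are assumed to match the Abilities API documentation for 6.9. It shows where the permission check and the input schema sit, which matters once an ability is callable by agents over REST.

```php
<?php
// Hypothetical plugin code: 'example-plugin/count-drafts' and both callbacks are illustrative names.
add_action( 'wp_abilities_api_init', 'example_register_abilities' );

function example_register_abilities() {
    wp_register_ability( 'example-plugin/count-drafts', array(
        'label'       => __( 'Count drafts', 'example-plugin' ),
        'description' => __( 'Returns the number of draft posts for a post type.', 'example-plugin' ),
        'category'    => 'site', // Assumption: a category slug that is already registered.
        // Narrow the input: one required field, a closed set of values, nothing extra accepted.
        'input_schema' => array(
            'type'       => 'object',
            'properties' => array(
                'post_type' => array( 'type' => 'string', 'enum' => array( 'post', 'page' ) ),
            ),
            'required'             => array( 'post_type' ),
            'additionalProperties' => false,
        ),
        'output_schema' => array(
            'type'       => 'object',
            'properties' => array( 'drafts' => array( 'type' => 'integer', 'minimum' => 0 ) ),
            'required'   => array( 'drafts' ),
        ),
        // The permission callback is the authorization gate for every caller, human or agent.
        'permission_callback' => 'example_can_count_drafts',
        'execute_callback'    => 'example_count_drafts',
        // Assumption: this meta flag opts the ability into the wp-abilities/v1 REST routes.
        'meta' => array( 'show_in_rest' => true ),
    ) );
}

// Draft counts reveal unpublished work, so require an editor-level capability.
function example_can_count_drafts( $input = null ) {
    return current_user_can( 'edit_others_posts' );
}

// Runs only after the input has matched the schema and the permission check has passed.
function example_count_drafts( $input ) {
    $counts = wp_count_posts( $input['post_type'] );
    return array( 'drafts' => (int) $counts->draft );
}
```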

Developers are urged to begin testing the RC1 and exploring the detailed documentation for the Abilities API now. You can download and test RC1 via the WordPress Beta Tester plugin or view the Abilities API documentation here.

A New Era for Custom Blocks with ACF

The Advanced Custom Fields (ACF) team is hosting a webinar to showcase the latest advancements in ACF Blocks and how modern developers are leveraging them for efficient, creative WordPress solutions.

The session will cover the full spectrum of ACF’s power, from fine-tuning the client editing experience to establishing structured data for the emerging “agentic web.” Speakers Rob Stinson and Iain Poulson will provide a quick “ACF 101” refresher before diving into a live demo of features from recent releases, highlighting how custom block creation has taken a significant leap forward. The team will also address how pairing ACF PRO with managed hosting platforms like WP Engine can unlock new workflow opportunities.

This session is designed to empower developers to build more efficient and creative solutions. The live webinar takes place on Wednesday, November 19, 2025, at 10am CT / 4pm GMT. Secure your spot now and discover the new capabilities transforming the custom block creation experience.

Solving the Plugin Discovery Crisis

A new plugin called Hidden Gems aims to fundamentally change how developers and users find quality software in the WordPress ecosystem. The plugin addresses a core issue: the default plugin directory prioritizes popular tools with millions of installs, leaving thousands of excellent, lesser-known plugins flying under the radar.

The Hidden Gems plugin solves this by adding a dedicated tab to the “Add New Plugin” screen, using a smart discovery logic built on “quality over popularity.” It defines a “hidden gem” as a plugin that maintains excellent ratings (3+ stars) but has low installation counts (often filtered to under 10K). This logic ensures that users bypass poor-quality, unknown plugins and well-known, established ones to find truly innovative solutions before they become mainstream.

For plugin developers, this tool creates a pathway for quality to be recognized without requiring a massive marketing budget. For users, it offers a competitive advantage by surfacing niche solutions and high-quality alternatives. The plugin includes advanced filtering options based on installation limits, quality thresholds, and more.

You can read the full story behind the plugin’s creation here and find the plugin itself on GitHub.

FAIR and Patchstack Build Security MVP at CloudFest Hackathon

As reported in The Repository, the decentralized architecture of the FAIR Package Manager recently took a major step toward robust security integration at the inaugural CloudFest USA Hackathon. A collaborative team from FAIR and Patchstack built a Minimum Viable Product (MVP) for the FAIR Software Security Assistant.

The project’s goal was to surface vulnerability warnings directly in the WordPress admin by translating Patchstack’s vulnerability data into FAIR’s trust labeling model. This model allows independent organizations to attach verified trust signals to plugins. FAIR technical steering committee co-chair Carrie Dils noted the process was crucial for figuring out “how we talk to the API, how we turn that into labels, and how we build rules around those labels.”

The resulting policy engine will allow hosts or site owners to define automated rules—such as automatically hiding critically vulnerable plugins from the search screen—addressing supply-chain security directly during plugin discovery. This MVP demonstrates a model where decentralization and security are designed to work together.
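The label-and-rule flow described above can be sketched in a few lines of plain PHP. This is an added illustration, not code from FAIR or Patchstack: the record shape, label names, rule format and plugin slugs are all hypothetical, and the data is constructed.

```php
<?php
// Constructed sample records; this shape is hypothetical, not Patchstack's API format.
$vulnerabilities = array(
    array( 'slug' => 'example-forms',   'severity' => 'critical', 'patched' => false ),
    array( 'slug' => 'example-forms',   'severity' => 'medium',   'patched' => false ),
    array( 'slug' => 'example-gallery', 'severity' => 'medium',   'patched' => false ),
    array( 'slug' => 'example-seo',     'severity' => 'critical', 'patched' => true ),
);

// Turn vulnerability records into labels keyed by plugin slug.
function labels_from_vulnerabilities( array $records ): array {
    $labels = array();
    foreach ( $records as $record ) {
        if ( $record['patched'] ) {
            continue; // A fixed issue produces no label.
        }
        $labels[ $record['slug'] ][] = 'vuln-' . $record['severity'];
    }
    return $labels;
}

// Rules a host or site owner might define; ordered strictest first, first match wins.
$rules = array(
    array( 'label' => 'vuln-critical', 'action' => 'hide' ),
    array( 'label' => 'vuln-high',     'action' => 'warn' ),
    array( 'label' => 'vuln-medium',   'action' => 'warn' ),
);

// Apply the rules to a list of search results: hidden plugins are dropped, others are flagged.
function apply_policy( array $results, array $labels, array $rules ): array {
    $visible = array();
    foreach ( $results as $plugin ) {
        $plugin_labels = $labels[ $plugin['slug'] ] ?? array();
        $action        = 'allow';
        foreach ( $rules as $rule ) {
            if ( in_array( $rule['label'], $plugin_labels, true ) ) {
                $action = $rule['action'];
                break;
            }
        }
        if ( 'hide' === $action ) {
            continue;
        }
        $plugin['warning'] = ( 'warn' === $action );
        $visible[]         = $plugin;
    }
    return $visible;
}

// Constructed search results, filtered through the policy.
$search = array( array( 'slug' => 'example-forms' ), array( 'slug' => 'example-gallery' ),
    array( 'slug' => 'example-seo' ), array( 'slug' => 'example-cache' ) );
foreach ( apply_policy( $search, labels_from_vulnerabilities( $vulnerabilities ), $rules ) as $plugin ) {
    printf( "%s%s\n", $plugin['slug'], $plugin['warning'] ? ' [warning]' : '' );
}
```

Ordering the rules strictest first means a plugin carrying both a critical and a medium label is hidden rather than merely flagged.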

Understanding WP Engine’s Smart Search AI Model Context Protocol (MCP) Server

The Smart Search AI MCP Server is a powerful new feature in WP Engine’s AI Toolkit that transforms your WordPress site into a dynamic, real-time knowledge base for any external Large Language Model (LLM) you connect to it. When enabled, this server responds to requests from AI tools formatted using the Model Context Protocol (MCP) standard.

In this article, Fran Agulto discusses what MCP is, how to work with the Smart Search AI MCP Server, and how it enhances the Smart Search AI product.

Protecting Your WordPress Media: Private Files, Signed URLs, and Access Control

The WordPress media library serves us well for public content, but what about premium assets, private documents, or confidential client data? The default setup makes every uploaded file publicly accessible via a direct URL. This is a critical limitation for membership sites, digital product stores, and businesses sharing sensitive information.

Relying on direct links in your wp-content/uploads folder means anyone who finds the URL can access your content. This is a significant security risk and, for some sites, a potential loss of revenue.

In this article, we address that challenge. We’ll explore a solution to move beyond basic file storage and achieve granular control over your WordPress media, ensuring your valuable or confidential files are securely delivered only to those with proper authorization.

What’s the most interesting news you’ve come across recently? Pop by Twitter and let us know.

About the Author

Mike Davey, Senior Editor

Mike is an editor and writer based in Hamilton, Ontario, with an extensive background in business-to-business communications and marketing. His hobbies include reading, writing, and wrangling his four children.