Category: WordPress plugins

  • AI Provider for ChatGPT Is Now on WordPress.org

    AI Provider for ChatGPT Is Now on WordPress.org

    AI Provider for ChatGPT is now available in the WordPress.org plugin directory. It lets WordPress 7.0’s AI Client use an existing ChatGPT Free, Plus, or Pro account instead of a separate OpenAI API key, supporting text generation, chat history, tool use, JSON output, and model discovery.

    The update includes review-related fixes, documented external endpoints, namespaced plugin data, improved cleanup on uninstall, and a resolved stream error. The post also explains installation, connection through a pairing CLI, and limitations such as no Business or Enterprise support, no image generation, and reliance on OpenAI’s Codex CLI OAuth flow.

    A few weeks ago I wrote about a plugin I built to plug WordPress 7.0’s AI features into a ChatGPT subscription instead of a billed API key. Back then it lived on GitHub and you had to install it by hand.

    That changed. The plugin passed the WordPress.org review and is now live on the official plugin directory:

    AI Provider for ChatGPT on WordPress.org

    If you read the original write-up, this is the short version of what happened since, and how to get it now.

    What the plugin does

    WordPress 7.0 ships a built-in AI Client, and providers register against it. Every provider plugin I could find wanted an OpenAI API key, and that key is billed separately from your ChatGPT subscription. So if you already pay for ChatGPT Plus or Pro, you end up paying a second time to use AI inside WordPress.

    AI Provider for ChatGPT connects your existing ChatGPT account instead. No API key. Requests are routed through the same backend the Codex CLI uses, so usage runs against the plan you already have.

    Once it is connected, any plugin or theme that uses the WordPress AI Client can call ChatGPT the same way it calls Google or Anthropic: text generation with GPT-4o, GPT-4.1 and the o-series, multi-turn chat history, function calling and tool use, structured JSON output, and automatic model discovery.

    What is new since the GitHub-only version

    Getting through the WordPress.org review meant tightening a few things up. The notable changes:

    • All plugin-owned options, transients, and hooks are now prefixed so they cannot collide with anything else in WordPress’s shared namespaces.
    • Every external service the plugin contacts is documented in the readme, with the exact endpoints and what data is sent to each.
    • The configured state of the connector is read through the AI Client API rather than poking at the core option directly.
    • A “Missing the output key” error from the Codex responses stream was fixed.
    • Uninstall now cleans up the options and transients the plugin created.

    The security model is the same one described in the first post. The OAuth bundle is encrypted at rest with sodium_crypto_secretbox, keyed off your wp-config.php salts. The pairing endpoint uses a single-use token with a ten-minute lifetime, hashed before storage, with a per-IP rate limit.

    How to install it now

    You no longer need to clone anything. From your WordPress admin:

    1. Go to Plugins, Add New and search for “AI Provider for ChatGPT”.
    2. Install and activate it.
    3. Open Settings, ChatGPT and click Connect with ChatGPT.
    4. The screen shows a one-line command. Run it on any machine with a browser: npx @abdalsalaam/chatgpt-wp-connect https://your-site.example <pairing-token>
    5. Sign in to OpenAI in the window that opens. The WordPress tab connects itself. No copying secrets, no pasting tokens.

    After that the provider appears in the WordPress AI picker, and the models your account can reach show up automatically.

    If you already use the Codex CLI, the same screen has an Advanced option to paste or upload your existing ~/.codex/auth.json instead.

    The trade-offs still apply

    I said this in the first post and it is still true, so it stays here:

    • The OAuth consent screen says “Codex CLI” because that is the OpenAI-owned client whose ID the flow reuses. If OpenAI rotates or revokes it, the plugin breaks the same day.
    • This is the consumer ChatGPT backend, so there is no API data processing agreement. Prompts may be used for training unless your account has training turned off.
    • Only the Free, Plus, and Pro tiers work. Business, Edu, and Enterprise do not.
    • Image generation is not supported on this backend. For DALL-E or gpt-image, use the standard OpenAI provider with an API key.

    None of that is hidden. It is the honest cost of getting WordPress AI to run on a subscription you already pay for.

    Try it

    The plugin is free and open source under GPL.

    If you install it, I would really like to hear how it goes, bug reports especially. Open an issue on GitHub or leave a review on the directory.

  • Plug WordPress 7.0 AI Into Your ChatGPT Subscription – Without an API Key

    WordPress 7.0 ships first-class AI providers. The reaction online has been almost entirely about the bill: drop in an Anthropic or OpenAI API key, forget you did it, and discover next month that a content workflow has been quietly burning tokens at full retail.

    The warning is fair. People will get charged. But the framing, that this is WordPress’s fault, misses where the policy actually lives.

    The vendor policy WordPress can’t fix

    Anthropic explicitly bans third-party apps from using Claude Pro/Max session auth. Claude Code is the exception because Anthropic owns it. Everyone else is told to use an API key billed against an API account, separate from the consumer subscription. So even if WordPress wanted to ship a “use your Claude subscription” option, Anthropic’s terms wouldn’t permit it.

    OpenAI is different in a way that matters. The Codex CLI authenticates with your ChatGPT account over OAuth and routes requests through the same backend that powers chatgpt.com, billed against your ChatGPT Plus/Pro plan rather than an API account. The login flow lives in their public repository. There is no policy banning third-party clients from doing what Codex does. The design is just publicly documented.

    That gap is what this plugin steps into.

    What I built

    AI Provider for ChatGPT is a WordPress plugin that registers ChatGPT as a first-class AI provider, the same surface as the official OpenAI, Anthropic, and Google plugins, but authenticates with your ChatGPT account instead of an API key. Once paired, every WP 7.0 AI feature on the site routes through your subscription. The server handles token refresh on its own. No API account, no per-token bills.

    The proof-of-concept I showed on LinkedIn required you to run codex login on your laptop and paste ~/.codex/auth.json into the plugin settings. It worked end-to-end on video, but it was a developer-only UX, so I never published it in that shape. The released version replaces the paste step with a companion CLI:

    npx @abdalsalaam/chatgpt-wp-connect https://your-site.example <pairing-token>

    Click Connect with ChatGPT in the WordPress admin, copy the command, run it on any machine that has a browser. The CLI opens an OpenAI sign-in page, runs the OAuth PKCE flow on 127.0.0.1:1455, then posts the resulting bundle to a one-time pairing endpoint on your site. The WordPress tab connects automatically. No copy-pasting of secrets.

    How it works

    The trick that makes the two-piece design work: OpenAI’s allowlist for the public Codex client only permits http://localhost:1455 (and 1457 as fallback) as redirect URIs. That restriction applies to the *authorize* step only. Token refresh and API calls have no such restriction. So once the bundle is paired, the WordPress server handles refresh and every subsequent API call on its own. The laptop is out of the loop forever.

    The pairing protocol

    A CLI on your laptop posting tokens to your server is exactly the kind of “convenience” feature that tends to be sloppy in the security model. The pairing endpoint has six properties worth naming explicitly:

    1. 256-bit, single-use token. Minted by an admin-only REST route.
    2. Hashed at rest. Only the SHA-256 is stored; the raw token never touches the database.
    3. 10-minute TTL. Issuing a new token revokes any prior outstanding one.
    4. Atomic redemption. Using delete_transient‘s boolean return value, so two concurrent redemptions can’t both win.
    5. Per-IP rate limit. 10 attempts per minute by default, filterable.
    6. Generic error responses. Parser internals never leak to unauthenticated callers.

    The OAuth bundle itself is encrypted at rest with sodium_crypto_secretbox, using a 32-byte key derived from AUTH_KEY and LOGGED_IN_KEY. The plugin refuses to read or write tokens when those salts are missing, shorter than 32 chars, or still set to the wp-config placeholder. A SQL dump alone is not enough to recover the tokens.

    What you trade for the convenience

    This plugin works today and the engineering is real, but the trade-offs are not subtle and they belong above the fold:

    • Reused first-party client_id. The OAuth consent screen will say “Codex CLI” because that’s the OpenAI-owned app whose client_id is used. If OpenAI revokes or rotates that client, the plugin breaks the same day.
    • No API DPA. Traffic goes through the consumer ChatGPT backend. Prompts may be used by OpenAI for training unless the connected account has training opt-out enabled. If you’re processing customer data or anything covered by a data-processing agreement, this is the wrong tool. Use the official ai-provider-for-openai plugin with an API key.
    • Consumer plans only. Free / Plus / Pro work. Business / Edu / Enterprise do not.
    • No image generation. The Codex backend doesn’t expose DALL-E or gpt-image. Text generation, chat history, function calling, tool use, structured output via JSON schema all work.

    The honest framing is: this is a proof of concept that happens to be production-quality on the security and refresh-handling side. It’s appropriate for a personal site, an internal tool, or experimentation. It is not appropriate for a store handling customer data, and that’s a vendor-policy problem, not a plugin problem.

    What this means for you

    If you’ve been holding off on the WP 7.0 AI features because the API-account bill felt like a tax on experimentation, this gives you a way to use what you’re already paying for. If you’d rather not depend on an undocumented OAuth surface, the same WP AI Provider architecture supports cheaper paths. I’ve also published a Kimi connector (source on GitHub) that hits the standard Moonshot API with a straightforward key, at a fraction of OpenAI’s per-token cost.

    The broader ask, though, is at the platform layer. The reason the “drop in an API key and forget” pattern keeps producing surprise bills is that consumer subscriptions and developer APIs are two separate billing surfaces with no bridge between them. Codex CLI shows that the bridge is technically trivial. What’s missing is a vendor-blessed “Sign in with my subscription” flow that third-party apps can build on without standing on top of an OAuth client they don’t own.

    Try it

    Want the cheaper, no-OAuth alternative? Read the companion post: WordPress AI Connector for Kimi (Moonshot).

    # WordPress plugin
    https://github.com/Abdalsalaam/ai-provider-for-chatgpt
    
    # Pairing CLI
    npx @abdalsalaam/chatgpt-wp-connect <site-url> <pairing-token>

    Both are GPL-2.0-or-later. Issues and PRs welcome.

  • Gulf Currencies Symbols for WooCommerce

    Gulf Currencies Symbols for WooCommerce

    I just released version 2.0 of the Saudi Riyal for WooCommerce plugin, and it’s no longer just about the Saudi Riyal.

    The plugin now supports three Gulf currency symbols: Saudi Riyal (SAR), UAE Dirham (AED), and Omani Rial (OMR). So I renamed it from “Saudi Riyal Symbol for WooCommerce” to “Gulf currencies Symbols for WooCommerce.”

    Why I Built This

    WooCommerce doesn’t render the official Saudi Riyal symbol correctly. Same issue with the UAE Dirham and Omani Rial symbols. You end up with “SAR” or “AED” text instead of the actual symbol.

    This isn’t just about aesthetics. Saudi Arabia mandated the use of the new Riyal symbol for all businesses. The UAE and Oman have similar requirements for their currency symbols. If you’re running a WooCommerce store in these countries, you need to display the official symbol to stay compliant.

    The plugin fixes this automatically. No custom code, no messing with WooCommerce templates.

    What v2.0 Adds

    • UAE Dirham (AED) symbol support.
    • Omani Rial (OMR) symbol support.
    • Better symbol rendering in the WordPress admin dashboard

    Everything else from v1.x still works: frontend display, WooCommerce emails, PDF invoices, RTL support, and block-based Cart/Checkout compatibility.

    Compatibility

    I made sure this works with the tools people actually use:

    • WooCommerce emails
    • PDF Invoices & Packing Slips for WooCommerce
    • Challan – PDF Invoice & Packing Slip for WooCommerce
    • WOOCS – WooCommerce Currency Switcher
    • Multi Currency for WooCommerce (VillaTheme)
    • WooCommerce Multi-Currency

    If you’re using a currency switcher and selling in multiple Gulf currencies, the symbols will display correctly for each one.

    Install It

    The plugin is free and available on the WordPress plugin directory:

    Download Gulf currencies Symbols for WooCommerce

    Just install, activate, and the symbols work automatically. No configuration needed.

    Thanks!