| 开发者 | heera |
|---|---|
| 更新时间 | 2026年7月14日 13:55 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
/.well-known/acme-challenge/ (SSL renewal) always stays reachable.?author=1 and REST /wp/v2/users leak, plus the users sitemap and oEmbed author), 404 author-archive pages, hide the WordPress version from the generator tag and asset URLs, drop the rarely-used auto-generated <head> discovery links, and neutralise XML-RPC. Nothing changes until you turn a switch on, and signed-in admins and the block editor are never affected. It's exposure hygiene, not a firewall — Agentimus stays a discovery layer, not a security suite..md to its URL. (Answering the page's own URL with markdown via an Accept: text/markdown header is also supported, but off by default: one URL with two possible bodies is unsafe behind a CDN that force-caches pages, and readers are the ones who find out. Enable it with a one-line filter where your caching is sound.)keywords and a line in the page's .md, so assistants understand each page's subject. Type your own, or let Agentimus fill them in from the post's own tags and categories. Nothing shows on the visible page.description, the lead of the page's .md, and the page's <meta name="description"> — replacing your theme's auto-generated one, while still standing aside for a dedicated SEO plugin. Leave it blank and Agentimus falls back to the excerpt, or a short summary of the page. A sub-switch keeps it out of your <head> if you'd rather it enrich only the AI data./agentimus-changes.json lists your recently added, updated and removed pages, with a ?since= filter, so an assistant re-checks only what changed instead of re-reading your whole site. On by default and advertised in your discovery document.sameAs) feed llms.txt and JSON-LD — the highest-signal lines for agent retrieval./.well-known/security.txt, so researchers and agents have a machine-readable way to report an issue..well-known convention, A2A agent cards, MCP-shaped tools). It puts a site's identity, capabilities and APIs in one predictable place:
.well-known endpoints — an RFC 9727 api-catalog, plus — only when the capability actually exists — an MCP server card and an Agent Skills index. Optional response signing (Web Bot Auth / HTTP Message Signatures, RFC 9421): sign the discovery documents with an Ed25519 key published at /.well-known/http-message-signatures-directory, so agents can verify they came from you. On by default; the private key stays on your server.agentimus folder to /wp-content/plugins/, or install via Plugins → Add New.The full documentation — a plain-English user manual and a developer reference — is at https://heera.github.io/agentimus/. It has step-by-step guides for every feature, plus the hooks, filters and endpoints for developers.
No. A setup wizard opens automatically the first time you visit the admin and walks you through everything in about a minute — you write a sentence about who you are and tick what AI assistants may read. Everything else runs on its own, and you can change any of it later.
Nothing your visitors see changes — there's no new front-end script, style or layout. Behind the scenes it publishes machine-readable files and signals (like llms.txt and a discovery document) that only AI assistants and crawlers read. It also stands down automatically next to SEO plugins, so it won't duplicate or fight your existing setup.
Activate Agentimus and run the one-minute setup wizard — that covers most sites. Then, depending on what you do:
By default, no — Agentimus makes no outbound HTTP requests out of the box, sends nothing to any external service, collects no analytics or telemetry, and stores the agent-activity log in your own database with no IP addresses. (One opt-in setting, Store IP addresses for flagged clients, can store IPs locally for flagged crawlers only — off by default; see External services.) The one external-service exception is the optional AI Visibility feature: if you enable it and add your own API key, Agentimus queries the AI provider(s) you chose (OpenAI, Perplexity, Gemini and/or Anthropic) to check whether they mention and cite you — only for the engines you turn on, and only when a check runs (on demand or on your schedule). Your keys stay on your server and nothing else is sent anywhere. See External services for the full disclosure. The discovery document includes a $schema value that identifies the document format (the same way a schema.org URL identifies a vocabulary); it is a label in the output, never fetched. The one place a request is made is the optional "Verify live" self-check on the readiness report — and that runs in your browser, fetching your own public URLs only when you click it; the server itself still makes no request.
No. JSON-LD output automatically stands down when Yoast, Rank Math, SEOPress, AIOSEO or The SEO Framework is active, so structured data is never duplicated. The other endpoints (llms.txt, markdown) don't overlap with SEO plugins.
If a static robots.txt file exists at your site root, or your CDN serves its own, it overrides WordPress's virtual robots.txt. The readiness report flags this. Remove the static file to let Agentimus manage the rules.
Almost always it's working — here's how to confirm. The generated AI files are cached for up to an hour, so a change may not show instantly: open the file directly (for example yoursite.com/llms.txt) and refresh. The Readiness report's Verify live button fetches your real URLs from your browser and shows exactly what an agent receives — including anything your CDN is caching. If a file still isn't appearing, check that a static file or your CDN isn't overriding it (the report flags a static robots.txt, for instance).
Set Allow AI training to off under Settings → Crawler policy. That one switch publishes your choice in three places at once, so a crawler that ignores one still sees the others:
Content-Signal: … ai-train=no line (advisory).tdm-reservation: 1 (the W3C TDM Reservation Protocol), which reaches bots that never read robots.txt./.well-known/tdmrep.json — the recognized, machine-readable reservation, relevant under EU text-and-data-mining rules.X-Robots-Tag: noai, noimageai (off by default, honored by some platforms) and link an AI-usage policy URL.
Important — these are signals, not a wall. robots.txt, the header and tdmrep.json are standardized requests that compliant crawlers honor; they do not forcibly stop a bot. To actually refuse a crawler with a 403, add it to the crawler list or use scanner blocking (Crawler policy → Block specific crawlers / Block scanners), which Agentimus enforces at its generated endpoints.
Yes — list them under Block specific crawlers. That writes a per-name Disallow: / to robots.txt for each. The /.well-known/tdmrep.json opt-out file and the tdm-reservation header are site-wide — the standard has no per-bot dial — so per-bot blocking lives in robots.txt (and in scanner blocking for a hard 403), while the file and header carry your overall site-wide choice. (Those site-wide signals are published only when you block AI training; an open site publishes none.)
Out of the box Agentimus blocks nothing — it's a discovery layer, so every agent is served until you turn on the optional scanner blocking. Even then, an always-allowed list keeps trusted clients flowing: the major search engines (Googlebot, Bingbot, DuckDuckBot, Applebot, Yandex) are recognised automatically and never blocked or flagged, and the AI access tab shows them read-only so you know exactly what's trusted. You can add well-known AI assistants and answer engines (ChatGPT, Claude, Perplexity, …) with one click, or mark any client Allow from the activity review queue. Training crawlers (GPTBot, ClaudeBot, …) are deliberately not on the trust list — those belong to your separate AI-training choice, so trusting them here wouldn't quietly undo an opt-out you may have set.
Yes — the dashboard's "Traffic from AI" card counts real people who landed on your site from an AI assistant (ChatGPT, Perplexity, Gemini, …), detected from the visit's referrer and the utm_source tag some AI tools add to their links. It's the mirror of the activity log: that shows bots reading your content; this shows AI bringing you readers, with a by-source and top-landing-pages breakdown. Like the rest of the log it's first-party and aggregate-only — no IP, no per-visitor records, nothing sent anywhere. Some AI visits can't be detected (stripped referrers, Google's AI Overviews, cached pages), so read the figure as a floor: at least this many.
Honestly: it helps with one half of that, not the other. Agentimus makes your site discoverable and correctly understood — when an AI assistant looks at your site, it can find your content, read a clean version, and describe you accurately. That is what the plugin controls, and it does it well. But whether an AI spontaneously mentions you when someone asks a broad question ("best resources for X") is a matter of authority and reputation — earned over time through genuinely notable content that others reference. No plugin, llms.txt, or schema can manufacture that, and any tool promising "instant AI visibility" is overselling. Agentimus makes sure that when authority does bring an agent to your door, nothing is lost in translation.
No. The text endpoints are cached and CDN-friendly; there is no front-end JavaScript or CSS for your visitors (the optional, off-by-default WebMCP bridge adds a tiny script only when you enable it, and it stays inert in browsers without the API). The admin app loads only on the plugin's own screen.
No. Agentimus only describes what your site already makes public; it grants no new access. Removing or suppressing an item changes what is advertised, not what is reachable — the underlying endpoints behave exactly as before, behind their own authentication.
Yes — as an opt-in, on WordPress 6.9 or newer. Turn on Settings → Discovery → MCP server and AI tools you already use (Claude Code, Cursor, ChatGPT connectors) can talk to your site over the Model Context Protocol and run the same read-only, permission-checked tools your admin AI gets: readiness, AI traffic, bot identification, per-page readability and previews. Nothing becomes public — every request has to sign in with a WordPress login (an application password works), each tool keeps the same permission checks as the admin screens, and every call is recorded under More → Agent access. Off by default, and everything needed ships with the plugin.
Yes, if you're on WordPress 7.0 and have set up an AI provider under Settings → AI. Then Draft with AI appears on the AI description field, Suggest with AI on the Topics field, and Fix with AI on any AI Readability row that needs work. Agentimus asks your AI through WordPress's shared connectors — it never sees or stores your API key, and nothing is sent anywhere if you haven't set a provider up (the buttons simply don't appear). Every suggestion arrives as ordinary editable text in the field: you read it, change it, and save the post yourself. Nothing is written for you.
No — it needs its own API keys, and that's on purpose. A visibility check is graded on the sources each engine cited, and WordPress's shared connectors hand back only the answer text; the list of cited sources is dropped before Agentimus could read it. Reading those sources means talking to each engine's own API, so AI Visibility keeps its own keys (Settings → AI Visibility). They stay on your server and are used for nothing else.
Add a single optional action — no dependency, no library. If Agentimus isn't installed the hook simply never fires:
add_action( 'wpdiscovery_register', function ( $registry ) {
$registry->register( array( 'id' => 'acme', 'title' => 'Acme', 'type' => 'commerce' ) );
} );
Agentimus also fires the product-aliased agentimus_register; you may hook either. See examples/integrate-your-plugin.php for the full resource schema (capabilities, endpoints, auth, agent cards, MCP tools).
Registration is a single action, but Agentimus exposes more for deeper integrations, grouped by stability:
wpdiscovery_register action with its $registry->register() / add_well_known() API, plus agentimus_entity_types and the agentimus_cache_flushed action.agentimus_envelope, agentimus_documents, agentimus_mcp, agentimus_agent_skills, agentimus_well_known_routed, agentimus_post_types, agentimus_security_txt.examples/all-hooks-reference.php.
Yes. The discovery document implements the WP_Discovery Protocol, an openly-licensed (CC BY 4.0) specification — not a format private to this plugin. Read the spec, the 1.0 JSON Schema and worked examples at https://heera.github.io/wp-discovery-protocol/ (source and conformance tests: https://github.com/heera/wp-discovery-protocol). Agentimus is its reference implementation.
Accept: text/markdown). One address with two possible answers is only safe if every cache in front of your site respects "never store this" — and a common CDN setup (Cloudflare "Cache Everything" with an Edge TTL) overrides that instruction, stores the Markdown under the page's address, and then serves it to human visitors. It hit this plugin's own author: an AI crawler found a post seconds after publication, asked for Markdown, and readers got raw Markdown until the cache expired. No header an origin can send prevents that, and the person who finds out is your reader — so the convenience is now opt-in. Nothing is lost: every page still has its Markdown twin at /its-slug.md, a separate address a cache can never confuse with your article, and agents are still pointed to it from the page's Link header, from llms.txt and from the discovery documents. If your caching is sound (no CDN, or one that honours no-store), turn it back on with one line: add_filter( 'agentimus_negotiate_markdown', '__return_true' );Accept: text/markdown), and marks that answer "never cache me". A CDN configured to override origin cache headers (Cloudflare "Cache Everything" with an Edge TTL, and the equivalent elsewhere) ignored that, stored the Markdown under the page's URL, and served it to everyone — so a freshly published post, fetched first by an AI crawler, could render as raw Markdown for readers until the cache expired. The no-store instruction is now sent in the CDN-specific headers an edge honours in preference to Cache-Control, so the Markdown answer can't be stored. If your CDN caches it anyway, the new agentimus_negotiate_markdown filter turns page-URL negotiation off entirely; the .md address of every page keeps working, and agents find it exactly as before (it's advertised in the page's Link header, in llms.txt and in the discovery documents).Accept header was matched with a plain substring test, so a request saying "HTML first, Markdown if you must" (text/html;q=0.9, text/markdown;q=0.8) was answered with Markdown. Quality values are now honoured as the standard requires: Markdown is served only when the client actually ranks it above HTML, and a tie goes to HTML. No browser sends text/markdown at all, so no browser can be answered with it.agentimus_match_admin_scheme) turns matching off.?author[]= request no longer triggers a PHP notice, and several small internal flags are now loaded more efficiently on every request.