Managing Plugin Settings via REST API, WP-CLI and MCP
From version 2.6.0, every site-wide AB Split Test setting is exposed as a single settings object that can be read and updated through the REST API, WP-CLI, and MCP (AI assistants). All three surfaces share the same setting names, validation, and behaviour.
Updates are partial: only the keys you provide are changed, everything else is left alone.
Permissions
All settings endpoints, commands, and tools require an administrator (manage_options capability, or network admin when the plugin is network-activated on multisite). Per-test endpoints are unchanged and still require edit_posts.
Secrets are write-only
Credential settings — license_key, openai_api_key, fathom_api_key, cloudflare_api_token, bunny_access_key — are never returned in plaintext. Reads return a masked object:
"openai_api_key": { "configured": true, "masked": "****7890" }
- Send a new plaintext value to set a secret.
- Send an empty string "" to clear it.
- Masked placeholders (****xxxx) sent back are ignored — round-tripping the output of a read can never destroy a stored key.
- Sending "DISABLED" as the openai_api_key clears the key and turns on disable_ai, matching the admin settings page.
REST API
GET /wp-json/bt-bb-ab/v1/settings — returns the full settings object (secrets masked).
POST /wp-json/bt-bb-ab/v1/update-settings — partial update.
Authenticate with an Application Password for an administrator account.
# Read all settings
curl -u "username:application_password" \
https://your-site.com/wp-json/bt-bb-ab/v1/settings
# Update two settings
curl -u "username:application_password" -X POST \
-H "Content-Type: application/json" \
-d '{"heatmaps_enabled": true, "heatmap_retention_days": 14}' \
https://your-site.com/wp-json/bt-bb-ab/v1/update-settings
Response:
{
"success": true,
"updated": ["heatmaps_enabled", "heatmap_retention_days"],
"skipped": {},
"settings": { ...full settings object after the update... },
"message": "2 setting(s) updated."
}
Unrecognised keys are never written — they are reported in skipped with the reason "unknown setting". Invalid values (for example a cdn_provider outside the allowed list) return a 400 error and nothing is saved.
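A client-side check built on the behaviour described above, as an added example that is not the plugin's own code: it builds a partial-update body that never echoes a masked secret, flags any read that returns a secret in a non-masked shape, and reports keys the server listed in skipped, so a misspelled setting name does not pass as applied. The helper names, the sample data, and the shape of skipped as a name-to-reason mapping are assumptions.

```python
# Secret setting names listed on this page.
SECRET_KEYS = {"license_key", "openai_api_key", "fathom_api_key",
               "cloudflare_api_token", "bunny_access_key"}

def unmasked_secrets(settings):
    """Secret keys in a read whose value is not the masked-object shape."""
    leaked = []
    for key in sorted(SECRET_KEYS & set(settings)):
        value = settings[key]
        masked = value.get("masked") if isinstance(value, dict) else None
        # Assumption: an unset secret may have an empty or missing "masked".
        if not isinstance(value, dict) or (masked and not str(masked).startswith("****")):
            leaked.append(key)
    return leaked

def build_patch(current, desired):
    """Partial-update body: changed keys only, and never a masked secret."""
    patch = {}
    for key, value in desired.items():
        if key in SECRET_KEYS:
            # Send plaintext only ("" clears); drop anything copied from a read.
            if isinstance(value, str) and not value.startswith("****"):
                patch[key] = value
        elif current.get(key) != value:
            patch[key] = value
    return patch

def not_applied(patch, response):
    """Keys we sent that the server skipped, e.g. a misspelled setting name."""
    skipped = response.get("skipped", {})  # assumed shape: {name: reason}
    return {key: skipped[key] for key in patch if key in skipped}

# Constructed sample data (not captured from a real site).
SAMPLE_READ = {
    "heatmaps_enabled": False,
    "heatmap_retention_days": 30,
    "remote_access_enabled": True,
    "openai_api_key": {"configured": True, "masked": "****7890"},
}
DESIRED = {
    "heatmaps_enabled": True,
    "heatmap_retention_days": 30,       # unchanged, so not sent
    "remote_acess_enabled": False,      # deliberate typo: the server skips it
    "openai_api_key": SAMPLE_READ["openai_api_key"],  # masked read, dropped
}
SAMPLE_RESPONSE = {
    "success": True,
    "updated": ["heatmaps_enabled"],
    "skipped": {"remote_acess_enabled": "unknown setting"},
}
```

In a deployment script, fail the run when not_applied() returns anything or unmasked_secrets() lists a key, since the response still carries "success": true when a key is skipped.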
WP-CLI
# List every setting (secrets masked)
wp absplittest get_settings
wp absplittest get_settings --format=json
# Update plugin-wide settings (no test ID)
wp absplittest update_settings --heatmaps_enabled=1 --heatmap_retention_days=14
# Set a secret (get_settings will show it masked)
wp absplittest update_settings --openai_api_key=sk-xxxx
# Array values accept JSON
wp absplittest update_settings --testable_post_types='["post","page"]'
update_settings keeps its existing per-test behaviour when you pass a test ID:
# Still updates test 123, exactly as before
wp absplittest update_settings 123 --conversion_type=url --conversion_url=thank-you
MCP (AI assistants)
Two tools are exposed alongside the existing test tools (see the MCP Integration Guide for setup):
- absplittest/get-settings — read the full settings object (secrets masked)
- absplittest/update-settings — partially update any settings
// Example AI prompts:
"Turn on heatmaps and set retention to 14 days"
"Who receives the winner notification emails? Add jane@example.com"
"Disable AI features on this site"
"Switch the CDN provider to Cloudflare and set the zone ID"
Available settings
Feature toggles (boolean)
| Setting | Default | Description |
|---|---|---|
| disable_ai | false | Disable all AI features globally |
| test_ideas_enabled | true | AI-powered test idea generation |
| thompson_sampling_enabled | false | Thompson Sampling (multi-armed bandit) allocation |
| fingerprint_tracking_enabled | false | Identify returning visitors by browser fingerprint |
| uuid_tracking_enabled | false | Identify returning visitors by stored UUID |
| wait_for_cookie_consent | false | Wait for cookie consent before tracking (GDPR) |
| user_journeys_enabled | false | User journey tracking |
| session_replays_enabled | false | Session replay recording |
| heatmaps_enabled | false | Heatmap recording |
| variation_canonical_tags_enabled | false | Canonical tags on variation pages |
| clear_cache_on_update | true | Clear site caches when tests are updated |
| woocommerce_server_conversions_enabled | false | Server-side WooCommerce conversion tracking |
| hubspot_forms_enabled | false | HubSpot form submission conversions |
| weekly_reports_enabled | true | Weekly summary report emails |
| debug_logging_enabled | false | Debug logging |
| delete_tracking_data_on_uninstall | false | Remove tracking tables on uninstall |
| remote_access_enabled | false | Agency Hub remote access |
| agency_mode_enabled | false | Agency mode (manage client sites) |
| mcp_advanced_tools_enabled | false | Advanced MCP site-editing tools |
Values and lists
| Setting | Type | Default | Description |
|---|---|---|---|
| fingerprint_retention_days | integer | 30 | Days to retain fingerprint data |
| uuid_retention_days | integer | 30 | Days to retain UUID data |
| heatmap_retention_days | integer | 30 | Days to retain heatmap data |
| heatmap_page_scope | enum | all | all or chosen pages |
| heatmap_pages | array | [] | Page IDs when scope is chosen |
| testable_post_types | array | [] | Post types eligible for testing (validated against registered public post types) |
| woocommerce_conversion_statuses | array | processing, completed, on-hold | Order statuses that count as conversions |
| weekly_report_emails | string | admin email | Comma-separated report recipients (invalid emails are dropped) |
| winner_notification_emails | string | admin email | Comma-separated winner notification recipients |
| revenue_currency_symbol | string | — | Currency symbol for revenue figures |
| global_webhook_url | string | — | Webhook URL receiving conversion payloads for all tests |
| cdn_provider | enum | none | none, cloudflare or bunny |
| cdn_hostname | string | — | CDN hostname for cache purging |
| cloudflare_zone_id | string | — | Cloudflare zone ID for purge API calls |
Secrets (write-only, masked reads)
| Setting | Description |
|---|---|
| license_key | Plugin licence key |
| openai_api_key | OpenAI API key for AI features |
| fathom_api_key | Fathom Analytics API key |
| cloudflare_api_token | Cloudflare API token |
| bunny_access_key | Bunny CDN access key |
Side effects
Updating settings programmatically applies the same side effects as saving the admin settings page:
- Enabling fingerprint or UUID tracking creates the tracking table and schedules the nightly cleanup job.
- Turning off weekly reports clears the report cron.
- Changing testable_post_types refreshes the testable posts cache.
- The frontend embed script is regenerated after every update.