XML-RPC publishing stopped working – “Incorrect Password” error
-
Hello,
I am experiencing issues with publishing posts to my WordPress.com site via xmlrpc.php. Everything was working fine until recently, but now I’m getting an “Incorrect Password” error, even though my credentials are correct and I can log in to the dashboard without any issues.
I have checked my settings, but I cannot find any recent changes that might have disabled this.
Is XML-RPC currently restricted for certain plans?
Are Application Passwords mandatory now for XML-RPC requests?
Are there any specific server-side blocks or security headers recently implemented on WordPress.com that would cause a 403 or auth error for XML-RPC?
I would appreciate any guidance on how to restore my remote publishing workflow.
Best regards,
-
It sounds like you’ve run into a common security pivot on WordPress.com, where traditional password authentication for remote services is being phased out in favor of more secure methods. The “Incorrect Password” error you’re seeing—despite your credentials being correct for the dashboard—is almost certainly because WordPress.com now requires Application Passwords for XML-RPC and REST API requests, especially if you have Two-Step Authentication enabled or if your account has been flagged by their automated security “heat maps.” To resolve this, you should navigate to your Profile Settings in the WordPress.com dashboard, locate the Security tab, and generate a unique 16 or 24-character Application Password specifically for your remote publishing tool; using this generated string in place of your main account password should bypass the 403 or authentication block immediately and restore your workflow.
-
Hi there,
Could you please confirm your website URL? Also, are you using WordPress.com or WordPress.org (self-hosted WordPress on third-party hosting)? This will help us understand your server environment and assist you accordingly.
-
@james3265166 – Thanks! AI suggested the same thing, but the problem is I don’t see an option to generate an app password. Could you show me where exactly to click for that? I’d really appreciate it.
@faisalahammad – I think this is a global issue; I’ve written a web app for several people, and they are all experiencing the same problem with this. Specifically, this concerns WordPress.com (Web 2.0), for example my test site: panelwp.wordpress.com
Thanks for your help with this.
-
To help you get that “Application Passwords” section visible, the most direct path is to access your Classic WP-Admin profile by adding /wp-admin/profile.php to the end of your site’s URL. Once there, scroll toward the bottom of the page to find the section titled Application Passwords; if it is still missing, it is likely because your site is not currently running on a secure HTTPS connection, as WordPress automatically hides this feature on unencrypted sites for security reasons. Additionally, if you have a Business or Commerce plan, check the settings of any security plugins like Wordfence or Solid Security, as they often disable application passwords by default to prevent “Brute Force” attacks. Finally, on WordPress.com, this feature is sometimes tucked away under your Account Security settings within the Two-Step Authentication tab, and you may need to ensure 2FA is active before the option to “Add new application password” appears.
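-
Added example, not part of any post in this thread: the original question asks whether the failure is a server-side block (HTTP 403) or an authentication error, and the two look different on the wire. This Python sketch classifies one xmlrpc.php response by layer. The response bodies are constructed samples, `classify` is a hypothetical helper name, and fault code 403 with "Incorrect username or password." is how WordPress core's XML-RPC server reports a rejected login; that WordPress.com answers the same way is an assumption.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Constructed sample bodies (not captured from a real site).
AUTH_FAULT = b"""<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name>
<value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>"""

OK_BODY = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><struct><member><name>blogid</name>
<value><string>1</string></value></member></struct></value>
</data></array></value></param></params></methodResponse>"""

HTML_BLOCK = b"<html><body><h1>403 Forbidden</h1></body></html>"


def classify(http_status, body):
    """Return (layer, detail) for one HTTP response from xmlrpc.php."""
    # A non-200 status means a proxy, WAF or the web server refused the
    # request before the XML-RPC handler ever checked credentials.
    if http_status != 200:
        return ("transport", f"HTTP {http_status}: rejected before XML-RPC ran")
    try:
        xmlrpc.client.loads(body)  # raises Fault if the body is a <fault>
    except xmlrpc.client.Fault as fault:
        # Assumption: 403 is the login-rejected fault code (WordPress core).
        if fault.faultCode == 403:
            return ("auth", fault.faultString)
        return ("xmlrpc-fault", f"{fault.faultCode}: {fault.faultString}")
    except (ExpatError, xmlrpc.client.ResponseError):
        # HTTP 200 with an HTML page usually means an interstitial or block page.
        return ("transport", "HTTP 200 but body is not XML-RPC")
    return ("ok", "call succeeded")


if __name__ == "__main__":
    for status, body in [(200, AUTH_FAULT), (200, OK_BODY),
                         (403, HTML_BLOCK), (200, HTML_BLOCK)]:
        print(status, classify(status, body))
```

An "auth" result points at the credential itself (for instance, an account password where an application password is expected), while a "transport" result points at something in front of xmlrpc.php.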