AI SEO Agents connect to your WordPress site via the REST API using Application Passwords — a secure, token-based authentication method built into WordPress 5.6+. This guide covers single-site setup, multi-site management, hosting provider considerations, security plugin compatibility, and troubleshooting common connectivity issues. If you have not yet created an account, start with the Quick Start Guide first.

Prerequisites
Before connecting your site, confirm that your WordPress installation meets the following requirements. Most modern WordPress hosts satisfy these out of the box, but some managed hosting providers or security plugins may restrict API access.
- WordPress 5.0 or later — Application Passwords became a core feature in WordPress 5.6, but the REST API has been available since WordPress 4.7. If you are running 5.0–5.5 you can install the Application Passwords plugin for backward compatibility.
- Admin-level user account — The Application Password must be created by a user with the Administrator role. Editor or Author roles do not have sufficient permissions for publishing and metadata updates.
- HTTPS enabled — Application Passwords require SSL in production. If your site still uses HTTP, install a free SSL certificate via Let's Encrypt or your hosting provider's built-in SSL tool.
- REST API accessible — The WordPress REST API must not be blocked by a security plugin, .htaccess rule, or server firewall. You can test this by visiting https://yourdomain.com/wp-json/wp/v2/posts?per_page=1 in your browser — you should see JSON output.
- Application Password or API key — You will generate this in the next section. Alternatively, Enterprise customers can use a platform-issued API key for programmatic site management.
Creating an Application Password
Open WordPress Admin
Log in to your WordPress admin dashboard at yourdomain.com/wp-admin. Make sure you are logged in as a user with the Administrator role — Application Passwords are not available to lower-privilege roles.
Navigate to User Profile
Go to Users → Profile (or click your username in the top-right corner). Scroll down past the personal options, name, and contact info sections.
Scroll to Application Passwords
Near the bottom of your profile page, find the Application Passwords section. If you do not see this section, your WordPress version may be older than 5.6 or a security plugin may be hiding it. Enter a descriptive name like "AI SEO Agent" and click Add New Application Password.
Copy the Password
WordPress generates a 24-character password (displayed with spaces for readability). Copy it immediately — it cannot be viewed again after you leave the page. The spaces are optional; the API accepts the password with or without them. Store it in a password manager if you plan to use it across multiple integrations.
Adding Your Site in the Dashboard
Open Settings → Sites
In the AI SEO Agents dashboard, navigate to the Settings page and click the Sites tab. This is where all your connected sites are listed.
Click Add Site
Enter your WordPress URL (e.g., https://example.com), your WordPress username, and the Application Password you just created. The URL should be your site's root domain without a trailing slash. Do not include /wp-admin or /wp-json — the platform appends the correct API paths automatically.
Verify Connection
Click Verify. The platform tests connectivity by calling GET /wp-json/wp/v2/posts?per_page=1. A green checkmark confirms the connection is working. If verification fails, scroll down to the Troubleshooting section below or see Quick Start Guide for a walkthrough with screenshots.
Security note: Your WordPress credentials are encrypted at rest using AWS KMS and stored in AWS Secrets Manager. They are never logged, never stored in plain text, and never exposed in API responses. See Security Overview for full details on data protection.
Hosting Provider Notes
Different managed WordPress hosting providers have varying default configurations for REST API access. Below is a quick reference for the most popular hosts. If your provider is not listed, the Generic row applies.
| Hosting Provider | REST API Status | Notes |
|---|---|---|
| WP Engine | Enabled by default | No additional configuration needed. Application Passwords work out of the box. |
| Cloudways | Enabled, may need IP whitelist | If you use Cloudways' bot protection or IP-based firewall, add the AI SEO Agent IP range to your allowlist in the Cloudways security settings. |
| SiteGround | May need manual enable | SiteGround's security tools sometimes block REST API requests. Go to Site Tools → Security → Blocked IPs and ensure the API is not restricted. Also check the SG Security plugin settings. |
| Kinsta | Enabled by default | Kinsta does not block the REST API. If you use a custom firewall (e.g., Cloudflare), ensure /wp-json/ paths are whitelisted. |
| Bluehost / HostGator | Enabled by default | Shared hosting environments occasionally have ModSecurity rules that block API requests. Contact support if you get 403 errors. |
| Generic / Self-Hosted | Check .htaccess and server config | Verify that your .htaccess file does not contain rules blocking /wp-json/ paths. Common culprits: security plugins that add blanket API blocking rules, or server-level ModSecurity configurations. |
Security Plugin Compatibility
Most popular WordPress security plugins are compatible with AI SEO Agents, but some require minor configuration to allow REST API access. The platform authenticates using standard WordPress Application Passwords, so any plugin that supports this authentication method will work correctly.
- Wordfence — Fully compatible. If you have "Disable WordPress application passwords" enabled in Wordfence → All Options → Login Security, turn it off. Wordfence's firewall may also rate-limit API requests; increase the rate limit threshold if you plan to run frequent audits.
- Sucuri — Fully compatible. If Sucuri's cloud proxy (WAF) is active, ensure it is not blocking POST requests to /wp-json/ endpoints. You may need to whitelist the AI SEO Agent user agent or IP range in the Sucuri dashboard.
- iThemes Security (Solid Security) — Compatible with configuration. Disable the "REST API" restriction under Settings → Advanced → WordPress Tweaks or switch it from "Restricted Access" to "Default Access".
- All-In-One WP Security — Compatible. Ensure the "Disable WordPress REST API" option in the Firewall settings is unchecked.
Not sure if your security plugin is blocking the API? Visit https://yourdomain.com/wp-json/wp/v2/posts?per_page=1 in your browser while logged out. If you see a JSON response, the API is accessible. If you see a 403 or a blank page, a plugin or server rule is likely blocking it.
Multi-Site Management
Agency and Enterprise plans support connecting multiple WordPress sites. Each site gets its own site_id in the platform, and agent jobs can target specific sites. The site registry is stored in a dedicated DynamoDB table with per-user isolation — you can only see and manage sites you own. For agencies managing client sites, the Enterprise plan provides team-level access controls and unlimited site connections.
| Plan | Sites Included | Additional Sites |
|---|---|---|
| Starter | 1 | Not available |
| Professional | 5 | $10/mo per additional site |
| Agency | 25 | $5/mo per additional site |
| Enterprise | Unlimited | Included |
To connect additional sites, repeat the setup process above for each domain. Each site requires its own Application Password. You can switch between sites in the dashboard using the site selector dropdown, and agents can be configured to target a specific site or run across all connected sites. See Pricing for detailed plan comparison.
Troubleshooting
Below are the most common connection issues and how to resolve them. If you encounter a problem not listed here, contact support with the exact error message and your site URL.
| Issue | Cause | Solution |
|---|---|---|
| Verification fails with 401 | Invalid credentials | Regenerate the Application Password and update it in Settings. Ensure you are using the correct WordPress username (not the email address). |
| Verification fails with 403 | REST API blocked by security plugin | Whitelist the AI SEO Agent IP range or disable REST API restriction in your security plugin. See the Security Plugin Compatibility section above. |
| Timeout on verification | Server is slow or behind a CDN | Ensure your server responds to REST API requests within 10 seconds. If you use Cloudflare or another CDN, check that API requests are not being cached or challenged. |
| SSL certificate error | Self-signed or expired certificate | Install a valid SSL certificate. Let's Encrypt provides free certificates and most hosts offer one-click installation. Self-signed certificates are not supported. |
| Rate limiting (429 response) | Too many API requests in a short period | The platform includes built-in retry logic with exponential backoff. If you consistently hit rate limits, ask your hosting provider to increase the REST API rate limit, or space out bulk operations like audits. |
| Plugin conflict (500 error) | A WordPress plugin is crashing on API requests | Temporarily disable plugins one by one to identify the culprit. Common offenders: caching plugins that interfere with REST API responses, or poorly coded custom plugins that throw fatal errors on API endpoints. |
| Multisite (WordPress Network) setup | REST API paths differ for subsites | For WordPress Multisite, connect each subsite individually using its own URL (e.g., https://example.com/site2 or https://site2.example.com). Each subsite needs its own Application Password. |
| REST API returns HTML instead of JSON | Permalink structure misconfigured | Go to Settings → Permalinks in WordPress admin and ensure you are not using the "Plain" permalink structure. Any other option (Post name, Day and name, etc.) will work. |
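The check described under Verify Connection, combined with the rows of the table above, as an added example (not the platform's own code). The function names and message strings are assumptions made for illustration; only the probe path, the 10-second limit and the status meanings come from this guide.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

PROBE = "/wp-json/wp/v2/posts?per_page=1"  # request the guide says Verify sends
ROWS = {  # non-200 statuses from the troubleshooting table
    401: "invalid credentials: regenerate the password, use the username not the email",
    403: "REST API blocked by a security plugin or server rule",
    429: "rate limited: back off and space out bulk operations",
    500: "plugin conflict: a plugin is crashing on API requests",
}

def normalize_site_url(url):
    """Reduce input to the site root; refuse plain HTTP so credentials stay on TLS."""
    url = url.strip().rstrip("/")
    for suffix in ("/wp-admin", "/wp-json"):
        url = url.removesuffix(suffix)  # Python 3.9+
    if not url.startswith("https://"):
        raise ValueError("site URL must use https://")
    return url

def basic_auth_header(username, app_password):
    """Build the Basic auth value; spaces in the password are display-only."""
    token = f"{username}:{app_password.replace(' ', '')}".encode()
    return "Basic " + base64.b64encode(token).decode()

def diagnose(status, content_type, body):
    """Map one HTTP response to 'ok' or the matching troubleshooting row."""
    if status != 200:
        return ROWS.get(status, f"unexpected status {status}")
    try:
        if "json" in content_type.lower() and isinstance(json.loads(body), list):
            return "ok"
    except ValueError:  # body is not JSON (covers bad encodings too)
        pass
    return "HTML instead of JSON: check the permalink structure"

def verify(site_url, username, app_password, timeout=10):
    req = urllib.request.Request(normalize_site_url(site_url) + PROBE, headers={
        "Authorization": basic_auth_header(username, app_password)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as err:
        return diagnose(err.code, err.headers.get("Content-Type", ""), err.read())
    except OSError as err:  # URLError, timeouts, TLS failures
        tls = isinstance(getattr(err, "reason", err), ssl.SSLError)
        return "SSL certificate error" if tls else f"timeout or unreachable: {err}"
```

Only `verify` touches the network; the other three functions can be exercised offline against captured responses.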
Credential Rotation
For security best practices, you should rotate your Application Passwords periodically. The platform supports zero-downtime credential rotation — you can update your credentials in the dashboard at any time without interrupting running jobs.
1. Create a new Application Password in WordPress admin (Users → Profile → Application Passwords). Give it a new name like "AI SEO Agent v2" to distinguish it from the old one.
2. Update the credential in the AI SEO Agents dashboard at Settings → Sites → Edit. Replace the old Application Password with the new one and click Save.
3. Verify the connection by clicking the Verify button. Confirm the green checkmark appears.
4. Revoke the old Application Password in WordPress admin. Find the old password entry in the Application Passwords list and click Revoke. This invalidates the old credential immediately.
Running jobs are not affected by credential rotation. Each job caches the credentials at launch time, so a rotation mid-job will not cause failures. The new credentials take effect for the next job that starts after the update.
Related Documentation
- Quick Start Guide — Full account setup walkthrough from start to finish.
- Understanding Agent Workflows — How connected sites are used by the three pipelines.
- Security Overview — How credentials and data are protected.
- API Reference — Sites API endpoints for programmatic management.
- Enterprise Solutions — Multi-site management, team access, and custom integrations.
- Pricing — Compare plans and site connection limits.