Real Help — Real Fast

WordPress for Cowork
Support

Walkthroughs, fixes, and how-to guides — all in one place.

Browse the docs below, search the knowledge base, or ask the AI chat — it’s trained on these docs and answers most questions instantly.

Open an account first. An account at /my-account/ is what unlocks everything after purchase:
  • Re-download your .plugin file any time
  • Plugin updates and release notes
  • Support tickets tied to your license
  • Member-only updates, coupons, and renewal offers

Getting Started

Prerequisites

Before you begin, make sure you have the following:

  • Claude Cowork — the desktop app (download from claude.com)
  • A WordPress site running on HTTPS
  • Your .plugin file and license key — both are in your purchase email and on your My Account page

Step 1: Add your domain to the Cowork allowlist

Cowork sandboxes outbound network calls to a small allowlist. Until you add your WordPress domain to that list, every plugin call returns blocked-by-allowlist. This is the #1 cause of “plugin won’t connect” errors — do this first.

  1. In Claude Desktop, open Settings → Cowork → Network → Allowed Domains.
  2. Add your WordPress site’s domain (e.g., yourdomain.com).
  3. Fully close and reopen Claude Desktop. The allowlist is cached at session start, so changes don’t take effect mid-session.

Step 2: Install the Cowork plugin

WordPress for Cowork is a Cowork plugin (it installs into Claude Desktop’s Cowork mode — not into WordPress). The distribution is a .plugin file. There is no .zip, and you do not upload anything to wp-admin under Plugins → Add New.

  1. Download your .plugin file from your My Account page or your purchase email.
  2. In Claude Desktop, open Cowork mode and drag the .plugin file directly into the Cowork chat window. Cowork installs it automatically.
  3. (Alternative path: Settings → Plugins → drag the file in there. Both work.)
  4. You’ll see “WordPress for Cowork installed” and a list of slash commands.

Step 3: Connect your WordPress site with /wp-setup

  1. In Cowork, type /wp-setup and press Enter.
  2. Paste your site URL (e.g., https://yourdomain.com).
  3. Paste your license key (from your purchase email or the order receipt page).
  4. Generate a WordPress Application Password: in your WordPress admin, go to Users → Profile → Application Passwords. Name it Cowork and click Add New Application Password. WordPress shows you a 24-character password — copy it.
  5. Paste the Application Password back into the Cowork prompt. Done — your site is connected.

Note: If you don’t see the Application Passwords section in your WordPress profile, make sure your site is running on HTTPS — Application Passwords are not available over plain HTTP. If it’s there but the connection still fails, check the Security plugin troubleshooting guide.

Why you do the Application Password step yourself

You may have noticed that Cowork asks you to generate the Application Password manually rather than logging into your WordPress admin for you. That’s intentional. WordPress for Cowork won’t log into anything on your behalf without explicit permission — we don’t ask for your wp-admin username and main password, and Cowork doesn’t store them. The only credential the plugin ever sees is the Application Password you choose to hand over after generating it yourself, and that token can be revoked from your WordPress admin at any time to kill the connection cleanly.

Where your credentials live

All credentials are saved on your computer. Your site URL, license key, and Application Password live only inside Cowork’s local secret store on the machine you ran /wp-setup from. Nothing is saved on our servers. wordpressforcowork.com never sees your Application Password, and Anthropic doesn’t either. If we got breached tomorrow, the worst that could leak from our side is the email address you bought with — not your WordPress credentials, and not the contents of your site.

This applies to every site you connect. Agency and Enterprise customers who connect three, five, or fifty WordPress sites store every Application Password locally on their own machine. We never see them in aggregate or otherwise.

Step 4: Run your first command

Once connected, just describe what you want in plain English:

  • “Create a new page called About Us with a short intro paragraph.”
  • “Write a blog post about the top 5 benefits of using AI for WordPress.”
  • “Change my site’s accent color to teal.”

Claude will confirm what it’s about to do and ask before making changes.

Building & Design

How to build a page from a description

  1. Make sure your WordPress site is connected.
  2. Describe the page you want: “Build me a landing page for a photography service. It should have a hero section, a gallery grid, a pricing table, and a contact form.”
  3. Claude will generate the full HTML and CSS and create the page in WordPress.
  4. Review it live, then ask for any tweaks: “Make the hero text larger and center the pricing table.”

How to clone a site’s design using a URL

  1. Find a website whose style you’d like to match.
  2. Tell Claude: “Look at stripe.com and recreate that color palette and font style on my site.”
  3. Claude will fetch the site, extract its design tokens, and apply them to your WordPress theme.
  4. Review the result and refine: “Keep the font but use a darker background.”

How to update your site’s global theme

  1. Tell Claude what you want to change: “Update my site theme — dark background (#0d0d1a), white headings, purple accent (#7c3aed).”
  2. Claude will update your theme.json or inject global CSS as appropriate.
  3. Changes apply site-wide immediately. Ask Claude to revert if you don’t like the result.

Content & Publishing

How to write and publish a blog post

  1. Tell Claude the topic: “Write a 600-word blog post about why small businesses should use AI tools in 2025.”
  2. Claude will draft the post with a title, intro, body, and conclusion.
  3. Review and request edits: “Make the intro punchier and add a bulleted takeaways section at the end.”
  4. Say “Publish it” and Claude will push it live to your WordPress site.

How to add images to your content

  1. Once your post or page content is ready, ask: “Add a relevant featured image to this post.”
  2. Claude can source an image via URL or upload one you provide.
  3. To add an image inline: “Insert an image of a laptop after the second paragraph.”

How to update SEO metadata

  1. Tell Claude which page or post to update: “Update the SEO title and meta description for my About page.”
  2. Provide the text or let Claude generate it: “Write an SEO-optimized meta description for my homepage.”
  3. Claude will update the metadata via your SEO plugin (Yoast, Rank Math, or All-in-One SEO).

WooCommerce

How to manage products with Claude

  1. Tell Claude what you need: “Update the description for my ‘Leather Wallet’ product.”
  2. Claude will fetch the current product data and show you what it plans to change before making edits.
  3. You can batch updates too: “Update the price of every product in the ‘Summer Sale’ category to 20% off.”

How to check and update inventory

  1. Ask Claude: “Show me all products with stock under 10 units.”
  2. Review the list and say: “Set the stock for SKU WH-001 to 50.”
  3. Claude updates inventory in real time.

Site Management

How to back up your site

Automatic daily backups run on their own at ~3 AM site time — no setup needed after install. You can also trigger a backup any time by asking Claude.

Tell Claude: “Back up my site.” The plugin runs wp_backup server-side and saves a full JSON snapshot covering 12 content types: posts, pages, media, categories, tags, comments, menus, users, site settings, WooCommerce products, WooCommerce orders, and SEO metadata. The snapshot is .htaccess-protected on your server — not stored in a third-party cloud.

To list and restore: “Show me my recent backups” then “Restore from backup <ID>.” Claude calls wp_list_backups and wp_restore with the snapshot you choose.

Retention: 7 daily, 4 weekly, and 12 monthly snapshots are kept automatically — older ones auto-prune. If you need long-term archival, run a backup before any major change so the latest stays in the rotation.

Pre-flight prompt: on the first destructive action in a Cowork session, the plugin asks if you want a backup first. Say yes once and you’re covered for the rest of the session.

How to manage users and roles

  1. Ask Claude: “Add a new editor user with the email <email address>.”
  2. Claude will create the user and send a welcome email.
  3. To change a role: “Change John’s role from Subscriber to Author.”

How to fix a broken layout

  1. Describe the problem in plain English: “The hero section on my homepage is overlapping the navigation on mobile.”
  2. Claude will inspect the page CSS and identify the likely cause.
  3. It will propose a fix and ask before applying it.

Troubleshooting

My plugin isn’t showing any tools

  • Make sure you’ve installed the .plugin file by either dragging it into the Cowork chat window or via Settings → Plugins → drag the file there.
  • Start a new conversation after installing — tools activate at the start of a fresh session.

Claude says it can’t connect to my site

  • Make sure your WordPress domain is on the Cowork allowlist (Claude Desktop → Settings → Cowork → Network → Allowed Domains) and that you fully closed and reopened Claude Desktop afterward — see the allowlist guide.
  • Check that your WordPress Application Password is correct and hasn’t been revoked. Go to Users → Your Profile → Application Passwords and generate a fresh one if needed.
  • Confirm your site URL doesn’t have a trailing slash issue.
  • Make sure your site is on HTTPS — Application Passwords don’t work over HTTP.

I don’t see “Application Passwords” in my WordPress profile

  • Your site must be running HTTPS. Application Passwords are disabled on HTTP sites by default.
  • Some security plugins (Wordfence, etc.) can block Application Passwords. Check your security plugin settings and whitelist the REST API.

A change was made that I want to undo

  • Tell Claude: “Undo the last change you made.”
  • For page edits, WordPress revision history also lets you roll back — go to Pages → Edit → Revisions in wp-admin.

Plugin can’t connect? Check your security plugins first.

The most common reason WordPress for Cowork fails to connect is a security plugin on your WordPress site blocking Application Password authentication. If your plugin says “Authentication failed” or “Could not connect to your site”, the fix is almost always one of these:

Wordfence Security

Wordfence’s Login Security module blocks Application Passwords by default in some configurations. Two ways to fix:

  • In wp-admin, go to Wordfence → Login Security → Settings. Find the option labelled “Disable XML-RPC authentication” and turn it off (Application Passwords use the WordPress REST API, but Wordfence’s blocker often catches them too).
  • If you’d rather keep that locked down: Wordfence → Tools → Allowlisted IPs, and add your home/office IP plus any IP you’ll be using the plugin from. Traffic from those IPs is then allowed through.

iThemes Security / Solid Security

Go to Security → Settings → Configure → WordPress Tweaks. Find “REST API” and ensure it’s set to “Default Access” (not “Restricted Access”). If you have “Disable XML-RPC” enabled, that one is fine — Application Passwords don’t use XML-RPC.

Sucuri Security

Sucuri’s WAF can rate-limit or block REST API traffic. In the Sucuri dashboard, allowlist your IP under Firewall → Settings → Whitelist URL or IP. If you’re using Sucuri’s free plugin only (no WAF), no action needed.

WP Cerber

WP Cerber blocks REST API access by default. Go to WP Cerber → Hardening and disable “Block access to WordPress REST API except for any of the following”, OR add an exception for the routes /wp/v2/*.

Limit Login Attempts Reloaded / WPS Hide Login

Both of these are usually fine — Application Passwords bypass the standard login form so login-attempt limiters don’t see them. WPS Hide Login does NOT affect REST API endpoints, only wp-login.php.

Two-factor authentication (2FA) plugins

2FA plugins (Wordfence Login Security, Two Factor, Google Authenticator, etc.) only protect the wp-admin login form. Application Passwords are an entirely separate authentication path that bypasses 2FA by core WordPress design — not by us. So 2FA stays fully enabled for your humans logging into wp-admin, while WordPress for Cowork uses its own scoped Application Password. No changes needed to your 2FA setup.

Hosting-provider firewall (Hostinger, SiteGround, Kinsta, WP Engine, Pressable)

Some managed hosts have a host-level firewall that strips the Authorization header from incoming requests, which silently breaks Application Password auth. If you’ve ruled out plugin-level blocking and the connection still fails, contact your host’s support and ask: “Does your firewall pass through the HTTP Authorization header for Application Password authentication?” If they say no, ask them to enable it for your site (most will).

Quick test: is the Application Password actually working?

Open a terminal on your computer and run (replace placeholders with your values):

curl -u "your-username:xxxx xxxx xxxx xxxx xxxx xxxx" https://your-site.com/wp-json/wp/v2/users/me

If you see your user details in the response — your Application Password works and the issue is somewhere else. If you see {"code":"rest_not_logged_in"} or similar, the security plugin or host firewall is blocking it.
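
The same check as a small script (an added example, not part of WordPress for Cowork or its vendor's code): it reads the Application Password from a prompt so it stays out of shell history and the process list, then sorts the reply into the cases this guide describes. The function names and verdict labels are invented for this example, and treating a non-JSON 401/403 reply as a firewall block page is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Classifies the reply from /wp-json/wp/v2/users/me.
# Usage: bash this-script.sh https://your-site.com your-username

# classify_wp_auth STATUS BODY -> prints one verdict
classify_wp_auth() {
  local status="$1" body="$2" code
  # Extract the REST error code when the body is a WordPress REST error object.
  code=$(printf '%s' "$body" |
    sed -n 's/.*"code"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
  case "$status" in
    200)
      # A successful /users/me reply is a JSON user object with an "id" field.
      if printf '%s' "$body" | grep -q '"id"[[:space:]]*:'; then echo ok
      else echo unexpected; fi ;;
    401|403)
      if [ "$code" = "rest_not_logged_in" ]; then
        echo no_credentials_seen      # WordPress answered but saw no login: plugin or host firewall
      elif [ -n "$code" ]; then
        echo "rejected:$code"         # WordPress answered with another REST error code
      else
        echo blocked_before_wordpress # non-JSON reply: assumed to be a WAF or host block page
      fi ;;
    *) echo unexpected ;;             # 000 = no HTTP reply (DNS, TLS, timeout), or a redirect
  esac
}

# check_site SITE_URL USERNAME : runs the live check, prompting for the password.
check_site() {
  local site="${1%/}" user="$2" pass out   # ${1%/} drops a trailing slash from the URL
  read -r -s -p "Application Password: " pass; echo >&2
  # Feed the credentials to curl as a config on stdin, so the password never
  # appears in shell history or in the process list.
  out=$(printf 'user = "%s:%s"\n' "$user" "$pass" |
    curl --silent --config - --write-out '\n%{http_code}' \
      "$site/wp-json/wp/v2/users/me")
  classify_wp_auth "$(printf '%s\n' "$out" | tail -n 1)" \
                   "$(printf '%s\n' "$out" | sed '$d')"
}

if [ "$#" -eq 2 ]; then
  check_site "$1" "$2"
else
  # Offline demo on constructed responses (not captured from a real site).
  classify_wp_auth 200 '{"id":1,"name":"admin"}'
  classify_wp_auth 401 '{"code":"rest_not_logged_in","data":{"status":401}}'
  classify_wp_auth 403 '<html><body>Request blocked</body></html>'
fi
```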

Catch problems early: monitor your site’s uptime

The faster you find out your site is down, the fresher the backup you can restore from. WordPress for Cowork keeps 7 daily, 4 weekly, and 12 monthly snapshots from your wp_backup commands and the v4.1.0 pre-flight prompt — older ones auto-prune. Once a snapshot rolls off, it’s gone. So the sooner you find out something’s wrong, the more recent your restore point will be.

An external uptime monitor closes that gap. Pick one and set it up before launch, not after.

Recommended: UptimeRobot (free)

UptimeRobot pings any URL every 5 minutes from real internet locations and alerts you when it stops responding. The free tier covers 50 monitors, which is way more than any single site needs.

  1. Sign up at dashboard.uptimerobot.com/sign-up with your real email.
  2. Click Add Monitor → choose Keyword type.
  3. URL: https://your-site.com/ (replace with your actual site)
  4. Keyword: any short string that always appears on your site (e.g. your site name). UptimeRobot alerts when the page either fails to load or loads but the keyword is missing — catches both crashes and “white screen of death” cases.
  5. Interval: 5 minutes (free tier minimum).
  6. Alert contacts: add your email — and ideally a second channel (SMS, Telegram, Slack, or webhook) so an email outage doesn’t keep you in the dark about the site outage.
  7. Save.

When the alert fires

UptimeRobot tells you the site went down. Don’t restore yet. Open Cowork and tell Claude:

"My site is showing as down. Investigate before doing anything destructive."

Claude will check the most likely causes first, in order:

  • Hosting status — is the host itself reporting an outage? UptimeRobot can’t tell the difference between your site dying and your hosting provider dying.
  • DNS and SSL — has the cert expired, or is DNS resolving correctly?
  • Recent changes — was a plugin or theme activated/updated in the last hour? That’s the most common cause of a sudden white screen.
  • Error logs — PHP error log entries with timestamps near the outage.
  • Database connection — can WordPress reach its database?
  • Security plugin lockout — Wordfence or Cloudflare WAF blocking your IP, or rate-limiting legitimate traffic?

Most outages are one of these and have a small, surgical fix — deactivate one plugin, whitelist an IP, restart the host’s PHP-FPM, etc. No backup restore needed.

Restore as a last resort. If the investigation shows actual data corruption, a malicious file injection, or a botched edit, then ask Claude:

"List my recent backups, then restore from the most recent one before the incident."

A restore wipes any changes made since that snapshot, so save it for cases where there’s no targeted fix.

Other monitors that work fine

If you already use one, no need to switch: BetterStack, Pingdom, HetrixTools, updown.io, or your hosting provider’s built-in monitor. Any URL pinger with email or webhook alerts works.

Earn 25% on every referral — Affiliate program

Refer customers to WordPress for Cowork and earn 25% commission on every sale that comes through your link. Whether you write about WordPress tools, run a YouTube channel, or just have a few clients you’d like to send our way — sign up and start earning.

  • Sign up or log in: /affiliate-area/
  • Grab your unique referral link from your affiliate dashboard.
  • Get paid 25% on every Solo, Agency, or Enterprise license sold through your link.

Questions about commissions, payouts, or terms? Use the chat bubble in the corner and we’ll get back to you.

Knowledge base & tickets

Browse the Knowledge Base for step-by-step articles on installation, licensing, backups, security plugins, and more — the same articles the AI chat draws from.

If your question isn’t covered (or the AI chat couldn’t resolve it), submit a ticket. Include your license key and a clear description — replies go back to you via your account dashboard and email.

Still need help?

Use the chat bubble in the bottom-right corner — it’s a real support channel, not a generic FAQ bot. Include your license key and a clear description of the issue, and we’ll get back to you within 24 hours on business days.