Two common causes:
- Site is not on HTTPS. Application Passwords are disabled on HTTP sites by default. Enable HTTPS via your host or get a free Let’s Encrypt cert.
- A security plugin is blocking it. Wordfence, Solid Security, Sucuri, and WP Cerber sometimes hide or block Application Passwords. See the dedicated Security plugin is blocking the connection article.
Why you have to generate the Application Password yourself. WordPress for Cowork won’t log into your wp-admin on your behalf, by design. The plugin never asks for your WordPress username or main password, and we never store them — the only credential Cowork ever sees is the Application Password you generate yourself and paste into /wp-setup. That token can be revoked from your WordPress admin at any time, which cleanly disconnects Cowork without affecting your main login.
Where credentials live. Your site URL, license key, and Application Password are saved only on the computer you ran /wp-setup from, inside Cowork’s local secret store. Nothing is stored on our servers. wordpressforcowork.com never sees your Application Password, and neither does Anthropic. The worst that could leak from our side is the email address you bought with.