iThemes Security (renamed to Solid Security) blocks REST API access by default. One setting fixes it.
Set REST API to Default Access
- Solid Security → Settings → WordPress Tweaks.
- Find REST API.
- Set it to Default Access.
If you want extra paranoia
Set REST API to Restricted Access instead, then add wordpressforcowork.com to the allowed origins list.
What about “Disable XML-RPC”?
Leave it on if you’ve turned it on. Application Passwords (which Cowork uses) don’t go through XML-RPC, so disabling XML-RPC has no effect on Cowork Bridge.
If /wp-setup still fails
Check the Solid Security dashboard for blocked events on the /wp-json/coworkmcp/* path. Allow them from there.