Wordfence compatibility

Wordfence is the most common cause of /wp-setup failures. Check these two settings before contacting support.

1. Disable XML-RPC authentication setting

WordPress for Cowork doesn’t use XML-RPC, but Wordfence sometimes lumps it in with REST API protection — turning that setting on can also gate the REST routes Cowork Bridge needs.

  1. Wordfence → Login Security → Settings.
  2. Find “Disable XML-RPC authentication”. Set it to OFF.

2. Allowlist the MCP route in Live Traffic

  1. Wordfence → Tools → Live Traffic.
  2. If you see blocked requests to your own /wp-json/coworkmcp/* route, click Allow on one.
  3. Create a permanent allowlist rule so Wordfence stops flagging them.
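
To tell a Wordfence block apart from a missing route or a credentials problem before changing any rules, the following added example (not part of Cowork or Wordfence) fetches your site's REST index at /wp-json/ and classifies the answer. It assumes the plugin registers a REST namespace beginning with coworkmcp, that Wordfence's block page carries the phrases listed in WORDFENCE_MARKERS, and it only tests the REST index from the IP you run it on.

```python
import json
import sys
import urllib.error
import urllib.request

# Assumption: phrases that appear on Wordfence's block page.
WORDFENCE_MARKERS = ("generated by wordfence", "access to this site has been limited")
NAMESPACE_PREFIX = "coworkmcp"  # taken from the /wp-json/coworkmcp/* route above


def classify(status, body):
    """Map one response from /wp-json/ to a likely cause."""
    text = body.lower()
    if any(marker in text for marker in WORDFENCE_MARKERS):
        return "blocked-by-wordfence"
    if status in (403, 503):
        return "blocked-unknown"      # another firewall, host or plugin rule
    if status == 401:
        return "auth-required"        # request reached WordPress; check credentials
    if status == 404:
        return "rest-not-found"
    if status == 200:
        try:
            namespaces = json.loads(body).get("namespaces", [])
        except (ValueError, AttributeError):
            return "not-json"         # HTML came back where the REST index should be
        found = any(str(ns).split("/")[0] == NAMESPACE_PREFIX for ns in namespaces)
        return "ok" if found else "route-not-registered"
    return "unexpected-%d" % status


def probe(site):
    """Fetch the REST index of `site` (e.g. https://example.com) and classify it."""
    url = site.rstrip("/") + "/wp-json/"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))
```

A result of blocked-by-wordfence points at the Live Traffic steps above; route-not-registered or auth-required means the request got past Wordfence and the problem is elsewhere.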

If you’d rather keep it locked down

Allowlist your home/office IP under Wordfence → Tools → Allowlisted IPs. Traffic from those IPs is allowed through regardless of Wordfence’s other rules.

Two-factor authentication

Wordfence’s 2FA only protects the wp-admin login form. Application Passwords (which Cowork uses) bypass 2FA by core WordPress design — not something we did. You can leave 2FA fully on; it doesn’t affect Cowork.
