Changes to Authentication

April 26th, 2022

WordPress.com recently revised its pricing structure, switching from a complex variety of paid plans to a simpler approach in which users can either stick with a free plan or pay $15/month for a variety of upgraded features.

Among the features now offered at the $15/month level are plugins and custom themes, which used to be included only with the more expensive “business” plans. This is a great change for users, but it exposes a huge number of users to an authentication issue that previously only affected the higher-cost plans.

The problem: WordPress.com’s implementation of the WordPress XMLRPC API doesn’t accept standard “Application Passwords” for these updated blogs. Application passwords are the unique, generated passwords that you must use for 3rd party apps such as MarsEdit when you have enabled Two-Step Authentication on a blog.

Luckily there is a workaround. It requires delving into the legacy “WP-Admin” interface of the affected site, and generating an application password in the standard WordPress back-end, independently from WordPress.com’s own higher-level interface.

In light of the increased number of users who will be needing to negotiate this change, I updated the Red Sweater help pages to more fully document the process for generating application passwords, whether you’re on a free plan or one of the newly unified paid plans. Read more here:

Red Sweater Help: Authentication

It would be great if WordPress.com fixed their XMLRPC API support so that standard application passwords worked on upgraded sites. It’s always been a little ironic that the user experience for paying users, in this one respect anyway, is worse than it is for those with free sites.