Changes to WordPress.com Authentication

April 26th, 2022

Recently WordPress.com revised its pricing structure, switching from a complex variety of paid plans to a simpler approach in which users can either stick with a free plan, or pay $15/month for a variety of upgraded features.

Among the features now offered at the $15/month level are plugins and custom themes, which used to be included only with the more expensive “business” plans. This is a great change for users, but it exposes a huge number of WordPress.com users to an authentication issue that previously only affected the higher-cost plans.

The problem: WordPress.com’s implementation of the WordPress XMLRPC API doesn’t accept standard WordPress.com “Application Passwords” for these updated blogs. Application passwords are the unique, generated passwords that you must use for 3rd party apps such as MarsEdit when you have enabled Two-Step Authentication on a blog.

Luckily there is a workaround. It requires delving into the legacy “WP-Admin” interface of the affected site, and generating an application password in the standard WordPress back-end, independently from WordPress.com’s own higher-level interface.

In light of the increased number of users who will need to negotiate this change, I updated the Red Sweater help pages to more fully document the process for generating application passwords, whether you’re on a free WordPress.com plan, or one of the newly unified paid plans. Read more here:

Red Sweater Help: WordPress.com Authentication

It would be great if WordPress.com fixed their XMLRPC API support so that standard WordPress.com application passwords worked on upgraded sites. It’s always been a little ironic that the user experience for paying WordPress.com users, in this one respect anyway, is worse than it is for those with free sites.