How to connect Specter to your WordPress site

This is the first thing you do with Specter and the only setup that involves WordPress itself. Once it’s done, your posts and pages live as markdown in a folder on your Mac, and you don’t have to think about the connection again unless something changes on the WordPress side. If you’d rather follow a clickable walkthrough, start at the setup lander — this guide is the same thing in prose, with more on the edge cases.

What you need before you start

Three things:

1. Your site URL. The exact URL you’d type in a browser to load your homepage — https://example.com. If your site lives at a subdirectory (https://example.com/blog), use that full URL. Trailing slash optional, Specter normalizes it.
2. A WordPress username. The login name of the account whose posts and pages you want to sync. Specter will only see what that user can see, so if you want full-site access, use an Administrator or Editor.
3. An Application Password for that user. Not your regular login password. WordPress has had Application Passwords baked in since version 5.6 — they’re per-app credentials you can name, scope, and revoke without changing your main password. The full step-by-step is in generate a WordPress Application Password; generate one called “Specter” and copy it before you close the screen, because WordPress won’t show it to you again.

That’s it. No plugin to install, no theme changes, nothing to paste into wp-config.php.

Self-hosted vs WordPress.com

Specter talks to your site over the WordPress REST API. Anywhere that API is on and reachable, Specter works.

• Self-hosted WordPress (WordPress installed on your own host — Kinsta, WP Engine, SiteGround, Hostinger, a DigitalOcean droplet, your own server): works out of the box. The REST API is on by default. You’re the one who decides what plugins and security rules are in front of it, so if something is blocking it, you can fix it.
• WordPress.com: works only on the Business plan or higher (Business, Commerce, or Enterprise). The Personal and Premium plans don’t expose the REST API to outside applications, and there’s nothing Specter can do about that — it’s a platform restriction. If you’re on a lower plan and want this workflow, you’ll either need to upgrade or migrate to self-hosted.

If you’re not sure which one you have: log in and look at the admin URL. If it’s wordpress.com/..., you’re on WordPress.com. If it’s yoursite.com/wp-admin, you’re self-hosted.

The connection itself

Open Specter, choose WordPress as your site type, and paste in the three things above: URL, username, Application Password. Pick a local folder — this is where your posts and pages will land as .md files. A fresh empty folder is fine; an existing Obsidian vault works too.

Hit connect. Specter makes a single authenticated request to your site’s REST API, confirms the credentials work, and then starts pulling your content down. The first sync is the longest — a few hundred posts takes a minute or two. After that, syncs are incremental.

When it finishes, open the folder. You’ll see one markdown file per post and page, each with frontmatter at the top preserving the title, slug, status, date, categories, tags, featured-image URL, and your Yoast or Rank Math SEO fields. The body is plain markdown. From here you can edit anything in the folder with any tool you like, and Specter handles pushing the changes back — see bulk edit WordPress for SEO for the kind of work that’s now in reach.

When the REST API is the problem

If the connection fails, it’s almost always one of these:

• A security plugin is blocking REST API requests from outside the dashboard. Wordfence, iThemes Security, and a few others have a setting that locks the REST API down to logged-in admin sessions. You’ll need to allowlist Application Password requests (or your IP) for Specter to get through.
• A WAF or host-level firewall is rate-limiting or blocking authenticated API traffic. Cloudflare, Sucuri, and managed hosts sometimes have rules that look at the Authorization header. Whitelisting your IP usually fixes it.
• The Application Password got pasted with extra spaces. WordPress shows it with spaces every four characters for readability — Specter handles that, but a stray newline at the end will break it. Re-copy and try again.
• A 2FA plugin is intercepting Application Password auth. Some 2FA plugins force every login through their flow, including app passwords. The fix is in the Application Password guide — most of these plugins have a checkbox to exempt app passwords.

Once you’re connected

You don’t have to revisit any of this unless your URL changes, the user gets deleted, or you revoke the Application Password. The folder is now the surface you work against — edit one post in your text editor, or sweep the whole archive with a script or an AI. When you’re ready to push, Specter shows a dry-run preview of the diff first and asks before anything touches your live site.

That’s the whole point of the connection: get it set up once, then forget about it and work in the folder.