How to generate a WordPress Application Password for Specter

This is the one credential Specter needs to talk to your WordPress site. It takes about a minute, and once it’s done you won’t touch it again unless you want to revoke access. If you’ve already finished the rest of the connection flow, this is the missing piece.

What an Application Password actually is

Since WordPress 5.6, every user account can mint per-application credentials from their profile screen. You give the credential a name (“Specter”), WordPress generates a 24-character password, and that password works only for REST API requests — not for logging into wp-admin. You can have a dozen of them on one account, name each after the app it belongs to, and revoke any individually without changing your main login. Same idea as a GitHub personal access token: a scoped, revocable secret you hand to an external tool without giving it the keys to the whole account.

Step by step

1. Log into your WordPress admin as the user you want Specter to act as. If you want Specter to see and edit everything, that’s an Administrator or Editor. If you want to scope it to a single author’s posts, use that author’s login.
2. Go to Users → Profile. (Or, if you’re managing someone else’s account, Users → All Users → click the user → scroll to the bottom.)
3. Scroll to the bottom of the profile page. You’ll find a section labeled Application Passwords. It’s after the bio, the colour scheme picker, and the rest of the personal options.
4. Type a name into the “New Application Password Name” field. Use “Specter” — future-you will thank present-you when there are six entries in the list and you have to figure out which one to revoke.
5. Click “Add New Application Password.” WordPress generates the password and shows it in a yellow box, formatted with spaces every four characters for readability (like abcd EFGH ijkl MNOP qrst UVWX). Specter handles the spaces, so you can paste it as-is.
6. Copy the password right now. This is the only time WordPress will ever show it. If you close the screen without copying it, you have to delete the entry and generate a new one — no recovery, by design.
7. Paste it into Specter along with your site URL and your WordPress username. Hit connect. Done.

The full connection walkthrough lives in connect Specter to WordPress if you want context for the other fields.

What scope it gets

Application Passwords inherit the exact permissions of the user who created them. There’s no extra “select what this token can do” step the way there is in some other systems — if the user is an Administrator, the Application Password can do anything an Administrator can do. If the user is an Author, it can only touch that author’s own posts.

So if you want to lock Specter down to a subset of the site, do it by picking the right user, not by trying to restrict the password itself. For most people running this on their own site, an Administrator-level password on your own account is the right answer — it matches what you’d be doing in the admin anyway.

Revoking access

If you sell the site, hand it over to a contractor, lose your laptop, or just stop using Specter — revoke the password. Same place: Users → Profile → Application Passwords. Each entry has a Revoke button. Click it; that password stops working immediately. Your main login is unaffected, and any other Application Passwords on the account keep working.

This is the single biggest reason to use Application Passwords instead of your main login. If something goes wrong, you cut one credential without changing your real password and without breaking the other tools on your account.

Why this is safer than using your main login

Never paste your actual WordPress login password into a third-party app — Specter or anything else. Application Passwords exist because the alternative is bad in three concrete ways: your main password is also your admin login, so a compromised tool means a compromised admin account; you can’t revoke your own login without changing it, which breaks every device you’re signed in on; and there’s no audit trail. An Application Password shows up by name in your profile so you can see which tool last used it. Specter only accepts Application Passwords for exactly these reasons.

Requirements and one common gotcha

• WordPress 5.6 or newer. Application Passwords landed in 5.6 (December 2020). Older than that, update WordPress — it’s overdue anyway.
• Section missing from your profile? A few security plugins disable the feature outright. Wordfence and iThemes Security are the usual suspects. Look for a setting like “Disable Application Passwords” and turn it off.
• 2FA plugin intercepting auth? If your 2FA plugin pushes every login through its flow, the connection from Specter will hang. Most 2FA plugins have an explicit checkbox to exempt Application Passwords — that’s the toggle you want. If yours doesn’t, switch to a 2FA plugin that respects app passwords.

Once the password is generated and pasted in, you can move on to actually using the synced folder — see bulk edit WordPress for SEO for what the connection unlocks.