“WordPress connection failed” — common causes and fixes

When Specter can’t reach your WordPress site, the error usually shows up as one of:

• “Connection failed” / “couldn’t reach the site”
• 401 Unauthorized / “couldn’t authenticate”
• 403 Forbidden
• The connection test spins and times out

It’s almost always one of seven things. Walk through them in order — the top of the list is what trips people up most often.

1. Wrong site URL

Cause. Specter needs the full https:// URL of your WordPress site — the same address you’d type into a browser to reach the admin. Not just yoursite.com. Not the /wp-admin/ page. Not a URL with ?page= or a trailing path.

Fix. Use the bare site URL with the scheme: https://yoursite.com. If your site lives in a subdirectory (https://yoursite.com/blog), include that. Don’t include /wp-admin or /wp-json — Specter appends those itself.

2. Wrong username

Cause. The username you used to create the Application Password isn’t the one you pasted into Specter — easy to do if your site has multiple admins, or if you log in with an email but your actual WordPress username is different.

Fix. In wp-admin, go to Users → Profile and check the Username field (not the email). That’s the string Specter needs.

3. Application Password mis-copied (spaces matter)

Cause. This is the most common one. WordPress shows Application Passwords as four-character groups with spaces between them — like abcd EFGH 1234 ijkl MNOP wxyz. Those spaces are part of the password. If you stripped them out, or only copied part of the string, authentication fails with a 401.

Fix. Re-copy the entire password from WordPress, including the spaces, and paste it fresh into Specter. The Application Passwords guide shows exactly where to find and generate one.

4. Application Password revoked or deleted

Cause. Application Passwords can be revoked from the admin — sometimes by another admin, sometimes by a security plugin doing housekeeping, sometimes by you cleaning up old ones and forgetting which was which.

Fix. In wp-admin, go to Users → Profile → Application Passwords and check whether the one Specter is using still exists. If not, generate a new one and paste it into Specter. Don’t reuse names — give it something specific like Specter on my Mac.

5. REST API disabled by a security plugin

Cause. Wordfence, iThemes Security, Sucuri, and a handful of others can block unauthenticated requests to /wp-json/. Specter authenticates, but some of these plugins block the probe too, which fails before the credentials are even checked.

Fix. Hit https://yoursite.com/wp-json/ in a browser. If you get a JSON response, the REST API is up. If you get a 403, a 404, or a “REST API disabled” message, follow the REST API disabled guide — it walks through how to whitelist Specter without weakening the rest of your site’s protection.

6. Site behind HTTP Basic Auth

Cause. Some staging environments and managed hosts (WP Engine staging, some Kinsta setups, in-house staging boxes) sit behind an extra layer of HTTP Basic Authentication — the browser pops up a username/password box before the site itself loads. Specter’s request gets a 401 from the Basic Auth layer before WordPress ever sees it.

Fix. Either remove the Basic Auth layer for the duration of your sync, or whitelist your IP at the host level. There isn’t a clean way for Specter to pass two layers of auth in one request.

7. Cloudflare bot fight mode (or similar WAF)

Cause. Cloudflare’s “Bot Fight Mode” and “Super Bot Fight Mode,” along with similar WAFs in front of WordPress, can flag Specter’s REST API calls as bot traffic and block them with a 403 or a challenge page.

Fix. In your Cloudflare dashboard, either turn off Bot Fight Mode for the domain, or add a Page Rule / WAF exception that allows POST and GET requests to /wp-json/* from your IP. The same applies to most other WAFs sitting in front of WordPress.

Still failing?

If you’ve walked the list and none of them is it, the connect-to-WordPress guide has the full end-to-end setup flow — sometimes re-running it from the start surfaces the missing piece. If it’s still broken after that, email support@spectersync.com with the exact error string and which of the seven causes above you’ve already ruled out.