WordPress connector — Application Password + REST API
Application Password setup for the WordPress REST API, plus what each plugin family unlocks during a migration to Insites.
WordPress's permission model is per-user, not per-resource. You generate an Application Password against an Administrator account, and the REST API exposes whatever that user can see. Active plugins (WooCommerce, ACF, WPForms, etc.) extend the API surface — see the plugin table below for what each unlocks.
Generate the Application Password
Confirm the WordPress version
Confirm the site runs WordPress 5.6 or newer. Application Passwords were added in 5.6 and are the recommended REST auth path. Older sites need the legacy Application Passwords plugin.
Sign in as Administrator
Sign in as an Administrator (not Editor/Author — those roles can't read every endpoint we need).
Open Profile → Application Passwords
Go to Users → Profile, scroll to Application Passwords.
Create the password
Name it
Insites Studioand click Add New Application Password. Copy the generated password — WordPress only shows it once.Paste into the connector form
In the Studio connector form, paste the WordPress username, the Application Password, and the site URL (e.g.
https://yoursite.com).
Core REST endpoints we read
These are the standard /wp/v2/* endpoints any modern WordPress site exposes. The connector pulls each in turn. Every entry needs to be reachable for the migration to be complete.
| Endpoint | Module | Why we need it |
|---|---|---|
/wp/v2/pages | CMS | Static pages — About, Contact, Services. The backbone of any WordPress migration. |
/wp/v2/posts | Data | Blog posts and any custom post types exposed in REST. Becomes Data module records on the new instance. |
/wp/v2/media | Assets | Every image and uploaded file in the Media Library. Pulled through the asset pipeline so URLs are rewritten. |
/wp/v2/users | CRM | Site authors and registered users become CRM contacts. Required so post bylines on the migrated site point at someone. |
/wp/v2/categories + /wp/v2/tags | Data | Taxonomies for posts. Without them, the migrated blog loses its archive navigation. |
/wp/v2/menus + /wp/v2/menu-items | CMS layout | Site navigation. Available out of the box on WP 5.9+; older sites need the WP-REST-API V2 Menus plugin. |
Plugin-driven endpoints (if installed)
WordPress's real complexity is in plugins. The connector detects each plugin family and pulls its data when present. If a plugin isn't installed, we silently skip — but anything missing here is data that won't make the migration.
| Plugin | Module | Why we need it |
|---|---|---|
| WooCommerce | Ecommerce | Products, variations, orders, customers, coupons, shipping zones. Required for any WooCommerce store. Generated separately under WooCommerce → Settings → Advanced → REST API. |
| Advanced Custom Fields (ACF) | Data | Custom fields attached to posts and pages. Without it, every ACF field on every post is lost. Available via /wp/v2 once "Show in REST API" is on per field group. |
| WPForms / Gravity Forms / Contact Form 7 | Forms | Form definitions and submissions. WPForms and Gravity expose REST endpoints; CF7 needs Flamingo or a similar plugin to capture submissions in the database first. |
| Yoast SEO / Rank Math | CMS | Per-post meta titles, descriptions, canonical URLs, OG tags. Without it the migrated site loses every SEO override the team ever wrote. |
| Polylang / WPML | CMS | Multi-language post relationships. Required for any multilingual WordPress site so translated pages stay linked. |
Don't share these
| Item | Why |
|---|---|
| Editor / Author / Subscriber roles | Always generate the Application Password against an Administrator account. Lower roles can't read every endpoint we need (drafts, private posts, all custom post types). |
| WP-CLI access | Studio doesn't need shell access, just REST API access. Don't share SSH or wp-cli credentials. |
| Database credentials | Never hand over MySQL credentials. Studio works entirely through the REST API. |
Token storage (alpha)
The Application Password is kept in your browser's localStorage so a refresh or shared link doesn't lose the migration session. It's sent to the Insites server only at the moment of a connection test or import run, and is never logged. Before GA we'll switch to a server-side token exchange so the password never touches the browser.
Revoke the Application Password from Users → Profile after the migration completes — see other connector guides.