Connect WordPress to TeamDay
This guide covers connecting your WordPress site to TeamDay, managing credentials, and resolving common connection issues.
For a deep-dive on cross-office workflows and the WordPress MCP ecosystem, see the AI WordPress Management blog post.
Quick Start
WordPress.com
- Open your TeamDay workspace → AI Teams → WordPress Studio
- Click Data Sources → Connect → WordPress.com
- Authorize with your WordPress.com account (OAuth — no passwords stored by TeamDay)
- Start chatting: “Show me my recent posts”
Requirement: A WordPress.com paid plan with MCP enabled at wordpress.com/me/mcp.
Self-Hosted WordPress
Requirements: WordPress 6.9 or newer.
On your WordPress site:
- Install the MCP Adapter plugin — Plugins → Add New → search “MCP Adapter” (or download from GitHub)
- Activate the plugin
- Go to Users → Your Profile → scroll to Application Passwords
- Enter name “TeamDay”, click Add New Application Password
- Copy the generated password (it won’t be shown again)
In TeamDay:
- Open WordPress Studio → Data Sources → Connect → WordPress (Self-Hosted)
- Enter your WordPress URL (e.g., https://myblog.com), username, and the application password
- Click Connect
TeamDay connects to your site’s MCP endpoint automatically. No webhooks, no custom code.
How Credentials Work
Understanding how TeamDay handles your WordPress credentials explains why the agent should never ask you for them in chat.
Where credentials are stored
When you connect your WordPress site, TeamDay stores three things in your Space configuration:
- Site URL — your WordPress address
- Username — your WordPress login username
- Application Password — the password you created for TeamDay
These are stored securely and never exposed in chat. They persist across sessions, timeouts, and restarts.
How the agent uses them
Every time you start a conversation (or resume one after a timeout), the agent receives:
- MCP tools — If the MCP Adapter plugin is working, the agent gets structured tools to call WordPress abilities directly
- REST API access — A pre-authenticated helper script that uses the same Application Password to call the WordPress REST API via curl
Both methods use credentials from your Space configuration. The agent is explicitly instructed that credentials are pre-configured and should never ask you for them.
What if credentials expire?
Application Passwords in WordPress don’t expire by default. But they can be:
- Revoked — If you (or another admin) delete the Application Password from WordPress admin
- Invalidated — If the WordPress user account is deleted or the username changes
If your credentials stop working, update them in Space Settings → Data Sources — not in chat.
MCP vs REST API
TeamDay uses two methods to interact with your WordPress site. Understanding the difference helps when troubleshooting.
MCP (Abilities API)
- Uses the MCP Adapter plugin endpoint (/wp-json/mcp/mcp-adapter-default-server)
- Provides structured tools the agent can discover and call
- Depends on WordPress 6.9+ Abilities API
- Currently limited — WordPress core only registers a few abilities
REST API
- Uses the standard WordPress REST API (/wp-json/wp/v2/)
- Available since WordPress 4.7 — mature and comprehensive
- Supports all content management: posts, pages, media, comments, users, settings
- Authenticated with the same Application Password as MCP
Key point: Even if MCP tools fail or return 0 abilities, the REST API still works. Your agent always has full WordPress management capabilities through the REST API fallback.
Troubleshooting
Agent asks for credentials
This should not happen. Your credentials are stored in Space Settings → Data Sources. The agent knows they’re pre-configured.
If the agent asks for your WordPress URL, username, or password:
- Don’t enter credentials in chat — they can’t be stored there and are lost when the session ends
- Check your TeamDay version — this was fixed in March 2026
- If credentials actually need updating — go to Space Settings → Data Sources
MCP shows 0 tools
The MCP Adapter plugin may fail to expose tools if:
- WordPress is below version 6.9
- The MCP Adapter plugin isn’t activated
- A security plugin blocks the /mcp/ endpoint
- The Abilities API has no public abilities registered
This doesn’t affect the agent’s capabilities. TeamDay automatically provides REST API access when MCP tools are unavailable. The agent can still write posts, manage media, moderate comments, and do everything else through the REST API.
Authorization header stripped
Symptom: Unexpected token '<' is not valid JSON or 401 rest_not_logged_in.
This is very common on LiteSpeed servers (GreenGeeks, Hostinger, Namecheap, most cPanel hosts). The web server strips the Authorization header before it reaches WordPress.
Fix: Create wp-content/mu-plugins/fix-auth-header.php:
<?php
/**
 * Fix Authorization header stripped by LiteSpeed/Apache CGI/FastCGI.
 */
if ( ! isset( $_SERVER['HTTP_AUTHORIZATION'] ) ) {
    // Some servers pass the header under an alternate variable name.
    if ( isset( $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ) ) {
        $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
    } elseif ( isset( $_SERVER['CGI_HTTP_AUTHORIZATION'] ) ) {
        $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['CGI_HTTP_AUTHORIZATION'];
    }
    // Still missing: read the raw request headers directly.
    if ( ! isset( $_SERVER['HTTP_AUTHORIZATION'] ) && function_exists( 'getallheaders' ) ) {
        $headers = getallheaders();
        if ( isset( $headers['Authorization'] ) ) {
            $_SERVER['HTTP_AUTHORIZATION'] = $headers['Authorization'];
        } elseif ( isset( $headers['authorization'] ) ) {
            $_SERVER['HTTP_AUTHORIZATION'] = $headers['authorization'];
        }
    }
}
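The snippet first checks the REDIRECT_HTTP_AUTHORIZATION and CGI_HTTP_AUTHORIZATION server variables, then falls back to PHP’s native getallheaders() to bypass server-level header filtering. Works on LiteSpeed, Apache CGI, and all other server configurations. See the full troubleshooting guide for alternative approaches.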
401 Unauthorized
Common causes:
- Authorization header stripped (most common on shared hosting) — use the mu-plugin fix above
- Application Password revoked — check Users → Profile → Application Passwords in WordPress admin, then update in Space Settings → Data Sources
- Wrong username — must be the WordPress login username, not display name or email
- LiteSpeed cache — add ?_=timestamp to bust cache, or exclude /wp-json/ from LiteSpeed caching
- Security plugin — whitelist /wp-json/mcp/ in Wordfence, miniOrange, or similar plugins
Subdirectory installs
Enter the full path where WordPress is installed:
- https://example.com/blog/ if WordPress runs at /blog/
- https://example.com/ if WordPress runs at the root
TeamDay appends the MCP endpoint path automatically. If you enter the wrong root, the connection will fail.
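To tell the 401 causes above apart and to confirm that the site root you entered reaches the REST API, this added example (not TeamDay's or WordPress's own code) classifies a response from the REST API's users/me route. The function names and sample responses are constructed for illustration; the error codes are the ones WordPress core returns for Application Password failures.

```python
import base64
import json

# Keys are hypothetical labels; the advice text paraphrases this guide.
ADVICE = {
    "ok": "Credentials accepted.",
    "html_instead_of_json": "HTML, not JSON: check site root, security plugins, header fix.",
    "auth_header_missing": "No credentials reached WordPress: apply the mu-plugin fix.",
    "bad_app_password": "Application Password revoked or mistyped: update Data Sources.",
    "bad_username": "Use the WordPress login username, not display name or email.",
    "other": "Unrecognized response; inspect status and body manually.",
}

def users_me_url(site_root: str) -> str:
    """REST URL for the authenticated user, honoring subdirectory installs."""
    return site_root.rstrip("/") + "/wp-json/wp/v2/users/me"

def basic_auth_header(username: str, app_password: str) -> str:
    """HTTP Basic value WordPress expects for an Application Password."""
    return "Basic " + base64.b64encode(f"{username}:{app_password}".encode()).decode()

def diagnose(status: int, content_type: str, body: str) -> str:
    """Classify a response from users_me_url() into one ADVICE key."""
    if "json" not in content_type.lower() or body.lstrip().startswith("<"):
        return "html_instead_of_json"  # the "Unexpected token '<'" symptom
    try:
        data = json.loads(body)
    except ValueError:
        return "other"
    if status == 200 and isinstance(data, dict) and "id" in data:
        return "ok"
    code = data.get("code", "") if isinstance(data, dict) else ""
    return {
        "rest_not_logged_in": "auth_header_missing",  # no credentials seen
        "incorrect_password": "bad_app_password",
        "invalid_username": "bad_username",
        "invalid_email": "bad_username",
    }.get(code, "other")

# Constructed sample responses (not captured from a real site).
SAMPLES = [
    (401, "application/json", '{"code":"rest_not_logged_in","data":{"status":401}}'),
    (200, "text/html; charset=UTF-8", "<!DOCTYPE html><html>...</html>"),
    (401, "application/json", '{"code":"incorrect_password","data":{"status":401}}'),
]

if __name__ == "__main__":
    for status, ctype, body in SAMPLES:
        print(status, "->", ADVICE[diagnose(status, ctype, body)])
```

The value built by basic_auth_header() decodes straight back to the Application Password, so keep it out of chat, tickets and logs.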
Security
Application Passwords
Application Passwords are the recommended authentication method for API access:
- Scoped — they only grant REST API access, not WordPress admin login
- Revocable — delete any time from Users → Profile → Application Passwords
- Auditable — WordPress logs which Application Password was used for each request
- Per-app — create a dedicated one for TeamDay, separate from other integrations
Revoking access
To disconnect TeamDay from your WordPress site:
- In WordPress admin: Users → Profile → Application Passwords → delete the “TeamDay” entry
- In TeamDay: Space Settings → Data Sources → remove the WordPress connection
Either step alone is sufficient — revoking the Application Password immediately blocks all API access.
Next Steps
- AI WordPress Management — deep-dive blog post with cross-office workflows and advanced troubleshooting
- WordPress Studio — product page with capabilities overview
- MCP Servers Overview — how MCP connections work across all TeamDay integrations
- MCP Plugins — OAuth integrations and advanced MCP configuration