Auto-publish to your WordPress blog.

Type your site address, click Connect, and approve ScoutRival on your own WordPress. No plugin, no developer app, nothing to copy. ScoutRival can then publish (or draft) your BlogCraft articles straight to your blog.

// ONE CLICK

You no longer create an Application Password by hand. Enter your site address, click Connect WordPress, and approve ScoutRival on your own site — WordPress issues the credential itself. The manual method still works if your site can't use the one-click flow.

This works with self-hosted WordPress (5.6 or newer, served over HTTPS) — the kind you run on your own hosting. WordPress has a built-in approval screen that lets an app post on your behalf without ever seeing your real password. Nothing to install.

Connect in one click

1

Channels → Publish → WordPress

In ScoutRival, open Channels and find the WordPress card under Publish.

2

Type your site address

Just the address — yourblog.com or https://yourblog.com. No username, no password.

3

Click Connect WordPress

A window opens on your own site, at WordPress's built-in Authorize Application screen. If you're not currently logged into your WordPress admin, it asks you to log in first — that's your site's own login page.

4

Click “Yes, I approve of this connection”

WordPress generates the credential itself, hands it to ScoutRival, and the window closes. The card turns Connected. You never see or copy a password.

5

Click Post a test

ScoutRival puts a small sample post on your site as a draft and links to it. That proves the connection end to end. Delete the draft afterwards — it exists only to prove the path works.

What you'll see on your own site

The approval screen belongs to WordPress, not to ScoutRival — it's a standard part of every WordPress install since version 5.6. A few things about it surprise people:

  • It looks like your WordPress admin, because it is. Your theme, your admin bar, and any plugin notices your site shows will appear on it. That's normal.
  • It may ask you to log in first, and if you have a security plugin that puts a CAPTCHA on your login page, you'll see that too. Both belong to your site — ScoutRival can't skip or remove them.
  • It prints the address it will send you back to (“You will be sent to user.scoutrival.com/wp/cb?k=…”). That's WordPress showing you where the credential is going, on purpose.
  • The password never appears on screen and you never handle it. WordPress passes it straight to ScoutRival, which stores it encrypted.
// SECURE BY DESIGN

The credential WordPress issues is an Application Password: it only grants API access, never your real login, and you can revoke it any time from Users → Profile → Application Passwords — it's listed there as “ScoutRival”. Revoking it instantly cuts off publishing.

// WHO YOU APPROVE AS MATTERS

ScoutRival inherits the rights of the WordPress user who approves it. Approve as an Administrator, Editor or Author and it can publish. Approve as a Contributor — who can write but not publish in WordPress — and ScoutRival tells you so, and pins the connection to Draft only rather than failing later.

If one-click isn't available

Before sending you anywhere, ScoutRival asks your site whether it accepts this kind of connection. If it doesn't, you'll see a message and the Application Password form instead of a dead end. There are three common reasons:

// #1 REASON · HTTPS

WordPress only offers Application Passwords on a secure (HTTPS) site. If your address starts with http:// (no padlock), the feature is off by design. Add a free SSL certificate — almost every host offers one-click Let's Encrypt — and switch your site to https://.

  • A security plugin switched it off. Wordfence turns Application Passwords off by default, and Solid Security (formerly iThemes) does too. Open the plugin's settings and look for “Application Passwords” or “Disable application passwords” and switch it back on.
  • HTTPS but still unavailable? Your site sits behind a CDN or proxy that ends SSL at the edge — Hostinger, Cloudflare, a load balancer — and forwards the request to WordPress over plain HTTP. WordPress's is_ssl() then returns false and the feature stays hidden even though visitors see a padlock. The fix is below.
  • Your WordPress API is blocked. Some security plugins and firewalls block /wp-json/ entirely. ScoutRival will tell you if it can't reach it.

The CDN fix — a must-use plugin

If your site is HTTPS but WordPress still thinks it isn't, add a must-use plugin. This is the most reliable method: it loads on every request, doesn't depend on your theme, and a brand-new file bypasses PHP OPcache, so it takes effect immediately even when edits to existing files appear to do nothing.

A

Create the mu-plugins folder

In your host's File Manager (or over SFTP), go to wp-content/. If there isn't already a mu-plugins folder, create one — exact name, lowercase: wp-content/mu-plugins/.

B

Add the file

Inside it, create a file named scoutrival-app-passwords.php with this content:

wp-content/mu-plugins/scoutrival-app-passwords.php · HTTPS sites only<?php
/* Force-enable Application Passwords behind a CDN/proxy that ends SSL at the edge. */
// 1) Tell WordPress the request is secure (the CDN already serves HTTPS).
$_SERVER['HTTPS'] = 'on';
// 2) Force the Application Passwords feature on, overriding host/plugin gates.
add_filter( 'wp_is_application_passwords_available', '__return_true', PHP_INT_MAX );
C

Try Connect again

Must-use plugins activate automatically — there's nothing to enable. Go back to ScoutRival and click Connect WordPress; the one-click flow will now work.

// WHY A NEW FILE

Many hosts cache compiled PHP with OPcache. After you edit wp-config.php or functions.php, the server may keep running the old version for minutes, so your change “does nothing.” A new file in mu-plugins has no cached copy, so it runs instantly — which is why this works when in-place edits seem to fail.

Connect with an Application Password

You can always wire it up by hand — click Use an Application Password instead on the WordPress card. It's the same credential, created manually.

1

Open your WordPress profile

Log into wp-adminUsers → Profile, and scroll to Application Passwords.

2

Create one named ScoutRival

Type ScoutRival and click Add New Application Password. WordPress shows a one-time password like abcd efgh ijkl mnop qrst uvwx — copy it now, you won't see it again. (Keep the spaces; they're fine.)

3

Paste it into ScoutRival

Enter your site URL, your WordPress username (your login name, not your display name) and the Application Password, then click Connect.

Publish from BlogCraft

Once a site is connected, publishing a finished article takes two clicks — no copy-paste, no re-formatting.

6

Open the article in the BlogCraft editor

From the BlogCraft hub, open the article you want to publish.

7

Click Publish → your site

In the top action bar, click Publish ▾, then choose Publish to yourblog.com. ScoutRival saves your latest edits, sends the article, and opens the result in a new tab.

// ONE SITE, EVERY ARTICLE

A connected WordPress site can publish any of your articles — it shows in the Publish menu labelled by its domain. Running an agency? Connect a different WordPress under each brand on the Channels page, and each site appears as its own publish target.

Publish modes

  • Draft only — ScoutRival saves the article as a draft in WordPress; you publish it yourself.
  • Queue for review — it's staged in ScoutRival; one click publishes it.
  • Auto-publish — approved BlogCraft articles publish to your blog automatically.

Post a test always creates a draft, whatever mode you're in — a connection test must never put a test post on your live blog.

Troubleshooting

  • “This site has one-click connect switched off.” Application Passwords are disabled — see If one-click isn't available. Usually HTTPS, Wordfence, or a CDN.
  • “Its WordPress API is blocked.” A security plugin or firewall is blocking /wp-json/. Allow it, or use the Application Password method.
  • Approved, but the connection failed? Some hosts strip the security header WordPress uses to check credentials, so WordPress behaves as though nothing was sent. ScoutRival detects this and automatically switches to a second, header-free method — so on most such sites it just works. If it can't, ask your host to enable HTTP Authorization headers (CGIPassAuth On).
  • Connected, but everything lands as a draft? The WordPress user you approved as can't publish — they're a Contributor. Reconnect as an Administrator, Editor or Author.
  • Nothing happened when you clicked Connect? Your browser blocked the popup. Allow popups for user.scoutrival.com, or click again — we fall back to the same tab.
  • “Connect WordPress first” in the Publish menu, even though you connected? Confirm the card shows Connected on Channels → Publish, then hard-refresh the editor so it reloads with the latest connection.
  • On WordPress.com (hosted)? Application Passwords may be unavailable there. Self-hosted WordPress is what's supported today.
  • Revoke access anytime from Users → Profile → Application Passwords in WordPress (look for “ScoutRival”), or click Disconnect in ScoutRival.
Still stuck?
Contact support