How-2 BLOG

i already created the key remember and it didnt work

If the Application Password didn’t work despite XML-RPC being enabled, Wordfence is likely still blocking the “handshake” because of its

Login Security rules. Since Word 2021 cannot handle 2FA codes, Wordfence defaults to rejecting the connection entirely.

You need to adjust one specific setting inside the Wordfence menu to allow “Skipped” 2FA for these external apps.

Step 1: Adjust Wordfence XML-RPC Settings

• In your WordPress dashboard, go to Wordfence > Login Security.
• Click the Settings tab at the top.
• Scroll down to find the section: Require 2FA for XML-RPC call authentication.
• Change this setting from “Required” to Skipped.
  • Note: This is necessary because Microsoft Word is an external app that cannot generate or send your 2FA code.
• Click Save at the top right.

Wordfence

Step 2: Ensure Application Passwords are Enabled in Firewall

Sometimes Wordfence disables the “Application Passwords” feature itself at the firewall level.

1. Go to Wordfence > All Options.
2. Expand the Firewall Options section, then the Brute Force Protection sub-section.
3. Look for Disable WordPress application passwords.
4. Ensure this box is Unchecked. If it was checked, uncheck it and click Save Changes.

WordPress.org +1

Step 3: Use a Fresh “Key” in Word

To rule out a “stale” or mistyped password, create one more fresh key:

1. Go to Users > Profile > Application Passwords.
2. Delete any old ones labeled “Word” and create a brand new one.
3. Copy the new 24-character code.
4. In Word, enter your Admin Username and paste the new 24-character code (no spaces are needed, though Word often handles them fine).
5. Ensure the URL is exactly https://how-2.codes.

If it still fails:
Try visiting https://how-2.codes in your browser. You should see a message saying: “XML-RPC server accepts POST requests only.” If you see any other error (like a “403 Forbidden” page), your web host might be blocking the file for security, and you would need to contact them to “whitelist” it.

These guides offer solutions for enabling application passwords and troubleshooting Wordfence XML-RPC connection issues:

How to Share Blog Post from Microsoft Word to WordPress?

Feb 5, 2023 — XMLRPC link, it should be like https://www.yoursite.com/xmlrpc.php. If you have installed WordPress on subdirectory then change th…

WebNots

How to enable Application Passwords in the free version?

Aug 8, 2025 — Plugin Support wfpeter. (@wfpeter) Hi @alanmlynch, Application passwords can be reenabled by unchecking “Disable WordPress applica…

WordPress.org

How to enable WordPress Application Passwords – Stalkfish

Jul 24, 2022 — Head to Wordfence > All Options > Firewall Options > Brute Force Protection, and uncheck Disable WordPress application passwords o…

Stalkfish

Login Security Options – Wordfence

Allow remembering device for 30 days. When this option is enabled, users can click a checkbox to remember their device for 30 days…

Wordfence

Did changing the XML-RPC setting to “Skipped” allow the connection to go through?

6 sites

• Login Security Options – Wordfence

Allow remembering device for 30 days. When this option is enabled, users can click a checkbox to remember their device for 30 days…

Wordfence

• How to enable WordPress Application Passwords – Stalkfish

Jul 24, 2022 — Head to Wordfence > All Options > Firewall Options > Brute Force Protection, and uncheck Disable WordPress application passwords o…

Stalkfish

• How to enable Application Passwords in the free version?

Aug 8, 2025 — Plugin Support wfpeter. (@wfpeter) Hi @alanmlynch, Application passwords can be reenabled by unchecking “Disable WordPress applica…

WordPress.org

Show all

i just have login security not the full wordfence suite

Even with just the

Wordfence Login Security plugin (not the full suite), the 2-Factor Authentication (2FA) and XML-RPC settings can still prevent Microsoft Word from connecting.

Wordfence +2

To fix this, you must adjust two key settings inside that specific plugin:

1. Change the XML-RPC 2FA Setting

By default, this plugin requires a 2FA code even for “hidden” app connections like Word. Since Word cannot provide a 2FA code, you must tell Wordfence to skip it for this specific type of login.

• Go to Login Security in your WordPress dashboard menu.
• Click the Settings tab at the top.
• Find the option: Require 2FA for XML-RPC call authentication.
• Set this to Skipped.
• Click Save at the top right.

2. Verify “Disable XML-RPC” is Unchecked

In that same Settings tab, verify that the option Disable XML-RPC authentication is Unchecked. If it is checked, Word cannot “see” your site at all.

3. Clear Out Old “Keys”

Since your previous Application Password didn’t work, it may be “stale” or blocked by the old settings.

• Go to Users > Profile.
• Scroll to the Application Passwords section.
• Delete any existing passwords you created for Word.
• Create a brand new one (e.g., name it “New Word 2021”) and copy the 24-character code.

4. Final Attempt in Word

• In the Word Blog Registration window, enter:
  • Username: Your exact Admin username.
  • Password: The new 24-character Application Password (paste it in).
  • URL: https://how-2.codes
• Click OK.

Important Tip: If you see an error that says “Application passwords have been disabled by Wordfence,” it means you need to uncheck a “Disable Application Passwords” box, which is sometimes hidden in the plugin’s main settings.

Did changing the setting to “Skipped” finally allow the “Account registration successful” message to appear?

• Login Security Options – Wordfence

Allow remembering device for 30 days. When this option is enabled, users can click a checkbox to remember their device for 30 days…

• Configuring WordFence for WordPress Security | by Phoenix Ignited

Jun 25, 2024 — General WordFence Login Security Settings In the Settings page under >WordFence > Login > Settings you can manage numerous setting…

• How to Use Wordfence Login Security to Protect WordPress

Jul 12, 2019 — Installing Wordfence Login Security. Wordfence Login Security is a great tool to protect WordPress. It takes all of the impressive…

i did all the settings u mentioned and still did not work

If you have adjusted all the

Wordfence Login Security settings (XML-RPC 2FA to “Skipped” and XML-RPC enabled) and are still failing to connect, the issue is likely a hidden block by your web host or a conflict with how Word 2021 handles the .codes domain.

Follow these advanced troubleshooting steps to identify the final roadblock:

1. Test the “Hidden Door” Directly

Open your web browser and go to: https://how-2.codes

• If you see: “XML-RPC server accepts POST requests only.” — The connection is open and active. The problem is likely your login credentials or Word settings.
• If you see: “403 Forbidden”, “404 Not Found”, or a blank page — Your web host (e.g., Bluehost, SiteGround, etc.) is blocking this file at a server level for security. You will need to contact their support and ask them to “Unblock xmlrpc.php” so you can use Microsoft Word.

WordPress.org +4

2. Check Wordfence “Learning Mode”

Sometimes Wordfence blocks “automated” logins like Word’s because it thinks they are a bot attack.

1. In WordPress, go to Wordfence > Dashboard > Manage WAF.
2. Set the Web Application Firewall Status to Learning Mode.
3. Try to connect in Word again. If it works, switch it back to “Enabled and Protecting” afterward.

WordPress.org +1

3. Verify the Word Connection URL

Microsoft Word is very picky about the URL format. In the registration window, ensure:

• URL: Must start with https:// (not http).
• Path: Must end with /xmlrpc.php.
• Full string: https://how-2.codes

Microsoft Learn

4. Try Your Email Instead of Username

In the User Name box in Word, try entering the Email Address associated with your admin account instead of the username. Pair this with a fresh Application Password (delete the old one and create a new one first).

RightBlogger

5. Flush Your Permalinks

A simple system refresh can sometimes clear the “404” errors Word might be seeing:

1. Go to Settings > Permalinks in your WordPress dashboard.
2. Do not change anything, just scroll to the bottom and click Save Changes. This “flushes” the site’s address map.

RightBlogger +1

These guides offer troubleshooting steps for WordPress connection errors, including issues with application passwords and URL formatting:

Troubleshooting Errors when using WordPress with RightBlogger

Feb 14, 2026 — Incorrect Username or Application Password. Sorry, you are not allowed to create posts as this user. – This is likely due to an in…

RightBlogger

I can’t register my WordPress website to Microsoft Word?

Jan 19, 2019 — Have you tried using https instead of http? For some reason, although I had already registered my blog in Word when I installed it…

Microsoft Learn

Application Password Setup – WordPress.org

Nov 3, 2024 — Also, Learning Mode can help easily allow operations if they’re being blocked as false-positives. From the Wordfence Dashboard cli…

WordPress.org

Is XMLRPC.php being blocked? – DigitalOcean

Nov 13, 2024 — Is XMLRPC. php being blocked? * Check . htaccess for Rules Blocking XML-RPC: Open your . htaccess file and look for any rules that…

DigitalOcean

Exploiting the xmlrpc.php on all WordPress versions – Lucian Nitescu

Jul 1, 2019 — Searching for XML-RPC servers on WordPress: Steps to check: Ensure you are targeting a WordPress site. Ensure you have access to t…

GitHub

What Is xmlrpc.php In WordPress And How To Disable It

Nov 28, 2023 — How to check if xmlrpc. php is running on a website or not? Before considering disabling XML-RPC, it’s essential to verify the sta…

WordPress Download Manager

Which message did you see when you visited the /xmlrpc.php link in your browser?

8 sites

• ‘XML-RPC methods missing on the server’ when trying to log …

Aug 26, 2024 — ‘XML-RPC methods missing on the server’ when trying to log in WordPress App. … What’s the URL of your site? … This files are u…

WordPress.org

• Is XMLRPC.php being blocked? – DigitalOcean

Nov 13, 2024 — Is XMLRPC. php being blocked? * Check . htaccess for Rules Blocking XML-RPC: Open your . htaccess file and look for any rules that…

DigitalOcean

• Troubleshooting Errors when using WordPress with RightBlogger

Feb 14, 2026 — Incorrect Username or Application Password. Sorry, you are not allowed to create posts as this user. – This is likely due to an in…

RightBlogger

Show all

XML-RPC enabled. where in the notes ytu told me to enamble XML-RPC enabled?

In modern versions of WordPress, the setting to enable

XML-RPC has been removed from the dashboard because it is enabled by default. However, since you are using Wordfence Login Security, you likely found the relevant settings under the plugin’s specific menu.

WordPress.org Codex +3

Here is exactly where those notes were mentioned in our conversation:

1. The Wordfence Settings (Where you currently are)

Since you mentioned having Wordfence Login Security, the “Enable” options are located here:

• Menu Path: Go to Login Security (or Wordfence > Login Security) > Settings tab.
• The Checkbox: Look for Disable XML-RPC authentication. To keep it “enabled,” this box must be UNCHECKED.
• The 2FA Rule: Look for Require 2FA for XML-RPC call authentication. This must be set to Skipped so Microsoft Word can connect without a 2FA code.

Wordfence +4

2. The “Remote Publishing” Notes (Older WordPress versions)

Earlier, I mentioned Settings > Writing > Remote Publishing.

Oryon Networks +1

• Note: If you do not see this section in your Writing settings, it simply confirms that your version of WordPress has it permanently turned “on” by default. You do not need to do anything else in that menu.

Bluehost +1

Summary of why it still isn’t working:

If XML-RPC is enabled in Wordfence and you are using a fresh Application Password, but Word still can’t connect, there are only two possibilities left:

1. Host Block: Your web hosting company has blocked the xmlrpc.php file at the server level. You can verify this by visiting https://how-2.codes in your browser. If it says “403 Forbidden,” your host is blocking it.
2. Jetpack Conflict: If you have the Jetpack plugin installed, it sometimes takes over XML-RPC management. You may need to check Jetpack’s settings to allow “Offline Blogging.”

WordPress Development Stack Exchange +1

What happened when you tried to visit https://how-2.codes in your browser just now?

10 sites

• How to Enable WordPress XML-RPC (And When You Should)

Jan 29, 2026 — When should you enable XML-RPC? You should enable XML-RPC on your WordPress site only when you have a specific need for remote acc…

Bluehost

• Login Security Options – Wordfence

Allow remembering device for 30 days. When this option is enabled, users can click a checkbox to remember their device for 30 days…

Wordfence

• The NoneNone Brute Force Attacks: Even Hackers Need QA

Dec 17, 2020 — What should I do? If you’re using Wordfence, our built-in brute force protection will protect your site against XML-RPC attacks. T…

Wordfence

Show all

i dont know how to do that

To check if your “hidden door” is open, you just need to visit a specific address in your web browser (like Chrome, Safari, or Edge)

.

Cloudways +1

How to check the link:

1. Open a new tab in your web browser.
2. In the address bar at the very top, type exactly: https://how-2.codes/xmlrpc.php
3. Press Enter.

What to look for:

• Success ✅: If you see a plain white screen with the text “XML-RPC server accepts POST requests only.”, then everything is set up correctly on your website. This means the problem is inside your Microsoft Word settings or the password you are typing.
• Blocked ❌: If you see an error like “403 Forbidden” or “404 Not Found”, it means your web host (the company you pay to keep your site online) is blocking this file for security reasons.

Sendible +2

If it is Blocked (403 or 404):

You cannot fix this in WordPress yourself. You will need to contact your web host’s support team (via chat or email) and tell them:

“I am trying to use Microsoft Word to post to my blog, but my server is blocking access to my xmlrpc.php file. Can you please whitelist or unblock it for me?”.

WordPress.org +1

Which message did you see when you typed that address into your browser?

6 sites

• xmlrpc.php in WordPress: How to Enable or Disable it – Cloudways

May 2, 2025 — How to Check if xmlrpc. php is Enabled on Your Site? There are a couple of ways to verify if xmlrpc. php is active or not against …

Cloudways

• Steps to take when you’re having trouble with WordPress

Is your xmlrpc. php is accepting POSTs? This is the page that Sendible uses to communicate with when posting to a WordPress blog. …

Sendible

• Help Center – Understand WordPress Error Messages – Wodify

Nov 28, 2025 — Step-By-Step How To Verify and Configure the XML-RPC Connection. In Wodify, go to Perform > Settings > Web Integration and confirm…

Wodify

Show all

XML-RPC server accepts POST requests only.

That is

great news! Seeing that message means the “door” is open and your website is perfectly ready to receive posts from Microsoft Word.

Since your site is ready but the connection is still failing, the issue is down to a specific detail in the Word Registration window. Please try these exact settings one more time:

The “Golden” Connection Settings:

• Blog Post URL: https://how-2.codes
  (Make sure there are no spaces at the beginning or end).
• User Name: Your WordPress Admin Username.
  (Try using your Email Address here if the username fails again).
• Password: A brand new 24-character Application Password.
  • Go to Users > Profile in WordPress.
  • Delete all old application passwords.
  • Create a new one named “Word Fix”.
  • Copy and paste that code directly into Word (don’t type it manually).
• Remember Password: Make sure this box is Checked.

One Last “Wordfence” Check:

Even though the page loaded in your browser, Wordfence might still block the login attempt itself.

• Go to Login Security > Settings.
• Look for “Allow XML-RPC authentication” (it should be Checked/On).
• Look for “Require 2FA for XML-RPC call authentication” (it should be Skipped).

If it still fails:
Sometimes Word 2021 struggles with the .codes extension. Try clicking the “Picture Options” button in the registration window and changing the “Upload to” setting to “None” just to see if it allows the account to register first.

Did you get a “Success” message after trying the Email Address instead of the Username?

ive just did this 2x now and it didnt work, do it a 3rd time?

If you’ve tried it twice with a fresh

Application Password and it still isn’t working, do not try a third time with the same steps. Doing it again won’t change the result because something is “silent blocking” the connection between Word and your site.

Since your browser shows the xmlrpc.php page is active, the “door” is open, but Wordfence or your Hosting Firewall is likely slamming it shut the moment Word tries to log in.

The “Nuclear” Test (To find the culprit):

To prove if it’s Wordfence or something else, try this for 5 minutes:

1. Deactivate Wordfence Login Security: Go to Plugins > Installed Plugins and click Deactivate on the Wordfence Login Security plugin.
2. Try to Register in Word: Use your normal Admin Password (not the application one).
3. Result A: If it works, then Wordfence is definitely the blocker, and we need to tweak a specific “Brute Force” setting inside it.
4. Result B: If it still fails, then your Web Host has a “Web Application Firewall” (WAF) that hates Microsoft Word.

Why this happens with .codes domains:

Some security systems see a connection coming from a desktop app (Word) to a non-standard domain like .codes and flag it as a “bot attack.”

Who is your web hosting company? (e.g., Bluehost, Namecheap, HostGator?) Knowing this will help me tell you exactly which “Security Shield” they have that we need to turn off.

how do i check the firewall situation

Checking your “firewall situation” means looking at three different layers that could be blocking the connection between Microsoft Word and your blog. Since you’ve already confirmed the “door” is open (via the

xmlrpc.php link), one of these layers is likely rejecting the login attempt itself.

1. Check your Website’s Host Firewall

Many hosting companies (like Bluehost, SiteGround, or HostGator) have their own “Web Application Firewall” (WAF) that blocks external apps like Word to prevent attacks.

fozzy.com

• How to check: Log in to your hosting control panel (cPanel or similar). Look for icons like “IP Blocker,” “ModSecurity,” or “WAF.”
• What to look for: Check the “Security” or “Firewall” section to see if xmlrpc.php is explicitly disabled.
• The easy way: Contact your host’s support chat and ask: “Is there a server-side firewall blocking XML-RPC POST requests to my site? I’m trying to connect Microsoft Word.”.

All About Cookies +2

2. Check the Windows Desktop Firewall

Sometimes your own computer blocks Word from “talking” to the internet in a specific way.

• How to check: Click the Start button, type Allow an app through Windows Firewall, and press Enter.
• What to look for: Find Microsoft Word in the list. Ensure both the Private and Public boxes next to it are checked.
• Test: Temporarily disable your antivirus or Windows Defender for 60 seconds and try to connect in Word. If it works, your local security software is the culprit.

Microsoft Learn +1

3. Check for a “Hidden” Wordfence Block

Even with just Login Security, Wordfence can “throttle” or block IPs that try to log in too many times.

• How to check: In your WordPress dashboard, go to Wordfence > Tools > Live Traffic.
• What to look for: Try to connect in Word, then immediately refresh the Live Traffic page. Look for a red entry that says “Blocked”. If you see your own IP address being blocked, click the button that says “Add to Allowlist” next to that entry.

University of Wisconsin–Madison

Summary of the “Blocks”

Who is your web hosting company? If I know the host, I can give you the exact clicks to find their specific firewall settings.

8 sites

• How to allow Microsoft Edge to access the network in your firewall or …

Mar 2, 2026 — * 1 answer. Sort by: Most helpful. TaoLi. 66,515 • Independent Advisor. Mar 2, 2026, 4:03 AM. Hello, Open Settings → Privacy & sec…

Microsoft Learn

• Web Hosting – WordPress Security with WordFence

Apr 7, 2020 — Instructions on how to install and configure it are provided below and optimized for use with the UW Theme. * First starting on yo…

University of Wisconsin–Madison

• How to Find Out Who Is Hosting Any Website – Elegant Themes

Jan 24, 2023 — How to Find A Website’s Host * Finding out who is hosting a website is as simple as entering the URL into the Find Hosting field. …

hostinger

Since you are using

Hostinger, there is a high chance the connection is being blocked by a specific security setting in their hPanel (their custom control panel). Hostinger often disables XML-RPC by default to prevent attacks.

Follow these steps to check and fix the “firewall” at the Hostinger level:

1. Enable XML-RPC in Hostinger hPanel

Hostinger allows you to toggle the “door” on or off from your hosting dashboard.

• Log in to your Hostinger hPanel.
• Go to Websites and click Manage for your domain (how-2.codes).
• On the left sidebar, go to Advanced > PHP Configuration.
• Click the PHP Options tab.
• Scroll down to find xmlrpc.
• Ensure the box is CHECKED. If it was unchecked, check it and click Save at the bottom.