Skip to main content
RapidDev - Software Development Agency
bubble-integrationsBubble API Connector

WordPress

Connect Bubble to WordPress using the WordPress REST API and Application Passwords — no OAuth dance, no token refresh. Base64-encode your username and application password, paste it into a Private Authorization header in Bubble's API Connector, and start reading or writing posts server-side. Bubble's server-side proxy eliminates the CORS issues that would block direct browser calls to your WordPress site.

What you'll learn

  • How to generate a WordPress Application Password in wp-admin
  • How to base64-encode HTTP Basic Auth credentials for Bubble's API Connector
  • How to create and initialize WordPress REST API calls in Bubble
  • How to build a CMS-powered repeating group displaying WordPress posts in Bubble
  • How to create and update WordPress drafts from a Bubble form
Book a free consultation
4.9Clutch rating
600+Happy partners
17+Countries served
190+Team members
Beginner15 min read45 minutesMedia & ContentLast updated July 2026RapidDev Engineering Team
TL;DR

Connect Bubble to WordPress using the WordPress REST API and Application Passwords — no OAuth dance, no token refresh. Base64-encode your username and application password, paste it into a Private Authorization header in Bubble's API Connector, and start reading or writing posts server-side. Bubble's server-side proxy eliminates the CORS issues that would block direct browser calls to your WordPress site.

Quick facts about this guide
FactValue
ToolWordPress
CategoryMedia & Content
MethodBubble API Connector
DifficultyBeginner
Time required45 minutes
Last updatedJuly 2026

WordPress REST API + Bubble: a CMS-powered Bubble app in under an hour

If your content lives in WordPress but your product experience is in Bubble, the WordPress REST API is the bridge. Application Passwords — introduced in WordPress 5.6 (December 2020) — make this connection as simple as generating a password in wp-admin, encoding it as HTTP Basic Auth, and dropping it into Bubble's API Connector. Because Bubble makes all API calls server-side, the CORS errors that would block a direct browser request to `yoursite.com/wp-json/` are completely avoided. The WordPress REST API lives at `yoursite.com/wp-json/wp/v2/` and exposes endpoints for posts, pages, media, categories, tags, and users. One important detail: WordPress returns text fields like titles, content, and excerpts wrapped in a `rendered` property containing HTML — for example, `title.rendered` and `content.rendered`. Bubble's text elements show raw HTML tags unless you strip them, so you need to either display HTML (using an HTML element) or clean the text in a Backend Workflow. Using the `_fields` URL parameter to request only the fields you need reduces response size significantly — a full post object with content can be 5–10 KB, while a metadata-only request for list views is under 500 bytes. This keeps WU consumption low and page loads fast.

Integration method

Bubble API Connector

Uses Bubble's API Connector with a Private Basic Auth header to call WordPress REST API endpoints server-side — fetching posts, pages, and media, or creating drafts from Bubble forms.

Prerequisites

  • A self-hosted WordPress site running version 5.6 or later — Application Passwords are available by default in WP 5.6+ (note: WordPress.com hosted sites use a different OAuth 2.0 setup, not Application Passwords)
  • wp-admin access with an Administrator or Editor user account — Application Passwords are generated per user in wp-admin → Users → Profile
  • A Bubble account (any plan) — the basic read integration works on the free plan; writing posts via Backend Workflows requires a paid plan
  • A base64 encoding tool — you will manually encode your credentials before pasting them into Bubble (browser-based tools like base64encode.org work fine)

Step-by-step guide

1

Generate a WordPress Application Password in wp-admin

Log into your WordPress site's wp-admin dashboard. Navigate to Users → Profile (or Users → All Users → click your username). Scroll down to the 'Application Passwords' section near the bottom of the profile page. In the 'New Application Password Name' field, enter a descriptive name like 'Bubble Integration' — this label is just for your reference and has no functional effect. Click 'Add New Application Password.' WordPress generates a password immediately and shows it once — copy it now, because you cannot retrieve it again. The format will look like a random string with spaces, for example: `abcd EfGH 1234 WXYZ mnop QRST`. Remove all spaces when you use it: `abcdEfGH1234WXYZmnopQRST`. Keep your WordPress admin username and this cleaned Application Password together — you will combine them in the next step. If you do not see the Application Passwords section, verify that your WordPress version is 5.6 or above (check Dashboard → Updates → 'Your site is up to date' shows the version). The feature is enabled by default but can be disabled by a security plugin.

Pro tip: Create the Application Password for a dedicated WordPress user with only the permissions your Bubble app needs — for example, a user with the Editor role for content reading and drafting, rather than using your Administrator account.

Expected result: You have a WordPress Application Password for your chosen user. The password is copied and stored safely — you will not be able to view it again in wp-admin.

2

Base64-encode your WordPress credentials

Bubble's API Connector does not automatically encode HTTP Basic Auth credentials — you must do this manually before pasting into the Authorization header. The format for Basic Auth is `username:password` (your WordPress username, a colon, then the Application Password with spaces removed). For example, if your username is `admin` and your Application Password is `abcd EfGH 1234 WXYZ mnop QRST`, the string to encode is `admin:abcdEfGH1234WXYZmnopQRST`. Open a browser tab and navigate to a base64 encoding tool (search 'base64 encode online' or use base64encode.org). Paste your `username:password` string and click Encode. You will get a base64 string like `YWRtaW46YWJjZEVmR0gxMjM0V1hZWm1ub3BRUlNU`. The full Authorization header value is `Basic YWRtaW46YWJjZEVmR0gxMjM0V1hZWm1ub3BRUlNU` — note the word `Basic` followed by a space, then your encoded string. Copy this full value. You will paste it into Bubble in the next step. Keep this encoded string private — it is equivalent to your username and password.

basic_auth_encoding_guide.txt
1// Format for base64 encoding:
2// Input string: admin:abcdEfGH1234WXYZmnopQRST
3// (WordPress username : Application Password with spaces removed)
4
5// Result (example — yours will differ):
6// Basic YWRtaW46YWJjZEVmR0gxMjM0V1hZWm1ub3BRUlNU
7
8// Full Authorization header value:
9// Authorization: Basic YWRtaW46YWJjZEVmR0gxMjM0V1hZWm1ub3BRUlNU

Pro tip: If you are building a multi-tenant Bubble app where different organizations have different WordPress sites, store each organization's encoded credentials in a Bubble data type field and reference it dynamically in the API Connector header.

Expected result: You have a complete Authorization header value in the format 'Basic [base64string]' ready to paste into Bubble's API Connector.

3

Add the WordPress API Connector in Bubble

In your Bubble editor, click the Plugins tab in the left sidebar. Click 'Add plugins,' search for 'API Connector,' find the one by Bubble (official), and click Install. After installation, click 'API Connector' in your plugins list to open the configuration panel. Click 'Add another API.' Name this API 'WordPress.' Set the Authentication dropdown to 'None or self-handled' — you will handle auth manually via the header. Set the base URL to your WordPress site's REST API root: `https://yoursite.com/wp-json/wp/v2` (replace `yoursite.com` with your actual domain). Under 'Shared headers,' click 'Add a header.' Set the key to `Authorization` and the value to the full `Basic [base64string]` you generated in step 2. Check the 'Private' checkbox next to this header — this is critical. When Private is checked, Bubble sends this header from its servers and it never appears in browser-side network requests. This is the core security model for this integration. Save the API configuration. You are now ready to add individual API calls.

wordpress_api_connector.json
1{
2 "api_name": "WordPress",
3 "base_url": "https://yoursite.com/wp-json/wp/v2",
4 "shared_headers": [
5 {
6 "key": "Authorization",
7 "value": "Basic <your_base64_encoded_credentials>",
8 "private": true
9 }
10 ]
11}

Pro tip: Verify your WordPress permalink structure is set to anything other than 'Plain' — the REST API requires pretty permalinks (Settings → Permalinks in wp-admin). If permalinks are set to Plain, the /wp-json/ route returns a 404.

Expected result: The WordPress API entry appears in your Bubble API Connector configuration with the Private Authorization header set. You are ready to add individual calls.

4

Create a GET /posts call and initialize it

Inside the WordPress API Connector entry, click 'Add a call.' Name it 'Get Posts.' Set the method to GET and the path to `/posts`. Add URL parameters to control the response: `status` (value `publish`), `per_page` (value `10`), `page` (value `1`), `orderby` (value `date`), `order` (value `desc`), and `_fields` (value `id,title,excerpt,date,status,link,featured_media,categories`). The `_fields` parameter tells WordPress to return only those fields, dramatically reducing response size for list views. Under 'Use as,' select 'Data' — this allows you to bind the response array to a Bubble repeating group. Click 'Initialize call.' Bubble will send a real GET request to your WordPress site and receive a live array of posts. If successful, Bubble auto-detects the response fields: `items[].id`, `items[].title.rendered`, `items[].excerpt.rendered`, `items[].date`, `items[].link`. If you see 'There was an issue setting up your call,' check that your Authorization header is correct (the base64 encoding, the word 'Basic' with a space) and that your WordPress permalink structure is not set to Plain. If a security plugin blocks the request, check the WordPress server logs or temporarily disable Wordfence to test.

wordpress_get_posts.json
1{
2 "call_name": "Get Posts",
3 "method": "GET",
4 "path": "/posts",
5 "parameters": [
6 { "key": "status", "value": "publish" },
7 { "key": "per_page", "value": "10" },
8 { "key": "page", "value": "<dynamic>" },
9 { "key": "orderby", "value": "date" },
10 { "key": "order", "value": "desc" },
11 { "key": "_fields", "value": "id,title,excerpt,date,status,link,featured_media,categories" }
12 ],
13 "use_as": "Data"
14}

Pro tip: WordPress REST API returns HTML inside `title.rendered` and `excerpt.rendered`. For a clean Bubble text element, use a Dynamic Expression that applies ':converted to text' on the field value — this strips basic HTML tags in Bubble's expression engine.

Expected result: The 'Get Posts' call is initialized with detected response fields. You can see fields like `items title rendered`, `items excerpt rendered`, and `items date` available as data sources in Bubble.

5

Build a posts repeating group and editorial form

Add a Repeating Group element to your Bubble page. Set its type to 'WordPress Get Posts' and its data source to 'Get Posts from WordPress' (your initialized API call). Set per_page and page parameters dynamically if you want pagination. Inside the repeating group cell, add Text elements bound to: `Current cell's WordPress Get Posts title rendered` (post title) and `Current cell's WordPress Get Posts excerpt rendered` (converted to text to strip HTML). Add a Date/Time element bound to `date`. For featured images, you will need a separate GET `/media/[id]` call — the `/posts` endpoint returns the media ID, not the URL. For the editorial dashboard, add a Form group with Input fields for Title and Content, and a Create Post button. Wire the button to a Backend Workflow that POSTs to `/posts` with a JSON body containing title, content, and status set to draft. Add a header `Content-Type: application/json` at the call level for POST requests. RapidDev's team regularly builds Bubble editorial workflows like this — reach out at rapidevelopers.com/contact for a free scoping call if you want a more advanced workflow including category assignment and featured image upload.

wordpress_create_post.json
1{
2 "call_name": "Create Post",
3 "method": "POST",
4 "path": "/posts",
5 "headers": [
6 { "key": "Content-Type", "value": "application/json" }
7 ],
8 "body": {
9 "title": "<dynamic: Input Title's value>",
10 "content": "<dynamic: Input Content's value>",
11 "excerpt": "<dynamic: Input Excerpt's value>",
12 "status": "draft"
13 },
14 "use_as": "Action"
15}

Pro tip: For the 'Update post status' action (e.g., publishing a draft), use a POST to `/posts/[id]` with body `{"status":"publish"}`. WordPress REST API uses POST for both create and update operations — PATCH is also accepted.

Expected result: The repeating group displays WordPress posts with titles, excerpts, and dates. The Create Draft form successfully creates new posts in WordPress as drafts, visible in wp-admin.

6

Test, check privacy rules, and handle HTML in text fields

Preview your Bubble app and verify the repeating group loads posts correctly. Open Bubble's Logs tab (visible in the editor left sidebar) and check Workflow logs to confirm the API calls are completing with status 200 and to spot any WU consumption patterns. Now set up Bubble Data Privacy rules: go to Data tab → Privacy. If you create any Bubble data types that store WordPress content (for example, a CachedPost type that saves post IDs or metadata), add privacy rules restricting who can search for or modify those records — this prevents unauthorized data access through Bubble's API. For the HTML issue: WordPress's `title.rendered` and `excerpt.rendered` fields contain HTML entities and tags. In Bubble text elements, use the expression `:converted to text` to strip basic HTML. For full content (`content.rendered`), use a Bubble HTML element instead of a text element — paste the dynamic value directly into an HTML element to render the WordPress HTML properly in the browser. Test pagination by wiring a 'Next page' button to increment the `page` parameter value and refreshing the repeating group.

Pro tip: WordPress.com-hosted sites (yoursite.wordpress.com) use OAuth 2.0, not Application Passwords. This tutorial covers self-hosted WordPress.org sites only. If your WordPress is on WordPress.com Business plan or higher, the API is available but requires a different authentication setup.

Expected result: The integration is working end-to-end: posts load in the repeating group, HTML is handled correctly in text and HTML elements, pagination works, and Bubble Logs show clean 200 responses from the WordPress API.

Common use cases

CMS-Powered Bubble App with WordPress Content

Let editorial staff manage content in WordPress's familiar editor while the customer-facing experience is entirely in Bubble. Fetch published posts on page load into a Bubble repeating group — title, excerpt, featured image, and publication date — keeping content and product in sync without any manual export.

Bubble Prompt

Build a Bubble page that loads WordPress posts into a repeating group showing the post title, published date, excerpt (stripped of HTML), and featured image, sorted by date descending with a 'Load more' button for pagination.

Copy this prompt to try it in Bubble

Bubble-Powered Editorial Dashboard

Build an internal tool in Bubble where editorial staff can see all WordPress drafts, click to update their status to 'publish' or 'private,' and create new draft posts using a Bubble form — without opening wp-admin.

Bubble Prompt

Create a Bubble admin page that lists WordPress drafts in a repeating group with title and status. Add a button to each row that calls the WordPress API to change status to 'publish', and a form below to create a new draft post with title, content, and excerpt.

Copy this prompt to try it in Bubble

WordPress Media Library Browser

Surface the WordPress media library in a Bubble page so non-technical team members can browse, search, and copy URLs of uploaded images — without logging into wp-admin. Use GET /media to list uploaded files with thumbnails and source URLs.

Bubble Prompt

Build a Bubble page with a repeating group that fetches the WordPress media library (GET /media) and displays each image as a thumbnail with its file name and a copy-URL button.

Copy this prompt to try it in Bubble

Troubleshooting

API Connector Initialize call returns 'There was an issue setting up your call' or a 401 Unauthorized error

Cause: The base64-encoded Authorization header is incorrect. Common causes: spaces not removed from the Application Password before encoding, the word 'Basic' missing from the header value, or the wrong WordPress username used (must match the account that generated the Application Password).

Solution: Re-encode your credentials carefully: copy the Application Password from wp-admin (you may need to revoke and generate a new one), remove all spaces, combine as `username:password_no_spaces`, and base64-encode the full string. The header value must be `Basic ` (with a space) followed by the encoded string. Paste the result back into the Bubble API Connector header and re-initialize.

401 Unauthorized despite correct credentials — Application Password appears valid

Cause: A security plugin (Wordfence, iThemes Security, All In One WP Security) has disabled Application Passwords or is blocking REST API requests from Bubble's server IP ranges.

Solution: Log into wp-admin and check your security plugin's settings. In Wordfence, look under Firewall → Blocking → check if REST API access is restricted. In iThemes Security, check Security → Settings → WordPress Tweaks → 'Filter Request Methods' or 'Disable File Editor.' Temporarily disable the security plugin and re-test. If that resolves it, add an allowlist rule for the REST API endpoint in the plugin settings rather than keeping it disabled.

WordPress REST API returns 404 for all /wp-json/ requests

Cause: WordPress permalink structure is set to 'Plain' (the default for some installations). The REST API requires pretty permalinks to work.

Solution: In wp-admin, go to Settings → Permalinks. Select any option other than 'Plain' — 'Post name' is recommended. Click 'Save Changes.' WordPress will update the .htaccess file and the /wp-json/ routes will become accessible. Re-test the Bubble API Connector Initialize call.

Post titles and excerpts display raw HTML tags (e.g., `<p>`, `&#8220;`) in Bubble text elements

Cause: WordPress REST API returns HTML in `title.rendered` and `excerpt.rendered` fields. Bubble's text elements display these as raw strings rather than rendering the HTML.

Solution: For titles and short excerpts, use the Bubble expression `:converted to text` on the field value — this strips basic HTML tags. For full post content (`content.rendered`), use an HTML element instead of a text element and bind the dynamic value directly — the browser will render the HTML correctly.

POST /posts call creates the post but returns a 403 Forbidden error

Cause: The WordPress user account whose Application Password is being used does not have the 'publish_posts' or 'edit_posts' capability. This happens if the user role is Subscriber or Contributor.

Solution: The user account linked to the Application Password needs at least the Editor role to create and update posts. Go to wp-admin → Users → All Users, click the user, and change their role to Editor or Author (Author can create and edit their own posts; Editor can manage all posts). Alternatively, create a dedicated WordPress user for the Bubble integration with the appropriate role.

Best practices

  • Create a dedicated WordPress user account specifically for the Bubble integration with only the permissions your app needs (Author or Editor role, not Administrator) — this limits exposure if the Application Password is ever compromised.
  • Use the `_fields` URL parameter in every GET request to limit the fields returned by WordPress. A full post object can be 5–10 KB; a metadata-only request is under 500 bytes, significantly reducing WU consumption and page load times.
  • Mark the Authorization header as Private in Bubble's API Connector — this is the most important security setting. Without Private, the base64-encoded credentials appear in client-side network requests and can be extracted from browser DevTools.
  • Add Bubble Data Privacy rules for any Bubble data types that store cached WordPress content — prevent unauthorized searching or modification of content records through Bubble's API.
  • Handle the HTML content of `title.rendered` and `content.rendered` appropriately: use `:converted to text` for short strings in text elements, and use HTML elements for full post content to render formatting correctly.
  • Monitor WordPress server logs after launch to catch any IP-based rate limiting from your WordPress host or security plugins — Bubble's server IPs can look like bot traffic to aggressive firewalls.
  • Test on a staging WordPress site before going live — a misconfigured API call sent to production can accidentally publish or modify posts if your form or workflow has a bug.

Alternatives

Frequently asked questions

Does this integration work with WordPress.com (hosted) sites?

No — WordPress.com uses OAuth 2.0 for API access, not Application Passwords. This tutorial covers self-hosted WordPress.org installations running version 5.6 or later. WordPress.com Business plan and above exposes the REST API but requires registering a WordPress.com developer application and implementing OAuth 2.0 — a significantly more complex setup.

Why do I need to manually base64-encode my credentials?

Bubble's API Connector does not automatically encode HTTP Basic Auth credentials — it passes the header value exactly as you enter it. You must encode `username:password` to base64 yourself and include the word 'Basic' followed by a space before the encoded string. Online tools like base64encode.org handle this in seconds.

Do I need a paid Bubble plan to use this integration?

Reading WordPress posts in a Bubble repeating group works on the free Bubble plan using the API Connector. Writing posts (creating drafts, updating status) from a Bubble form also works on the free plan using the API Connector Action type — you do not need Backend Workflows for basic read/write operations. Backend Workflows become necessary only for scheduled sync tasks or complex multi-step operations.

Can I upload images from Bubble to the WordPress media library?

Yes, but it is more complex. The WordPress REST API accepts multipart/form-data uploads at POST /media. You would need to capture the file in Bubble using a File Uploader element, then pass the file to an API Connector call with Content-Type: multipart/form-data and a Content-Disposition header. This is technically possible in Bubble but requires careful configuration of the call body.

How do I display WordPress content with proper formatting in Bubble?

WordPress returns content with HTML formatting in the `content.rendered` field. Use an HTML element in Bubble (not a Text element) and bind it to the `content.rendered` value — the browser renders the HTML properly, including paragraphs, bold, links, and images. For titles and short excerpts, use the Bubble expression ':converted to text' to strip basic HTML tags.

What if my WordPress host blocks Bubble's API requests?

Some managed WordPress hosts or security plugins rate-limit or block requests from cloud server IP ranges. Check the WordPress server error logs or your hosting provider's security dashboard. If Bubble's requests are being blocked, you may need to allowlist Bubble's server IP ranges in your WordPress host's firewall settings or configure your security plugin to allow REST API access.

RapidDev

Talk to an Expert

Our team has built 600+ apps. Get personalized help with your project.

Book a free consultation

Integrations are where projects stall

We wire Bubble integrations like this one every week — auth, webhooks, edge cases included. Fixed-price builds from $13K, delivered in 6–10 weeks.

Talk to an integration engineer

We put the rapid in RapidDev

Need a dedicated strategic tech and growth partner? Discover what RapidDev can do for your business! Book a call with our team to schedule a free, no-obligation consultation. We'll discuss your project and provide a custom quote at no cost.