WP Headless Access — sperrytreecare.com

Application Password Credentials

Site

https://sperrytreecare.com

Username

BT_admin

App Password

AFR6 o6WN Y0gP 2RUl jLX4 OdAW

App Name

Cowork

UUID

243dc9e5-c8a3-45e3-bd3e-c69da5c6f597

User ID

2 (Jason Johnson, Administrator)

Created

May 1, 2026

Execution Context

Desktop Commander start_process (Mac outbound) — sandbox has network exit 56 block

REST API Curl Patterns

Use these via Desktop Commander start_process. Spaces in the App Password are fine — WP REST strips them automatically. No browser session or nonce required.

Verify auth

# Confirm credentials work
curl -s -u "BT_admin:AFR6 o6WN Y0gP 2RUl jLX4 OdAW" \
  "https://sperrytreecare.com/wp-json/wp/v2/users/me?_fields=id,name,roles"

Read page (includes Elementor data)

# GET any page — includes _elementor_data in meta
curl -s -u "BT_admin:AFR6 o6WN Y0gP 2RUl jLX4 OdAW" \
  "https://sperrytreecare.com/wp-json/wp/v2/pages/{ID}?context=edit&_fields=id,slug,title,meta"

Update post meta (e.g. Elementor data, custom fields)

# POST with X-HTTP-Method-Override: PUT (better Wordfence compat than raw PUT)
curl -s -X POST \
  -u "BT_admin:AFR6 o6WN Y0gP 2RUl jLX4 OdAW" \
  -H "Content-Type: application/json" \
  -H "X-HTTP-Method-Override: PUT" \
  -d '{"meta": {"_elementor_data": "..."}}' \
  "https://sperrytreecare.com/wp-json/wp/v2/pages/{ID}"

String-replace in Elementor data (Python pattern)

# Fetch, patch, and push back in one Desktop Commander process
python3 -c "
import subprocess, json, re

creds = 'BT_admin:AFR6 o6WN Y0gP 2RUl jLX4 OdAW'
page_id = 1479
find = ' and first dibs on openings'
replace = ''

r = subprocess.run(['curl','-s','-u',creds,
  f'https://sperrytreecare.com/wp-json/wp/v2/pages/{page_id}?context=edit'],
  capture_output=True, text=True)
data = json.loads(r.stdout)
old = data['meta']['_elementor_data']
new = old.replace(find, replace)
print(f'Replacements: {old.count(find)}')

patch = json.dumps({'meta':{'_elementor_data': new}})
subprocess.run(['curl','-s','-X','POST','-u',creds,
  '-H','Content-Type: application/json',
  '-H','X-HTTP-Method-Override: PUT',
  '-d', patch,
  f'https://sperrytreecare.com/wp-json/wp/v2/pages/{page_id}'],
  capture_output=True)
print('Done')
"

Elementor cache: After updating _elementor_data via REST, the Elementor CSS/file cache must be flushed via the WP Admin UI. Navigate to Appearance → Elementor → Tools and click Clear Files & Data. This step requires a browser session because the Elementor AJAX nonce is not compatible with Application Passwords.

Wordfence WAF — Known Limitations

Wordfence Extended Protection runs before WordPress boots. Large JSON payloads (full Elementor data) may be blocked. Allowlisting by param name is the only reliable bypass for dynamic IPs.

Param / Pattern	Risk	Status	Notes
`_elementor_data`	High	Allowlisted	Large JSON; WAF blocks without allowlist
`wpcf7-form`	Medium	Allowlisted	CF7 shortcode updates
REST API `/wp-json/`	Low	Permitted	Standard REST namespace; not blocked by default
Raw PUT requests	Medium	Use Override	Use POST + `X-HTTP-Method-Override: PUT` instead of raw PUT

Key Page IDs — sperrytreecare.com

Page ID	Slug	Description
1479	/sperry-club/	Sperry Club sign-up (live, Elementor)
2419	/sperry-club-visible/	Sperry Club alt variant (Elementor)
2391	/spring-estimate/	Spring campaign landing page (Elementor)

Where This Is Locked In

Location	File	Status
Session memory	memory/reference_wp_app_password.md + MEMORY.md	✓ Done
Sperry project rules	/1_Clients/Sperry Tree Care/CLAUDE.md	✓ Done
Global Cowork rules	CLAUDE.md (global plugin config)	✓ Done
This reference doc	sperry-wp-setup-may2026.jason-8ce.workers.dev	✓ Deployed