Security & Trust

Your client sites are safe with us

We know you're trusting us with access to your clients' websites. Here's exactly how AutoPublish protects credentials, isolates data, and keeps your sites secure — no vague promises, no marketing speak.

  • Application Passwords Only: Never your admin credentials
  • AES-256 Encrypted at Rest: All API keys and credentials
  • Zero Plugin Installs: Native WP REST API — no site footprint
  • Per-Account Data Isolation: Row-level security on every table

WordPress Security

The WordPress connection explained

WordPress Application Passwords were introduced in WordPress 5.6 specifically to allow third-party tools to connect without sharing your main admin password. They're the officially recommended, secure way to integrate with WordPress.

How the connection works

Your WP Admin (you generate the App Password) → App Password (unique, limited scope) → AutoPublish (receives & encrypts) → Post Created (only posts, nothing else)

Why Application Passwords are safer

  • Your main admin password never leaves your computer
  • Each tool gets its own separate, unique password
  • You control exactly what permissions each tool has
  • Revoke one tool without affecting others
  • Native WP feature — no plugin needed

What AutoPublish requests

  • Create and edit blog posts (wp/v2/posts)
  • Upload featured images (wp/v2/media)
  • Set SEO meta via Yoast/RankMath REST API
  • Set publish date and post status

How to revoke: WP Admin → Users → Your Profile → Application Passwords → Delete

What we can and cannot do

Full transparency about the scope of our access.

AutoPublish CAN

  • Create and edit blog posts
  • Upload featured images
  • Set SEO meta (Yoast / RankMath)
  • Set publish date and status

AutoPublish CANNOT

  • Access admin settings or configuration
  • Install, update, or remove plugins
  • Create, delete, or modify user accounts
  • Access other passwords or credentials
  • View private pages, orders, or customer data
  • Change site settings or theme files
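
One way to check the two lists above against the WordPress account an Application Password belongs to, as an added example that is not AutoPublish's code: the core REST route `/wp/v2/users/me?context=edit` reports the authenticated user's roles and capabilities. The mapping of list items to capability names and both sample responses are constructed for illustration.

```python
import base64
import json
import urllib.request

# Core WordPress capabilities the publishing tasks listed above rely on.
REQUIRED = {"edit_posts", "publish_posts", "upload_files"}

# Core capabilities behind the "CANNOT" items; the account should hold none.
SENSITIVE = {
    "manage_options", "install_plugins", "update_plugins", "delete_plugins",
    "activate_plugins", "create_users", "edit_users", "delete_users",
    "edit_themes", "edit_theme_options", "read_private_pages",
}

def fetch_me(site_url, username, app_password):
    """Fetch the authenticated user's record, including capabilities."""
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    req = urllib.request.Request(
        site_url.rstrip("/") + "/wp-json/wp/v2/users/me?context=edit",
        headers={"Authorization": "Basic " + token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def audit_capabilities(user_json):
    """Compare the account's capabilities with the two sets above."""
    user = json.loads(user_json)
    caps = user.get("capabilities")
    if caps is None:  # field is only returned for context=edit
        raise ValueError("no capabilities field; request with ?context=edit")
    granted = {name for name, enabled in caps.items() if enabled}
    return {
        "roles": user.get("roles", []),
        "missing": sorted(REQUIRED - granted),
        "excess": sorted(granted & SENSITIVE),
    }

# Constructed sample responses (trimmed), not captured from a real site.
AUTHOR_SAMPLE = json.dumps({"id": 7, "roles": ["author"], "capabilities": {
    "read": True, "edit_posts": True, "publish_posts": True,
    "upload_files": True, "edit_published_posts": True, "author": True}})
ADMIN_SAMPLE = json.dumps({"id": 1, "roles": ["administrator"], "capabilities": {
    "read": True, "edit_posts": True, "publish_posts": True,
    "upload_files": True, "manage_options": True, "install_plugins": True,
    "edit_users": True, "administrator": True}})

if __name__ == "__main__":
    for name, sample in (("author", AUTHOR_SAMPLE), ("admin", ADMIN_SAMPLE)):
        print(name, audit_capabilities(sample))
```

Pass the output of `fetch_me` to `audit_capabilities`; an empty `excess` list means the connected account holds none of the capabilities behind the CANNOT items.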

Data security details

Every layer of our security model, explained plainly.

Encryption at Rest

All API credentials are stored with AES-256 encryption. Even AutoPublish team members cannot view your passwords in plaintext. Decryption only happens transiently when a publish job runs.

Per-Account Data Isolation

Every user's sites, jobs, credentials, and content are completely isolated from other accounts. We use Supabase Row Level Security (RLS) on every database table — a different account cannot access your data by design.

No Plugin Required

Unlike competitors who require installing a plugin on your client's site, AutoPublish uses native WordPress REST API + Application Passwords. Zero footprint on the site. Nothing to maintain, nothing to uninstall, nothing that can be exploited.

Instant Revocation

Don't trust us anymore? Delete the Application Password from your WordPress admin in 10 seconds. Our access is instantly and permanently revoked — no support ticket, no uninstall process, no waiting.

Security on Ghost, Shopify, and HubSpot

The same principle applies across all platforms: minimum necessary scope, maximum transparency.

Ghost

AutoPublish uses a Ghost Admin API key scoped to content creation only. The key cannot access site settings, members data, or billing. Revoke it instantly from Ghost Admin → Integrations.

Shopify

We use Shopify's Partner API with the minimum scopes required: write_content (blog posts) and read_content only. No access to orders, customers, payments, or product inventory.

HubSpot

AutoPublish connects via a HubSpot Private App with blog-only permissions. It cannot access contacts, deals, CRM records, or marketing automation workflows.

Security FAQ for agencies

Can AutoPublish access my client's admin panel?

No. WordPress Application Passwords grant access only to the specific capabilities defined when creating them. AutoPublish requests post-creation scope only — it cannot access admin settings, user management, plugin configuration, or any data outside of blog posts. The only REST API endpoints we use are /wp/v2/posts and /wp/v2/media (for featured images).

Where are my API keys stored?

API keys and credentials are stored in our database with AES-256 encryption. The encryption key is stored separately from the database (in environment variables on our server infrastructure). This means even if the database were somehow compromised, the credentials would be unreadable without the separate encryption key.

What if I want to revoke access?

Go to your WordPress admin → Users → Your Profile → Application Passwords, and delete the AutoPublish password. Access is revoked instantly and permanently. For Ghost, go to Admin → Integrations. For Shopify, go to Partner Dashboard → Apps. You don't need to contact us or go through any process.

Do you store the published content?

We store a record of what was published (title, URL, job ID, timestamp) for your dashboard history. We do not permanently store the full article body after publishing. The content is generated, published to your CMS, and the generation data is discarded after 30 days.

Is there an audit log of what AutoPublish does?

Yes. Your AutoPublish dashboard shows a complete job history: every article generated, when it was published, to which site, and the publish status. WordPress also keeps its own revision history for every post AutoPublish creates, so you have a full record on the CMS side as well.

Trusted by Agencies

Ready to connect your first site?

Sign up free and connect your first WordPress, Ghost, or Shopify site. 3 free credits included. No plugins. No admin password required.

No credit card required · No plugin installs · Cancel anytime