Subscribing to RSS feeds on private sites


RSS feeds are a useful way to receive notifications about new posts and comments on your labbook. Feed readers, which periodically download and display new posts from your site, are included in most desktop email software such as Thunderbird. However, if your site is configured to be private (i.e. it requires a login), these feeds are not accessible by default to your feed reader using the normal feed URL. ALP provides a means to access such feeds even on private sites, and this page describes how.

Credentials and RSS feeds

RSS feeds are retrieved by your reader software using the same means your browser uses to retrieve websites: HTTP. The typical way to configure access to feeds (or web pages) on private sites is to embed a valid username and password in the URL like so:

This is called HTTP authentication. One issue with this approach is that it can represent a significant security risk: your normal username and password used to log in to your site would get sent over a potentially insecure HTTP request and would appear in the server logs. Anyone obtaining this URL would be able to get full access to your site. HTTP authentication using your normal WordPress password is therefore disallowed by ALP on private sites.

In place of using your standard login for feed URLs, ALP provides the ability to create application passwords. These are special passwords, linked to your account, which when used only allow access to your site in a non-interactive way. These allow access to feeds on private sites via HTTP authentication. There is still an element of risk, but you have more control over it – see below.

A note on security

Even though application passwords are in some ways more secure than using your normal password as a means to retrieve private feeds, note that they still allow some access to your site to anyone who obtains your application password, including write access such as the ability to delete posts, users and even whole blogs. They would, however, only be able to do this non-interactively (via the REST API), and should you suspect your application password has been seen by someone else, you can revoke it at any time from the administration area.

The main point is: care is still required not to leak application passwords for accounts on your site, especially for privileged accounts such as researchers or administrators. For extra security you may wish to create or ask your administrator to create a low-privilege read-only user account (e.g. one with a Subscriber role) and corresponding application password just for feeds, to limit potential damage caused by a leaked application password.

WordPress developers are as of writing investigating alternative mechanisms to authenticate via the REST API rather than cookie-based authentication, which might allow a feed reader to work with ALP without application passwords. If such a feature becomes part of core, the application passwords feature may be removed in a future ALP release.

Configuring your feed reader’s access to your private site’s feed

Access to feeds on private sites can be configured by combining an application password with a feed reader such as Thunderbird. The steps in the following sections show you how to do this.

Creating an application password

First of all, ensure that the application passwords feature is enabled in your ALP installation. Your administrator has to check the Enable application passwords setting in the ALP settings page:

The “Enable application passwords” setting must be enabled to use application passwords.

Once it’s enabled, you (using your account) should go to the Application Passwords page in the administration area, found under the Users heading in the sidebar:

On the page that loads, give a name to the application password. In this case we’re calling it Thunderbird:

Click Add New Application. A new password will be generated and shown in the table to the right:

Now you need to configure your feed reading software to use the feed and the application password. See the next section.

Configuring feed reader software to use the feed URL

Currently, only the instructions for Thunderbird are fully documented here. The process for other software may be slightly different; for example, in some software you may be able to specify a username, a password and a feed URL separately. In such cases, use the public feed URL for your site, which you can find in the right sidebar of any page on the front end:

For the username specify your normal login username, and for the password specify the application password you just generated (spaces don’t matter).

For other software which does not provide a means to specify a username and password, such as Thunderbird, you have to build your own custom URL. Instructions for that are in the following section.

Building a custom URL for feed readers without password fields

Start with the same feed URL as shown above. It should look something like this:

Before the domain part, which in the above example is, add the following:

where username is your normal login name and password is the application password you copied (spaces don’t matter).

At this point, the URL should look something like this:

https://john:hidGL 02Uv3 25Jip qaTU1 jz7Vw

In Thunderbird, add a new feed and use this URL. Instructions for doing that can be found here.

At this point, you should have your feed reader configured to access posts from your private site using an application password – you’re done!
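The URL-building step above can be scripted so that the application password is stripped of spaces, percent-encoded, and never attached to a plain `http://` feed. This is an added example, not code from ALP; the function names, the host `labbook.example.org` and the password shown are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, quote


def build_feed_url(feed_url, username, app_password):
    """Return feed_url with 'username:app_password@' placed before the domain."""
    parts = urlsplit(feed_url)
    if parts.scheme != "https":
        # The credentials travel with every request, so refuse cleartext HTTP.
        raise ValueError("feed URL must use https")
    if parts.username or parts.password:
        raise ValueError("feed URL already contains credentials")
    # The page notes that spaces in the application password don't matter.
    secret = "".join(app_password.split())
    # Percent-encode characters that would be read as URL syntax (@ : / ? #).
    userinfo = f"{quote(username, safe='')}:{quote(secret, safe='')}"
    return urlunsplit(parts._replace(netloc=f"{userinfo}@{parts.netloc}"))


def redact(url):
    """Mask the password so the URL can be logged or pasted into a ticket."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    hostport = parts.netloc.rpartition("@")[2]
    return urlunsplit(parts._replace(netloc=f"{parts.username}:***@{hostport}"))


if __name__ == "__main__":
    # Constructed sample values, not a real account or site.
    url = build_feed_url(
        "https://labbook.example.org/feed/",
        "john",
        "AbCd3 fGh1J kLmN0 pQrS7 tUvW9",
    )
    print(redact(url))  # paste `url` itself only into the feed reader
```

Use `redact()` whenever the URL has to appear in a log, screenshot or support request, since the full URL is equivalent to the application password.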


# | Date | User | Information
168 | 3 months ago | Sean Leavey | added note about potentially removing application passwords (current)
167 | 3 months ago | Sean Leavey | (original)