Sign-In Security and User Profiles
Overview
The WPiko Chatbot Pro Mobile App is designed to use WordPress-native account security instead of a separate login system. Users sign in with their WordPress username and an Application Password, while access is limited to Administrators and WPiko Agents.
This page explains who can use the app, how sign-in works, and how names and avatars are shown in live chat.
Who Can Sign In
Supported Roles
The Mobile App is intended for:
- Administrators
- WPiko Agents
WPiko Chatbot Pro creates and syncs the required Mobile App capabilities for these users.
Required Capabilities
Depending on the account, access can include:
- Access the Mobile App
- View conversations
- Reply to conversations
- Manage live takeover sessions
- Manage push notifications
Sign-In Method
Application Passwords Only
The Mobile App expects:
- WordPress username
- WordPress Application Password
It does not use the normal WordPress login password.
This reduces exposure of the main account password and makes it easier to revoke app access without changing the user’s primary login credentials.
Security Behavior
HTTPS Requirement
Same-Origin API Access
The Mobile App is served from the same website that provides the REST API. Cross-origin access is restricted for the Mobile App API namespace.
Brute-Force Protection
The Mobile App login flow includes request throttling for repeated failed authentication attempts.
Session Storage and Remember Me
By default, the Application Password is stored only for the current browser session.
If “Remember me on this device” is enabled, the credentials are saved on that device until the user logs out.
Revoke Access from User Profile
Revoke a Single Device or App Login
If a device is lost, replaced, or should no longer access the Mobile App:
- Go to Users > Profile.
- Find Application Passwords.
- Locate the password created for the Mobile App.
- Revoke or delete it.
That immediately blocks future API access for that Application Password.
Best Practice
Create a separate Application Password for each device or user. This makes revocation cleaner and avoids affecting other devices.
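The following added example (not part of WPiko Chatbot Pro or its documentation) shows how an administrator could audit a user's Application Passwords for Mobile App logins that look abandoned and prepare them for revocation. The field names follow the WordPress core Application Passwords REST response; the sample entries are constructed, and the "WPiko Mobile" name prefix, the username "maria" and the 30-day idle threshold are assumptions for illustration.

```python
import json
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape WordPress core returns from
# GET /wp-json/wp/v2/users/<id>/application-passwords (all values made up).
SAMPLE = json.loads("""[
 {"uuid": "11111111-aaaa-4aaa-8aaa-000000000001", "name": "WPiko Mobile - Maria iPhone",
  "created": "2024-01-10T09:00:00", "last_used": "2024-05-30T08:12:00", "last_ip": "203.0.113.10"},
 {"uuid": "11111111-aaaa-4aaa-8aaa-000000000002", "name": "WPiko Mobile - old tablet",
  "created": "2023-11-02T14:30:00", "last_used": "2024-02-01T17:45:00", "last_ip": "198.51.100.7"},
 {"uuid": "11111111-aaaa-4aaa-8aaa-000000000003", "name": "WPiko Mobile - test",
  "created": "2024-03-15T10:00:00", "last_used": null, "last_ip": null},
 {"uuid": "11111111-aaaa-4aaa-8aaa-000000000004", "name": "Backup script",
  "created": "2022-06-01T00:00:00", "last_used": "2022-06-02T00:00:00", "last_ip": "192.0.2.5"}
]""")

def _utc(stamp):
    # Core emits these timestamps without an offset; they are GMT.
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)

def revocation_candidates(entries, now, max_idle_days=30, prefix="WPiko Mobile"):
    """Return (uuid, name, reason) for Mobile App passwords that look abandoned."""
    limit = timedelta(days=max_idle_days)
    found = []
    for e in entries:
        if not e["name"].startswith(prefix):  # prefix is an assumed naming convention
            continue
        if e.get("last_used") is None:
            # Created but never presented to the API: flag once past the grace period.
            if now - _utc(e["created"]) > limit:
                found.append((e["uuid"], e["name"], "never used"))
        elif now - _utc(e["last_used"]) > limit:
            idle = (now - _utc(e["last_used"])).days
            found.append((e["uuid"], e["name"], f"idle {idle} days"))
    return found

def wp_cli_commands(user, candidates):
    """Render one WP-CLI revoke command per candidate for an admin to review and run."""
    return [f"wp user application-password delete {shlex.quote(user)} {uuid}"
            for uuid, _, _ in candidates]

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    hits = revocation_candidates(SAMPLE, now)
    for uuid, name, reason in hits:
        print(f"{name}: {reason} ({uuid})")
    print("\n".join(wp_cli_commands("maria", hits)))
```

Because each device has its own Application Password, revoking the flagged entries leaves the actively used phone login untouched.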
Profile Display Name
What Name Appears in the App
When a team member takes over a conversation, the app uses the WordPress user’s public display name.
This comes from:
Users > Profile > Display name publicly as
If no display name is set, WordPress falls back to the username or login name.
Recommended Setup
For a cleaner live chat experience, set a display name such as:
- Maria
- Support Team
- John from Sales
This name is used in takeover notices and admin reply labels.
Avatars
How Avatar Display Works
The Mobile App and takeover system rely on WordPress avatar functions.
That means avatar output can come from:
- Gravatar
- A local avatar plugin that integrates with WordPress avatar APIs
- A fallback initial when no avatar is available
Gravatar Support
If the WordPress user has a Gravatar configured for their account email, it can be displayed automatically.
Local Avatar Support
If your site uses a local avatar plugin that hooks into WordPress avatar output, that avatar can also appear in the Mobile App and takeover interface.
Fallback Behavior
If no avatar is available, WPiko falls back to a simple initial-based avatar so the live chat interface still shows a clear human identity.
Troubleshooting Sign-In
“Authentication failed” Message
Check the following:
- Use the WordPress username, not the email address
- Use an Application Password, not the normal WordPress password
- Confirm the account is Administrator or WPiko Agent
- Confirm the Mobile App feature is enabled
- Confirm the Pro license is active
“Access denied” Message
This usually means the account signed in successfully but does not have the required Mobile App permissions.