Exploring All Aspects of WordPress Application Passwords

WordPress application passwords enable connecting third-party services to the website when authenticating REST API requests. Apart from permitting other applications to access the website, this feature can support protecting data. It prevents malicious actors and hackers from changing the site’s core information.

However, the application passwords remain the risk of a security breach to the website system. Specifically, it lacks control and flexibility when managing the access data.

This article will cover all the benefits and limitations of WordPress application passwords. Additionally, we’ll mention the top recommended plugins to consolidate the level of security authentication.

Benefits of WordPress Application Passwords

The application password has solved the issues of authenticating the API requests. Before the appearance of this system in WordPress 5.6, the API-request authentication process was so inconvenient. It requires the work of Cookie & None-based authentication. This approach seems unreliable due to the risks of being attacked by malicious sites and hackers.

The application password allows other applications to connect better to the website regarding good traction on temporary tokens, revocable and real credentials. As a comprehensive solution for authenticating third-party services, this feature proves its superior advantages with various following benefits:

  • Easy-to-request API credentials: Users can generate a password to allow the access request of a specific application. By specifying the app’s names and approving or rejecting the URLs, you can permit an application to pass the protocol or not.
  • Easy-to-revoke credentials: Applying this feature facilitates revoking individual and wholesale passwords. Moreover, you can better track down unauthorized credentials through the created date and last IP.
  • Interactive login security: The application password enables a more interactive flow to authenticate without directly using credentials. Specifically, you can allow security features such as reCAPTCHA and Two Factor to protect your user accounts.

Risks of WordPress Application Passwords

Despite having various benefits, the application password remains several issues regarding security barriers. Indeed, it’s a common opinion that you should disable this feature to prevent attacks from malicious sites and hackers.

Is it necessary to disable the WordPress application passwords? Let’s explore the following issues to make the right answer:

  • You are unable to protect the website from brute-force attacks. A website that requires user authentication is on the verge of being penetrated by a brute-force attack. By testing all ways to combine letters, numbers, and symbols, brute-force attacks cause security risks regarding stealing important data.
  • It’s difficult to control a specific user role’s password, whether enabling or disabling it.
  • Application passwords can access the website APIs with interactive user passwords.
  • It’s hard to control password usage due to the lack of logging.

How to Generate WordPress Application Passwords

You can easily generate an application password through the administrator dashboard with the Paid Membership Pro plugin. Here are the complete guides for this process:

  1. Use an administrator account to sign in to the WordPress site.
  2. Choose Users > Profile.
  3. Come to the Application Passwords heading.


4. In the New Application Password Name field, fill in an appropriately descriptive name. This field allows for internal use with the benefits of identifying the application password’s connecting location.

5. Create your password by clicking Add New Location Password. Before generating the password, you should follow these recommended notes:

  • Due to no feasibility of retrieving the password after exiting the screen, you must copy and paste it immediately to a secured place.
  • You can generate unlimited numbers of application passwords for a user account.
  • You should generate a password for each third-party connected application to control access easily. Specifically, you can disable and delete whenever you want to cancel a third-party application service.


6. Authenticate the third-party services accessing your website through REST-API with the generated passwords.

How to Disable WordPress Application Passwords

As mentioned above, the WordPress application remains various potential security risks regarding changing and stealing important data. Therefore, if you don’t need APIs to grant permission for third-party applications and services, you should disable application passwords.

Commonly, professional security plugins, such as Astra Security, WebARX, or Wordfence, support disabling this feature automatically. If you want to enable the application passwords, just deactivate the plugin.

Still, having various plugins on your WordPress website might slow down the performance. If you don’t like to use plugins, disable the application passwords manually according to the following instructions. Specifically, you need to add this code to the functions.php to disable this feature:

add_filter( 'wp_is_application_passwords_available', '__return_false' );

Apart from that, you can grant permission for suitable users to use the application passwords. The following code will allow you to enable only administrators to use this feature:

function my_prefix_customize_app_password_availability(
) {
if ( ! user_can( $user, 'manage_options' ) ) {
$available = false;

return $available;


Top WordPress Security Plugins

#1 Disable Application Password


Disable Application Password is an easy-to-use plugin with no complicated setting requirements. Specifically, you simply need to use one code line to activate and deactivate the password.

This plugin is free with strong data security. In detail, it doesn’t affect user privacy due to no connection to any third-party locations and no cookies created.

#2 WP Cerber Security


WP Cerber Security offers a professional solution for protecting security barriers from potential risks. It minimizes the risks of leaking system data with a delicate algorithm to detect traffic anomalies and malicious codes.

Apart from protecting websites from code injection and brute-force attacks, it can restrict access through REST API and GEO. Plus, the plugin also provides various advanced features such as mitigating spam and viruses.

You can possess all the wonderful features of this plugin at $29 quarterly and $99 yearly for a single website.

#3 WordFence


The WordFence plugin leads the market in enhancing security barriers through various advanced features. Particularly, this plugin supports websites in managing login security, malware scan, two-factor authentication, and other related aspects.

This premium plugin has successfully prevented over 11 million attacks and over 55 thousand malicious IPs. You can quickly become familiar with the plugin through numerous informative blogs when accessing the origin website.

WordFence offers three different pricing plans. Specifically, it will cost you $99, $490, and $950 for the Premium, Care, and Response bundles.

#4 WP Fail2ban


WP Fail2ban provides a simple-optimized solution with one feature to prevent brute-force attacks. Compared to other alternatives, this plugin aggregates all login attempts to decide whether to ban soft or hard.

Besides, you can customize configurations by adding more rules. Moreover, this free plugin enables more advanced features such as login attempt filtering, multisite support, and Cloudfare’s configuration tool.

#5 miniOrange’s Google Authenticator


miniOrange’s Google Authenticator helps websites avoid being attacked by providing the authenticating system with a second layer. Specifically, it offers various authentication forms such as push notifications, security questions, or QR codes.

Apart from choosing the authentication type, you can control the access permission for specific user roles.

About the pricing plans, the miniOrange offers three bundles. $99/year for the Premium Lite, $199/year for the Premium, and at least $59 for the Entrepreneur.

#6 Shield Security


Shield Security guarantees a high level of protection with comprehensive features. When it comes to the development of defend-and-protect functions, this plugin has proven its benefits in different ways. It helps you avoid all potential security risks such as brute-force attacks, malware injection, and other complicated cases.

Along with valuable data gathered by CrowdSec, this plugin utilizes the network power to decide on more intelligent security solutions.

With all the mentioned features, Shield Security offers three pricing plans. $6.58/month for the ShieldPro, $24.92/month for the ShieldPro Agency, and $59/year for Shield Support.

It’s All about WordPress Application Passwords!

WordPress application passwords result in both practical benefits and limitations to the security barriers. Depending on your requirement to connect websites to third-party applications, you can decide whether to enable/disable them flexibly.

You can activate and deactivate the application password through manual code or plugins. With all the mentioned guides and recommended plugins, you surely can control the use of this feature without obstacles.

Do you find this article helpful? Is there any plugin that we should consider? Please express your thoughts in the comment section below!