WordPress Application Passwords: Do You Need Them?

WordPress 5.6 quietly added a new feature to every user’s profile page: Application Passwords. Scroll down to the bottom of Users → Your Profile, and you’ll see a section for generating passwords that external applications can use to authenticate with the REST API.

For most WordPress site owners — especially those running standard business sites, blogs, or WooCommerce stores — this feature goes completely unused. But it’s there, active, adding another authentication mechanism that attackers can potentially target.

If you’re not using it, there’s no reason to keep it enabled.

What are Application Passwords?

Application Passwords were introduced in WordPress 5.6 as a way to authenticate external applications with the WordPress REST API. Instead of using your main login password (which would be a security disaster), you generate a separate password specifically for each application.

Use cases include: mobile apps accessing your site, external services posting content via the API, automated publishing tools, and developer integrations.

Each application password is tied to a specific user account and can be revoked individually. They work with HTTP Basic Authentication — the application sends the username and application password with each API request.

Why should you care?

It’s an authentication vector you might not need. If you’re not using external applications that connect to your WordPress REST API, Application Passwords are an unused feature that adds potential risk. The principle of least privilege says: disable what you don’t use.

Each password is a potential target. Application Passwords bypass two-factor authentication: the REST API checks only the username and the application password, so a second factor configured for the login form is never requested. If you’ve set up 2FA on your admin account, application passwords provide an alternative entry point that doesn’t require it. An attacker who obtains an application password has direct API access with that user’s capabilities.

Users might generate them carelessly. On multi-user sites, any user can generate application passwords from their profile. They might not understand the security implications, generate passwords for testing and forget to revoke them, or share them insecurely.

They don’t expire. Application Passwords have no built-in expiration. Once generated, they remain valid until manually revoked. Forgotten application passwords sitting in user profiles are a latent security risk.

Brute force is possible. Application passwords are long (24 characters), so guessing one outright is impractical, but the authentication endpoint still accepts and processes every attempt. Combined with a known username (from author enumeration), it’s another surface for automated attacks.
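Before deciding whether to disable the feature, a site owner usually wants to know what application passwords already exist, who owns them and when they were last used, since the post notes above that they never expire and are easily forgotten. The following must-use plugin is an added example, not code from the original post or from OvKit: it lists every application password on the site with owner, creation date, last use and last IP, and can revoke the ones idle longer than a chosen number of days. It uses only core's WP_Application_Passwords class and WP-CLI; the example_ function names, the plugin header, the app-passwords command name and the 90-day default are assumptions.

```php
<?php
/**
 * Plugin Name: Example Application Password Audit (added example, not OvKit code)
 *
 * Lists every application password on the site with its owner, creation
 * date and last use, and optionally revokes the ones that have been idle
 * for more than a configurable number of days. Drop into wp-content/mu-plugins/.
 */

// Return one row per application password across all users.
// age_days is days since last use, or since creation if the password was never used.
function example_collect_application_passwords() {
    $rows  = array();
    $users = get_users( array(
        'meta_key'     => WP_Application_Passwords::USERMETA_KEY_APPLICATION_PASSWORDS,
        'meta_compare' => 'EXISTS',
    ) );

    foreach ( $users as $user ) {
        foreach ( WP_Application_Passwords::get_user_application_passwords( $user->ID ) as $item ) {
            $last_used = ! empty( $item['last_used'] ) ? (int) $item['last_used'] : null;
            $anchor    = $last_used ?? (int) $item['created'];
            $rows[]    = array(
                'user_id'    => $user->ID,
                'user_login' => $user->user_login,
                'uuid'       => $item['uuid'],
                'name'       => $item['name'],
                'created'    => gmdate( 'Y-m-d', (int) $item['created'] ),
                'last_used'  => $last_used ? gmdate( 'Y-m-d', $last_used ) : 'never',
                'last_ip'    => $item['last_ip'] ?? '',
                'age_days'   => (int) floor( ( time() - $anchor ) / DAY_IN_SECONDS ),
            );
        }
    }
    return $rows;
}

// Revoke every application password idle for more than $max_age_days.
// Returns the rows that were (or, with $dry_run = true, would be) revoked.
function example_revoke_stale_application_passwords( $max_age_days = 90, $dry_run = true ) {
    $revoked = array();
    foreach ( example_collect_application_passwords() as $row ) {
        if ( $row['age_days'] <= $max_age_days ) {
            continue;
        }
        if ( ! $dry_run ) {
            $result = WP_Application_Passwords::delete_application_password( $row['user_id'], $row['uuid'] );
            if ( is_wp_error( $result ) ) {
                continue; // leave the row out of the report if core refused to delete it
            }
        }
        $revoked[] = $row;
    }
    return $revoked;
}

// WP-CLI front end (assumed command name):
//   wp app-passwords audit                        lists everything
//   wp app-passwords audit --revoke-older-than=90 also revokes idle passwords
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'app-passwords audit', function ( $args, $assoc_args ) {
        $fields = array( 'user_login', 'name', 'created', 'last_used', 'last_ip', 'age_days' );
        WP_CLI\Utils\format_items( 'table', example_collect_application_passwords(), $fields );
        if ( isset( $assoc_args['revoke-older-than'] ) ) {
            $revoked = example_revoke_stale_application_passwords( (int) $assoc_args['revoke-older-than'], false );
            WP_CLI::success( count( $revoked ) . ' stale application password(s) revoked.' );
        }
    } );
}
```

Run the listing first and check the names and last-used dates with the people who created them; a password that was never used and is months old is almost always safe to revoke, while one used last week belongs to a live integration.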

The quick fix

// Disable Application Passwords
add_filter( 'wp_is_application_passwords_available', '__return_false' );

One line, placed in a must-use plugin (wp-content/mu-plugins/) or your theme’s functions.php. The Application Passwords section disappears from all user profiles, and the authentication mechanism is disabled at the API level. Existing application passwords stop working immediately.

If you want to disable it only for specific roles (like subscribers and editors) while keeping it for administrators:

// Disable Application Passwords for non-admin users
add_filter( 'wp_is_application_passwords_available_for_user', function( $available, $user ) {
    return user_can( $user, 'manage_options' );
}, 10, 2 );
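If administrators genuinely need the feature, two of the concerns raised earlier are not addressed by the role filter: application passwords never expire, and nothing watches failed attempts against the endpoint. The following must-use plugin is an added example, not code from the original post or from OvKit. It uses two core hooks: wp_authenticate_application_password_errors, which core fires after the supplied secret has matched a stored hash and lets a callback add an error that rejects the login, and application_password_failed_authentication, which core fires on every failed application-password authentication. The example_ names, the plugin header and the 90-day limit are assumptions.

```php
<?php
/**
 * Plugin Name: Example Application Password Hardening (added example, not OvKit code)
 *
 * For sites that must keep Application Passwords enabled: rejects passwords
 * older than a configurable age and logs every failed application-password
 * authentication for monitoring. Drop into wp-content/mu-plugins/.
 */

// Maximum accepted age for an application password, in days (assumed policy value).
const EXAMPLE_APP_PASSWORD_MAX_AGE_DAYS = 90;

// True when the stored application password item is older than $max_days.
// $item is the array WordPress stores per password; 'created' is a Unix timestamp.
function example_app_password_expired( array $item, $max_days = EXAMPLE_APP_PASSWORD_MAX_AGE_DAYS, $now = null ) {
    $now = $now ?? time();
    return ( $now - (int) $item['created'] ) > $max_days * DAY_IN_SECONDS;
}

// Core fires this action once the supplied secret matched a stored hash but
// before the request is authenticated; adding an error here rejects the login.
add_action( 'wp_authenticate_application_password_errors', function ( WP_Error $error, WP_User $user, array $item ) {
    if ( example_app_password_expired( $item ) ) {
        $error->add(
            'example_application_password_expired',
            sprintf(
                'Application password "%s" is older than %d days; revoke it and create a new one.',
                $item['name'],
                EXAMPLE_APP_PASSWORD_MAX_AGE_DAYS
            )
        );
    }
}, 10, 3 );

// Core fires this action whenever application-password authentication fails
// (wrong secret, feature disabled for the user, or an error added above).
// One line per failure lets a log monitor alert on repeated attempts from one address.
add_action( 'application_password_failed_authentication', function ( WP_Error $error ) {
    $user = isset( $_SERVER['PHP_AUTH_USER'] ) ? sanitize_user( wp_unslash( $_SERVER['PHP_AUTH_USER'] ) ) : '';
    // REMOTE_ADDR is the TCP peer; behind a reverse proxy it is the proxy's address,
    // so resolve the real client address from your proxy's trusted header instead.
    $ip   = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log( sprintf(
        'application-password auth failed: user=%s ip=%s code=%s uri=%s',
        $user,
        $ip,
        $error->get_error_code(),
        $_SERVER['REQUEST_URI'] ?? ''
    ) );
} );
```

The expiry check keys off the password’s creation time rather than deleting anything, so an expired password simply stops authenticating and shows up in the failure log with its own error code until the user revokes and replaces it; the log line format is stable enough to feed into a rate-limiting tool or SIEM rule keyed on the ip field.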

The one-click solution

OvKit includes Disable Application Passwords under Features → Security. One toggle disables the feature globally. Clean, reversible, no code.

What happens after you fix this?

  • Application Passwords section disappears from user profile pages
  • REST API Basic Authentication via application passwords is disabled — that entry point is closed
  • 2FA can’t be bypassed via application passwords
  • Users can’t accidentally generate and forget about active credentials
  • Zero impact on normal WordPress operations — login, admin, and Gutenberg work exactly as before

FAQ

How do I know if I’m using Application Passwords?

Go to Users → Your Profile and scroll to the Application Passwords section. If there are any passwords listed there, an application is (or was) using them. Check with your team before disabling. If the section is empty and you don’t use external apps to manage your WordPress site, you’re safe to disable.

Will this break the WordPress mobile app?

The official WordPress mobile app can use different authentication methods. If you use it with Application Passwords, yes — it would stop working. Most WordPress mobile app users connect through Jetpack or XML-RPC instead. If you do use the mobile app, test before disabling.

What if I need Application Passwords later?

Re-enabling is instant. Remove the filter (or toggle off in OvKit), and the feature returns. No data is lost — though previously generated passwords would have been invalidated and would need to be recreated.

