Application passwords in WordPress provide a secure way to connect third-party apps and services to your site without exposing your main login credentials. They allow tools such as publishing assistants, automation platforms, or mobile apps to interact with WordPress using unique credentials tied to a user profile. While the feature is available by default in WordPress 5.6 and later, some setups may require additional steps or plugins to enable it.
Key Takeaway:
Application passwords in WordPress allow secure connections between your site and third-party apps through the REST API. If the option is missing, ensure your site runs WordPress 5.6 or higher, the REST API is enabled, and consider using plugins like Application Passwords Manager or WP Application Passwords to restore the feature.
What Are Application Passwords in WordPress?
Application passwords are a type of authentication method that allows external applications to connect to your WordPress site through the REST API. Unlike your regular login details, these passwords are generated for specific apps and can be revoked at any time without affecting your main account.
This means you don’t have to share your personal username and password with every tool that integrates with WordPress. Instead, you create an application password, assign it to the app, and manage it independently. For example, content automation software or external publishing apps can use an application password to post articles directly to your site without needing your primary credentials.
Prerequisites Before Enabling
Before enabling application passwords, make sure the following conditions are met:
- Your WordPress version is 5.6 or higher.
- The REST API is enabled on your site.
- Your account has sufficient permissions (Administrator or Editor).
- No security plugin or server setting is blocking REST API requests.
If these conditions are not met, the application passwords section will not appear in your user profile. You can find more details in WordPress’s official documentation.
Enabling Application Passwords by Default
If your site meets the prerequisites, you can generate an application password directly from the WordPress dashboard. Navigate to Users → Profile and scroll to the Application Passwords section. Assign a descriptive name for the app you are connecting to, then select Add New Application Password.
WordPress will display a randomly generated password only once. Copy it and store it securely, because it cannot be retrieved again. The password is then entered into the external application when prompted for WordPress authentication. From that point on, the app can interact with your site through the REST API without using your main credentials.
What to Do If Application Passwords Are Missing
Sometimes, the option does not appear even if you are on WordPress 5.6 or higher. This can happen for several reasons:
- The REST API has been disabled by a plugin or server configuration.
- Your hosting environment restricts application passwords by default.
- The user role does not have sufficient permissions.
In these cases, plugins can restore or enhance the feature. Examples include:
- Application Passwords Manager: provides administrators with full control to create, revoke, and monitor passwords.
- WP Application Passwords: a lightweight option that re-enables the feature if it is missing on your setup.
Installing and activating one of these plugins ensures the option appears in your profile, allowing you to generate passwords for third-party integrations.
Managing and Revoking Application Passwords
Each password should be labeled according to the app it belongs to. Clear naming helps track which applications are currently connected and prevents confusion when revoking access. If you stop using an app, delete its password immediately from your profile. Revoking access in this way does not affect your other integrations or your primary login credentials.
Security Best Practices
Application passwords should be treated with the same level of care as API keys. They grant direct access to your WordPress site, so secure handling is essential.
- Store them in a password manager rather than unsecured documents.
- Only create them for trusted applications that genuinely need access.
- Restrict generation of passwords to roles with appropriate permissions.
- Audit active passwords regularly and revoke any that are no longer needed.
Following these practices keeps integrations secure while minimizing risk.
Troubleshooting Common Issues
If application passwords still do not appear or function correctly, check for these common problems:
- User role restrictions: only Administrators and Editors can generate passwords.
- Security plugin conflicts: some plugins block REST API requests for security purposes. Adjusting their settings may be necessary.
- REST API disabled site-wide: plugins or server rules that disable the REST API can break integrations and cause compatibility problems. Re-enabling it usually resolves the issue.
- Hosting restrictions: certain managed hosting providers disable or limit the REST API for security reasons. Contacting support may be required.
For further details and technical guidance, consult WordPress’s official support documentation.
Conclusion
Application passwords in WordPress offer a secure and flexible way to connect third-party apps, automation tools, and publishing platforms to your site. By generating unique credentials tied to your user profile, you can safely integrate external services without compromising your main login details.
If your site is running WordPress 5.6 or higher, the feature should be available by default. If it is missing, enabling it through a plugin ensures the same functionality. Managing passwords carefully, revoking them when no longer needed, and following security best practices ensures both convenience and strong protection. With proper setup, application passwords provide a straightforward and reliable method for WordPress authentication.
