I was connecting my Koala account to my WordPress website the other day, and I needed an application password to do this, so I thought I would write a guide and share it with you.
Application passwords are essential if you want to access your WordPress website securely through a third-party app.
These passwords protect sensitive data and site functionality, even when external applications connect to your website. Incorporating an application password into your WordPress site is a simple process that can significantly increase your site’s security.
- Application passwords enhance security for WordPress sites by protecting sensitive data and site functions
- Creating and managing application passwords is crucial for website administrators and users
- Integrating application passwords enables limited access for third-party applications without sharing primary login credentials
Understanding Application Passwords in WordPress
Understanding how to create and manage application passwords is crucial for website administrators and users, regardless of user roles.
By setting up an application password, you grant third-party applications limited access to your website without giving them your primary login credentials. This added layer of security helps maintain the integrity of your WordPress website and helps you control access privileges for various applications and users.
WordPress 5.6 and Native Support
Starting from version 5.6, WordPress introduced native support for application passwords.
Application passwords are unique and serve only a single purpose, making managing, revoking, or checking their usage easier.
They are 24 characters long and generated without special characters, consisting of upper-case, lower-case, and numeric characters.
Security and Use Cases
Application passwords provide an extra layer of security by allowing you to create separate passwords for different apps or services, preventing unauthorised access to your site. This means you can grant access to a specific service without sharing your usual WordPress login credentials.
Some common use cases for application passwords include:
- Authenticating external apps that integrate with your WordPress site via REST API requests.
- Providing access to your WordPress website for mobile apps.
- Allowing service providers to connect to your WordPress website without compromising your primary password.
With your application password generated, you can use it alongside your username (email address) to authenticate the app or service connecting to your WordPress site.
Remember to keep your application passwords safe and secure. Revoke access immediately if you suspect any suspicious activity or whenever you no longer need the app or service connected to your site.
Creating an Application Password
Now it’s time to create an application password for the third-party services you want to give access to through the REST API endpoint.
It all sounds technical, but you don’t have to worry about the REST API Endpoint. The third-party services take care of that. You just need to go through the authentication method to create an application password.
Generating Application Passwords in the Dashboard
To create an application password in WordPress, you must first go to your WordPress dashboard. You’ll generally find this by navigating to your WordPress website’s URL, followed by /wp-admin. Once logged in, head to the Users menu and select your user profile.
To create an application password, follow these steps:
- Log in to your WordPress dashboard.
- Go to Users > Your Profile (or the user’s profile for whom you’re creating the password).
- Scroll down to the Application Passwords section.
- Enter a descriptive name for the app or service requiring the password, and click Add New.
- WordPress will generate a unique 24-character password. Note this password, as it will not be displayed again.
And that’s it. Now you can use this as your user authentication method with third-party applications.
Pro-tip: Do not store your application-specific passwords anywhere. Create new app passwords for each new third-party application.
Using REST API
If the third-party application requires that you authenticate your application password via the REST API or you want to test it out, then here is how you do it.
A few steps need to be taken to authenticate your app with the REST API. First, ensure that the WordPress REST API is enabled on your website. Then send a request with the fetch() function as follows:
// example.com is a placeholder for your own site's address
fetch('https://example.com/wp-json/wp/v2/users/me', {
  headers: { 'Authorization': 'Basic ' + btoa('username:application_password') }
})
  .then(response => response.json())
  .then(data => console.log(data))
  .catch(error => console.error(error));
Replace ‘username’ and ‘application_password’ with your respective WordPress username and the generated application password. This code snippet sends a request to the WordPress REST API using Basic Authentication.
Remember to follow best practices when storing and using your application password to maintain security. Keeping your app_id unique helps to differentiate and manage multiple application passwords.
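As an added example (not code from the original guide), the helper below builds the same Basic header more defensively: it strips the spaces WordPress shows between the password's character groups, checks the 24-character alphanumeric shape described earlier, and refuses plain-HTTP URLs, because Basic authentication only base64-encodes the credentials. The function names, site URL, and credentials are hypothetical placeholders, and the code assumes WordPress is installed at the site root.

```javascript
// Added example: hypothetical helper names; site URL and credentials are placeholders.

// WordPress displays a new application password in space-separated groups;
// strip whitespace and check the 24-character alphanumeric shape.
function normalizeAppPassword(raw) {
  const compact = raw.replace(/\s+/g, '');
  if (!/^[A-Za-z0-9]{24}$/.test(compact)) {
    throw new Error('Not a 24-character alphanumeric application password');
  }
  return compact;
}

// Basic auth is only base64-encoded, so refuse to build a request for plain HTTP.
// Assumption: WordPress is installed at the root of siteUrl.
function buildAuthRequest(siteUrl, username, rawPassword) {
  const url = new URL('/wp-json/wp/v2/users/me', siteUrl);
  if (url.protocol !== 'https:') {
    throw new Error('Refusing to send credentials over ' + url.protocol);
  }
  const token = btoa(username + ':' + normalizeAppPassword(rawPassword));
  return { url: url.href, headers: { Authorization: 'Basic ' + token } };
}

// Returns the authenticated user's record, or throws if the password is rejected.
async function whoAmI(siteUrl, username, rawPassword) {
  const { url, headers } = buildAuthRequest(siteUrl, username, rawPassword);
  const response = await fetch(url, { headers });
  if (!response.ok) {
    throw new Error('Authentication failed with HTTP ' + response.status);
  }
  return response.json();
}
```

A 401 response from whoAmI() after a password has been revoked is the expected result and a quick way to confirm the revocation took effect.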
Managing Application Passwords
Application passwords were introduced in WordPress 5.6 to provide a more secure way for users and applications to access APIs. This allows you to manage separate passwords for your website APIs like the REST API. To manage your application passwords, you must access your WordPress profile settings.
Revoke WordPress Application Passwords
You can’t update your WordPress application passwords. Once one is generated, you can only create a new application password or revoke an existing one if you suspect anything.
To revoke an existing application password, follow these steps:
- Log in to your WordPress website using your
- Navigate to your profile settings by clicking on your profile icon, usually in the admin dashboard’s top right corner.
- In your profile’s security settings, locate the section for application passwords.
- Find the password you want to revoke in the list of application passwords.
- To revoke an application password, click on the “Revoke” button next to it.
Revoked application passwords will no longer be valid for accessing your WordPress APIs, so ensure you adapt any connected applications accordingly.
Retrieving a List of Application Passwords
To see all your application passwords, follow these steps:
- Log in to your WordPress website using your
- Access your profile settings by clicking on your profile icon.
- Navigate to the security settings of your profile.
- In the application passwords section, you will find a list of all your application passwords, with their descriptions and the date they were last used.
It’s essential to regularly review your application passwords to ensure they remain secure and up-to-date. Do not hesitate to revoke access to an application if it no longer needs it or if you have security concerns.
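The regular review described above can also be scripted. This added example (not part of the original guide) goes a step beyond the dashboard steps: it uses the application-passwords REST routes that WordPress core has provided since 5.6 to list a user's passwords and revoke any that have sat idle too long. The helper names, the idle threshold, and the sample records are constructed for illustration, and timestamps without an offset are assumed to be UTC.

```javascript
// Added example: helper names and sample records are constructed for illustration.
const API = '/wp-json/wp/v2/users/me/application-passwords';

// Assumption: timestamps without a UTC offset are treated as UTC.
function parseUtc(stamp) {
  return new Date(/(Z|[+-]\d\d:\d\d)$/.test(stamp) ? stamp : stamp + 'Z');
}

// Return passwords idle for more than maxIdleDays; a never-used password
// is measured from its creation date.
function findStalePasswords(records, now, maxIdleDays) {
  const cutoff = now.getTime() - maxIdleDays * 24 * 60 * 60 * 1000;
  return records.filter(r => parseUtc(r.last_used || r.created).getTime() < cutoff);
}

// List, then revoke, stale passwords. authHeader is a 'Basic ...' header value.
async function revokeStale(siteUrl, authHeader, maxIdleDays) {
  const headers = { Authorization: authHeader };
  const listing = await fetch(new URL(API, siteUrl), { headers });
  if (!listing.ok) throw new Error('Listing failed: HTTP ' + listing.status);
  const stale = findStalePasswords(await listing.json(), new Date(), maxIdleDays);
  for (const record of stale) {
    const target = new URL(API + '/' + encodeURIComponent(record.uuid), siteUrl);
    const res = await fetch(target, { method: 'DELETE', headers });
    if (!res.ok) throw new Error('Revoke failed for ' + record.name);
  }
  return stale.map(r => r.name);
}

// Constructed sample in the shape of the listing (not real data).
const SAMPLE = [
  { uuid: '00000000-0000-4000-8000-000000000001', name: 'Koala',
    created: '2024-01-10T09:00:00', last_used: '2024-06-01T12:00:00' },
  { uuid: '00000000-0000-4000-8000-000000000002', name: 'Old mobile app',
    created: '2023-02-01T08:00:00', last_used: '2023-03-15T08:00:00' },
  { uuid: '00000000-0000-4000-8000-000000000003', name: 'Never used',
    created: '2023-11-20T08:00:00', last_used: null },
];
```

Run findStalePasswords() on its own first to see what would be revoked before calling revokeStale() against a live site.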