Getting Started with WordPress Application Passwords for Safe Integrations

Learn what WordPress Application Passwords are, when to use them, and how to set them up safely so third-party tools can access your site without sharing your main login password.

What Are WordPress Application Passwords and Why They Matter

WordPress Application Passwords let you create separate, revocable passwords for apps and services that need API access to your site (for example, Zapier, mobile apps, or deployment scripts). Instead of giving these tools your main login password, you generate a unique credential just for that integration, which you can disable at any time without affecting your own login.

These passwords are:

  • Tied to a specific WordPress user account.
  • Used for programmatic access (REST API, some XML-RPC), not for normal browser logins.
  • Stored hashed in the database and only shown once when created.
  • Individually revocable, so you can cut off one tool without changing others.

If you plan to connect your WordPress site to external services, learning to use Application Passwords is a safe, modern way to do it.

Before You Start: Requirements and Safety Basics

Before creating Application Passwords, confirm these basics:

  • Use HTTPS (SSL/TLS): Application Passwords are intended for secure, encrypted connections. Make sure your site loads over https:// and not http://.
  • Use strong primary passwords: Your main WordPress password should still follow modern guidance (long, unique, and not reused elsewhere). NIST’s digital identity guidelines emphasize strong, user-friendly authentication practices and regular credential management.
  • Limit admin accounts: Only trusted people should have Administrator access, since they can create Application Passwords for any user.
  • Know who owns each integration: Decide which user account each external tool should act as (for example, a dedicated “Integrations” user).

How to Create an Application Password in WordPress

Follow these steps using a desktop browser for the clearest view.

Step 1: Log in as the Correct User

  • Go to your WordPress login page (usually /wp-login.php).
  • Log in as the user that the integration should act as. For example, if a content automation tool will publish posts, log in as an Editor or Administrator created for that purpose.

Step 2: Open Your Profile

  • In the left admin menu, go to Users → Profile (or Users → All Users, then click Edit under the correct user).

Step 3: Find the “Application Passwords” Section

Scroll down the profile page until you see a section labeled Application Passwords. If your site is correctly configured and the feature is enabled, you should see:

  • A text field to name the new password (for example, “Zapier – Blog Automation”).
  • A button such as Add New Application Password or Create New Application Password.

Step 4: Generate and Store the Password

  1. Enter a clear, descriptive name for the integration (include the tool name and purpose).
  2. Click the button to generate the password.
  3. WordPress will display a long password, usually grouped with spaces for readability.
  4. Copy the password immediately and paste it into a secure password manager or directly into the external tool’s configuration. It will not be shown again after you leave or refresh the page.

Step 5: Connect the External Tool

Most tools that support WordPress Application Passwords will ask for:

  • Your site URL (for example, https://example.com).
  • Your WordPress username (login name).
  • The Application Password you just generated (without spaces, if the tool requires).

Follow that tool’s specific instructions to complete the connection.

What You Should See

After creating an Application Password and saving your profile:

  • The Application Passwords section will list each password by the name you gave it.
  • You may see additional details such as when it was created, last used, and the last IP address that used it.
  • The external tool should confirm a successful connection or be able to perform a test action (for example, fetching posts or creating a draft).

If the tool reports an authentication error, double-check that:

  • The username is correct.
  • The password was copied exactly (no extra spaces at the beginning or end).
  • Your site is accessible over HTTPS from the tool’s servers.
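
The three checks above can be scripted before handing the credential to a tool. The following is an added example, not part of the original article: it assumes the default /wp-json/ REST route is reachable, and the function names, the "integrations" user, and the sample password are hypothetical.

```python
import base64
import json
import urllib.request
from urllib.parse import urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # a 3xx becomes an HTTPError; the credential is not resent


def build_auth_check(site_url, username, app_password):
    """Return (endpoint, headers) for an authenticated "who am I" REST call."""
    parts = urlsplit(site_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        # Basic auth is only base64-encoded, so it must travel inside TLS.
        raise ValueError("site URL must start with https://")
    # WordPress displays the password in space-separated groups; drop all
    # whitespace, including stray spaces picked up by copy and paste.
    secret = "".join(app_password.split())
    user = username.strip()
    if not user or not secret:
        raise ValueError("username and application password are required")
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    base = f"https://{parts.netloc}{parts.path.rstrip('/')}"
    return f"{base}/wp-json/wp/v2/users/me", {"Authorization": f"Basic {token}"}


def check_connection(site_url, username, app_password, timeout=10):
    """Return the display name of the account WordPress authenticated."""
    endpoint, headers = build_auth_check(site_url, username, app_password)
    opener = urllib.request.build_opener(NoRedirect())
    request = urllib.request.Request(endpoint, headers=headers)
    # Raises urllib.error.HTTPError (401) if the username or password is wrong.
    with opener.open(request, timeout=timeout) as response:
        return json.load(response)["name"]


if __name__ == "__main__":
    # Constructed sample values; substitute your own site and credential.
    url, _ = build_auth_check(
        "https://example.com/", "integrations", " abcd EFGH 1234 ijkl "
    )
    print(url)
```

Calling check_connection() with real values returns the account's display name on success, which also confirms the integration is acting as the user you intended.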

How to Review, Revoke, and Rotate Application Passwords

Good security hygiene means treating Application Passwords like any other sensitive credential.

Review Existing Passwords

  • Go to Users → Profile for the relevant user.
  • In the Application Passwords section, review the list of active passwords.
  • Confirm that each one is still needed and clearly named.

Revoke Access for a Single Integration

If you stop using a tool or suspect its credentials may be compromised:

  1. Find the corresponding Application Password entry by name.
  2. Click the Revoke or Delete link next to it.
  3. The external tool will immediately lose access and will fail on its next request.

Rotate Credentials Periodically

Modern security guidance recommends rotating long-lived credentials on a schedule and after any suspected incident. A simple rotation process:

  1. Create a new Application Password for the same tool.
  2. Update the tool’s configuration to use the new password.
  3. Confirm it works.
  4. Revoke the old Application Password.
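
The review and rotation steps above can be backed by a small audit of the same details the profile page shows (name, created, last used). This is an added example, not part of the original article: the listing is constructed sample data shaped like the response of WordPress's `/wp-json/wp/v2/users/me/application-passwords` endpoint, and the 90-day idle and 365-day age thresholds are assumptions to adjust to your own policy.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample listing (not real data); UUIDs and IPs are placeholders.
SAMPLE_LISTING = json.loads("""
[
  {"uuid": "00000000-0000-4000-8000-000000000001",
   "name": "Zapier - Blog Automation", "created": "2024-01-10T09:00:00",
   "last_used": "2024-06-01T08:30:00", "last_ip": "203.0.113.10"},
  {"uuid": "00000000-0000-4000-8000-000000000002",
   "name": "Deploy script", "created": "2023-02-01T12:00:00",
   "last_used": "2023-03-15T12:00:00", "last_ip": "198.51.100.7"},
  {"uuid": "00000000-0000-4000-8000-000000000003",
   "name": "Mobile app", "created": "2024-05-20T10:00:00",
   "last_used": null, "last_ip": null}
]
""")


def _utc(stamp):
    # Assumption: timestamps are ISO 8601 in UTC, as in the sample above.
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def review_passwords(listing, now, max_idle_days=90, max_age_days=365):
    """Return {name: [reasons]} for entries that deserve a closer look."""
    findings = {}
    for entry in listing:
        reasons = []
        if entry.get("last_used") is None:
            reasons.append("never used")  # created but never connected
        elif now - _utc(entry["last_used"]) > timedelta(days=max_idle_days):
            reasons.append("idle")  # candidate for revocation
        if now - _utc(entry["created"]) > timedelta(days=max_age_days):
            reasons.append("due for rotation")  # long-lived credential
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    today = datetime(2024, 6, 15, tzinfo=timezone.utc)  # fixed for the sample
    for name, reasons in review_passwords(SAMPLE_LISTING, today).items():
        print(f"{name}: {', '.join(reasons)}")
```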

Troubleshooting: When the Application Passwords Section Is Missing

If you don’t see the Application Passwords section on the user profile page, check the following common causes:

1. Site Not Using HTTPS

On many setups, Application Passwords are only available when the site is served over HTTPS. If your site is still using plain HTTP, the section may be hidden entirely.

Ask your host or technical partner to:

  • Install an SSL certificate.
  • Force all traffic to use https://.
  • Update any hard-coded http:// URLs if necessary.

2. Security Plugin Has Disabled Application Passwords

Some security plugins include an option to disable Application Passwords entirely. For example, Wordfence exposes a setting under its options to turn them off for sites that don’t use them.

If you use a security plugin:

  • Open the plugin’s settings page.
  • Look for options mentioning “Application Passwords” or “REST API authentication.”
  • Ensure the feature is enabled or not explicitly disabled.

3. Server-Level Basic Authentication on /wp-admin

If your hosting provider or developer has added an extra username/password prompt to protect /wp-admin (often called HTTP Basic Authentication), WordPress Application Passwords may be disabled or incompatible.

In that case, talk to your host or developer about either:

  • Removing the extra Basic Auth layer, or
  • Using a different integration method that doesn’t rely on Application Passwords.

Practical Best Practices for Non-Technical Site Owners

You don’t need to be a developer to manage Application Passwords safely. Use these simple rules:

  • One integration, one password: Don’t reuse the same Application Password across multiple tools.
  • Name clearly: Include the tool name and purpose in the label so you can recognize it later.
  • Revoke when in doubt: If you’re not sure whether something is still needed, revoke it. You can always create a new one.
  • Pair with good access control: Combine Application Passwords with appropriate WordPress roles and capabilities so each integration only has the access it truly needs.

Handled this way, Application Passwords give you a safer, more controlled way to let trusted tools work with your WordPress site—without ever sharing your main login password.
