WordPress Application Passwords are a built-in authentication method that lets external tools, scripts, and REST API clients connect to a WordPress site without using the account’s main login password.
The plain version
Your WordPress login password is the key to your front door. Application Passwords are separate keys — each one scoped to a specific tool or integration — that you can hand out and revoke individually without changing the front-door lock.
If a plugin or script uses an Application Password and that key is later leaked, you revoke it. Your main account stays intact. Without Application Passwords, a leaked credential means changing your password everywhere you use it — which is a much larger problem.
When they ship and where to find them
Application Passwords were added to WordPress core in version 5.6 (December 2020). They live in your WordPress admin under Users → Profile → Application Passwords. To generate one, give it a name (like “Content sync script” or “AIOS pipeline”) and copy the generated password immediately, because it is only shown once. Then store it in your environment variables or a secrets manager.
How authentication works
Application Passwords use HTTP Basic Authentication. The username is your WordPress username; the password is the generated Application Password (spaces optional — WordPress strips them). In a curl request:
curl -u "your_username:xxxx xxxx xxxx xxxx" \
  https://yoursite.com/wp-json/wp/v2/posts
Always use HTTPS. Sending credentials over HTTP exposes them in transit.
What they are not for
Application Passwords authenticate REST API requests. They do not work for wp-login.php (the standard WordPress login form) or for XML-RPC. If a plugin or integration requires XML-RPC credentials, that is a different authentication path — and a sign to reconsider whether the integration belongs on your site at all, since XML-RPC carries its own security risks.
Security practice
- Name each Application Password after the thing that uses it — so you can identify it when reviewing
- Revoke passwords when an integration is decommissioned
- Never share the generated password in a chat thread or email — use a secrets manager
- In code, read them from environment variables instead of hardcoding them in scripts
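The Basic Authentication and storage advice above, put together as an added Python example (not code from WordPress or from this page's author). The variable names WP_USER and WP_APP_PASSWORD and the host example.test are assumptions. It also adds a redirect guard, because Python's urllib keeps the Authorization header when it follows a redirect.

```python
import base64
import os
import urllib.request
from urllib.parse import urlsplit

# Assumed variable names; the page only says to use environment variables.
USER_VAR, PASS_VAR = "WP_USER", "WP_APP_PASSWORD"


def basic_auth_header(username, app_password):
    """Build the HTTP Basic Authorization value for an Application Password."""
    # The password is displayed in space-separated groups; drop the spaces here.
    secret = "".join(app_password.split())
    if not username or not secret:
        raise ValueError("username and application password are required")
    token = base64.b64encode(f"{username}:{secret}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_request(site_url, route, env=os.environ):
    """Return an unsent GET request for a REST route, refusing plain HTTP."""
    parts = urlsplit(site_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("site URL must start with https://")
    base = f"https://{parts.netloc}{parts.path.rstrip('/')}"
    req = urllib.request.Request(f"{base}/wp-json/{route.lstrip('/')}", method="GET")
    req.add_header("Authorization", basic_auth_header(env[USER_VAR], env[PASS_VAR]))
    return req


class SameOriginRedirects(urllib.request.HTTPRedirectHandler):
    """Refuse redirects that would carry the credential to another origin."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        old, new = urlsplit(req.full_url), urlsplit(newurl)
        if (new.scheme, new.netloc) != (old.scheme, old.netloc):
            return None  # not followed; urllib raises HTTPError instead
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(req, timeout=10):
    """Send the request with the redirect guard installed."""
    opener = urllib.request.build_opener(SameOriginRedirects)
    with opener.open(req, timeout=timeout) as resp:
        return resp.read()
```

Call `fetch(build_request("https://yoursite.com", "wp/v2/posts"))` with both variables set in the environment; nothing is sent until `fetch` runs.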
Application Passwords are the right way to give a script or external service write access to WordPress. Before they existed in core, plugins filled this gap with their own implementations — most of which are now unnecessary.