Disable Application Passwords

WordPress 5.6 introduced Application Passwords — a way to generate unique passwords for external apps to access your site via the REST API. It’s useful for integrations, but it’s also another authentication method attackers can target. If you’re not using it, why leave the door open? This module closes it.

Use Cases

  • Remove an unused authentication method from your site
  • Reduce attack surface by eliminating app password endpoints
  • Enforce all authentication through your standard login system
  • Prevent users from creating API credentials you can’t easily audit
  • Simplify security by having one authentication path to monitor

How It Works

This is a toggle module — enable it and Application Passwords are disabled. No configuration needed.

When enabled:

  • The Application Passwords section disappears from user profiles
  • Existing application passwords stop working
  • The REST API endpoint for app passwords is disabled
  • No new application passwords can be created

What Are Application Passwords?

Application Passwords let you create unique passwords for external apps to use with the REST API. Instead of using your main password, you generate a separate password for each app.

Without this module:

  • Users see an “Application Passwords” section on their profile page
  • They can generate passwords like xxxx xxxx xxxx xxxx xxxx xxxx
  • External apps use these to authenticate API requests

With this module:

  • Application Passwords section is removed
  • Generation endpoints are disabled
  • Existing app passwords become invalid

Where Application Passwords Appear

In a normal WordPress installation:

  1. User Profile (Users → Profile)
    • “Application Passwords” section at bottom
    • Form to generate new passwords
    • List of existing passwords with revoke buttons
  2. REST API
    • Endpoint for creating passwords
    • Authentication using app passwords

This module removes both the UI and the functionality.

Who Uses Application Passwords?

Legitimate uses:

  • Mobile apps connecting to your site
  • Third-party services (Zapier, IFTTT)
  • Custom integrations via REST API
  • Automated publishing tools

If you don’t use any of these, Application Passwords are just unnecessary attack surface.

Verification

After enabling:

  1. Go to Users → Profile (your profile)
  2. Scroll to the bottom
  3. The “Application Passwords” section should be gone

If you previously created application passwords, they will no longer work for authentication.
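
The profile check confirms only that the UI is gone. As an added example (not part of this plugin or its documentation), the script below reads the site's REST API index, where WordPress core lists Application Passwords under `authentication` when the feature is available. It assumes the module turns the feature off through core's availability check; the sample responses are constructed.

```python
import json
import sys
import urllib.request

# Constructed, trimmed REST index responses (not captured from a real site).
SAMPLE_ENABLED = json.loads("""{
  "name": "Example Site",
  "authentication": {
    "application-passwords": {
      "endpoints": {
        "authorization": "https://example.test/wp-admin/authorize-application.php"
      }
    }
  }
}""")
# PHP serialises an empty array as a JSON list, so the disabled case is [].
SAMPLE_DISABLED = json.loads('{"name": "Example Site", "authentication": []}')
SAMPLE_PRE_56 = json.loads('{"name": "Old Site"}')


def authorization_endpoint(index):
    """Return the advertised authorization URL, or None if none is advertised."""
    auth = index.get("authentication") if isinstance(index, dict) else None
    if not isinstance(auth, dict):
        return None
    entry = auth.get("application-passwords")
    if not isinstance(entry, dict):
        return None
    return (entry.get("endpoints") or {}).get("authorization")


def app_password_status(index):
    """Classify a decoded REST index as advertised / not-advertised / unknown."""
    if not isinstance(index, dict) or "authentication" not in index:
        return "unknown"  # core older than 5.6, or the response is not a REST index
    auth = index["authentication"]
    if isinstance(auth, dict) and "application-passwords" in auth:
        return "advertised"
    return "not-advertised"


def fetch_index(site_url, timeout=10):
    """Fetch the REST index; ?rest_route=/ works without pretty permalinks."""
    url = site_url.rstrip("/") + "/?rest_route=/"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python check_app_passwords.py https://your-site.example
    index = fetch_index(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DISABLED
    print(app_password_status(index), authorization_endpoint(index))
```

An `unknown` result means the index carried no `authentication` key, so check the WordPress version or whether the REST index itself is restricted.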

FAQ

Will this break the WordPress mobile app?

The WordPress mobile app can use Application Passwords, but it also works with standard login. If you use the official WordPress app, test it after enabling this module. You may need to re-authenticate using your main credentials.

What about Jetpack?

Jetpack uses WordPress.com authentication, not Application Passwords. This module shouldn’t affect Jetpack functionality.

I have existing application passwords. What happens to them?

They stop working immediately. Any apps using those passwords will fail to authenticate. You’ll need to set up alternative authentication for those apps or disable this module.

Can I disable this for specific users only?

Not with this module — it’s site-wide. For per-user control, you’d need custom code or a different plugin.

Is this the same as disabling the REST API?

No. This module only disables Application Passwords as an authentication method. The REST API itself continues to work. To restrict the REST API, use the separate “Disable REST API” module.

Why would I want Application Passwords enabled?

If you use external apps that need API access (custom integrations, automation tools, mobile apps), Application Passwords provide a secure way to authenticate without exposing your main password. They can be revoked individually without changing your main credentials.

Security Considerations

Why disable Application Passwords?

  1. Reduced attack surface — Fewer authentication methods = fewer targets
  2. Simpler auditing — All logins go through one system
  3. No hidden credentials — Users can’t create API passwords admins don’t know about
  4. Defense in depth — If not needed, disable it

Why keep them enabled?

  1. Integration needs — Some apps require them
  2. Security benefit — App passwords don’t expose your main password
  3. Revocability — Can revoke individual app access without password change
  4. Convenience — Easier than OAuth for simple integrations

Not sure if you need Application Passwords? Disable this module and monitor for any broken integrations. If nothing breaks in a week, you probably don’t need them.

Application Passwords were introduced in WordPress 5.6. If you’re running an older version (not recommended), this feature doesn’t exist anyway.
