You can use username/password authentication for REST API requests so you can lock down the REST API (per our recommendation) while still allowing external tools that use the REST API to connect.
This feature is also useful for users who need to leave XML-RPC active, but don’t want the application password they give to an app or other tool to be valid for the REST API (and vice-versa).
Once you’ve updated to iThemes Security Pro 3.7.0, visit Users > Your Profile from the WordPress dashboard.
Click the “Add a new application password” button.
From here, you’ll be prompted to name your new application password.
You’re also given the following options:
API Types:
- Valid for REST API requests
- Valid for XML-RPC requests
REST API Permissions
- Read and Write: The application password can access and modify data.
- Read-Only: The application password can access data but cannot modify data.
Once you’ve completed your settings for your new application password, click the “Create application password” button. Copy the generated password and make sure to save it in a secure location.
iThemes Security will keep a general record of all the generated app passwords including the password name, API types, REST API permission, date created, date last used and the last IP.
You can always revoke passwords at any time using the individual “Revoke” buttons or the “Revoke all application passwords” button at the bottom of the list.
Developer Documentation
iThemes Security uses Basic Authentication to pass the Application Password. You should pass the user's WordPress username as the Basic Auth Username and the Application Password as the Basic Auth Password.
WordPress
wp_remote_get( $url, array(
'headers' => array(
'Authorization' => 'Basic ' . base64_encode( "{$username}:{$app_pass}" ),
)
) );
JavaScript
jQuery.ajax( url, {
beforeSend: function ( xhr ) {
xhr.setRequestHeader(
'Authorization',
'Basic ' + btoa( username + ':' + app_pass )
);
}
} );