iThemes Security Application Passwords

Application Passwords is now part of WordPress Core since 5.6.
iThemes Security is extending it with User Groups, API Type and Read Only support.

Issues with the Core feature should be directed to the WordPress Forums.

You can use username/password authentication for REST API requests so you can lock down the REST API (per our recommendation) while still allowing external tools that use the REST API to connect.

This feature is also useful for users who need to leave XML-RPC active, but don’t want the application password they give to an app or other tool to be valid for the REST API (and vice-versa).

Note: App passwords can be easily revoked, and can never be used for traditional logins to your website. 

Using the API Types with Application Password

To Enable the Application Password with the API Types, please go to Security > Settings > Features > Login Security and enable the Two Factor Authentication feature (if not already enabled). Screen_Shot_2022-05-25_at_3.21.40_PM.png

Once it is enabled, please go to User Groups > Administrator Users > scroll down to Two Factor settings > and enabled Application Password. Screen_Shot_2022-05-25_at_3.22.54_PM.png

Once the settings are enabled, visit Users > Your Profile from the WordPress dashboard.

Click the “Add a new application password” button.

From here, you’ll be prompted to name your new application password.

You’re also given the following options:

API Types:

  • Valid for REST API requests
  • Valid for XML-RPC requests

REST API Permissions

  • Read and Write: The application password can access and modify data.
  • Read-Only: The application password can access data but cannot modify data.

Once you’ve completed your settings for your new application password, click the “Create application password” button. Copy the generated password and make sure to save it in a secure location.

iThemes Security will keep a general record of all the generated app passwords including the password name, API types, REST API permission, date created, date last used and the last IP.


You can always revoke passwords at any time using the individual “Revoke” buttons or the “Revoke all application passwords” button at the bottom of the list.

Developer Documentation

iThemes Security uses Basic Authentication to pass the Application Password. You should pass the user's WordPress username as the Basic Auth Username and the Application Password as the Basic Auth Password.


wp_remote_get( $url, array(
'headers' => array(
'Authorization' => 'Basic ' . base64_encode( "{$username}:{$app_pass}" ),
) );


jQuery.ajax( url, {
beforeSend: function ( xhr ) {
'Basic ' + btoa( username + ':' + app_pass )
} );
Have more questions? Submit a request
Powered by Zendesk