Application Passwords is a new feature in WordPress version 5.6. It's used to make authenticated requests to various WordPress APIs. However, this feature can be utilized by bad guys to gain control of your website. Therefore, it's recommended to turn off this feature when you upgrade your website to WordPress 5.6.
Why Do We Need to Disable the Application Passwords Feature?
First, you should learn about the use of Application Passwords. This feature allows external applications to request some permissions on your website, and each application is granted a specific password to sign in. After that, these applications can perform actions on your behalf via the WordPress REST API.
It sounds convenient. However, not every website needs APIs, and granting permission to an external application can lead to security issues. For instance, attackers can name their application after a reputable brand and then trick you into granting them authority via Application Passwords. After that, they can change your website and steal your data at different levels, depending on the permissions you granted them. Moreover, if your WordPress website doesn't have an SSL certificate, attackers on your network or the networks between your website and the application sites can see the passwords.
Thus, if you don't really need APIs, it's highly recommended to disable the Application Passwords feature when you upgrade your site to WordPress 5.6. You can do it manually or using plugins, and below are the detailed instructions:
Disable the Application Passwords Feature Using Plugin
If you are using security plugins / services like Wordfence, WebARX, Astra Security, etc, they will automatically disable the Application Passwords feature and you don't need to lift a finger. Otherwise, you can use a dedicated plugin - Disable Application Passwords. This is a new free plugin created to solve your problem with the Application Passwords feature, so you can install and activate the plugin right on the Admin Dashboard as usual.
Upon activation, the Application Passwords feature will be automatically disabled. If you need to enable this feature again, just deactivate the plugin. It's super easy, right? This plugin is very lightweight and easy to use. However, if you're not a fan of having a lot of plugins on a site, try the manual method below.
Manually Disable the Application Passwords Feature
To completely disable Application Passwords, add the following code to the functions.php file of your theme:
add_filter( 'wp_is_application_passwords_available', '__return_false' );
Also, you can restrict which users can use the Application Passwords feature. For example, if you want to allow only administrators to use this feature, add the following code to the functions.php file:
function my_prefix_customize_app_password_availability( $available, $user ) {
    // Only users who can manage options (administrators) keep the feature.
    if ( ! user_can( $user, 'manage_options' ) ) {
        $available = false;
    }
    return $available;
}
add_filter( 'wp_is_application_passwords_available_for_user', 'my_prefix_customize_app_password_availability', 10, 2 );
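The filters above control who may use the feature, but they do not delete application passwords that were already issued; those stay in user meta. The script below is an added example, not code from the original article: it lists every stored application password and can revoke those belonging to non-administrators. The function name and file name are hypothetical, and it is assumed to run inside WordPress 5.6 or later, for example with WP-CLI's `wp eval-file`.

```php
<?php
// Added example: audit stored application passwords. Run inside WordPress,
// e.g. `wp eval-file audit-app-passwords.php` (hypothetical file name).

/**
 * Hypothetical helper: list every stored application password and,
 * when $revoke is true, delete those owned by non-administrators.
 */
function my_prefix_audit_application_passwords( $revoke = false ) {
    $report = array();

    // Only fetch users that have application-password user meta at all.
    $users = get_users( array(
        'meta_key'     => WP_Application_Passwords::USERMETA_KEY_APPLICATION_PASSWORDS,
        'meta_compare' => 'EXISTS',
    ) );

    foreach ( $users as $user ) {
        // Same capability test as the restriction filter above.
        $is_admin = user_can( $user, 'manage_options' );
        $items    = WP_Application_Passwords::get_user_application_passwords( $user->ID );

        foreach ( $items as $item ) {
            $report[] = array(
                'user'      => $user->user_login,
                'role'      => $is_admin ? 'admin' : 'non-admin',
                'app_name'  => $item['name'],
                'created'   => gmdate( 'Y-m-d', $item['created'] ),
                'last_used' => $item['last_used'] ? gmdate( 'Y-m-d', $item['last_used'] ) : 'never',
                'last_ip'   => $item['last_ip'] ? $item['last_ip'] : '-',
            );
        }

        // Revoke everything a non-administrator holds, only when asked to.
        if ( $revoke && ! $is_admin && $items ) {
            WP_Application_Passwords::delete_all_application_passwords( $user->ID );
        }
    }
    return $report;
}

// Report only; pass true to revoke non-administrator passwords as well.
foreach ( my_prefix_audit_application_passwords( false ) as $row ) {
    echo implode( "\t", $row ), "\n";
}
```

Review the report first: an entry with an unfamiliar application name, or a last-used IP address you do not recognise, is worth investigating before you revoke anything.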
Re-enable the Application Passwords Feature
As I mentioned above, some security services automatically disable the Application Passwords feature. But how can we re-enable it? This can be done easily by adding this code to the functions.php file:
add_filter( 'wp_is_application_passwords_available', '__return_true' );
However, keep in mind that you should not give these applications important permissions. Besides, only grant permission to applications when you know exactly where they come from and what they will do on your WordPress website!
Last Words
New versions, along with offering amazing features, sometimes come with some problems. For example, the Sitemaps feature in WordPress 5.5 may cause duplication and conflict with sitemaps created by plugins (If you want to fix it, refer to this article on how to disable the Sitemaps feature in WordPress 5.5).
From WordPress 5.6, all websites running on WordPress 5.6 will be automatically upgraded to the latest WordPress version. But if you're not ready to get it yet, you can still downgrade WordPress to any version.
Helpful and informative. I didn't know about this Application Passwords feature. For the first time, I have seen it in your article. Really important thing for the WordPress site owners. Thanks for sharing.
I was worried about this new application feature of WordPress and contacted my host regarding this. They shared this link. I would say it is really helpful and thanks for the article.
This is a very important recently added feature. Since who works with headless, has more flexibility. However, it is always a good idea to disable it if there is no particular use.
Thanks for article!