How to Disable Wordfence’s Application Password Block in WordPress

If you’re using WordPress Application Passwords to connect your website with external services such as mobile apps, automation tools, or custom integrations, Wordfence may prevent those connections if its Application Password protection is enabled.

Fortunately, disabling the block only takes a few minutes.

How to Disable the Wordfence Application Password Block

Follow these steps to allow WordPress Application Passwords:

  1. Log in to your WordPress admin dashboard.
  2. Navigate to Wordfence → Firewall.
  3. Expand the Brute Force Protection section or click Manage Brute Force Protection, depending on your version of Wordfence.
  4. Locate the setting labeled Disable WordPress application passwords.
  5. Uncheck this option.
  6. Click Save Changes.

Once the setting is disabled, WordPress will once again allow Application Password authentication for supported integrations.

Generate a New WordPress Application Password

After enabling Application Passwords:

  1. Go to Users → Profile.
  2. Scroll to the Application Passwords section.
  3. Enter a name for the application or service.
  4. Click Add New Application Password.
  5. Copy the generated password and use it with your application.

This feature allows secure authentication without exposing your primary WordPress login credentials.

What Are WordPress Application Passwords?

Introduced in WordPress 5.6, Application Passwords provide a secure method for third-party applications to authenticate with your website. They are commonly used with:

  • WordPress mobile apps
  • REST API integrations
  • Zapier
  • Make
  • Custom PHP scripts
  • External publishing tools
  • Automation platforms

Each application receives its own unique password, which can be revoked individually without affecting your main account password.

Still Having Problems?

If Application Passwords remain unavailable after disabling the Wordfence setting, another issue may be preventing access.

Common causes include:

  • Another security plugin is disabling Application Passwords.
  • Your website is not using HTTPS.
  • A custom plugin or theme contains code that disables Application Passwords.
  • A must-use (MU) plugin is overriding the feature.
  • Your web host has disabled REST API authentication.

How to Verify Application Passwords Are Enabled

Visit Users → Profile in your WordPress dashboard.

If the Application Passwords section appears near the bottom of your profile page, the feature is enabled. If it does not appear, another plugin, theme, or custom code is likely disabling the functionality.

Final Thoughts

Wordfence provides excellent security for WordPress websites, but its Application Password protection can interfere with legitimate API connections and third-party integrations. By disabling the Disable WordPress application passwords option in Wordfence’s Brute Force Protection settings, you can restore secure authentication while continuing to protect your site with Wordfence’s firewall and malware scanning features.

If problems persist, check for conflicts with other security plugins, custom code, or your hosting environment before troubleshooting the application itself.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.