WordPress Security

Managing WordPress application passwords a hassle-free way


Using application passwords as a security measure was introduced in WordPress 5.6. This feature enables you and your users to generate and use separate passwords for accessing website APIs such as REST API. The WP Cerber plugin brings a set of tools to manage application passwords in an effective and secure way. In this article, we will also show you how to monitor the usage of application passwords and how to be notified when a user creates one.

We have to control application passwords

Although using application passwords brings an additional security barrier, the default WordPress implementation of application passwords is minimalistic and has the following issues.

  • Application passwords have no protection against brute-force attacks
  • We have no ability to disable or enable passwords for a specific user role
  • Standard, interactive user passwords can still be used to access website APIs.
  • We have no control over the use of passwords due to a lack of logging

Disabling application passwords

If you want to disable application passwords on your WordPress completely, set the “Application Passwords” setting to “Disabled.” This setting is located under the “User Policies” admin menu on the “Global” tab. Once it’s activated, users will no longer be able to create new passwords and use any of the passwords that were generated earlier. For advanced management, please read the rest of the article.

Use WP Cerber to manage application passwords

All the settings are located under the “User Policies” admin menu. To configure the use of application passwords for all users on your website, switch to the “Global” tab. To configure the setting for each user role separately, switch to the “Role-Based” tab. The settings configured for a role have a higher priority.

The WP Cerber setting you need to configure is named “Application Passwords”

Managing WordPress application passwords

Managing WordPress application passwords with WP Cerber

The default value of the setting is to permit the use of the application passwords the way how it’s implemented in WordPress. It implies using both, traditional passwords (that users use to log into your website via a login form) and application passwords when accessing website APIs. The setting in this case is “Enabled, access to API using standard user passwords is allowed”.

A more secure, advanced, and recommended way of using application passwords is to permit access to website APIs by using application passwords only. In this case, traditional interactive passwords cannot be used when accessing website APIs, even if the specified one is valid. Any attempt to get access to APIs will be denied. To achieve this, select “Enabled, no access to API using standard user passwords”.

The last and straightforward way of dealing with application passwords is to disable them with the setting set to “Disable”.

Configure settings for a specific user role

All the settings configured for a role have a higher priority than the global ones. So you can disable using application passwords globally for all users and enable them for a specific role only.

The default value for all roles is to use global settings configured on the “Global” tab. In the role settings, this option is named “Use global policies”. This means the role’s setting inherits all the changes made to the global settings.

If you select any other than the “Use global policies” option, that selected option will have an effect on the role instead of a setting configured on the “Global” tab.

Note: the role-based settings are available in the professional version of WP Cerber.

How to monitor application password usage

WP Cerber adds two new columns to the lists of users’ application passwords on their profile pages in the WordPress dashboard. Using links in those columns, you can check the Activity log. The “Authorized” column links navigate you to all logged events of using application passwords by the user. The links in the “Authorization Failed” column navigate you to all failed attempts to use website APIs when the user’s username or email was in use.

Monitoring application passwords in WordPress

Monitoring the usage of application passwords with WP Cerber

How to get notified when a user creates a new password

On the Activity log admin page, you can enable sending an email or a mobile notification when any user or a specified one creates a new application password. Go to the Activity log, select “User application password created” from the first select above the table and click Filter. Now, to enable notifications, you need to click the “Create Alert” button on the right. To configure the email address or the mobile device for notifications, switch to the “Notifications” tab.

Please read more on how to configure any notification you need: WordPress notifications made easy.

How to restrict access to REST API and XML-RPC

WP Cerber offers several options to restrict access and you can configure any combination of them. You can block access to these APIs completely by disabling them; you can permit or block access to these APIs from specific IP addresses by using IP Access Lists. Additionally, you can permit access to REST API for specific roles or to specific namespaces only. By configuring country-based access rules, you can permit or deny access to REST API or XML-RPC by a list of countries.

Have any questions?

If you have a question regarding WordPress security or WP Cerber, leave them in the comments section below or get them answered on the community forum.

Spotted a bug or glitch?

We’d love to fix it! Share your bug discoveries with us here: Bug Report.


I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.

View Comments
There are currently no comments.