For a long time, WordPress required users to log in to their admin dashboards to complete tasks like creating blog posts, approving comments, and updating themes or plugins.
However, thanks to WordPress application passwords and its REST API, users can now do this through third-party services and applications.
But what are WordPress application passwords? What is the WordPress REST API? And how do the two relate to each other?
We will answer all these questions in this post and discuss the benefits, generation, and storage of WordPress application passwords. We will also provide troubleshooting tips for common issues you might face while using WordPress application passwords.
Table of contents
- WordPress REST API and application passwords
- Benefits of using WordPress application passwords
- How to generate WordPress application passwords
- How does WordPress generate and store application passwords?
- Application passwords in action
- Best practices for using WordPress application passwords
- Common WordPress application password issues and their fixes
- Secure user accounts on your WordPress site
- Conclusion
- WordPress application passwords FAQs
WordPress REST API and application passwords
WordPress provides a REST API for software to interact with a website’s content and data. An API (Application Programming Interface) acts as a bridge that enables two different software applications to communicate with each other in a standardized way.
When it comes to WordPress, the REST API lets developers use standard HTTP methods to perform various operations, including retrieving a list of posts, creating new users, deleting comments, and much more.
Some of these requests require authentication, and that’s where WordPress application passwords come in.
You generate WordPress application passwords for third-party applications to authenticate themselves and take actions on your behalf. This lets them easily communicate with WordPress using its REST API and complete specific tasks like publishing a new blog post.
Benefits of using WordPress application passwords
WordPress application passwords benefit both users and developers. They are easy to use, compatible with two-factor authentication, improve security, and provide better access control.
Authenticated requests are easy to execute
The WordPress REST API became part of WordPress core in version 4.4, and developers soon started using it for administrative tasks.
WordPress application passwords have made installing extra authentication plugins unnecessary and cookie spoofing obsolete. A third-party service can now authenticate itself with user-generated application passwords to act on the user’s behalf.
Improved security in comparison to cookie spoofing
Both OAuth and JWT provide a good amount of security because they don’t rely on shared user credentials to authenticate applications.
Application passwords, in turn, provide a more secure alternative to the approach taken by applications that ask for a user’s account credentials in order to generate a spoofed cookie.
Also, note that application passwords are designed to only authenticate requests that come through the REST API. This means that bad actors can’t log in to your WordPress dashboard using application passwords.
Easier management
A WordPress user account has a single password to log in to the WordPress dashboard. Let’s say you shared this password with multiple third-party applications to allow them to authenticate themselves and execute REST API or XML-RPC API requests.
Revoking access for one of those applications would require you to change your account password and notify the rest of the applications about the password update.
WordPress application passwords don’t have this limitation because a single user account can generate multiple application passwords, allowing each application to have its unique password. You can revoke access to a single application at any time without affecting others.
How to generate WordPress application passwords
Both admin and non-admin users can generate an application password by logging into WordPress. An application’s access level will depend on the user role that generated its application password. For instance, an application cannot use the application password from an author to perform administrative tasks.
You can generate a new application password by navigating to Users > Profile from the WordPress dashboard. Then, scroll down to go to the Application Passwords section.
Enter a descriptive name for the application password in the New Application Password Name input field. This name should help you identify which third-party application uses this password.
Now, click on the Add New Application Password button to generate a random application password.
Save the generated application password in a safe location because you can’t retrieve it later. If you lose it, you’ll need to revoke the application password and generate a new one.
You can also see a list of previously generated application passwords on this page along with other information such as their creation time, the date they were last used, and the last IP address that used them.
How does WordPress generate and store application passwords?
WordPress uses the wp_generate_password() function to generate 24-character long application passwords. These passwords can only have uppercase letters, lowercase letters, and numeric characters.
WordPress displays these passwords to users in chunks of four characters to make it easier to read. Here is an example:
rvSz viia JbxI J1ij Yb6T rVrE
The space between these chunks is irrelevant. WordPress strips it out before hashing and verifying a password.
WordPress stores a hashed version of all user-generated application passwords in the usermeta table in its database, along with information like the password name, creation date, and last access time.
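The following Python model, added here as an illustration and not WordPress’s own code, walks through the lifecycle just described: a 24-character alphanumeric password is generated, shown once in four-character chunks, stored only as a hash together with its name and usage metadata, and later verified after the display spaces are stripped. WordPress itself uses wp_generate_password() and its own password-hashing routine; PBKDF2-HMAC-SHA256 with a per-record salt stands in for that hash here, and the in-memory list stands in for the usermeta table.

```python
import hashlib
import os
import secrets
import time

# Constructed illustration of the behaviour described above; not WordPress code.
# WordPress draws from the same three character classes: no symbols, no spaces.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
PASSWORD_LENGTH = 24


def generate_app_password() -> str:
    """Return a 24-character password made only of letters and digits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LENGTH))


def chunk_for_display(password: str) -> str:
    """Group the password in fours, the way the profile page shows it."""
    return " ".join(password[i:i + 4] for i in range(0, len(password), 4))


def normalize(password: str) -> str:
    """Spaces are a display aid only; drop them before hashing or verifying."""
    return password.replace(" ", "")


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for WordPress's own hash (assumption: PBKDF2 is not what WP uses).
    return hashlib.pbkdf2_hmac("sha256", normalize(password).encode(), salt, 100_000)


class AppPasswordStore:
    """Stand-in for the hashed records WordPress keeps in the usermeta table."""

    def __init__(self):
        self.records = []  # one dict per application password

    def create(self, name: str) -> str:
        """Generate a password, keep only its hash, return the one-time display form."""
        plaintext = generate_app_password()
        salt = os.urandom(16)
        self.records.append({
            "uuid": secrets.token_hex(8),
            "name": name,
            "salt": salt,
            "hash": hash_password(plaintext, salt),
            "created": int(time.time()),
            "last_used": None,
            "last_ip": None,
        })
        return chunk_for_display(plaintext)

    def verify(self, candidate: str, ip: str) -> bool:
        """Accept the password with or without spaces; record last use and IP."""
        for rec in self.records:
            if secrets.compare_digest(rec["hash"], hash_password(candidate, rec["salt"])):
                rec["last_used"] = int(time.time())
                rec["last_ip"] = ip
                return True
        return False

    def revoke(self, uuid: str) -> bool:
        """Remove one record; the other application passwords stay valid."""
        before = len(self.records)
        self.records = [r for r in self.records if r["uuid"] != uuid]
        return len(self.records) < before


if __name__ == "__main__":
    store = AppPasswordStore()
    shown = store.create("Postman")
    print("shown once:", shown)
    print("verified:", store.verify(shown, "127.0.0.1"))
    print("stored record:", {k: v for k, v in store.records[0].items() if k != "hash"})
```

Because only the hash survives, a lost password cannot be recovered from the store; revoking the record and creating a new one is the only option, which is exactly the behaviour described in the troubleshooting section.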
Application passwords in action
We can easily test application passwords using Postman and the WordPress API. For the purposes of this exercise, we will be using a local WordPress installation.
Using Postman, we can make a request to the API endpoint for posts as follows:
http://melapress.local/wp-json/wp/v2/posts
We can see the results in the lower section of the screenshot. Cool.
We will now attempt to access the settings endpoint. As you can see from the screenshot, we are not using any authentication. In fact, when we attempt to access settings, we get a rest_forbidden error.
This tells us that we need to authenticate ourselves to access the settings via the REST API. This is not a problem since we now know how to do that.
As the screenshot below shows, we have created a new application password which we’ve named Postman.
All we need to do now is choose Basic Auth from the Type drop-down menu and enter the credentials. This allows us to access the WordPress settings as shown in the screenshot below.
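The same exchange without Postman, as an added example that is not part of the original walkthrough: a small Python client builds the Basic Auth header from a username and an application password (stripping the display spaces first), calls the settings endpoint, and turns a rest_forbidden reply into a hint about which account and role to check. The site URL is the article’s local one, the user name "postman" and the use of the article’s sample password are constructed placeholders, and the rest_cannot_ prefix check assumes the error codes WordPress core’s post controllers use for capability failures.

```python
import base64
import json
import urllib.error
import urllib.request

# Values below are placeholders for the article's local test site; not real credentials.
SITE = "http://melapress.local"
APP_PASSWORD = "rvSz viia JbxI J1ij Yb6T rVrE"  # the article's sample value


def basic_auth_header(username: str, app_password: str) -> str:
    """Encode user:password for HTTP Basic Auth; spaces are display-only."""
    secret = app_password.replace(" ", "")
    token = base64.b64encode(f"{username}:{secret}".encode()).decode()
    return f"Basic {token}"


def classify_rest_error(status: int, body: str) -> str:
    """Turn a WordPress REST error body into a hint an operator can act on."""
    try:
        code = json.loads(body).get("code", "")
    except (ValueError, AttributeError):
        code = ""
    if code == "rest_forbidden":
        return ("rest_forbidden: the request was unauthenticated or the account lacks the "
                "capability; check the role of the user who generated the application password")
    if code.startswith("rest_cannot_"):  # assumption: capability-check codes from core controllers
        return f"{code}: the account's role does not allow this action on this resource"
    return f"HTTP {status}: {code or 'no REST error code in body'}"


def get_settings(username: str, app_password: str, site: str = SITE) -> dict:
    """GET /wp/v2/settings, which requires an authenticated, sufficiently privileged user."""
    req = urllib.request.Request(
        f"{site}/wp-json/wp/v2/settings",
        headers={
            "Authorization": basic_auth_header(username, app_password),
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return {"ok": True, "status": resp.status, "data": json.load(resp)}
    except urllib.error.HTTPError as err:  # 4xx/5xx with a WordPress error body
        body = err.read().decode(errors="replace")
        return {"ok": False, "status": err.code, "hint": classify_rest_error(err.code, body)}
    except urllib.error.URLError as err:  # DNS or connection failure
        return {"ok": False, "status": None, "hint": f"connection failed: {err.reason}"}


if __name__ == "__main__":
    print(get_settings("postman", APP_PASSWORD))
```

Basic Auth sends the application password in every request header, so outside a local test installation the site must be reached over HTTPS; a plain-HTTP endpoint exposes the password to anyone on the path.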
Best practices for using WordPress application passwords
Bad actors can’t use WordPress application passwords to log in to your WordPress accounts, making them safer to share. They are also nearly impossible to crack through brute-force attacks due to their length and mix of characters used. You can follow the tips below to make them even safer.
- Regularly check your generated application passwords. Revoke any application passwords you don’t recognize.
- A single WordPress account can have multiple application passwords. You should have one unique password for each third-party app, enabling you to revoke its access without disrupting the functionality of others.
- An application authenticating itself using a WordPress application password will have the same rights as the account that generated the application password. Always follow the principle of least privilege to ensure an application only has the permissions it requires to function correctly. For example, if an application only needs to manage content on a website, generate its application password through an account with editor privileges instead of administrative privileges.
- Keep a WordPress activity log and regularly audit access records and changes.
Common WordPress application password issues and their fixes
Now, let’s discuss common issues users face when using WordPress application passwords and their fixes.
WordPress application passwords are disabled
Some security plugins automatically disable WordPress application passwords to improve security. Others let you disable or enable them manually.
Disabling them makes sense only if you aren’t using them. Otherwise, they provide a secure way of using the WordPress REST API with third-party applications.
If a security plugin has disabled application passwords on your website, you will see something like the above image. If you can identify the plugin that disabled the application passwords feature, you can update the plugin settings to enable them again.
Sometimes, a theme can also disable application passwords.
Adding a specific code snippet to your theme’s functions.php file can also disable application passwords. You should contact a developer to remove code that disabled application passwords.
Lack of permissions to perform an action
Application passwords let a third-party app act on a user’s behalf. Therefore, the app can only perform actions permitted for the user’s assigned role.
For example, if a user is an Author, a third-party app won’t be able to use the application passwords they generate to manage other users’ posts. This is because only editors or administrators can edit other users’ posts.
If a third-party application cannot complete a task, look into the permissions associated with the user account that generated its application password.
Lost or forgot an application password
WordPress shows you an application password only once when you generate it. You cannot change or reset it. This is unlike WordPress account passwords that you can reset using multiple methods.
If you forgot or lost an application password, you should revoke it and generate a new one.
Secure user accounts on your WordPress site
All WordPress application passwords are a random mix of 24 lowercase, uppercase, and numeric characters. Their length and randomness protect them against brute-force attacks.
Since bad actors will have difficulties cracking your application password to gain unauthorized access, they may try to exploit some other vulnerability in your website. Weak user account passwords are one such source of vulnerability.
Luckily, there are steps you can take to protect your website against such threats.
Enforce strong password policies
You can reduce the impact of brute-force attacks by enforcing strong password policies using the Melapress Login Security plugin.
The plugin allows you to specify a minimum password length for user accounts. You can also enforce the use of at least one lowercase, uppercase, numeric, and special character.
Implement login limitation policies
Someone running a brute-force attack will attempt to log in with a large number of passwords, hoping that one of them is correct.
You can implement login policies where a user account is blocked after a specified number of attempts. Then, you can specify whether the account stays blocked or is unblocked after some time to stop or drastically slow down the attack.
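A minimal version of such a policy, written in Python as an added example rather than taken from any plugin: failed attempts are counted per account, the account is blocked once the limit is reached, and the policy decides whether the block expires after a set time or stays until an administrator lifts it. The clock is injected so the expiry path can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """Constructed policy values; tune to your own site."""
    max_attempts: int = 5
    unblock_after_seconds: Optional[int] = 900  # None: stay blocked until an admin unblocks


class LoginLimiter:
    """Per-account failure counter implementing block-after-N-attempts."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock
        self.failures: Dict[str, int] = {}
        self.blocked_at: Dict[str, float] = {}

    def is_blocked(self, account: str) -> bool:
        since = self.blocked_at.get(account)
        if since is None:
            return False
        ttl = self.policy.unblock_after_seconds
        if ttl is not None and self.clock() - since >= ttl:
            self.unblock(account)  # timed block has expired
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Count a failed login; return True if the account is now blocked."""
        if self.is_blocked(account):
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.policy.max_attempts:
            self.blocked_at[account] = self.clock()
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login resets the counter for that account."""
        self.failures.pop(account, None)

    def unblock(self, account: str) -> None:
        """Administrative unblock; also used when a timed block expires."""
        self.failures.pop(account, None)
        self.blocked_at.pop(account, None)


if __name__ == "__main__":
    limiter = LoginLimiter(LockoutPolicy(max_attempts=3, unblock_after_seconds=60))
    for attempt in range(1, 4):
        print(f"attempt {attempt}: blocked={limiter.record_failure('editor')}")
    print("still blocked:", limiter.is_blocked("editor"))
```

A successful login must be refused while the account is blocked even if the password is right; the limiter only tracks state, so the login handler has to call is_blocked() before checking credentials.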
Enforce two-factor authentication
Brute-force attacks are just one way bad actors target accounts. They can also use phishing attacks to trick users into revealing their account credentials.
A phishing attack relies on users revealing their account credentials to what they think is an authority figure or a legitimate website.
You can implement two-factor authentication on WordPress to set up a good defense against attacks using stolen or leaked credentials. However, using two-factor authentication adds an extra login step. So, you should try your best to make the whole process effortless for your users.
The WP 2FA plugin helps you provide multiple 2FA methods to users. Users can choose the method that is most convenient for them.
The 2FA policies you define using WP 2FA are configurable per-role or site-wide. You can also make 2FA compulsory and give users a grace period to comply.
It is a good idea to let users configure backup methods to access their accounts if the primary authentication method is unavailable. You can configure WP 2FA to allow users to set up secondary 2FA methods to log in if the primary methods are unavailable.
Conclusion
Many third-party services and applications, including Zapier and the official WordPress mobile app, use WordPress application passwords to make authenticated API calls.
We discussed several benefits of WordPress application passwords in this post like better security and the ability to revoke an application password independently.
Overall, WordPress application passwords provide a secure way for third-party applications to interact with the WordPress API.
After reading this post, you should also be able to generate and manage your own accounts’ application passwords.
WordPress application passwords FAQs
There are a few other methods that applications can use to make authenticated requests to the REST API.
WordPress OAuth Authentication
People who want to authorize third-party applications through this method have to install a plugin like WP REST API – OAuth 1.0a Server first.
Any third-party application that wants to make authorized REST API calls will have to begin by making an access request. The OAuth plugin intercepts this request and handles the authorization.
The third-party application will get an access token to make future authenticated REST API requests once you confirm that it is authorized to do so.
JSON Web Token
Using a JSON Web Token to authenticate third-party WordPress REST API requests also requires you to install a plugin that generates a JWT (JSON Web Token).
The JWT contains encoded information about the user such as their user ID, username, and roles among other things. It also contains a digital signature created using a secret key defined in your WordPress wp-config.php file.
The server sends this JWT back to the client. The client can store this token somewhere to make authenticated requests in the future.
Cookie Spoofing
Some third-party applications relied on cookie spoofing to make authenticated requests.
Such applications simulated a browser session and logged in to the WordPress admin area to get an authentication cookie. Then, they pretended to be that user to make authenticated API requests.
This is bad because users had to give away their account credentials to be able to use the functionality the third-party application provides.
Application passwords in WordPress are passwords you provide to third-party applications so they can make authenticated requests. This allows them to perform actions on a WordPress website on your behalf.
You can create an application password from the User Profile page in the WordPress dashboard. You can create multiple application passwords per user account and assign one application password for every third-party application you use.
You can find a list of all your generated application passwords on the User Profile page after you log into the WordPress dashboard.