Solid Security Application Passwords

Application Passwords is now part of WordPress Core since 5.6. Solid Security is extending it with User Groups, API Type, and Read Only support. 




You can use username/password authentication for REST API requests so you can lock down the REST API (per our recommendation) while still allowing external tools that use the REST API to connect.


This feature is also useful for users who need to leave XML-RPC active but don’t want the application password they give to an app or other tool to be valid for the REST API (and vice-versa).


Note: App passwords can be easily revoked and can never be used for traditional logins to your website. Also, any issues with the Core feature should be directed to the WordPress Forums.


Using the API Types with Application Passwords


To enable Application Passwords with the API Types, please go to Security -> Settings -> Features -> Login Security and enable the Two-Factor Authentication feature (if not already enabled). 



Once it is enabled, please go to User Groups -> Administrator Users, scroll down to Two-Factor settings, and enable Application Passwords.



Once the settings are enabled, visit Users -> Your Profile from the WordPress dashboard.



From here, you’ll be prompted to name your new application password and select which API Type. You can also set the permission to "Read Only".


API Types:


  • Valid for REST API requests
  • Valid for XML-RPC requests


REST API Permissions


  • Read and Write: The application password can access and modify data.
  • Read-Only: The application password can access data but cannot modify data.


Once you’ve completed your settings for your new application password, click the “Add New Application Password” button. Copy the generated password and make sure to save it in a secure location.



Solid Security will keep a general record of all the generated app passwords, including the password name, API types, REST API permission, date created, date last used, and the last IP address.


You can always revoke passwords at any time using the individual “Revoke” buttons or the “Revoke all application passwords” button at the bottom of the list.


Developer Documentation


Solid Security uses Basic Authentication to pass the Application Password. You should pass the user's WordPress username as the Basic Auth Username and the Application Password as the Basic Auth Password.




wp_remote_get( $url, array(
'headers' => array(
'Authorization' => 'Basic ' . base64_encode( "{$username}:{$app_pass}" ),
) );




jQuery.ajax( url, {
beforeSend: function ( xhr ) {
'Basic ' + btoa( username + ':' + app_pass )
} );
Have more questions? Submit a request