Application Passwords

 

You can use username/password authentication for REST API requests so you can lock down the REST API (per our recommendation) while still allowing external tools that use the REST API to connect.

This feature is also useful for users who need to leave XML-RPC active, but don’t want the application password they give to an app or other tool to be valid for the REST API (and vice-versa).

Note: App passwords can be easily revoked, and can never be used for traditional logins to your website.

Once you’ve updated to iThemes Security Pro 3.7.0, visit Users > Your Profile from the WordPress dashboard.

Click the “Add a new application password” button.

From here, you’ll be prompted to name your new application password.

You’re also given the following options:

API Types:

  • Valid for REST API requests
  • Valid for XML-RPC requests

REST API Permissions

  • Read and Write: The application password can access and modify data.
  • Read-Only: The application password can access data but cannot modify data.

Once you’ve completed your settings for your new application password, click the “Create application password” button. Copy the generated password and make sure to save it in a secure location.

iThemes Security will keep a general record of all the generated app passwords including the password name, API types, REST API permission, date created, date last used and the last IP.

app-passwords-list

You can always revoke passwords at any time using the individual “Revoke” buttons or the “Revoke all application passwords” button at the bottom of the list.

Developer Documentation

iThemes Security uses Basic Authentication to pass the Application Password. You should pass the user's WordPress username as the Basic Auth Username and the Application Password as the Basic Auth Password.

WordPress

wp_remote_get( $url, array(
'headers' => array(
'Authorization' => 'Basic ' . base64_encode( "{$username}:{$app_pass}" ),
)
) );

JavaScript

jQuery.ajax( url, {
beforeSend: function ( xhr ) {
xhr.setRequestHeader(
'Authorization',
'Basic ' + btoa( username + ':' + app_pass )
);
}
} );
Have more questions? Submit a request
Powered by Zendesk