Disables WordPress application passwords site-wide: blocks REST/XML-RPC login with app tokens and hides the profile UI. Normal account passwords and logged-in REST access are unaffected. Existing tokens remain stored but cannot authenticate until this module is off. May break mobile apps, headless sites, and automation that rely on application passwords.