Skip to content

Disable Application Passwords

Disable Application Passwords disables WordPress application passwords site-wide: blocks REST/XML-RPC login with app tokens and hides the profile UI. Normal account passwords and logged-in REST access are unaffected.

  • Forces wp_is_application_passwords_available to false for the whole site.
  • Hides the Application Passwords UI on user profiles.
  • Existing stored tokens remain in the database but cannot authenticate until the module is off.
  • Does not change normal username/password login or cookie-authenticated REST for logged-in users.

Enable it if:

  • You do not use mobile apps, headless clients, or automation that need application passwords.
  • You want to remove an unused authentication surface.
  • You prefer other API auth methods and do not want users creating app tokens.
  1. Go to WP PowerSuite -> Modules.
  2. Open Security or search for “Disable Application Passwords”.
  3. Toggle Disable Application Passwords on.

Toggle it off anytime to restore application password availability.

  • Enable the module, then open a user profile as an administrator.
  • ✅ Pass: Application Passwords section is unavailable/hidden.
  • Try authenticating to REST with an application password.
  • ✅ Pass: authentication fails while the module is on.
  • ❌ Fail: confirm the module toggle is on and no mu-plugin re-enables application passwords.
  • App or automation broke after enabling. That client likely used an application password - turn the module off or switch the client to another auth method.
  • Tokens still listed in the database. Expected; they are stored but cannot authenticate while the module is on.
  • Need REST for enforced 2FA roles. See Two-Factor Authentication REST/XML-RPC settings; this module makes application passwords unavailable.
What does Disable Application Passwords do?

It disables WordPress application passwords site-wide so app tokens cannot authenticate and the profile UI is hidden.

Is Disable Application Passwords free?

Yes. Enable it under WP PowerSuite -> Modules.

Does it delete existing tokens?

No. Existing tokens stay stored but cannot authenticate until the module is turned off.

Does normal login still work?

Yes. Username/password login and logged-in REST cookie access are unaffected.

How do I turn Disable Application Passwords off?

Go to WP PowerSuite -> Modules, find Disable Application Passwords, and toggle it off.

Developer notes (hooks & filters)

Source: modules/disable-application-passwords/module.php. Boot: critical · context: admin, frontend, ajax, rest.

Hook: wp_is_application_passwords_available (forced to false at late priority).