Disable Application Passwords
Disable Application Passwords disables WordPress application passwords site-wide: blocks REST/XML-RPC login with app tokens and hides the profile UI. Normal account passwords and logged-in REST access are unaffected.
What it does
Section titled “What it does”- Forces
wp_is_application_passwords_availableto false for the whole site. - Hides the Application Passwords UI on user profiles.
- Existing stored tokens remain in the database but cannot authenticate until the module is off.
- Does not change normal username/password login or cookie-authenticated REST for logged-in users.
When to use it
Section titled “When to use it”Enable it if:
- You do not use mobile apps, headless clients, or automation that need application passwords.
- You want to remove an unused authentication surface.
- You prefer other API auth methods and do not want users creating app tokens.
When not to use it
Section titled “When not to use it”How to enable it
Section titled “How to enable it”- Go to WP PowerSuite -> Modules.
- Open Security or search for “Disable Application Passwords”.
- Toggle Disable Application Passwords on.
Toggle it off anytime to restore application password availability.
How to test it
Section titled “How to test it”- Enable the module, then open a user profile as an administrator.
- ✅ Pass: Application Passwords section is unavailable/hidden.
- Try authenticating to REST with an application password.
- ✅ Pass: authentication fails while the module is on.
- ❌ Fail: confirm the module toggle is on and no mu-plugin re-enables application passwords.
Troubleshooting
Section titled “Troubleshooting”- App or automation broke after enabling. That client likely used an application password - turn the module off or switch the client to another auth method.
- Tokens still listed in the database. Expected; they are stored but cannot authenticate while the module is on.
- Need REST for enforced 2FA roles. See Two-Factor Authentication REST/XML-RPC settings; this module makes application passwords unavailable.
What does Disable Application Passwords do?
It disables WordPress application passwords site-wide so app tokens cannot authenticate and the profile UI is hidden.
Is Disable Application Passwords free?
Yes. Enable it under WP PowerSuite -> Modules.
Does it delete existing tokens?
No. Existing tokens stay stored but cannot authenticate until the module is turned off.
Does normal login still work?
Yes. Username/password login and logged-in REST cookie access are unaffected.
How do I turn Disable Application Passwords off?
Go to WP PowerSuite -> Modules, find Disable Application Passwords, and toggle it off.
Developer notes (hooks & filters)
Source: modules/disable-application-passwords/module.php.
Boot: critical · context: admin, frontend, ajax, rest.
Hook: wp_is_application_passwords_available (forced to false at late priority).