WordPress Application Passwords: Complete Setup Guide for Headless & API Access

AutoPublish Team
February 5, 2025

A step-by-step guide to setting up WordPress Application Passwords for secure API access — no plugins required. Includes troubleshooting and best practices.

WordPress Application Passwords were introduced in WordPress 5.6 as a native, secure way to allow external applications to interact with your WordPress site via the REST API — without giving them your real admin password.

If you're using any tool that publishes content to WordPress programmatically (including AutoPublish), you'll need to create an Application Password. Here's how to do it correctly.

What Are Application Passwords?

An Application Password is a randomly generated 24-character credential that:

  • Grants API access to your WordPress site
  • Can be revoked at any time without changing your main password
  • Is separate from your admin login: it can't be used to sign in to the dashboard, and compromising it doesn't reveal your main password
  • Can have a descriptive label so you know which app it belongs to
  • Works over HTTPS (required)

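They're more secure than using your actual WordPress password because they work only for API requests (not dashboard login) and can be instantly revoked if a tool is compromised or you stop using a service. An Application Password still carries the full capabilities of the user it belongs to, so that user's role determines what a leaked one can do.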

Prerequisites

  • WordPress 5.6 or later (check: Settings → General → WordPress Version)
  • Your site must use HTTPS (not HTTP) — Application Passwords are disabled on non-HTTPS sites
  • The WordPress REST API must be enabled (it is by default, but some security plugins disable it)
  • User role: Editor or Administrator (Authors and below can't create posts via API by default)

Step-by-Step Setup

Step 1: Go to Your User Profile

Log in to your WordPress admin dashboard. Navigate to Users → Profile (or hover over your name in the top bar and click "Edit Profile").

Step 2: Find Application Passwords

Scroll to the bottom of your profile page. You'll see a section called Application Passwords. If you don't see this section, check the Prerequisites section above — the most common cause is a non-HTTPS site or a security plugin blocking the REST API.

Step 3: Create the Password

  1. In the "New Application Password Name" field, enter a descriptive name (e.g., "AutoPublish" or "Content Automation")
  2. Click Add New Application Password
  3. WordPress will display the generated password once — copy it immediately

The password format looks like: abcd 1234 EFGH 5678 ijkl 9012 — with spaces. Some tools require you to remove the spaces; others accept it as-is. AutoPublish accepts it either way.

Step 4: Enter Credentials in Your Tool

You'll need three things:

  • WordPress URL: Your site's root URL (e.g., https://yoursite.com)
  • Username: Your WordPress username (not your email — the actual username)
  • Application Password: The 24-character password you just generated

Testing the Connection

To verify the connection works, you can test it directly from the AutoPublish dashboard:

  1. Go to Dashboard → WP Sites
  2. Click Test Connection on your site
  3. AutoPublish checks /wp-json/ for REST API availability and validates your credentials

A successful test means: REST API is enabled, HTTPS is working, your credentials are correct, and the user has sufficient permissions.
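
To run the same kind of check without the dashboard, the following added example (not AutoPublish's code and not part of the original guide) builds the Basic-auth request for WordPress core's /wp-json/wp/v2/users/me route and maps the response status to the causes listed in the troubleshooting section. The function names are assumptions, and redirects are deliberately not followed so the credential is never resent to a different URL.

```python
import base64, json, re
import urllib.error, urllib.request
from urllib.parse import urlsplit

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of resending credentials elsewhere

def normalize_app_password(raw):
    """Drop the display spaces; what remains must be 24 alphanumeric characters."""
    compact = re.sub(r"\s+", "", raw)
    if not re.fullmatch(r"[A-Za-z0-9]{24}", compact):
        raise ValueError("expected 24 letters/digits once spaces are removed")
    return compact

def build_request(site_url, username, app_password):
    """Authenticated GET for /wp-json/wp/v2/users/me; refuses non-HTTPS URLs."""
    if urlsplit(site_url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    token = f"{username}:{normalize_app_password(app_password)}".encode()
    url = site_url.rstrip("/") + "/wp-json/wp/v2/users/me?context=edit"
    auth = "Basic " + base64.b64encode(token).decode("ascii")
    return urllib.request.Request(url, headers={"Authorization": auth})

def diagnose(status, body):
    """Map an HTTP status and decoded JSON body to the causes listed in this guide."""
    if status == 200:
        roles = body.get("roles", [])
        if {"editor", "administrator"} & set(roles):
            return "ok"
        return f"authenticated, but roles {roles} lack Editor/Administrator"
    if status in (301, 302, 307, 308):
        return "redirected: use the canonical URL (www vs. non-www)"
    if status == 401:
        return "credentials rejected: wrong username, or password mistyped/revoked"
    if status == 403:
        return "forbidden: insufficient role, or a firewall/security plugin blocks the API"
    if status == 404:
        return "REST route not found: REST API disabled or permalinks set to Plain"
    return f"unexpected HTTP {status}"

def check(site_url, username, app_password):
    """Send the request (needs network access) and return a diagnosis string."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(build_request(site_url, username, app_password), timeout=10) as r:
            return diagnose(r.status, json.load(r))
    except urllib.error.HTTPError as e:
        return diagnose(e.code, {})
```

Call check("https://yoursite.com", "api-publisher", "<application password>") from a machine that can reach the site.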

Troubleshooting Common Issues

"Application Passwords section is missing from profile"

Causes:

  • Site is not using HTTPS
  • A security plugin (Wordfence, iThemes Security, etc.) has disabled Application Passwords
  • Custom code in functions.php is blocking them (add_filter('wp_is_application_passwords_available', '__return_false'))

"REST API connection failed"

Causes:

  • The REST API is disabled — check Settings → Permalinks (set to "Post name" or any option except "Plain")
  • A firewall or security plugin is blocking external API requests
  • The WordPress URL has a redirect (www vs. non-www mismatch)

"403 Forbidden" on API requests

Causes:

  • The user account doesn't have sufficient permissions (needs Editor or Administrator role)
  • The application password was created for a different user than the one specified in credentials

Security Best Practices

  • Use a dedicated user account: Create a separate WordPress user (e.g., "api-publisher") with the minimum required role (Editor). This limits the blast radius if credentials are ever compromised.
  • One application password per tool: Don't reuse the same Application Password for multiple tools. Label each one clearly.
  • Revoke unused passwords: If you stop using a tool, immediately revoke its Application Password from your profile.
  • Never share credentials in plain text: Store Application Passwords in a password manager or secrets vault, not in Slack or email.
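
An added example (not from the original guide or AutoPublish) supporting the "Revoke unused passwords" practice: it scans the JSON list that WordPress core returns from GET /wp-json/wp/v2/users/me/application-passwords and flags entries that were never used or have been idle too long. The sample records, the 90-day and 7-day thresholds, and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the JSON list returned by
# GET /wp-json/wp/v2/users/me/application-passwords (all values are made up).
SAMPLE = [
    {"uuid": "00000000-0000-4000-8000-000000000001", "name": "AutoPublish",
     "created": "2025-01-10T08:30:00", "last_used": "2025-02-04T06:00:00"},
    {"uuid": "00000000-0000-4000-8000-000000000002", "name": "Old SEO tool",
     "created": "2024-03-01T12:00:00", "last_used": "2024-06-15T09:12:00"},
    {"uuid": "00000000-0000-4000-8000-000000000003", "name": "Test script",
     "created": "2024-11-20T10:00:00", "last_used": None},
    {"uuid": "00000000-0000-4000-8000-000000000004", "name": "New integration",
     "created": "2025-02-03T10:00:00", "last_used": None},
]

def _utc(stamp):
    """WordPress returns these timestamps in UTC without a zone suffix."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)

def stale_passwords(items, now, max_idle_days=90, grace_days=7):
    """Return (uuid, name, reason) for passwords that look unused and should be revoked."""
    findings = []
    for item in items:
        created = _utc(item["created"])
        if item.get("last_used") is None:
            # Never used: allow a short grace period for integrations still being set up.
            if now - created > timedelta(days=grace_days):
                findings.append((item["uuid"], item["name"], "never used"))
            continue
        idle = now - _utc(item["last_used"])
        if idle > timedelta(days=max_idle_days):
            findings.append((item["uuid"], item["name"], f"idle {idle.days} days"))
    return findings

def revoke_path(uuid):
    """REST route that deletes one password when called with the DELETE method."""
    return f"/wp-json/wp/v2/users/me/application-passwords/{uuid}"
```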

Using Application Passwords with AutoPublish

Once your Application Password is created, adding your site to AutoPublish takes about 2 minutes:

  1. Go to Dashboard → WP Sites → Add Site
  2. Enter your WordPress URL, username, and Application Password
  3. Click Test Connection to verify
  4. Optionally add a default category, brand voice, and post status preference
  5. Save — your site is now ready for automated publishing