← Back to blog

WordPress · March 28, 2026 · 7 min read

The Complete Guide to WordPress Application Passwords for API Integrations

Application Passwords are the secure, role-scoped credential WordPress recommends for REST API access. In this guide you'll learn how to create them, restrict their scope, rotate them safely, and troubleshoot the most common connection errors we see at FluxWriter.

By FluxWriter Team

The Complete Guide to WordPress Application Passwords for API Integrations

Why Application Passwords (and not your real password)

Built into WordPress core since 5.6, Application Passwords let an external tool — like FluxWriter — authenticate to the REST API without ever seeing your real account password. They are:

If you're still pasting your admin password into third-party tools, stop today.

Creating one (the right way)

  1. In WP Admin, go to Users → Profile (or edit a dedicated integration user).
  2. Scroll to Application Passwords.
  3. Enter a name like FluxWriter and click Add New Application Password.
  4. Copy the generated password immediately — WordPress only shows it once.

The password looks like abcd EFGH 1234 ijkl MNOP 5678. The spaces are decorative; you can paste it with or without them.

The "dedicated user" pattern

For production sites, create a separate WP user with the Editor role and generate the Application Password from that account. Reasons:

Common connection errors and fixes

Rotating safely

Application Passwords don't expire on their own. Rotate them every 6–12 months, or immediately if a teammate leaves. The flow is: generate the new one, paste it into FluxWriter and click Test Connection, then revoke the old one from WP Admin.



← All posts