WordPress · March 28, 2026 · 7 min read
The Complete Guide to WordPress Application Passwords for API Integrations
Application Passwords are the secure, role-scoped credential WordPress recommends for REST API access. In this guide you'll learn how to create them, restrict their scope, rotate them safely, and troubleshoot the most common connection errors we see at FluxWriter.
By FluxWriter Team
Why Application Passwords (and not your real password)
Built into WordPress core since 5.6, Application Passwords let an external tool — like FluxWriter — authenticate to the REST API without ever seeing your real account password. They are:
- Scoped to the user's role (so a Editor-role app password can't install plugins).
- Individually revocable without changing your login.
- Auditable — each one has a name and a "last used" timestamp.
If you're still pasting your admin password into third-party tools, stop today.
Creating one (the right way)
- In WP Admin, go to Users → Profile (or edit a dedicated integration user).
- Scroll to Application Passwords.
- Enter a name like
FluxWriterand click Add New Application Password. - Copy the generated password immediately — WordPress only shows it once.
The password looks like abcd EFGH 1234 ijkl MNOP 5678. The spaces are decorative; you can paste it with or without them.
The "dedicated user" pattern
For production sites, create a separate WP user with the Editor role and generate the Application Password from that account. Reasons:
- Revoking the integration is one-click without touching your admin account.
- Audit logs cleanly attribute every API-published post to "FluxWriter" instead of you.
- If the credential ever leaks, the blast radius is bounded by the Editor role.
Common connection errors and fixes
- "401 Unauthorized" — almost always a wrong username. The username is the WP login name, not the email or display name.
- "REST API disabled" — a security plugin (Wordfence, iThemes) has blocked unauthenticated REST. Whitelist the
/wp-json/wp/v2/postsendpoint or allow Application Password auth specifically. - "403 from server" — the host (often managed WP) is stripping the Authorization header. Add
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1to.htaccess, or contact the host. - "Cannot create posts" — the user role is too low. Editor or above is required.
Rotating safely
Application Passwords don't expire on their own. Rotate them every 6–12 months, or immediately if a teammate leaves. The flow is: generate the new one, paste it into FluxWriter and click Test Connection, then revoke the old one from WP Admin.