“Application Passwords Have Been Disabled by Wordfence” — Fix It (Step-by-Step)

September 12, 2025 · MD Pabel Team

TL;DR (Quick Fix)

  1. Wordfence setting: Wordfence → All Options → Brute Force Protection → Disable WordPress application passwords = Off → Save Changes.
  2. If still blocked: Wordfence → Firewall → Manage WAF → switch to Learning Mode → create the app password → switch back to Enabled and Protecting.
  3. Test: Create a fresh app password in Users → Your Profile → Application Passwords, then verify with a quick API call (example below).
  4. Harden: Limit to necessary users only, rotate old app passwords, and monitor Live Traffic for abuse.

What Are Application Passwords (and Why Wordfence Blocks Them)

Application Passwords let trusted apps/services access your WordPress account without your normal login password (think: publishing tools, integrations, automations). They use HTTP Basic Auth over the WordPress REST API.

Why you’re seeing the message:

  • A Wordfence setting is explicitly disabling them.
  • The firewall is blocking the REST endpoint during creation or use.
  • Site/hosting code (e.g., wp-config.php constant) is disabling the feature globally.

We’ll fix these in order—safest first.


Fix 1 — Re-enable Application Passwords in Wordfence

  1. Go to Wordfence → All Options.
  2. Scroll to Brute Force Protection (or search the page for application passwords).
  3. Find “Disable WordPress application passwords” and set it to Off/Un-checked.
  4. Click Save Changes at the top/bottom.
  5. Clear any page/cache plugin if you’re using one, then retest.

Tip: If you don’t see this toggle, your Wordfence version/UI may differ. Move on to Fix 2; you’ll still be able to generate and use application passwords by allowing the specific action through the firewall.


Fix 2 — Let the Firewall Learn (Temporary)

Sometimes Wordfence’s WAF blocks the request that creates/uses an application password.

  1. Wordfence → Firewall → Manage WAF.
  2. Switch Firewall Status to Learning Mode (temporary).
  3. In another tab, create the application password (see the next section).
  4. Return to Firewall and switch back to Enabled and Protecting.
  5. Wordfence → Tools → Live Traffic: review what was allowed during learning; if you see a rule that would block future requests, add a targeted allowlist rather than pausing the firewall again.

⚠️ Only keep Learning Mode on while you perform the intended action. Switch back to Enabled and Protecting immediately after.


Create a New Application Password (The Right Way)

  1. In WordPress, go to Users → Your Profile (or the target user’s profile).
  2. Find Application Passwords.
  3. Enter a name/label (e.g., “Zapier – Blog Publishing”).
  4. Click Add New Application Password.
  5. Copy the generated password and store it safely—it’s shown only once.

Test it quickly (example):

# Replace site.com, user, and app_password below.
# Keep the quotes: generated app passwords are displayed with spaces.
curl -X GET https://site.com/wp-json/wp/v2/users/me \
  -u 'user:app_password'

You should get a JSON response for the authenticated user. If it’s a 401/403, recheck Fix 1–3 and Live Traffic logs.


Use Application Passwords Safely (Best Practices)

  • Minimum scope: Create app passwords per integration (one per tool).
  • Rotate & revoke: Delete unused/old app passwords regularly.
  • Limit by role: Prefer Editor for content tools instead of full Admin.
  • Monitor: Wordfence → Tools → Live Traffic for suspicious hits.
  • Rate limiting: Wordfence → Rate Limiting: keep sensible caps to slow abuse without breaking legitimate API use.
  • 2FA still matters: App passwords bypass normal login, but keep 2FA enabled for dashboard logins.
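
An added example (not from the original post or from Wordfence) for the "Rotate & revoke" point: it takes the list WordPress returns from the `users/me/application-passwords` REST route and flags passwords that were never used, have gone idle, or are old. The sample JSON is constructed, and the 90/365/14-day thresholds are assumptions for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the response of
# GET /wp-json/wp/v2/users/me/application-passwords (all values invented).
SAMPLE = """[
 {"uuid": "aaaaaaaa-0000-4000-8000-000000000001", "name": "Zapier - Blog Publishing",
  "created": "2025-08-20T09:00:00", "last_used": "2025-09-10T14:30:00", "last_ip": "203.0.113.10"},
 {"uuid": "aaaaaaaa-0000-4000-8000-000000000002", "name": "Old mobile app",
  "created": "2023-01-15T08:00:00", "last_used": "2024-02-01T00:00:00", "last_ip": "198.51.100.7"},
 {"uuid": "aaaaaaaa-0000-4000-8000-000000000003", "name": "Test integration",
  "created": "2025-06-01T12:00:00", "last_used": null, "last_ip": null}
]"""

def parse_gmt(value):
    # WordPress reports these timestamps in GMT without an offset; null = never used.
    if value is None:
        return None
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

def audit(passwords, now, max_idle_days=90, max_age_days=365, grace_days=14):
    """Return [(uuid, name, [reasons])] for passwords to revoke or rotate.
    Thresholds are assumptions for this example, not WordPress or Wordfence defaults."""
    findings = []
    for item in passwords:
        created = parse_gmt(item["created"])
        last_used = parse_gmt(item.get("last_used"))
        reasons = []
        if last_used is None:
            # Skip brand-new passwords that simply have not been used yet.
            if now - created > timedelta(days=grace_days):
                reasons.append("never used")
        elif now - last_used > timedelta(days=max_idle_days):
            reasons.append(f"idle for {(now - last_used).days} days")
        if now - created > timedelta(days=max_age_days):
            reasons.append(f"older than {max_age_days} days")
        if reasons:
            findings.append((item["uuid"], item["name"], reasons))
    return findings

if __name__ == "__main__":
    now = datetime(2025, 9, 12, tzinfo=timezone.utc)  # fixed date keeps the sample reproducible
    for uuid, name, reasons in audit(json.loads(SAMPLE), now):
        print(f"{name} ({uuid}): {', '.join(reasons)}")
```

Each flagged `uuid` identifies the entry to delete under Users → Your Profile → Application Passwords.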

Troubleshooting (Common Errors)

  • “Disabled by Wordfence” still shows:
    • Confirm Fix 1 is saved.
    • Update Wordfence to the latest version.
    • Temporarily try Fix 2 to create the password, then revert.
    • Check wp-config.php for WP_DISABLE_APPLICATION_PASSWORDS.
  • 401 Unauthorized during API calls:
    • Make sure you’re using username:app_password (not your normal password).
    • If you changed the username, recreate the app password.
    • Verify HTTPS and that a proxy/CDN isn’t stripping Authorization headers.
  • 403 Forbidden:
    • Firewall is blocking the route—switch to Learning Mode to capture the exact rule, then add a targeted allowlist.
  • No Application Passwords section visible:
    • Your WP version is too old (feature arrived in WP 5.6+), the user role can’t use it, or a plugin/server setting is hiding it. Check Fix 3.

FAQs

Q1: Is it safe to re-enable application passwords?
A: Yes—if you restrict to necessary users, rotate/revoke unused tokens, and monitor with Wordfence. They’re safer than sharing your real password.

Q2: Will 2FA block application passwords?
A: No. Application passwords are a separate auth method for API use. Keep 2FA on for dashboard logins.

Q3: Should I pause Wordfence to make it work?
A: Don’t fully pause the plugin. Use Learning Mode briefly or add targeted allowlists. Broad pauses increase risk.

Q4: Can I restrict an app password to certain actions?
A: Not granularly in core WordPress. Create a separate low-privilege user for the integration when possible.

Q5: Do I need HTTPS?
A: Strongly recommended so your Authorization header (with the app password) isn’t exposed.


About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With 7+ years of experience, he has completed 3200+ projects, served 2300+ clients, and resolved 4500+ cases of malware and hacked websites.