How to Disable the Application Passwords Feature in WordPress 5.6

WordPress version 5.6 has been released recently with some amazing changes, and the Application Passwords feature is one of them. However, turning on this feature can lead to some security issues. Therefore, some users want to disable the Application Passwords feature in WordPress 5.6.

The process is quite easy, you can do it manually or using a plugin. We’re going to walk you through it (step by step). However, you should spend 2 minutes to understand the Application Passwords feature first!

How Does Application Passwords Work?

Application Passwords is a new feature of WordPress 5.6 that allows external applications to request some permission on your WordPress website. When you accept their request, they can access some sections and perform some actions on your site.

Why Should We Disable Application Passwords in WordPress 5.6?

As for the security experts, enabling the Application Passwords feature will be very risky if users can’t control it. Why? Because this feature is also an open door for hackers / attackers to access your website.

Specifically, hackers can fake reputable applications and request permissions on your site. Once they succeed, they can bring away important data, and bring back lots of trouble.

In addition, if your website doesn’t have the SSL certificate, hackers on your network (or on the network between your site and the application) can see the application passwords. Therefore, if you don’t really need this feature, you better disable it.

Even when you need APIs, we still recommend that you shouldn’t give external applications too many permissions. Who knows what they can do with those important permissions?

Ok, now you understand the Application Passwords feature and why it can lead to security issues. Let’s move the important part - how to disable it!

Disable the Application Passwords Feature Using Plugin

As I mentioned above, the Application Passwords feature in WordPress 5.6 can be a security hole for hackers to utilize. Given that, many security services such as Wordfence, WebARX, Astra Security, etc automatically disable this feature. If you’re using them, you don’t need to do anything. Otherwise, you can use Disable Application Passwords plugin.

This is a new free plugin that is created only for disabling the Application Passwords feature. It’s one line of code, fast, and very easy-to-use. You can download it on wordpress.org, and then install and activate the plugin as usual.

After you finished activating the plugin, it will automatically disable the Application Passwords feature. To re-enable the feature, just simply deactivate the plugin. Easy peasy, right? However, if you don’t want to install a plugin just for this very simple task, you can use code as below. But don’t worry, the process is quite easy, even non-tech savvy can do it within our instruction.

Disable the Application Passwords Feature Manually

To disable this feature manually, add the below code to the functions.php file of your theme:

add_filter( 'wp_is_application_passwords_available', '__return_false' );

Note: The functions.php file is located in Appearance > Theme Editor.

In addition, you can specify who is allowed to use this feature in WordPress 5.6. For instance, I want to specify that only Administrators and Editors are able to use this feature. Thus, I enter this code into the functions.php file:

function your_prefix_customize_app_password_availability( $available, $user ) {
   if ( ! in_array( 'administrator', (array) $user->roles ) && ! in_array( 'editor', (array) $user->roles ) ) {
       $available = false;
   }
   return $available;
}
add_filter( 'wp_is_application_passwords_available_for_user', 'your_prefix_customize_app_password_availability', 10, 2 );

Note:

• The code that has this structure:  if ( ! in_array( 'administrator', (array) $user->roles ) && ! in_array( 'editor', (array) $user->roles ) ) {  is to point out who can use this feature. To allows any users with other specific user roles, you just need to replace 'administrator' or 'editor' with the desired user roles (for example, ‘author’).

To enable the Application Passwords feature in WordPress 5.6, just enter the following code to the functions.php file:

add_filter( 'wp_is_application_passwords_available', '__return_true' );

Done! Now you can easily disable / enable this feature whenever you want. If you want to enable it, just accept the requests from the applications that you really know who they are. In case you have troubles with security issues caused by hackers, this article may help you.

Last Words

When WordPress 5.5 was released, the Sitemaps feature brought some issues (conflict) to users who created sitemaps with plugins (you can fix it easily, just follow this tutorial). Now WordPress 5.6 comes with risks about security issues. So it seems to be risky when you upgrade to new versions of WordPress too early. Therefore, you better wait for a while before running the updates.

In addition, if your website doesn’t work well on new versions of WordPress 5.6, try downgrading WordPress to older versions. Sometimes the latest one may not be the best one!