Quick Fix: Enable Application Passwords
If Wordfence is blocking your application passwords, follow this 30-second fix:
- Go to Settings: Navigate to Wordfence → All Options.
- Find Brute Force: Scroll down to the “Brute Force Protection” section.
- Uncheck the Box: Find “Disable WordPress application passwords” and uncheck it (set to Off).
- Save: Click “Save Changes” and clear your cache.
What Are Application Passwords (and Why Wordfence Blocks Them)
Application Passwords let trusted apps/services (like Zapier, Make, or publishing tools) access your WordPress account without your normal login password. They use the WordPress REST API to talk to your site securely.
Why you’re seeing the error message:
Wordfence disables this feature by default to prevent bots from trying to guess these passwords. The block usually happens at two levels:
- The Setting: A checkbox explicitly turning the feature off.
- The Firewall (WAF): Blocking the API connection itself.
We’ll fix these in order—safest first.

Fix 1 — Re-enable Application Passwords in Wordfence
This is the most common cause. Wordfence hides the menu item in your User Profile unless you flip this switch.
- Go to Wordfence → All Options.
- Scroll to Brute Force Protection (or search the page for application passwords).
- Find “Disable WordPress application passwords” and set it to Off/Un-checked.
- Click Save Changes at the top/bottom.
- Clear any page/cache plugin if you’re using one, then retest.
✅ Tip: If you don’t see this toggle, your Wordfence version/UI may differ. Move on to Fix 2—you’ll still be able to generate and use application passwords by allowing the specific action through the firewall.

Fix 2 — Let the Firewall Learn (Temporary)
Sometimes the setting is off, but Wordfence’s Web Application Firewall (WAF) still blocks the request when you try to create or use the password. It thinks the API connection is a bot.
- Wordfence → Firewall → Manage WAF.
- Switch Firewall Status to Learning Mode (temporary).
- In another tab, create the application password (see the next section).
- Return to Firewall and switch back to Enabled and Protecting.
- Wordfence → Tools → Live Traffic: review what was allowed during learning; if you see a rule that would block future requests, add a targeted allowlist rather than pausing the firewall again.
⚠️ Warning: Only keep Learning Mode on while you perform the intended action. Switch the firewall back to Enabled and Protecting immediately after.

How to Create a New Application Password (The Right Way)
- In WordPress, go to Users → Your Profile (or the target user’s profile).
- Scroll down to find Application Passwords.
- Enter a name/label (e.g., “Zapier – Blog Publishing”).
- Click Add New Application Password.
- Copy the generated password immediately and store it safely—it’s shown only once.

Test it quickly (For Developers):
# Replace site.com, user, and app_password below.
# Keep the quotes: WordPress displays the generated password in space-separated groups.
curl -X GET https://site.com/wp-json/wp/v2/users/me \
  -u "user:app_password"
You should get a JSON response for the authenticated user. If it’s a 401/403 error, recheck Fix 1 & 2.
Use Application Passwords Safely (Best Practices)
Opening up API access introduces some risk. Follow these rules to stay safe:
- Minimum scope: Create app passwords per integration (one for Zapier, one for Make). Don’t reuse them.
- Rotate & Revoke: Delete unused/old app passwords regularly.
- Limit by role: If a tool only needs to edit posts, create a user with the “Editor” role and give that user the app password. Do not give it to an Admin user unless necessary.
- Monitor: Check Wordfence → Tools → Live Traffic for suspicious hits on the API.
- 2FA still matters: App passwords bypass normal login, but keep 2FA enabled for dashboard logins.
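To make the "Rotate & Revoke" rule checkable, the following added example (not part of the original article or of Wordfence) reviews the list that WordPress core returns from `/wp-json/wp/v2/users/me/application-passwords` and flags passwords that were never used or have sat idle. The sample records and the 90-day threshold are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of what GET /wp-json/wp/v2/users/me/application-passwords
# returns (field names per the WordPress core REST API; values are made up).
SAMPLE = json.loads("""[
 {"uuid": "11111111-aaaa-4bbb-8ccc-000000000001", "name": "Zapier - Blog Publishing",
  "created": "2024-01-10T09:00:00", "last_used": "2024-05-28T07:30:00", "last_ip": "203.0.113.10"},
 {"uuid": "11111111-aaaa-4bbb-8ccc-000000000002", "name": "Make",
  "created": "2023-03-02T12:00:00", "last_used": "2023-09-01T12:00:00", "last_ip": "198.51.100.7"},
 {"uuid": "11111111-aaaa-4bbb-8ccc-000000000003", "name": "test",
  "created": "2023-11-20T15:45:00", "last_used": null, "last_ip": null}
]""")

def _utc(ts):
    # WordPress returns these timestamps without an offset; they are GMT.
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def review(passwords, now, max_idle_days=90):
    """Return [(name, uuid, reason)] for app passwords worth revoking."""
    findings = []
    limit = timedelta(days=max_idle_days)  # assumed policy threshold
    for p in passwords:
        if p.get("last_used") is None:
            # Never used: flag only once it has had max_idle_days to be used.
            if now - _utc(p["created"]) > limit:
                findings.append((p["name"], p["uuid"], "never used"))
        elif now - _utc(p["last_used"]) > limit:
            idle = (now - _utc(p["last_used"])).days
            findings.append((p["name"], p["uuid"], f"idle {idle} days"))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    for name, uuid, reason in review(SAMPLE, now):
        print(f"revoke candidate: {name} ({uuid}): {reason}")
```

To run it against a real site, save the JSON from the same kind of authenticated request used in the test above, pointed at the `application-passwords` endpoint, and pass the parsed list to `review()`.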
Troubleshooting (Common Errors)
- “Disabled by Wordfence” still shows:
  - Confirm Fix 1 is saved.
  - Update Wordfence to the latest version.
  - Check wp-config.php for the line WP_DISABLE_APPLICATION_PASSWORDS and delete it.
- 401 Unauthorized during API calls:
  - Make sure you’re using username:app_password (not your normal password).
  - If you changed the username, recreate the app password.
- 403 Forbidden:
  - The Firewall is blocking the route—switch to Learning Mode (Fix 2) to capture the exact rule, then add a targeted allowlist.
FAQs
Q1: Is it safe to re-enable application passwords?
A: Yes—if you restrict them to specific users and revoke unused tokens. They are safer than sharing your real Admin password with third-party tools.
Q2: Will 2FA block application passwords?
A: No. Application passwords are a separate authentication method designed for API use. They bypass 2FA, which is why you must protect them carefully.
Q3: Should I pause Wordfence to make it work?
A: Don’t fully pause the plugin. Use Learning Mode temporarily or add targeted allowlists. Pausing the firewall leaves your site open to hacks.