Application Passwords


With Application Passwords you are able to authenticate users without providing their passwords directly. Instead, a unique password is generated for each application without revealing the user’s main password. Application passwords can be revoked for each application individually.


Requesting Password for Application

To request a password for your application, redirect users to:

and use the following GET request parameters to specify:

  • app_name (required) – The human readable identifier for your app. This will be the name of the generated application password, so structure it like … “WordPress Mobile App on iPhone 12” for uniqueness between multiple versions. If omitted, the user will be required to provide an application name.

  • success_url (recommended) – The URL that you’d like the user to be sent to if they approve the connection. Two GET variables will be appended when they are passed back — user_login and password — these credentials can then be used for API calls. If the success_url variable is omitted, a password will be generated and displayed to the user, to manually enter into your application.

  • reject_url (optional) – If included, the user will get sent there if they reject the connection. If omitted, the user will be sent to the success_url, with ?success=false appended to the end. If the success_url is omitted, the user will be sent to their dashboard.

Creating Application Password Manually

  1. Go the User Profile page of the user that you want to generate a new application password for. To do so, click Users on the left side of the WordPress admin, then click on the user that you want to manage.
  2. Application Passwords セクションが表示されるまで下へスクロールしてください。通常ページの一番下にあります。
  3. Within the input field, type in a name for your new application password, then click Add New.
    Note: The application password name is only used to describe your password for easy management later. It will not affect your password in any way. Be descriptive, as it will lead to easier management if you ever need to change it later.
  4. 「新規追加」ボタンをクリックすると、新しいアプリケーションパスワードが表示されます。 今後はもう表示されませんので、これをどこか安全なところに必ず保存してください。このパスワードを紛失した場合、再度取得することはできません。


WordPress REST API

このテストは以下の技術を使っていますが、あらゆる REST API リクエストが使えます。

  • WordPress REST API
  • cURL
  • Mac OSX または Linux
  • Mac または Linux ターミナル
  • ローカルホストで実行中のローカル開発環境 (例: MAMP、XAMPP、DesktopServer、Vagrant)

Make a REST API call using the terminal window to update a post. Because you are performing a POST request, you will need to authorize the request using your newly created base64 encoded access token. If authorized correctly, you will see the post title update to “New Title.”

curl --user "USERNAME:APPLICATION_PASSWORD" -X POST -d "title=New Title" http://LOCALHOST/wp-json/wp/v2/posts/POST_ID

When running this command, be sure to replace USERNAME and APPLICATION_PASSWORD with your credentials (curl takes care of base64 encoding and setting the Authorization header), LOCALHOST with the location of your local WordPress installation, and POST_ID with the ID of the post that you want to edit.


このテストは以下の技術を使っていますが、あらゆる XML-RPC リクエストが使えます。

  • XML-RPC が WordPress 内で有効
  • cURL
  • Mac OSX または Linux
  • Mac または Linux ターミナル
  • ローカルホストで実行中のローカル開発環境 (例: MAMP、DesktopServer、Vagrant)

Once you have created a new application password, it’s time to send a request to test it. Unlike the WordPress REST API, XML-RPC does not require your username and password to be base64 encoded. To begin the process, open a terminal window and enter the following:

curl -H 'Content-Type: text/xml' -d '<methodCall><methodName>wp.getUsers</methodName><params><param><value>1</value></param><param><value>USERNAME</value></param><param><value>PASSWORD</value></param></params></methodCall>' LOCALHOST

In the above example, replace USERNAME with your username, and PASSWORD with your new application password. This should output a response containing all users on your site.

Plugin History

This is a feature plugin that is a spinoff of the main Two-Factor Authentication plugin.


  • New application passwords has been created.
  • お持ちのアカウントに少なくとも1つのアプリケーションパスワードが作成されると、それらを表示し、必要に応じて使用状況を表示したり取り消すことができるテーブルが見られるようになります。


Search for “Application Passwords” under “Plugins” → “Add New” in your WordPress dashboard to install the plugin.

Or install it manually:

  1. Download the plugin zip file.
  2. Go to PluginsAdd New in your WordPress admin.
  3. 「プラグインのアップロード」ボタンをクリックします。
  4. ダウンロードしたファイルを選択します。
  5. 「プラグインをインストール」をクリックします。
  6. 有効化します。

Using Composer

Add this plugin as a Composer dependency from Packagist:

composer require georgestephanis/application-passwords


9月 21, 2018
This is freakin awesome. I'm using it as a dependency in a new plugin I'm making. I finally got it working, and it seems easier to use than OAuth. All these millions of WordPress sites are going to start getting connected together in new ways. This is a great first step.
3月 25, 2018
It is very convenient to generate & revoke passwords from within the user profile page... thanks to the dev!
1月 17, 2018
working mode is okay, but hoping for the best version


Application Passwords はオープンソースソフトウェアです。以下の人々がこのプラグインに貢献しています。


“Application Passwords” をあなたの言語に翻訳しましょう。

開発に興味がありますか ?

コードを閲覧するか、SVN リポジトリをチェックするか、開発ログRSS で購読してみてください。


See the release notes on GitHub.