Application Passwords are passwords that applications can use, not humans. They allow you to authenticate with a service, without using your human login credentials.

They are linked directly to individual WordPress users.

By linking to users, it also implies the precise access permissions granted to an application when given access to your WordPress site.

For example, if you create an app password on your administrator account, the application will have full admin rights. But if you instead do so with an Editor user, you’ll limit what an application may be able to do.

You’ll see a section in the WP user profile page for managing these passwords:

Simply click to create a password and use this in-place of your login password when supplying credentials to service providers.


Shield supports Application Passwords feature.


For more information about what exactly this feature is, whether there are any security risks, and how Shield has been adapted, read this blog post here.