The Application Passwords feature in iThemes Security Pro just got a new update: the ability to limit an application password to only being usable for XML-RPC requests or REST API requests.

To take advantage of this update, you’ll need to to be running iThemes Security Pro 3.7.0.

This update allows for using username/password authentication for REST API requests so you can lock down the REST API (per our recommendation) while still allowing external tools that use the REST API to connect.

This feature is also useful for users who need to leave XML-RPC active, but don’t want the application password they give to an app or other tool to be valid for the REST API (and vice-versa).

Note: App passwords can be easily revoked, and can never be used for traditional logins to your website.

Once you’ve updated to iThemes Security Pro 3.7.0, visit Users > Your Profile from the WordPress dashboard.

Click the “Add a new application password” button.

From here, you’ll be prompted to name your new application password.

You’re also given the following options:

API Types:

  • Valid for REST API requests
  • Valid for XML-RPC requests

REST API Permissions

  • Read and Write: The application password can access and modify data.
  • Read-Only: The application password can access data but cannot modify data.

Once you’ve completed your settings for your new application password, click the “Create application password” button. Copy the generated password and make sure to save it in a secure location.

iThemes Security will keep a general record of all the generated app passwords including the password name, API types, REST API permission, date created, date last used and the last IP.


You can always revoke passwords at any time using the individual “Revoke” buttons or the “Revoke all application passwords” button at the bottom of the list.

Lock Down Access to the REST API & XML-RPC with iThemes Security Pro

With iThemes Security Pro, you can restrict access to the REST API and disable XML-RPC. To customize these settings, visit the WordPress Tweaks settings from within the Settings page in iThemes Security.


WordPress’ XML-RPC feature allows external services to access and modify content on the site. Common example of services that make use of XML-RPC are the Jetpack plugin, the WordPress mobile app, and pingbacks. If the site does not use a service that requires XML-RPC, select the “Disable XML-RPC” setting as disabling XML-RPC prevents attackers from using the feature to attack the site.

Available settings options:

  • Disable XML-RPC – XML-RPC is disabled on the site. This setting is highly recommended if Jetpack, the WordPress mobile app, pingbacks, and other services that use XML-RPC are not used.
  • Disable Pingbacks – Only disable pingbacks. Other XML-RPC features will work as normal. Select this setting if you require features such as Jetpack or the WordPress Mobile app.
  • Enable XML-RPC – XML-RPC is fully enabled and will function as normal. Use this setting only if the site must have unrestricted use of XML-RPC.

Multiple Authentication Attempts per XML-RPC Request

WordPress’ XML-RPC feature allows hundreds of username and password guesses per request. Use the recommended “Block” setting below to prevent attackers from exploiting this feature.

Available settings options:

  • Block – Blocks XML-RPC requests that contain multiple login attempts. This setting is highly recommended.
  • Allow – Allows XML-RPC requests that contain multiple login attempts. Only use this setting if a service requires it.


The WordPress REST API is part of WordPress and provides developers with new ways to manage WordPress. By default, it could give public access to information that you believe is private on your site. For more details, see our post about the WordPress REST API here.

Available settings options:

  • Restricted Access – Restrict access to most REST API data. This means that most requests will require a logged in user or a user with specific privileges, blocking public requests for potentially-private data. We recommend selecting this option.
  • Default Access – Access to REST API data is left as default. Information including published posts, user details, and media library entries is available for public access.

Get iThemes Security Pro with 30+ Ways to Secure WordPress

iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your WordPress site including WordPress two-factor authentication, WordPress brute force protection, a WordPress malware scan and much more.

Get iThemes Security Pro now

The post New Secure App Passwords for XML-RPC & REST API – New in iThemes Security Pro appeared first on iThemes.

Powered by WPeMatico