Discover in this tutorial how to create and use an application password for the WordPress REST API, without the need for plugins.
In previous tutorials you have seen how to use the REST API, for example in the tutorial where I explained how to display posts from another website via a shortcode using the WordPress REST API.
In that case, you don’t need to authenticate because the data is available for reading, unless you disable the REST API.
But to query other more sensitive data, such as installed plugins, or to create or delete posts, you need to authenticate. As you can imagine, this is for security reasons. 😉
If you do a search on this, you will see that there are several plugins that help you do this, but they are not really necessary anymore.
As of WordPress 5.6 the Application Passwords plugin became part of the core, so you have a native way to create a password that allows you to authenticate with the REST API.
So in this tutorial you're going to see how you can get these credentials and use them to call the REST API in an authenticated way.
The advantage is that once you know how to do this you will be able to access and modify all the REST API endpoints. This opens up an almost infinite range of possibilities.
Let’s see how you can achieve this.
Instructions to create an authentication for the WordPress REST API
1. Create an application password in WordPress
The first thing you need to do is to create a new application password.
To do this go (in the WordPress installation where you want to authenticate) to Users > Profile and scroll down to the “Application Passwords” section.
Then fill in the new password name field (it can be anything) and click on “Add a new application password”.
Once done, the password name and password will be displayed.
Make sure to copy it and keep it safe because it will not be displayed again.
2. Use the data to identify yourself
Now you have the pair of credentials (username and password) that will allow you to authenticate through the REST API.
Here is an example of how you could authenticate yourself to access the plugins endpoint:
In the first part of the snippet you define the variables:
$username = WordPress username
$password = Application password obtained in the previous step
$website_url = The URL of the website
$request_url = The URL where the request is made. In this case it is the concatenation $website_url . '/wp-json/wp/v2/plugins/', which accesses the REST API plugins endpoint.
Remember to change the value of the variables to those of your case.
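Then you use the wp_remote_request function to get the endpoint for plugins (with the
The authentication part is done in the headers, using the base64_encode function to encode the username and password. Base64 is a reversible encoding, not encryption, so the credentials are only protected in transit when the request goes over HTTPS.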
'headers' => array( 'Authorization' => 'Basic ' . base64_encode( $username . ':' . $password ), ),
This is just an example, you can change both the REST API endpoint you access and the HTTP method.
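The request described above with the checks a production caller would want, as an added example that is not the tutorial's original snippet. The function name my_fetch_remote_plugins and the constants MY_REST_USER and MY_REST_APP_PASSWORD are hypothetical; the example assumes you define those constants in wp-config.php so the application password is not hard-coded in the snippet.

```php
<?php
// Added example. MY_REST_USER and MY_REST_APP_PASSWORD are hypothetical
// constants assumed to be defined in wp-config.php.
function my_fetch_remote_plugins( $website_url ) {
	$username = MY_REST_USER;
	$password = MY_REST_APP_PASSWORD;

	// Basic auth is only Base64-encoded, so refuse to send it over plain HTTP.
	if ( 'https' !== wp_parse_url( $website_url, PHP_URL_SCHEME ) ) {
		return new WP_Error( 'insecure_url', 'Refusing to send credentials without HTTPS.' );
	}

	$request_url = untrailingslashit( $website_url ) . '/wp-json/wp/v2/plugins/';

	$response = wp_remote_request(
		$request_url,
		array(
			'method'  => 'GET',
			'timeout' => 15,
			'headers' => array(
				'Authorization' => 'Basic ' . base64_encode( $username . ':' . $password ),
			),
		)
	);

	// Transport-level failure (DNS, TLS, timeout).
	if ( is_wp_error( $response ) ) {
		return $response;
	}

	// 401 means the credentials were rejected; 403 means the authenticated
	// user is not allowed to use this endpoint.
	$code = wp_remote_retrieve_response_code( $response );
	if ( 200 !== $code ) {
		return new WP_Error( 'rest_request_failed', 'Unexpected HTTP status: ' . $code );
	}

	$plugins = json_decode( wp_remote_retrieve_body( $response ), true );
	if ( ! is_array( $plugins ) ) {
		return new WP_Error( 'invalid_json', 'Response body was not valid JSON.' );
	}

	return $plugins; // Array of plugin records returned by the endpoint.
}

// Usage: https://example.com is a placeholder for your own site URL.
$plugins = my_fetch_remote_plugins( 'https://example.com' );
```

If a password is ever exposed, revoke it from the same “Application Passwords” section of the user profile and create a new one.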
In the next tutorials I will explain how you can take advantage of it with practical cases.
Now you know how to create and use WordPress REST API authentication without using any plugin.
Moreover, you’ve seen the possibilities it opens up. With a little practice and imagination you can use WordPress decoupled or headless in conjunction with an app.
Any questions? Let me know in the comments.
And if you want to give me any suggestion for future tutorials, leave it in the contact form. Advantages of being a subscriber. 😉