← WordPress setup guides

Wordfence is blocking Application Passwords

If you try to connect your WordPress site to 42flows and see:

Application passwords have been disabled by Wordfence.

That's because Wordfence — one of the most popular WordPress security plugins — disables WordPress Application Passwords by default. Application Passwords are WordPress's official way of giving external services safe, revocable write access to your site via the REST API. Without them, 42flows can't publish content to your site.

The fix takes 30 seconds.

  1. In your WordPress admin, go to Wordfence → All Options.
  2. Expand Brute Force Protection.
  3. Find the setting Disable WordPress application passwords.
  4. Uncheck it.
  5. Click Save Changes at the bottom.

That's it. Your site will now expose the Application Passwords UI to authorized users.

Why this is safe

Application Passwords are:

  • Scoped — they only grant REST API access, not full login.
  • Revocable — you can delete an Application Password from your user profile anytime, which instantly breaks the connection without changing your main password.
  • Named — every Application Password is tied to a human-readable app name (e.g. 42flows), so you always know which service has access.
  • Auditable — WordPress logs the last time each Application Password was used.

Disabling them doesn't make your site meaningfully more secure — it just blocks legitimate integrations.

Create the Application Password

Once Wordfence is no longer blocking, you have two paths:

Automatic (via 42flows):

  1. Go back to the 42flows dashboard.
  2. Click Connect WordPress again.
  3. WordPress will redirect you to an authorization screen.
  4. Click Yes, I approve this connection — done.

Manual (if automatic still fails):

  1. In WordPress admin, go to Users → Profile.
  2. Scroll to Application Passwords.
  3. Enter 42flows as the name → click Add New Application Password.
  4. Copy the 24-character password shown (it's only displayed once).
  5. Paste it into the manual entry fallback in the 42flows dashboard.

Still stuck?

If you've unchecked the Wordfence setting and still don't see the Application Passwords section on your user profile:

  • Make sure you're on WordPress 5.6 or later — Application Passwords were added in 5.6.
  • Check that you're accessing the site over HTTPS. WordPress disables Application Passwords on non-HTTPS sites by default.
  • Check if another security plugin (iThemes Security, All In One Security, Sucuri) is also disabling them — same fix pattern: find the setting, uncheck it.

Once it's working, 42flows takes over — we handle SEO plugin detection, category creation, schema markup, and content delivery automatically.