Application Passwords Disabled Despite HTTPS & Correct Config – Need Help

  • Resolved alinajum

    (@alinajum)


    10 months, 1 week ago

    Hi WordPress community,

    I’m unable to enable Application Passwords (required for the WooCommerce mobile app), even after exhaustive troubleshooting. Here’s what I’ve tried:Steps Taken So Far

    1. SSL/HTTPS Setup
      • Installed and activated ZeroSSL (Lifetime SSL) via Hostinger.
      • Confirmed SSL is active (padlock shows in browser).
      • Updated WordPress URLs to https:// in Settings > General.
      • Added force HTTPS rules to .htaccess:apacheCopyDownloadRewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    2. Authorization Headers
      • Added Hostinger-recommended code to .htaccess:apacheCopyDownload<IfModule mod_setenvif.c> SetEnvIf Authorization “(.*)” HTTP_AUTHORIZATION=$1 </IfModule>
      • Disabled all security/cache plugins (Wordfence, LiteSpeed, etc.).
    3. WordPress Config
      • Verified wp-config.php has no DISALLOW_APPLICATION_PASSWORDS line.
      • Checked Settings > Reading – “Discourage search engines” is unchecked.
      • Site Health (Tools > Site Health) shows no critical errors (REST API is accessible).

    Current Issue

    • Application Passwords section is missing in Users > Profile.
    • WooCommerce app error:“Application password feature is disabled in your site.”

    Questions

    1. Are there server-level blocks (ModSecurity, firewalls) that could silently drop Authorization headers?
    2. Could a theme/plugin conflict persist even after deactivation?
    3. Any way to debug why WordPress disables the feature despite HTTPS?

    Any insights or debugging steps would be greatly appreciated!

    The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)
  • Manuel Camargo

    (@sirlouen)

    10 months, 1 week ago

    I’m not aware of the possibility of having Application Passwords disabled by WP

    In fact I’m currently testing in my local installation (without certificates or anything like that, because I’ve noticed you have taken a ton of steps regarding this part), and I can add Application Passwords without trouble.

    Doing a quick search I find that some plugins that Wordfence like to disable this feature by default.

    Moderator bcworkz

    (@bcworkz)

    10 months, 1 week ago

    1. While possible, it’s unlikely. You could confirm request headers with some PHP code and confirm response headers with your browser’s network developer tool. In any case, AFAIK WP doesn’t check headers to determine applicability of app passwords. The criteria is only if the communication is protected by SSL. WP simply checks for a HTTPS request or the port number (see source code for is_ssl()).

    However, if your site is using Basic Auth, it’ll cause app passwords to be disabled.

    2. No, however, caching could make it appear so.

    3. Yes, step through PHP code in /wp-admin/user.php, starting around line 776 and determine where the app password section is being suppressed. If you have SSL or are in a local environment, that should normally allow app passwords. However, it’s feasible for themes or plugins to disable the feature via available filter hooks. Apparently you’ve already confirmed that’s not happening.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Application Passwords Disabled Despite HTTPS & Correct Config – Need Help’ is closed to new replies.