Hi @brettdl, thanks for getting in touch!
So long as the?Wordfence > All Options > Disable WordPress application passwords?setting isn’t enabled, Wordfence shouldn’t be blocking them by design.
It sounds like a false-positive could be stopping a normal operation when the connection is attempted.
There may be some specific?Live Traffic?blocks visible when attempts are made to connect into your site. When clicking any block line (or “eye” icon) on blocks that appear during this process, it will state the reason in red text. The easiest way to test is to attempt an Application Password connection that’s failing, then check Live Traffic for the most recent entry at the top of the list.
Sometimes, depending on the issue, an “ADD PARAM TO FIREWALL ALLOWLIST” button appears in this section which you can click to allow these types of request in future.
Also,?Learning Mode?can help easily allow operations if they’re being blocked as false-positives. From the Wordfence Dashboard click on?Manage WAF. Then you will see?Basic Firewall Options > Web Application Firewall Status. Change the option to?Learning Mode. You could then attempt to connect the application again to teach Wordfence this is normal and should be allowed in future. After your testing, switch the WAF from Learning Mode back to?Enabled and Protecting?to see if they continue to work.
Let us know how you get on!
Peter.
