Most people these days know not to click links in suspicious emails; but what if one of your WordPress site’s harried administrators or editors receives an authentic-looking email from the developers of one of the plugins the site relies on, asking them to click a link and provide an Application Password in order to unlock extra security or features, or simply to keep using the plugin?
WordPress 5.6 is due for release today, and one of its new features, Application Passwords, is a cause for concern among some security experts.
Application Passwords are a new tool designed to allow authenticated requests to WordPress APIs by applications. By default in WordPress 5.6, Application Passwords can be created via the WordPress User’s UI for any user, and have all the permissions of the user account in which they’re created.
Security Concerns about Application Passwords
One concern with Application Passwords is that someone could use social engineering to convince a user to provide an Application Password that would allow the execution of commands on the target WordPress site using the REST API. A cleverly spoofed email requesting an Application Password for a legitimate application or plugin might be tempting, as demonstrated in this video by WordFence.
Application Passwords are not designed to be used by humans; they’re for programmatic use by applications. You can’t log in to a WordPress site with an Application Password, but you could use the REST API to create a new user account, publish posts, or do anything else the underlying user account is permitted to do via the REST API.
Disable Application Passwords in WordPress 5.6
You can completely disable Application Passwords by adding the following to your child theme’s functions.php:
// Disable Application Passwords site-wide (WordPress 5.6 and later).
add_filter( 'wp_is_application_passwords_available', '__return_false' );
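Turning the feature off entirely is the bluntest option. If some integrations genuinely need Application Passwords, a narrower guardrail is to allow them only for users who have been explicitly granted a capability, and to log every creation so that a password handed over to a phisher shows up in monitoring. The following must-use plugin is an added example written for this post, not code from WordPress core or from the original article. The two hooks it uses, the `wp_is_application_passwords_available_for_user` filter and the `wp_create_application_password` action, are WordPress 5.6 core hooks; the capability name `use_app_passwords` is a hypothetical custom capability that you would grant to the roles or users that need it.

```php
<?php
/**
 * Plugin Name: Application Password Guardrails (added example)
 * Description: Restrict Application Passwords to explicitly allowed users and log their creation.
 *
 * Added example, not code from WordPress or the original post.
 * Save as wp-content/mu-plugins/app-password-guardrails.php so it loads on every request.
 */

// Core filter (WordPress 5.6+): decides, per user, whether Application Passwords are available.
// $available is the site-wide result of wp_is_application_passwords_available(); $user is a WP_User.
add_filter( 'wp_is_application_passwords_available_for_user', function ( $available, $user ) {
    if ( ! $available ) {
        return false; // respect a site-wide disable set elsewhere
    }
    if ( ! $user instanceof WP_User ) {
        $user = get_userdata( (int) $user ); // defensive: normalise to WP_User
    }
    if ( ! $user ) {
        return false;
    }
    // Hypothetical custom capability: only users who hold it may hold Application Passwords.
    // Grant it once, e.g. with get_role( 'administrator' )->add_cap( 'use_app_passwords' );
    return $user->has_cap( 'use_app_passwords' );
}, 10, 2 );

// Core action (WordPress 5.6+): fires after a new Application Password has been stored.
// $item is the stored record (uuid, app_id, name, hashed password, timestamps); the
// plaintext password is deliberately NOT logged.
add_action( 'wp_create_application_password', function ( $user_id, $item ) {
    $user = get_userdata( $user_id );
    $line = sprintf(
        'application password created: user=%s name="%s" app_id=%s ip=%s',
        $user ? $user->user_login : (string) $user_id,
        isset( $item['name'] ) ? $item['name'] : '?',
        isset( $item['app_id'] ) ? $item['app_id'] : '',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli'
    );
    error_log( $line ); // goes to the PHP error log / WP_DEBUG_LOG; forward it to your SIEM
}, 10, 2 );
```

With this in place, the Application Passwords panel disappears from the profile screen of every user who lacks the capability, and any password that is created by an allowed user leaves an audit line naming the user and the application label they were asked to enter. A creation event for an unfamiliar application name, or one that follows shortly after a plugin-branded email, is exactly the signal the social-engineering scenario above would produce.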