ROBERT JACOBI

Industry Analyst & Strategist

WordPress 5.6 and REST API

One of the biggest updates in WordPress 5.6 involves the REST API. While most users may not directly interact with this level of coding, it is a critical component for plugins and SaaS based services. Among many incremental upgrades is the addition of Application Passwords. In fact you may have seen application specific passwords already, Apple and Google web services have utilized application specific passwords for a while.

BigScoots: Personal. Expert. Always There. That’s Real Managed Hosting.

There is a great benefit to utilizing this service when connecting apps – security and control. Theoretically, you can limit access to elements of the greater application (WordPress site), and revoke access without jumping through a bunch of hoops. However our friends at Wordfence discovered an issue, WordPress 5.6 Introduces a New Risk to Your Site: What to Do: “Unfortunately, socially engineering a site administrator into granting application passwords to a malicious application is trivial. An attacker could trick a site owner into clicking a link requesting an application password, naming their malicious application whatever they wanted.” There is much more detail on the scope of the issue as well as how to disable this functionality if you are sure you won’t be using it.

© 2024 Warbi, Inc. and Robert Jacobi
All rights reserved.