One of the biggest updates in WordPress 5.6 involves the REST API. While most users may not directly interact with this level of coding, it is a critical component for plugins and SaaS-based services. Among many incremental upgrades is the addition of Application Passwords. In fact, you may have seen application-specific passwords already: Apple and Google web services have used them for a while.




There is a great benefit to utilizing this service when connecting apps: security and control. Theoretically, you can limit access to elements of the greater application (WordPress site), and revoke access without jumping through a bunch of hoops. However, our friends at Wordfence discovered an issue, described in their post "WordPress 5.6 Introduces a New Risk to Your Site: What to Do": “Unfortunately, socially engineering a site administrator into granting application passwords to a malicious application is trivial. An attacker could trick a site owner into clicking a link requesting an application password, naming their malicious application whatever they wanted.” Their post has much more detail on the scope of the issue, as well as how to disable this functionality if you are sure you won’t be using it.
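One way to restrict the feature in code, as an added example that is not from this post or from Wordfence: a must-use plugin built on the core filters `wp_is_application_passwords_available` and `wp_is_application_passwords_available_for_user` and the `wp_create_application_password` action. The file placement, the choice of the `manage_options` capability, and the `example_` function name are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Restrict Application Passwords (added example)
 * Assumed location: wp-content/mu-plugins/restrict-app-passwords.php
 */

// Option A: switch the feature off for the whole site.
// add_filter( 'wp_is_application_passwords_available', '__return_false' );

// Option B: keep the feature, but not for accounts that can administer the
// site, since a socially engineered grant from those accounts costs the most.
add_filter(
	'wp_is_application_passwords_available_for_user',
	function ( $available, $user ) {
		return user_can( $user, 'manage_options' ) ? false : $available;
	},
	10,
	2
);

// Log every newly created application password so an unexpected grant is noticed.
add_action(
	'wp_create_application_password',
	function ( $user_id, $new_item ) {
		error_log( sprintf(
			'Application password created: user_id=%d name=%s uuid=%s',
			$user_id,
			sanitize_text_field( $new_item['name'] ),
			$new_item['uuid']
		) );
	},
	10,
	2
);

// Audit helper (hypothetical name): list application passwords that
// administrator accounts already hold, so stale or unknown ones can be revoked.
function example_list_admin_application_passwords() {
	$report = array();
	foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
		foreach ( WP_Application_Passwords::get_user_application_passwords( $user->ID ) as $item ) {
			$report[] = array(
				'user'      => $user->user_login,
				'name'      => $item['name'],
				'created'   => gmdate( 'c', $item['created'] ),
				'last_used' => $item['last_used'] ? gmdate( 'c', $item['last_used'] ) : 'never',
			);
		}
	}
	return $report;
}
```

Entries the audit turns up that nobody recognizes can be revoked from the user's profile screen or with `WP_Application_Passwords::delete_all_application_passwords( $user_id )`.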
