In version 5.6, WordPress introduced application passwords for the REST API. The feature can be useful or dangerous, depending on how it is handled. As a WordPress website owner, what do you need to know about it?
What does the application password do?
The purpose of the application password is to allow a third party application to connect to your site and use the WordPress REST API, introduced in version 4.7, on behalf of one of your site’s users. If you’re not sure what that is, Codeinwp has a good introduction to the REST API. In short, an API is what allows two different applications to talk to each other.
When would you use the REST API?
Let’s say your organization is part of a group of partner organizations. One of the partner organization websites might tap into your WordPress website’s REST API to pull events from your site and display them on the partner website. Similarly, the partner website could display a list of posts from your website on their site. This might be desirable if you have a larger audience you want to alert about upcoming events or recent posts, for example. This is just one example, but the REST API can be used in various legitimate ways.
What is the purpose of the application password?
The REST API exposes public information by default: non-sensitive items like published posts, authors and events. Other information, like unpublished content, remains private, and actions, like updating a post through the API, remain available only to an authenticated user who has the capability to perform them. An application password is a separate credential tied to one of your users: it gives you, the website owner, a way to let another party authenticate to the REST API (and to XML-RPC) as that user without handing over the user’s login password. Two caveats matter here. First, the credential is not scoped: an application password issued from an administrator account can do everything an administrator can do through the API, so issue it from the least privileged user that can do the job. Second, WordPress only accepts application passwords over HTTPS (except on sites whose environment type is set to local), and each password can be revoked individually from the user’s profile screen.
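To make the authentication concrete, here is an added example (not code from the original post, and not from WordPress itself) of a third party application, written in plain PHP with ext-curl, calling a site’s REST API with an application password. The site URL, the user name `editor` and the password value are placeholders; a real password is generated under Users > Profile > Application Passwords. The first request shows which user, and therefore which capabilities, the credential carries; the second performs a write that the unauthenticated API never allows.

```php
<?php
// Added example, not code from the original post: a third-party application
// written in plain PHP (ext-curl) calling a WordPress site's REST API with an
// application password. $site, $username and $app_pass are placeholders;
// generate a real password under Users > Profile > Application Passwords.
// The site must be served over HTTPS: WordPress refuses application passwords
// over plain HTTP unless the environment type is "local".

$site     = 'https://example.com';           // assumed site URL
$username = 'editor';                         // assumed WordPress login name
$app_pass = 'abcd EFGH ijkl MNOP qrst UVWX';  // placeholder; WordPress shows it in groups of four

/**
 * Send one REST request authenticated with an application password.
 * WordPress accepts the credential as HTTP Basic auth (user:application password)
 * and strips the display spaces itself, so the value can be pasted as shown.
 */
function rest_with_app_password( string $method, string $url, string $username, string $app_pass, ?array $body = null ): array {
    $ch = curl_init( $url );
    curl_setopt_array( $ch, array(
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => array(
            'Authorization: Basic ' . base64_encode( $username . ':' . $app_pass ),
            'Content-Type: application/json',
        ),
        CURLOPT_SSL_VERIFYPEER => true, // the credential travels in the header; keep TLS verification on
        CURLOPT_TIMEOUT        => 15,
    ) );
    if ( null !== $body ) {
        curl_setopt( $ch, CURLOPT_POSTFIELDS, json_encode( $body ) );
    }
    $raw  = curl_exec( $ch );
    $code = (int) curl_getinfo( $ch, CURLINFO_HTTP_CODE );
    curl_close( $ch );
    return array(
        'code' => $code,
        'body' => ( false === $raw ) ? null : json_decode( $raw, true ),
    );
}

// 1. Identify the credential. With context=edit the response includes the
//    capabilities of the user the password belongs to. An application password
//    has no scope of its own: the application gets everything this user can do.
$me = rest_with_app_password( 'GET', $site . '/wp-json/wp/v2/users/me?context=edit', $username, $app_pass );
if ( 200 !== $me['code'] ) {
    // 401 here means wrong credentials, application passwords disabled on the
    // site (for example via the wp_is_application_passwords_available filter),
    // or a request made over plain HTTP.
    fwrite( STDERR, "Authentication failed: HTTP {$me['code']}\n" );
    exit( 1 );
}
printf( "Authenticated as %s with capabilities: %s\n",
    $me['body']['slug'],
    implode( ', ', array_keys( $me['body']['capabilities'] ) ) );

// 2. Do something the unauthenticated API never allows: create a post as that
//    user. A draft is used so a test run does not publish anything.
$post = rest_with_app_password( 'POST', $site . '/wp-json/wp/v2/posts', $username, $app_pass, array(
    'title'   => 'Posted via application password',
    'content' => 'Created by the added example.',
    'status'  => 'draft',
) );
printf( "Create draft: HTTP %d, post id %s\n", $post['code'], $post['body']['id'] ?? 'none' );
```

Run it with `php example.php` against a site where the placeholder values have been replaced. The capabilities printed by the first call are the point of the example: whatever that list says is exactly what the application, or anyone who obtains the password, can do.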
What is the danger of the application password?
The danger of allowing any application to access your data is not knowing what the application will do with your data. You wouldn’t want a spammer to be able to use the REST API to update your posts, for example. So that’s ok, you would never hand over access to an untrusted party…
Unless you believed that party to be trustworthy. Phishing and social engineering scams are on the rise. Scammers are becoming more clever, and even if you’re very cautious, it’s possible to be tricked into allowing a third party to access your information via an application password. Humans are the weakest security link. For example, you might see a great new plugin you want for your site; if the source isn’t trustworthy, the plugin could exist for no other reason than to obtain an application password for your site and use it for purposes like publishing spam posts. You might therefore hand over the keys to your site without realizing it.
What should you do to keep your website safe?
If you aren’t using the application password feature, disable it. There are valid use cases for the feature, like publishing posts to your blog from a different website interface. If you aren’t sure whether your website is using it, check each user’s profile screen (Users > Profile > Application Passwords lists every password issued for that account, with its last use) or speak with your developer.
Based on WordPress’s recommendations, we do not advise disabling the REST API altogether, since the block editor and other parts of the admin depend on it. Instead, we recommend disabling application passwords for the REST API.
If you are using Wordfence, application passwords can be disabled under the “Brute Force Protection” heading, “Additional Options.” Wordfence turned this option on automatically when you upgraded to version 7.4.14, so if you do want to use the application password feature, you’ll need to turn it back on here.
What if you don’t have Wordfence?
If you don’t have Wordfence on your website but still want to disable WordPress application passwords, you can use a plugin or add the following filter in a must-use plugin (a file in wp-content/mu-plugins/) or in your child theme’s functions.php file. The must-use plugin is the safer place, because a filter in a theme stops applying as soon as the theme is switched:
add_filter( 'wp_is_application_passwords_available', '__return_false' );
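For sites that do need the feature for one integration, an all-or-nothing switch is too blunt. The following must-use plugin is an added example (not code from the original post or from Wordfence) that restricts application passwords to an allowlist of user logins and surfaces an audit of every password still stored. The constant `APP_PASSWORD_ALLOWED_USERS`, the function `app_password_audit` and the login `integration-bot` are assumptions for illustration. Leaving the allowlist empty disables the feature for everyone, which matches the recommendation above; note that WordPress consults these filters before authenticating, so they also block passwords issued before the plugin was installed.

```php
<?php
/**
 * Plugin Name: Application Password Policy
 * Description: Added example (not from the original post or Wordfence). Restricts
 * WordPress application passwords to an allowlist of users and shows administrators
 * which accounts still hold application passwords. Save as
 * wp-content/mu-plugins/application-password-policy.php.
 */

// Assumed allowlist: only these logins may create or authenticate with application
// passwords. Leave it empty to disable the feature for everyone.
const APP_PASSWORD_ALLOWED_USERS = array( 'integration-bot' );

// Global switch. $available already encodes core's rule (HTTPS or a local
// environment); we keep that rule and add ours.
add_filter( 'wp_is_application_passwords_available', function ( $available ) {
    return $available && ! empty( APP_PASSWORD_ALLOWED_USERS );
} );

// Per-user switch. Core runs this for the user named by the credentials,
// after the global check above.
add_filter( 'wp_is_application_passwords_available_for_user', function ( $available, $user ) {
    if ( ! $available || ! $user instanceof WP_User ) {
        return false;
    }
    return in_array( $user->user_login, APP_PASSWORD_ALLOWED_USERS, true );
}, 10, 2 );

/**
 * Audit: one row per stored application password, across all users, so stale
 * or unexpected ones can be revoked from the owner's profile screen.
 */
function app_password_audit(): array {
    $report = array();
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $user ) {
        foreach ( WP_Application_Passwords::get_user_application_passwords( $user->ID ) as $pw ) {
            $report[] = array(
                'user'      => $user->user_login,
                'name'      => $pw['name'],
                'created'   => gmdate( 'Y-m-d', $pw['created'] ),
                'last_used' => $pw['last_used'] ? gmdate( 'Y-m-d', $pw['last_used'] ) : 'never',
                'last_ip'   => $pw['last_ip'] ?: 'n/a',
                'allowed'   => in_array( $user->user_login, APP_PASSWORD_ALLOWED_USERS, true ),
            );
        }
    }
    return $report;
}

// Show the audit to administrators as a dashboard notice.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $rows = app_password_audit();
    if ( empty( $rows ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Application passwords in use:</strong></p><ul>';
    foreach ( $rows as $r ) {
        printf(
            '<li>%s: &quot;%s&quot;, created %s, last used %s from %s%s</li>',
            esc_html( $r['user'] ),
            esc_html( $r['name'] ),
            esc_html( $r['created'] ),
            esc_html( $r['last_used'] ),
            esc_html( $r['last_ip'] ),
            $r['allowed'] ? '' : ' (not on the allowlist; revoke it)'
        );
    }
    echo '</ul></div>';
} );
```

Passwords for users outside the allowlist stop working as soon as the file is in place, but they stay in the database until revoked, which is why the notice flags them rather than silently ignoring them.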
Wordfence has a more in-depth article on WordPress application passwords that we encourage you to read.