WordPress 5.6 has only been out for a few days, and already we have seen quite a number of concerned users asking about the security of the new update, as it introduces a long-awaited application password system for the API.
So let’s clear this up straight away: is this a security risk or problem? No, not at all. The application password system is simply a way for applications to communicate with your WordPress site securely. It does not provide WP Admin dashboard access, and an application password has to be set up for an existing user just as the user account itself would be, so there is no backdoor for creating users.
I believe a lot of the confusion has come off the back of the Wordfence blog post at https://www.wordfence.com/blog/2020/12/wordpress-5-6-introduces-a-new-risk-to-your-site-what-to-do, in which they showed how a socially engineered attack could allow someone to control or take over a site. However, social engineering is a very real risk for any type of access to a site, and as such you should always be alert to emails and messages asking you to click a link or provide details.
So essentially the guidance is that this is just another area that attackers may look to exploit, but it is not inherently a weakness in the system.
I’m never going to use it, can I disable it?
Yes, absolutely. For most of the WordPress user base this will never be something they need to use, so for now you can simply add a snippet of code to your WordPress theme’s functions.php:
add_filter( 'wp_is_application_passwords_available', '__return_false' );
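If a site needs application passwords for a handful of accounts rather than none, the same filter mechanism can be applied selectively instead of switching the feature off outright. The snippet below is an added example, not code from the original post or from WordPress core: it limits the feature to users holding a capability, limits it to REST API requests, and writes a log line for every successful and failed application-password login. The capability name 'edit_posts' and the helper function name are assumptions; the hooks themselves are WordPress 5.6 core hooks.

```php
<?php
// Added example: allow application passwords only where they are needed and
// leave an audit trail. Drop into the active theme's functions.php or a small
// plugin. 'edit_posts' is an assumed capability; pick whatever fits the site.

// 1. Gate the feature per user. Users without the capability see no
//    "Application Passwords" panel on their profile and cannot log in with one.
add_filter( 'wp_is_application_passwords_available_for_user', function ( $available, $user ) {
    if ( ! $available || ! ( $user instanceof WP_User ) ) {
        return false;
    }
    return user_can( $user, 'edit_posts' );
}, 10, 2 );

// 2. Core accepts application passwords for both REST API and XML-RPC requests.
//    Most sites only need the REST API, so take XML-RPC out of the surface.
add_filter( 'application_password_is_api_request', function ( $is_api_request ) {
    return $is_api_request && defined( 'REST_REQUEST' ) && REST_REQUEST;
} );

// Resolve the remote address in one place (assumed helper name). Behind a
// reverse proxy, substitute the header your proxy sets, after validating it.
function example_app_password_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// 3. Audit trail for successful use: which user, which named application, from where.
add_action( 'application_password_did_authenticate', function ( $user, $item ) {
    error_log( sprintf(
        '[app-password] ok user=%s app="%s" ip=%s',
        $user->user_login,
        isset( $item['name'] ) ? $item['name'] : 'unknown',
        example_app_password_client_ip()
    ) );
}, 10, 2 );

// 4. Audit trail for failures: repeated failures from one address are a signal
//    worth alerting on.
add_action( 'application_password_failed_authentication', function ( $error ) {
    error_log( sprintf(
        '[app-password] FAIL code=%s ip=%s',
        $error->get_error_code(),
        example_app_password_client_ip()
    ) );
} );
```

With WP_DEBUG_LOG enabled the lines land in wp-content/debug.log; otherwise they go wherever PHP's error_log is configured to write.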
I’m sure in the very near future we will see a plugin available to handle the same task. It would be nice for this to be a core option to disable it altogether, or for it to be disabled by default and enabled where developers require it.
For more information and a complete breakdown of the feature, check out the WordPress core notes at https://make.wordpress.org/core/2020/11/05/application-passwords-integration-guide/
As always, the most important part of security is you, being vigilant about the emails and messages you receive. The human is the weak link in the chain of security, and for many hackers it is the easiest method of gaining access without ever having to hack a line of a site’s code.
If you are ever unsure, simply don’t click it.