[wp-trac] [WordPress Trac] #62789: Enforce use of application passwords for authenticated XML-RPC requests
WordPress Trac
noreply at wordpress.org
Wed Jan 8 18:02:21 UTC 2025
#62789: Enforce use of application passwords for authenticated XML-RPC requests
-------------------------+-----------------------------
Reporter: johnbillion | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: XML-RPC | Version: 5.6
Severity: normal | Keywords:
Focuses: |
-------------------------+-----------------------------
Since WordPress 5.6, application passwords can be used to authenticate
with the REST API and XML-RPC. See #42790 for the ticket and
[https://make.wordpress.org/core/2020/11/05/application-passwords-
integration-guide/ see here for the announcement post with all the
details].
I propose that authentication via regular user passwords is disallowed for
XML-RPC requests, which would leave **authentication possible only via
application passwords**. Any custom authentication mechanisms would
continue to operate as they do currently.
== Reasoning
* Authentication over XML-RPC is a non-interactive workflow which means it
cannot benefit from login security enhancements such as multi-factor
authentication (MFA/2FA), CAPTCHA, or rate limiting. This is why the XML-
RPC feature is commonly disabled.
* Enforcing application password usage for XML-RPC authentication removes
the ability of bad actors to brute force user-generated passwords via this
endpoint. Application passwords are 24 alphanumeric characters long and
generated with a CSPRNG which results in entropy of 142 bits, well beyond
the 128 bits necessary to be considered secure against brute forcing.
Multi-factor authentication plugins often enforce application passwords
for XML-RPC for this reason.
* Along with #21022, this will speed up XML-RPC responses as a fast HMAC
will be used for hashing and checking application passwords rather than
the much slower phpass or bcrypt algorithms which are needed in order to
secure user-generated passwords.
== Concerns
* This is a breaking change for users of XML-RPC who are using user
passwords. This change needs to be communicated over a period of time
before being enforced. We will need to look into what mechanisms are
available to deliver this message to users of XML-RPC clients which will
be affected. I don't yet know if such messaging could be delivered over
the XML-RPC connection or whether it would be preferable to get in touch
with known XML-RPC client developers and ask them to add messaging to
their clients. Needs investigating.
* XML-RPC is considered a legacy API, however it is still in use by the
WordPress mobile apps for Android and iOS. At the time of writing these
apps don't yet support using the application password authorization
workflow in place of inputting a user password (although they do of course
support manually inputting an application password). If application
passwords are to be enforced for the mobile apps then the apps will need
to be updated to show relevant messaging to users in lieu of implementing
an application password authorization workflow.
* Other legacy applications using XML-RPC may operate in an environment
where a web browser isn't available to make use of the application
password authorization workflow, or where the app isn't able to handle a
response via a redirect URI from the workflow. The current application
password auhthorization workflow doesn't support out-of-band responses in
order to display the application password to the user, which means they'll
instead need to manually create an application password from the user
profile screen in the admin area. If we're going to invalidate existing
user passwords for XML-RPC then end users need a way to understand what
they need to do in order to switch to an application password.
* Jetpack appears to still use XML-RPC. Needs investigating.
* Application passwords are only supported over HTTPS (or when the
environment type is set to `local`). Enforcing application passwords would
mean that authenticated XML-RPC requests are no longer supported over
insecure HTTP requests.
== Other
* Need to consider how filters such as
`wp_is_application_passwords_available_for_user` are used and whether it
impacts this change.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62789>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list