
WordPress 5.6 Risk: Here’s How to Protect Your Site


WordPress 5.6 was released on December 8, 2020. While this release has a number of beneficial improvements, it also includes something that introduces a potential security risk to your site. 

If you are on Pair WordPress Hosting or use PairSIM to manage your WordPress installation and haven’t disabled the WordFence plugin, you are already protected by default. 

The WordPress 5.6 Risk

WordPress 5.6 comes with application password support. This means that outside applications can connect to your site and, once an application has been granted access, a password is generated for that application. 

The normal process will look something like this: a third-party application requests to connect to your site and generate a password. You (or your site administrator) grant access. A password is then generated for the application and sent to the third-party application via a redirect URL. 

While this utility is benign on its own, it can be abused in ways that make it hard to differentiate abuse from a legitimate source. Say, for example, a hacker wants to gain access to your site admin interface. If they know what the application request looks like, they can mimic it and trick your site administrator into granting them access. Once the site administrator grants access, the hacker can enter your website using the application password. 

How does the application password give them access? Well, application passwords are given the same level of permissions as the user that created them (in this case, the site administrator). This would effectively give the hacker unfettered access to your website’s admin interface. 

How You Can Protect Your Site

So how do you protect yourself? Luckily, if you use the WordFence plugin (which comes on all WordPress installations through Pair Networks) and have updated it to version 7.4.14, then you’re already protected! 

WordFence version 7.4.14 automatically disables application passwords. That way, the risk is removed from your site. 

Not sure if you’ve updated your WordFence plugin? You can check by going to Plugins in the left sidebar, then checking to see if WordFence has an update. 

If you manually installed WordPress on your Pair hosting account or removed WordFence from your WordPress installation, then you will need to manually disable the new application password feature. 
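One way to disable the feature by hand is a small must-use plugin built on WordPress's own `wp_is_application_passwords_available` filters. This is an added example, not code from Pair or WordFence; the file location and the `EXAMPLE_APP_PASSWORD_ALLOWED_LOGINS` allowlist are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Restrict Application Passwords (added example)
 *
 * Assumed location: wp-content/mu-plugins/restrict-app-passwords.php
 * Must-use plugins load on every request and cannot be switched off
 * from the Plugins screen.
 */

// Hypothetical allowlist of user logins that may use application passwords.
// Leave it empty to turn the feature off for every account.
const EXAMPLE_APP_PASSWORD_ALLOWED_LOGINS = array();

// Site-wide switch: with an empty allowlist the feature is reported as
// unavailable, which is the check WordPress makes before offering it.
add_filter(
	'wp_is_application_passwords_available',
	static function ( $available ) {
		return $available && count( EXAMPLE_APP_PASSWORD_ALLOWED_LOGINS ) > 0;
	}
);

// Per-user gate: only accounts named in the allowlist keep the feature,
// so an administrator account is excluded unless it is listed explicitly.
add_filter(
	'wp_is_application_passwords_available_for_user',
	static function ( $available, $user ) {
		if ( ! $user instanceof WP_User ) {
			return false;
		}
		return $available
			&& in_array( $user->user_login, EXAMPLE_APP_PASSWORD_ALLOWED_LOGINS, true );
	},
	10,
	2
);

// Audit trail: write a line to the PHP error log whenever an application
// password is created, so an unexpected grant can be spotted and revoked.
add_action(
	'wp_create_application_password',
	static function ( $user_id, $new_item ) {
		$name = sanitize_text_field( $new_item['name'] );
		error_log( sprintf( 'Application password "%s" created for user ID %d', $name, $user_id ) );
	},
	10,
	2
);
```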

Should I Still Update to WordPress 5.6?

Yes, you should still update to WordPress 5.6. However, we also recommend you either use WordFence version 7.4.14 or above, or you put other precautions into place that help minimize the risk of application password abuse. 

I Have WordFence, But I Want to Use Application Passwords

If you plan on using application passwords regardless of the risk, you can still do so with WordFence installed. You just need to tell the plugin that you plan to do so. 

In order to re-enable application passwords, follow these steps: 

  1. Log in to your WordPress Admin interface
  2. In the left sidebar, hover over the WordFence tab
  3. In the drop-down, click Firewall
  4. Then, find the Brute Force Protection section and click on Manage Brute Force Protection
  5. Uncheck the box next to Disable WordPress application passwords
  6. Click the Save Changes button in the top bar

This will allow application passwords on your site. We do not recommend you enable this unless you are planning on using application passwords. 

If You Need Any Help or Have Questions… 

If you need any help or have questions about this update, please reach out to our support staff. They are available 24/7 to help answer questions, troubleshoot, or give web hosting guidance.