
Document application password logins #698


Merged: 5 commits, Jul 3, 2025


@kasparsd (Collaborator) commented Jul 3, 2025

What?

Document the Two Factor behaviour for logins over REST API and XML-RPC.

Why?

Follow-up to #697.

How?

  • Document the two_factor_user_api_login_enable filter in README.
  • Add a notice to user profile settings about requiring application passwords for logins over REST API and XML-RPC.

Testing Instructions

Screenshots or screencast

Add a notice to user profile to encourage the use of application passwords:

[Screenshot: notice]

Changelog Entry

Added - New feature.
Changed - Existing functionality.
Deprecated - Soon-to-be removed feature.
Removed - Feature.
Fixed - Bug fix.
Security - Vulnerability.

Added - document the two_factor_user_api_login_enable filter.

@@ -1943,6 +1956,12 @@ private static function render_user_providers_form( $user, $providers ) {
<?php esc_html_e( 'Configure a primary two-factor method along with a backup method, such as Recovery Codes, to avoid being locked out if you lose access to your primary method. Methods marked as recommended are more secure and easier to use.', 'two-factor' ); ?>
</p>

<?php if ( function_exists( 'wp_is_application_passwords_available_for_user' ) && wp_is_application_passwords_available_for_user( $user ) ) : ?>
<p>
<?php esc_html_e( 'Authentication for REST API and XML-RPC must use application passwords (defined above) instead of your regular password.', 'two-factor' ); ?>
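
Review bot: The condition on the added `<?php if ( function_exists( 'wp_is_application_passwords_available_for_user' ) && ... ) : ?>` line checks only that application passwords are available for the user, yet the string beneath it states unconditionally that REST API and XML-RPC authentication "must use application passwords". If the `two_factor_user_api_login_enable` filter that this PR documents can permit regular-password API logins, as its name suggests, the notice will be inaccurate on sites that use it; consider gating the notice on the filter's result as well, or softening "must". The "(defined above)" wording also depends on the application passwords section rendering earlier on the profile screen, so naming the section explicitly would survive a layout change.
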
Collaborator Author


@joostdekeijzer @jeffpaul Do you have any comments on this wording?

I considered placing this within the application passwords area or the actual password field, but eventually decided to collocate it with the two-factor instructions.

Member


Copy seems fine to me, location as well; both can iterate if we get any pointed community feedback on either; otherwise :shipit:

@kasparsd kasparsd requested a review from jeffpaul July 3, 2025 14:29
@kasparsd kasparsd self-assigned this Jul 3, 2025
@kasparsd kasparsd merged commit c34df2f into master Jul 3, 2025
54 checks passed
@kasparsd kasparsd deleted the document-application-password-logins branch July 3, 2025 16:28
@jeffpaul jeffpaul added this to the 0.14.0 milestone Jul 3, 2025
@kasparsd kasparsd mentioned this pull request Jul 3, 2025