
WordPress 5.6, the final major release planned for 2020, comes out today, on December 8, 2020. It includes a few major features and updates, as well as a huge number of minor enhancements and bug fixes. A few changes have immediate implications for security and compatibility which I’ve highlighted in this post for WordPress users.
Application Passwords add functionality, and risk
WordPress 5.6 will come with a new feature that allows external applications to request permission to connect to a site and generate a password specific to that application. Once the application has been granted access, it can perform actions on behalf of a user via the WordPress REST API.
Unfortunately, socially engineering a site administrator into granting application passwords to a malicious application is trivial. An attacker could trick a site owner into clicking a link requesting an application password, naming their malicious application whatever they wanted.
Worse yet, the application password request URLs are set up to send the newly generated password to the requester’s site via a redirect URL. Since application passwords function with the permissions of the user that generated them, an attacker could use this to gain control of a website. On Wordfence Live, we demonstrated a social engineering attack that abuses application passwords.
For this reason, the latest version of Wordfence, 7.4.14, disables application passwords by default. If you have a specific use case for application passwords and would like to re-enable them, you can do so under Wordfence->Firewall->Manage Brute Force Protection.
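An added example, not part of the original post or Wordfence's code: a Python check that scans web access logs for application password approval requests whose redirect target is a host other than the site itself. It assumes combined-format logs, WordPress core's `authorize-application.php` approval screen with its `app_name` and `success_url` parameters, and a placeholder site hostname `blog.example.com`; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "blog.example.com"  # assumption: placeholder, set to your site's hostname
AUTHORIZE_PATH = "/wp-admin/authorize-application.php"  # core approval screen

# Request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def check_line(line, site_host=SITE_HOST):
    """Return a finding if the line is an approval request whose success_url
    would deliver the new password to another host, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path != AUTHORIZE_PATH:
        return None
    params = parse_qs(url.query)  # also percent-decodes the values
    success_url = params.get("success_url", [""])[0]
    target = (urlsplit(success_url).hostname or "").lower()
    if not target or target == site_host.lower():
        return None  # no redirect, or the password stays on this site
    return {
        "client": line.split(" ", 1)[0],  # browser of the user shown the prompt
        "app_name": params.get("app_name", [""])[0],  # chosen by the requester
        "redirect_host": target,
    }

def scan(lines, site_host=SITE_HOST):
    """Collect findings for every flagged line."""
    return [f for f in (check_line(l, site_host) for l in lines) if f]

# Constructed sample log lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Dec/2020:10:01:12 +0000] "GET /wp-admin/authorize-application.php'
    '?app_name=Site+Backup&success_url=https%3A%2F%2Fcollector.example.net%2Fcb HTTP/1.1" 200 5120',
    '198.51.100.4 - - [08/Dec/2020:10:05:40 +0000] "GET /wp-admin/authorize-application.php'
    '?app_name=Mobile+App&success_url=https%3A%2F%2Fblog.example.com%2Fdone HTTP/1.1" 200 5098',
    '198.51.100.4 - - [08/Dec/2020:10:06:02 +0000] "GET /wp-admin/profile.php HTTP/1.1" 200 8831',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding means a logged-in user was shown the approval prompt, not that a password was issued; compare it against the application passwords listed on that user's profile.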

The jQuery update continues
WordPress 5.6 is step 2 of a 3-step plan to get WordPress on an up-to-date version of jQuery. This plan has been:
- WordPress 5.5: Remove the jQuery Migrate 1.x script. (August 2020)
- WordPress 5.6: Update to the latest jQuery, jQuery UI, and jQuery Migrate scripts. (December 2020)
- WordPress 5.7: Remove the jQuery Migrate script. (March 2021)
WPTavern has an excellent article that goes into more detail about the situation.
PHP 8 Compatibility
If you’re a typical WordPress site owner using a fair number of plugins, it may be some time before it’s safe to update to PHP 8. On the other hand, if you’re creating a brand new site from scratch, you’ll be able to get ahead of many issues by starting with the latest version of PHP and WordPress.
Automatic major version updates
We’ve discussed automatic updates in the past, and how they can be essential for some use cases and potentially catastrophic for others. Currently, WordPress core automatically applies minor updates, which are typically much safer than automatic plugin updates due to extensive testing.
Starting with WordPress 5.6, all new WordPress installations will receive automatic updates for major versions. This means that if you create a fresh WordPress site with WordPress 5.6, it will automatically be updated to WordPress 5.7 when it comes out. While this has a higher likelihood of causing issues, bear in mind that the most likely problems will be with incompatible plugins, which will be much less prevalent on brand new sites.
Existing sites that have updated to WordPress 5.6 from previous versions will retain the current behavior of automatically updating only for minor versions and security patches, so current site owners do not have to worry about this. If desired, a current site owner can now opt in to automatic major version updates and even Beta and RC releases.
A brand new theme
Conclusion
WordPress 5.6 includes a number of changes, improvements, and bug fixes, including many we haven’t covered. We’ve focused on the items we feel are most relevant to our users and most likely to cause issues. As with all major updates to WordPress, whether or not you wish to update right away will depend on your use case. There are a number of promising new features as well as some potential for growing pains, but these will be applicable to developers rather than users.