[wp-trac] [WordPress Trac] #64862: Application Passwords: Add rate limiting to prevent brute-force attacks
WordPress Trac
noreply at wordpress.org
Sat Mar 14 11:15:58 UTC 2026
#64862: Application Passwords: Add rate limiting to prevent brute-force attacks
--------------------------+----------------------------------
Reporter: vrutti22 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 6.7
Severity: normal | Keywords: needs-patch security
Focuses: |
--------------------------+----------------------------------
== Problem ==
`wp_authenticate_application_password()` in wp-includes/user.php
has no rate limiting. An attacker can make unlimited REST API
requests guessing application passwords with no lockout.
Unlike cookie login, there is no CAPTCHA, no lockout, and the
wp_login_failed hook is not reliably triggered for plugins to hook into.
== Proposed Fix ==
Add transient-based IP rate limiting inside
wp_authenticate_application_password(), with a filter
`application_password_login_max_attempts` so site owners
can configure the threshold.
== Steps to Reproduce ==
1. Create an Application Password for any user
2. Send repeated REST API requests with wrong password
3. No lockout occurs — requests continue indefinitely
== Expected ==
After N failed attempts from the same IP, return WP_Error with HTTP 429.
== Actual ==
No rate limiting. Unlimited attempts allowed.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64862>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
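As an added illustration of the transient-based, per-IP lockout proposed in the ticket (example code, not the ticket's patch or WordPress core code), the following plugin-style sketch uses the actions core already fires around application-password checks and exposes the proposed `application_password_login_max_attempts` filter. The 15-minute window, the default of 5 attempts, and the `aprl_` prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Application Password Rate Limiter (illustrative example)
 */

define( 'APRL_WINDOW', 15 * MINUTE_IN_SECONDS ); // assumed lockout window

// Transient key for the calling IP. REMOTE_ADDR is only meaningful when the
// site is not behind a reverse proxy that rewrites it.
function aprl_key() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'aprl_' . md5( $ip );
}

function aprl_max_attempts() {
	// Filter name from the ticket's proposal; the default of 5 is assumed.
	return (int) apply_filters( 'application_password_login_max_attempts', 5 );
}

// Count a failed application-password check. Core fires this action from
// wp_authenticate_application_password(). get/set is not atomic, so a burst
// of parallel requests can overshoot the threshold by a few attempts.
add_action( 'application_password_failed_authentication', function () {
	$key   = aprl_key();
	$count = (int) get_transient( $key );
	set_transient( $key, $count + 1, APRL_WINDOW );
} );

// Once the IP is locked out, answer HTTP 429 even if the credentials are now
// correct. Priority 80 runs before core's own application-password check
// (priority 90), so the 429 takes precedence over a plain 401.
add_filter( 'rest_authentication_errors', function ( $result ) {
	if ( ! empty( $result ) || empty( $_SERVER['PHP_AUTH_USER'] ) ) {
		return $result; // already decided, or not a Basic-auth request
	}
	if ( (int) get_transient( aprl_key() ) >= aprl_max_attempts() ) {
		return new WP_Error(
			'too_many_attempts',
			__( 'Too many failed authentication attempts. Try again later.' ),
			array( 'status' => 429 )
		);
	}
	return $result;
}, 80 );

// Reset the counter after a successful application-password login.
add_action( 'application_password_did_authenticate', function () {
	delete_transient( aprl_key() );
} );
```

Because the counter keys on the client IP, a lockout also blocks legitimate clients sharing that address (NAT, corporate proxies), which is the usual trade-off of IP-based limiting.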