[wp-trac] [WordPress Trac] #64862: Application Passwords: Add rate limiting to prevent brute-force attacks
WordPress Trac
noreply at wordpress.org
Sat Mar 14 11:34:48 UTC 2026
#64862: Application Passwords: Add rate limiting to prevent brute-force attacks
----------------------------------+------------------------------
Reporter: vrutti22 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 6.7
Severity: normal | Resolution:
Keywords: needs-patch security | Focuses:
----------------------------------+------------------------------
Changes (by vrutti22):
* Attachment "wp-app-password-rate-limit.diff" added.
== Steps to Reproduce ==
1. Create an Application Password for any WordPress user
2. Make repeated REST API requests with a wrong password using Basic Auth
3. Observe: no lockout, no 429, unlimited attempts

== Expected Behavior ==
After N failed attempts from the same IP, return WP_Error with HTTP 429 and a transient-based lockout.

== Proposed Fix ==
Transient-based rate limiting inside wp_authenticate_application_password() with two filters for site owners to configure:
- application_password_login_max_attempts (default: 5)
- application_password_lockout_duration (default: 10 minutes)

Patch + unit tests (6 test cases) attached.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64862>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
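The lockout the ticket describes, written out as an added example rather than the attached wp-app-password-rate-limit.diff (which is not reproduced here). The ticket's patch puts the logic inside core's wp_authenticate_application_password(); this version lives in an mu-plugin and uses only public core hooks: the actions application_password_failed_authentication and application_password_did_authenticate for counting, and the rest_authentication_errors filter for enforcement. The two filter names and their defaults are the ones the ticket proposes; the app_pw_rl_* function names, the transient prefix and the error code are this example's own, and whether the attached patch passes the same filter arguments is an assumption. It guards REST requests only, and keys on REMOTE_ADDR, so behind a reverse proxy it must be given the real client address (never by trusting X-Forwarded-For unconditionally, which would let the attacker pick the key).

```php
<?php
/**
 * Added example, not the ticket's attached patch: transient-based lockout of
 * Application Password failures per client IP, wired through public hooks.
 * Hook names are WordPress core's; app_pw_rl_* names and the transient
 * prefix are assumptions made for this example.
 */

/** Client IP as PHP sees it. Behind a proxy REMOTE_ADDR is the proxy, so a
 *  deployment must substitute the real client address here (assumption). */
function app_pw_rl_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient name for one IP's failure counter (prefix is this example's own). */
function app_pw_rl_key( $ip ) {
	return 'app_pw_fail_' . md5( $ip );
}

/** Filter name and default (5) as proposed in the ticket. */
function app_pw_rl_max_attempts() {
	return max( 1, (int) apply_filters( 'application_password_login_max_attempts', 5 ) );
}

/** Filter name and default (10 minutes) as proposed in the ticket. */
function app_pw_rl_lockout_duration() {
	return max( 1, (int) apply_filters( 'application_password_lockout_duration', 10 * MINUTE_IN_SECONDS ) );
}

/** True once this IP has used up its attempts. The transient stores the failure
 *  count and expires after the lockout duration, so expiry is the unlock. */
function app_pw_rl_is_locked_out( $ip ) {
	return (int) get_transient( app_pw_rl_key( $ip ) ) >= app_pw_rl_max_attempts();
}

/** Count one failure. The read-increment-write is not atomic: two concurrent
 *  failures may be counted once, which errs on the permissive side. */
function app_pw_rl_record_failure( $error ) {
	$key   = app_pw_rl_key( app_pw_rl_client_ip() );
	$count = (int) get_transient( $key ) + 1;
	set_transient( $key, $count, app_pw_rl_lockout_duration() );
}
add_action( 'application_password_failed_authentication', 'app_pw_rl_record_failure' );

/** A successful Application Password login clears that IP's counter. */
function app_pw_rl_clear( $user, $item ) {
	delete_transient( app_pw_rl_key( app_pw_rl_client_ip() ) );
}
add_action( 'application_password_did_authenticate', 'app_pw_rl_clear', 10, 2 );

/** Reject the REST request with 429 while the IP is locked out. Runs at priority 9,
 *  before core's own application-password error callback on this filter (priority 10),
 *  so the lockout error wins over the generic invalid-credentials error. */
function app_pw_rl_rest_guard( $result ) {
	if ( ! empty( $result ) ) {
		return $result; // Another callback already decided.
	}
	// Only Basic Auth clients are subject to the lockout; cookie/nonce clients are not.
	if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
		return $result;
	}
	if ( ! app_pw_rl_is_locked_out( app_pw_rl_client_ip() ) ) {
		return $result;
	}
	// Remaining TTL is not readable from a transient, so Retry-After is an upper bound.
	$retry_after = app_pw_rl_lockout_duration();
	header( 'Retry-After: ' . $retry_after );

	return new WP_Error(
		'application_password_rate_limited',
		__( 'Too many failed application password attempts. Try again later.' ),
		array( 'status' => 429, 'retry_after' => $retry_after )
	);
}
add_filter( 'rest_authentication_errors', 'app_pw_rl_rest_guard', 9 );
```

Two caveats a reviewer of the in-core patch would raise as well: a per-IP lockout lets anyone behind the same NAT lock out a legitimate API client by sending a handful of bad passwords (a denial-of-service trade-off that a per-user or per-IP-plus-user key softens), and transients backed by the options table are only as fast as that table, so on busy sites a persistent object cache is what makes the check cheap.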