Skip to content

feat!: keep WP Application Passwords available by default#70

Merged
parisek merged 1 commit into
mainfrom
feat/application-passwords-enabled-by-default
Jul 9, 2026
Merged

feat!: keep WP Application Passwords available by default#70
parisek merged 1 commit into
mainfrom
feat/application-passwords-enabled-by-default

Conversation

@parisek

@parisek parisek commented Jul 9, 2026

Copy link
Copy Markdown
Owner

From-Project: mairateam — enabling Application Passwords for the portadesign-mcp plugin required a per-project override of disable_application_passwords; the same need applies to every project adopting MCP.

Why: StarterBase ships disable_application_passwords = true as security hardening ("rarely used in practice"). That assumption no longer holds: Application Passwords are the authentication mechanism for REST/MCP integrations, which we now need fleet-wide. Keeping the hardened default would mean copy-pasting the override into every downstream theme.

What: Default flips to false — Application Passwords stay available out of the box. Deliberate breaking (behavioral) change; accepted trade-off. Sites with no MCP/REST integration opt back in with protected bool $disable_application_passwords = true; in their theme Base. No other hardening flag changes. CHANGELOG entry under Unreleased marks it BREAKING; suggest releasing as 1.17.0.

Tests: RegisterSecurityHardeningHooksTest sets the flag explicitly via reflection, so it is default-agnostic and keeps passing.

🤖 Generated with Claude Code

https://claude.ai/code/session_017xUQ7PWZU4zbQUBP26pak6

Application Passwords are the auth mechanism for REST/MCP integrations
(portadesign-mcp), which projects are adopting fleet-wide. Flip the
StarterBase::$disable_application_passwords default to false; sites
without such an integration can opt back into the hardened behavior
with a one-line override in their theme Base.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017xUQ7PWZU4zbQUBP26pak6
@parisek parisek self-assigned this Jul 9, 2026
@parisek parisek marked this pull request as ready for review July 9, 2026 13:31
@parisek parisek merged commit 87bce3a into main Jul 9, 2026
5 checks passed
@parisek parisek deleted the feat/application-passwords-enabled-by-default branch July 9, 2026 13:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant