這個外掛並未在最新的 3 個 WordPress 主要版本上進行測試。開發者可能不再對這個外掛進行維護或提供技術支援,並可能會與更新版本的 WordPress 產生使用上的相容性問題。

Application Passwords

外掛說明

⚠️ 重要注意事項:這個外掛已整合至 WordPress 5.6 中,請不要個別安裝。查看整合指南→

Use Application Passwords to authenticate users without providing their passwords directly. Instead, a unique password is generated for each application without revealing the user’s main password. Application passwords can be revoked for each application individually.

Important: Application Passwords can be used only for authenticating API requests such as REST API and XML-RPC, and they won’t work for regular site logins.

Contribute

Creating Application Password Manually

  1. Go the User Profile page of the user that you want to generate a new application password for. To do so, click Users on the left side of the WordPress admin, then click on the user that you want to manage.
  2. Scroll down until you see the Application Passwords section. This is typically at the bottom of the page.
  3. Within the input field, type in a name for your new application password, then click Add New.
    Note: The application password name is only used to describe your password for easy management later. It will not affect your password in any way. Be descriptive, as it will lead to easier management if you ever need to change it later.
  4. Once the Add New button is clicked, your new application password will appear. Be sure to keep this somewhere safe, as it will not be displayed to you again. If you lose this password, it cannot be obtained again.

Two Factor Support

Application Passwords can be used together with the Two Factor plugin as long as you bypass the API acccess restrictions added by the Two Factor plugin. Those protections disable API requests with password authentication for users with Two Factor enabled.

Use the two_factor_user_api_login_enable filter to allow API requests authenticated using an application passwords:

add_filter( 'two_factor_user_api_login_enable', function( $enable ) {
    // Allow API login when using an application password even with 2fa enabled.
    if ( did_action( 'application_password_did_authenticate' ) ) {
        return true;
    }

    return $enable;
} );

This is not required if the user associated with the application password doesn’t have any of the Two Factor methods enabled.

Requesting Password for Application

To request a password for your application, redirect users to:

https://example.com/wp-admin/admin.php?page=auth_app

and use the following GET request parameters to specify:

  • app_name (required) – The human readable identifier for your app. This will be the name of the generated application password, so structure it like … “WordPress Mobile App on iPhone 12” for uniqueness between multiple versions. If omitted, the user will be required to provide an application name.
  • success_url (recommended) – The URL that you’d like the user to be sent to if they approve the connection. Two GET variables will be appended when they are passed back — user_login and password — these credentials can then be used for API calls. If the success_url variable is omitted, a password will be generated and displayed to the user, to manually enter into your application.
  • reject_url (optional) – If included, the user will get sent there if they reject the connection. If omitted, the user will be sent to the success_url, with ?success=false appended to the end. If the success_url is omitted, the user will be sent to their dashboard.

Testing an Application Password

We use curl to send HTTP requests to the API endpoints in the examples below.

WordPress REST API

Make a REST API call to update a post. Because you are performing a POST request, you will need to authorize the request using your newly created base64 encoded access token. If authorized correctly, you will see the post title update to “New Title.”

curl --user "USERNAME:APPLICATION_PASSWORD" -X POST -d "title=New Title" https://LOCALHOST/wp-json/wp/v2/posts/POST_ID

When running this command, be sure to replace USERNAME and APPLICATION_PASSWORD with your credentials (curl takes care of base64 encoding and setting the Authorization header), LOCALHOST with the hostname of your WordPress installation, and POST_ID with the ID of the post that you want to edit.

XML-RPC

Unlike the WordPress REST API, XML-RPC does not require your username and password to be base64 encoded. Send an XML-RPC request to list all users:

curl -H 'Content-Type: text/xml' -d '<methodCall><methodName>wp.getUsers</methodName><params><param><value>1</value></param><param><value>USERNAME</value></param><param><value>PASSWORD</value></param></params></methodCall>' https://LOCALHOST/xmlrpc.php

In the above example, replace USERNAME with your username, PASSWORD with your new application password, and LOCALHOST with the hostname of your WordPress installation. This should output a response containing all users on your site.

Plugin History

This is a feature plugin that is a spinoff of the main Two-Factor Authentication plugin.

螢幕擷圖

  • New application passwords has been created.
  • After at least one Application Password for you account exists, you'll see a table displaying them, allowing you to view usage and revoke them as desired.

安裝方式

Search for “Application Passwords” under “Plugins” → “Add New” in your WordPress dashboard to install the plugin.

Or install it manually:

  1. Download the plugin zip file.
  2. Go to PluginsAdd New in your WordPress admin.
  3. Click on the Upload Plugin button.
  4. Select the file you downloaded.
  5. Click Install Plugin.
  6. Activate.

Using Composer

Add this plugin as a Composer dependency from Packagist:

composer require georgestephanis/application-passwords

使用者評論

2020 年 9 月 30 日
This plugin saved me a bunch of time and concern when trying to lock down a couple of scripts. I was initially concerned that I was going to be in for some hoop-jumping to get it set up. But once I jumped in, I had it working in no time.
2020 年 9 月 6 日
I struggled for 3 days to connect my WooCommerce store with Printful. Printful support had zero clue on how to do this. I found the solution in this plugin. It took less than one minute to have the fix. Merci to the dev!
閱讀全部 31 則使用者評論

參與者及開發者

以下人員參與了開源軟體〈Application Passwords〉的開發相關工作。

參與者

將〈Application Passwords〉外掛本地化為台灣繁體中文版

對開發相關資訊感興趣?

任何人均可瀏覽程式碼、查看 SVN 存放庫,或透過 RSS 訂閱開發記錄

變更記錄

檢視外掛在 GitHub 上的發佈記錄