Application password UX improvements by johnbillion · Pull Request #11079 · WordPress/wordpress-develop

johnbillion · 2026-02-27T13:07:45Z

Work in progress.

A collection of UX enhancements for the authorize-application.php screen, with a particular focus on hardening against phishing.

Greatly increase clarity about the target URL that will receive credentials if the request is approved
- Shows the target host name front and centre without the rest of the URL
- Gates approval behind a checkbox
Removes support for username:password@ credentials in URLs
- These are almost exclusively used for phishing
- Despite being deprecated in modern browsers for many years, they're still technically functional, but there is no need to support them
Removes support for reject URLs
- If a user rejects approval, it is unexpected that they still get sent to the requesting site
- This is an open redirect that can still result in phishing
- Replaces the redirect with a message stating that the request was not approved
Adds a "Copy" button to the generated application password after approval
- Matches the one used on the Application Passwords section of the user profile screen

Screenshots

…box.

…s the one on the profile screen.

…t, it should not send any data to the requesting site or app.

…ost exclusively used for phishing and is deprecated in modern browsers.

github-actions · 2026-02-27T13:24:42Z

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

All changes will be lost when closing a tab with a Playground instance.
All changes will be lost when refreshing the page.
A fresh instance is created each time the link below is clicked.
Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.

domenico-ruggiano · 2026-03-02T23:34:22Z

Great improvements here :)

johnbillion added 5 commits February 27, 2026 12:51

Increase clarity of the success URL, and gate approval behind a check…

c24eea0

…box.

Add a Copy button to the new application password screen. This matche…

395cd85

…s the one on the profile screen.

Fix form validation when an application password name isn't entered.

f569501

Completely remove the reject_url handling. If a user rejects a reques…

9d04cdc

…t, it should not send any data to the requesting site or app.

Reject success URLs that contain a username credential. These are alm…

24737a6

…ost exclusively used for phishing and is deprecated in modern browsers.

Coding standards.

b417df5

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Application password UX improvements#11079

Application password UX improvements#11079
johnbillion wants to merge 6 commits intoWordPress:trunkfrom
johnbillion:application-password-ux

johnbillion commented Feb 27, 2026

Uh oh!

github-actions bot commented Feb 27, 2026

Uh oh!

domenico-ruggiano commented Mar 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

johnbillion commented Feb 27, 2026

Screenshots

Uh oh!

github-actions bot commented Feb 27, 2026

Test using WordPress Playground

Some things to be aware of

Uh oh!

domenico-ruggiano commented Mar 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants