Webmasters can also issue authenticated requests to WordPress APIs via Application Passwords

WordPress 5.6 lands with new auto-update UI, Site Health enhancements

UPDATED WordPress 5.6 has shipped with a new user interface (UI) for opting into automatic updates for major releases, and enhancements to how Site Health handles and validates health checks.

Launched today (December 8), the full release also allows external applications to make authentication requests to various WordPress APIs via a new Application Passwords feature.

However, the latest version of the Wordfence security plugin disables this function by default after Wordfence threat analyst Chloe Chamberland claimed that social engineering attacks could potentially abuse the feature to achieve site takeover.

Auto updates for major releases

The new auto-update UI builds on the recent adoption of auto-updates for plugins and site themes by default in WordPress Core version 5.5.

Developers could already opt into auto-updates of major releases, but web admins of existing installations can now do likewise through the new UI.

Constants and filters already implemented by hosts or agencies take precedence, according to the most recent dev note.

Both existing and new installations will still receive minor updates by default, with the latter also receiving major updates by default.

Site Health checks

A trio of key improvements have been made to Site Health, which runs performance and security analyses on WordPress sites and issues notifications and recommendations to, for instance, upgrade the PHP version, deactivate unused plugins, or implement HTTPS.

Previously, “any invalid asynchronous response would cause a fatal JavaScript error, halting further processing of checks, and preventing the top of the page indicator from ever reaching a finished state”, reads a dev note on the updates.

However, invalid responses are now discarded with the introduction of validation rules to the response form of an asynchronous health check. “It will not count towards the Site Health indicator or be listed among the checks,” explains the note.

Webmasters are also no longer forced to add a badge to their checks – this is “useful, but not a hard requirement”.

Site Health will also now eschew admin-ajax.php for asynchronous tests in favor of using a dedicated REST API endpoint.

This means plugins and themes can also harness REST endpoints, not just ajax actions, for tests.


Read more of the latest open source security news


“To maintain backwards compatibility, each test can now declare has_rest (defaults to false). If this is of a true value, then the test argument is treated as an absolute URL (this means that it should be a fully qualified address, and not a relative one), for example, by using the rest_url() function provided by core,” continues the dev note.

An absolute, rather than relative, URL gives “developers flexibility so they may have an external service where it makes sense to do a remote request”.

This change, together with this bug fix, enables an update to scheduled Site Health checks too – introducing the async_direct_test argument to a test array. This change was implemented because “asynchronous calls were less than ideal to query from a scheduled event when run locally”.

WordPress 5.6 also introduces support for PHP 8, several new block editor features, and an AAA-ready default theme, according to the release’s Field Guide.


This article was updated on December 9 with reference to research from Wordfence


READ MORE WordPress 5.5 rolls out with auto-updates for plugins, themes