[WordPress] Plugin share: Mandate App Security

Requires WordPress 7.0+, PHP 8.2+. Version v0.5.1. Listed: 2026-05-28

Original plugin description

WordPress Application Passwords prove identity. They do not limit what an authenticated request can do. If the user behind a password is an admin, every tool that authenticates as that user has admin-level access — with no native way to narrow it.
Today, REST clients, automation platforms, AI agents, management tools, and MCP connectors all authenticate with Application Passwords. Any of them, if misconfigured or compromised, can do anything that user can do.
Mandate App Security adds the missing layer: a capability policy per Application Password. You define what each credential is allowed to do. Mandate App Security enforces it on every request. Normal wp-admin sessions and user roles are unaffected.
Instead of treating every Application Password as equally trusted, Mandate App Security lets administrators and password owners save a capability allowlist per password.
An administrator can choose:

a WordPress user
one of that user’s Application Passwords
the capabilities that password should be allowed to use
an optional expiration date for that password
whether the scope is locked so the password owner can view it but not edit it

Users can scope their own Application Passwords when WordPress allows Application Passwords for their account. Only administrators can edit another user’s scope or lock a scope against owner edits.
When a request is authenticated with that Application Password, Mandate App Security checks the saved allowlist and removes capabilities that are not allowed for that password.
Mandate App Security never grants new permissions. It only narrows an Application Password to capabilities the selected user already receives from assigned roles. If the selected Application Password is past its saved expiration date, Mandate App Security removes all capabilities for that request. Normal browser and wp-admin sessions for the same user are not changed.
Example scopes
A reporting dashboard that only needs to read posts and media should never be able to edit settings or manage users. A content automation tool that publishes posts has no reason to access WooCommerce orders. An AI writing assistant does not need plugin management access.
With Mandate App Security, each of those tools gets a dedicated Application Password scoped to exactly what it needs. Nothing more.
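The enforcement mechanism described above (a per-password allowlist that only ever narrows capabilities, plus an expiration that removes everything) and the example scopes just listed can be illustrated with two WordPress core hooks. The following is an added example written for this page; it is not Mandate App Security's code and does not reflect how that plugin stores or applies its policies. The user-meta key `_example_app_password_scope`, the helper names `example_save_app_password_scope` and `example_narrow_caps`, and the sample UUIDs are all hypothetical; the hooks `application_password_did_authenticate` and `user_has_cap` and the function `wp_is_application_passwords_available_for_user()` do exist in WordPress core (5.6+).

```php
<?php
/**
 * Added example (not Mandate App Security's own code): narrow what one
 * WordPress Application Password may do, using two core hooks:
 *   - 'application_password_did_authenticate' (user, password record incl. 'uuid')
 *   - 'user_has_cap' (allcaps, caps, args, user)
 *
 * Hypothetical storage, for this example only: a user-meta entry
 * '_example_app_password_scope' mapping password UUID => policy, where
 * policy = array( 'caps' => array( ...capability names ), 'expires' => 'YYYY-MM-DD' or '' ).
 */

/**
 * Save (or replace) the allowlist for one of a user's Application Passwords.
 * Returns false when core does not allow Application Passwords for that user.
 */
function example_save_app_password_scope( int $user_id, string $uuid, array $caps, string $expires = '' ): bool {
    $user = get_userdata( $user_id );
    if ( ! $user || ! wp_is_application_passwords_available_for_user( $user ) ) {
        return false;
    }
    $scopes = get_user_meta( $user_id, '_example_app_password_scope', true );
    $scopes = is_array( $scopes ) ? $scopes : array();
    $scopes[ $uuid ] = array(
        'caps'    => array_values( array_unique( array_map( 'strval', $caps ) ) ),
        'expires' => $expires,
    );
    update_user_meta( $user_id, '_example_app_password_scope', $scopes );
    return true;
}

/**
 * Pure policy step, kept separate from the hooks so it can be tested on its own:
 * given the capabilities a user already has and a saved policy, return the
 * capabilities this request may keep. It never adds a capability.
 */
function example_narrow_caps( array $allcaps, array $policy, int $now ): array {
    // Expired credential: every capability goes away for this request.
    if ( ! empty( $policy['expires'] ) && strtotime( $policy['expires'] . ' 23:59:59 UTC' ) < $now ) {
        return array();
    }
    // Keep only caps that the roles already grant AND the allowlist names.
    $allowed = array_fill_keys( (array) ( $policy['caps'] ?? array() ), true );
    return array_intersect_key( $allcaps, $allowed );
}

// 1) Remember which Application Password authenticated this request.
//    Cookie / wp-admin logins never fire this action, so they stay untouched.
add_action( 'application_password_did_authenticate', function ( $user, $item ) {
    $GLOBALS['example_app_password_uuid'] = $item['uuid'];
}, 10, 2 );

// 2) On every capability check for that user, apply the saved policy.
add_filter( 'user_has_cap', function ( $allcaps, $caps, $args, $user ) {
    $uuid = $GLOBALS['example_app_password_uuid'] ?? '';
    // Not an Application Password request, or a check against some other
    // user's capabilities: leave the result exactly as WordPress computed it.
    if ( '' === $uuid || (int) $user->ID !== get_current_user_id() ) {
        return $allcaps;
    }
    $scopes = get_user_meta( $user->ID, '_example_app_password_scope', true );
    if ( ! is_array( $scopes ) || empty( $scopes[ $uuid ] ) ) {
        return $allcaps; // no policy saved for this password: unchanged behaviour
    }
    return example_narrow_caps( $allcaps, $scopes[ $uuid ], time() );
}, 10, 4 );

// Constructed scopes matching the text's examples (user ID and UUIDs are placeholders):
// example_save_app_password_scope( 5, 'uuid-of-reporting-dashboard', array( 'read' ) );
// example_save_app_password_scope( 5, 'uuid-of-content-bot',
//     array( 'read', 'edit_posts', 'publish_posts', 'upload_files' ), '2026-12-31' );
```

The security property worth checking in any such implementation is the one the description states: the policy is applied as an intersection with what the roles already grant (`array_intersect_key`), so a typo or an over-generous allowlist can at worst leave a capability in place, never add one the user does not have. The UUID is only set when core's Application Password authentication actually ran, which is what keeps ordinary browser sessions for the same user unaffected.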
Source Code
Mandate App Security is available at https://wpmandate.com.
The public development repository, release packages, and build documentation are at https://github.com/FernleafSystems/Mandate-for-WordPress.
