Make WordPress Core

Opened 16 months ago

Last modified 16 months ago

#57388 assigned defect (bug)

For App Passwords in non-HTTPS websites, WordPress asks for development environment, but actually requires local

Reported by: drtimofey's profile drtimofey Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.1.1
Component: Application Passwords Keywords: has-patch
Focuses: Cc:

Description (last modified by sabernhardt)

When attempting to set Application Passwords on a non-HTTPS website (i.e. http://localhost), WordPress says it needs the development environment to be declared (creating an assumption it needs to be WP_ENVIRONMENT_TYPE=development). However, in actuality, WordPress requires WP_ENVIRONMENT_TYPE to be set to 'local', not 'development'.

To reproduce:

  • Deploy a non-HTTPS instance (i.e. http://localhost)
  • Set WP_ENVIRONMENT_TYPE constant to 'development' in wp-config.php, i.e. - define('WP_ENVIRONMENT_TYPE', 'development');
  • Go to /wp-admin/profile.php and edit any user
  • Under Application Passwords the following messages is posted, despite the environment being set to development:

The application password feature requires HTTPS, which is not enabled on this site.
If this is a development website you can [set the environment type accordingly]( to enable application passwords.


  • Either clarify the instructions to say to set it to 'local', not 'development'


  • Update the wp_is_application_passwords_supported() function to accept the development environment.

This ticket is related to #53658.

Attachments (2)

Screen Shot 2022-12-27 at 5.38.42 PM.png (332.7 KB) - added by drtimofey 16 months ago.
Screenshot of the wordpress message
57388.patch (799 bytes) - added by thakkarhardik 16 months ago.

Download all attachments as: .zip

Change History (4)

16 months ago

Screenshot of the wordpress message

#1 @sabernhardt
16 months ago

  • Component changed from Administration to Application Passwords
  • Description modified (diff)

#2 @thakkarhardik
16 months ago

  • Keywords has-patch added

I've added a patch which clarifies that the environment type should be 'local' in order to use the App passwords in non-https sites.

Note: See TracTickets for help on using tickets.