Post via email - Password field default value trips Google Chrome warning

[adamkheckler]

TLDR: The default "Post via email" password is simply "password", which can trigger a scary-looking popup in Google Chrome.

To reproduce the issue:

1. In Chrome, go to "chrome://settings/security".
2. Toggle on the "Warn you if a password was compromised in a data breach" setting.
3. Spin up a WordPress test site.
4. In wp-admin, go to Settings > Writing.
5. Click "Save Changes". No need to change any actual settings.
6. Observe the attached popup from Chrome.

I believe Chrome thinks I have actually chosen the password "password" and warning me about it, which makes sense. The problem is that this triggers even when I've simply left the "Post via email" settings on their defaults, and only changed the default post category or whatever.

I'm not sure if WP core can do anything about this, but it seemed worth mentioning.

Updates schema.php and unit tests

Trac 61332

[sabernhardt]

#22942 might deprecate the feature at some point, but I wonder about just leaving the password empty in schema.php. The value needs to be replaced for proper use anyway.

[psykro]

Replying to sabernhardt:

#22942 might deprecate the feature at some point, but I wonder about just leaving the password empty in schema.php. The value needs to be replaced for proper use anyway.

I just tested with an empty password, and it doesn't trigger the Chrome warning. I can't think of any reasons why this wouldn't be ok, as you point out, you have to specify actual mail server details for it to work.

[SergeyBiryukov]

In 58928:

Upgrade/Install: Use an empty string for the default “Post via email” password.

This aims to avoid a security warning in Chrome, which could previously be triggered even if the default value is not actually used as a password.

Follow-up to [208], [230], [233], [662], [1599], [1601]

Props adamkheckler, sabernhardt, peterwilsoncc, psykro, petitphp.
Fixes #61332.

Thanks for the PR! Merged in r58928.