Is this related to this issue: https://ww.wp.xz.cn/support/topic/bad-practice-5/?
It states that
This plugin uses it’s own alternative authentication method for the WP-JSON API instead of the native application passwords provided by core WP
[…]
After examining the code a bit further to find out why the authentication always returned a 401 in our setup, we’ve discovered it tries to login and run it’s code as the first (random) administrator account it can find in the database.
I find this quite preoccupying. I would love clarification on this, @davidgurr .
