{"id":158,"date":"2024-11-13T23:13:14","date_gmt":"2024-11-13T20:13:14","guid":{"rendered":"https:\/\/so.wordpress.org\/about\/security\/"},"modified":"2024-11-13T23:13:14","modified_gmt":"2024-11-13T20:13:14","slug":"security","status":"publish","type":"page","link":"https:\/\/so.wordpress.org\/about\/security\/","title":{"rendered":"Security"},"content":{"rendered":"\n<div class=\"wp-block-group alignfull is-layout-constrained wp-container-core-group-is-layout-2 wp-block-group-is-layout-constrained\" style=\"padding-top:var(--wp--preset--spacing--60);padding-right:var(--wp--preset--spacing--edge-space);padding-bottom:var(--wp--preset--spacing--60);padding-left:var(--wp--preset--spacing--edge-space)\">\n<h1 class=\"wp-block-heading\" style=\"margin-bottom:var(--wp--preset--spacing--30)\">Security<\/h1>\n\n\n\n<p>We take the security of the WordPress project and the ecosystem seriously. With <a href=\"https:\/\/wordpress.org\/about\/history\/\">over 20 years of history<\/a> and powering more than 43% of the web, we&#8217;re committed to ensuring security for all, from solo bloggers to enterprise organizations.<\/p>\n\n\n\n<p>WordPress encourages responsible disclosure of vulnerabilities in WordPress core, in plugins and themes available on WordPress.org, or in the wider WordPress ecosystem.<\/p>\n\n\n\n<div class=\"wp-block-group has-pomegrade-3-background-color has-background is-layout-constrained wp-container-core-group-is-layout-1 wp-block-group-is-layout-constrained\" style=\"padding-top:var(--wp--preset--spacing--20);padding-right:var(--wp--preset--spacing--20);padding-bottom:var(--wp--preset--spacing--20);padding-left:var(--wp--preset--spacing--20)\">\n<p>If you believe you have found a vulnerability in WordPress, please keep it confidential and <a href=\"https:\/\/make.wordpress.org\/core\/handbook\/testing\/reporting-security-vulnerabilities\/\">report it to the WordPress Security Team<\/a>.<\/p>\n\n\n\n<p>If you believe you have found a vulnerability in a WordPress plugin or theme available on WordPress.org, please keep it confidential.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For plugin vulnerabilities, <a href=\"https:\/\/developer.wordpress.org\/plugins\/wordpress-org\/plugin-security\/reporting-plugin-security-issues\/\">report it to the plugin developer and the plugins team<\/a>.<\/li>\n\n\n\n<li>For theme vulnerabilities, <a href=\"https:\/\/developer.wordpress.org\/themes\/theme-security\/theme-security-issues\/\">report it to the theme developer and the theme review team<\/a>.<\/li>\n<\/ul>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Our process<\/h2>\n\n\n\n<p>The WordPress project is committed to providing a stable, secure, trusted platform for more than 43% of the web. The <a href=\"https:\/\/make.wordpress.org\/core\/handbook\/contribute\/codebase\/\">core WordPress software development lifecycle<\/a> includes code review throughout the process, with open-source contributions reviewed by trusted committers.<\/p>\n\n\n\n<p>The WordPress Security Team works to identify and resolve security issues across the WordPress core software, harden the software against threats such as the <a href=\"https:\/\/owasp.org\/www-project-top-ten\/\">OWASP Top Ten<\/a>, and <a href=\"https:\/\/developer.wordpress.org\/apis\/security\/\">provide guidance<\/a> across the ecosystem.<\/p>\n\n\n\n<p>In addition to more than 50 trusted experts, including lead developers, security researchers, and key contributors to every component of WordPress, <a href=\"https:\/\/wordpress.org\/five-for-the-future\/\">sponsored members of the Security Team<\/a> dedicate time to identifying and addressing concerns in the software and ecosystem.<\/p>\n\n\n\n<p>To address responsibly-disclosed security vulnerabilities, the Security Team works to develop fixes, create robust test cases, and <a href=\"https:\/\/wordpress.org\/news\/category\/security\/\">release those fixes in bugfix releases<\/a>. While only the latest version of WordPress is officially supported, the Security Team also <a href=\"https:\/\/make.wordpress.org\/security\/2022\/09\/07\/dropping-security-updates-for-wordpress-versions-3-7-through-4-0\/\">backports fixes to older versions as a courtesy<\/a>, to ensure older sites receive critical security fixes via auto-updates.<\/p>\n\n\n\n<p>The Security Team also works directly with significant web hosting operators and security ecosystem providers to detect and mitigate threats to WordPress-based sites, including coordinating release rollouts and developing web application firewall (WAF) mitigations.<\/p>\n\n\n\n<p class=\"has-blueberry-4-background-color has-background\" style=\"padding-top:var(--wp--preset--spacing--20);padding-right:var(--wp--preset--spacing--20);padding-bottom:var(--wp--preset--spacing--20);padding-left:var(--wp--preset--spacing--20)\">Learn more about the <a href=\"https:\/\/github.com\/WordPress\/Security-White-Paper\/blob\/master\/WordPressSecurityWhitePaper.pdf?raw=true\">WordPress project&#8217;s security stance in our whitepaper<\/a>.<\/p>\n\n\n\n<div class=\"wp-block-columns alignwide is-layout-flex wp-container-core-columns-is-layout-1 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\">Plugin Developers<\/h2>\n\n\n\n<p>The <a href=\"https:\/\/developer.wordpress.org\/apis\/security\/\">Security guide in the Common APIs handbook<\/a> is your go-to guide for secure development principles.<\/p>\n\n\n\n<p>If you believe you&#8217;ve identified a security problem in your own plugin, the WordPress plugins team is here to support you.<\/p>\n\n\n\n<p><a href=\"https:\/\/developer.wordpress.org\/plugins\/wordpress-org\/plugin-security\/\">Find out more about how to address security issues in your plugin.<\/a><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h2 class=\"wp-block-heading\">Theme Developers<\/h2>\n\n\n\n<p class=\"is-style-default\">The <a href=\"https:\/\/developer.wordpress.org\/apis\/security\/\">Security guide in the Common APIs handbook<\/a> is your go-to guide for secure development principles.<\/p>\n\n\n\n<p>If you believe you&#8217;ve identified a security problem in your own theme, the WordPress theme review team is here to support you.<\/p>\n\n\n\n<p><a href=\"https:\/\/developer.wordpress.org\/themes\/theme-security\/theme-security-issues\/\">Find out more about how to address security issues in your theme.<\/a><\/p>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-2 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<h2 class=\"wp-block-heading has-text-align-left\">Web Hosts<\/h2>\n\n\n\n<p class=\"has-text-align-left\">The <a href=\"https:\/\/developer.wordpress.org\/advanced-administration\/security\/\">Security guide in the Advanced Administration handbook<\/a> contains key information on how to secure your hosting environment.<\/p>\n\n\n\n<p class=\"has-text-align-left\">We also strongly recommend <a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Vulnerability_Disclosure_Cheat_Sheet.html#receiving-vulnerability-reports\">publishing a responsible disclosure policy<\/a> of your own.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security We take the security of the WordPress project and the ecosystem seriously. With over 20 years of history and powering more than of the web, we&#8217;re committed to ensuring security for all, from solo bloggers to enterprise organizations. WordPress encourages responsible disclosure of vulnerabilities in WordPress core, in plugins and themes available on WordPress.org, [&hellip;]<\/p>\n","protected":false},"author":5911429,"featured_media":0,"parent":147,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"page-security","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"class_list":["post-158","page","type-page","status-publish","hentry"],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/so.wordpress.org\/wp-json\/wp\/v2\/pages\/158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/so.wordpress.org\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/so.wordpress.org\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/so.wordpress.org\/wp-json\/wp\/v2\/users\/5911429"}],"replies":[{"embeddable":true,"href":"https:\/\/so.wordpress.org\/wp-json\/wp\/v2\/comments?post=158"}],"version-history":[{"count":3,"href":"https:\/\/so.wordpress.org\/wp-json\/wp\/v2\/pages\/158\/revisions"}],"predecessor-version":[{"id":281,"href":"https:\/\/so.wordpress.org\/wp-json\/wp\/v2\/pages\/158\/revisions\/281"}],"up":[{"embeddable":true,"href":"https:\/\/so.wordpress.org\/wp-json\/wp\/v2\/pages\/147"}],"wp:attachment":[{"href":"https:\/\/so.wordpress.org\/wp-json\/wp\/v2\/media?parent=158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}