While we try to be proactive in preventing security problems, we do not assume they’ll never come up.
It is standard practice to responsibly and privately disclose a security problem to the vendor (in this case, the WordPress core development team) before publicizing it, so that a fix can be prepared and damage from the vulnerability minimized.
What is a “security” issue?
A security issue is a type of bug that can affect the security of WordPress installations.
Specifically, it is a report of a bug that you have found in the WordPress core code, and that you have determined can be used to gain some level of access to a site running WordPress that you should not have.
Your site being “hacked” is not a security issue. A security issue will involve knowing how the attacker got in and hacked the site. If you have details on the attack, then contact us. If not, then the Support Forums are the most appropriate place to report such an issue.
Forgetting your password or losing access to your site is not a security issue. If you lost access through a bug in the WordPress code, then that might be a security issue.
Generally, security issues are complex problems. If you want to report a security issue, then that’s great! You’re in the right place. However, be sure that what you’re reporting is actually a security issue. The experts that you are reporting it to are very busy, and don’t usually respond to non-security issues.
The security reporting system is NOT for support. Don’t send general problems there.
Enhanced bounty rewards during Beta and Release Candidate phases
To encourage proactive security assessments, the WordPress community offers monetary rewards for reporting new, unreleased security vulnerabilities. Notably, these rewards are doubled during the period between the release of Beta 1 and the final Release Candidate (RC) of a major WordPress version.
For instance, in the WordPress 6.5 release cycle, this enhanced bounty period spanned from February 13, 2024 (Beta 1) to March 28, 2024 (final RC).
Where do I report security issues?
- If you are here to report any sort of security issue with a site hosted on WordPress.com, then please submit a report at the Automattic HackerOne page. If the issue you’re trying to report is on WordPress.com and is not a security issue, then please use their support forums instead.
- If you’re having an issue with your own self-hosted WordPress.org site that is not a security issue, then please use the WordPress.org support forums.
- For security issues with WordPress plugins, follow the information on Reporting Plugin Security Issues.
- For security issues with the self-hosted version of WordPress, submit a report at the WordPress HackerOne page. Include as much detail as you can. Please always use HackerOne instead of Core Trac, even if the vulnerability is only in trunk or a beta/RC release, because there are some sites that run those in production.
In all cases, you should not share the details with anyone else until after the fix for the bug has been officially released to the public.
Where do I report copyright infringements, libel, and other legal issues?
WordPress.org does not host sites. WordPress.org provides publishing software that anyone can download and use. The organization, WordPress.org, has no control over who uses the software, or how they use it. In other words, WordPress.org does NOT have the power to take down comments, posts, sites, or anything else.
Instead of trying to contact WordPress, perform a whois lookup to track down the operator or host of a particular site, then report the infringement to those organizations.
If you still can’t determine the organization, the following articles by Plagiarism Today may help:
I’ve been hacked. What do I do now?
Things you should do:
- Change passwords for all users, especially Administrators and Editors.
- If you upload files to your site via FTP, change your FTP password.
- Re-install the latest version of WordPress.
- Make sure all of your plugins and themes are up-to-date.
- Update your security keys.
- See FAQ My Site Was Hacked.
Why are some users allowed to post unfiltered HTML?
Users with Administrator or Editor roles are allowed to publish unfiltered HTML in post titles, post content, and comments, and to upload HTML files to the media library. WordPress is, after all, a publishing tool, and people need to be able to include whatever markup they need to communicate. Users with lesser privileges (Authors and Contributors) are not allowed to post unfiltered content or upload HTML files.
If you are running security tests against WordPress, use a lesser-privileged user so that all content is filtered. If you are concerned about an Administrator or Editor putting XSS into content and stealing cookies, note that all cookies are marked for HTTP-only delivery, and are divided into privileged cookies used for admin (and super admin) pages, and unprivileged cookies used for public-facing pages. Content is never displayed unfiltered within the admin dashboard.
In WordPress Multisite, only Super Admins can publish unfiltered HTML, as all other users (including site Administrators) are considered untrusted.
To disable unfiltered HTML for all users, including administrators, you can add `define( 'DISALLOW_UNFILTERED_HTML', true );` to wp-config.php.
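The constant above is all-or-nothing. The following is an added example, not WordPress core code, showing the finer-grained variant as a must-use plugin (a file placed in wp-content/mu-plugins/): the `unfiltered_html` capability is kept only for an allowlist of user IDs and stripped from every other Administrator or Editor, so their content goes through the same KSES filtering that Authors and Contributors get. The `map_meta_cap` filter and the `do_not_allow` pseudo-capability are real WordPress mechanisms; the function name and the allowlisted user ID are placeholder values chosen for this example.

```php
<?php
/**
 * Plugin Name: Restrict unfiltered_html to an allowlist (added example)
 *
 * Added example, not WordPress core code. Where DISALLOW_UNFILTERED_HTML removes
 * the unfiltered_html capability from everyone, this keeps it for a short list of
 * trusted user IDs and denies it to all other users, whatever their role.
 */

// Assumed placeholder: user IDs that may still publish raw markup on this site.
const EXAMPLE_UNFILTERED_HTML_ALLOWLIST = array( 1 );

add_filter( 'map_meta_cap', 'example_restrict_unfiltered_html', 10, 4 );

/**
 * Core maps the meta capability unfiltered_html to itself (or to do_not_allow
 * when DISALLOW_UNFILTERED_HTML is set). Appending do_not_allow here makes
 * current_user_can( 'unfiltered_html' ) return false for users outside the
 * allowlist, so kses_init() filters their posts and comments on save.
 *
 * @param string[] $caps    Primitive capabilities required for $cap.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User the check is performed for.
 * @param array    $args    Additional context passed to the check (unused here).
 * @return string[]
 */
function example_restrict_unfiltered_html( $caps, $cap, $user_id, $args ) {
	if ( 'unfiltered_html' !== $cap ) {
		return $caps;
	}
	if ( in_array( (int) $user_id, EXAMPLE_UNFILTERED_HTML_ALLOWLIST, true ) ) {
		return $caps;
	}
	$caps[] = 'do_not_allow';
	return $caps;
}
```

On Multisite, core already returns `do_not_allow` for everyone except Super Admins, so this filter only narrows things further on single-site installs. Because the filter runs on every capability check, the allowlist check is kept to a constant-time array lookup rather than a database query.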
Why are disclosures of usernames or user IDs not a security issue?
The WordPress project doesn’t consider usernames or user IDs to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you say you are. Verification is the job of the password.
This includes, for example, retrieving the list of site users through the REST API Users endpoint, `GET /wp-json/wp/v2/users`. Making this publicly accessible is intentional.
Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments — such as Google and Facebook — have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5.
Instead of attempting to hide a public identifier, WordPress encourages users to choose strong passwords, through both the user interface and education.
Note that WordPress is not the only open source project to believe this. Drupal has similar arguments for the same thing.
Why are there path disclosures when directly loading certain files?
This is a server configuration problem. Never enable `display_errors` on a production site.
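The disclosure happens when a plugin or theme file is requested directly: it runs outside WordPress, wp-config.php is never loaded, the first call to a WordPress function fails, and a server with `display_errors` on prints the fatal error, absolute path included. The authoritative fix is therefore the PHP setting (`display_errors = Off`, `log_errors = On`), not anything in wp-config.php. The following is an added example, not WordPress's own tooling: a command-line script that audits a plugin or theme directory for PHP files which use WordPress functions but lack the conventional `ABSPATH` guard, so a site owner can see which files would surface the symptom on a misconfigured server. The function names and the command-line usage are this example's own.

```php
<?php
/**
 * Added example (not WordPress core code): find PHP files in a plugin or theme
 * directory that use WordPress functions but can be executed by a direct request
 * because they do not start with the usual guard:
 *     if ( ! defined( 'ABSPATH' ) ) { exit; }
 * Usage (assumed): php audit-direct-load.php /path/to/wp-content/plugins/some-plugin
 */

/**
 * Return true when the file's first statements stop execution unless ABSPATH
 * (defined by wp-load.php) exists. Comments, whitespace and the open tag are
 * skipped so formatting differences do not matter.
 */
function example_has_abspath_guard( string $source ): bool {
	$skip = array( T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT );
	$code = '';
	foreach ( token_get_all( $source ) as $token ) {
		if ( is_array( $token ) ) {
			if ( in_array( $token[0], $skip, true ) ) {
				continue;
			}
			$code .= $token[1];
		} else {
			$code .= $token;
		}
		if ( strlen( $code ) > 200 ) {
			break; // the guard, when present, is at the top of the file
		}
	}
	// Accept the common spellings with or without braces, using exit or die.
	return 1 === preg_match(
		'/if\(!defined\([\'"]ABSPATH[\'"]\)\)\{?(exit|die)\b/',
		$code
	);
}

/**
 * Walk $dir recursively and return the PHP files that lack the guard and call
 * WordPress functions, i.e. would fatal with a path-revealing message when
 * requested directly on a server that displays errors.
 */
function example_find_unguarded_files( string $dir ): array {
	$flagged  = array();
	$iterator = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $iterator as $file ) {
		if ( 'php' !== strtolower( $file->getExtension() ) ) {
			continue;
		}
		$source = (string) file_get_contents( $file->getPathname() );
		$uses_wp = 1 === preg_match( '/\b(add_action|add_filter|get_option|wp_\w+)\s*\(/', $source );
		if ( $uses_wp && ! example_has_abspath_guard( $source ) ) {
			$flagged[] = $file->getPathname();
		}
	}
	sort( $flagged );
	return $flagged;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
	foreach ( example_find_unguarded_files( $argv[1] ) as $path ) {
		echo "no ABSPATH guard: {$path}\n";
	}
}
```

The tokenizer pass matters because a guard written across several lines, or preceded by a file-level docblock, collapses to the same compact form as a one-liner; a plain string search on the raw source would miss it. The audit is a code-quality check for developers and site owners, not a substitute for turning `display_errors` off on the server.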
Why did I get this “Password Reset” email?
If you get an email saying “Someone has asked to reset the password for the following site and username”, this means someone visited the password reset page on your site. Anyone can visit this page, since it must be open to all for it to be accessible to those who have lost their password. Your password can be reset only by those who can read your email. If your email account has not been compromised, you can ignore this email.