While we try to be proactive in preventing security problems, we do not assume they\u2019ll never come up.<\/p>\n\n\n\n
It is standard practice to responsibly and privately disclose<\/strong> to the vendor (the WordPress coreCore<\/span> Core is the set of software required to run WordPress. The Core Development Team builds WordPress.<\/span><\/span><\/span> development team, in this case) a security problem before publicizing, so a fix can be prepared, and damage from the vulnerability minimized.<\/p>\n\n\n\n A security issuesecurity issue<\/span> A security issue is a type of bug that can affect the security of WordPress installations. Specifically, it is a report of a bug that you have found in the WordPress core code, and that you have determined can be used to gain some level of access to a site running WordPress that you should not have.<\/span><\/span><\/span> is a type of bugbug<\/span> A bug is an error or unexpected result. Performance improvements, code optimization, and are considered enhancements, not defects. After feature freeze, only bugs are dealt with, with regressions (adverse changes from the previous version) being the highest priority.<\/span><\/span><\/span> that can affect the security of WordPress installations.<\/p>\n\n\n\n Specifically, it is a report of a bug that you have found in the WordPress core code, and that you have determined can be used to gain some level of access to a site running WordPress that you should not have.<\/p>\n\n\n\n Your site being \u201chackedhacked<\/span> <\/span><\/span><\/span>\u201d is not<\/strong> a security issue. The security issue will involve knowing how the attacker got in and hacked the site. If you have details on the attack, then contact us. If not, then the Support Forums<\/a> are the most appropriate place to report such an issue.<\/p>\n\n\n\n You forgetting your password or losing access to your site is not<\/strong> a security issue. If you lost access through a bug in the WordPress code, then that might be a security issue.<\/p>\n\n\n\n Generally, security issues are complex problems. If you want to report a security issue, then that\u2019s great! You\u2019re in the right place. However, be sure that what you\u2019re reporting is actually<\/strong> a security issue. The experts that you are reporting it to are very busy, and don\u2019t usually respond to non-security issues.<\/p>\n\n\n\n The security reporting system is NOT for support. Don\u2019t send general problems there.<\/p>\n\n\n\n To encourage proactive security assessments, the WordPress community offers monetary rewards for reporting new, unreleased security vulnerabilities. Notably, these rewards are doubled during the period between the release of Beta 1 and the final Release Candidate (RCrelease candidate<\/span> One of the final stages in the version release cycle, this version signals the potential to be a final release to the public. Also see alpha (beta)<\/a>.<\/span><\/span><\/span>) of a major WordPress version.<\/p>\n\n\n\n For instance, in the WordPress 6.5 release cycle<\/a>, this enhanced bounty period spanned from February 13, 2024 (Beta 1) to March 28, 2024 (final RC). source<\/a><\/em><\/p>\n\n\n\n In all cases, you should not<\/strong> share the details with anyone else until after the fix for the bug has been officially released to the public.<\/p>\n\n\n\n WordPress.org<\/a> does not host sites. WordPress.org<\/a> provides publishing software that anyone can download and use. The organization, WordPress.org<\/a>, has no control over who uses the software, or how they use it. In other words, WordPress.org<\/a> does NOT have the power to take down comments, posts, sites, or anything else.<\/p>\n\n\n\n Instead of trying to contact WordPress, perform a whois lookup<\/a> to track down the operator or host of a particular site, then report the infringement to those organizations.<\/p>\n\n\n\n If you still can\u2019t determine the organization, these following articles by Plagiarism Today may help:<\/p>\n\n\n\n Things you should do:<\/p>\n\n\n\n Users with Administrator or Editor roles<\/a> are allowed to publish unfiltered HTML in post titles, post content, and comments, and upload HTML files to the media library. WordPress is, after all, a publishing tool, and people need to be able to include whatever markup they need to communicate. Users with lesser privileges (Authors and Contributors) are not allowed to post unfiltered content or upload HTML files.<\/p>\n\n\n\n If you are running security tests against WordPress, use a lesser privileged user so that all content is filtered. If you are concerned about an Administrator or Editor putting XSS into content and stealing cookies, note that all cookies are marked for HTTPHTTP<\/span> HTTP is an acronym for Hyper Text Transfer Protocol. HTTP is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands.<\/span><\/span><\/span> only delivery, and are divided into privileged cookies used for adminadmin<\/span> (and super admin)<\/span><\/span><\/span> pages, and unprivileged cookies used for public facing pages. Content is never displayed unfiltered within the admin dashboard.<\/p>\n\n\n\n In WordPress Multisitemultisite<\/span> Used to describe a WordPress installation with a network of multiple blogs, grouped by sites. This installation type has shared users tables, and creates separate database tables for each blog (wp_posts becomes wp_0_posts). See also network<\/strong>, blog<\/strong>, site<\/strong><\/span><\/span><\/span>, only Super Admins can publish unfiltered HTML, as all other users (including site Administrators) are considered untrusted.<\/p>\n\n\n\n To disable unfiltered HTML for all users, including administrators, you can add The WordPress project doesn\u2019t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.<\/p>\n\n\n\n This includes, for example, retrieving the list of site users through the REST API Users endpoint<\/a>, Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments \u2014 such as Google and Facebook \u2014 have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5.<\/p>\n\n\n\n Instead of attempting to hide a public identifier, WordPress attempts to encourage users to choose strong passwords instead, through both user interface as well as education.<\/p>\n\n\n\n Note that WordPress is not the only open sourceOpen Source<\/span> Open Source denotes software for which the original source code is made freely available and may be redistributed and modified. Open Source **must be** delivered via a licensing model, see GPL.<\/span><\/span><\/span> project to believe this. Drupal has similar arguments for the same thing.<\/a><\/p>\n\n\n\n This is a server configuration problem. Never enable If you get an email saying \u201cSomeone has asked to reset the password for the following site and username\u201d, this means someone visited the password reset page on your site. Anyone can visit this page, since it must be open to all for it to be accessible to those who have lost their password. Your password can be reset only by those who can read your email. If your email account has not been compromised, you can ignore this email.<\/p>\nWhat is a \u201csecurity\u201d issue?<\/h2>\n\n\n\n
Enhanced bounty rewards during BetaBeta<\/span> A pre-release of software that is given out to a large group of users to trial under real conditions. Beta versions have gone through alpha testing in-house and are generally fairly close in look, feel and function to the final product; however, design changes often occur as part of the process.<\/span><\/span><\/span> and Release Candidaterelease candidate<\/span> One of the final stages in the version release cycle, this version signals the potential to be a final release to the public. Also see alpha (beta)<\/a>.<\/span><\/span><\/span> phases<\/h2>\n\n\n\n
Where do I report security issues?<\/h2>\n\n\n\n
\n
trunk<\/code>, or a beta\/RC release, because there are some sites that run those in production.<\/li>\n<\/ul>\n\n\n\nWhere do I report copyright infringements, libel, and other legal issues?<\/h2>\n\n\n\n
\n
I\u2019ve been hacked. What do I do now?<\/h2>\n\n\n\n
\n
Why are some users allowed to post unfiltered HTMLHTML<\/span> HyperText Markup Language. The semantic scripting language primarily used for outputting content in web browsers.<\/span><\/span><\/span>?<\/h2>\n\n\n\n
define( 'DISALLOW_UNFILTERED_HTML', true );<\/code> to wp-config.php<\/code>.<\/p>\n\n\n\nWhy are disclosures of usernames or user IDs not a security issue?<\/h2>\n\n\n\n
GET \/wp-json\/wp\/v2\/users<\/code>. Making this publicly accessible is intentional.<\/p>\n\n\n\nWhy are there path disclosures when directly loading certain files?<\/h2>\n\n\n\n
display_errors<\/code> on a production siteProduction Site<\/span> A production site is a live site online meant to be viewed by your visitors, as opposed to a site that is staged for development or testing.<\/span><\/span><\/span>.<\/p>\n\n\n\nWhy did I get this \u201cPassword Reset\u201d email?<\/h2>\n\n\n\n