WordPress Security

About WordPress Security

What is a "security" issue?

A security issue (or security vulnerability) is a type of bug that affects the security of WordPress installations.
If you've found a bug in the WordPress core code that you have determined can be used to gain some level of access to a site running WordPress that you should not have, then that is a security issue.
Before you report a security issue, please bear in mind the following:
  1. Your blog being "hacked" is not a security issue. A security issue will involve knowing how the attacker got in and hacked your site. If you have details on the attack vector, then email us. If not, report the issue on the Support Forums.
  2. Forgetting your password or losing access to your site is not a security issue. You should try resetting your password or contacting your site administrator or host for help.
  3. Generally, security issues are complex problems. If you want to report a security issue, then that's great! You're in the right place. However, be sure that what you're reporting is actually a security issue so you don't waste your own time or that of the experts you report it to.
  4. The security mailing addresses are NOT for support. Don't send general problems to them. Your message will not be replied to. Use the Support Forums instead.

Where do I report security issues?

Before reporting a security issue, please make sure you've read the section above and determined that the issue is actually one of security.
  • For a security issue, please see the Automattic Security page.
  • For a WordPress plugin security issue, email plugins [at] with as much detail as you can. You should also contact the plugin developer either via email (if it's listed in the plugin source code), or by posting in the support forum on their plugin page asking how best to send them details.
  • For a security issue with the self-hosted version of WordPress, email security [at] with as much detail as you can.
In all cases, you should never publish details of a security vulnerability. Doing so is irresponsible and unprofessional.