
As WordPress currently powers 23% of the web, the platform’s security is constantly under scrutiny. WordPress has long been a favorite target of hackers and spammers who want to get the most return on their efforts. Since the platform powers millions of websites, a critical vulnerability in a popular plugin or in WordPress core can affect a large chunk of the web in a short amount of time.
WordPress published a security white paper this week to help the public learn more about the core software security. Many consultants have had the experience of clients who are considering WordPress but are wondering if it’s secure. This document was created both for decision makers who are evaluating WordPress and developers who are building on top of the software.
The document is available as a PDF, and here’s what you’ll find inside:
This document is an analysis and explanation of the WordPress core software development and its related security processes, as well as an examination of the inherent security built directly into the software.
The white paper gives an introduction to the core leadership team, the WordPress Security Team, how a release cycle works, and responsible disclosure of vulnerabilities. The second half of the document covers common security vulnerabilities and how WordPress protects itself against those potential risks.
Just like WordPress itself, the security white paper is open to contribution. Anyone can submit a pull request on the WordPress repository.
The security white paper is in need of translations in order to be more accessible to WordPress’ global audience. If you can assist with a particular translation, the repository has simple instructions for how to submit it on GitHub.
To translate the white paper, please create a sub-directory of the project, giving it the correct ISO 639 language code (for example, pt for Portuguese), and submit a pull request.
WordPress consultants will find this white paper to be an excellent resource to refer to during sales negotiations. If you’re a developer just getting started learning about WordPress’ inherent security, the document provides a solid overview.
Hackers who are looking to receive a bounty for finding security vulnerabilities can find Automattic on HackerOne. The company regularly rewards hackers with bounties for security bugs discovered in WordPress.com, which is powered by the core WordPress software.
I love the idea of a whitepaper explaining WordPress security. I am a bit worried about the tagline that “WordPress publishes a security white paper” as it’s not really the WordPress project doing so. It’s confusing that the document is part of WordPress.org, but that the Git repository is hosted on Automattic’s GitHub. Not only that, but specifically a repository for the WordPress.com VIP team – and the document consists only of contributions from that one organization.
This does a great job of highlighting security with our product.
It also does a considerable amount of damage to the WordPress v WordPress.org v WordPress.com v Automattic confusion that often plagues the minds of exactly the demographic for whom this document was written.