WordPress Publishes Security White Paper

photo credit: Lock - (license)
photo credit: Lock(license)

As WordPress currently powers 23% of the web, the platform’s security is constantly under scrutiny. WordPress has long been a favorite target of hackers and spammers who want to get the most return on their efforts. Since the the platform powers millions of websites, a critical vulnerability with a popular plugin or WordPress core can affect a large chunk of the web in a short amount of time.

WordPress published a security white paper this week to help the public learn more about the core software security. Many consultants have had the experience of clients who are considering WordPress but are wondering if it’s secure. This document was created both for decision makers who are evaluating WordPress and developers who are building on top of the software.

The document is available as a PDF, and here’s what you’ll find inside:

This document is an analysis and explanation of the WordPress core software development and its related security processes, as well as an examination of the inherent security built directly into the software.

The white paper gives an introduction to the core leadership team, the WordPress Security Team, how a release cycle works, and responsible disclosure of vulnerabilities. The second half of the document covers common security vulnerabilities and how WordPress protects itself against those potential risks.

Just like WordPress itself, the security white paper is open to contribution. Anyone can submit a pull request on the WordPress repository.


The security white paper is in need of translations in order to be more accessible to WordPress’ global audience. If you can assist with a particular translation, the repository has simple instructions for how to submit it on GitHub.

To translate the white paper, please create a sub-directory of the project, giving it the correct ISO639 code (for example, pt for Portuguese), and submit a pull request.

WordPress consultants will find this white paper to be an excellent resource to refer to during sales negotiations. If you’re a developer just getting started learning about WordPress’ inherent security, the document is provides a solid overview.

Hackers who are looking to receive bounty for finding security vulnerabilities can find Automattic on HackerOne. The company regularly rewards hackers with bounty for security bugs discovered with WordPress.com, which is powered by the core WordPress software.


16 responses to “WordPress Publishes Security White Paper”

  1. I love the idea of a whitepaper explaining WordPress security. I am a bit worried about the tagline that “WordPress publishes a security white paper” as it’s not really the WordPress project doing so. It’s confusing that the document is part of WordPress.org, but that the Git repository is hosted on Automattic’s GitHub. Not only that, but specifically a repository for the WordPress.com VIP team – and the document consists only of contributions from that one organization.

    This does a great job of highlighting security with our product.

    It also does a considerable amount of damage to the WordPress v WordPress.org v WordPress.com v Automattic confusion that often plagues the minds of exactly the demographic for whom this document was written.

    • Eric – I agree. I don’t know why it isn’t on WordPress.org’s github repository instead. I am guessing because 50% of the WordPress security team is made up of Automattic employees, but you’re right – there should be a better distinction drawn here. The relationship is symbiotic in nature but very muddy to onlookers.

      • Rather confusing, isn’t it? The document is on the WordPress.org About page under security and clearly states that it is about WordPress core software security.

  2. Off the topic a little bit, but, they can secure and document all they want. WordPress will never be secure as long as any theme or plugin is allowed to run. Head on to themecheck.org. Look at some of the themes that get low scores. Look at the security breaches warnings, the malware, etc… There are still plugins with the timthumb and other dangerous scripts within plugins in the WordPress plugin repository.

    As long as the WordPress core allows themes and plugins to be activated that contain dangerous scripts, security breaching codes and malware, it will NEVER be a secure platform. The whole exercise of securing the core is like a joke. It is very similar for the US government securing the airports and seaports, but very little is done to secure the borders. So very easily, anyone can walk in through Mexico or Canada. It’s the same joke in a different form!

      • Samuel “Otto” Wood, let me start by saying that I appreciate and have respect to you guys (core developers) more than you can ever imagine. This lot are more intelligent and capable than I can even be.

        That said, talk is cheap, you can produce all the documents you want, nobody cares. We need to see actions, and not just any action, but meaningful actions. What you did to the plugins directory page just a few days ago was meaningless and made things worse. It’s not just me saying this, but the majority of the users. Also, reading from your comments regarding the plugin directory, it seems that activity, any activity good or bad is what you measure success. The measuring stick should be on results, and if things get better or not. I am sure that I’m 100% wrong here, but that is the perception that is presented by the team’s actions and comments. How is the new plugin page better than before? We can’t even see the new and updated plugins lists, and don’t let me started with the meaningless and pixel consuming images… I have to scroll more to see less! Unfortunately I had to shift off topic again to make a point.

        If the team wants to totally secure WordPress, then themes, and plugins should not be allowed to get activated that contain dangerous code – period (Scott that was for you).

        I am cheering for you guys, honestly, but avoiding or misrepresenting the facts is just wrong. Just making the core as secure as possible, is simply not enough, and it should not be acceptable. Somebody in the dev. team has to do the brave thing here…

        • I’m not sure how the reskin of the plugin directory is at all involved in security, but regardless of that, but given that it only changed 2 days ago, I’m not sure how you expect us to measure “results” there without, you know, some meaningful amount of time passing.

          Nevertheless, we do take plugin and theme security quite seriously. Plugins get updated and fixed all the time, and we’re in constant communication with plugin authors to notify them of found issues and to get those issues fixed. There have been two plugins fixed this week, but then it’s only Friday. We get a lot more security reports on the weekend.

          Aside from that, there are many people scanning the directory for known issues (like timthumb) and several good researchers out there who report to the plugins team on a semi-monthly basis with new findings. There is no misrepresentation of the facts involved here; when security issues are found, they are either fixed, removed, or otherwise dealt with in the most appropriate manner. For severe or widespread issues, we’ve sometimes bypassed authors and made fixes directly to the affected plugins. For cases like timthumb, we’ve scanned the repository, done mass emails to authors, manually removed plugins or helped users to otherwise stop using broken and unmaintained ones, and generally done at best as is possible.

          You seem to be overly focused on the fact that security issues exist at all. Sadly, that’s not going to change for any project, ever. Mistakes are made and bugs happen. Our concern is to prevent the problems when possible and to mitigate issues as quickly as is feasible. The plugin directory is not guaranteed to be safe (it actually says that right in the white paper, again, please read it). However, we do our utmost to correct issues whenever they appear in the best way that we can.

        • Hi. I do a lot of the top level reviews for plugins. I look at between 40 and 100 plugins a day. Most are new plugins. A lot are reviews for security or other guideline violations.

          I spend a lot of time doing that. I spent zero time on the theme skin. The majority of the plugin team spent no time at all on that theme. And the entire time Otto was working on the skinning, he was still available for me when I asked for a second set of eyes on things I wasn’t quite sure about.

          We’re a very quiet team.

          I kind of like the new layout, since it’s very welcoming to new users. It’s not just a big LIST of things, that rather is daunting. It’s a nicely formatted page. People like that :) I don’t need it, but then again, I’m a WP Dinosaur.

      • nick6352683,

        If the current version of WordPress was 100% secure. No bugs whatsoever then Otto, Mika and the rest would be out of their jobs.

        If a piece of software is 100% secure then no need for people to fix it since it is 100% secure.

        No matter how much Otto, Mika and rest look at themes/plugins…something will go oops once a while.

        For the amount that it costs to get WordPress, it’s themes and plugins….the security is awesome.


        Week passwords, username: ADMIN, easy to guess username/password. having unupdated theme/plugins, and so forth.

  3. Thanks for everyone checking out the paper, as Otto said above I’d recommend you really read it.

    As to where the source is hosted (which repository), can we just appreciate for a second that it’s a public thing anyone can contribute to, like the WordPress book? And that it’s under a CC Zero license! :) We’ll probably move it to another repo eventually, but just wanted to get it out there sooner rather than later.

  4. Thank you very much for putting this document together. It is good to be proactive and share information about the processes and steps taken to keep WordPress secure. I learned some things from reading it. Security is a process.

    It is my belief that WordPress is as secure or more secure than other similar CMS projects. It pains me when people make off-hand comments about the lack of WordPress security because it is clear they are not well informed. I guess that we don’t do ourselves any favors with the periodic security fire drills: a plugin or theme has a security issue and then people publish articles with headlines like “WordPress security issue, thousands of sites affected.” This is often well meaning, in that people are trying to get the word out, but it distorts the truth.

    Automatic updates are, in my opinion, tremendously important. I applaud the team that had the guts to go ahead with the effort despite the fears of many people.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: