Learn more about WordPress core software security in this free white paper. You can also download it in PDF format.

Overview

This document is an analysis and explanation of the WordPress core software development and its related security processes, as well as an examination of the inherent security built directly into the software. Decision makers evaluating WordPress as a content management system or web application framework should use this document in their analysis and decision-making, and developers should refer to it to familiarize themselves with the security components and best practices of the software.

The information in this document is up-to-date for the latest stable release of the software, WordPress 4.7 at time of publication, but should be considered relevant also to the most recent versions of the software, as backwards compatibility is a strong focus for the WordPress development team. Specific security measures and changes will be noted as they have been added to the core software in specific releases. It is strongly encouraged to always be running the latest stable version of WordPress to ensure the most secure experience possible.

Executive Summary

WordPress is a dynamic open-source content management system which is used to power millions of websites, web applications, and blogs. It currently powers more than 43% of the top 10 million websites on the Internet. WordPress' usability, extensibility, and mature development community make it a popular and secure choice for websites of all sizes.

Since its inception in 2003, WordPress has undergone continual hardening so its core software can address and mitigate common security threats, including the Top 10 list identified by The Open Web Application Security Project (OWASP) as common security vulnerabilities, which are discussed in this document.

The WordPress Security Team, in collaboration with the WordPress Core Leadership Team and backed by the WordPress global community, works to identify and resolve security problems in the core software available for distribution and installation at WordPress.org, as well as recommending and documenting security best practices for third-party plugin and theme authors.

Site developers and administrators should pay particular attention to the correct use of core APIs and underlying server configuration, which have been the source of common vulnerabilities, as well as ensuring all users use strong passwords to access WordPress.

An Overview of WordPress

WordPress is a free and open source content management system (CMS). It is the most widely-used CMS software in the world and it powers more than 43% of the top 10 million websites[1], giving it an estimated 62% market share of all sites using a CMS.

WordPress is licensed under the General Public License (GPLv2 or later) which provides four core freedoms, and can be considered as the WordPress "bill of rights":

  1. The freedom to run the program, for any purpose.
  2. The freedom to study how the program works, and change it to make it do what you wish.
  3. The freedom to redistribute.
  4. The freedom to distribute copies of your modified versions to others.

The WordPress Core Leadership Team

The WordPress project is a meritocracy, run by a core leadership team, and led by its co-creator and lead developer, Matt Mullenweg. The team governs all aspects of the project, including core development, WordPress.org, and community initiatives.

The Core Leadership Team consists of Matt Mullenweg, five lead developers, and more than a dozen core developers with permanent commit access. These developers have final authority on technical decisions, and lead architecture discussions and implementation efforts.

WordPress has a number of contributing developers. Some of these are former or current committers, and some are likely future committers. These contributing developers are trusted and veteran contributors to WordPress who have earned a great deal of respect among their peers. As needed, WordPress also has guest committers, individuals who are granted commit access, sometimes for a specific component, on a temporary or trial basis.

The core and contributing developers primarily guide WordPress development. Every version, hundreds of developers contribute code to WordPress. These core contributors are volunteers who contribute to the core codebase in some fashion.

The WordPress Release Cycle

Each WordPress release cycle is led by one or more of the core WordPress developers. A release cycle usually lasts around 4 months from the initial scoping meeting to launch of the version.

A release cycle follows the following pattern[2]:

  • Phase 1: Planning and securing team leads. This is done in the #core chat room on Slack. The release lead discusses features for the next release of WordPress. WordPress contributors get involved with that discussion. The release lead will identify team leads for each of the features.
  • Phase 2: Development work begins. Team leads assemble teams and work on their assigned features. Regular chats are scheduled to ensure the development keeps moving forward.
  • Phase 3: Beta. Betas are released, and beta-testers are asked to start reporting bugs. No more commits for new enhancements or feature requests are carried out from this phase on. Third-party plugin and theme authors are encouraged to test their code against the upcoming changes.
  • Phase 4: Release Candidate. There is a string freeze for translatable strings from this point on. Work is targeted on regressions and blockers only.
  • Phase 5: Launch. The WordPress version is launched and made available in the WordPress Admin for updates.

Version Numbering and Security Releases

A major WordPress version is dictated by the first two sequences. For example, 3.5 is a major release, as is 3.6, 3.7, or 4.0. There isn't a "WordPress 3" or "WordPress 4" and each major release is referred to by its numbering, e.g., "WordPress 3.9."

Major releases may add new user features and developer APIs. Though typically in the software world, a "major" version means you can break backwards compatibility, WordPress strives to never break backwards compatibility. Backwards compatibility is one of the project's most important philosophies, with the aim of making updates much easier on users and developers alike.

A minor WordPress version is dictated by the third sequence. Version 3.5.1 is a minor release, as is 3.4.2[3]. A minor release is reserved for fixing security vulnerabilities and addressing critical bugs only. Since new versions of WordPress are released so frequently — the aim is every 4-5 months for a major release, and minor releases happen as needed — there is only a need for major and minor releases.

Version Backwards Compatibility

The WordPress project has a strong commitment to backwards compatibility. This commitment means that themes, plugins, and custom code continue to function when WordPress core software is updated, encouraging site owners to keep their WordPress version updated to the latest secure release.

WordPress and Security

The WordPress Security Team

The WordPress Security Team is made up of approximately 50 experts including lead developers and security researchers — about half are employees of Automattic (makers of WordPress.com, the earliest and largest WordPress hosting platform on the web), and a number work in the web security field. The team consults with well-known and trusted security researchers and hosting companies[3].

The WordPress Security Team often collaborates with other security teams to address issues in common dependencies, such as resolving the vulnerability in the PHP XML parser, used by the XML-RPC API that ships with WordPress, in WordPress 3.9.2[4]. This vulnerability resolution was a result of a joint effort by both WordPress and Drupal security teams.

WordPress Security Risks, Process, and History

The WordPress Security Team believes in Responsible Disclosure by alerting the security team immediately of any potential vulnerabilities. Potential security vulnerabilities can be signaled to the Security Team via the WordPress HackerOne program[5]. The Security Team communicates among itself via a private Slack channel, and works on a walled-off, private Trac for tracking, testing, and fixing bugs and security problems.

Each security report is acknowledged upon receipt, and the team works to verify the vulnerability and determine its severity. If confirmed, the security team then plans for a patch to fix the problem which can be committed to an upcoming release of the WordPress software or it can be pushed as an immediate security release, depending on the severity of the issue.

For an immediate security release, an advisory is published by the Security Team to the WordPress.org News site[6] announcing the release and detailing the changes. Credit for the responsible disclosure of a vulnerability is given in the advisory to encourage and reinforce continued responsible reporting in the future.

Administrators of the WordPress software see a notification on their site dashboard to upgrade when a new release is available, and following the manual upgrade users are redirected to the About WordPress screen which details the changes. If administrators have automatic background updates enabled, they will receive an email after an upgrade has been completed.

Automatic Background Updates for Security Releases

Starting with version 3.7, WordPress introduced automated background updates for all minor releases[7], such as 3.7.1 and 3.7.2. The WordPress Security Team can identify, fix, and push out automated security enhancements for WordPress without the site owner needing to do anything on their end, and the security update will install automatically.

When a security update is pushed for the current stable release of WordPress, the core team will also push security updates for all the releases that are capable of background updates (since WordPress 3.7), so these older but still recent versions of WordPress will receive security enhancements.

Individual site owners can opt to remove automatic background updates through a simple change in their configuration file, but keeping the functionality is strongly recommended by the core team, as well as running the latest stable release of WordPress.

2013 OWASP Top 10

The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP Top 10 list[8] focuses on identifying the most serious application security risks for a broad array of organizations. The Top 10 items are selected and prioritized in combination with consensus estimates of exploitability, detectability, and impact.

The following sections discuss the APIs, resources, and policies that WordPress uses to strengthen the core software and third party plugins and themes against these potential risks.

A1 - Injection

There is a set of functions and APIs available in WordPress to assist developers in making sure unauthorized code cannot be injected, and help them validate and sanitize data. Best practices and documentation are available[9] on how to use these APIs to protect, validate, or sanitize input and output data in HTML, URLs, HTTP headers, and when interacting with the database and filesystem. Administrators can also further restrict the types of file which can be uploaded via filters.

A2 - Broken Authentication and Session Management

WordPress core software manages user accounts and authentication, and details such as the user ID, name, and password are managed on the server-side, as well as the authentication cookies. Passwords are protected in the database using standard salting and stretching techniques. Existing sessions are destroyed upon logout for versions of WordPress after 4.0.

A3 - Cross Site Scripting (XSS)

WordPress provides a range of functions which can help ensure that user-supplied data is safe[10]. Trusted users, that is administrators and editors on a single WordPress installation, and network administrators only in WordPress Multisite, can post unfiltered HTML or JavaScript as they need to, such as inside a post or page. Untrusted users and user-submitted content is filtered by default to remove dangerous entities, using the KSES library through the wp_kses function.

As an example, the WordPress core team noticed before the release of WordPress 2.3 that the function the_search_query() was being misused by most theme authors, who were not escaping the function's output for use in HTML. In a very rare case of slightly breaking backward compatibility, the function's output was changed in WordPress 2.3 to be pre-escaped.
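The following added example (not part of the white paper, and not core or plugin code from the WordPress project) shows the three layers the A1 and A3 sections describe applied in one plugin helper: sanitizing the input, binding it into the query with $wpdb->prepare(), and escaping on output. The function names and the shortcode tag are assumptions made for the example; a deliberately unsafe variant is shown first for contrast.

```php
<?php
/**
 * Added example, not from the white paper. Names here (example_unsafe_search,
 * example_safe_search, the [example_search] shortcode) are assumptions.
 */

// Unsafe variant, for contrast: raw request data is concatenated into SQL (A1)
// and the stored title is echoed back into the page unescaped (A3).
function example_unsafe_search( $term ) {
    global $wpdb;
    $rows = $wpdb->get_results( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%{$term}%'" );
    $html = '';
    foreach ( $rows as $row ) {
        $html .= '<li>' . $row->post_title . '</li>';
    }
    return $html;
}

// Hardened variant.
function example_safe_search( $term ) {
    global $wpdb;

    // 1. Sanitize: sanitize_text_field() strips tags, invalid UTF-8 and control characters.
    $term = sanitize_text_field( $term );
    if ( '' === $term ) {
        return '';
    }

    // 2. Prepare: escape LIKE wildcards, then bind the value through a %s placeholder.
    //    $wpdb->prepare() quotes and escapes the value, so it can never close the
    //    string literal and add SQL of its own. %d forces the limit to an integer.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_type = 'post' AND post_title LIKE %s
         LIMIT %d",
        $like,
        20
    );
    $rows = $wpdb->get_results( $sql );

    // 3. Escape on output: a title may contain anything an editor typed, so escape it
    //    for the HTML context it is printed into, and the URL for the href context.
    $html = '<ul>';
    foreach ( $rows as $row ) {
        $html .= sprintf(
            '<li><a href="%s">%s</a></li>',
            esc_url( get_permalink( $row->ID ) ),
            esc_html( $row->post_title )
        );
    }
    return $html . '</ul>';
}

// Shortcode wrapper, e.g. [example_search term="hello"]; attributes arrive unsanitized.
add_shortcode( 'example_search', function ( $atts ) {
    $atts = shortcode_atts( array( 'term' => '' ), $atts, 'example_search' );
    return example_safe_search( $atts['term'] );
} );
```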

A4 - Insecure Direct Object Reference

WordPress often provides direct object reference, such as unique numeric identifiers of user accounts or content available in the URL or form fields. While these identifiers disclose direct system information, WordPress' rich permissions and access control system prevents unauthorized requests.

A5 - Security Misconfiguration

The majority of the WordPress security configuration operations are limited to a single authorized administrator. Default settings for WordPress are continually evaluated at the core team level, and the WordPress core team provides documentation and best practices to tighten security for server configuration for running a WordPress site[11].

A6 - Sensitive Information Exposure

WordPress user account passwords are salted and hashed based on the Portable PHP Password Hashing Framework[12]. WordPress' permission system is used to control access to private information such as registered users' PII, commenters' email addresses, privately published content, etc. In WordPress 3.7, a password strength meter was included in the core software, providing additional information to users setting their passwords and hints on increasing strength. WordPress also has an optional configuration setting for requiring HTTPS.

A7 - Missing Function Level Access Control

WordPress checks for proper authorization and permissions for any function level access requests prior to the action being executed. Access or visualization of administrative URLs, menus, and pages without proper authentication is tightly integrated with the authentication system to prevent access from unauthorized users.

A8 - Cross Site Request Forgery (CSRF)

WordPress uses cryptographic tokens, called nonces[13], to validate the intent of action requests from authorized users to protect against potential CSRF threats. WordPress provides an API for the generation of these tokens to create and verify unique and temporary tokens, and the token is limited to a specific user, a specific action, a specific object, and a specific time period, which can be added to forms and URLs as needed. Additionally, all nonces are invalidated upon logout.

A9 - Using Components with Known Vulnerabilities

The WordPress core team closely monitors the few included libraries and frameworks WordPress integrates with for core functionality. In the past the core team has made contributions to several third-party components to make them more secure, such as the update to fix a cross-site vulnerability in TinyMCE in WordPress 3.5.2[14].

If necessary, the core team may decide to fork or replace critical external components, such as when the SWFUpload library was officially replaced by the Plupload library in 3.5.2, and a secure fork of SWFUpload was made available by the security team[15] for those plugins which continued to use SWFUpload in the short term.

A10 - Unvalidated Redirects and Forwards

WordPress' internal access control and authentication system will protect against attempts to direct users to unwanted destinations or automatic redirects. This functionality is also made available to plugin developers via an API, wp_safe_redirect()[16].
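As an added example (not from the white paper, and not code from the WordPress project), the handler below puts the A7, A8 and A10 controls together in one admin action: a capability check, nonce verification, and a safe redirect back into the admin area. The action name, option name, and the choice of the manage_options capability are assumptions for this example.

```php
<?php
/**
 * Added example, not from the white paper. 'example_clear_cache', the option
 * 'example_cache_entries' and the '_example_nonce' field name are assumptions.
 */

// Renders the form on an admin screen. The nonce field is bound to the current
// user, to the action name, and to a time window (24 hours by default).
function example_render_clear_cache_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // A7: users who could not perform the action do not get the form.
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_clear_cache">
        <?php wp_nonce_field( 'example_clear_cache', '_example_nonce' ); ?>
        <input type="hidden" name="redirect_to" value="<?php echo esc_attr( admin_url( 'tools.php' ) ); ?>">
        <?php submit_button( 'Clear cache' ); ?>
    </form>
    <?php
}

// Handles the POST. admin-post.php routes 'admin_post_{action}' to logged-in users only.
function example_handle_clear_cache() {
    // A7: the capability check comes first; wp_die() stops execution with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }

    // A8: the nonce must match this user, this action and the current time window.
    // check_admin_referer() calls wp_die() itself when verification fails.
    check_admin_referer( 'example_clear_cache', '_example_nonce' );

    // The state change is only reached after both checks passed.
    delete_option( 'example_cache_entries' );

    // A10: wp_safe_redirect() only follows URLs whose host is the site's own or
    // one added via the 'allowed_redirect_hosts' filter; anything else falls back
    // to the admin URL, so a tampered redirect_to cannot send the user off-site.
    $target = isset( $_POST['redirect_to'] ) ? wp_unslash( $_POST['redirect_to'] ) : '';
    if ( '' === $target ) {
        $target = admin_url( 'tools.php' );
    }
    wp_safe_redirect( add_query_arg( 'example_cleared', '1', $target ) );
    exit;
}
add_action( 'admin_post_example_clear_cache', 'example_handle_clear_cache' );
```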

Further Security Risks and Concerns

XXE (XML eXternal Entity) processing attacks

When processing XML, WordPress disables the loading of custom XML entities to prevent both External Entity and Entity Expansion attacks. Beyond PHP's core functionality, WordPress does not provide an additional secure XML processing API for plugin authors.

SSRF (Server Side Request Forgery) Attacks

HTTP requests issued by WordPress are filtered to prevent access to loopback and private IP addresses. Additionally, access is only allowed to certain standard HTTP ports.
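The filtering described above is applied when a plugin uses the "safe" variants of the HTTP API. The added example below (not from the white paper, and not code from the WordPress project) fetches a user-supplied URL through wp_safe_remote_get(), which validates the host and port with wp_http_validate_url() before sending, and shows the explicit opt-in filter for a single internal host. The function name and the internal hostname are assumptions.

```php
<?php
/**
 * Added example, not from the white paper. example_fetch_feed() and the
 * hostname 'metrics.internal.example' are assumptions made for this example.
 */

function example_fetch_feed( $url ) {
    // Accept only http(s); esc_url_raw() returns '' for any other scheme.
    $url = esc_url_raw( $url, array( 'http', 'https' ) );
    if ( '' === $url ) {
        return new WP_Error( 'example_bad_url', 'Only http and https URLs are accepted.' );
    }

    // The "safe" variant sets reject_unsafe_urls, so the host is resolved and
    // checked against loopback/private ranges and the allowed ports before the
    // request goes out; plain wp_remote_get() performs no such check.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) ) {
        // A rejected address surfaces as a WP_Error with code 'http_request_failed'.
        return $response;
    }
    return wp_remote_retrieve_body( $response );
}

// Opt-in for one internal host that a plugin legitimately needs to reach; every
// other loopback or private address stays blocked. The hostname is hypothetical.
add_filter( 'http_request_host_is_external', function ( $external, $host, $url ) {
    if ( 'metrics.internal.example' === $host ) {
        return true;
    }
    return $external;
}, 10, 3 );
```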

WordPress Plugin and Theme Security

The Default Theme

WordPress requires a theme to be enabled to render content visible on the frontend. The default theme which ships with core WordPress (currently "Twenty Twenty-Two") has been vigorously reviewed and tested for security reasons by both the team of theme developers and the core development team.

The default theme can serve as a starting point for custom theme development, and site developers can create a child theme which includes some customization but falls back on the default theme for most functionality and security. The default theme can be easily removed by an administrator if not needed.

WordPress.org Theme and Plugin Repositories

There are approximately 50,000+ plugins and 5,000+ themes listed on the WordPress.org site. These themes and plugins are submitted for inclusion and are manually reviewed by volunteers before making them available on the repository.

Inclusion of plugins and themes in the repository is not a guarantee that they are free from security vulnerabilities. Guidelines are provided for plugin authors to consult prior to submission for inclusion in the repository[17], and extensive documentation about how to do WordPress theme development[18] is provided on the WordPress.org site.

Each plugin and theme has the ability to be continually developed by the plugin or theme owner, and any subsequent fixes or feature development can be uploaded to the repository and made available to users with that plugin or theme installed, with a description of that change. Site administrators are notified of plugins which need to be updated via their administration dashboard.

When a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin. If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.

The Theme Review Team

The Theme Review Team is a group of volunteers, led by key and established members of the WordPress community, who review and approve themes submitted to be included in the official WordPress Theme directory. The Theme Review Team maintains the official Theme Review Guidelines[19], the Theme Unit Test Data[20], and the Theme Check Plugin[21], and attempts to engage and educate the WordPress Theme developer community regarding development best practices. Inclusion in the group is moderated by core committers of the WordPress development team.

The Role of the Hosting Provider in WordPress Security

WordPress can be installed on a multitude of platforms. Though WordPress core software provides many provisions for operating a secure web application, which were covered in this document, the configuration of the operating system and the underlying web server hosting the software is equally important to keep the WordPress applications secure.

A Note about WordPress.com and WordPress security

WordPress.com is the largest WordPress installation in the world, and is owned and managed by Automattic, Inc., which was founded by Matt Mullenweg, the WordPress project co-creator. WordPress.com runs on the core WordPress software, and has its own security processes, risks, and solutions[22]. This document refers to security regarding the self-hosted, downloadable open source WordPress software available from WordPress.org and installable on any server in the world.

Appendix

Core WordPress APIs

The WordPress Core Application Programming Interface (API) is comprised of several individual APIs[23], each one covering the functions involved in, and use of, a given set of functionality. Together, these form the project interface which allows plugins and themes to interact with, modify, and extend WordPress core functionality safely and securely.

While each WordPress API provides best practices and standardized ways to interact with and extend WordPress core software, the following WordPress APIs are the most pertinent to enforcing and hardening WordPress security:

Database API

The Database API[24], added in WordPress 0.71, provides the correct method for accessing data as named values which are stored in the database layer.

Filesystem API

The Filesystem API[25], added in WordPress 2.6[26], was originally created for WordPress' own automatic updates feature. The Filesystem API abstracts out the functionality needed for reading and writing local files to the filesystem to be done securely, on a variety of host types.

It does this through the WP_Filesystem_Base class, and several subclasses which implement different ways of connecting to the local filesystem, depending on individual host support. Any theme or plugin that needs to write files locally should do so using the WP_Filesystem family of classes.

HTTP API

The HTTP API[27], added in WordPress 2.7[28] and extended further in WordPress 2.8, standardizes the HTTP requests for WordPress. The API handles cookies, gzip encoding and decoding, chunk decoding (if HTTP 1.1), and various other HTTP protocol implementations. The API standardizes requests, tests each method prior to sending, and, based on your server configuration, uses the appropriate method to make the request.

Permissions and current user API

The permissions and current user API[29] is a set of functions which will help verify the current user's permissions and authority to perform any task or operation being requested, and can protect further against unauthorized users accessing or performing functions beyond their permitted capabilities.

White paper content License

The text in this document (not including the WordPress logo or trademark) is licensed under CC0 1.0 Universal (CC0 1.0) Public Domain Dedication. You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.

A special thank you to Drupal's security white paper, which provided some inspiration.

Additional Reading

  • WordPress News https://wordpress.org/news/
  • WordPress Security releases https://wordpress.org/news/category/security/
  • WordPress Developer Resource https://developer.wordpress.org/

Authored by Sara Rosso

Contributions from Barry Abrahamson, Michael Adams, Jon Cave, Helen Hou-Sandí, Dion Hulse, Mo Jangda, Paul Maiorana

Version 1.0 March 2015


Footnotes

  • [1] https://w3techs.com/, as of Dec 2019
  • [2] https://make.wordpress.org/core/handbook/about/release-cycle/
  • [3] https://make.wordpress.org/core/handbook/about/release-cycle/version-numbering/
  • [4] https://wordpress.org/news/2014/08/wordpress-3-9-2/
  • [5] https://hackerone.com/wordpress
  • [6] https://wordpress.org/news/
  • [7] https://wordpress.org/news/2013/10/basie/
  • [8] https://www.owasp.org/index.php/Top_10_2013-Top_10
  • [9] https://developer.wordpress.org/plugins/security/
  • [10] https://codex.wordpress.org/Data_Validation#HTML.2FXML
  • [11] https://wordpress.org/support/article/hardening-wordpress/
  • [12] https://www.openwall.com/phpass/
  • [13] https://developer.wordpress.org/plugins/security/nonces/
  • [14] https://wordpress.org/news/2013/06/wordpress-3-5-2/
  • [15] https://make.wordpress.org/core/2013/06/21/secure-swfupload/
  • [16] https://developer.wordpress.org/reference/functions/wp_safe_redirect/
  • [17] https://wordpress.org/plugins/developers/
  • [18] https://developer.wordpress.org/themes/getting-started/
  • [19] https://make.wordpress.org/themes/handbook/review/
  • [20] https://codex.wordpress.org/Theme_Unit_Test
  • [21] https://wordpress.org/plugins/theme-check/
  • [22] https://automattic.com/security/
  • [23] https://codex.wordpress.org/WordPress_APIs
  • [24] https://developer.wordpress.org/apis/handbook/database/
  • [25] https://codex.wordpress.org/Filesystem_API
  • [26] https://wordpress.org/support/wordpress-version/version-2-6/
  • [27] https://developer.wordpress.org/plugins/http-api/
  • [28] https://wordpress.org/support/wordpress-version/version-2-7/
  • [29] https://developer.wordpress.org/reference/functions/current_user_can/