Title: Security
Author: WordPress.org
Published: 1 December 2025

---

# Security

We take the security of the WordPress project and the ecosystem seriously. With 
[over 20 years of history](https://wordpress.org/about/history/) and powering more
than 43% of the web, we’re committed to ensuring security for all, from solo bloggers
to enterprise organizations.

WordPress encourages responsible disclosure of vulnerabilities in WordPress core,
in plugins and themes available on WordPress.org, or in the wider WordPress ecosystem.

If you believe you have found a vulnerability in WordPress, please keep it confidential
and [report it to the WordPress Security Team](https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/).

If you believe you have found a vulnerability in a WordPress plugin or theme available
on WordPress.org, please keep it confidential.

 * For plugin vulnerabilities, [report it to the plugin developer and the plugins team](https://developer.wordpress.org/plugins/wordpress-org/plugin-security/reporting-plugin-security-issues/).
 * For theme vulnerabilities, [report it to the theme developer and the theme review team](https://developer.wordpress.org/themes/theme-security/theme-security-issues/).

## Our process

The WordPress project is committed to providing a stable, secure, trusted platform
for more than 43% of the web. The [core WordPress software development lifecycle](https://make.wordpress.org/core/handbook/contribute/codebase/)
includes code review throughout the process, with open-source contributions reviewed
by trusted committers.

The WordPress Security Team works to identify and resolve security issues across
the WordPress core software, harden the software against threats such as the [OWASP Top Ten](https://owasp.org/www-project-top-ten/),
and [provide guidance](https://developer.wordpress.org/apis/security/) across the
ecosystem.

In addition to more than 50 trusted experts, including lead developers, security
researchers, and key contributors to every component of WordPress, [sponsored members of the Security Team](https://wordpress.org/five-for-the-future/)
dedicate time to identifying and addressing concerns in the software and ecosystem.

To address responsibly disclosed security vulnerabilities, the Security Team works
to develop fixes, create robust test cases, and [release those fixes in bugfix releases](https://wordpress.org/news/category/security/).
While only the latest version of WordPress is officially supported, the Security
Team also [backports fixes to older versions as a courtesy](https://make.wordpress.org/security/2022/09/07/dropping-security-updates-for-wordpress-versions-3-7-through-4-0/),
to ensure older sites receive critical security fixes via auto-updates.

The Security Team also works directly with significant web hosting operators and
security ecosystem providers to detect and mitigate threats to WordPress-based sites,
including coordinating release rollouts and developing web application firewall
(WAF) mitigations.

Learn more about the [WordPress project’s security stance in our whitepaper](https://github.com/WordPress/Security-White-Paper/blob/master/WordPressSecurityWhitePaper.pdf?raw=true).

## Plugin Developers

The [Security guide in the Common APIs handbook](https://developer.wordpress.org/apis/security/)
is your go-to guide for secure development principles.

If you believe you've identified a security problem in your own plugin, the WordPress
plugins team is here to support you.

[Find out more about how to address security issues in your plugin.](https://developer.wordpress.org/plugins/wordpress-org/plugin-security/)

## Theme Developers

The [Security guide in the Common APIs handbook](https://developer.wordpress.org/apis/security/)
is your go-to guide for secure development principles.

If you believe you've identified a security problem in your own theme, the WordPress
theme review team is here to support you.

[Find out more about how to address security issues in your theme.](https://developer.wordpress.org/themes/theme-security/theme-security-issues/)

## Web Hosts

The [Security guide in the Advanced Administration handbook](https://developer.wordpress.org/advanced-administration/security/)
contains key information on how to secure your hosting environment.

We also strongly recommend [publishing a responsible disclosure policy](https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#receiving-vulnerability-reports)
of your own.