Who’s in charge of WordPress security?

Posted by Jodi Norris, Community Marketing Manager

Date posted: 20th Feb 2020

Category: WordPress


In 2019 we wrote a lot about WordPress security. We’ve highlighted how WordPress sites get hacked (spoiler – user error) and some security-conscious organisations that put their trust in WordPress, including the US White House, Facebook, and others. In discussing how WordPress sites get hacked, we briefly mentioned that there is a dedicated WordPress security team that helps keep WordPress safe.

Now, in this post, we’re going to go more in-depth with that topic, and discuss who’s actually responsible for keeping the WordPress software safe and secure for ~35% of the Internet (that’s the percentage of websites that WordPress powers in 2020).

WordPress has a dedicated security team

Let’s start at the beginning, with the specific team that’s dedicated to keeping WordPress safe.

If you’re not familiar with the WordPress development cycle, there are different teams tasked with keeping various parts of the project running smoothly, all headed up by the WordPress Core Leadership Team, with Matt Mullenweg at the helm.

One of those teams is the WordPress Security Team, which is made up of around 50 security experts.

About half of these experts work at Automattic, the parent company behind WordPress.com and a number of popular self-hosted WordPress plugins, while the other half are independent lead developers and security researchers.

The WordPress Security Team works with other WordPress development teams to ensure that there are no issues in new releases, and it’s also responsible for discovering and patching issues in existing WordPress releases.

In addition to the experts on the team itself, the WordPress Security Team also collaborates with other platforms to address vulnerabilities in common dependencies. For example, the WordPress and Drupal security teams collaborated to fix a vulnerability in WordPress’ PHP XML parser.

What is the security team responsible for?

It’s important to note that the main responsibility of the WordPress Security Team is the core WordPress software, not the entire WordPress ecosystem.

There are tens of thousands of WordPress themes and plugins, and it would be impossible for the team to manually assess the security of every single extension. This is why plugin vulnerabilities were one of the biggest attack vectors when we looked at the data on how WordPress sites get hacked.

That said, the Security Team doesn’t completely ignore WordPress plugins and themes. If the team does discover a vulnerability in a plugin, they’ll contact the plugin developer and work with the developer to fix the issue.

If the developer isn’t responsive to making those fixes, the team might pull the plugin from the WordPress.org plugin directory to avoid issues. Or, in some cases where there’s an extreme vulnerability (and/or the plugin is very popular), the team might step in and directly fix and update the plugin themselves.

Does the WordPress security team disclose security issues?

Yes, the WordPress Security Team follows a policy of Responsible Disclosure.

Essentially, Responsible Disclosure means that the security team does not immediately disclose security issues. Instead, they wait until the team can create a patch and fix the issue.

After that patch is released (and WordPress users have a chance to update), then the team will publicly disclose the vulnerability.

The whole community cares about security, too

While WordPress does have a dedicated team of 50+ experts focused on its security, those experts aren’t the only people working to keep WordPress safe.

As an open-source platform, WordPress has a whole community of thousands of volunteers with their eyeballs on the code. Many of these contributors are developers and security researchers themselves.

Additionally, WordPress further encourages the community to report security issues with its own WordPress bug bounty program.

There, individuals can, and do, report issues in the WordPress core software, as well as some associated tools like the Gutenberg and Classic editors, WP-CLI, and others.

These reports go to the WordPress Security Team, who are then tasked with fixing the problem (and then responsibly disclosing the issue once the patch is out).

You don’t have to handle security alone

The WP Security Team and community at large do a great job of keeping the WordPress software itself safe and secure, but they aren’t looking at your website. There is much more to security than just the CMS product itself.

If WordPress security is important, you will need an experienced WordPress agency to provide the consultancy, solution architecture and infrastructure to keep your website safe and secure in the toughest environments.
