The recent WordPress Security White Paper, published in March, is a must read for CMS decision makers for analysis and for the developers to familiarise with security best practices and components.

Why should you read it? or even be bothered? because as of 2014, 74.5 million sites depend on WordPress. And if you’ve been following the WordPress security updates, you know that a poorly setup WordPress site is a hacker favorite.

The whitepaper essentially covers details about the core software development, security processes and how the software has the  security built in.

Have a look at this white paper here.

wordpress security whitepaper

For most of this post, I would like to you to pay attention to the WordPress security ecosystem – how it is set up to identify, detect and deal with security issues.

The crucial task of identifying and resolving security issues is carried out mainly by the security team and the core leadership team. These two teams are backed up by the global WordPress community.

Who make up the core leadership team and the security team?

The WordPress core leadership team comprise of Matt Mullenweg who is the co-creator and lead developer, 5 lead developers and core developers. The core developers contribute to the core codebase and these members along with the contributing developers guide the lead developers. The contributing developers could be former, current or the future developers.

The WordPress Security team consists of 25 people who comprise of the lead developers and the security researchers.

“Time and again we stress on keeping your website updated and running on the latest version! This is to ensure the most secure experience for you.”

Security releases ensure all the new features and bug fixes have been made. These releases may be a minor or a major release. You can identify this by the version number. A difference between the new version 4.2 and 4.2.2 is that the first one is a major release and the second a minor release.

Major releases comprise the main feature changes, developer APIs and more. At this stage, it is acceptable to break the backward compatibility. The major releases usually occur every 4-5 months whereas minor releases happen if and when required and mostly consists of the security vulnerabilities and critical bugs.

The process of evaluating a security risk and process happens as following:

  1. Anyone can alert the security team about any vulnerabilities by sending them an email to [email protected]. The team also discuss among themselves via private mail on all things security.
  2.  Once the severity of the vulnerability is determined it is either fixed in the upcoming security release or if the severity is more it is pushed for an immediate release.
  3. You will receive the notification on your dashboard asking you for an update or if automatic updates have been enabled you will receive an email once it is updated.[bctt tweet=”The WordPress Security Team can push out automated security enhancements”]


The themes are present to make the content visible on the front end. There is a default theme that is reviewed and tested by the theme developers. You can make a child theme, but the security and the functionalities are of the default theme.

There are about 30000+ plugins and 2000+ themes. These inclusions and reviews are done by volunteers and there is no guarantee that they are free from security issues. The theme developers are given guidelines before submissions. The fixes and features can be uploaded on the repository and if there are any security risks the author will be contacted. The plugin author and the security team work together, or if the author does not respond the plugin is removed or the security team will update it.

The theme review team has a set of guidelines for theme developers to ensure code quality, presentation and features are up to mark. Anyone can apply to join this team. There are detailed guidelines for a plugin developer too.

[bctt tweet=”Test all your themes and plugins against latest standards and practices using Theme Check”]

theme check plugin wordpress security standards


While securing your WordPress installation has been addressed in this whitepaper, it is also important to note that the underlying operating system and web server play an equally important role in security. So, please check with your hosting provider to ensure they’re following good practices.

[content_band inner_container=”true” no_margin=”true” padding_top=”0px” padding_bottom=”0px” border=”none” bg_color=”#eded6f”]

Looking for help in securing your WordPress website? Get in touch.

Error: Contact form not found.


Related Posts

Why a Custom WordPress Theme Is The Solution For Better...

The WordPress is quite “democratic.” Its applications range from personal blogs and non-profit organizations to e-commerce platforms. World-famous companies like Mercedes-Benz, Microsoft, and Bloomberg all choose WordPress. How can they […]

The Website Migration Process: What You Need To Know In...

Website migration is the process of changing a website’s domain name or moving it from one environment to another. A transition is referred to as a migration in SEO terms […]

How Safe Is Website on WordPress? Here’s What You Need...

Every website owner should consider WordPress security. Google adds around 10,000 malware-infested and 50,000 phishing sites to its blocklist daily and weekly, respectively. If you care about your website, you […]

Schedule a call