DEV Community

Dr. Michael Garbade

How WordPress Security Team Protects WordPress Core

Have you ever wondered what makes WordPress secure? If so, we have you covered: this post goes through how WordPress security works.

WordPress is the number one content management system. But that also makes it the number one target for hackers.

Jpolansky, a cybersecurity expert from the United States, thinks along similar lines. His work centers on network monitoring, which focuses on understanding network data and identifying threats. According to him, WordPress's popularity is what makes it an ideal target for hackers, and it is the job of the WordPress security team and ethical hackers to find the loopholes and fix them!

Is WordPress Insecure?

WordPress is one of the most vulnerable content management systems out there. More than 70% of WordPress websites have some form of vulnerability.

However, out of that 70% of infected WordPress websites, only 10% are due to weaknesses in the WordPress core. On top of that, these sites are hacked because they were running an old WordPress build and had not been updated to a more secure WordPress version.

Most of the hacks are zero-day exploits, which are fixed by the WordPress team as soon as they come out.

The hacks also happen because the site uses bad themes, plugins, or hosting. Even a careless end user can make their site insecure and vulnerable to hackers.

In short, WordPress is not secure. The reason behind it is its ecosystem. It is the accumulation of different aspects, including users, plugins, and themes, which means the majority of WordPress websites are vulnerable.

Security Releases

The WordPress release cycle is at the core of improving WordPress with each release.

It starts with the formation of the core team, followed by a discussion of features. Once the features are decided upon, the team moves to the development phase. Next, they release betas to test the build and find any bugs associated with it. The release candidate is then followed by the launch.

WordPress version numbering determines if it is a major release or a security release.

Major releases are identified by the first two numbers in the sequence. So, that means that 5.0, 4.9, 3.5, etc. are all major releases.

The minor releases, however, are aimed at providing fixes for critical bugs and vulnerabilities.

So, what does that mean for a WordPress user? Not only do they have to update to major releases, they also have to keep updating to the minor releases. The minor releases are aimed at security and should not be ignored at any cost. Security releases are pushed automatically to WordPress websites unless the admin has turned them off.
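
As an added example (not code from the original post or from the WordPress project), the Python sketch below applies the numbering rule above to check whether an install is missing minor releases in its own major branch, and whether its wp-config.php turns off the automatic updates that deliver them. The release list and config text are constructed sample data; WP_AUTO_UPDATE_CORE and AUTOMATIC_UPDATER_DISABLED are the WordPress configuration constants that control automatic core updates.

```python
import re

# Constructed sample data: the release list and wp-config.php fragment are illustrative.
RELEASED = ["4.9", "4.9.1", "4.9.8", "5.0", "5.0.1", "5.0.3"]
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example' );
// define( 'WP_AUTO_UPDATE_CORE', false );
define( 'AUTOMATIC_UPDATER_DISABLED', true );
"""

def parse(version):
    """Split 'X.Y[.Z]' into ((X, Y), Z); a missing Z is the major release itself."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"not a WordPress version: {version!r}")
    return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)

def release_kind(version):
    """'major' for X.Y (or X.Y.0), 'minor' for X.Y.Z with Z > 0."""
    return "minor" if parse(version)[1] else "major"

def audit(installed, released=RELEASED):
    """Report how far an install is behind on minor and major releases."""
    branch, patch = parse(installed)
    parsed = [parse(v) for v in released]
    latest = max((p for b, p in parsed if b == branch), default=patch)
    return {
        "missing_minor_releases": sorted(p for b, p in parsed if b == branch and p > patch),
        "latest_in_branch": f"{branch[0]}.{branch[1]}" + (f".{latest}" if latest else ""),
        "newer_major_available": any(b > branch for b, _ in parsed),
    }

# Matches define( 'NAME', value ); on a single line.
DEFINE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(.+?)\s*\)\s*;")

def core_auto_updates_disabled(config_text):
    """True if wp-config.php switches off automatic minor (security) updates."""
    # Drop // and # line comments so commented-out defines are ignored
    # (/* ... */ block comments are not handled in this sketch).
    code = "\n".join(re.split(r"//|#", line)[0] for line in config_text.splitlines())
    settings = {name: value.strip("'\"").lower() for name, value in DEFINE.findall(code)}
    return (settings.get("AUTOMATIC_UPDATER_DISABLED") == "true"
            or settings.get("WP_AUTO_UPDATE_CORE") == "false")
```

An install that reports missing minor releases while core_auto_updates_disabled() is true is the case the paragraph above warns about: security fixes exist for its branch, but nothing will apply them until an admin does.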

Role of WordPress Security Team

So, who keeps WordPress core safe from all the vulnerabilities and hacks? It is the “WordPress Security Team.”

The security team consists of approximately 50 experts - a group of security researchers and lead developers. Their work is to collaborate with other security teams all around the world and ensure that vulnerabilities are fixed before they are exploited by hackers.

The security team is proactive in its approach and always ensures that potential vulnerabilities are put forward and fixed as soon as possible.

How secure is the WordPress core?

Over the years, WordPress has seen many major and minor releases.

WordPress follows OWASP to ensure that it maintains the same level of security.

OWASP is the Open Web Application Security Project for web application security. It is community-driven and extremely comprehensive.

The top 10 OWASP threats have been covered and secured in WordPress. They include the following.

  • Injection
  • Session Management and Broken Authentication
  • Cross-Site Scripting (XSS)
  • Insecure Direct Object Reference
  • Sensitive Data Exposure
  • Security Misconfiguration
  • Missing Function Level Access Control
  • Using Components with Known Vulnerabilities
  • Cross-Site Request Forgery (CSRF)
  • Unvalidated Forwards and Redirects

Apart from the top 10 threats, other security concerns are also handled by OWASP. As a WordPress user, you should not worry about the major vulnerabilities at all.

If you would like to help with WordPress security, you should learn about Ethical Hacking Basics. You can pick up the basics of ethical hacking and grow as a security expert, and maybe one day help secure WordPress core!

WordPress Security as a process

The WordPress ecosystem is huge. It consists of plugins and themes developed by countless third-party developers. The code quality of those plugins and themes also determines whether your site is secure or not.

As an administrator, you need to secure your website correctly. You can also use the Sucuri, WordFence, and BulletProof plugins to automate most of the site's security. These plugins or services provide WordPress security as a process. WordPress security is a huge topic, and many companies are working hard to secure your website!

What’s next?

WordPress security is essential for all of its users and for the web itself. If it stays secure, then most of the internet stays secure, considering that 30% of websites are built with it.

So, what do you think about WordPress security?

Comment below and let us know.
