Where do I report security issues?
Send an email with the details to firstname.lastname@example.org.
Where do I report copyright infringements, libel, and other legal issues?
You don't! WordPress.org does not host sites. WordPress.org provides publishing software that anyone can download and use. The organization, WordPress.org, has no control over who uses the software or how they use it. In other words, WordPress.org does NOT have the power to take down comments, posts, sites, or anything else. Perform a whois lookup to track down the operator or host of a particular site, then report the infringement to those organizations.
I've been hacked. What do I do now?
The Exploit Scanner plugin can help detect damage so that it can be cleaned up. Other things you should do:
- Change passwords for all users, especially Administrators and Editors.
- If you upload files to your site via FTP, change your FTP password.
- Re-install the latest version of WordPress.
- Make sure all of your plugins and themes are up-to-date.
- Update your security keys (see Editing wp-config.php: Security Keys).
- See FAQ My Site Was Hacked.
Why are some users allowed to post unfiltered HTML?
Users with Administrator or Editor privileges are allowed to publish unfiltered HTML in post titles and content. WordPress is, after all, a publishing tool, and people need to be able to include whatever markup they need to communicate. Users with lesser privileges are not allowed to post unfiltered content. If you are running security tests against WordPress, use a less-privileged user so that all content is filtered. If you are concerned about an Administrator putting XSS into content and stealing cookies, note that all cookies are marked for HTTP-only delivery and are divided into privileged cookies used for admin pages and unprivileged cookies used for public-facing pages. Content is never displayed unfiltered in the admin. Regardless, an Administrator has wide-ranging superpowers, among which unfiltered HTML is a lesser one.
Why are there path disclosures when directly loading certain files?
This is considered a server configuration problem. Never enable display_errors on a production site.
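An added example (not part of the original FAQ and not WordPress code): a small Python check that flags lines turning display_errors on in php.ini, .htaccess, or PHP files such as wp-config.php. The function name and the sample inputs are constructed for illustration, and any value other than PHP's "off" forms is treated as enabled.

```python
import re

# Values PHP's ini parser reads as "off"; anything else is flagged (conservative).
OFF_VALUES = {"0", "off", "no", "false", "none", ""}

# One pattern per place display_errors is commonly set.
PATTERNS = [
    # php.ini / .user.ini:   display_errors = On
    re.compile(r"^\s*display_errors\s*=\s*(?P<val>[^;\s]*)", re.I),
    # .htaccess (mod_php):   php_flag display_errors on
    re.compile(r"^\s*php_(?:admin_)?(?:flag|value)\s+display_errors\s+(?P<val>\S*)", re.I),
    # PHP source:            ini_set('display_errors', 1);
    re.compile(r"ini_set\s*\(\s*['\"]display_errors['\"]\s*,\s*(?P<val>[^)]*?)\s*\)", re.I),
]

def find_display_errors(text):
    """Return [(line_no, value)] for every line that turns display_errors on."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith((";", "#", "//", "*", "/*")):
            continue  # skip ini, Apache and PHP comment lines
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                val = m.group("val").strip("'\" ").lower()
                if val not in OFF_VALUES:
                    hits.append((no, val))
                break
    return hits

# Constructed sample inputs (not taken from any real server).
SAMPLE_PHP_INI = """\
; constructed sample
display_errors = On
log_errors = On
"""
SAMPLE_WP_CONFIG = """\
<?php
// constructed sample
ini_set('display_errors', 0);
@ini_set( 'display_errors', '1' );
"""
SAMPLE_HTACCESS = """\
# constructed sample
php_flag display_errors off
"""

if __name__ == "__main__":
    print(find_display_errors(SAMPLE_PHP_INI), find_display_errors(SAMPLE_WP_CONFIG))
```

Run it against the configuration files of a production site; an empty list means no line in that file enables display_errors.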