CINXE.COM

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head><script type="text/javascript" src="/_static/js/bundle-playback.js?v=HxkREWBo" charset="utf-8"></script> <script type="text/javascript" src="/_static/js/wombat.js?v=txqj7nKC" charset="utf-8"></script> <script>window.RufflePlayer=window.RufflePlayer||{};window.RufflePlayer.config={"autoplay":"on","unmuteOverlay":"hidden"};</script> <script type="text/javascript" src="/_static/js/ruffle/ruffle.js"></script> <script type="text/javascript"> __wm.init("https://web.archive.org/web"); __wm.wombat("http://codex.wordpress.org/Security_FAQ","20120514063423","https://web.archive.org/","web","/_static/", "1336977263"); </script> <link rel="stylesheet" type="text/css" href="/_static/css/banner-styles.css?v=S1zqJCYt" /> <link rel="stylesheet" type="text/css" href="/_static/css/iconochive.css?v=3PDvdIFv" />  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta http-equiv="Content-Style-Type" content="text/css"/> <meta name="generator" content="MediaWiki 1.15.5"/> <meta name="keywords" content="FAQ Security,Editing wp-config.php,FAQ,FAQ My site was hacked,Multilingual Codex,pt-br:FAQ Segurança"/> <link rel="canonical" href="/web/20120514063423/http://codex.wordpress.org/FAQ_Security"/> <link rel="shortcut icon" href="/web/20120514063423im_/http://codex.wordpress.org/favicon.ico"/> <link rel="search" type="application/opensearchdescription+xml" href="/web/20120514063423/http://codex.wordpress.org/opensearch_desc.php" title="Codex (en)"/> <link rel="alternate" type="application/rss+xml" title="Codex RSS feed" href="/web/20120514063423/http://codex.wordpress.org/index.php?title=Special:RecentChanges&feed=rss"/> <link rel="alternate" type="application/atom+xml" title="Codex Atom feed" href="/web/20120514063423/http://codex.wordpress.org/index.php?title=Special:RecentChanges&feed=atom"/> <title>FAQ Security « WordPress Codex</title> <style type="text/css"> @import url("https://web.archive.org/web/20120514063423cs_/http://s.wordpress.org/style/codex-wp4.css?3"); @import url("https://web.archive.org/web/20120514063423cs_/http://s.wordpress.org/style/wp4.css?10"); </style> <link media="only screen and (max-device-width: 480px)" href="https://web.archive.org/web/20120514063423cs_/http://wordpress.org/style/iphone.css" type="text/css" rel="stylesheet">  <link rel="shortcut icon" href="https://web.archive.org/web/20120514063423im_/http://s.wordpress.org/favicon.ico" type="image/x-icon"/> <script src="https://web.archive.org/web/20120514063423js_/http://www.google-analytics.com/urchin.js" type="text/javascript"></script> <script type="text/javascript"> _uacct = "UA-52447-1"; urchinTracker(); </script>  <script type="text/javascript" src="/web/20120514063423js_/http://codex.wordpress.org/index.php?title=-&action=raw&gen=js&useskin=codex"></script> <script type="text/javascript">wgBreakFrames=false;wgContentLanguage='en';</script> <script type="text/javascript" src="/web/20120514063423js_/http://codex.wordpress.org/skins/common/wikibits.js"></script> <script type="text/javascript" src="https://web.archive.org/web/20120514063423js_/http://s.wordpress.org/wp-includes/js/jquery/jquery.js"></script> </head> <body id="wordpress-org"> <div id="header"> <div class="wrapper"> <h1><a href="https://web.archive.org/web/20120514063423/http://wordpress.org/" title="WordPress">WordPress.org</a></h1> <form action="https://web.archive.org/web/20120514063423/http://wordpress.org/search/do-search.php" method="get" id="head-search"> <input class="text" name="search" type="text" value="Search WordPress.org" maxlength="150" onfocus="this.value=(this.value=='Search WordPress.org') ? '' : this.value;" onblur="this.value=(this.value=='') ? 'Search WordPress.org' : this.value;"/> <input type="submit" class="button" value="Go"/> </form> <ul> <li><a href="" title="Home is where the heart is." class="current">Home</a></li> <li><a href="https://web.archive.org/web/20120514063423/http://wordpress.org/showcase/" title="See some of the sites built on WordPress.">Showcase</a></li> <li><a href="https://web.archive.org/web/20120514063423/http://wordpress.org/extend/themes/" title="Find just the right look for your website.">Themes</a></li> <li><a href="https://web.archive.org/web/20120514063423/http://wordpress.org/extend/plugins/" title="Plugins can extend WordPress to do almost anything you can imagine.">Plugins</a></li> <li><a href="https://web.archive.org/web/20120514063423/http://wordpress.org/extend/mobile/" title="Take your website on the go!">Mobile</a></li> <li><a href="https://web.archive.org/web/20120514063423/http://wordpress.org/about/" title="About the WordPress Organization, and where we're going.">About</a></li> <li><a href="https://web.archive.org/web/20120514063423/http://codex.wordpress.org/Main_Page" title="Documentation, tutorials, best practices.">Docs</a></li> <li><a href="https://web.archive.org/web/20120514063423/http://wordpress.org/news/" title="Come here for the latest scoop.">Blog</a></li> <li><a href="https://web.archive.org/web/20120514063423/http://wordpress.org/support/" title="Support and discussion forums.">Forums</a></li> <li><a href="https://web.archive.org/web/20120514063423/http://wordpress.org/hosting/" title="Find a home for your blog.">Hosting</a></li> <li id="download"><a href="https://web.archive.org/web/20120514063423/http://wordpress.org/download/" title="Get it. Got it? Good.">Download</a></li> </ul> </div> </div> <div id="headline"> <div class="wrapper"> <h2>Codex</h2> <div class="portlet" id="p-personal"> <p class="login">Codex tools: <a href="/web/20120514063423/http://codex.wordpress.org/index.php?title=Special:UserLogin&returnto=FAQ_Security">Log in</a> </p> </div> </div> </div> <div id="pagebody"> <div class="wrapper"> <div class="col-10" id="bodyContent"> <h2 class="pagetitle">FAQ Security</h2>  <p class="LanguageLinks" style="border:1px solid #CCCCCC; line-height:1.5; text-align:left; color:#333333; font-size:90%; padding:10px;"><span style="white-space:nowrap;"><a href="/web/20120514063423/http://codex.wordpress.org/Multilingual_Codex" title="Multilingual Codex" class="mw-redirect">Languages</a>:</span> <strong class="selflink">English</strong> • <a href="https://web.archive.org/web/20120514063423/http://wpdocs.sourceforge.jp/FAQ/%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3" class="external text" title="http://wpdocs.sourceforge.jp/FAQ/%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3">日本語</a> • <a href="/web/20120514063423/http://codex.wordpress.org/pt-br:FAQ_Seguran%C3%A7a" title="pt-br:FAQ Segurança">Português do Brasil</a> • <small>(<a href="/web/20120514063423/http://codex.wordpress.org/Multilingual_Codex#Language_Cross_Reference" title="Multilingual Codex" class="mw-redirect">Add your language</a>)</small> </p> <p><a href="/web/20120514063423/http://codex.wordpress.org/FAQ" title="FAQ">Back to FAQ</a> </p> <table id="toc" class="toc" summary="Contents"><tr><td><div id="toctitle"><h2>Contents</h2></div> <ul> <li class="toclevel-1"><a href="#What_is_a_.22security.22_issue.3F"><span class="tocnumber">1</span> <span class="toctext">What is a "security" issue?</span></a></li> <li class="toclevel-1"><a href="#Where_do_I_report_security_issues.3F"><span class="tocnumber">2</span> <span class="toctext">Where do I report security issues?</span></a></li> <li class="toclevel-1"><a href="#Where_do_I_report_copyright_infringements.2C_libel.2C_and_other_legal_issues.3F"><span class="tocnumber">3</span> <span class="toctext">Where do I report copyright infringements, libel, and other legal issues?</span></a></li> <li class="toclevel-1"><a href="#I.27ve_been_hacked._What_do_I_do_now.3F"><span class="tocnumber">4</span> <span class="toctext">I've been hacked. What do I do now?</span></a></li> <li class="toclevel-1"><a href="#Why_are_some_users_allowed_to_post_unfiltered_HTML.3F"><span class="tocnumber">5</span> <span class="toctext">Why are some users allowed to post unfiltered HTML?</span></a></li> <li class="toclevel-1"><a href="#Why_are_there_path_disclosures_when_directly_loading_certain_files.3F"><span class="tocnumber">6</span> <span class="toctext">Why are there path disclosures when directly loading certain files?</span></a></li> <li class="toclevel-1"><a href="#Why_did_I_get_this_.22Password_Reset.22_email.3F"><span class="tocnumber">7</span> <span class="toctext">Why did I get this "Password Reset" email?</span></a></li> </ul> </td></tr></table><script type="text/javascript"> if (window.showTocToggle) { var tocShowText = "show"; var tocHideText = "hide"; showTocToggle(); } </script> <p><br/> </p> <a name="What_is_a_.22security.22_issue.3F" id="What_is_a_.22security.22_issue.3F"></a><h3> <span class="mw-headline"> What is a "security" issue? </span></h3> <p>A security issue is a type of bug that can affect the security of WordPress installations. </p><p>Specifically, it is a report of a bug that you have found in the WordPress core code and that you have determined can be used to gain some level of access to a site running WordPress that you should not have. </p><p><b>Your blog being "hacked" is <i>not</i> a security issue.</b> The security issue will involve knowing how the attacker got in and hacked the blog. If you have details on the attack, then email us. If not, then the <a href="https://web.archive.org/web/20120514063423/http://wordpress.org/support/" class="external text" title="http://wordpress.org/support/">Support Forums</a> are a better place to report such an issue. </p><p>You forgetting your password or losing access to your site is <i>not</i> a security issue. If you lost access through a bug in the WordPress code, then that might be a security issue. </p><p>Generally, security issues are complex problems. If you are wanting to report a security issue, then that's great! You're in the right place. However, be sure that what you're reporting is <i>actually</i> a security issue. The experts that you are reporting it to are very busy, and don't usually respond to non-security issues. </p><p>In other words, the security mailing addresses are NOT for support. Don't send general problems to them. </p> <a name="Where_do_I_report_security_issues.3F" id="Where_do_I_report_security_issues.3F"></a><h3> <span class="mw-headline"> Where do I report security issues? </span></h3> <ul><li> If you are here to report any sort of security issue with a <a href="https://web.archive.org/web/20120514063423/http://en.support.wordpress.com/com-vs-org/" class="external text" title="http://en.support.wordpress.com/com-vs-org/">WordPress.com</a> blog, then please see the <a href="https://web.archive.org/web/20120514063423/http://automattic.com/security/" class="external text" title="http://automattic.com/security/">Automattic Security</a> page. </li></ul> <ul><li> If the issue you're trying to report is on WordPress.com and is not a "security" issue, then please use their <a href="https://web.archive.org/web/20120514063423/http://en.forums.wordpress.com/" class="external text" title="http://en.forums.wordpress.com/">support forums</a> instead. </li><li> If you're having an issue with your own self-hosted blog that is not a "security" issue, then please use the WordPress.org <a href="https://web.archive.org/web/20120514063423/http://wordpress.org/support/" class="external text" title="http://wordpress.org/support/">support forums</a>. </li></ul> <ul><li> For security issues with WordPress plugins, email the details to plugins [at] wordpress.org, including as much detail as possible. </li><li> For actual security issues with the self-hosted version of WordPress, then you should send an email with the details to security [at] wordpress.org. Include as much detail as you can. </li></ul> <p>In both cases, you should <em>not</em> publish the details. </p> <a name="Where_do_I_report_copyright_infringements.2C_libel.2C_and_other_legal_issues.3F" id="Where_do_I_report_copyright_infringements.2C_libel.2C_and_other_legal_issues.3F"></a><h3> <span class="mw-headline"> Where do I report copyright infringements, libel, and other legal issues? </span></h3> <p><a href="https://web.archive.org/web/20120514063423/http://wordpress.org/" class="external text" title="http://wordpress.org/">WordPress.org</a> does not host sites. <a href="https://web.archive.org/web/20120514063423/http://wordpress.org/" class="external text" title="http://wordpress.org/">WordPress.org</a> provides publishing software that anyone can download and use. The organization, <a href="https://web.archive.org/web/20120514063423/http://wordpress.org/" class="external text" title="http://wordpress.org/">WordPress.org</a>, has no control over who uses the software or how they use it. In other words, <a href="https://web.archive.org/web/20120514063423/http://wordpress.org/" class="external text" title="http://wordpress.org/">WordPress.org</a> does NOT have the power to take down comments, posts, sites, or anything else. </p><p>Instead of trying to contact WordPress, perform a <a href="https://web.archive.org/web/20120514063423/http://whois.domaintools.com/" class="external text" title="http://whois.domaintools.com/">whois lookup</a> to track down the operator or host of a particular site, then report the infringement to those organizations. </p><p>If you still can't determining the organization, these following articles by Plagiarism Today may help: </p> <ul><li> <a href="https://web.archive.org/web/20120514063423/http://www.plagiarismtoday.com/stopping-internet-plagiarism/3-finding-the-host/" class="external text" title="http://www.plagiarismtoday.com/stopping-internet-plagiarism/3-finding-the-host/">Finding the Host</a> </li><li> <a href="https://web.archive.org/web/20120514063423/http://www.plagiarismtoday.com/2009/07/16/6-steps-to-find-a-hosts-dmca-contact/" class="external text" title="http://www.plagiarismtoday.com/2009/07/16/6-steps-to-find-a-hosts-dmca-contact/">6 Steps to Find a Host’s DMCA Contact</a> </li></ul> <a name="I.27ve_been_hacked._What_do_I_do_now.3F" id="I.27ve_been_hacked._What_do_I_do_now.3F"></a><h3> <span class="mw-headline"> I've been hacked. What do I do now? </span></h3> <p>The <a href="https://web.archive.org/web/20120514063423/http://wordpress.org/extend/plugins/exploit-scanner/" class="external text" title="http://wordpress.org/extend/plugins/exploit-scanner/">Exploit Scanner</a> plugin can help detect damage so that it can be cleaned up. Other things you should do: </p> <ul><li> Change passwords for all users, especially Administrators and Editors. </li><li> If you upload files to your site via FTP, change your FTP password. </li><li> Re-install the latest version of WordPress. </li><li> Make sure all of your plugins and themes are up-to-date. </li><li> Update your <a href="/web/20120514063423/http://codex.wordpress.org/Editing_wp-config.php#Security_Keys" title="Editing wp-config.php">security keys</a>. </li><li> See <a href="/web/20120514063423/http://codex.wordpress.org/FAQ_My_site_was_hacked" title="FAQ My site was hacked">FAQ My Site Was Hacked</a>. </li></ul> <a name="Why_are_some_users_allowed_to_post_unfiltered_HTML.3F" id="Why_are_some_users_allowed_to_post_unfiltered_HTML.3F"></a><h3> <span class="mw-headline"> Why are some users allowed to post unfiltered HTML? </span></h3> <p>Users with Administrator or Editor [<a href="https://web.archive.org/web/20120514063423/http://codex.wordpress.org/Roles_and_Capabilities#Roles|roles" class="external autonumber" title="http://codex.wordpress.org/Roles_and_Capabilities#Roles|roles">[1]</a>] are allowed to publish unfiltered HTML in post titles, post content, and comments. WordPress is, after all, a publishing tool, and people need to be able to include whatever markup they need to communicate. Users with lesser privileges are not allowed to post unfiltered content. </p><p>If you are running security tests against WordPress, use a lesser privileged user so that all content is filtered. If you are concerned about an Administrator putting XSS into content and stealing cookies, note that all cookies are marked for HTTP only delivery and are divided into privileged cookies used for admin pages and unprivileged cookies used for public facing pages. Content is never displayed unfiltered in the admin. Regardless, an Administrator has wide-ranging super powers among which unfiltered HTML is a lesser one. </p><p>In WordPress multisite, only Super Admin can publish unfiltered HTML, as all other users are considered untrusted. </p><p>To disable unfiltered HTML for all users, including administrators, you can add <code>define( 'DISALLOW_UNFILTERED_HTML', true );</code> to wp-config.php. </p> <a name="Why_are_there_path_disclosures_when_directly_loading_certain_files.3F" id="Why_are_there_path_disclosures_when_directly_loading_certain_files.3F"></a><h3> <span class="mw-headline"> Why are there path disclosures when directly loading certain files? </span></h3> <p>This is considered a server configuration problem. Never enable display_errors on a production site. </p> <a name="Why_did_I_get_this_.22Password_Reset.22_email.3F" id="Why_did_I_get_this_.22Password_Reset.22_email.3F"></a><h3> <span class="mw-headline"> Why did I get this "Password Reset" email? </span></h3> <p>If you get an email saying "Someone has asked to reset the password for the following site and username" this means someone visited the password reset page on your blog. Anyone can visit this page since it must be open to all for it to be accessible to those who have lost their password. Your password can be reset only by those who can read your email. If your email account has not been compromised, you can ignore this email. </p><p><a href="/web/20120514063423/http://codex.wordpress.org/FAQ" title="FAQ">Back to FAQ</a> </p>  <div class="printfooter"> Retrieved from "<a href="https://web.archive.org/web/20120514063423/http://codex.wordpress.org/FAQ_Security">http://codex.wordpress.org/FAQ_Security</a>"</div> <div id="catlinks"><div id="catlinks" class="catlinks"><div id="mw-normal-catlinks"><a href="/web/20120514063423/http://codex.wordpress.org/Special:Categories" title="Special:Categories">Categories</a>: <span dir="ltr"><a href="/web/20120514063423/http://codex.wordpress.org/Category:Troubleshooting" title="Category:Troubleshooting">Troubleshooting</a></span> | <span dir="ltr"><a href="/web/20120514063423/http://codex.wordpress.org/Category:WordPress_Help" title="Category:WordPress Help">WordPress Help</a></span></div></div></div>  </div> <div class="col-2"> <ul class="submenu"> <li id="n-mainpage"><a href="/web/20120514063423/http://codex.wordpress.org/Main_Page">Home Page</a></li> <li><a href="/web/20120514063423/http://codex.wordpress.org/WordPress_Lessons">WordPress Lessons</a></li> <li><a href="/web/20120514063423/http://codex.wordpress.org/Getting_Started_with_WordPress">Getting Started</a></li> <li><a href="/web/20120514063423/http://codex.wordpress.org/Working_with_WordPress">Working with WordPress</a></li> <li><a href="/web/20120514063423/http://codex.wordpress.org/Blog_Design_and_Layout">Design and Layout</a></li> <li><a href="/web/20120514063423/http://codex.wordpress.org/Advanced_Topics">Advanced Topics</a></li> <li><a href="/web/20120514063423/http://codex.wordpress.org/Troubleshooting">Troubleshooting</a></li> <li><a href="/web/20120514063423/http://codex.wordpress.org/Developer_Documentation">Developer Docs</a></li> <li><a href="/web/20120514063423/http://codex.wordpress.org/About_WordPress">About WordPress</a></li> </ul> <h3>Codex Resources</h3> <ul class="submenu"> <li id="n-portal"><a href="/web/20120514063423/http://codex.wordpress.org/Codex:Community_Portal">Community portal</a></li> <li id="n-currentevents"><a href="/web/20120514063423/http://codex.wordpress.org/Current_events">Current events</a></li> <li id="n-recentchanges"><a href="/web/20120514063423/http://codex.wordpress.org/Special:RecentChanges">Recent changes</a></li> <li id="n-randompage"><a href="/web/20120514063423/http://codex.wordpress.org/Special:Random">Random page</a></li> <li id="n-help"><a href="/web/20120514063423/http://codex.wordpress.org/Help:Contents">Help</a></li> </ul> </div> </div> </div> <div id="footer"> <div class="wrapper"> <p> <a href="https://web.archive.org/web/20120514063423/http://wordpress.org/about/privacy/">Privacy</a> | <a href="https://web.archive.org/web/20120514063423/http://wordpress.org/about/license/">License / GPLv2</a>     See also: <a href="https://web.archive.org/web/20120514063423/http://wordpress.com/?ref=wporg-footer" title="Hassle-free WP hosting">WordPress.com</a> | <a href="https://web.archive.org/web/20120514063423/http://wordpress.tv/" title="Videos, tutorials, WordCamps">WordPress.TV</a> | <a href="https://web.archive.org/web/20120514063423/http://central.wordcamp.org/" title="Find a WordPress event near your home">WordCamp</a> | <a href="https://web.archive.org/web/20120514063423/http://jobs.wordpress.net/" title="Find or post WordPress jobs">WP Jobs</a> | <a href="https://web.archive.org/web/20120514063423/http://ma.tt/" title="Co-founder of WordPress, an example of what WordPress can do">Matt</a> | <a href="https://web.archive.org/web/20120514063423/http://wordpress.org/news/feed/" class="rsslink">Blog RSS</a> </p> <br/> <iframe src="https://web.archive.org/web/20120514063423if_/http://www.facebook.com/plugins/like.php?app_id=121415197926116&href=http%3A%2F%2Fwww.facebook.com%2Fwordpress&send=false&layout=button_count&width=150&show_faces=false&action=like&colorscheme=light&font=lucida+grande&height=21" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:150px; height:21px;" allowtransparency="true"></iframe> <div class="g-plusone" data-size="medium" data-href="https://plus.google.com/107188080561309681193"></div> <iframe allowtransparency="true" frameborder="0" scrolling="no" src="https://web.archive.org/web/20120514063423if_/http://platform.twitter.com/widgets/follow_button.html?screen_name=WordPress&show_count=false" style="width:150px; height:20px;"></iframe> <h6>Code is Poetry</h6> </div> </div> <script type="text/javascript">_qoptions={qacct:"p-18-mFEk4J448M"};</script> <script type="text/javascript" src="https://web.archive.org/web/20120514063423js_/http://edge.quantserve.com/quant.js"></script> <noscript><img src="https://web.archive.org/web/20120514063423im_/http://pixel.quantserve.com/pixel/p-18-mFEk4J448M.gif" style="display: none;" border="0" height="1" width="1" alt=""/></noscript>  <script type="text/javascript" src="https://web.archive.org/web/20120514063423js_/http://s.gravatar.com/js/gprofiles.js"></script> <script type="text/javascript"> (function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true; po.src = 'https://web.archive.org/web/20120514063423/https://apis.google.com/js/plusone.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })(); </script> <script type="text/javascript"> (function($){ $(document).ready(function() { $('#footer a').click(function() { if (this.href.indexOf('wordpress.org') == -1 && this.href.indexOf('http') == 0) { recordOutboundLink(this, 'Outbound Links', this.href); return false; } }); }); })(jQuery); </script> </body> </html> </body> </html>