Changeset 7350 for sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-main/page-about-security.php
- Timestamp:
- 06/29/2018 08:57:02 PM (6 years ago)
- File:
-
- 1 edited
sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-main/page-about-security.php
r7279 r7350 23 23 } ); 24 24 25 / / See inc/page-meta-descriptions.php for the meta description for this page.25 /* See inc/page-meta-descriptions.php for the meta description for this page. */ 26 26 27 27 /* … … 43 43 <div class="entry-content row"> 44 44 <section class="col-8"> 45 <p><?php 45 <p> 46 <?php 46 47 printf( 47 48 /* translators: %s: URL to English PDF */ … … 49 50 'https://github.com/WordPress/Security-White-Paper/blob/master/WordPressSecurityWhitePaper.pdf?raw=true' 50 51 ); 51 ?></p> 52 ?> 53 </p> 52 54 53 55 <img src="//s.w.org/about/images/logos/wordpress-logo-stacked-rgb.png" class="aligncenter" /> … … 59 61 <p><?php esc_html_e( 'The information in this document is up-to-date for the latest stable release of the software, WordPress 4.7 at time of publication, but should be considered relevant also to the most recent versions of the software as backwards compatibility is a strong focus for the WordPress development team. Specific security measures and changes will be noted as they have been added to the core software in specific releases. It is strongly encouraged to always be running the latest stable version of WordPress to ensure the most secure experience possible.', 'wporg' ); ?></p> 60 62 <h2><?php esc_html_e( 'Executive Summary', 'wporg' ); ?></h2> 61 <p><?php 63 <p> 64 <?php 62 65 printf( 63 66 /* translators: %s: WordPress Market share - 30. Note the following % sign is escaped as %%. */ 64 67 esc_html__( 'WordPress is a dynamic open-source content management system which is used to power millions of websites, web applications, and blogs. It currently powers more than %s%% of the top 10 million websites on the Internet. 
WordPress’ usability, extensibility, and mature development community make it a popular and secure choice for websites of all sizes.', 'wporg' ), 65 WP_MARKET_SHARE 66 ); 67 ?></p> 68 esc_html( WP_MARKET_SHARE ) 69 ); 70 ?> 71 </p> 68 72 69 73 <p><?php esc_html_e( 'Since its inception in 2003, WordPress has undergone continual hardening so its core software can address and mitigate common security threats, including the Top 10 list identified by The Open Web Application Security Project (OWASP) as common security vulnerabilities, which are discussed in this document.', 'wporg' ); ?></p> … … 73 77 <p><?php esc_html_e( 'Site developers and administrators should pay particular attention to the correct use of core APIs and underlying server configuration which have been the source of common vulnerabilities, as well as ensuring all users employ strong passwords to access WordPress.', 'wporg' ); ?></p> 74 78 <h2><?php esc_html_e( 'An Overview of WordPress', 'wporg' ); ?></h2> 75 <p><?php 79 <p> 80 <?php 76 81 printf( 77 82 /* translators: 1: WordPress Market share - 30. Note the following % sign is escaped as %%. 2: Footnote 3: Market Penetration - 60. Note the following % sign is escaped as %%. */ 78 esc_html__( 'WordPress is a free and open source content management system (CMS). It is the most widely-used CMS software in the world and it powers more than %1$s%% of the top 10 million websites%2$s, giving it an estimated %3$s%% market share of all sites 79 using a CMS.', 'wporg' ), 80 WP_MARKET_SHARE, 83 esc_html__( 'WordPress is a free and open source content management system (CMS). 
It is the most widely-used CMS software in the world and it powers more than %1$s%% of the top 10 million websites%2$s, giving it an estimated %3$s%% market share of all sites using a CMS.', 'wporg' ), 84 esc_html( WP_MARKET_SHARE ), 81 85 '<sup id="ref1"><a href="#footnote1">1</a></a></sup>', 82 86 60 83 87 ); 84 ?></p> 88 ?> 89 </p> 85 90 86 91 <p><?php esc_html_e( 'WordPress is licensed under the General Public License (GPLv2 or later) which provides four core freedoms, and can be considered as the WordPress “bill of rights”:', 'wporg' ); ?></p> … … 102 107 <p><?php esc_html_e( 'Each WordPress release cycle is led by one or more of the core WordPress developers. A release cycle usually lasts around 4 months from the initial scoping meeting to launch of the version.', 'wporg' ); ?></p> 103 108 104 <p><?php 109 <p> 110 <?php 105 111 printf( 106 112 /* translators: %s: Footnote*/ … … 108 114 '<sup id="ref2"><a href="#footnote2">2</a></sup>' 109 115 ); 110 ?></p> 116 ?> 117 </p> 111 118 <ul> 112 119 <li><?php esc_html_e( 'Phase 1: Planning and securing team leads. This is done in the #core chat room on Slack. The release lead discusses features for the next release of WordPress. WordPress contributors get involved with that discussion. The release lead will identify team leads for each of the features.', 'wporg' ); ?></li> … … 121 128 <p><?php esc_html_e( 'Major releases may add new user features and developer APIs. Though typically in the software world, a “major” version means you can break backwards compatibility, WordPress strives to never break backwards compatibility. 
Backwards compatibility is one of the project’s most important philosophies, with the aim of making updates much easier on users and developers alike.', 'wporg' ); ?></p> 122 129 123 <p><?php 130 <p> 131 <?php 124 132 printf( 125 133 /* translators: %s: Footnote */ … … 127 135 '<sup id="ref3"><a href="#footnote3">3</a></sup>' 128 136 ); 129 ?></p> 137 ?> 138 </p> 130 139 131 140 <h3><?php esc_html_e( 'Version Backwards Compatibility', 'wporg' ); ?></h3> … … 133 142 <h2><?php esc_html_e( 'WordPress and Security', 'wporg' ); ?></h2> 134 143 <h3><?php esc_html_e( 'The WordPress Security Team', 'wporg' ); ?></h3> 135 <p><?php 144 <p> 145 <?php 136 146 printf( 137 147 /* translators: 1: Number - 50; 2: Footnote*/ … … 140 150 '<sup><a href="#footnote3">3</a></sup>' 141 151 ); 142 ?></p> 143 144 <p><?php 152 ?> 153 </p> 154 155 <p> 156 <?php 145 157 printf( 146 158 /* translators: %s: Footnote */ … … 148 160 '<sup id="ref4"><a href="#footnote4">4</a></sup>' 149 161 ); 150 ?></p> 162 ?> 163 </p> 151 164 <h3><?php esc_html_e( 'WordPress Security Risks, Process, and History', 'wporg' ); ?></h3> 152 <p><?php 165 <p> 166 <?php 153 167 printf( 154 168 /* translators: 1: HackerOne URL 2: Footnote */ … … 157 171 '<sup id="ref5"><a href="#footnote5">5</a></sup>' 158 172 ); 159 ?></p> 173 ?> 174 </p> 160 175 161 176 <p><?php esc_html_e( 'Each security report is acknowledged upon receipt, and the team works to verify the vulnerability and determine its severity. 
If confirmed, the security team then plans for a patch to fix the problem which can be committed to an upcoming release of the WordPress software or it can be pushed as an immediate security release, depending on the severity of the issue.', 'wporg' ); ?></p> 162 177 163 <p><?php 178 <p> 179 <?php 164 180 printf( 165 181 /* translators: %s: Footnote */ … … 167 183 '<sup id="ref6"><a href="#footnote6">6</a></sup>' 168 184 ); 169 ?></p> 185 ?> 186 </p> 170 187 171 188 <p><?php esc_html_e( 'Administrators of the WordPress software see a notification on their site dashboard to upgrade when a new release is available, and following the manual upgrade users are redirected to the About WordPress screen which details the changes. If administrators have automatic background updates enabled, they will receive an email after an upgrade has been completed.', 'wporg' ); ?></p> 172 189 173 190 <h3><?php esc_html_e( 'Automatic Background Updates for Security Releases', 'wporg' ); ?></h3> 174 <p><?php 191 <p> 192 <?php 175 193 printf( 176 194 /* translators: %s: Footnote */ … … 178 196 '<sup id="ref7"><a href="#footnote7">7</a></sup>' 179 197 ); 180 ?></p> 198 ?> 199 </p> 181 200 182 201 <p><?php esc_html_e( 'When a security update is pushed for the current stable release of WordPress, the core team will also push security updates for all the releases that are capable of background updates (since WordPress 3.7), so these older but still recent versions of WordPress will receive security enhancements.', 'wporg' ); ?></p> … … 184 203 <p><?php esc_html_e( 'Individual site owners can opt to remove automatic background updates through a simple change in their configuration file, but keeping the functionality is strongly recommended by the core team, as well as running the latest stable release of WordPress.', 'wporg' ); ?></p> 185 204 <h3><?php esc_html_e( '2013 OWASP Top 10', 'wporg' ); ?></h3> 186 <p><?php 205 <p> 206 <?php 187 207 printf( 188 208 /* translators: %s: Footnote */ … … 
190 210 '<sup id="ref8"><a href="#footnote8">8</a></sup>' 191 211 ); 192 ?></p> 212 ?> 213 </p> 193 214 194 215 <p><?php esc_html_e( 'The following sections discuss the APIs, resources, and policies that WordPress uses to strengthen the core software and 3rd party plugins and themes against these potential risks.', 'wporg' ); ?></p> 195 216 <h4><?php esc_html_e( 'A1 - Injection', 'wporg' ); ?></h4> 196 <p><?php 217 <p> 218 <?php 197 219 printf( 198 220 /* translators: %s: Footnote */ … … 200 222 '<sup id="ref9"><a href="#footnote9">9</a></sup>' 201 223 ); 202 ?></p> 224 ?> 225 </p> 203 226 <h4><?php esc_html_e( 'A2 - Broken Authentication and Session Management', 'wporg' ); ?></h4> 204 227 <p><?php esc_html_e( 'WordPress core software manages user accounts and authentication and details such as the user ID, name, and password are managed on the server-side, as well as the authentication cookies. Passwords are protected in the database using standard salting and stretching techniques. Existing sessions are destroyed upon logout for versions of WordPress after 4.0.', 'wporg' ); ?></p> 205 228 <h4><?php esc_html_e( 'A3 - Cross Site Scripting (XSS)', 'wporg' ); ?></h4> 206 <p><?php 229 <p> 230 <?php 207 231 printf( 208 232 /* translators: 1: Footnote, 2: wp_kses() */ … … 211 235 '<code>wp_kses</code>' 212 236 ); 213 ?></p> 214 215 <p><?php 237 ?> 238 </p> 239 240 <p> 241 <?php 216 242 printf( 217 243 /* translators: %s: the_search_query() */ … … 219 245 '<code>the_search_query()</code>' 220 246 ); 221 ?></p> 247 ?> 248 </p> 222 249 <h4><?php esc_html_e( 'A4 - Insecure Direct Object Reference', 'wporg' ); ?></h4> 223 250 <p><?php esc_html_e( 'WordPress often provides direct object reference, such as unique numeric identifiers of user accounts or content available in the URL or form fields. 
While these identifiers disclose direct system information, WordPress’ rich permissions and access control system prevent unauthorized requests.', 'wporg' ); ?></p> 224 251 <h4><?php esc_html_e( 'A5 - Security Misconfiguration', 'wporg' ); ?></h4> 225 <p><?php 252 <p> 253 <?php 226 254 printf( 227 255 /* translators: %s: Footnote */ … … 229 257 '<sup id="ref11"><a href="#footnote11">11</a></sup>' 230 258 ); 231 ?></p> 259 ?> 260 </p> 232 261 <h4><?php esc_html_e( 'A6 - Sensitive Data Exposure', 'wporg' ); ?></h4> 233 <p><?php 262 <p> 263 <?php 234 264 printf( 235 265 /* translators: %s: Footnote */ … … 237 267 '<sup id="ref12"><a href="#footnote12">12</a></sup>' 238 268 ); 239 ?></p> 269 ?> 270 </p> 240 271 241 272 <h4><?php esc_html_e( 'A7 - Missing Function Level Access Control', 'wporg' ); ?></h4> … … 243 274 244 275 <h4><?php esc_html_e( 'A8 - Cross Site Request Forgery (CSRF)', 'wporg' ); ?></h4> 245 <p><?php 276 <p> 277 <?php 246 278 printf( 247 279 /* translators: %s: Footnote */ … … 249 281 '<sup id="ref13"><a href="#footnote13">13</a></sup>' 250 282 ); 251 ?></p> 283 ?> 284 </p> 252 285 253 286 <h4><?php esc_html_e( 'A9 - Using Components with Known Vulnerabilities', 'wporg' ); ?></h4> 254 <p><?php 287 <p> 288 <?php 255 289 printf( 256 290 /* translators: %s: Footnote */ … … 258 292 '<sup id="ref14"><a href="#footnote14">14</a></sup>' 259 293 ); 260 ?></p> 261 262 <p><?php 294 ?> 295 </p> 296 297 <p> 298 <?php 263 299 printf( 264 300 /* translators: %s: Footnote */ … … 266 302 '<sup id="ref15"><a href="#footnote15">15</a></sup>' 267 303 ); 268 ?></p> 304 ?> 305 </p> 269 306 270 307 <h4><?php esc_html_e( 'A10 - Unvalidated Redirects and Forwards', 'wporg' ); ?></h4> 271 <p><?php 308 <p> 309 <?php 272 310 printf( 273 311 /* translators: %s: Footnote */ … … 275 313 '<sup id="ref16"><a href="#footnote16">16</a></sup>' 276 314 ); 277 ?></p> 315 ?> 316 </p> 278 317 <h3><?php esc_html_e( 'Further Security Risks and Concerns', 'wporg' ); ?></h3> 279 318 <h4><?php 
esc_html_e( 'XXE (XML eXternal Entity) processing attacks', 'wporg' ); ?></h4> … … 283 322 <h2><?php esc_html_e( 'WordPress Plugin and Theme Security', 'wporg' ); ?></h2> 284 323 <h3><?php esc_html_e( 'The Default Theme', 'wporg' ); ?></h3> 285 <p><?php 324 <p> 325 <?php 286 326 printf( 287 327 /* translators: %s: The latest Core Theme release - Currently Twenty Seventeen */ 288 328 esc_html__( 'WordPress requires a theme to be enabled to render content visible on the frontend. The default theme which ships with core WordPress (currently "%s") has been vigorously reviewed and tested for security reasons by both the team of theme developers plus the core development team.', 'wporg' ), 289 wp_get_theme( 'core/' . WP_CORE_DEFAULT_THEME )->display( 'Name' ) 290 ); 291 ?></p> 329 esc_html( wp_get_theme( 'core/' . WP_CORE_DEFAULT_THEME )->display( 'Name' ) ) 330 ); 331 ?> 332 </p> 292 333 293 334 <p><?php esc_html_e( 'The default theme can serve as a starting point for custom theme development, and site developers can create a child theme which includes some customization but falls back on the default theme for most functionality and security. The default theme can be easily removed by an administrator if not needed.', 'wporg' ); ?></p> … … 295 336 <h3><?php esc_html_e( 'WordPress.org Theme and Plugin Repositories', 'wporg' ); ?></h3> 296 337 297 <p><?php 338 <p> 339 <?php 298 340 printf( 299 341 /* translators: 1: Number of plugins - 50,000; 2: Number of themes - 5,000 */ 300 esc_html__( 'There are approximately %1$s+ plugins and %2$s+ themes listed on the WordPress.org site. These themes and plugins are submitted for inclusion and are manually reviewed by volunteers before making them available on the repository.', 'wporg' 301 ), 302 number_format_i18n( 50000 ), 303 number_format_i18n( 5000 ) 304 ); 305 ?></p> 306 307 <p><?php 342 esc_html__( 343 'There are approximately %1$s+ plugins and %2$s+ themes listed on the WordPress.org site. 
These themes and plugins are submitted for inclusion and are manually reviewed by volunteers before making them available on the repository.', 'wporg' 344 ), 345 esc_html( number_format_i18n( 50000 ) ), 346 esc_html( number_format_i18n( 5000 ) ) 347 ); 348 ?> 349 </p> 350 351 <p> 352 <?php 308 353 printf( 309 354 /* translators: 1: Footnote; 2: Footnote */ … … 312 357 '<sup id="ref18"><a href="#footnote18">18</a></sup>' 313 358 ); 314 ?></p> 359 ?> 360 </p> 315 361 316 362 <p><?php esc_html_e( 'Each plugin and theme has the ability to be continually developed by the plugin or theme owner, and any subsequent fixes or feature development can be uploaded to the repository and made available to users with that plugin or theme installed with a description of that change. Site administrators are notified of plugins which need to be updated via their administration dashboard.', 'wporg' ); ?></p> … … 318 364 <p><?php esc_html_e( 'When a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin. If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.', 'wporg' ); ?></p> 319 365 <h3><?php esc_html_e( 'The Theme Review Team', 'wporg' ); ?></h3> 320 <p><?php 366 <p> 367 <?php 321 368 printf( 322 369 /* translators: 1: Footnote; 2: Footnote; 3: Footnote */ … … 326 373 '<sup id="ref21"><a href="#footnote21">21</a></sup>' 327 374 ); 328 ?></p> 375 ?> 376 </p> 329 377 <h2><?php esc_html_e( 'The Role of the Hosting Provider in WordPress Security', 'wporg' ); ?></h2> 330 378 <p><?php esc_html_e( 'WordPress can be installed on a multitude of platforms. 
Though WordPress core software provides many provisions for operating a secure web application, which were covered in this document, the configuration of the operating system and the underlying web server hosting the software is equally important to keep the WordPress applications secure.', 'wporg' ); ?></p> 331 379 <h3><?php esc_html_e( 'A Note about WordPress.com and WordPress security', 'wporg' ); ?></h3> 332 <p><?php 380 <p> 381 <?php 333 382 printf( 334 383 /* translators: %s: Footnote */ … … 336 385 '<sup id="ref22"><a href="#footnote22">22</a></sup>' 337 386 ); 338 ?></p> 387 ?> 388 </p> 339 389 <h2><?php esc_html_e( 'Appendix', 'wporg' ); ?></h2> 340 390 <h3><?php esc_html_e( 'Core WordPress APIs', 'wporg' ); ?></h3> 341 <p><?php 391 <p> 392 <?php 342 393 printf( 343 394 /* translators: %s: Footnote */ … … 345 396 '<sup id="ref23"><a href="#footnote23">23</a></sup>' 346 397 ); 347 ?></p> 398 ?> 399 </p> 348 400 349 401 <p><?php esc_html_e( 'While each WordPress API provides best practices and standardized ways to interact with and extend WordPress core software, the following WordPress APIs are the most pertinent to enforcing and hardening WordPress security:', 'wporg' ); ?></p> … … 351 403 <h3><?php esc_html_e( 'Database API', 'wporg' ); ?></h3> 352 404 353 <p><?php 405 <p> 406 <?php 354 407 printf( 355 408 /* translators: %s: Footnote */ … … 357 410 '<sup id="ref24"><a href="#footnote24">24</a></sup>' 358 411 ); 359 ?></p> 412 ?> 413 </p> 360 414 361 415 <h3><?php esc_html_e( 'Filesystem API', 'wporg' ); ?></h3> 362 416 363 <p><?php 417 <p> 418 <?php 364 419 printf( 365 420 /* translators: 1: Footnote; 2: Footnote */ … … 368 423 '<sup id="ref26"><a href="#footnote26">26</a></sup>' 369 424 ); 370 ?></p> 425 ?> 426 </p> 371 427 372 428 <p><?php echo wp_kses_post( __( 'It does this through the <code>WP_Filesystem_Base</code> class, and several subclasses which implement different ways of connecting to the local filesystem, depending on individual host 
support. Any theme or plugin that needs to write files locally should do so using the WP_Filesystem family of classes.', 'wporg' ) ); ?></p> … … 374 430 <h3><?php esc_html_e( 'HTTP API', 'wporg' ); ?></h3> 375 431 376 <p><?php 432 <p> 433 <?php 377 434 printf( 378 435 /* translators: 1: Footnote; 2: Footnote */ … … 381 438 '<sup id="ref28"><a href="#footnote28">28</a></sup>' 382 439 ); 383 ?></p> 440 ?> 441 </p> 384 442 385 443 <h3><?php esc_html_e( 'Permissions and current user API', 'wporg' ); ?></h3> 386 444 387 <p><?php 445 <p> 446 <?php 388 447 printf( 389 448 /* translators: %s: Footnote */ … … 391 450 '<sup id="ref29"><a href="#footnote29">29</a></sup>' 392 451 ); 393 ?></p> 452 ?> 453 </p> 394 454 <h3><?php esc_html_e( 'White paper content License', 'wporg' ); ?></h3> 395 <p><?php 455 <p> 456 <?php 396 457 printf( 397 458 /* translators: 1: Link to WordPress Foundation Trademark Polocy (English); 2: Link to Creative Commons CC0 license (English) */ … … 400 461 'https://creativecommons.org/publicdomain/zero/1.0/' 401 462 ); 402 ?></p> 403 404 <p><?php 463 ?> 464 </p> 465 466 <p> 467 <?php 405 468 printf( 406 469 /* translators: %s: Link to the Drupal Security Whitepaper (english). */ … … 408 471 'http://drupalsecurityreport.org/' 409 472 ); 410 ?></p> 473 ?> 474 </p> 411 475 <h3><?php esc_html_e( 'Additional Reading', 'wporg' ); ?></h3> 412 476 <ul> 413 <li><?php 477 <li> 478 <?php 414 479 printf( 415 480 /* translators: %s: Link to News Blog including the <a> tags. */ … … 417 482 '<a href="https://wordpress.org/news/">https://wordpress.org/news/</a>' 418 483 ); 419 ?></li> 420 <li><?php 484 ?> 485 </li> 486 <li> 487 <?php 421 488 printf( 422 489 /* translators: %s: Link to News Blog Security Release Archive including the <a> tags. 
*/ … … 424 491 '<a href="https://wordpress.org/news/category/security/">https://wordpress.org/news/category/security/</a>' 425 492 ); 426 ?></li> 427 <li><?php 493 ?> 494 </li> 495 <li> 496 <?php 428 497 printf( 429 498 /* translators: %s: Link to Developer.WordPress.org including the <a> tags. */ … … 431 500 '<a href="https://developer.wordpress.org/">https://developer.wordpress.org/</a>' 432 501 ); 433 ?></li> 502 ?> 503 </li> 434 504 </ul> 435 505
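Review bot: The footnote markup passed as the second printf argument in the "An Overview of WordPress" paragraph carries a stray closing tag, `'<sup id="ref1"><a href="#footnote1">1</a></a></sup>'`, which the commit leaves in place while escaping the neighbouring arguments; it should be `'<sup id="ref1"><a href="#footnote1">1</a></sup>'` to match every other footnote on the page. Wrapping `esc_html()` around `wp_get_theme( ... )->display( 'Name' )` in "The Default Theme" paragraph is, as far as I can tell, a double escape, since `display()` already returns the header through the theme's own sanitization with a small inline-tag allow-list, so an allowed `<em>` in a theme name would now render as literal angle brackets — worth confirming against `WP_Theme::display()`, and using the raw header value if that is the case. The unescaped `60` passed as `%3$s` is a literal and fine, but it reads inconsistently next to `esc_html( WP_MARKET_SHARE )`; either wrap it the same way or pull both shares into named constants. Minor: the translators comment for the licence paragraph still says "Trademark Polocy".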