Almost 600 unique WordPress security vulnerabilities were disclosed by the end of 2020. These security vulnerabilities were mainly found by developers, WordPress security companies, or independent WordPress security researchers.

The vast majority of the security issues that happened and the security vulnerabilities found rather affected the third-party plugins or themes than the WP core. To be precise, only 22 of those security vulnerabilities actually put at risk WordPress security by impacting the WordPress core. 

A standard procedure in cases like this – in case of a security problem or vulnerabilities found in a theme, plugin, or within the WordPress core is to notify the vendor privately. So the WordPress security problem can be dealt with accordingly and adequately to the situation, a damage control protocol needs to be prepared to minimize the damage as much as possible. 

What Is a Security Issue? 

A security vulnerability is a type of bug that can affect any WordPress website installation. Usually, a WordPress security bug occurs just before or after your website’s security has been jeopardized. 

An essential aspect of WordPress Security is the maintenance of the website. Usually, that’s been done with various security plugins and with an SSL certificate. The end purpose of web-hacking is for hackers to obtain unauthorized access to your website on the admin level with the highest possible privileges. 

It’s very important to note that a website being hacked isn’t a security issue, and yet how the hacker got through your WordPress security and how the site got hacked can be considered a security issue. 

Unauthorized access gained from both the front-end and the server-side are considered equally important and a severe web security issue that needs to be resolved as soon as possible. 

Why Are Disclosures of Usernames or User IDs Not a Security Issue? 

Usernames, as well as user IDs, are not considered to be private information by the WordPress project itself. By that, the public nature of usernames doesn’t allow disclosure of usernames to be treated as a security issue. 

Moreover, the usernames are imagined to be part of your online identity as a method of identification. Therefore, the verification process is done by a password, and the disclosure of passwords is a matter of security. 

Moreover, the user itself doesn’t think about the username as something confidential but often speaks about usernames very openly, and many users share them. WordPress has moved from allowing the users to log in only with a username to letting the users choose whether to log in with the username or the email address the account was created with. 

Also, please remember that you forget your passwords or usernames, and due to that, you lose access to your website is not considered a matter of WordPress security, nor is it a security issue. Now, if you happen to lose access due to a bug in the WP code, that can be considered a security issue and be reported as such.

Moreover, as an easier way to protect the website from hacking made through a user account, WordPress has made it its goal to educate the users about the importance of a strong password and actually to encourage the users to put strong passwords into use. 

Where Are Security Issues Reported?

Any security issues with a WordPress-hosted website, as well as with a self-hosted version of WordPress, are usually reported by submitting a report at the Automattic HackerOne page. In any other cases, particularly if you’re reporting other issues with your website, it’s recommended to use WordPress Support. This way, everybody’s time and resources will be maximally used, and the issue will be resolved in the shortest period. 


It’s essential to note that the security reporting system is not the same as the WordPress support. So that’s why it would be for the best if you’d not send there problems concerning the general matters. 

Moreover, the best way of keeping your website safe and sound is to hire WordPress developer to take care of every gap that can be the next possible target of hackers. 

Keep in mind that the professionals working in that center are dealing with severe and complex issues, and that’s why they usually don’t even bother to respond to non-security-related issues. You’ll save everyone precious time and resources, including yourself if you actually report something that’s truly a security issue.