Title: July 2026 – Making WordPress Secure

---

#  Monthly Archives: July 2026

 [  ](https://profiles.wordpress.org/johnbillion/) [John Blackbourn](https://profiles.wordpress.org/johnbillion/)
9:28 pm _on_ July 13, 2026      

# 󠀁[Hardening GitHub Actions workflows across the WordPress organisation](https://make.wordpress.org/security/2026/07/13/hardening-github-actions-workflows-across-the-wordpress-organisation/)󠁿

In recent months several supply chain attacks have successfully exploited weaknesses
in GitHubGitHub GitHub is a website that offers online implementation of git repositories
that can easily be shared, copied and modified by other developers. Public repositories
are free to host, private repositories require a paid subscription. GitHub introduced
the concept of the ‘pull request’ where code changes done in branches by contributors
can be reviewed and discussed before being merged by the repository owner. [https://github.com/](https://github.com/)
Actions workflow files and in published actions across many organisations and repos
on GitHub. The effects of these attacks can be considerable due to the highly privileged
environment in which workflows run. They can lead to malicious releases being published,
backdoors being inserted into packages, and secrets, such as APIAPI An API or Application
Programming Interface is a software intermediary that allows programs to interact
with each other and share data in limited, clearly defined ways. keys, being exfiltrated.
Notable instances include [TanStack](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem),
[actions-cool](https://www.stepsecurity.io/blog/actions-cool-issues-helper-github-action-compromised-all-tags-point-to-imposter-commit-that-exfiltrates-ci-cd-credentials),
[BitWarden](https://www.endorlabs.com/learn/shai-hulud-the-third-coming----inside-the-bitwarden-cli-2026-4-0-supply-chain-attack),
and [an attack that affected Microsoft, DataDog, and CNCF](https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation).
The [tj-actions](https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066)
organisation was attacked in a similar manner last year.

In many instances, these attacks exploit misconfigured workflows that unnecessarily
grant higher than necessary permissions, use the `pull_request_target` trigger in
an unsafe manner, or don’t make use of dependency pinning.

The WordPress project isn’t immune to these attacks, but fortunately it’s so far
not directly been affected due to several rounds of hardening applied to workflow
files over the last 18 months. This work remains ongoing.

## What’s already been done

 * January 2025: Workflow files in the `wordpress-develop` repository were significantly
   hardened to remove unsafe expressions, tighten permissions directives, and reduce
   unnecessary credential persistence, among other changes. The [Actionlint](https://github.com/rhysd/actionlint/)
   workflow file linter was also introduced. See [wordpress-develop#8007](https://github.com/WordPress/wordpress-develop/pull/8007).
 * April 2025: Workflow files in the `gutenberg` repo were hardened in a similar
   manner, and Actionlint was introduced into that repo too. See [gutenberg#69126](https://github.com/WordPress/gutenberg/pull/69126).
 * June 2025: [Twenty unmaintained repos in the WordPress org were archived](https://make.wordpress.org/project/2025/06/25/a-little-late-spring-cleaning/).
   Among other benefits, this ceases their Actions workflows.
 * April 2026: The [Zizmor](https://github.com/zizmorcore/zizmor) static analysis
   tool was introduced into the `wordpress-develop` repo. See [wordpress-develop#9767](https://github.com/WordPress/wordpress-develop/pull/9767).
 * April 2026: [The GitHub Actions Workflow Standards handbook page](https://developer.wordpress.org/coding-standards/wordpress-coding-standards/github-actions/)
   was introduced, covering what’s expected of workflow files and detailing common
   issues flagged by Actionlint and Zizmor.
 * May 2026: Workflow files were hardened in several repos, primarily to minimally-
   scope their permissions. See [performance#2471](https://github.com/WordPress/performance/pull/2471),
   [wordpress-playground#3628](https://github.com/WordPress/wordpress-playground/pull/3628),
   [two-factor#892](https://github.com/WordPress/two-factor/pull/892), [mcp-adapter#179](https://github.com/WordPress/mcp-adapter/pull/179),
   [sqlite-database-integration#404](https://github.com/WordPress/sqlite-database-integration/pull/404),
   [php-ai-client#235](https://github.com/WordPress/php-ai-client/pull/235), [Learn#3444](https://github.com/WordPress/Learn/pull/3444),
   and [wporg-main-2022#686](https://github.com/WordPress/wporg-main-2022/pull/686).
 * May 2026: A reusable workflow that’s used by dozens of repos across the WP-CLIWP-
   CLI WP-CLI is the Command Line Interface for WordPress, used to do administrative
   and development tasks in a programmatic way. The project page is [http://wp-cli.org/](http://wp-cli.org/)
   [https://make.wordpress.org/cli/](https://make.wordpress.org/cli/) organisation
   was hardened to remove unsafe behaviour. See [wp-cli@bd7290a](https://github.com/wp-cli/.github/commit/bd7290a8a5195dbb0577beb9443ab29d3ee91177).
 * May 2026: Further hardening of workflows in `wordpress-develop` that use the 
   potentially risky `pull_request_target` trigger. See [wordpress-develop#11808](https://github.com/WordPress/wordpress-develop/pull/11808).
 * May 2026: Supply chain and CI/CD workflows were specifically documented as a 
   valid target in [the HackerOne bug bounty program policy](https://hackerone.com/wordpress).
 * July 2026: Zizmor has been introduced into the `gutenberg` repo. See [gutenberg#71523](https://github.com/WordPress/gutenberg/pull/71523).

Several of these changes tightened the permissions directives. Ensuring each workflow
runs with the lowest permissions required for each job reduces the risk of an attacker
being able to exploit an exposed token or otherwise elevate their permission beyond
what is minimally necessary.

## What’s being worked on

While great progress has been made to date, there’s still a large amount of work
remaining. The current long-term plan is for workflow file scanning with Actionlint
and Zizmor to be implemented and enforced _at the organisation level instead of 
in each repository_. This ensures that every repository consistently follows secure
best practices within Actions-related files. The Security Team is still discussing
the best way to accomplish this and how to codify the resulting policy.

You can expect to see more pull requests to be opened in repos across the WordPress
organisation in the coming weeks as a part of the continued efforts to harden workflow
files by addressing any issues flagged by Actionlint and Zizmor.

Note: If a security hardening pull request is opened by someone who has the “Owner”
role on the WordPress organisation on GitHub, it’s within their remit to self-merge
the pull request if they deem it necessary, or for another owner of the organisation
to do so.

## Wider security policy work

As a result of [the ongoing efforts to clarify the requirements for a repository to be a part of the WordPress organisation](https://make.wordpress.org/project/2025/06/04/criteria-for-creating-or-migrating-repositories-under-the-wordpress-github-organization/),
the Security Team is discussing the best way to facilitate security vulnerability
reports for all repos in a sustainable way. As a result the team hopes to standardise
on a security policy that will apply to all repos under the organisation, and [this may well manifest as a central SECURITY.md file](https://github.com/WordPress/.github/issues/6)
and a corresponding HackerOne policy. Stay tuned for more info on these policies
soon.

Once that work is complete, the team will look at implementing further organisation-
wide repo security policies such as requiring immutable releases, secret scanning,
and requiring rulesets to be in place.

While the Security Team has no _immediate_ plans to enforce policies for the secure
configuration of Node and npm, it’s likely that this will be done once the `wordpress-
develop` and `gutenberg` repos are updated to use at least Node v24. See [gutenberg#72973](https://github.com/WordPress/gutenberg/issues/72973).
Stay tuned for more guidance on Node and npm configuration in the coming weeks.

## Want to get involved?

For the most part, securing GitHub Actions workflow files is hardening work that’s
performed in public, not in private, and any contributor can help out. If you’re
interested in helping out please leave a comment here or post a message in the [#core-build-test-tools](https://wordpress.slack.com/archives/C08D0Q6BHNY)
channel in WordPress SlackSlack Slack is a Collaborative Group Chat Platform [https://slack.com/](https://slack.com/).
The WordPress community has its own Slack Channel at [https://make.wordpress.org/chat/](https://make.wordpress.org/chat/).

_Props to [@desrosj](https://profiles.wordpress.org/desrosj/) for peer review and
everyone who has contributed to this work over the last 18 months._

 * [Login to Reply](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fmake.wordpress.org%2Fsecurity%2F2026%2F07%2F13%2Fhardening-github-actions-workflows-across-the-wordpress-organisation%2F%23respond&locale=en_US)