Title: Uncategorized – Making WordPress Secure

---

#  Category Archives: Uncategorized

[Ehtisham Siddiqui](https://profiles.wordpress.org/ehtis/)
1:28 am _on_ March 5, 2025

# [First major release of 2025: WordPress 6.8](https://make.wordpress.org/security/2025/03/05/first-major-release-of-2025-wordpress-6-8/)

WordPress 6.8 will be the first major release this year. The Beta 1 version of this
release cycle was published earlier today. With this, we’re inviting security researchers
to help us make WordPress 6.8 as secure as possible!

As is our tradition, between the release of WordPress 6.8 Beta 1 and the final Release
Candidate (RC), we are offering double bounties for valid security vulnerabilities
found in the new code. WordPress 6.8 Beta 1 contains over 370 enhancements and 520
bug fixes – more details are in the [release post](https://wordpress.org/news/2025/03/wordpress-6-8-beta-1/)
and testing guidelines for key features are [here](https://make.wordpress.org/test/2025/03/04/help-test-wordpress-6-8/#key-features-to-test).

Full schedule of the 6.8 release cycle is [here](https://make.wordpress.org/core/6-8/),
with Release Candidate 3 set to be released on April 8.

Think you have found a security issue? Please reach out via [HackerOne](https://hackerone.com/wordpress)
and we will take a look.


[Ehtisham Siddiqui](https://profiles.wordpress.org/ehtis/)
5:38 am _on_ June 4, 2024

# [WordPress 6.6 is coming!](https://make.wordpress.org/security/2024/06/04/wordpress-6-6-is-coming/)

WordPress 6.6 will be the next major release.

With its Beta 1 set to be [released](https://make.wordpress.org/core/6-6/) on June 4th,
2024, it is about time we start inviting security researchers to look into new bugs!

Any security issue that is found after the release of WordPress 6.6 Beta 1 and before
the final RC is out will be eligible for double the bounties. The security issue
should be in the new code that is introduced in 6.6.

Full schedule of WordPress 6.6 Beta/RC releases is [here](https://make.wordpress.org/core/6-6/).
If you believe you have found a valid bug, please reach out to us via [HackerOne](https://hackerone.com/wordpress).
Please go through the program policy before submitting a report.


[Ehtisham Siddiqui](https://profiles.wordpress.org/ehtis/)
4:13 pm _on_ February 12, 2024

# [Welcoming 2024 with WordPress 6.5 Beta 1](https://make.wordpress.org/security/2024/02/12/welcoming-2024-with-wordpress-6-5-beta-1/)

It’s the start of a new year, and WordPress 6.5 is almost ready – the first major
release of 2024!

The Beta 1 is set to be launched [tomorrow](https://make.wordpress.org/core/6-5/),
February 13, 2024. Like previous major releases, we’re inviting security researchers
to try and find security issues between Beta 1 and the final release candidate that
target the new code. Valid submissions will be eligible for **double** the bounties.

Several new features and improvements are planned for WordPress 6.5. As an example,
here’s a [summary](https://make.wordpress.org/core/2024/02/10/core-editor-improvement-power-in-the-details/)
of the improvements we’re going to see in the Editor, where one likely spends most
of their time.

Full release schedule is [here](https://make.wordpress.org/core/6-5/).

**How to report security issues?**

WordPress security team accepts security issues through our [HackerOne program](https://hackerone.com/wordpress).
The general eligibility criteria for reports is mentioned in the program policy and
must be followed.

As a reminder, reports that highlight issues in the new code will be eligible for
double bounties.


[Ehtisham Siddiqui](https://profiles.wordpress.org/ehtis/)
12:44 pm _on_ September 26, 2023

# [Bug bounty for WordPress 6.4 Beta](https://make.wordpress.org/security/2023/09/26/bug-bounty-for-wordpress-6-4-beta/)

Think you found a security bug in WordPress 6.4 Beta?

The WordPress Security Team wants to find potential security issues before they
land in the final WordPress release. Like last time, we’d love to see researchers
focusing more of their attention on new code being introduced in beta releases,
so we’re offering to double the bounty for any new vulnerability in Core that is
reported after Beta 1 and before the final release candidate (RC).

For example, a bug that would normally be awarded $600 would be doubled to $1200
if reported in the new code between Beta 1 and the final RC.

Release schedule for WordPress 6.4 Beta/RC releases can be [found here](https://make.wordpress.org/core/6-4/)
(Beta 1 is scheduled for today). There’s usually about a month between the first
beta and the last release candidate (RC).

## How can I report security issues?

WordPress security team accepts security issues through our [HackerOne program](https://hackerone.com/wordpress).
The general eligibility criteria for reports is mentioned in the program policy 
and must be followed.

## Do existing vulnerabilities qualify if I report them during the beta period?

No, the intent of the bonus is to catch security bugs before they make it into a
final release, so only vulnerabilities in new code qualify.


[Ehtisham Siddiqui](https://profiles.wordpress.org/ehtis/)
5:12 pm _on_ June 28, 2023
Tags: [Bounties ( 2 )](https://make.wordpress.org/security/tag/bounties/)

# [Doubling the Bounties for WordPress 6.3 Beta](https://make.wordpress.org/security/2023/06/28/doubling-the-bounties-for-wordpress-6-3-beta/)

WordPress 6.3 Beta 1 will be released later today, June 28th. As with the previous
release cycles, this time too we’re focused on finding new security issues before
they make it to the final release.

WordPress security team is inviting security researchers to find security bugs in
WordPress 6.3. We will double the bounties for any new vulnerabilities reported
in the new code for WordPress. The submission window will open today with the release
of Beta 1 and close before the final release candidate (RC) is out.

We post here whenever a beta or RC release is ready: [https://wordpress.org/news/](https://wordpress.org/news/).

Release schedule for WordPress 6.3 beta/RC releases can be [found here](https://make.wordpress.org/core/6-3/).

## How can I report security issues?

WordPress security team accepts security issues through our HackerOne program, which
can be [found here](https://hackerone.com/wordpress). The general eligibility criteria
for reports is mentioned in the program policy and must be followed.

## Do existing vulnerabilities qualify if I report them during the beta period?

No, the intent of the bonus is to catch security bugs before they make it into a
final release, so only vulnerabilities in new code qualify.

We have more info in this [previous](https://make.wordpress.org/security/2019/02/13/doubling-bounties-for-vulnerabilities-discovered-before-release/)
announcement.

[#bounties](https://make.wordpress.org/security/tag/bounties/)


[Ehtisham Siddiqui](https://profiles.wordpress.org/ehtis/)
8:50 pm _on_ June 13, 2021

# [WordPress 5.8 Beta & Double the Bounties](https://make.wordpress.org/security/2021/06/13/wordpress-5-8-beta-double-the-bounties/)

WordPress 5.8 Beta 1 was [released](https://wordpress.org/news/2021/06/wordpress-5-8-beta-1/)
last week. It’s the upcoming major update and we’d love our security researcher
friends to take a look at it, see if you can find any vulnerabilities in the new
code.

WordPress 5.8 will contain new features and optimizations. For example, the new
block-based [Widgets Editor](https://make.wordpress.org/core/2021/05/12/help-test-the-widgets-editor-for-wordpress-5-8/);
it’s an upgrade to the widget areas provided by WordPress through themes and a complete
replacement for the widgets admin screen.

As a reminder, we double the bounty for all our [covered](https://hackerone.com/wordpress)
software, provided you’re able to find issues in new code before the final release
candidate (RC) is out. For example, a $600 bounty would be doubled to $1200, flat.

Things normally start from beta1 – that’s currently the case for WordPress 5.8 Beta
1.

You can take a look at the release schedule for 5.8 beta/RC releases [here](https://make.wordpress.org/core/5-8/).

Potential issues can be submitted [here](https://hackerone.com/wordpress).

Happy bug hunting!


[Ian Dunn](https://profiles.wordpress.org/iandunn/)
3:09 am _on_ February 13, 2019
Tags: [Bounties ( 2 )](https://make.wordpress.org/security/tag/bounties/)

# [Doubling Bounties for Vulnerabilities Discovered Before Release](https://make.wordpress.org/security/2019/02/13/doubling-bounties-for-vulnerabilities-discovered-before-release/)

The best time to discover a security bug is before it’s ever released to users. 
Not only does that keep everybody safe, but it also makes the process of fixing 
the bug much simpler and faster.

The WordPress Security Team would love to see researchers focusing more of their
attention on new code being introduced in beta releases, so we’re offering to double
the bounty for any new vulnerability in Core that is reported after Beta 1 and before
the final release candidate (RC).

For example, a bug that would be awarded $600 if it were reported after the release
will instead be awarded $1,200 if it’s reported between Beta 1 and the final RC.

You can learn more about our bug bounty program by [visiting our HackerOne page](https://hackerone.com/wordpress).

### Do vulnerabilities qualify if reported after the final RC but before the release?

No, because there’s sometimes only a day or two between the final RC and the last
release, and we may not receive and triage your report in time for it to prevent
the vulnerability from being released.

### How can I know when a beta1 is released?

We publish posts at [w.org/news](https://w.org/news) whenever a beta or RC release
is ready. To get email notifications, enter your address in the sidebar and click
on the `Subscribe` button.

### How are Beta and RC releases scheduled?

When an upcoming release is ready for initial testing, we publish a `beta1` (for
example, [5.1-beta1](https://wordpress.org/news/2019/01/wordpress-5-1-beta-1/)).
If significant bugs are discovered, we’ll fix them and publish `beta2`, `beta3`,
etc.

Once the code seems like it might be stable enough for production, we’ll publish
`RC1` (for example [5.1-RC1](https://wordpress.org/news/2019/02/wordpress-5-1-release-candidate/)).
If significant bugs are discovered, we’ll fix them and publish `RC2`, `RC3`, etc.

Once we’re confident that the code is ready for production servers, we’ll publish
the final release (for example, [5.0](https://wordpress.org/news/2018/12/bebo/)).

### How can I know how much time I’ll have before the final RC?

The timing and number of betas/RCs can vary, but there’s usually about a month between
the first beta and the last RC. You can view a rough schedule for the release by
visiting [the Make Core blog](https://make.wordpress.org/core/), and following the
link in the sidebar under `Current Release`. To give yourself the most time, we 
recommend that you start testing when `beta1` is released.

### Are bounties doubled for unreleased vulnerabilities in other software, like Gutenberg and WP-CLI?

Yes! Everything here applies to [all of our software](https://hackerone.com/wordpress),
as long as you report it between `beta1` and the final RC.

### Do existing vulnerabilities qualify if I report them during the beta period?

No, the intent of the bonus is to catch security bugs before they make it into a
final release, so only vulnerabilities in new code qualify.

[#bounties](https://make.wordpress.org/security/tag/bounties/)
