Theme security issues

Please do not report security issues with WordPress Core to the themes team. To report an issue with WordPress itself, follow the directions for reporting security vulnerabilities.
If you have found a plugin with a security issue, please read Reporting Plugin Security Issues

How to report a theme

If you find a theme with a security issue, please do not post about it publicly anywhere. Even if there’s a report filed on one of the official security tracking sites, bringing more awareness to the security issue tends to increase people being hacked, and rarely speeds up the fixing.

To report a theme that is in the theme directory, please go to the theme’s directory listing (For example, and use the “Report this theme” button in the sidebar, and complete the form.

You can also send reports of security issues to Include the following:

  • a clear and concise description of the issue
  • a link to the specific theme
  • whether or not you have validated the security issue yourself
  • optional – links to any public disclosures on 3rd party sites

For developers

What to do when you receive a request to update your theme

If your theme has been reported and the Themes Team decides that action needs to be taken, you will receive an email from the Themes Team with information and instructions.
– You may be asked to solve an issue within a specific time frame. This depends on the severity of the issue.
– The Themes Team may need to suspend your theme to prevent new downloads until the issue is resolved.

You must reply to the email if you have any questions, need more information, or need more time.

Test your theme update carefully and submit it through the upload form on the theme directory page.

Learn more about how the Themes team works with theme suspensions and delisting.


To learn more about theme security, please see the Security chapter of the common APIs handbook.