Security
The VIP Platform is built with multiple levels of security controls and protection—including edge protection, secure networking, robust access controls, continuous security monitoring, and code scanning. VIP performs recurring internal security testing of the platform and vulnerability assessments, and engages third parties to perform platform penetration testing on a regular basis.
However, it is the combined responsibility of both VIP and the customer to strengthen and maintain the security of applications hosted on the VIP Platform.
Infrastructure built to mitigate security threats
VIP’s infrastructure is designed to mitigate security threats and manage vulnerabilities at a platform-level.
- Security monitoring: Safeguards against attacks include monitoring of traffic pattern anomalies and spikes, and controlled responses to suspicious traffic patterns. Brute-force protections are built in at the network level; they monitor for unnatural behavior and dynamically apply restrictions.
- Data center security: End-to-end encryption from data centers at the edge to origin, resource and data isolation, and encrypted off-site backups. VIP origin data centers hold International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) 27001 certification and Standards for Attestation Engagements (SSAE) No. 18 SOC 2 Type 2 attestation.
- Database protection: Databases for every application are containerized in a separate infrastructure, each with their own unique authentication. This mitigates the risk of unauthorized access between applications. Production database backups are taken each hour and maintained for 30 days. They are stored in an encrypted format to ensure data continuity while maintaining security.
- Firewalls: Network and host-based firewalls are built into the platform with real-time notification processes designed to prevent unauthorized access attempts.
- Security patch management: The VIP team promptly deploys security patches and other protections to mitigate critical vulnerabilities for software that runs on the platform such as WordPress, PHP, and Node.js.
Whole-site HTTPS is enforced for all sites on the platform, and an installed TLS certificate is required for a site to be launched and publicly accessible. Let’s Encrypt TLS certificates are available for all domains by default. Customers have the option to install custom TLS certificates for their domains.
Reduced attack surface
VIP’s infrastructure has reduced attack surfaces that help to protect applications against many common forms of attack.
- All web containers run in read-only mode. A read-only web container disallows plugins, themes, and other code from having write permissions. While this can occasionally cause plugin incompatibilities, it protects against vulnerabilities such as installation of backdoor shells and other malicious files.
- The code deployed to an environment’s read-only web containers can only be modified by GitHub users given write-access to an application’s wpcomvip GitHub repository. The customer governs user access to an application’s GitHub repository. Read, Write, or Admin permissions are selectively assigned to users at the customer’s discretion.
- Uploaded media files are stored in the VIP File System, a separate, read-only, globally distributed object store.
Customer responsibility for threat mitigation
The security of an application hosted on the VIP Platform is a shared responsibility between VIP and its customers. While VIP is committed to providing a secure infrastructure, customers have the responsibility of user management, overseeing that security best practices are followed by their users, and maintaining the quality of the code that is deployed to their applications.
Security incidents can cause an enormous amount of toil and financial cost, and can negatively affect the reputation of a business. It is worth taking the time and making the effort to reduce the risk of a security incident in any way possible.
Use caution around the type of data stored by an application
VIP acts as a data processor for the customer; the customer is the data controller. The scope of personal data that is uploaded to an application hosted on the VIP Platform is within the control of the customer. The type of data collected is dependent on the settings applied to a VIP application by the customer and the code that is added to an application’s wpcomvip GitHub repository.
VIP explicitly discourages the collection, transmission, processing and storage of sensitive data on its infrastructure.
Control user access and restrict user permissions
Customers are advised to be vigilant about which users have access to the accounts related to an application, and what level of access those users have. Periodically review the list of users with access to application data (e.g., VIP Dashboard, GitHub, New Relic, Zendesk, and WordPress). Minimize the number of users who are granted Admin permissions for any account. Follow the principle of least privilege, and lower a user’s level of access to only what is necessary for their role. Remove a user from an account entirely if they should no longer have access.
VIP has no insight into whether a user who was once granted access to an organization’s account still has a relationship with that organization. It is the customer’s responsibility to keep the list of users with access to accounts associated with an organization up to date.
User access management (i.e., adding, removing, and editing user accounts) for most accounts is under the customer’s governance.
Implement secure development practices
It is possible for the secure infrastructure of an environment to be compromised by insecure code deployed to it from an application’s codebase. The quality of code contributed to an application’s codebase and the diligence of a customer’s code reviewers strongly influence the security of a publicly accessible site. Customers should develop their own security guidelines for all codebase contributors and ensure that they are followed.
- All code should be required to undergo internal code reviews before merging to a production branch. When reviewing code, keep security in mind. Try to imagine all of the ways—both obvious and unlikely edge cases—that the new code could possibly be used maliciously.
- Never deploy untested prototype code to a publicly accessible environment.
- Any code that alters the permissions of a user role—and code that runs logic against permission levels—requires extra scrutiny during code review.
- Perform periodic holistic security reviews of the application’s entire codebase. These reviews can be helpful to identify emergent insecure behavior of the codebase that might not be obvious in individual changesets.
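As an added example (not the page’s or VIP’s own code), here is a hypothetical admin-ajax handler that changes a user’s role: first in the form a reviewer should reject, then with the capability, nonce and input checks that review of permission-altering code should demand. The action name, nonce action and function names are invented for illustration.

```php
<?php
/**
 * Added example, not code from the VIP documentation: a hypothetical
 * admin-ajax handler that changes another user's role. The first version
 * is the kind of change that should fail code review; the second shows
 * the checks a reviewer should expect. Action and nonce names are invented.
 */

// ---- Version to reject in review -------------------------------------
// wp_ajax_* hooks fire for any logged-in user, so a Subscriber could call
// admin-ajax.php?action=example_set_role and assign any role, including
// administrator. No authorization check, no nonce, no input validation.
function example_set_role_insecure() {
	$user = get_userdata( (int) $_POST['user_id'] );
	$user->set_role( $_POST['role'] );
	wp_send_json_success();
}
// add_action( 'wp_ajax_example_set_role', 'example_set_role_insecure' );

// ---- Hardened version ------------------------------------------------
function example_set_role_secure() {
	// CSRF: the request must carry a nonce minted with
	// wp_create_nonce( 'example_set_role' ) on the page that issues it.
	check_ajax_referer( 'example_set_role', 'nonce' );

	// Authorization: the caller must be allowed to change roles at all,
	// and to edit this particular user (covers multisite and self-edits).
	$user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
	if ( ! $user_id || ! current_user_can( 'promote_users' ) || ! current_user_can( 'edit_user', $user_id ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// Input validation: only a fixed allow-list of roles may be assigned
	// through this endpoint; administrator is deliberately excluded.
	$role          = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';
	$allowed_roles = array( 'subscriber', 'contributor', 'author', 'editor' );
	if ( ! in_array( $role, $allowed_roles, true ) ) {
		wp_send_json_error( 'invalid role', 400 );
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		wp_send_json_error( 'no such user', 404 );
	}

	$previous = $user->roles;
	$user->set_role( $role );

	// Leave a trail that can be correlated with the Audit Log during review.
	error_log( sprintf(
		'role change: actor=%d target=%d from=%s to=%s',
		get_current_user_id(),
		$user_id,
		implode( ',', $previous ),
		$role
	) );

	wp_send_json_success( array( 'role' => $role ) );
}
add_action( 'wp_ajax_example_set_role', 'example_set_role_secure' );
```

The three checks are independent: the nonce stops cross-site request forgery, `current_user_can( 'promote_users' )` plus `edit_user` enforces who may change roles, and the allow-list caps what can be granted even if the first two are satisfied. A reviewer should expect all three in any code that touches roles or capabilities.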
Third-party dependencies
Take steps to research the quality and suitability of any third-party code before adding it to an application’s codebase. Use tools such as PHPCS to evaluate code quality on a local machine, and investigate all issues reported by the VIP Code Analysis Bot in pull requests. While tools can be helpful, potential security risks in code are best identified when automated analysis is combined with human code review.
Available updates for third-party dependencies that exist in an application repository (e.g. plugins and themes) should be tested and updated as soon as possible. VIP provides several code scanning features that can help customers keep their third-party plugins and software up to date and secure.
- Codebase Manager scans plugins within an application’s /plugins directory. The “Plugins” panel in the VIP Dashboard will indicate if version updates are available for a plugin, or if the scan has identified a known security vulnerability. A pull request to update a plugin can be initiated from within the VIP Dashboard Plugins panel.
- The Vulnerability and Update Scan by the VIP Code Analysis Bot scans pull requests made to an application’s wpcomvip GitHub repository. The Bot queries the WPScan API for known plugin and theme security vulnerabilities and available version updates.
Run WordPress in a secure, safe manner
Though VIP has specific security measures in place to protect WordPress applications, customers share the responsibility of running their WordPress site in a safe and secure manner.
- The version of WordPress running on an environment should be maintained at the most recent major release version. Customers can update WordPress versions in the Software Versions panel of the VIP Dashboard. To ensure that an environment’s version of WordPress is updated automatically, enable managed updates. The VIP team automatically applies security patches for the version of WordPress running on an environment.
- Users that are granted access to a WordPress site potentially have access to the site’s data and settings. Use great caution when granting user access to a WordPress site, and assign roles and capabilities to each user that are limited to only what is necessary.
- By default, VIP requires two-factor authentication for all WordPress user accounts with a role that has the manage_options capability (e.g., Administrators and Super Admins). For greater security, two-factor authentication should be enforced for all WordPress user accounts with the edit_posts capability (e.g., users with the Contributor role or greater).
- Enforce strong password policies, and force password changes for users when needed.
- Immediately notify VIP Support if there is reason to suspect unauthorized use of WordPress user accounts.
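The access recommendations above (periodic review of who holds elevated access, least-privilege roles, and two-factor authentication for everyone with edit_posts) can be put into code in a site plugin. The following is an added example, not code from the VIP documentation or from VIP’s mu-plugins. The filter name wpcom_vip_is_two_factor_forced is assumed to be the hook VIP’s platform code exposes for this purpose; the role slug, role label and function names are invented for this example.

```php
<?php
/**
 * Added example (not code from the VIP documentation or VIP's mu-plugins).
 * Three small pieces of a site plugin that turn the access recommendations
 * into code:
 *   1. force two-factor authentication for everyone who can edit_posts,
 *   2. define a narrowly scoped role instead of handing out Editor/Admin,
 *   3. list who currently holds manage_options, for periodic access reviews.
 *
 * Assumption: 'wpcom_vip_is_two_factor_forced' is the filter VIP's platform
 * code uses to decide whether 2FA is required; the role slug, label and
 * function names are made up for this example.
 */

// 1. Raise the 2FA requirement from manage_options (the default) to edit_posts.
//    PHP_INT_MAX priority so this runs last and cannot be relaxed by an
//    earlier filter callback.
add_filter(
	'wpcom_vip_is_two_factor_forced',
	function ( $is_forced ) {
		return $is_forced || current_user_can( 'edit_posts' );
	},
	PHP_INT_MAX
);

// 2. A least-privilege role: can write, publish and delete their own posts
//    and upload media, but cannot edit others' posts, manage plugins or
//    themes, or change site settings. add_role() persists the role in the
//    database and returns null if the slug already exists, so it is safe
//    to call on every request.
function example_register_staff_writer_role() {
	add_role(
		'example_staff_writer',
		'Staff Writer',
		array(
			'read'          => true,
			'edit_posts'    => true,
			'publish_posts' => true,
			'delete_posts'  => true,
			'upload_files'  => true,
		)
	);
}
add_action( 'init', 'example_register_staff_writer_role' );

// 3. Who holds a given capability right now? Run via WP-CLI (`wp eval`) or a
//    scheduled task and compare the result with the current team roster.
function example_users_with_capability( $capability ) {
	$users = get_users(
		array(
			'capability' => $capability, // WP_User_Query 'capability' arg, WordPress 5.9+
			'fields'     => array( 'ID', 'user_login', 'user_email' ),
		)
	);

	$report = array();
	foreach ( $users as $user ) {
		$report[] = sprintf( '%d %s <%s>', $user->ID, $user->user_login, $user->user_email );
	}
	return $report;
}

// Example: print_r( example_users_with_capability( 'manage_options' ) );
```

Because add_role() stores the capability set in the options table, changing the capabilities later requires remove_role() followed by add_role() again; bumping only the array in code has no effect on an existing role. The report in part 3 is the list a customer would review against their off-boarding records, since VIP cannot know which accounts are still legitimate.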
Only run versions of software eligible for security updates
The version of PHP or Node.js running on an environment can be managed in the Software Versions panel of the VIP Dashboard. Only versions of software that are eligible for security updates can be selected for an environment; older versions are not an option. VIP notifies customers of upcoming version releases and version deprecations of PHP and Node.js in the VIP Lobby.
Notifications are intended to help customers plan ahead and schedule adequate time to test their application code against newer versions of software. All testing should be performed on non-production environments prior to updating the software version running on a production environment.
Educate team members on security best practices
It is the responsibility of all users with access to an application hosted on the WordPress VIP Platform to contribute to the security of that application. All team members should review and follow the security recommendations for users.
Users who do not follow security best practices can compromise the security of an application.
Communicate the importance of good password management to all users with access to an application’s data and/or settings. Users should heed the password strength meter built into WordPress and review WordPress.org’s recommendations for password best practices.
Audit every action
Internally, VIP logs activity at the application, web server, load balancer, database, and operating system layers. This allows the team to analyze and investigate security issues in real-time.
Customers have access to the Audit Log in the VIP Dashboard, which provides an overview and historical log of nearly every action that can be taken by an organization’s team members. In addition, a separate WP-CLI Commands audit log is available to monitor all WP-CLI commands that were run on an environment.
As a security best practice, these logs should be reviewed by the customer at a regular cadence to increase the likelihood that unusual or malicious behavior can be identified as soon as possible.
Review our enterprise-grade WordPress security article for more information about security on the VIP Platform and security best practices.
Last updated: January 04, 2024