Customer responsibility for threat mitigation
The security of an application hosted on the VIP Platform is a shared responsibility between VIP and its customers. VIP is committed to providing a secure infrastructure; customers are responsible for managing their users, for ensuring that those users follow security best practices, and for maintaining the quality of the code deployed to their applications.
Security incidents can cause an enormous amount of toil, financial cost, and negatively affect the reputation of a business. It is worth taking the time and making the effort to reduce the risk of a security incident in any way possible.
Use caution around the type of data stored by an application
VIP acts as a data processor for the customer; the customer is the data controller.
The scope of personal data that is uploaded to an application hosted on the VIP Platform is within the control of the customer. The type of data collected is dependent on the settings applied to a VIP application by the customer and the code that is added to an application’s wpcomvip GitHub repository.
VIP explicitly discourages the collection, transmission, processing and storage of sensitive or protected data such as social security numbers, medical information, or credit card details on its infrastructure. Payment details for e-commerce sites should be handled by a PCI-compliant payment processor. PCI compliance is reliant on the payments processor (e.g., WooCommerce Payments, Stripe, etc.), the merchant, and the e-commerce extensions used.
Control user access and restrict user permissions
User access management (i.e., adding, removing, and editing user accounts) for most accounts is under the customer’s governance.
VIP has no insight into whether a user who was granted access to an organization’s account at some point in the past still has a relationship with that organization. It is the customer’s responsibility to keep the list of users with access to the accounts associated with an organization up to date.
Customers are advised to be vigilant about which users have access to the accounts related to an application, and what level of access those users have. Periodically review the list of users with access to application data (e.g., VIP Dashboard, GitHub, New Relic, Zendesk, and WordPress).
For all accounts related to an application, minimize the number of users who are granted Admin permissions for any account. Follow the principle of least privilege, and lower a user’s level of access to only what is necessary for their role. Remove a user’s account entirely if they should no longer have access.
Implement secure development practices
It is possible for the secure infrastructure of an environment to be compromised by insecure code deployed to it from an application’s codebase. The quality of the code contributed to an application’s codebase and the diligence of a customer’s code reviewers strongly influence the security of a publicly accessible site. Customers should develop their own security guidelines for all codebase contributors and ensure that they are followed.
- All code should be required to undergo internal code review before merging to a production branch. Review with security in mind: try to imagine all of the ways, both obvious and unlikely edge cases, in which the new code could be used maliciously.
- Never deploy untested prototype code to a publicly accessible environment.
- Any code that alters the permissions of a user role—and code that runs logic against permission levels—requires extra scrutiny during code review.
- Perform periodic holistic security reviews of the application’s entire codebase. These reviews can be helpful to identify emergent insecure behavior of the codebase that might not be obvious in individual changesets.
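The kind of change the third bullet asks reviewers to scrutinize, shown as an added example rather than code from VIP or WordPress: a privileged admin-ajax handler as it is often first written, beside a hardened version of the same handler. It assumes a WordPress runtime (the hook and function names other than the hypothetical `example_*` identifiers and the `example_feature_enabled` option are WordPress core APIs).

```php
<?php
/**
 * Added example (not VIP's or WordPress's own code). Assumes a WordPress runtime;
 * the option name 'example_feature_enabled', the ajax action suffixes and the
 * function names are hypothetical.
 */

// BEFORE: a privileged action with no capability check and no nonce.
// The wp_ajax_ prefix only requires that the caller is logged in, so any
// Subscriber can flip a site-wide setting, and a cross-site request forged
// from another page can do it on an administrator's behalf.
function example_toggle_feature_insecure() {
	update_option( 'example_feature_enabled', $_POST['enabled'] );
	wp_send_json_success();
}
add_action( 'wp_ajax_example_toggle_insecure', 'example_toggle_feature_insecure' );

// AFTER: the same action, hardened. This is what a reviewer should expect to see
// whenever code runs logic against a permission level.
function example_toggle_feature() {
	// 1. Authorization: check a capability, not a role name, on the acting user at
	//    request time. manage_options is the capability that gates site settings.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// 2. Anti-CSRF: the request must carry a nonce created for this exact action,
	//    e.g. wp_create_nonce( 'example_toggle' ) on the admin page that calls it.
	//    check_ajax_referer() ends the request with -1 when the nonce is invalid.
	check_ajax_referer( 'example_toggle', 'nonce' );

	// 3. Input validation: the option may only ever hold one of two values, so
	//    coerce the untrusted input to a boolean instead of storing it verbatim.
	$enabled = isset( $_POST['enabled'] )
		? rest_sanitize_boolean( wp_unslash( $_POST['enabled'] ) )
		: false;

	update_option( 'example_feature_enabled', $enabled ? '1' : '0' );
	wp_send_json_success( array( 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_example_toggle', 'example_toggle_feature' );
```

The same three questions (who may do this, did they intend to, and is the input what the code expects) apply to any code path that changes data based on a user’s permission level. Code that widens a role’s capabilities, for instance a call to `add_cap()` on an existing role, deserves the same scrutiny, since that change persists in the database beyond the request that made it.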
Third-party dependencies
Take steps to research the quality and suitability of any third-party code before adding it to an application’s codebase. Use tools such as PHPCS to evaluate code quality on a local machine, and investigate all issues reported by the VIP Code Analysis Bot in pull requests. Tools are helpful, but the security risks of third-party code are best identified when automated scanning is combined with human code review.
Available updates for third-party dependencies that exist in an application repository (e.g. plugins and themes) should be tested and applied as soon as possible. VIP provides several code scanning features that can help customers keep their third-party plugins and software up to date and secure.
- Codebase Manager scans plugins within an application’s /plugins directory. The “Plugins” panel in the VIP Dashboard will indicate if version updates are available for a plugin, or if the scan has identified a known security vulnerability. A pull request to update a plugin can be initiated from within the VIP Dashboard Plugins panel.
- The Vulnerability and Update Scan by the VIP Code Analysis Bot scans pull requests made to an application’s wpcomvip GitHub repository. The Bot queries the WPScan API for known plugin and theme security vulnerabilities and available version updates.
Run WordPress in a secure, safe manner
Though VIP has specific security measures in place to protect WordPress applications, customers share the responsibility of running their WordPress site in a safe and secure manner.
- The version of WordPress running on an environment should be maintained at the most recent major release version. Customers can update WordPress versions in the Software Versions panel of the VIP Dashboard. To ensure that an environment’s version of WordPress is updated automatically, enable managed updates. The VIP team automatically applies security patches for the version of WordPress running on an environment.
- Users that are granted access to a WordPress site potentially have access to the site’s data and settings. Use great caution when granting user access to a WordPress site, and assign roles and capabilities to each user that are limited to only what is necessary. Utilize the Inactive User module in WordPress Security Controls to flag or block users from logging in if they remain inactive beyond a set threshold of time.
- By default, the Two-Factor Authentication plugin is active on all WordPress sites on the VIP Platform and 2FA is enforced for all users that have an Editor, Administrator, or Super Admin role. For heightened security, 2FA should be enforced for all user roles and can be configured in the WordPress Security Controls panel.
- Enforce strong password policies, and force password changes for users when needed.
- Immediately notify VIP Support if there is reason to suspect unauthorized use of WordPress user accounts.
Only run versions of software eligible for security updates
The version of PHP or Node.js running on an environment can be managed in the Software Versions panel of the VIP Dashboard. Only versions of software that are eligible for security updates can be selected for an environment; older versions are not an option. VIP notifies customers of upcoming version releases and version deprecations of PHP and Node.js in the VIP Lobby.
Notifications are intended to help customers plan ahead and schedule adequate time to test their application code against newer versions of software. All testing should be performed on non-production environments prior to updating the software version running on a production environment.
Educate team members on security best practices
It is the responsibility of all users with access to an application hosted on the WordPress VIP Platform to contribute to the security of that application. All team members should review and follow the security best practices for users.
Users who do not follow security best practices can compromise the security of an application.
Communicate the importance of good password management to all users with access to an application’s data and/or settings. Users should heed the password strength meter built into WordPress and review WordPress.org’s recommendations for password best practices.
Audit every action
Internally, VIP logs activity at the application, web server, load balancer, database, and operating system layers. This allows the team to analyze and investigate security issues in real-time.
Customers have access to the Audit Log in the VIP Dashboard, which provides an overview and historical log of nearly every action that can be taken by an organization’s team members. In addition, a separate WP-CLI Commands audit log is available to monitor all WP-CLI commands that were run on an environment.
As a security best practice, these logs should be reviewed by the customer at a regular cadence to increase the likelihood that unusual or malicious behavior can be identified as soon as possible.
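One way to make that regular review less tedious is to run a first-pass filter over the WP-CLI Commands audit log before reading it by hand. The following is an added example, not a VIP Dashboard feature or VIP code: the log format it parses (tab-separated timestamp, user, environment and command) and the sample entries are constructed for the example, because this page does not describe the real export format, so the parser would need adapting to the columns you actually receive. The rules encode commands a reviewer would want surfaced regardless of format: privilege grants, arbitrary PHP execution, changes to security-relevant options, and installing or toggling code.

```php
<?php
/**
 * Added example (not VIP's code). Flags WP-CLI audit entries that warrant a
 * human look. Run with: php review-cli-audit.php
 * The log format and every sample line below are constructed for this example.
 */

// Constructed sample: "<ISO timestamp>\t<user>\t<environment>\t<command>".
$sample_log = <<<LOG
2025-11-18T09:12:03Z\talice\tproduction\twp cache flush
2025-11-18T09:40:41Z\tbob\tdevelop\twp post list --post_status=draft --format=count
2025-11-18T22:05:17Z\tcontractor-jane\tproduction\twp user create backdoor admin@example.invalid --role=administrator
2025-11-18T22:06:02Z\tcontractor-jane\tproduction\twp eval 'file_put_contents("/tmp/x", "test");'
2025-11-19T03:14:55Z\talice\tproduction\twp option update siteurl https://example.invalid
2025-11-19T10:02:00Z\tbob\tproduction\twp plugin list --status=active
LOG;

// Review rules: a regex over the command string, and the reason it matters.
// Read-only commands (list, get, count) are deliberately not matched.
const REVIEW_RULES = array(
	'/^wp user (create|update|set-role|add-role|add-cap)\b.*\b(administrator|super-admin|manage_options)\b/'
		=> 'privilege granted to a user',
	'/^wp (eval|eval-file|shell)\b/'
		=> 'arbitrary PHP execution',
	'/^wp option (update|add|delete)\b.*\b(siteurl|home|admin_email|users_can_register|default_role)\b/'
		=> 'security-relevant option changed',
	'/^wp (plugin|theme) (install|activate|deactivate|delete)\b/'
		=> 'code installed or toggled',
	'/^wp (db|config)\b/'
		=> 'direct database or wp-config access',
);

/** Parse one tab-separated line into its four fields, or return null if malformed. */
function parse_cli_audit_line( string $line ): ?array {
	$parts = explode( "\t", trim( $line ), 4 );
	if ( count( $parts ) !== 4 ) {
		return null;
	}
	return array(
		'time'    => $parts[0],
		'user'    => $parts[1],
		'env'     => $parts[2],
		'command' => $parts[3],
	);
}

/**
 * Return the entries matching a review rule, each annotated with the reason and a
 * severity: the same command on production is worth more attention than on develop.
 */
function flag_cli_audit( string $log ): array {
	$flagged = array();
	foreach ( explode( "\n", $log ) as $line ) {
		$entry = parse_cli_audit_line( $line );
		if ( null === $entry ) {
			continue;
		}
		foreach ( REVIEW_RULES as $pattern => $reason ) {
			if ( preg_match( $pattern, $entry['command'] ) ) {
				$entry['reason']   = $reason;
				$entry['severity'] = ( 'production' === $entry['env'] ) ? 'high' : 'medium';
				$flagged[]         = $entry;
				break; // one reason per entry is enough for triage
			}
		}
	}
	return $flagged;
}

foreach ( flag_cli_audit( $sample_log ) as $hit ) {
	printf(
		"[%s] %s %s@%s: %s (%s)\n",
		$hit['severity'],
		$hit['time'],
		$hit['user'],
		$hit['env'],
		$hit['command'],
		$hit['reason']
	);
}
```

On the constructed sample this surfaces three of the six entries: the administrator account created late in the evening, the `wp eval` that followed it from the same user, and the `siteurl` change. The point of the filter is to shrink the log to the entries that need a person to decide whether they were expected; it does not replace reading the surrounding entries once something is flagged, and the rule list should grow as your team learns which commands it never expects to see on production.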
Last updated: November 19, 2025