Penetration testing
Penetration tests, security assessments, or other scans can be run by a customer against their application’s WordPress VIP Platform environments.
Prior to running any tests or scans, create a VIP Support ticket. In the Support ticket, outline the objectives and planned methodology of the tests or scans so VIP engineers can validate and approve the approach.
Limitations
- The scope of testing must be limited to the domains mapped to the environments of the customer’s application.
- Customers are not permitted to conduct their own security assessments of VIP’s infrastructure or services (e.g. the VIP Dashboard and API). If a customer has questions about what falls within the scope of “infrastructure or services” they can ask for more details in the VIP Support ticket.
- Do not perform Denial-of-Service (DoS) attacks or simulations against an environment on the VIP Platform, VIP’s infrastructure, or any of VIP’s services. Any testing that is found to be abusive, or impactful on VIP’s systems—or impactful to other customers—will likely be blocked.
- Requests are only blocked if they are determined to be harmful to the platform (e.g. too many per second). VIP cannot allow a specific IP to bypass the limits that are in place, as they are part of a global safeguard that protects all sites on the platform from bad traffic.
- Specific IP addresses cannot be added to a VIP Platform allow list.
- A rate limiting threshold of 10 XML-RPC requests per minute is in place at the edge. If this limit is exceeded, a one-hour block timeout will occur, during which a
403 Forbidden
HTTP response status code will be returned. This rate limit is global and is not customizable per environment.
Penetration tests run by WordPress VIP
A third-party penetration test is conducted against the WordPress VIP Platform every 12 months. Customers can request an executive summary of the test under a non-disclosure agreement (NDA) by submitting a VIP Support ticket.
If a security issue is discovered within the VIP Platform—or any of VIP’s services—report it immediately via HackerOne.
WordPress VIP does not provide test accounts for the purpose of discovering security issues.
Last updated: March 12, 2024