Skip to content

WordPress security on VIP

Multiple layers of security are in place to protect WordPress applications:

Site access

  • The username admin is disallowed for WordPress sites. Attempts to log in with the admin username will be blocked and the notice Logins are restricted for that user. Please try a different user account. will be displayed.
  • Forced Two-Factor Authentication (2FA) for administrators and custom roles with the manage_options capability. Enabling 2FA is a security recommendation for all users.
  • Single Sign On (SSO) can be enabled on any WordPress site.
  • Customers have the ability to restrict site access for specific URLs, the WordPress admin, or for an entire site.

WP Cron, XML-RPC, and login endpoints

VIP has multiple security protections in place to protect against unauthorized access and abuse of the WP Cron, XML-RPC, and login endpoints.

  • At the network level, dynamic security protocols are in place that can be triggered by unusual behavioral patterns. An automated attack would trigger VIP’s dynamic security measures, and login attempts would be completely blocked.
  • Brute force attempts on /wp-login.php and /xmlrpc.php are detected and mitigated at the edge (i.e., firewall, NGINX). Attempts to obfuscate the URL of the WordPress login page by altering the URL—via a plugin or otherwise—will remove VIP’s brute force login protections from the login URL.
  • Access to the /xmlrpc.php endpoint is restricted to authorized requests only.
  • The XML-RPC server in WordPress core code prevents more than one failed authentication attempt per a system.multicall request.

Rate limiting

Rate limiting is a strategy to constrain how often an action can be repeated within a certain timeframe. The implementation of rate limiting can help to prevent some forms of malicious bot activity and to reduce strain on web servers. On the VIP Platform, rate limiting is in place at the application level for all WordPress sites, managed by VIP MU plugins, and at the edge.

The rate limiting threshold for XML-RPC requests at the edge is 10 times per minute, with a one-hour block timeout when this is exceeded. During the block timeout, 403s are returned. This rate is global and not customizable per application.

Logic applied to the login rate limiting threshold varies depending on the context. For example, for any given username+IP combination, the limit is 5 failed attempts every 5 minutes. This layer protects against more localized, user-specific attacks.

Filters can be applied to adjust the login limit thresholds:

  • wpcom_vip_ip_login_threshold (Login limiting IP threshold)
  • wpcom_vip_ip_username_login_threshold (Login limiting IP username threshold)

Last updated: August 03, 2023

Relevant to

  • WordPress