WordPress security on VIP
Code
- The VIP Code Analysis Bot automatically analyzes any code pushed to GitHub pull requests.
- Codebase Manager’s Automated Security Scanning creates pull requests to upgrade plugins with vulnerabilities reported by WPScan.
- Software stack version upgrades for security releases (e.g., WordPress core and vip-go-mu-plugins) are automatically deployed to all environments on the platform as quickly as possible.
Site access
- The username
adminis disallowed for WordPress sites. - Federated logins via SSO
- Forced Two-Factor Authentication (2FA) for users with administrator roles (also available for all users).
- Ability to restrict site access for specific URLs, the WordPress admin, or for an entire site.
WP Cron, XML-RPC, and login endpoints
VIP has multiple security protections in place to protect against unauthorized access and abuse of the WP Cron, XML-RPC, and login endpoints.
- At the network level, dynamic security protocols are in place that can be triggered by unusual behavioral patterns. An automated attack would trigger VIP’s dynamic security measures, and login attempts would be completely blocked.
- Brute force attempts on
/wp-login.phpand/xmlrpc.phpare detected and mitigated at the edge (firewall, NGINX etc) as well as within WordPress via Jetpack’s Brute Force Attack Protection.
- Access to the
/xmlrpc.phpendpoint is restricted to authorized requests only. - The XML-RPC server in WordPress core code prevents more than one failed authentication attempt per a
system.multicallrequest.
Rate limiting
Rate limiting is a strategy to constrain how often an action can be repeated within a certain timeframe. The implementation of rate limiting can help to prevent some forms of malicious bot activity and to reduce strain on web servers. On the VIP Platform, rate limiting is in place at the application level for all WordPress sites, managed by vip-go-mu-plugins.
The rate limiting threshold for XML-RPC requests is 10 times per minute, with a one hour block timeout when this is exceeded. During the block timeout, 403s are returned.
Logic applied to the login rate limiting threshold varies depending on the context. For example, for any given username+IP combination, the limit is 5 failed attempts every 5 minutes. This layer protects against more localized, user-specific attacks.
Filters can be applied to adjust the login limit thresholds:
wpcom_vip_ip_login_threshold(Login limiting IP threshold)wpcom_vip_ip_username_login_threshold(Login limiting IP username threshold)