Ensuring Security on WordPress VIP
Last updated: August 2, 2024
WordPress VIP and FEDRAMP Certification
WordPress VIP is FEDRAMP certified, adhering to some of the strictest security requirements globally, including those for the whitehouse.gov website. Additionally, WordPress VIP complies with the Data Privacy Framework.
Secure Platform
Security Monitoring
VIP’s infrastructure is designed to mitigate security threats and manage vulnerabilities at a platform level. Safeguards against attacks include monitoring traffic pattern anomalies and spikes and controlled responses to suspicious traffic patterns. Brute-force protections are built in at the network level, monitoring for unnatural behavior and dynamically applying restrictions.
Data Center Security
Data center security includes end-to-end encryption from data centers at the edge to origin, resource and data isolation, and encrypted off-site backups. VIP origin data centers meet the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27001 certification and Standards for Attestation Engagements (SSAE) No. 18 SOC2 Type 2.
Database Protection
Databases for every application are containerized in a separate infrastructure, each with its own unique authentication. This mitigates the risk of unauthorized access between applications. Production database backups are taken each hour and maintained for 30 days, stored in an encrypted format to ensure data continuity while maintaining security.
Firewalls
Network and host-based firewalls are built into the platform with real-time notification processes designed to prevent unauthorized access attempts.
Security Patch Management
The VIP team promptly deploys security patches and other protections to mitigate critical vulnerabilities for software that runs on the platform, such as WordPress, PHP, and Node.js.
HTTPS and TLS Certificates
Whole-site HTTPS is enforced for all sites on the platform, and an installed TLS certificate is required for a site to be launched and publicly accessible. Let’s Encrypt TLS certificates are available for all domains by default. Customers have the option to install custom TLS certificates for their domains.
Additional Security Measures
Endpoint Protections
VIP has multiple security protections in place to guard against unauthorized access and abuse of the WP Cron (/wp-cron.php), login (/wp-login.php), and XML-RPC (/xmlrpc.php) endpoints.
Penetration Testing
A third-party penetration test is conducted against the WordPress VIP Platform every 12 months.
Rate Limiting
Rate limiting constrains how often an action can be repeated within a certain timeframe, helping to prevent malicious bot activity and reduce strain on web servers. On the VIP Platform, rate limiting is implemented at the application level for all WordPress sites, managed by VIP MU plugins, and at the edge.
Secure Code Practices
Automated Code Analysis
VIP Code Analysis Bot automatically analyzes any code committed to the system for vulnerabilities. Feedback from the Bot is posted on reviewed pull requests based on its automated scans, which include a Vulnerability and Update Scan, PHPCS analysis, PHP linting, and SVG analysis.
Plugin Security
Plugins in the /plugins directory of a WordPress environment’s wpcomvip GitHub repository branch are automatically scanned by Codebase Manager. Known security vulnerabilities and available version updates identified by Codebase Manager are reported in the VIP Dashboard’s Plugins panel.
Disclaimer: FareHarbor Sites (FHS) uses a small set of stable plugins and does not allow additional plugins to be installed. This ensures maximum security and stability for all sites on the platform.
Media File Security
Media files uploaded to /wp-content/uploads are not located in a web container’s filesystem. They are stored in a separate, read-only, globally distributed object store called the VIP File System.
Software Stack Version Upgrades
Software stack version upgrades for security releases (e.g., WordPress core and VIP MU plugins) are automatically deployed to all environments on the platform as quickly as possible.
Bug Bounty Program
We’re enrolled in a public bug bounty program for FareHarbor sites, providing insight into any publicly available endpoints that could pose a security threat.
Site Access
Admin Access
Site admins have access only to their own sites.
Two-Factor Authentication (2FA)
2FA can be enabled for all accounts on the site to enhance security. Read more about our 2FA options here.
Read more about WordPress security on VIP here.