How WordPress VIP Keeps Customers Safe From Cyberattacks

From development to deployment and beyond


WordPress VIP’s charter is to bring WordPress to the largest organizations on the web. 

Over time, we’ve had Salesforce, Meta, Capgemini, the White House, NASA, Al Jazeera, and News Corp all adopt WordPress. With WordPress comes its world-class editor, beneficial cost savings, and limitless customizability through integrations.

And yet one common misconception we hear from large organizations is that WordPress isn’t secure. They glance at a CMS bolstered by plugins and integrations and see multiple vectors for malicious actors to exploit.

WordPress VIP has long had an answer for this. We have one of the most airtight vulnerability protection systems on the market, an end-to-end process for managing a secure environment of plugins and integrations.

From development to production and beyond, our security measures help you enjoy the freedom and flexibility of WordPress without introducing additional risk into your organization. Let’s take a closer look at how.

Platform and infrastructure: reduced attack surface

VIP’s infrastructure is purpose-built to mitigate security threats and manage vulnerabilities at the platform level.

We incorporate robust security monitoring to detect and respond to traffic anomalies and potential brute-force attacks, providing a dynamic defense against malicious activity. 

Our data centers use end-to-end encryption, resource and data isolation, and encrypted off-site backups. These centers meet rigorous international security standards, including ISO/IEC 27001 (International Organization for Standardization / International Electrotechnical Commission) certification and SSAE No. 18 (Standards for Attestation Engagements) SOC 2 Type 2.

Database protection is also a key focus. Every application’s database is housed in a separate containerized infrastructure, each with unique authentication. This reduces the risk of cross-application access. Production database backups are taken each hour, maintained for 30 days, and stored in an encrypted format to ensure both data continuity and security. 

Firewalls at both network and host levels further bolster security by repelling unauthorized access attempts. VIP’s security commitment is also evident in our prompt deployment of patches to address vulnerabilities in the platform’s software components like WordPress, PHP, and Node.js.

Besides these measures, VIP enforces whole-site HTTPS for all sites, requiring TLS certificates for public accessibility. We provide Let’s Encrypt TLS certificates by default but give customers the option to install custom certificates.

The platform also features a reduced attack surface by running web containers in read-only mode, preventing unauthorized modifications to code and mitigating the risk of backdoor installations. Access to modify code is strictly controlled through GitHub, with permissions carefully managed by the customer. Uploaded media files are securely stored in the VIP File System, further insulating them from threats.

Pre-deployment: rigorous code and vulnerability scanning

Code is scanned for vulnerabilities prior to deployment, to help you identify potential and known threats.

Here we leverage WPScan to detect known vulnerabilities in plugins and themes during the Pull Request (PR) process on our provided GitHub repositories. Identified vulnerabilities and updates are communicated via GitHub comments, enabling developers to address issues before deployment. 

Throughout deployment, our VIP Code Analysis Bot is integral to our security capabilities. It conducts static code analysis on all PRs, performing checks such as PHPCS analysis for PHP, WordPress, and VIP coding standards, as well as SVG analysis for SVG files. This automated system ensures that security or stability issues are identified during development, enhancing code quality and security.
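The SVG analysis mentioned above is a static check for markup that can execute script or pull in remote content when an SVG is rendered inline. The following is an added illustrative scanner, not VIP’s Code Analysis Bot; the exact rules it applies (risky elements, event-handler attributes, active or external hrefs) and the sample documents are assumptions constructed for the example.

```python
"""Illustrative static check for risky SVG content (assumed rules, not VIP's bot)."""
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign/remote content when rendered inline.
RISKY_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}

# Constructed sample documents used for the demonstration below.
CLEAN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4"/></svg>'
)
RISKY_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<script>init()</script>'
    '<a xlink:href="javascript:void(0)"><text>link</text></a></svg>'
)


def _local(name: str) -> str:
    """Strip an XML namespace prefix like {http://...}tag down to tag."""
    return name.rsplit("}", 1)[-1]


def scan_svg(text: str) -> list[str]:
    """Return a list of findings for an SVG document string; empty means clean."""
    findings: list[str] = []
    try:
        root = ET.fromstring(text)  # ElementTree does not fetch external entities
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for el in root.iter():  # document order, root included
        name = _local(el.tag)
        if name in RISKY_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):  # onload=, onclick=, onbegin=, ...
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href":  # covers both href and xlink:href
                v = value.strip().lower()
                if v.startswith(("javascript:", "data:text/html")):
                    findings.append(f"active href on <{name}>")
                elif re.match(r"^(https?:)?//", v):
                    findings.append(f"external reference on <{name}>")
    return findings


if __name__ == "__main__":
    print(scan_svg(CLEAN_SVG), scan_svg(RISKY_SVG))
```

A PR check would run `scan_svg` over every added or modified `.svg` file and post any non-empty findings list as a review comment.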

Ongoing management: continuous monitoring 

Security vigilance extends beyond deployment. WordPress VIP continuously monitors plugins and themes on our customers’ sites. We regularly scan these components for known vulnerabilities, which can be viewed and managed in the Plugins Panel of the VIP Dashboard.

Recently, we released an alerting system for HIGH- or CRITICAL-severity issues. Key stakeholders are immediately and automatically notified of high and critical vulnerabilities so that they can take appropriate action to mitigate them in a timely manner. This alerting system is customizable, allowing you to integrate alerts into existing emergency response processes via chat, email, or webhooks.

All these measures help keep our customers protected and informed against emerging threats. 

Logging and auditing: comprehensive oversight

Enhancing oversight, WordPress VIP provides extensive logging and auditing capabilities. Our platform logs activity in the Audit Log Panel in the VIP Dashboard at the application, web server, load balancer, database, and operating system layers so you have granular security visibility at every level of your application. 

This transparency supports compliance efforts and facilitates detailed forensic analysis in case of a security incident. Detailed logs offer a clear trail of activity, crucial for understanding the scope of a potential breach, for debugging, and for holding actors accountable during incident investigation.

Proactive measures: platform vigilance, security testing, and incident response

Beyond automated tools and continuous monitoring, WordPress VIP proactively safeguards our platform. We conduct regular internal and third-party penetration testing to identify and mitigate vulnerabilities, bringing in expertise to help protect customers from attacks. 

In the event of a security incident, our experienced team responds swiftly, working closely with affected customers to resolve the issue and minimize impact. Our proactive incident response process is a critical investment in maintaining the security and integrity of your sites.

Though application security is a shared responsibility, we strive to go above and beyond to keep customers safe. We respond rapidly to macro-level threats, including updating our platform as weaknesses in third-party services are discovered, and neutralizing headline-making threats.

Enterprise security: WordPress VIP’s secret sauce

WordPress VIP’s comprehensive approach to security—initial development to ongoing management—demonstrates our continuing commitment to protecting our customers. Learn more by exploring our recently launched security learning module on VIP Learn or reviewing our general Security documentation.

Author

Simon Wheatley—Product Manager, WordPress VIP
