Security at WordPress VIP
With WordPress VIP, customers get built-in security on multiple levels, using best practices based on decades of protecting WordPress at scale.
All of our origin data centers maintain SSAE 18 SOC 1, SSAE SOC 2 certifications. In addition, the VIP Cloud Hosting Service, under which we act as a data processor, is certified under the EU-U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce.
We are also the only enterprise WordPress platform that has earned the Federal Risk and Authorization Management Program (FedRAMP) “Authorized” status. Global brands in high-risk industries like finance, health, defense, tech, and government choose WordPress VIP to power their applications.
A preemptive approach to WordPress security
- Firewalls: We run network and host-based firewalls with real-time notification processes designed to prevent unauthorized access attempts.
- DDoS Protection: All VIP Cloud Hosting sites include intrusion prevention measures designed to protect against distributed denial-of-service (DDoS) attacks. We continuously monitor web traffic for suspicious activity.
- CDN: VIP Cloud Hosting includes the use of our globally distributed content delivery network (CDN), which is designed to enable our Cloud Hosting sites to operate at an industry-leading time to first byte (TTFB).
- Logging and Auditing: We log activity at the application, web server, load balancer, database, and operating system layers. This allows us to analyze and investigate security issues in real-time at multiple levels. Production sites are backed up hourly, logs and backups are kept for 30 days.
- Application: In order to help maintain secure, performant environments for our customers, each WordPress instance on the VIP Cloud Hosting Service runs within its own isolated, containerized environment. This containerization isolates processes, memory, as well as the file system.
- Database: Databases are isolated per application to help mitigate the risk of unauthorized access between applications and each database requires its own unique authentication.
- Customer Data Access: Normal operations of the VIP Cloud Hosting Service include support in the form of reviewing code, troubleshooting issues, and advising on architectural implementations. Access to customer data is strictly controlled and designed to be limited to solely those Automattic employees performing such activities—and internal access is also logged for an audit trail.
- Patching: The WordPress core security lead is WordPress VIP’s very own Jake Spurlock. We are active in the community and are given a heads-up before security patches are made public and in the instances where we find a vulnerability, we patch it ahead of the fix getting pushed to WordPress core.
- Security Testing: We perform regular internal security testing and engage with third parties to perform platform vulnerability assessments.
- Penetration Testing: We routinely engage independent third parties to run penetration tests against our platform.
- Bug Bounty: At Automattic, we take the security of our platforms very seriously. We operate a bug bounty program via HackerOne to reward those who find bugs and help improve the security of our applications.
- Personnel: Our security team is responsible for Automattic’s application and information security. This team works directly with Automattic’s product teams and their customers to address risk and maintain Automattic’s strong commitment to keeping our clients’ applications safe.
- Our servers are in compliant data centers designed to meet the regulatory demands of multiple industries such as PCI, SOX, and HIPAA.
- Our origin data centers meet the International Organization of Standardization (ISO), International Electrotechnical Commission (IEC) 27001 certification, Standards for Attestation Engagements (SSAE) No. 18 (SOC1) and SOC2 Type 2, and ongoing surveillance reviews. All servers are housed in dedicated cages to separate our equipment from other tenants.
- Automattic limits access to facilities where information systems that process Customer Data are located to authorized individuals only.
- We use a variety of industry-standard systems to help protect against loss of data due to power supply failure or line interference.
Automated scans can identify potential security issues, and, separately, Application Support helps educate customer development teams on security best practices in enterprise-scale development.
Data deletion, backup, and recovery
- Our backup systems are designed to backup site data regularly—hourly MySQL backups are taken for production sites on the platform.
- Automattic maintains emergency and contingency plans for the facilities in which data is located including redundant storage and procedures for recovering data that are designed to attempt to reconstruct data in its original or last-replicated state from before the time it was lost.
- Customers may request the deletion of any personal data (for example, the names and email addresses of Customer’s own users) that is provided to Automattic and/or stored on Automattic.
- All of our origin data centers have committed to maintaining SSAE 18 SOC 1, SSAE SOC 2 certifications.
- Your site data is stored on servers located in the United States and in the EU.
- We maintain GDPR and CCPA compliance for all of our products and services and advise customers on the steps they can take to remain compliant.
- The VIP Cloud Hosting Service, under which we act as a data processor, is certified under the EU-U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce. Our Notice of Certification can be viewed here.
- Additionally, we have a worldwide network of 20+ edge data centers. These data centers provide routing as well as data caching, which helps us reduce latency and improve the performance of our network.
How we handle disruptions
In the rare instance of a service disruption, we embrace a key tenet of the Automattic Creed: communication is oxygen.
WordPress VIP will always, as soon as reasonably practical, provide information on the nature of a disruption, the steps being taken to remedy the disruption, and the expected duration of the disruption. Here are a few places to bookmark to stay up-to-date with service statuses:
- In the event of a disruption, Automattic will provide information and updates on the WordPress VIP Lobby (https://lobby.vip.wordpress.com) and via Twitter @wpvipstatus
- If the VIP Lobby is unavailable, information and updates will be provided by email to the address we have on file for your account or via Twitter @wpvipstatus
- Following a service disruption, Automattic will post information on the cause and resolution of the issue to the VIP Lobby as soon as it is available
Security breach notification
If we discover a security breach involving your site data, Automattic will, except to the extent prohibited by applicable law, notify you of any third-party legal processes received by Automattic relating to the breach, and cooperate with you in investigating and remedying the breach.
WordPress VIP can support single sign-on, two-factor authentication, or IP-based restrictions, and can consult on custom user roles and permissions. We also support 2FA for “Administrator” accounts, with support to extend the requirement to specific or all other roles.
How a WordPress site can be compromised
- Out-of-date WordPress core, plugins, or themes that have been updated to address a vulnerability, but the updated version has not been applied to a given site
- Brute-force of wp-admin user login credentials or credentials used to administer a site’s files (SFTP)
- Modification of WordPress core, plugin, or theme files to deface, redirect, or embed a “backdoor” or “web shell”
- “Zero-day” exploits
What WordPress VIP does differently
- We manage WordPress core updates automatically. Our proximity to WordPress core development allows us insights into upcoming releases related to core security before any competitor. Updating themes and plugins is a customer’s responsibility, though we are available to help guide you through any concerns.
- We automatically detect and mitigate brute force login attempts to both /wp-login.php and /xmlrpc.php at our edges as well as within WordPress via our platform and systems teams. Administrator-level users must use 2FA to access any site on our platform.
- All of our web servers are run in read-only mode. What this means is that even if user credentials are brute-forced and 2FA is bypassed, an attacker can’t use that for many common attacks. This blocks access to the underlying file system which could be used to install a backdoor shell or other malicious files.
- Zero-day exploits are inherently challenging to defend against because they are novel, but we are committed to reacting quickly to these events and working with you on a solution.
Security is a shared responsibility
WordPress VIP security is a shared responsibility between Automattic and our customers. Every WordPress VIP site contributor plays a critical role in risk mitigation. Here are the steps we recommend to help customers protect their devices and accounts.
You should always ensure that you are maintaining the security of your account by using sufficiently complicated passwords, not reusing passwords across services, enabling two-factor authentication, and storing them safely. You should also ensure that you have sufficient security on your own systems. Periodic audits of your user list and privileges is a good practice to keep.
We strongly recommend enabling SSL (HTTPS) on all of the websites that you host with us. At a minimum, we use SSL and HTTPS for all authenticated customer access to our services. Automattic can obtain and implement auto-renewing SSL certificates from Let’s Encrypt as part of our service. Customers may also purchase their own certificates from any SSL vendor.
Let’s talk security
We love talking about security, our approach to safeguarding data and systems, and emerging industry standards and best practices. If there’s anything you’d like to know more about, please drop us a note.