Warning: VIP Dashboard Phishing Attack

Individuals have maliciously created fake but realistic-looking copies of the VIP Dashboard login screen. The screens aim to trick VIP customers into entering their genuine authentication credentials for GitHub or WordPress.com. This is a criminal technique known as “phishing”.

We include advice below on how to protect yourself and what to do if you may have fallen victim to this attack.

What to do if you suspect you have fallen victim to phishing for the VIP Dashboard

Hackers are experts at social engineering and at gaining access to computer systems. Sometimes accidents happen, and the most important thing is to take immediate action to limit any damage they can do. The VIP team is here to help you if you are affected.

If you suspect you have fallen victim to these phishing attempts, please take the following steps:

  • Stop using the suspect website and do not enter any more information into it.
  • Raise an urgent ticket with our team as soon as possible. This will allow us to swiftly secure your account by resetting your login details and taking any additional necessary measures to protect your data and our systems.

Contact VIP’s Support team by creating a Zendesk Support ticket using one of the following methods:

Zendesk

Log in to the WordPress VIP Zendesk portal at wordpressvip.zendesk.com (carefully check the website address). Mark your ticket as urgent.

VIP Dashboard

  1. Access the VIP Dashboard at dashboard.wpvip.com (again, carefully check the website address)
  2. Select the button labeled “Help Center” located in the upper-right corner
  3. Select the tab labeled “Support”
  4. Mark your ticket as urgent

WordPress Admin Dashboard

  1. Access your WordPress Admin dashboard
  2. Select “VIP” from the left-hand navigation menu of the site’s WordPress Admin dashboard
  3. Complete the fields in the form titled “Contact WordPress VIP Support”
  4. Mark your ticket as urgent
  5. Select the button labeled “Send Request”

If you have provided any GitHub or WordPress.com login details on the phishing site, you will also need to immediately reset your GitHub credentials. We are unable to do this on your behalf, but we are happy to advise in the ticket. GitHub provides details on how to reset credentials in their “Updating access credentials” documentation.

How to protect yourself

When possible, use a known, safe way to access the VIP Dashboard: Access the VIP Dashboard either directly at this URL: https://dashboard.wpvip.com/ OR by a bookmark that uses that URL. Do NOT access the VIP Dashboard by searching through a search engine such as Google and clicking a link in the results.

Verify you are accessing the genuine site: When authenticating, carefully check the location in the browser to be sure that the domain exactly matches dashboard.wpvip.com.

Be wary of links in messages even if from a known contact: If a colleague or known contact sends you a link, hover over that link and carefully inspect that the domain is dashboard.wpvip.com before clicking it. Be especially wary of any email or message that creates a sense of urgency to log in, particularly if you are then required to authenticate.

Use a password manager: Password managers will check the website domain for you and fill in access details only if this check passes. Password managers also allow you to use very long complex passwords without requiring you to remember them. Password reuse should always be avoided; if you have used the same password on other sites, please go and reset it there as well, picking a unique password for each site.
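The exact-match check described under “Verify you are accessing the genuine site”, which a password manager applies before filling credentials, shown as an added example (not WordPress VIP code). It parses a URL with the same rules a browser uses and accepts only https://dashboard.wpvip.com; the function name and all lookalike URLs are constructed for illustration.

```javascript
// Added example, not WordPress VIP code. The hostname is the one given in the
// advisory; every other URL below is constructed for illustration.
const EXPECTED_HOST = "dashboard.wpvip.com";

// Decide whether a link or address-bar URL is the genuine VIP Dashboard origin.
function checkDashboardUrl(input) {
  let url;
  try {
    url = new URL(input); // WHATWG parser, the same rules browsers apply
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // Text before '@' is userinfo, not the host, even if it looks like a domain.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo present, real host is " + url.hostname };
  }
  // A non-default port is a different origin ("" means the default, 443).
  if (url.port !== "") {
    return { ok: false, reason: "unexpected port " + url.port };
  }
  // Exact comparison: the parser has already lower-cased the host and turned
  // non-ASCII labels into their xn-- (punycode) form, so homographs differ here.
  if (url.hostname !== EXPECTED_HOST) {
    return { ok: false, reason: "host is " + url.hostname };
  }
  return { ok: true, reason: "exact match" };
}

const samples = [
  "https://dashboard.wpvip.com/login",
  "https://DASHBOARD.WPVIP.COM/",
  "http://dashboard.wpvip.com/",
  "https://dashboard.wpvip.com.sso-check.example/login",
  "https://dashboard.wpvip.com@sso-check.example/login",
  "https://dashboard-wpvip.example/",
  "https://dashboard.wpv\u0456p.com/", // Cyrillic i (U+0456) in place of Latin i
];
for (const s of samples) {
  const r = checkDashboardUrl(s);
  console.log((r.ok ? "ALLOW " : "BLOCK ") + s + "  (" + r.reason + ")");
}
```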

Activate Multi-Factor Authentication (MFA) everywhere possible: The VIP Dashboard will enforce a final MFA check for all authenticating users, unless your organization uses our single sign-on (SSO) feature. We strongly recommend all your users configure MFA on their GitHub (GitHub MFA documentation) and on WordPress.com (WordPress.com MFA documentation) accounts if they have not done so already.

More advice is available in our documentation here: Security recommendations for users.