WordPress 5.3 Rescheduled to Dec 11, 2019

Update Dec 11th, 20:41 UTC: The WordPress Core team has delayed the release of WordPress 5.3.1 until tomorrow, Thursday, December 12. We will be updating all VIP Go sites to WordPress 5.3.1 once it is released (skipping version 5.3 on production).


WordPress 5.3.1 will be deployed to production environments next Wednesday, December 11 when WordPress 5.3.1 is available.

During the course of the initial upgrade to WordPress 5.3, we identified an issue in the way JavaScript is concatenated on VIP Go. In short, JavaScript that opts in to Strict Mode can’t be concatenated with JavaScript that does not. In certain contexts, this could lead to JavaScript errors on certain pages and break expected functionality.

We have disabled concatenation for the offending WordPress core files while we work on a longer-term fix.
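
The failure described above, reproduced as an added example (this is not VIP Go's concatenation code): the file names, sources and the helpers isStrict, concat, planBundles and run are constructed for illustration. Putting a Strict Mode file ahead of legacy code makes the whole bundle strict, and splitting bundles wherever the mode changes avoids the error.

```javascript
// Constructed sample files (not WordPress core sources).
const files = [
  { name: 'core-strict.js', src: '"use strict";\nvar ready = true;' },
  { name: 'legacy-plugin.js', src: 'legacyCounter = 1;' }, // implicit global: sloppy mode only
];

// True when the source opens with a "use strict" directive, allowing leading
// whitespace and comments. Simplification: other directives placed before it are not handled.
function isStrict(src) {
  const body = src.replace(/^(?:\s+|\/\/[^\n]*|\/\*[\s\S]*?\*\/)+/, '');
  return /^(['"])use strict\1\s*(;|\n|$)/.test(body);
}

// What a naive concatenator does: join every file into one script.
function concat(list) {
  return list.map((f) => f.src).join(';\n');
}

// Split the ordered file list wherever the mode changes, so a bundle never
// mixes strict and sloppy files and load order is preserved.
function planBundles(list) {
  const bundles = [];
  for (const f of list) {
    const strict = isStrict(f.src);
    const last = bundles[bundles.length - 1];
    if (last && last.strict === strict) last.files.push(f);
    else bundles.push({ strict, files: [f] });
  }
  return bundles;
}

// Execute a script body and report 'ok' or the error name. new Function()
// bodies are sloppy unless they start with the directive, like a script file.
function run(src) {
  try {
    new Function(src)();
    return 'ok';
  } catch (e) {
    return e.name;
  } finally {
    delete globalThis.legacyCounter; // remove the global the sample creates
  }
}

console.log('single bundle:', run(concat(files)));
console.log('split bundles:', planBundles(files).map((b) => run(concat(b.files))));
```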

Testing

All develop and preprod environments have already been upgraded to the new version. We recommend continued testing of WordPress 5.3 there to ensure a smooth upgrade.

Required: Two-factor Authentication

Two-factor authentication (also known as multi-factor authentication) is a method of securing accounts requiring that you not only know something (e.g. a password) to log in but also that you possess something (e.g. your mobile device). The benefit of this approach to security is that even if someone guesses your password, they need to have also stolen your possession in order to break into your account.

Starting Wednesday, July 24, 2019 at 18:00 GMT / 2pm ET, two-factor authentication will be required for all WordPress accounts on VIP Go that have the manage_options capability. To avoid disruption, be sure to log in to your WordPress account and enable two-factor authentication before that time. If you don’t enable two-factor authentication before May 29, you’ll have to enable it upon logging in before you can do anything else.

This has been a long-standing requirement for our users and we’re bringing that same level of security to VIP Go. Site owners have always had the ability to implement two-factor authentication on their sites on VIP Go; the difference is that it will now be required by default.

If you’d like to force two-factor authentication for your users before May 29, you can use the wpcom_vip_is_two_factor_forced filter.

For example, to enable for all users that can edit posts:

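// Once the current user is known, decide whether 2FA is forced for them.
add_action( 'set_current_user', function() {
    // Force 2FA for any user who can edit posts.
    $limited = current_user_can( 'edit_posts' );
    add_filter( 'wpcom_vip_is_two_factor_forced', function() use ( $limited ) {
        return $limited;
    }, PHP_INT_MAX ); // PHP_INT_MAX priority: run after other callbacks on this filter.
} );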

Or, to enable for all users on the site:

add_filter( 'wpcom_vip_is_two_factor_forced', '__return_true' );

To disable enforcement for all users on the site:

add_filter( 'wpcom_vip_is_two_factor_forced', '__return_false' );
add_filter( 'wpcom_vip_two_factor_prep_hide_admin_notice', '__return_true' );

As always, if you have any questions or need help with securing your site, please get in touch.

Introducing wpcomvip-bot for VIP Go

This notice relates to the following platforms: VIP Go

You may have seen a new member of the team sending Pull Requests to your VIP Go repository recently — wpcomvip-bot. To start, wpcomvip-bot has been sending Pull Requests for plugin updates. Over the coming weeks and months, expect to see more PRs like this.

Remaining consistent with standard VIP practice, PRs will not be merged on your behalf unless they contain critical security fixes or resolve an existing or potential site outage. It’s best practice to update plugins in a timely manner, but we also encourage you to merge the code into development environments and test there before deploying to production.

Over the next few weeks, wpcomvip-bot will start doing initial code reviews as well. Pull Requests to VIP Go sites will be immediately sent to wpcomvip-bot to ensure there are no syntax errors before passing the review to a human code reviewer. Over time, the scope of initial reviews by wpcomvip-bot will expand, providing feedback about blockers and highlighting potential problems to help get useful feedback about new code as soon as possible.

WordPress 4.9 Postponed

This notice relates to the following platforms: VIP Go

In order to accommodate teams that may want to be online during the scheduled WordPress upgrade, we’re going to postpone the upgrade on VIP Go until tomorrow, November 16th. We apologize for any inconvenience. The release went later than anticipated, so we’ll upgrade tomorrow during US business hours instead.

New Release: Jetpack 5.2

This notice relates to the following platforms: VIP Go

Jetpack 5.2 (and the 5.2.1 maintenance release) are now live across all VIP Go sites.

Jetpack 5.2 brings you a brand new contact form experience, a better explanation of our recommended features, and several performance improvements.

If you have any questions about this upgrade or anything else Jetpack related, please feel free to reach out to us.

GitHub Two-Factor Authentication

This notice relates to the following platforms: VIP Go

On Monday, April 17, 2017, we will be requiring Two-Factor Authentication for all VIP Go repositories hosted on GitHub.

Please make sure that you and your team have enabled Two-Factor Authentication for your GitHub account prior to April 17. After the date, any accounts without Two-Factor Authentication will lose access to the wpcomvip organization, where all VIP Go repositories are hosted, including all read/write/admin privileges.

If you have any questions or concerns, please get in touch and we’d be happy to help.

Update (2017-04-17 11:00 ET): Two-Factor Authentication is now being enforced for all VIP Go repos. Thank you to all users who took the time to enable it for their accounts. If you were unable to enable it and still need access, please get in touch and we’d be happy to help set up 2FA and restore your access.

Deprecating VIP Quickstart

This notice relates to the following platforms: WordPress.com VIP

As of today, VIP Quickstart is officially deprecated as a development environment for WordPress.com. With Quickstart’s version of Ubuntu (12.04) approaching end-of-life, we’re switching local development for WordPress.com VIP to more closely match our approach on VIP Go.

Going forward, we recommend using Chassis or VVV, with WordPress.com VIP mu-plugins and some extra development plugins. Both of the recommended environments are widely used in the WordPress community and we think the experience is better than we could offer with VIP Quickstart. (You’re also welcome to use a WordPress setup of your choice.)

We have a new documentation page that covers how to set up a development environment for your WordPress.com VIP project.

We no longer recommend setting up new Quickstart environments, though we will continue to provide support through to April 21, 2017.

As always, please reach out if you have any questions or run into issues.

Update: Two-Step Authentication on VIP Go

The date for required two-step authentication on all VIP Go sites has been pushed back to February 10, 2017. Previously the requirement was to take effect on November 14th.

Starting Monday, November 28, 2016, two-step authentication will be required for VIP Go sites that use Jetpack SSO. If your users are not ready for the change, you’ll want to make sure Jetpack SSO is disabled before that. Any time between November 28 and February 10, you can enable Jetpack SSO for added security.

If you have any questions about two-step authentication for VIP Go sites or Jetpack SSO, please open a ticket and we’ll be happy to help.