Notice: Change to ASYNC Login behaviour

This notice relates to the following platform: WordPress.com VIP

The default behaviour of the WordPress.com platform can cause a white screen whilst rendering the front-end of a site, as login credentials are verified. To speed this up, we added an asynchronous login feature which, if you wished, you could opt out from.

However, this has caused some technical issues for some clients and, as a result, we have made the decision to make this opt-in. With immediate effect, asynchronous login has therefore been switched off.

What do I need to do?

If you had previously opted out of asynchronous login with the WPCOM_DISABLE_ASYNC_REMOTE_LOGIN constant, please remove it, as that constant no longer has any effect. This is optional, but recommended.

If you experience any issues with render blocking and would like to re-enable asynchronous login then please add the following code to your site…

if ( ! defined( 'WPCOM_ENABLE_ASYNC_REMOTE_LOGIN' ) ) {
    define( 'WPCOM_ENABLE_ASYNC_REMOTE_LOGIN', true );
}

If you have any questions, please open a support ticket and we’ll be happy to assist.

Have questions?

If you have any questions related to this release, please open a support ticket with details and we will be happy to assist.

Resolved: VIP Go Availability Issues

This notice relates to the following platform: VIP Go

On February 18th at 12:40 UTC, reports came in of some VIP Go sites experiencing intermittent 502 errors. The cause was a caching issue in our east-coast data centre; only traffic routed through that data centre was affected. It was resolved at approximately 14:40 UTC.

The issue is now resolved and all sites should be functioning normally. We apologize for the trouble!

The root cause is still being investigated and we will provide a further update once we know anything further on this.

If you have any questions or are experiencing any potentially-related issues, please open a support ticket, and we will be happy to assist.

Notice: WordPress VIP ruleset deprecated from WPCS 1.0

This notice relates to the following platforms: WordPress.com VIP, VIP Go

WPCS, the WordPress Coding Standards ruleset for PHPCS, has hit a milestone release of version 1.0 and one of the many changes included within this release is a deprecation of the WordPress-VIP ruleset.

All of the PHPCS rulesets for VIP are now part of the separate VIP coding standards. These rulesets are WordPressVIPMinimum and WordPress-VIP-Go.

If you are currently using the WordPress-VIP ruleset for PHPCS validation before code submission, please now switch to the alternatives, otherwise you won’t be able to validate your code before submission for review.

For more background on this release and the project in general, check out the post on VIP News.

If you have any questions, please open a support ticket and we’ll be happy to assist.

Call for Testing: WordPress 4.9.8 RC

This notice relates to the following platforms: WordPress.com VIP, VIP Go

Update (2018-07-31 1700 UTC): The core release for 4.9.8 has been pushed to Thursday, August 2.

WordPress 4.9.8, a maintenance release, is due to be released Tuesday, July 31, 2018. A release candidate is available for testing now.

What’s New?

The main features of the release are:

  • Gutenberg (VIP Go only): Introduces a “Try Gutenberg” callout – a promotion for Gutenberg on your site’s dashboard (this does not appear if you already have Gutenberg installed)
  • Emoji: Update Twemoji to 11.0
  • TinyMCE: Updates to v4.7.13 (as noted below, WordPress.com sites will receive this update on Thursday, July 26).

In addition to the above, 4.9.8 contains 41 fixes and enhancements, including:

  • Performance: Extreme memory leak related to wp_is_stream in wp-includes/functions.php in WordPress 4.9.7
  • REST API: Attachments controller should respect “Max upload file size” and “Site upload space” in multisite
  • REST API: Only render fields specific to request when _fields= is used
  • REST API: Expose revision count and last revision ID on Post response
  • Privacy: Don’t replace comment author URL and email with anything
  • Privacy: Inconsistent use of blogname and sitename in Privacy emails

When is this being deployed?

WordPress.com VIP sites will receive the changes in two phases:

  1. Thursday, July 26: TinyMCE update.
  2. Tuesday, July 31: All other changes.

VIP Go sites will receive the update on Thursday, August 2 (previously Tuesday, July 31; the same date as the public release).

We’ll follow-up with additional Lobby posts once the updates have been deployed.

What do I need to do?

We highly recommend updating your local development environments to the release candidate using the Beta Tester plugin or updating it to track the 4.9 branch via either the Subversion or GitHub repos.

What if I need more information?

More information about this release can be found in the official announcement post about the release candidate. And as always, if you have any questions or concerns, please let us know.

Notice: TLS 1.0 to be disabled

This notice relates to the following platforms: VIP Go

Starting the week of Monday, July 9th, Transport Layer Security (TLS) version 1.0 will be permanently disabled on the VIP Go platform.

What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems, and to protect the confidentiality and integrity of information that passes between them. It was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s. Standardized by the Internet Engineering Task Force (IETF), TLS has undergone several revisions to block known attacks and add support for new cryptographic algorithms, with major revisions to SSL 3.0 in 1996, TLS 1.0 in 1999, TLS 1.1 in 2006, TLS 1.2 in 2008, and TLS 1.3 in 2018.

What’s wrong with TLS 1.0?

There are many potential vulnerabilities in early TLS that, left unaddressed, put sites at risk. The widespread POODLE and BEAST exploits are just a couple of examples of how attackers have taken advantage of weaknesses in early TLS to compromise organizations. As of June 30, 2018, the PCI Data Security Standard (PCI DSS) also recommended disabling TLS 1.0.

Why disable TLS 1.0 now?

The VIP Go platform has protected against potential TLS 1.0 vulnerabilities for a long time. While there is no immediate practical risk in using TLS 1.0, our security team has been monitoring real-world TLS 1.0 usage patterns, and usage is now low enough that this is the right time to move forward with the change.

How will disabling TLS 1.0 impact me?

The impact is expected to be very small. In our tests, less than 5% of total traffic is impacted, with the majority of that being bots. Once TLS 1.0 is disabled, your site will no longer be accessible within the following browser/platform combinations…

  • Desktop Safari versions 6 and below for OS X 10.8 (Mountain Lion) and below
  • Desktop IE versions 7 and below
  • Desktop IE versions 8, 9, and 10 – compatible only when running Windows 7 or newer, but not by default
  • Firefox 23 to 26 – compatible, but not by default
  • Firefox 22 and below
  • Google Chrome 22 to 37 – compatible when running on Windows XP SP3, Vista, or newer (desktop), OS X 10.6 (Snow Leopard) or newer (desktop), or Android 2.3 (Gingerbread) or newer (mobile)
  • Google Chrome 21 and below
  • Google Android browser, Android 4.4 (KitKat) and below
  • Mobile Safari for iOS 4 and below
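As an added example (not VIP's or WordPress's code), the Go program below stands up a loopback TLS server with the same policy the VIP Go edge applies after this change, nothing below TLS 1.2, and probes it with clients pinned to TLS 1.0 and to TLS 1.2; the probe function can also be pointed at a real host to confirm the change from outside. The function names are mine, and the server's throwaway self-signed certificate comes from Go's httptest helper and is trusted explicitly rather than by skipping verification.

```go
// Added example, not VIP's or WordPress's code: a loopback HTTPS server whose
// policy matches the VIP Go edge after this change (nothing below TLS 1.2),
// probed by clients pinned to one protocol version each. httptest supplies a
// throwaway self-signed certificate, which the probe trusts explicitly.
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startServer returns a running TLS listener that refuses TLS 1.0 and 1.1,
// plus the CA pool needed to verify its throwaway certificate.
func startServer() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12} // the policy under test
	srv.StartTLS()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}

// probe reports whether a client that offers exactly one TLS version completes
// a handshake with addr; point it at a real host to verify the same policy.
func probe(addr string, pool *x509.CertPool, version uint16) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs:    pool, // pass nil for a real host to use the system roots
		MinVersion: version,
		MaxVersion: version,
	})
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

func main() {
	srv, pool := startServer()
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	fmt.Println("TLS 1.0 accepted:", probe(addr, pool, tls.VersionTLS10)) // false
	fmt.Println("TLS 1.2 accepted:", probe(addr, pool, tls.VersionTLS12)) // true
}
```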

If you have any questions, please open a support ticket and we’ll be happy to assist.

Update: TLS 1.0 was disabled on Wednesday, July 11th.

WordPress VIP and the CVE-2018-6389 DoS Flaw

This notice relates to the following platforms: WordPress.com VIP, VIP Go

CVE-2018-6389, a potential Denial of Service (DoS) flaw, was announced last week. VIP sites are not currently at risk from this attack.

As described, the vulnerability takes advantage of WordPress’ built-in script loader which concatenates internal JavaScript files into a single payload for use on the Login screen and the Dashboard. A large number of concurrent requests to the script loader could cause a DoS due to the increase in IO operations and bandwidth usage.

At VIP, our standard practices are designed to detect and mitigate these very types of attacks without making specialized changes to code outside of core. Our security team’s active monitoring approach is the strongest and most sustainable line of defense against potential threats like these.
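The Go program below is an added example, not VIP's own monitoring code: it tallies requests to the WordPress script loader per client from access-log lines and flags clients that fetched it unusually often for unusually many bytes, the shape the flood described above leaves in a log. The log lines, thresholds and function names are constructed for the demo; only the loader path, /wp-admin/load-scripts.php, is WordPress core's.

```go
// Added example, not VIP's own monitoring code: flags clients hammering the
// WordPress script loader (the endpoint CVE-2018-6389 concerns) from access logs.
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed Combined Log Format lines: one client fetches the loader twice
// for large responses, another fetches it once, and one request is unrelated.
const sampleLog = `203.0.113.7 - - [01/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=common,wp-a11y HTTP/1.1" 200 484211
203.0.113.7 - - [01/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=common,wp-a11y HTTP/1.1" 200 484211
198.51.100.4 - - [01/Feb/2018:10:00:02 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core HTTP/1.1" 200 87303
198.51.100.4 - - [01/Feb/2018:10:00:03 +0000] "GET /2018/02/hello-world/ HTTP/1.1" 200 15021`

type loaderStats struct{ hits, bytes int }

// loaderStatsByClient tallies script-loader hits and bytes served per client IP
// over the whole input; a production version would tally per time window.
func loaderStatsByClient(log string) map[string]loaderStats {
	stats := map[string]loaderStats{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line) // f[0]=client, f[6]=request target, f[9]=bytes
		if len(f) < 10 || strings.SplitN(f[6], "?", 2)[0] != "/wp-admin/load-scripts.php" {
			continue
		}
		if n, err := strconv.Atoi(f[9]); err == nil { // CLF writes "-" when no body was sent
			s := stats[f[0]]
			s.hits, s.bytes = s.hits+1, s.bytes+n
			stats[f[0]] = s
		}
	}
	return stats
}

// suspiciousClients keeps only clients whose loader hits and bytes served both
// exceed the thresholds (constructed values in main; tune to real dashboard traffic).
func suspiciousClients(log string, maxHits, maxBytes int) map[string]loaderStats {
	out := map[string]loaderStats{}
	for client, s := range loaderStatsByClient(log) {
		if s.hits > maxHits && s.bytes > maxBytes {
			out[client] = s
		}
	}
	return out
}

func main() { fmt.Println(suspiciousClients(sampleLog, 1, 500_000)) } // map[203.0.113.7:{2 968422}]
```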

If you have concerns or further questions about this vulnerability or anything else, please let us know.

Getty Images v2.4.3 to be deprecated imminently (Updated)

This notice relates to the following platforms: WordPress.com VIP, VIP Go

We’ve received word from our partner Getty that they plan to deprecate older versions of their Getty Images plugin by the end of January.

It will affect any version of the plugin less than 2.4.4, as they use an older version of Getty’s API. For VIP clients, this means 2.4.3. When this happens the plugin will stop working and you will not be able to sign into it, search, etc.

If your team uses the Getty Images plugin, we recommend checking what version you’re on to make sure you aren’t caught by surprise when versions earlier than 2.4.4 are deprecated on January 31st. If you’re on any earlier version, it’s best to upgrade to version 3.0 ahead of this transition.

Version 3.0 of the plugin provides a simpler way to add captivating visual content to your WordPress site, with improved usability, and includes:

  • New landing page featuring Creative, Featured and Editorial images
  • New look and feel
  • Ability to set a downloaded image as the Featured Image directly from the plugin (no more bouncing back and forth between the media library and the plugin to set your Featured Image)
  • Larger images in the search results (plus the option to switch back to the detailed view if that’s what you prefer)
  • Improved search filter panel

We encourage all VIPs using the Getty Images WordPress plugin to upgrade to this version by specifying the version parameter of wpcom_vip_load_plugin() like so:

wpcom_vip_load_plugin( 'getty-images', 'plugins', '3.0' );

For VIP Go, you can take advantage of the new version by adding the latest reviewed version (v3.0) to your plugins folder. The plugin can be downloaded from WordPress.org.

If you have any questions please open a ticket where we’ll be happy to assist you transition to the newest version.

The VIP platform and the Meltdown/Spectre Vulnerabilities

This notice relates to the following platforms: WordPress.com VIP, VIP Go

As you may have read, last week a new type of security vulnerability was disclosed which takes advantage of speculative execution, a feature of all modern microprocessors. These vulnerabilities have become known as Meltdown and Spectre.

Over the past week, we have worked with our hardware vendors, as well as our internal security and systems teams to accomplish the following:

a) Identify the risks these issues pose in our environment.

b) Obtain software updates which mitigate those risks.

c) Test the updates to ensure acceptable performance and functionality.

d) Deploy the patches across our fleet of servers, prioritizing higher-risk environments first.

Since WordPress.com does not utilize public cloud services like Amazon, Google, or Microsoft Azure, but instead operates our own servers in our own data centers, we have full control over the patching process and can ensure our customers are not negatively impacted by the original vulnerability, the patches, or the patching process.

How does this affect VIP?

As part of our risk identification processes, we classified WordPress.com VIP as very low risk. WordPress.com does not rely on the protections bypassed by either the Meltdown or the Spectre vulnerabilities. In addition, all code deployed to the WordPress.com VIP platform is reviewed through automated and manual methods, making the execution of malicious code on the platform difficult.

The VIP Go platform, however, does use Linux containers, specifically Docker, to isolate clients from each other. This security model could be bypassed if someone were to successfully exploit the issue now known as “Meltdown”. Granted, there is no known exploit in the wild for Meltdown today, and it would be relatively difficult to execute undetected on VIP Go. Out of an abundance of caution, all VIP Go servers that execute PHP have been patched against the Meltdown vulnerability.

In addition, no performance penalty has been observed on either WordPress.com VIP or VIP Go as a result of the Meltdown security patches.

We continue to work with our internal teams and external vendors on Spectre mitigations. We will apply a similar process there that we did for Meltdown. No interruption of service or significant performance impact is expected.

New Release: WordPress 4.9

This notice relates to the following platforms: WordPress.com VIP, VIP Go


WordPress 4.9, named “Tipton” in honor of jazz musician and band leader Billy Tipton, was publicly launched last week, and the update has now been deployed across all VIP WordPress.com and Go sites. The release includes many small improvements focused on end users.

You can find details about all the changes in the announcement post and release notes.

As always, if you have any questions, issues, or need help, feel free to reach out to us.

WordPress 4.9: Testing MediaElement Upgrades

This notice relates to the following platforms: WordPress.com VIP, VIP Go

This post adds one more important testing suggestion to last week’s notes about the release of WordPress 4.9 – MediaElement.

MediaElement has been upgraded to 4.2.6, which includes many bug fixes as well as an improved UI and a number of enhancements. You can read more details about the change at Make WordPress Core.

If you take advantage of MediaElement within your theme we highly recommend testing your existing code with the changes in question. This is particularly relevant if you are using the WordPress.com VIP platform, as the update is due to be made imminently.

When will these changes be deployed?

WordPress.com VIP: We will be deploying incremental updates leading up to the public release of WordPress 4.9 with the bulk of the enhancements being pushed out from this week onwards. This specific change is due at 13:00 UTC on November 3, 2017.

VIP Go: The entire WordPress 4.9 release, including the MediaElement change, will be deployed to all Go sites on November 14, 2017.

Please note that the deployment dates are subject to change if critical issues are discovered during testing or the public release is delayed. We’ll post updates to the Lobby if the dates do change.

What do I need to do?

We highly recommend updating your local development environments to the beta release using the Beta Tester plugin, or updating them to track trunk (i.e. bleeding edge) via either the Subversion or GitHub repos. (If you’re using VVV, one of the default sites will already be tracking trunk. Chassis users can switch their install over to a separate checkout.)

For sites on VIP Go, you can have your Go-hosted development sites switched to trunk as well. If this is something that interests you, please reach out and we can set it up for you.

What if I find issues?

If you have testing feedback or questions related to this release, please open a support ticket with details and we will be happy to help.