Warning: VIP Dashboard Phishing Attack

Individuals have maliciously created fake but realistic-looking copies of the VIP Dashboard login screen. The screens aim to trick VIP customers into entering their genuine authentication credentials for GitHub or WordPress.com. This is a criminal technique known as “phishing”.

We include advice below on how to protect yourself and what to do if you may have fallen victim to this attack.

What to do if you suspect you have fallen victim to phishing for the VIP Dashboard

Hackers are experts at social engineering and trying to gain access to computer systems. Sometimes accidents happen, and the most important thing is to take immediate action to limit any damage they can do. The VIP team is here to help you if you are affected.

If you suspect you have fallen victim to these phishing attempts then please take the following steps.

  • Stop using the suspect website and do not enter any more information into it.
  • Raise an urgent ticket with our team as soon as possible. This will allow us to swiftly secure your account by resetting your login details and taking any additional necessary measures to protect your data and our systems.

Contact VIP’s Support team by creating a Zendesk Support ticket using one of the following methods:

Zendesk

Log in to the WordPress VIP Zendesk portal at wordpressvip.zendesk.com (carefully check the website address). Mark your ticket as urgent.

VIP Dashboard

  1. Access the VIP Dashboard at dashboard.wpvip.com (again, carefully check the website address)
  2. Select the button labeled “Help Center” located in the upper-right corner
  3. Select the tab labeled “Support”
  4. Mark your ticket as urgent

WordPress Admin Dashboard

  1. Access your WordPress Admin dashboard
  2. Select “VIP” from the left hand navigation menu of a site’s WordPress Admin dashboard. 
  3. Complete the fields in the form titled “Contact WordPress VIP Support”
  4. Mark your ticket as urgent
  5. Select the button labeled “Send Request“.

If you have provided any GitHub or WordPress.com login details on the phishing site, you will also need to immediately reset your GitHub credentials. We are unable to do this on your behalf, but we are happy to advise in the ticket. GitHub provides details on how to reset credentials in their Updating access credentials documentation.

How to protect yourself

When possible, use a known, safe way to access the VIP Dashboard: Access the VIP Dashboard either directly at this URL: https://dashboard.wpvip.com/ OR by a bookmark that uses that URL. Do NOT access the VIP Dashboard by searching through a search engine such as Google and clicking a link in the results.

Verify you are accessing the genuine site: When authenticating, carefully check the location in the browser to be sure that the domain exactly matches dashboard.wpvip.com.

Be wary of links in messages even if from a known contact: If a colleague or known contact sends you a link, hover over that link and carefully inspect that the domain is dashboard.wpvip.com before clicking it. Be especially wary of any email or message that creates a sense of urgency to log in, particularly if you are then required to authenticate.

Use a password manager: Password managers will check the website domain for you and fill in access details only if this check passes. Password managers also allow you to use very long complex passwords without requiring you to remember them. Password reuse should always be avoided; if you have used the same password on other sites, please go and reset it there as well, picking a unique password for each site.

Activate Multi-Factor Authentication (MFA) everywhere possible: The VIP Dashboard will enforce a final MFA check for all authenticating users, unless your organization uses our single sign-on (SSO) feature. We strongly recommend all your users configure MFA on their GitHub (GitHub MFA documentation) and on WordPress.com (WordPress.com MFA documentation) accounts if they have not done so already.

More advice is available in our documentation here: Security recommendations for users.

Feature Announcement: Insights & Metrics Beta

Our customers are running the best sites on the web. To help you successfully run these high performance, highly available, and highly secure applications, we’re excited to announce the beta availability of Application Insights & Metrics.

Application Insights & Metrics will give you the tools you need to accurately assess the performance and stability  of your sites.

View metrics such as your HTTP Origin Response time and compare performance against the VIP-wide Baseline

This is a brand new level of access and insight into applications running on the WordPress VIP Platform. Understanding performance, response, usage, and utilization metrics will give you valuable opportunities to address issues before they escalate into problems for your team. This release is marked as a beta as we intend to add more functionality here over the coming months, and we want to hear your feedback.

For example, visibility into your application’s object cache hit rate can help you optimize caching strategies, stats around database query types can help you identify inefficient code, sudden change in trends after code deployments can help you detect issues quickly.

This feature provides a host of valuable metrics. HTTP Requests are represented by response code and origin response time. Object cache and database information includes counts of different commands and slow query counts. Also available is the total size of the DB, active PHP worker count, and the page cache hit rate. Relevant events, e.g. deployments of application code, as well as Node, PHP, and WordPress versions updates, can be overlaid on the metrics.

Working with metrics, you can choose a time window from “last 30 minutes”, which is useful to see detail around a recent deployment, to “last 14 days”, for broader trends. Each time series metric is available as a chart or a table. 

The legend at the bottom of the chart allows you to toggle time series and event markers. Hovering on an event marker shows key information for the event, and may provide a link to more detail, e.g. the logs for a particular deployment.

When viewing origin response time and slow query count in longer time windows you will see the “VIP-wide baseline”. The baseline enables you to compare your application performance against all other applications on the WordPress VIP platform.

To get started, log in to your account on the VIP Dashboard and select “Performance” then “Insights & Metrics” for any application. We look forward to seeing how you use this feature and welcome your feedback.

Read our documentation on the Insights & Metrics panel.

Notice: Scheduled Maintenance for Notifications management on the VIP Dashboard

Update, 28 September – This maintenance has been completed.

We will perform maintenance on a service that powers Notifications management for the VIP Dashboard. The maintenance window for this upgrade will begin at 9 AM UTC on 28 September 2023, and is expected to last no more than 2 hours (we will post updates on this post).

Listing, viewing, adding, updating, and removing both notifications and destinations will be unavailable during the maintenance.

Notifications will continue to be delivered. No application downtime is expected as a result of this maintenance. Sites will continue to serve requests, and editorial and publishing activity can continue as normal.

If you have any questions about this maintenance, please open a support ticket and we’ll be happy to assist.

You can learn more about this feature in the Notifications announcement post or our documentation about Notifications.

Feature Announcement: Manage deploy notifications from the VIP Dashboard

Help your team stay informed when code is deployed to your VIP applications with our new notifications feature. Notifications can be sent to a Slack channel, by email, or to a general purpose webhook URL.

The Notifications management screen in the VIP Dashboard, showing deploy notifications for different environments, some for deployment success, some for deployment failure, and some for all deployment events.
The Notifications management screen for an application on the VIP Platform

Notifications can be sent for deployment success or failure, and can be flexibly configured to ensure your team is aware of activity by environment type (production or non-production) or for a single specific environment.

Start configuring notifications by visiting your application in the VIP Dashboard, and choosing “Notifications” in the left-hand navigation. If you’re an Organization Admin you can also manage notifications across your organization by visiting your Organization screen on the VIP Dashboard and choosing “Notifications” from the left-hand navigation.

Prior to this feature you may have had notifications created by VIP Support on your behalf. These pre-existing notifications have been migrated to the new system, and are present in the new management screens. You no longer need to contact VIP Support to create or update notifications, this is possible via the VIP Dashboard.

This is just the beginning of our work on notifications. Over the coming months we will be extending notifications to more event types and adding more destinations, places, and channels you can direct notifications to. If you have events that you want us to add to this feature or additional destinations you’d like to receive notifications in, please let us know by clicking the “Give Feedback” button at the top right of any Notifications screen or by contacting support and asking them to pass your request on.

Read our public documentation on Notifications and watch this space for more announcements as we expand the reach of this feature.

If you have any questions or problems, please contact support and we’ll be happy to help.

New release: authentication and user management changes in the VIP Dashboard

The People screen on the VIP Dashboard listing users and showing their access
Showing the new user management

This functionality is available immediately. You can easily invite your team and control their access from the VIP Dashboard using our new user management. New users can also choose to authenticate with either GitHub, previously our only supported authentication, or using a WordPress.com account. This does not change how you log in to WordPress, and if you choose you can continue to use GitHub to log in to the VIP Dashboard.

This change adds multifactor authentication (MFA) to VIP Dashboard to further secure your account. The next time you log in to an existing account, or the first time you log in a new account, you will be asked to set up a code in your authenticator app or provide a phone number to send a code to; our documentation covers more on MFA.

To see the user management screens, visit your VIP Dashboard then from any of your applications click on your organisation name (“My Org” in the screenshot above). We also have documentation on user management.

For a full rundown of the new features, including a questions and answers section, you can read “Changes are coming to authentication and user management on the VIP Dashboard“, which we published earlier this month.

If you see any issues, please contact our VIP Support.

Changes are coming to authentication and user management on the VIP Dashboard

On Wednesday 17th November we will release our new user management feature on the VIP Dashboard, and additionally we will allow users to authenticate via WordPress.com as well as GitHub.

This release is part of a larger plan rolling out through 2022 which will include enabling authentication to VIP via your organization’s SSO provider, e.g. Okta, Microsoft Azure SSO, Google’s G Suite, etc, as well as using your VIP Dashboard user to authenticate to VIP-provided third party services, WordPress applications running on VIP Cloud, and to your Parse.ly account.

User Management

With User Management moving to the VIP Dashboard, you’ll be able to clearly see which users have access to the VIP Dashboard and VIP-CLI, with easy controls to manage those users.

An animation showing the coming user management functionality
Showing the new user management

This change means you will manage users for your organization via the VIP Dashboard, rather than by associating them with the GitHub repository. You can easily assign key staff to roles like Organization Admin so they can access all apps and manage users, or Organization Member where they can see all your applications and environment. Access can also be managed on a per-application basis, so if you have contractors who are only working on one of your sites you can easily facilitate and monitor what they can see and act on. You can read more about the different permission levels and roles in “Roles & Permissions” in our public documentation.

Access to your code in the GitHub repository will continue to be managed via the GitHub repository settings.

If you are a VIP customer with Premier support, your account team can support inviting additional Organization Admins to make sure the appropriate people in your organization have the ability to manage users.

Invitations for Account Owners

In order to manage users, you must be an Organization Admin for your customer organization. If your organization does not have an Organization Admin then as part of the release we will invite the nominated account owner for your organization, watch for this email.

Questions & Answers

Q: When will the changes happen?
A: The changes will be made on Wednesday 17th November.

Q: What areas of WordPress VIP are affected by the changes?
A: Authentication to the VIP Dashboard, authentication to VIP-CLI, and user management for both the VIP Dashboard and VIP-CLI.

Q: How will I be able to authenticate to the VIP Dashboard and VIP-CLI after the changes?
A: We are keeping the GitHub authentication option, and adding the option to authenticate via WordPress.com SSO.

Q: Will this change how I or my colleagues log in to WordPress?
A: No.

Q: Will existing access to VIP Dashboard and VIP-CLI remain after the change?
A: Yes. Currently access is determined by roles on the GitHub repository associated with an application. Users automatically gain “Guest” role in your Organization and then App specific roles, either “write” or “read”, depending on the GitHub role granted – these VIP Dashboard roles will remain, but will be managed from the VIP Dashboard after the change. See below for access to the code and access to deploy.

Q: How will I manage users for the VIP Dashboard and VIP-CLI?
A: After the change you will manage users from the VIP Dashboard.

Q: Who will be able to manage users for the VIP Dashboard and VIP-CLI?
A: Only users with the Organization Admin role.

Q: What if my organization does not have anyone with the Organization Admin role?
A: As part of the release we will invite all nominated account contacts to become Organization Admin for their organization. If you believe you should have received this email but have not received it by Thursday 18th November, please contact support.

Q: How will I manage access to commit and deploy code?
A: Access to commit and deploy the code in your VIP provided GitHub repository will continue to be managed via the settings for that GitHub repository.

Q: Do I need to do anything to prepare for this change?
A: Other than read this post, no. Thank you for reading it!

If you have any questions, please contact support or your Premier account team.

New this week: Launching sites on a multisite network, Platform usage metrics, and an audit log UI

Something for everyone in our three new VIP Dashboard features: a straightforward multisite site launch tool, an audit log of all platform activity, and filters for your usage metrics.

Easily launch new sites in a WordPress multisite

Our tool allows you to easily map a production-ready domain and perform search/replace throughout your site content, so you can launch a new site on your multisite network without leaving the VIP Dashboard. Read our documentation for more instructions to try this out on your next launch.

Map your production domain and ready your content for launch

Track usage over time

We want you to have all the information about your usage on our platform. You can now see the total requests for all applications, or for one application in particular. Alternatively, you can choose a particular month, or view the last 30 days on a rolling basis. Hovering over the chart gives you a snapshot of the request breakdown for API vs Application requests for that day. Our documentation covers how requests are calculated and more details about what you can see. View your organization usage in the VIP Dashboard by clicking your organization name and then choosing “Usage.”

Breakdown your platform usage by date range and by application

Track activity using our Audit Log UI

With our Platform Audit Log you can follow and track all application management activity in your VIP Cloud organization, helping to meet your compliance standards. Read our Audit Log documentation for full details. You’ll find your Audit Log by clicking the name of your organization in the VIP Dashboard, then choosing “Audit Log” from the left hand menu.

The Audit Log: all your organization activity in one place

Automated build and deploy on VIP Go

This notice relates to the following platforms: VIP Go

We’re pleased to announce the availability of an automated build and deploy workflow for VIP Go.

Using a Continuous Integration (CI) or Continuous Delivery (CD) service like Travis CI or CircleCI, you can now automatically transpile/concatenate/minify/optimize your JavaScript, CSS, and static assets (almost anything except PHP) and deploy it your sites. This means you no longer have to manually build, commit, and push your code. Instead, your working branch can remain clean — with only source files — and the CI/CD service can manage the build and deployment process for you. Your teams can work faster and more efficiently, with fewer errors and less time spent rebasing, rebuilding, and dealing with merge conflicts.

To find out more and to get started, you can read our documentation for automated build and deploys.

If you’re not sure whether a build process is right for your team, please reach out and we’d be happy to help.

Call for Testing: Jetpack 6.1 (Beta)

This notice relates to the following platforms: VIP Go

Jetpack 6.1 will be deployed to VIP Go on Wednesday, May 9, 2018. The upgrade is expected to be performed at 19:00 UTC (15:00 EDT). This deployment date and time is subject to change if issues are discovered during testing of the Jetpack release.

The beta is available now, and the download link is at the bottom of the beta release notice.

What is being added or changed?

This update includes a number of refinements, updates, and fixes to existing flows and features within Jetpack. Of note is the introduction of a shortcode for WordAds users for inline ad placement and support for ​​ads.txt.

You can find a full list of changes in the release notes and the commit log.

What do I need to do?

We recommend testing your site against the new version before the release using these instructions.

If you have testing feedback or questions related to this release (or Jetpack in general), please open a support ticket with details and we will be happy to assist.

 

Data Sync for VIP Go

This notice relates to the following platforms: VIP Go

We’re pleased to announce an automated data sync process which copies data between production and non-production environments.

Having up-to-date production data in test environments simplifies debugging, testing, and QA. Our aim is sync data between production and other environments fast and easily. Today we’re launching new sync functionality that syncs even the largest production databases within minutes. Plus, with our UnionFS integration, media library contents are always available across environments.

To run a data sync, please contact us and we’d be be happy to initiate it for you. Very soon, we’ll be releasing tools that will make data syncing self-service (if you would like to help us test new functionality like this, please let us know).

If you’re interested in learning more, our documentation covers how data sync works and how to customize/extend it.