Warning: VIP Dashboard Phishing Attack

Individuals have maliciously created fake but realistic-looking copies of the VIP Dashboard login screen. The screens aim to trick VIP customers into entering their genuine authentication credentials for GitHub or WordPress.com. This is a criminal technique known as “phishing”.

We include advice below on how to protect yourself and what to do if you may have fallen victim to this attack.

What to do if you suspect you have fallen victim to phishing for the VIP Dashboard

Hackers are experts at social engineering and trying to gain access to computer systems. Sometimes accidents happen, and the most important thing is to take immediate action to limit any damage they can do. The VIP team is here to help you if you are affected.

If you suspect you have fallen victim to these phishing attempts then please take the following steps.

  • Stop using the suspect website and do not enter any more information into it.
  • Raise an urgent ticket with our team as soon as possible. This will allow us to swiftly secure your account by resetting your login details and taking any additional necessary measures to protect your data and our systems.

Contact VIP’s Support team by creating a Zendesk Support ticket using one of the following methods:

Zendesk

Log in to the WordPress VIP Zendesk portal at wordpressvip.zendesk.com (carefully check the website address). Mark your ticket as urgent.

VIP Dashboard

  1. Access the VIP Dashboard at dashboard.wpvip.com (again, carefully check the website address)
  2. Select the button labeled “Help Center” located in the upper-right corner
  3. Select the tab labeled “Support”
  4. Mark your ticket as urgent

WordPress Admin Dashboard

  1. Access your WordPress Admin dashboard
  2. Select “VIP” from the left-hand navigation menu of a site’s WordPress Admin dashboard.
  3. Complete the fields in the form titled “Contact WordPress VIP Support”
  4. Mark your ticket as urgent
  5. Select the button labeled “Send Request”.

If you have provided any GitHub or WordPress.com login details on the phishing site, you will also need to immediately reset your GitHub credentials. We are unable to do this on your behalf, but we are happy to advise in the ticket. GitHub provides details on how to reset credentials in their Updating access credentials documentation.

How to protect yourself

When possible, use a known, safe way to access the VIP Dashboard: Access the VIP Dashboard either directly at this URL: https://dashboard.wpvip.com/ OR by a bookmark that uses that URL. Do NOT access the VIP Dashboard by searching through a search engine such as Google and clicking a link in the results.

Verify you are accessing the genuine site: When authenticating, carefully check the location in the browser to be sure that the domain exactly matches dashboard.wpvip.com.

Be wary of links in messages even if from a known contact: If a colleague or known contact sends you a link, hover over that link and carefully inspect that the domain is dashboard.wpvip.com before clicking it. Be especially wary of any email or message that creates a sense of urgency to log in, particularly if you are then required to authenticate.
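The exact-match check described in the two points above can be automated when triaging links from email or chat. The following is an added example, not WordPress VIP code: the function names, reason codes, sample links and the port rule are assumptions, and the look-alike hosts are constructed under the reserved `.example` domain.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "dashboard.wpvip.com"  # genuine Dashboard host named on this page


def check_dashboard_url(url):
    """Return (ok, reason) for a link that claims to open the VIP Dashboard."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname   # lower-cased, with userinfo and port removed
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable"
    if parts.scheme != "https":
        return False, "not-https"
    if not host:
        return False, "no-host"
    if parts.username is not None or parts.password is not None:
        # Text before '@' is a credential field, not the site being visited.
        return False, "userinfo-trick"
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        # Internationalised labels can render as look-alike letters.
        return False, "idn-lookalike"
    if host != EXPECTED_HOST:
        if EXPECTED_HOST in host:
            # The genuine name appears, but only as part of another domain.
            return False, "expected-name-embedded"
        return False, "host-mismatch"
    if port not in (None, 443):
        # Assumption for this example: the Dashboard is served on 443 only.
        return False, "unexpected-port"
    return True, "ok"


def flag_suspect_links(urls):
    """Return [(url, reason)] for every link that fails the exact-match check."""
    results = ((u, check_dashboard_url(u)) for u in urls)
    return [(u, reason) for u, (ok, reason) in results if not ok]


# Constructed sample links; only the first is the genuine Dashboard address.
SAMPLE_LINKS = [
    "https://dashboard.wpvip.com/",
    "https://dashboard.wpvip.com.login.example/",   # genuine name as a subdomain
    "https://dashboard.wpvip.com@login.example/",   # genuine name as userinfo
    "https://dashboard-wpvip.com/",                 # hyphen instead of dot
    "https://d\u0430shboard.wpvip.com/",            # Cyrillic 'a' in first label
    "http://dashboard.wpvip.com/",                  # no TLS
]

if __name__ == "__main__":
    for link, why in flag_suspect_links(SAMPLE_LINKS):
        print(f"{why:24} {link!r}")
```

Every sample except the first is flagged, each for a different reason; a password manager applies the same kind of host comparison before it offers to fill credentials.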

Use a password manager: Password managers will check the website domain for you and fill in access details only if this check passes. Password managers also allow you to use very long complex passwords without requiring you to remember them. Password reuse should always be avoided; if you have used the same password on other sites, please go and reset it there as well, picking a unique password for each site.

Activate Multi-Factor Authentication (MFA) everywhere possible: The VIP Dashboard will enforce a final MFA check for all authenticating users, unless your organization uses our single sign-on (SSO) feature. We strongly recommend all your users configure MFA on their GitHub (GitHub MFA documentation) and on WordPress.com (WordPress.com MFA documentation) accounts if they have not done so already.

More advice is available in our documentation here: Security recommendations for users.

PHP 8.2 Update Timeline

Security support for PHP version 8.1 will end on November 25, 2024. As part of VIP’s continued focus on your application’s security, we are committed to ensuring all customers have updated to PHP 8.2 ahead of this date.  Below, you will find VIP’s PHP update timeline.

If customers have not updated their environments by the dates outlined, VIP will update the environments on the customer’s behalf. Please note that any updates made by VIP could result in issues if the proper customer testing has not been completed. If issues arise, we’ll do our best to assist where we can, but ask that you please test and deploy the update ahead of this schedule, to avoid any interruptions. This update cannot be deferred, and VIP is here to support you and your team as you work toward it.

VIP Timeline For Environments Not Yet On PHP 8.2

Tuesday, October 29, 2024
VIP Updates Non-Production Environments to PHP 8.2

VIP will begin updating all non-production environments that are not yet on PHP 8.2. We are proceeding with non-production environments first to provide customers time to address any issues that arise as a result of the update, before updating production environments.

Tuesday, November 12, 2024
VIP Updates Production Environments to PHP 8.2

VIP will begin updating all production environments that are not yet on PHP 8.2. After this date, working with your teams on post-update issues will be the priority. 

Earlier PHP Version Options Removed
The option to select PHP version 8.1 will be removed from the software management tool.

Monday, November 25, 2024
PHP 8.1 End of Life

Security support for PHP 8.1 ends.


Let VIP Do The Heavy Lifting!

Instead of the do-it-yourself approach, focus on your key priorities while our experienced staff manage, validate, and implement your PHP update for you with the specific needs of your applications in mind. Maximize your team’s resources, improve site stability, and unlock peace of mind with our Upgrade Assurance Service. This is a popular new service that we offer, for both WordPress and PHP updates, so we recommend securing your spot early. If you’re interested in learning more, please connect with your Relationship Manager, or reach out to our Support Team.

Helpful Resources

Support
VIP is here to help along the way, and our Support team is always available to answer questions as you and your team work through the update. Please don’t hesitate to reach out if you need assistance.

Tooling
Your application’s software versions can be managed directly by you in the VIP Dashboard.

Documentation
We have helpful documentation available to guide you through preparing your application code for a PHP update.


PHP 8.3 is available!

In case you missed it, VIP announced the availability of PHP 8.3 in December 2023. We strongly encourage your team to stay ahead of the PHP update curve, and begin testing and updating to PHP 8.3 this year.

Future PHP End-of-Life Dates

To better plan for the road ahead, please be aware of the current security support end-of-life (EOL) schedule for the following PHP versions. These dates are pulled from the official PHP schedule, here. VIP will continue to post to the Lobby with our updated timeline for each year, which will likely follow the same outline as shared above, wrapping up roughly 2 weeks ahead of the PHP date.

PHP Update Timelines

Deprecated PHP Version | VIP Version Update Complete | PHP Security Support EOL
8.1 | November 12, 2024 | November 25, 2024
8.2 | November 24, 2025* | December 8, 2025
8.3 | November 9, 2026* | November 23, 2026
*Date is tentative

Your Data and AI Firms

You may see news reports of our parent company, Automattic, striking deals to sell data from WordPress.com and Tumblr to OpenAI and Midjourney. The original report appeared in 404 Media and was picked up by The Verge.

I want to assure WordPress VIP customers that your data has not been shared as part of any deal that Automattic may have negotiated and we will never share your data without explicit consent.

And while we’re on the topic of AI crawlers and your content – while it is not possible to prevent all AI crawlers, you can signal to reputable organizations that you do not want your content crawled. We have code examples for blocking AI crawlers in our documentation.

Please do reach out directly – I’m ng@automattic.com – if I can help in any way. Thank you for your continued partnership.

Advance Notice: Domain Verification Required for New Domains

At WordPress VIP, we have an ongoing commitment to be the world’s most secure WordPress platform. As part of that commitment, we are pleased to announce secure domain verification. From February 27, 2024, a verification step will be required for all domains added to our platform. Any domains previously added to our platform (legacy domains) are already considered verified, and will not require this step.

To verify a domain you must add a specific TXT record to the domain’s DNS record. The WordPress VIP platform will check for the correct TXT record and update the verification status. Our Domain Verification tool will guide you through the process, and can be found in the VIP Dashboard Domains & TLS panel. You can view the verification status of each domain in the “Verification” column.

Until a new domain has been verified, you will not be able to use it on our platform. Unverified domains cannot receive traffic, provision Let’s Encrypt certificates, be used in our launch tooling, or be used to send emails.

Cloud development environments with GitHub Codespaces

We’re excited to announce our cloud development environment implementation, based on GitHub Codespaces. This new type of development environment allows our customers to move faster and integrate their work directly with their code repositories.

This implementation will empower you to start developing immediately, without having to install and configure any software on your computer. You can code from any device; you don’t even need a computer to develop.

GitHub Codespaces is a powerful feature that allows users to spin up development environments in the cloud in mere minutes.

Codespaces unlocks exciting possibilities like quickly sharing the results of your work with other members of the team or stakeholders and even pair programming (utilizing LiveShare). It’s much easier to share a link to your codespace than recording a demo or having a call to run a live demonstration.

Codespaces can be run in-browser or within select IDEs like Visual Studio Code and JetBrains IDEs.

What’s included?

The WordPress VIP implementation with GitHub Codespaces is packed with all the features you can find in the VIP Local Development Environment, including XDebug, Mailpit, Photon, phpMyAdmin, Elasticsearch, and Cron. We provided conservative default values: many of these optional services are disabled by default, and the configuration can be adjusted in the features key of ‘devcontainer.json’.

Tooling like WP-CLI, the latest LTS version of Node.js, and the latest VIP-CLI is preinstalled for your convenience.

We’ve designed it in a way to be extensible so you can add your own features (including privately published ones), further tailoring your cloud development workflow to your needs.

Who’s it for?

We don’t intend this tool to be a replacement for VIP Local Development Environments; both products will receive the same level of support. Each has its own primary use cases.

Using the VIP Local Development Environment would be preferred in the following scenarios:

  • The lack of a steady internet connection.
  • Running an Elasticsearch instance. It’s very resource intensive and requires at least 4 cores in Codespaces.
  • Company policies that prevent you from having the data on third-party services (in this case, GitHub).

Using Codespaces will help with the following cases:

  • Inability to install or run Docker and Node.js. For example, for compliance and security reasons some companies disallow installing Docker. This is not an issue when using Codespaces since you’re not installing anything at all.
  • Quick access to work-in-progress features. All it takes is setting the visibility of the codespace to `public` and sharing a public link.
  • LiveShare makes it extremely easy to participate in pair programming sessions.

Find out more about our support on GitHub Codespaces in the documentation.

Use of Codespaces within the ‘wpcomvip’ GitHub organization is available as a part of our Enhanced and Premier packages. Please open a support ticket and our team will get you set up.

To work with Codespaces outside of the wpcomvip organization, customers can copy the .devcontainer/devcontainer.json file to their own GitHub repository. Each user gets up to 180 hours of compute free. Please refer to the Codespaces billing page for more details.

Better control around your deployment branches

We’re happy to unveil a significant advancement in code management: the Repository Management feature inside the VIP Dashboard. This new tool will accelerate your development and testing workflows by giving you the autonomy to take instant actions around your environments. 

Repository Management allows you to modify the branches from which we deploy your environments, offering a tailored and flexible approach to your project’s needs, without the need to go through our support. We’ve empowered you to take decisive action, toggle it yourself, and keep on deploying cool things. 

How to Get Started

To start using Repository Management, simply access the VIP Dashboard, go to Code, and select ‘Repository Management’. From there, you can choose your preferred deployment branch. For detailed instructions, please refer to our Repository Management Documentation.

Need Assistance?

As always, we’re here to help. If you have any questions or need support with Repository Management, please open a support ticket, and our team will be glad to assist you.

Notice: DNSSEC implementation for convenience domain

WordPress VIP will implement DNS Security Extensions (DNSSEC) for the go-vip.net domain on February 2, 2024. 

No action is required on your part.

If your domain points to a go-vip.net domain via an ALIAS, ANAME, or CNAME DNS record, or if you access an unlaunched site at the go-vip.net domain, you will benefit from this enhancement. Our team has worked diligently to ensure a smooth transition for all applications, and we anticipate no downtime or complications.

What is DNSSEC?

DNSSEC is an advanced security protocol designed to protect Internet users from a range of cyber threats. It adds a layer of security to the Domain Name System (DNS), which is responsible for converting domain names (like go-vip.net) into IP addresses.

DNSSEC validates DNS responses with cryptographic proof, ensuring the resolution process is secure. This protects your site from threats such as DNS spoofing and cache poisoning, techniques that allow attackers to redirect your visitors to a fraudulent site.
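To confirm from the client side that a resolver actually validated an answer, look at the header flags and records in `dig +dnssec` output. This is an added example, not WordPress VIP tooling: the function name and result labels are assumptions, and the three dig outputs are constructed (documentation IP address, signature data elided).

```python
import re


def dnssec_status(dig_output):
    """Classify the text output of `dig +dnssec <name>` from a recursive resolver."""
    status = re.search(r"status: ([A-Z]+)", dig_output)
    flags = re.search(r"flags: ([a-z ]+);", dig_output)
    if not status or not flags:
        return "unparseable"
    flag_set = set(flags.group(1).split())
    # Record lines are "name ttl class type rdata..."; dig comments start with ';'.
    records = [line.split() for line in dig_output.splitlines()
               if line.strip() and not line.startswith(";")]
    has_rrsig = any(len(f) > 3 and f[3] == "RRSIG" for f in records)
    if status.group(1) == "SERVFAIL":
        # A validating resolver answers SERVFAIL when signatures do not verify;
        # repeating the query with +cd (checking disabled) tells the cases apart.
        return "servfail-possible-validation-failure"
    if status.group(1) != "NOERROR":
        return "error-" + status.group(1).lower()
    if "ad" in flag_set:
        # AD = Authenticated Data. Only meaningful if you trust this resolver
        # and the network path to it.
        return "validated"
    if has_rrsig:
        return "signed-not-validated"
    return "no-dnssec-evidence"


# Constructed dig outputs, trimmed to the lines the function reads.
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
go-vip.net.   300 IN A      192.0.2.10
go-vip.net.   300 IN RRSIG  A 13 2 300 (constructed-signature-elided)
"""

NOT_VALIDATED = VALIDATED.replace("qr rd ra ad;", "qr rd ra;")

SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for name, text in [("validated", VALIDATED),
                       ("not validated", NOT_VALIDATED),
                       ("servfail", SERVFAIL)]:
        print(f"{name:14} -> {dnssec_status(text)}")
```

A `signed-not-validated` result means the zone publishes signatures but the resolver you queried did not check them, so spoofed answers would still be accepted on that path.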

We have not experienced such attacks on the go-vip.net domain, but security is a top concern, and we want to prevent this possibility.

If you have further questions about this change or how it affects your domains, you can open a ticket with VIP Support.

Feature Announcement: Insights & Metrics Beta

Our customers are running the best sites on the web. To help you successfully run these high performance, highly available, and highly secure applications, we’re excited to announce the beta availability of Application Insights & Metrics.

Application Insights & Metrics will give you the tools you need to accurately assess the performance and stability  of your sites.

View metrics such as your HTTP Origin Response time and compare performance against the VIP-wide Baseline

This is a brand new level of access and insight into applications running on the WordPress VIP Platform. Understanding performance, response, usage, and utilization metrics will give you valuable opportunities to address issues before they escalate into problems for your team. This release is marked as a beta as we intend to add more functionality here over the coming months, and we want to hear your feedback.

For example, visibility into your application’s object cache hit rate can help you optimize caching strategies, stats around database query types can help you identify inefficient code, and sudden changes in trends after code deployments can help you detect issues quickly.

This feature provides a host of valuable metrics. HTTP Requests are represented by response code and origin response time. Object cache and database information includes counts of different commands and slow query counts. Also available are the total size of the DB, active PHP worker count, and the page cache hit rate. Relevant events, e.g. deployments of application code, as well as Node, PHP, and WordPress version updates, can be overlaid on the metrics.

Working with metrics, you can choose a time window from “last 30 minutes”, which is useful to see detail around a recent deployment, to “last 14 days”, for broader trends. Each time series metric is available as a chart or a table. 

The legend at the bottom of the chart allows you to toggle time series and event markers. Hovering on an event marker shows key information for the event, and may provide a link to more detail, e.g. the logs for a particular deployment.

When viewing origin response time and slow query count in longer time windows you will see the “VIP-wide baseline”. The baseline enables you to compare your application performance against all other applications on the WordPress VIP platform.

To get started, log in to your account on the VIP Dashboard and select “Performance” then “Insights & Metrics” for any application. We look forward to seeing how you use this feature and welcome your feedback.

Read our documentation on the Insights & Metrics panel.

New Feature Announcement: Single Sign-On, integrate your Identity Provider for authentication to the VIP Dashboard

With our Single Sign-On (SSO) feature, your team will authenticate into the VIP Dashboard and VIP-CLI with the same authentication flow used throughout your organization’s tools and services. Our SSO integration is compatible with any federated authentication Identity Provider (IdP) that supports the SAML 2.0 standard, including Okta, Azure Active Directory, and Google Workspace. Taking advantage of this new feature will streamline access management, strengthen governance, and ease your onboarding and offboarding processes.

Here’s what’s new:

  • Navigation made easier: As part of our improvements to the navigation menu, the Organization menu has also been updated to mirror the streamlined navigation of our Application pages, offering a more intuitive navigation menu structure.
  • View your SSO configuration: Our new Single Sign-On Configuration page lets you view and manage your SSO setup easily.
  • Configure your IdP: We’ve simplified the configuration process into a simple tool with four tabs to help you navigate the process:
    • Identity Provider Data: All the details you need to set up your IdP, easily copy/pastable or exportable for your convenience.
    • Service Provider Configuration: A streamlined form to enter your IdP details for a smooth setup experience.
    • Email Domains: Manage the email domains that identify your organization’s users.
    • Status: Keep track of your SSO setup progress and current status at a glance.
  • Enforce SSO: For customers looking to establish more secure authentication protocols, the “Enforce SSO” feature requires users of the organization to exclusively authenticate through SSO and disallows access to this organization for users who have authenticated via GitHub or WordPress.com. Enabling Enforce SSO will automatically disable the Invitation flow for the organization and any pending invitations will automatically expire.
  • User Role Migration Tool: With the new “Copy User Role” feature, Organization Admins can seamlessly transfer user roles from social login users to new SSO users.
  • Enhanced Dashboard Access Management: We’ve upgraded the Organization “People – Platform Access” page with additional user information columns, filters, and clearer access status indicators to simplify user management and permission migrations. Filter users by their authentication method to gain more visibility into how users access the VIP Dashboard or to easily identify users that need their user roles migrated when Enforce SSO is enabled.
  • Debugging Support: Clear explanatory error messages during the SSO authentication flow and detailed documentation.

For more details, please read our documentation on Single Sign-On.