New Feature Release: Defensive Mode

Your sites face constant pressure from bots, credential stuffing, and DDoS attacks. Traditional rate limiting blocks legitimate users during traffic spikes while sophisticated bots slip through by distributing requests across larger networks.

Defensive Mode solves this by raising the computational cost of each request for attackers without degrading the experience for real visitors. It’s now generally available for all VIP customers.

What Is Defensive Mode

Defensive Mode adds an extra layer of protection against malicious traffic by detecting suspicious activity at the edge and issuing proof-of-work challenges to visitors. When your site experiences a traffic spike that exceeds normal patterns, Defensive Mode activates and requires browsers to complete a lightweight computational task before accessing content.

For legitimate visitors, this process happens in the background and completes within seconds. For automated bots and attack scripts, the computational cost becomes prohibitive, effectively filtering out malicious traffic before it can impact site performance or stability.

Why It Matters

Enterprise sites are frequent targets for credential stuffing, content scraping, and volumetric attacks. Traditional rate limiting can block legitimate users during traffic spikes, while allowing sophisticated bots that distribute requests across many IP addresses.

Defensive Mode addresses this gap by raising the cost of each request for attackers without degrading the experience for real visitors. Because VIP manages your entire infrastructure from edge to application, Defensive Mode activates based on actual application health metrics, such as PHP worker utilization or Node.js request concurrency, rather than just traffic volume. This means smarter, more targeted protection that activates when your application is actually under stress.

What’s Included

• Automatic activation: Triggers automatically when connection thresholds are exceeded
• Challenge type options: Background proof-of-work or interactive verification
• Traffic analytics: View challenged, passed, and blocked request metrics over time

Get Started

You can access Defensive Mode in the VIP Dashboard under Application → Environment → Security Controls → Defensive Mode. The feature operates at the environment level, so you can configure production and staging independently. To enable Defensive Mode, toggle it to “On” and select your preferred challenge type. We recommend starting with background proof-of-work for minimal visitor friction and a high threshold. For detailed configuration options and best practices, see the Defensive Mode documentation.

A note on API integrations: If your site uses authenticated API requests, those requests should continue to work normally. However, unauthenticated API calls may be challenged during high-traffic periods. Review your integration patterns if you experience any issues.

If you have any questions related to this feature release, please open a support ticket and we will be happy to assist.

Security Update: Additional Next.js + React Server Components Vulnerabilities (CVE-2025-55183, CVE-2025-55184, CVE-2025-67779)

WordPress VIP continues to monitor and respond to the evolving security issues affecting React Server Components and frameworks that rely on them, including Next.js. Since our earlier advisory, several additional high-severity vulnerabilities have been published.

What’s new

Newly disclosed issues affecting React Server Components include:

• CVE-2025-55183 — possible source code exposure
• CVE-2025-55184 — denial-of-service conditions
• CVE-2025-67779 — an update expanding the denial-of-service vulnerability class associated with CVE-2025-55184
  

These issues follow the earlier React2Shell (CVE-2025-55182) remote code execution vulnerability (CVSS 10.0), which continues to see active scanning and exploitation attempts globally.

Official advisories:

• Next.js: https://nextjs.org/blog/security-update-2025-12-11
• React: https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
  

Customer impact

Applications using React Server Components or affected versions of Next.js may be exposed to denial-of-service behavior, unintended disclosure of source code, or other runtime issues depending on application structure and use of RSC features.

Actions taken by WordPress VIP

We have implemented protective mitigations across the platform intended to reduce exposure to known exploit patterns associated with these newly disclosed vulnerabilities. We continue to monitor for emerging techniques and will adjust mitigations as new information becomes available.

We have also contacted customers running configurations that may be affected.

Required customer action

It is imperative that all customers using React Server Components or vulnerable versions of Next.js upgrade to the latest patched releases as soon as possible. Upstream updates contain important security fixes that provide the most complete protection against these issues and future related variants.

If you are unsure whether your application is affected or need guidance on updating, please contact VIP Support.

Ongoing commitment

WordPress VIP will continue working closely with upstream maintainers and monitoring ongoing research to ensure our customers remain protected. Additional updates will be posted when new information becomes available.

Security Advisory: React and Next.js Vulnerabilities (CVE-2025-66478 / CVE-2025-55182)

WordPress VIP is aware of recently disclosed critical vulnerabilities affecting React Server Components and frameworks built on top of them, including Next.js.

Summary

On December 3, 2025, the React and Next.js teams disclosed critical vulnerabilities:

• React Server Components vulnerability: React blog post
• Next.js CVE-2025-66478: Next.js advisory

These vulnerabilities could allow unauthorized access to server-side data in certain configurations of applications using React Server Components or affected Next.js versions.

Impact on WordPress VIP customers

A limited number of VIP customers run applications built on Next.js that are impacted by these disclosures.

WordPress VIP has:

1. Reached out directly to all customers running affected versions of Next.js.
2. Implemented protective mitigations to shield all VIP environments from known exploit patterns.
   

We will continue to monitor for emerging attack signatures and adjust our mitigation strategy as new information becomes available.

Recommended actions for customers

• If you operate a custom application using Next.js or React Server Components, please ensure you update immediately to a patched version as recommended by the upstream maintainers, and follow the guidelines our team shared directly with your organization.
  
• Review official vendor guidance and changelogs:
  
  • Next.js CVE-2025-66478 Advisory
    
  • React Security Blog Post
    
• If you are unsure whether your application is affected, please contact VIP Support.

Our commitment

Security is core to the WordPress VIP platform. We are actively collaborating with upstream maintainers and continuously refining mitigations to ensure all customer workloads remain protected. Updates will be provided if further information becomes available.

New Release: Trust Center

We’re excited to share that our new WordPress VIP Trust Center is now available for your use.

The Trust Center is your one-stop destination for security and compliance information. It brings together everything you need in a single, reliable place, making it easier than ever to access the details you need.

What you’ll find inside

• A full list of our compliance certifications and assessments.
• Quick links to our most relevant public security and compliance resources.
• An updates section where we share the latest compliance-related news and updates.
• An overview of the WordPress VIP Trust Package with a request form for self-serve access.

Customers can now directly request our Trust Package, a curated set of our most frequently asked-for compliance documents (including our SOC 2 report, architecture diagram, infosec policies, test summaries, and more). Once submitted, you’ll automatically receive a download link via email.

Why this matters

The Trust Center gives you and your teams direct, on-demand access to the compliance and security resources you need, without the need to go through multiple communication channels.

Request our Trust Package

Ending OCSP Stapling Support

Effective June 27, 2025, we’re ending OCSP stapling support from our systems:

1. Custom certificates with OCSP Must-Staple Extension
   Our systems will no longer accept TLS certificates that include the OCSP Must-Staple extension.
   
2. Discontinuation of OCSP Stapling Response
   We will cease adding “TLS Certificate Status Request” extensions (also known as OCSP Stapling) to certificates we present to clients. This means that custom certificates that include “OCSP Must-Staple” will not be considered valid by TLS clients, since they will not have staple information when presented to them. TLS clients that expect staple information will also fail.

These changes only have the potential to affect customers utilizing custom TLS certificates. However, we have verified that no currently active customers are using certificates with the OCSP Must-Staple extension. Customers using Let’s Encrypt-provided certificates are not impacted, as Let’s Encrypt removed OCSP support  on May 7, 2025.

We’re phasing out OCSP stapling due to industry-wide shifts away from the protocol and towards more reliable and privacy focused alternatives like CRL / CRLite and shorter lived certificates. OCSP stapling adds operational complexity and can fail silently leading to inconsistent client behavior. These platform changes align with moves by CAB Forum (Certificate Authority/Browser Forum) to deprecate OCSP in favor of these more resilient mechanisms.  

What You Need to Do:

We’ve confirmed that none of our currently active customers are using TLS certificates with the OCSP Must-Staple extension, so no action is required at this time. However, starting June 27, 2025, our systems will no longer include OCSP stapling information in TLS handshakes. If your infrastructure or clients (such as security-hardened browsers, firewalls, or API consumers) expect a stapled OCSP response, we recommend verifying that they can gracefully handle connections without it. Future custom certificates must also not require OCSP Must-Staple to remain compatible.

More information on managing custom certificates is available in our documentation: https://docs.wpvip.com/tls/custom-cert/

If you have any questions or need support, please feel free to open a ticket.

Better Security with Step-up Authentication

Today, we’re introducing a new layer of security into the VIP Dashboard: Step-up authentication.
Step-up authentication is a security process requiring MFA verification when engaging in sensitive or high-risk actions.

This additional security measure acts as a barrier against bad actors, ensuring that even if an account is compromised, unauthorized actions are prevented. By doing so, it provides an additional layer of protection to safeguard your sites.

Why it matters

Step-up authentication dynamically increases verification requirements based on the risk level of user actions, ensuring that risky actions are validated before being executed. 

This approach enhances security, reducing the risk associated with compromised sessions.

How it works

Step-up authentication will provide extra protection for actions like granting users permissions, changing the deployment branch, and many more.

When completing some of these high-risk tasks or accessing sensitive resources, users will be asked to reauthenticate using one of the Multi-Factor Authentication (MFA) methods set up via VIP Authentication. 

Completing this process will allow users to perform other secure actions or access protected routes for one hour. Once the hour has passed, any attempt to access a protected route or perform a secure action will require reauthentication.

Users logging in via SSO won’t be affected for now.
Find out more about Step-up authentication in the VIP Dashboard in our documentation.

WordPress VIP Achieves FedRAMP Moderate ATO

We’re thrilled to announce that WordPress VIP has achieved FedRAMP Moderate Authority to Operate (ATO), making it the first managed WordPress platform to meet the rigorous security and compliance standards required for U.S. federal agencies and highly regulated industries.

For this authorization, WordPress VIP demonstrated a secure, scalable, and compliant CMS solution that empowers the largest organizations on the web, including government agencies, to deliver fast, accessible, and reliable digital experiences.

FedRAMP (Federal Risk and Authorization Management Program) is one of the most rigorous cloud security assessments in the world. It ensures that cloud-based services meet stringent security requirements before federal agencies can use them. 

What this means:

• The vast majority of federal agencies and contractors can now leverage WordPress VIP’s secure and compliant cloud solution. 
• Our platform includes hundreds of security controls covering encryption, access management, continuous monitoring, and incident response. Our ongoing compliance with FedRAMP standards is maintained through ongoing security scans and annual audits by certified independent assessors.
• Customers in highly regulated industries, including healthcare, finance, and technology benefit from the same enhanced security posture.

This achievement is a testament to the dedication of our team and our ongoing investment in secure, enterprise-grade WordPress solutions. For more details, visit our announcement.

New Feature: Deny Requests Based on User Agent

We’re excited to introduce another new access control feature in the VIP Dashboard. You can now block requests based on the user agent, adding an additional layer of protection for your application powered by the VIP CDN.

What’s New?

This feature allows you to block requests from specific user agents, such as AI crawlers and unwanted bots, before they even reach your application. With better control of the traffic accessing your site, you can ensure that unwanted traffic doesn’t impact your app’s performance.

Rules for managing User Agent blocks can be managed in the VIP Dashboard, from the User Agents page, located under the Security Controls section of the VIP Dashboard. Requests can be blocked based on exact or partial matches of user agent strings.

Why This Matters

• Edge-Based Denial: Requests are blocked at the VIP CDN, reducing application load and ensuring faster response times for legitimate users.
• No Deployments Required: Easily enable and manage this feature directly from the VIP Dashboard — no code changes or deployments needed.
• Granular Control: Set rules to block full or partial user-agent strings for better control over your traffic.
• Independent of IP Restrictions: Use this feature alone or combine it with IP address restrictions for enhanced security.

If you’re currently using the VIP_Request_Block class in your application code to manage user agent blocks, we’ve created a guide to help you transition to this new, easier method of restricting access.

Find out more about this feature in our documentation. 

New Feature Release – Deny Requests Based on IP

We’re excited to introduce a powerful new capability for VIP customers: IP-Based Request Denial on the VIP Platform. This feature gives you direct control over who is blocked from accessing your application right in the VIP Dashboard without requiring a new code deployment.

---

What’s New?

With this update, you can now deny access directly at the VIP Edge level, improving your access restriction management speed and efficiency. By blocking unwanted requests earlier in the workflow, this feature enhances security and reduces manual code deployments to deny certain IPs.

In addition, we’ve made several updates to the IP Restrictions interface:

• Add Notes to IP Restrictions: You can now include descriptive notes to track why specific IPs or ranges are denied or allowed, improving clarity for team collaboration and long-term management.
• Updated Design: A refreshed, more intuitive interface makes managing IP restrictions easier than ever.

Checkout our documentation for more details on the new capabilities.

---

Why This Matters

1. Enhanced Security: Prevent unauthorized access before it reaches your application, ensuring a safer experience for your users.
2. Operational Efficiency: You can implement changes on the fly, without waiting for a code deployment or restarting workflows.
3. Improved Usability: The updated interface allows you to add notes and manage restrictions, helping your team stay organized and aligned.

This feature is available now! Explore the IP Restrictions in your VIP dashboard in the Access & Routing section to streamline access control for your application. As always, we’re here to support you and empower your security, one feature at a time. Let’s make access management smarter and easier!

New Changes to Access-Controlled Files

We’ve improved how you interact with access-controlled media files in your non-production environments.

The Access-Controlled Files feature restricts access to files and media uploaded to the WordPress Media Library of a site.

– https://docs.wpvip.com/access-and-routing/access-controlled-files/

Non-production environments will automatically inherit the media files access-control settings from their parent environment. 

In addition to this, you will have the flexibility to override these settings on any non-production environment, taking precedence over the parent environment’s configuration. This will give you greater control to tailor access settings for specific environments, potentially useful for testing or staging scenarios.

However, it’s important to be cautious when overriding these settings:

• Security Risks: Allowing more open access in non-production environments can inadvertently expose sensitive media files, especially if the environment is accessible beyond your internal team.
• Inconsistent Access: If the settings between environments differ significantly, it could lead to confusion or accidental exposure of files during deployments or migrations.

The process to configure the Access-Controlled Files settings remains the same, as detailed in the documentation.

---

As a reminder about media on WordPress VIP, in general, files uploaded to a WordPress production environment are automatically shared with and available to associated non-production environments.

For more details please refer to the documentation. Reach out to us if you have any questions!