WordPress 6.5.2 Maintenance and Security Release

Note: Due to an issue with the initial package, WordPress 6.5.1 was not released. 6.5.2 is the first minor release for WordPress 6.5.

This security and maintenance release features 2 bug fixes on Core, 12 bug fixes for the Block Editor, and 1 security fix.

Security backports were deployed for other major WordPress releases.

WordPress 6.5.2 is a short-cycle release. The next major release will be version 6.6 and is currently planned for 16 July 2024.

If you have any questions related to this release, please open a support ticket and we will be happy to assist.

Important Update: Changes to Email Sending Policy for Your VIP Applications

As part of our ongoing commitment to maintaining robust and secure email-sending practices, we want to communicate an important policy update that will affect how your applications send emails.

New Requirement: Domain Mapping and Verification

To ensure the integrity and deliverability of emails sent from applications hosted on WordPress VIP, it is now mandatory for all sending domains to be verified and mapped through the VIP Dashboard. A domain must be mapped to the environment from which the emails are sent. Mails sent from unmapped and unverified domains will soon be rejected.

For detailed guidance on mapping and verifying your domains, please visit: https://docs.wpvip.com/domains/verification/

Requirement: Domain SPF, DKIM, and DMARC DNS Configuration

As explained in previous communications (listed below), the primary changes required for email deliverability are the configuration of SPF, DKIM, and DMARC DNS records for each mapped & verified domain being used to send emails on VIP.

Phasing out: Header Rewrites

Up to now, for emails sent from your VIP environments using unmapped domains, we have been rewriting the “FROM” header to `donotreply@wpvip.com` as a temporary measure. This was intended to provide some leeway while transitioning to the new requirements. However, to align with best practices and improve service standards, this will be phased out according to the following schedule:

  • Starting March 5, 2024: Email sent from non-production VIP servers with unmapped domains will be rejected.
  • Starting April 1, 2024: We will extend this policy to all production environments, rejecting all email from domains that are not correctly mapped to VIP.

Action Required

To avoid disruption to your outgoing email, please ensure that you complete domain mapping and verification, as well as any required DNS security changes, before the above-stated deadlines.

Support and Questions

We understand that this policy update may require you to make specific changes to your current setup. Our team is fully prepared to assist you with a smooth transition. If you have any questions or need support, please feel free to open a support ticket, and we will be happy to help.

Advance Notice: Domain Verification Required for New Domains

At WordPress VIP, we have an ongoing commitment to be the world’s most secure WordPress platform. As part of that commitment, we are pleased to announce secure domain verification. From February 27, 2024, a verification step will be required for all domains added to our platform. Any domains previously added to our platform (legacy domains) are already considered verified, and will not require this step.

To verify a domain you must add a specific TXT record to the domain’s DNS record. The WordPress VIP platform will check for the correct TXT record and update the verification status. Our Domain Verification tool will guide you through the process, and can be found in the VIP Dashboard Domains & TLS panel. You can view the verification status of each domain in the “Verification” column.

Until a new domain has been verified, you will not be able to use it on our platform. Unverified domains cannot receive traffic, provision Let’s Encrypt certificates, be used in our launch tooling, or be used to send emails.

New Relic Management in the VIP Dashboard

We’re excited to announce an enhancement to our VIP Dashboard: management of your applications’ New Relic APM. This integration simplifies managing New Relic APM for both production and non-production environments, offering a seamless experience in monitoring and optimizing your application’s performance.

New Features at Your Fingertips

  • Easy Activation: Activate New Relic APM for your Production and Non-Production environments directly from the VIP Dashboard.
  • User Access Management: Effortlessly manage who has access to New Relic tools within your team.
  • Flexible Testing in Non-Production: Enable New Relic for continuous 7-day periods in non-production environments, perfect for thorough testing and analysis.
  • Uninterrupted Monitoring in Production: In Production environments, New Relic can be either permanently on or off, offering consistent monitoring without time constraints.

What to Expect

Upon activation, a New Relic entity is created for your application, and New Relic begins sampling HTTP requests. Please note that this may have a minimal impact on application performance, but the insights gained are invaluable for optimizing your user experience.

Ready to Enhance Your New Relic experience?

Get started by navigating to the New Relic section, located under “Performance” in your VIP Dashboard. For more detailed information, please check our documentation. If you’re activating New Relic for your Node.js application, please see our documentation for more advice on how to start reporting data from your application.

Questions or Need Support?

If you have any questions or require assistance, our support team is always ready to help. Open a support ticket, and we’ll ensure your experience with New Relic APM is smooth and beneficial.

Announcing Enhanced Database Access with phpMyAdmin

Great news: We’re enhancing your database management capabilities by introducing read access to phpMyAdmin for all your environments. This user-friendly frontend tool will provide convenient read-only access to your database.

Getting Started

To get access to phpMyAdmin you need to make sure to update your VIP-CLI to the latest version by running the following command:

npm install -g @automattic/vip

Once you’re at least on version 2.38.0 or higher you can simply run the following command:

vip db phpmyadmin @APPID.Environment

Check out our documentation for instructions on accessing and using phpMyAdmin through the VIP-CLI.

The introduction of read-only access to your database through phpMyAdmin marks a pivotal moment in our continuous effort to provide advanced tools and features that cater to the evolving needs of our customers. It embodies our commitment to enhancing the development experience, offering a sophisticated yet user-friendly platform for efficient database management.

Need Help or Have Questions?

If you encounter any issues or have questions about using phpMyAdmin, our support team is here to assist. Please open a support ticket, and we’ll help ensure a smooth experience.

Email Delivery Changes on VIP

Following our earlier communication this month, we’re taking additional steps to fortify the reliability and security of email delivery from the VIP platform. This initiative underscores our commitment to providing a stable and trustworthy platform for all our users.

Key Updates

  • Mandatory Email Authentication Records: For domains mapped to VIP application environments, SPF, DMARC, and DKIM records are required. Email messages originating from domains that are mapped to VIP application environments but that do not have valid DKIM records will not be signed by our SMTP servers after 1 February 2024.
  • Policy for Unmapped Domains: Emails from domains not mapped to VIP app environments will face a stricter policy. Starting in March 2024, our SMTP servers will reject such emails. However, to ease this transition, we’re implementing a one-month grace period. During this time, emails from unmapped domains won’t be blocked outright but will have their headers rewritten to be sent from donotreply@wpvip.com.

Action Required

  • Verify and Update Domains: Before an application can send email using WordPress VIP mail servers, its domain name must be mapped to VIP. Please verify that the domain is listed on the Domains & TLS page in the VIP Dashboard. Soon, emails sent from unmapped domains will be rejected.
  • DNS Setting Updates: As mentioned in our previous post, please ensure that your domains include the DNS records specified. This update is crucial to maintain uninterrupted email services.

We appreciate your prompt attention to these changes. Our goal is to ensure a seamless transition and continued excellence in service delivery.

If you have further questions about this change or how it affects your domains, you can open a ticket with VIP Support.

Action Required: Changes in Email Deliveries

Both Google and Yahoo are making some changes for deliverability to their services starting from Feb 1, 2024, and WordPress VIP will be updating our infrastructure to account for these changes. Customers who use custom domains to send emails from WordPress will need to act and add DNS records mentioned below. If you only use the default email address, donotreply@wpvip.com, no action is necessary.

Required Changes

If you use a custom domain to send email, you’ll need to add SPF and DKIM records and, if you’re sending more than 5,000 emails per day, a DMARC record to your DNS settings.

Sender Policy Framework (SPF)

For the SPF Record, you need to add the following string to your existing SPF Record:

include:_spf.wpvip.com

DomainKeys Identified Mail (DKIM)

For the DKIM record, you need to add the following CNAME records to your DNS settings:

wpvip1._domainkey.<domain> CNAME wpvip1._domainkey.wpvip.com
wpvip2._domainkey.<domain> CNAME wpvip2._domainkey.wpvip.com

Domain-based Message Authentication, Reporting and Conformance (DMARC)

For DMARC, which is required if you are sending more than 5,000 emails per day, the minimum entry would need to be:

_dmarc.<domain>

with a TXT value of

v=DMARC1; p=none;
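The three requirements above can be checked mechanically before a cut-over date. The following is an added example, not VIP's own tooling: it audits a constructed, in-memory copy of a domain's DNS records (the `SAMPLE_ZONE` dict stands in for live DNS lookups, and `example.com` is a placeholder domain) against the SPF include, the two DKIM CNAMEs and the DMARC record listed in this post. It also flags a domain that publishes more than one `v=spf1` record, which is a permanent SPF error under RFC 7208 and a common cause of the "undelivered or marked as spam" outcome described below.

```python
# Constructed sample zone: what a correctly configured sending domain looks like.
# Keys are (owner name, record type); values are lists of record data strings.
SAMPLE_ZONE = {
    ("example.com", "TXT"): ["v=spf1 include:_spf.google.com include:_spf.wpvip.com -all"],
    ("wpvip1._domainkey.example.com", "CNAME"): ["wpvip1._domainkey.wpvip.com"],
    ("wpvip2._domainkey.example.com", "CNAME"): ["wpvip2._domainkey.wpvip.com"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none;"],
}

SPF_INCLUDE = "include:_spf.wpvip.com"      # required SPF mechanism from the post
DKIM_SELECTORS = ("wpvip1", "wpvip2")        # required DKIM selector CNAMEs from the post
DMARC_VOLUME_THRESHOLD = 5000                # DMARC mandatory above this many mails/day

def lookup(zone, name, rtype):
    """Stand-in for a DNS query against the constructed zone (names are case-insensitive)."""
    return zone.get((name.lower(), rtype), [])

def check_spf(zone, domain):
    """Exactly one v=spf1 record must exist and contain the VIP include term."""
    spf = [r for r in lookup(zone, domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, f"expected exactly one v=spf1 TXT record, found {len(spf)}"
    if SPF_INCLUDE not in spf[0].lower().split():
        return False, f"missing '{SPF_INCLUDE}' in SPF record"
    return True, "ok"

def check_dkim(zone, domain):
    """Both selector names must be CNAMEs to the matching wpvip.com host."""
    for sel in DKIM_SELECTORS:
        if lookup(zone, f"{sel}._domainkey.{domain}", "CNAME") != [f"{sel}._domainkey.wpvip.com"]:
            return False, f"{sel}._domainkey.{domain} must be a CNAME to {sel}._domainkey.wpvip.com"
    return True, "ok"

def check_dmarc(zone, domain, daily_volume):
    """A v=DMARC1 record with a valid p= tag; only mandatory above the volume threshold."""
    recs = [r for r in lookup(zone, f"_dmarc.{domain}", "TXT") if r.upper().startswith("V=DMARC1")]
    if not recs:
        if daily_volume > DMARC_VOLUME_THRESHOLD:
            return False, "DMARC record required at this sending volume"
        return True, "no DMARC record (optional below 5,000 messages/day)"
    tags = dict(t.strip().split("=", 1) for t in recs[0].split(";") if "=" in t)
    if tags.get("p", "").strip() not in ("none", "quarantine", "reject"):
        return False, "DMARC record lacks a valid p= tag"
    return True, "ok"

def audit(zone, domain, daily_volume=0):
    """Run all three checks; returns {check_name: (passed, detail)}."""
    return {"spf": check_spf(zone, domain),
            "dkim": check_dkim(zone, domain),
            "dmarc": check_dmarc(zone, domain, daily_volume)}

if __name__ == "__main__":
    for name, (ok, detail) in audit(SAMPLE_ZONE, "example.com", daily_volume=10000).items():
        print(f"{name.upper():5} {'PASS' if ok else 'FAIL'}  {detail}")
```

To run it against a real domain, replace `lookup` with a resolver call (for example dnspython's `dns.resolver.resolve`) and keep the check functions unchanged.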

Notice

VIP’s infrastructure is not intended for the distribution of bulk HTML emails, mailing list functionality, invitations to view or share content, notifications of site activity, or other mass-email functionality.

We kindly ask you to use an SMTP (Simple Mail Transfer Protocol) service or ESP (Email Service Provider) to send such emails. More information on how to set this up can be found in our documentation: https://docs.wpvip.com/technical-references/email-on-vip/

What happens after 1st of February

Please make sure to set the required DNS entries for your domains to make sure your emails are still delivered. Without these updates, your emails risk being undelivered or marked as spam, leading to potential communication disruptions and harm to your domain’s credibility. Prompt action is advised to uphold the reliability and effectiveness of your email communications.

If you have any questions related to this, please open a support ticket, and we will be happy to assist.

HTTP/2 and curl Security Updates

VIP has completed work to mitigate two unrelated, recently disclosed security vulnerabilities.

VIP constantly maintains the security of our infrastructure. We don’t announce that every mitigation has been completed, but these issues were widespread, significant, and well known, so we wanted to be clear that you are protected on VIP.

HTTP/2 Protocol

On October 10, 2023, Cloudflare, Google, Amazon, and others posted about a newly discovered and actively exploited vulnerability in the HTTP/2 protocol that lets attackers launch very large-scale attacks with very few resources. Nearly every web server in the world, including those at VIP, uses this protocol and was susceptible.

Soon after the disclosure, a patch was created that will be included in the next version of the affected software. We have deployed this patch to all of our web servers ahead of the general release. This deployment was complete within hours of the vulnerability being announced.

Please note that this vulnerability could only be used to trigger a denial of service issue – it cannot be used to steal or modify user data, access your systems, etc. VIP has no evidence that sites were affected via this method.

curl

On October 3, 2023, the founder and lead developer of curl and libcurl, a low-level library used in many applications, announced a significant vulnerability and that a fix would be available in a new version to be released on October 11, 2023.

We were prepared for rapid deployment of that new version across our infrastructure and completed that within hours as well. Your site is now protected against this issue.

Summary

The VIP team mitigated both of these highly impactful security incidents as part of our ongoing promise to assure your sites are secure, reliable, and lightning fast. We have not seen any malicious activity related to these issues at this time.

Your site is protected from both of these incidents, and no further action is necessary on your part.

Reminder: PHP Updates Begin in 30 Days

OCT 26 UPDATE: The ability to roll back to a version earlier than PHP 8.1 will remain available in the software update tool through Sunday, November 26, the last day of security support by PHP. Earlier version options will be permanently removed on Monday, November 27, 2023.

In July, we called your attention to the upcoming security support end-of-life for PHP 8.0 and the timeline VIP has outlined to prepare customers ahead of the formal PHP deadline of November 26, 2023.

We are now 30 days out from the first wave of VIP updates commencing, and are taking this opportunity to remind customers to please test and deploy the update ahead of this schedule, to avoid any interruptions. Below are a few scenarios we’ve outlined to ensure your teams know what to expect. In addition, our PHP Updates documentation was recently updated to include a more robust outline to help your teams address these updates now, and in the future.

Customer Scenarios

Ideal: We’ve tested and deployed the update ahead of the VIP schedule.
Amazing! There will be no surprises for your team, and VIP will not touch your application when running our updates.

Incomplete: We’ve tested this update, and are going to wait for VIP to run the update.
While it’s awesome that you’ve tested your application(s) against the update, we don’t recommend waiting for VIP to run the update for you, for a few reasons:

  • VIP may run the update at a time in which your team is not available. If the update deploys with no issue, this is not a problem, but if it doesn’t, having your team available to address any issues with your application puts your business in a better position.
  • While differences between test environments and production environments may be minor, we know that there is always the possibility for tweaks needed after a production deployment. We suggest eliminating that variable ahead of time.
  • Updating the software version of PHP can be managed directly from the VIP Dashboard.

Risk: We have not had time to test the update ahead of the VIP schedule.
VIP is not able to defer this update. We are adhering to the PHP schedule, and keeping your application secure is a top priority. If VIP runs the update without a customer testing first, there is a possibility that your application may run into issues that your team needs to rapidly address.
VIP Timeline for Non-Updated Environments

Monday, October 30, 2023

VIP Updates Non-Production Environments to PHP 8.1
VIP will begin updating all non-production environments that are not yet on PHP 8.1. We are proceeding with non-production environments first in order to provide customers time to address any issues that arise as a result of the update, before updating production.

Monday, November 13, 2023

VIP Updates Production Environments to PHP 8.1
VIP will begin updating all production environments that are not yet on PHP 8.1. After this date, working with your teams on post-update issues will be the priority.

Earlier PHP Version Options Removed
The option to select PHP version 7.4 (deprecated) and 8.0 is removed from the software management tool.

Sunday, November 26, 2023

PHP 8.0 End of Life
Security support for PHP 8.0 ends.
Questions?

Please don’t hesitate to reach out to our Support team with any questions.

Completed: VaultPress Deprecation

We have reached the end of the VaultPress deprecation process. VaultPress is now disabled across the VIP Platform, and is no longer available for use on VIP environments.

You can continue to access your data through our convenient VIP Dashboard and VIP-CLI features; see below.

What does this mean?

If you’re a customer that has been using the VIP_VAULTPRESS_SKIP_LOAD PHP constant to continue using VaultPress to create backups for your environments, even after the deprecation on the 29th of March, you will no longer be able to do so. VaultPress will no longer be connected to your site environments, which means that no VaultPress backups will be generated. You will also lose access to the VaultPress Dashboard.

Customers that have not been using the VIP_VAULTPRESS_SKIP_LOAD PHP constant will also no longer be able to access the VaultPress Dashboard. VaultPress itself has been disconnected from your site environments since the 29th of March – so there have been no VaultPress backups generated since then.

Manage and export data with VIP tools

There are several ways to export and manage your data from the VIP Platform:

  • From the VIP Dashboard – choose to export the entire database, a single network site (for multisites), or specific tables
  • Using the VIP-CLI command vip export sql

Managing data access through the VIP Dashboard and VIP-CLI allows us to provide a clear, simple, and secure service for your team. The VIP Dashboard user management system allows for regulation of access control, enhancing security and easing the workload for onboarding and offboarding processes.

All crucial interactions such as generation and download events are systematically tracked and recorded in the Audit Log, providing a clear record of significant system interactions.

On-demand database backups

You can now trigger a database backup on demand before exporting it using the VIP-CLI. The capability to trigger a database backup via the VIP Dashboard will follow soon.

Generating a backup for download will ensure that you are working with the most up-to-date data and should provide you all the tools needed to efficiently and confidently deploy applications.

Please reach out to VIP Support with any questions or concerns you may have.