WordPress 6.2.1 Maintenance and Security Release

WordPress 6.2.1, a maintenance and security release, has been pushed out to all VIP sites running WordPress 6.2. The security patches have also been back-ported to sites running older WordPress versions.

This minor release features 20 bug fixes in Core and 10 bug fixes for the block editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement.

Have questions?

If you have any questions related to this release, please open a support ticket and we will be happy to assist.

Changes to Log Shipping and Database Backup Shipping Configuration

Today we are announcing two modifications which are designed to enhance the security of the HTTP Request Log Shipping and Database Backup Shipping configuration processes.

Instead of relying on the direct application of an AWS S3 bucket access policy, we now provide an AWS CloudFormation template that grants our tools the necessary access to your AWS S3 buckets for shipping HTTP logs and database backups. This improves the management of the access policies required to allow our systems to communicate securely with your S3 buckets.

Additionally, we’ve added a new input field called AWS Account ID. This is embedded in the CloudFormation template and helps validate that the specified bucket is owned by your AWS account, to avoid any misconfiguration issues.

You can follow this AWS guide to apply the AWS CloudFormation template in your AWS Console.

If you have already enabled either HTTP Request Log Shipping or Database Backup Shipping, no changes are necessary and they will continue to work as configured.

If you would like to reconfigure any active HTTP Request Log Shipping or Database Backup Shipping configurations, you are welcome to do so by simply disabling and then re-enabling each shipping configuration. Once re-enabled, you may remove the Access Policy that you have previously applied to your bucket.

You can find more information on configuring both these features in our documentation:

If you have any questions about this change, please get in touch.

Upcoming: VaultPress Deprecation

Over the next few months, we will be deprecating and then removing VaultPress from the WordPress VIP platform. The VIP Dashboard now supports exporting database backups for all your applications and environments, the primary feature previously provided by VaultPress.

Here’s the timeline for the planned deprecation and removal:

  • Tuesday, March 14th, 2023: VaultPress will be disabled on non-production environments
  • Tuesday, March 28th, 2023: VaultPress will be disabled on production environments
  • Tuesday, July 04th, 2023: VaultPress plugin code will be removed from the VIP Platform’s Must Use (“MU”) plugins and the VIP Platform

Once VaultPress is disabled for an environment, you won’t be able to access database backups from the VaultPress Dashboard. Instead, the VIP Dashboard will provide you an integrated experience for managing exports that fits in with your existing VIP workflows. 

If you’d like to continue leveraging VaultPress until the final removal date in June, you can add the following line to your vip-config.php file:

define( 'VIP_VAULTPRESS_SKIP_LOAD', false );

With this in place, VaultPress will continue working on your environments even after we deprecate it on non-production and production environments. It will continue working until its removal date at the end of June.

Managing exports within the VIP Dashboard

We’re excited to have these and more new features coming soon to WordPress VIP.

  • Database exports are optimized for use in development environments and allow for further customization and filtering.
  • Security is enhanced by including user access control for backups under the VIP Dashboard user management system, easing onboarding and offboarding workload.
  • Tracking of generation and download events is available in the Audit Log.
  • Backup exports via VIP-CLI (upcoming feature)
  • Easier syncing of data into the VIP Local Development Environment (upcoming feature)
  • On-demand / ad-hoc backups (upcoming feature)

Please reach out to VIP Support with any questions or concerns you may have. We are happy to accommodate an extension should you need it.

[CircleCI Security Alert] Rotate Any Secrets Stored in CircleCI (Updated)

UPDATE (January 16, 2023) – CircleCI has published a full report that includes more details about the incident. VIP recommends affected customers review this document and reach out to support if you have any further questions or concerns.


UPDATE (January 6, 2023) – CircleCI has updated their initial post with more information and instructions. They now recommend rotating all secrets, keys, and tokens of any kind stored on their service. Please refer to CircleCI’s disclosure post for the most up-to-date information and instructions concerning this incident.


On Wednesday, January 4, 2023, CircleCI disclosed a security incident that affects VIP customers who use CircleCI. At this time, CircleCI reports the incident is contained and no unauthorized actors are active in their system, but recommends that CircleCI users rotate any secrets stored on their service. 

If you have never used CircleCI, no action is necessary. We are communicating this to all customers as part of our ongoing commitment to security. We are also reaching out directly to the WordPress VIP customers that have used CircleCI.

If you have used CircleCI, you should take the following preventative actions as soon as possible:

  • Immediately review and rotate any and all secrets stored in CircleCI. These may be stored in project environment variables, in contexts, or in other areas.
  • Review any internal logs of your systems for any unauthorized access starting from December 21, 2022, through the completion of your secrets rotation.
  • Rotate any SSH keys used for CircleCI to communicate with GitHub or any other system. You may have set these up initially, and our documentation details how to rotate these keys.
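
One way to carry out the log review in the second step, as an added example that is not part of the original notice. The event format, field names, key ID and IP ranges are constructed assumptions, and the check for use after rotation goes one step beyond the window the notice describes.

```python
import ipaddress
import json
from datetime import datetime, timezone

WINDOW_START = datetime(2022, 12, 21, tzinfo=timezone.utc)  # start date given in the notice

# Constructed sample events, one JSON object per line; the field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2022-12-19T08:00:00Z", "key_id": "ci-deploy", "src_ip": "203.0.113.50", "action": "git.fetch"}
{"ts": "2022-12-23T02:14:09Z", "key_id": "ci-deploy", "src_ip": "198.51.100.7", "action": "git.fetch"}
{"ts": "2022-12-27T03:40:51Z", "key_id": "ci-deploy", "src_ip": "203.0.113.50", "action": "repo.download_zip"}
{"ts": "2023-01-02T11:05:00Z", "key_id": "laptop-alice", "src_ip": "203.0.113.99", "action": "git.push"}
not-json garbage line
{"ts": "2023-01-08T09:30:00Z", "key_id": "ci-deploy", "src_ip": "198.51.100.7", "action": "git.fetch"}
"""

def parse_ts(value):
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)  # assume UTC if unlabelled

def review_ci_credential_use(log_text, ci_key_ids, known_networks, rotation_done):
    """Return (line_no, reason) for every event that needs a human look."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            ts = parse_ts(event["ts"])
            src = ipaddress.ip_address(event["src_ip"])
        except (ValueError, KeyError, TypeError, AttributeError):
            # Never drop a line silently during an incident review.
            findings.append((line_no, "unparseable"))
            continue
        # Only credentials that were stored in CircleCI, from the window start onward.
        if event.get("key_id") not in ci_key_ids or ts < WINDOW_START:
            continue
        if ts > rotation_done:
            # The old credential still authenticates: rotation is incomplete.
            findings.append((line_no, "used-after-rotation"))
        elif not any(src in net for net in nets):
            findings.append((line_no, "unknown-source"))
    return findings
```

Pass the identifiers of every credential that was stored in CircleCI, the networks your builds are expected to come from, and the time your rotation finished.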

CircleCI’s blog post has the most up-to-date information about their ongoing. WordPress VIP will update you if any further action is necessary.

As always, if you have any questions or concerns, please open a support ticket.

Notice: Deprecating RSA for Let’s Encrypt Certificates

Beginning on Monday, January 16, 2023, all Let’s Encrypt TLS certificates issued on the WordPress VIP platform, including new certificates and automatic renewals, will be ECC certificates.

Elliptic Curve Cryptography (ECC) provides a level of encryption strength equivalent to the RSA (Rivest-Shamir-Adleman) algorithm with a shorter key length. As a result, the speed and security offered by an ECC certificate are higher than those of an RSA certificate for Public Key Infrastructure (PKI).

We don’t anticipate any disruption to certificate requests or renewals as a result of this change. All web clients created within the last ~12 years already support ECC certificates, and minimum versions for TLSv1.2+ (required on the VIP Platform) are higher than those required for ECC certificates.

If you’d prefer to continue using RSA certificates after January 16, you’ll need to use a custom certificate, which can be uploaded and installed on the VIP Dashboard.

Please feel free to open a support ticket if you have any questions.

New Feature: Plugin management and vulnerability scanning

When security vulnerabilities are published for a WordPress plugin, the VIP team is notified and often we will help mitigate severe issues behind the scenes in order to prevent exploitation across vulnerable sites. This is not always possible for every vulnerability, and these mitigations are only meant to be a temporary solution. The real solution to this problem is keeping plugins updated and patched.

With that goal in mind, you may have also noticed that we introduced a new security scanning feature a few months ago that contributes to site security by occasionally opening plugin update pull requests in the GitHub repositories when newly released severe vulnerabilities are found. One of the main downsides to this is the lack of visibility as not every plugin vulnerability has an available patch, so no pull request could be created.

Today, we’re happy to announce more visibility and control with this plugin vulnerability scanning. There is now a page in the VIP Dashboard, located at Codebase > Plugins, that lists the plugins installed on the environment along with any known security issues.

Along with displaying any found security vulnerabilities, you will also be able to see if there are any updates available for the plugin. And whether there are any vulnerabilities or just an update available, this new feature also has the ability to create plugin update pull requests on demand. Simply click the “Create Pull Request” button, take a sip of your coffee, and then head over to GitHub where you can merge in the changes!

Read more information about Codebase Manager and this new plugins screen.

WordPress 6.0.3 Security Release

WordPress 6.0.3, a maintenance and security release, has been pushed out to all VIP sites running WordPress 6.0.2. The security patches have also been back-ported to sites running older WordPress versions.

This security and maintenance release features 16 security fixes affecting WordPress 6.0.2. To see a full list of changes, visit the 6.0.3 documentation page.

Have questions?

If you have any questions related to this release, please open a support ticket and we will be happy to assist.

Working Together: The Path to PHP 8.0

In May, we announced that PHP 8.0 was now available on WordPress VIP environments. Since then, we’ve been excited to see many customers testing this version on their child environments, while other customers have completed the update to PHP 8.0 on their production sites.

WordPress VIP wants to ensure that every customer is supported along their PHP 8.0 update path and that no one scrambles toward the finish line. To aid your planning, take note of the key dates below. The timeline provides high-level milestones for WordPress VIP customers to keep everyone on track and mitigate potential risks as early as possible. 

WordPress VIP Update Timeline

While Nov. 28, 2022 is the date PHP 7.4 will stop receiving security updates, WordPress VIP will begin updating any customer not yet on PHP 8.0 on Monday, Nov. 15, in an effort to minimize risk of security vulnerabilities. Please review the timeline below, and reach out to your Technical Account Manager or our support team with questions.

MONDAY, AUG. 1, 2022

All new environments are created on PHP 8.0

Existing customers begin creating any new environments on PHP 8.0. If you have an upcoming project in preparation, work with your Technical Account Manager, who will help you incorporate this into your planning. If you have questions or concerns, create a ticket with our support team. If you’re a Premier customer, your account team is already aware of this timeline and can also answer questions.
*New customers have already begun launching their sites on PHP 8.0.

THURSDAY, SEPT. 15, 2022

Customer check-in: All non-updated customers

Customers who have not yet updated all environments to PHP 8.0 receive communication inquiring about a target migration date. The goal is to help us understand potential risks and make sure you’re on your way to a successful update.

MONDAY, OCT. 17, 2022

30 days from deadline: Customers planned for VIP update

WordPress VIP begins formalizing a plan to update customers who have not updated to PHP 8.0 and who have not provided a target date for updating in advance of Nov. 15. We will reach out to customers with next steps and flag potential risks.

Note: Customers updated by WordPress VIP will not have a rollback option. Issues related to the update will be the responsibility of the customer to address and solve. 

TUESDAY, NOV. 1, 2022

Last day to roll back to PHP 7.4

Our goal is to have all WordPress VIP customers updated to PHP 8.0 before Nov. 1. After this date, working with your teams on post-update issues will be the priority.

TUESDAY, NOV. 15, 2022

WordPress VIP updates any customer applications not yet on PHP 8.0.


How to prepare your WordPress site for PHP 8

If you’re just getting started, but have more questions than answers, we’ve got you covered. Our resident PHP expert, Gary Jones, Engineering Lead for Premier customers, has written a comprehensive outline covering everything from a PHP 8.0 overview and getting started, to looking for compatibility issues and considerations around PHP 8.1. Even if you have a finalized PHP 8.0 plan, it’s a great resource to review to make sure you’re covered. 

How to prepare your WordPress VIP site for PHP 8.0


Related VIP Documentation:

PHP 8.0 available on WordPress VIP

Update: Please read this Lobby post, which contains an updated timeline & deadline for PHP 8.0 updates. PHP 8.1 is fully supported and available as part of our Software Management feature.

VIP is excited to announce that PHP 8.0 is now available on WordPress VIP environments.  PHP 8.0 is a major update that provides a plethora of new features and under-the-hood improvements. 

Some highlights of PHP 8.0 include named arguments, union types, attributes, constructor property promotion, match expression, nullsafe operator, JIT, improvements in the type system, error handling, and consistency.

Since this is a new major version, we strongly recommend that you test your application in a non-production environment running PHP 8.0. PHP 7.4 will be going end-of-life soon, so even if you are not taking advantage of these new features, now is the time to get a jump on the upgrade to PHP 8.0.

To test in a non-production environment, please open a ticket with our support team specifying which application(s) and the PHP version you’d like. In the near future, you’ll be able to control this via a setting in the VIP Dashboard and VIP-CLI.  We strongly encourage you to test in a non-production environment before updating in production.

To help your migration and testing of PHP 8.0, we recommend following these steps:

1. Update to our newly released version of VIP-CLI (2.9.5). You can pick the desired PHP version via `create` or `update` command to test new PHP versions locally.

Screenshot of VIP Local Development Environment Configuration Wizard showing PHP option

2. Update a non-production environment as soon as possible to get visibility into scan results and to ensure ongoing compatibility with PHP 8.0 via the VIP Code Analysis Bot. We have added multi-version linting to the bot, so if your repository powers several sites with different versions of PHP, the bot will check the Pull Request against each enabled version. See the screenshot below for an example:

VIP Code Analysis Bot flagging syntax errors for multiple versions

3. Review the WordPress VIP documentation “Prepare application code for a PHP version upgrade” guide and perform the recommended scan.

PHP 7.4 will stop receiving security updates on November 28, 2022. On this date, all sites on WordPress VIP still using PHP 7.4 will be upgraded to PHP 8.0 to minimize the risk from unpatched security vulnerabilities. 

PHP 8.1 is also available but WordPress core does not yet fully support PHP 8.1, so we strongly recommend against running it in production at this time. PHP 8.1 is fully supported and available as part of our Software Management feature. [Updated 24 August 2022]