Warning: VIP Dashboard Phishing Attack

Individuals have maliciously created fake but realistic-looking copies of the VIP Dashboard login screen. The screens aim to trick VIP customers into entering their genuine authentication credentials for GitHub or WordPress.com. This is a criminal technique known as “phishing”.

We include advice below on how to protect yourself and what to do if you may have fallen victim to this attack.

What to do if you suspect you have fallen victim to phishing for the VIP Dashboard

Hackers are experts at social engineering and trying to gain access to computer systems. Sometimes accidents happen, and the most important thing is to take immediate action to limit any damage they can do. The VIP team is here to help you if you are affected.

If you suspect you have fallen victim to these phishing attempts then please take the following steps.

  • Stop using the suspect website and do not enter any more information into it.
  • Raise an urgent ticket with our team as soon as possible. This will allow us to swiftly secure your account by resetting your login details and taking any additional necessary measures to protect your data and our systems.

Contact VIP’s Support team by creating a Zendesk Support ticket using one of the following methods:

Zendesk

Log in to the WordPress VIP Zendesk portal at wordpressvip.zendesk.com (carefully check the website address). Mark your ticket as urgent.

VIP Dashboard

  1. Access the VIP Dashboard at dashboard.wpvip.com (again, carefully check the website address)
  2. Select the button labeled “Help Center” located in the upper-right corner
  3. Select the tab labeled “Support”
  4. Mark your ticket as urgent

WordPress Admin Dashboard

  1. Access your WordPress Admin dashboard
  2. Select “VIP” from the left-hand navigation menu of a site’s WordPress Admin dashboard
  3. Complete the fields in the form titled “Contact WordPress VIP Support”
  4. Mark your ticket as urgent
  5. Select the button labeled “Send Request”

If you have provided any GitHub or WordPress.com login details on the phishing site, you will also need to immediately reset your GitHub credentials. We are unable to do this on your behalf, but we are happy to advise in the ticket. GitHub provides details on how to reset credentials in their Updating access credentials documentation.

How to protect yourself

When possible, use a known, safe way to access the VIP Dashboard: Access the VIP Dashboard either directly at this URL: https://dashboard.wpvip.com/ OR by a bookmark that uses that URL. Do NOT access the VIP Dashboard by searching through a search engine such as Google and clicking a link in the results.

Verify you are accessing the genuine site: When authenticating, carefully check the location in the browser to be sure that the domain exactly matches dashboard.wpvip.com.

Be wary of links in messages even if from a known contact: If a colleague or known contact sends you a link, hover over that link and carefully inspect that the domain is dashboard.wpvip.com before clicking it. Be especially wary of any email or message that creates a sense of urgency to log in, particularly if you are then required to authenticate.

Use a password manager: Password managers will check the website domain for you and fill in access details only if this check passes. Password managers also allow you to use very long complex passwords without requiring you to remember them. Password reuse should always be avoided; if you have used the same password on other sites, please go and reset it there as well, picking a unique password for each site.

Activate Multi-Factor Authentication (MFA) everywhere possible: The VIP Dashboard will enforce a final MFA check for all authenticating users, unless your organization uses our single sign-on (SSO) feature. We strongly recommend all your users configure MFA on their GitHub (GitHub MFA documentation) and on WordPress.com (WordPress.com MFA documentation) accounts if they have not done so already.

More advice is available in our documentation here: Security recommendations for users.

[CircleCI Security Alert] Warning: Phishing attempt for login credentials

WordPress VIP offers CircleCI as an optional service for customers. Please reach out to VIP if you think you may have accidentally clicked a link.

Reposting the CircleCI Security Alert from Thursday, September 15, 2022

Yesterday evening (Sept 15), we (CircleCI) became aware of a phishing attempt for customers’ CircleCI and GitHub credentials. We have no reason to believe your organization has been specifically targeted or that your account has been compromised, but want our customers to be aware that there is an ongoing phishing attempt and to exercise due caution.
This is an example of the email impersonating CircleCI in an attempt to gain access to your account:

CircleCI will not require users to login to review any updates to Our Terms of Service. Additionally, these phishing attempts include links that send users to circle-ci[.]com, which is not owned by CircleCI. Any emails from CircleCI should only include links to circleci.com or its sub-domains. If you believe you or someone on your team may have accidentally clicked a link in this email, please immediately rotate your credentials for both GitHub and CircleCI, and audit your systems for any unauthorized activity.

If you need help or have any questions, please do not hesitate to reach out to our team.
To better building,

The Team at CircleCI

Please reach out to VIP if you think you may have accidentally clicked a link.
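The two pieces of advice above, checking that a link’s domain is exactly dashboard.wpvip.com before clicking, and CircleCI’s rule that genuine mail only links to circleci.com or its sub-domains, both come down to one host comparison that is easy to get subtly wrong. The following is an added example (not code from VIP or CircleCI) of that check done properly: the function name link_host_is_allowed(), the allow-list and the sample links are all constructed for the demonstration. It goes slightly beyond the text in that it also covers the lookalike patterns a plain substring test would miss.

```php
<?php
/**
 * Added example, not part of the original post: decide whether a link points
 * at an allowed domain or one of its sub-domains. Run with: php check_link.php
 */
function link_host_is_allowed( $url, array $allowed_domains ) {
    $parts = parse_url( $url );
    if ( false === $parts || empty( $parts['host'] ) ) {
        return false; // unparseable, or no host at all (javascript:, data:, ...)
    }
    $scheme = isset( $parts['scheme'] ) ? strtolower( $parts['scheme'] ) : '';
    if ( 'https' !== $scheme && 'http' !== $scheme ) {
        return false; // only web links are considered
    }
    // parse_url() already separates user-info from the host, so
    // https://circleci.com@evil.example yields host = evil.example.
    $host = strtolower( rtrim( $parts['host'], '.' ) );
    foreach ( $allowed_domains as $domain ) {
        $domain = strtolower( $domain );
        $suffix = '.' . $domain;
        // Exact match, or the host ENDS with ".domain" (a genuine sub-domain).
        // A substring test would wrongly accept circleci.com.evil.example.
        if ( $host === $domain || substr( $host, -strlen( $suffix ) ) === $suffix ) {
            return true;
        }
    }
    return false;
}

// Constructed allow-list: the two genuine domains named in the posts.
$allowed = array( 'circleci.com', 'dashboard.wpvip.com' );

// Constructed sample links: a genuine one, then the patterns to watch for.
$links = array(
    'https://circleci.com/terms'              => true,
    'https://app.circleci.com/pipelines'      => true,  // real sub-domain
    'https://circle-ci.com/login'             => false, // lookalike from the alert
    'https://circleci.com.evil.example/login' => false, // allowed name used as a prefix
    'https://circleci.com@evil.example/login' => false, // allowed name in user-info
    'https://dashboard.wpvip.com/'            => true,
    'https://dashboard-wpvip.com/'            => false, // hyphen instead of dot
    'javascript:alert(1)'                     => false,
);
foreach ( $links as $url => $expected ) {
    $ok = link_host_is_allowed( $url, $allowed );
    printf( "%-42s %-8s %s\n", $url, $ok ? 'allowed' : 'BLOCKED', $ok === $expected ? 'ok' : 'MISMATCH' );
}
```

The same comparison is what a password manager performs before auto-filling, which is why the advice to rely on one holds: it compares the whole host, not a fragment of it.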

VIP Go: Two-Step Authentication Required for Admins

Starting Monday November 14th, two-step authentication will be required for all admins on VIP Go sites via Jetpack SSO. If you have sites on the WordPress.com VIP platform, you’ll remember that two-step authentication has been a requirement for admin users for some time. For any sites using a conflicting SSO plugin, we’ll work with your developers to ensure admin users have two-step authentication enabled as well.

The new requirement will be enforced for admins by default, but will be possible to expand to all users via a filter. We’ll follow up with details following the November 14th deadline.

In the meantime, we recommend ensuring all admin users on your sites have enabled two-step authentication on their WordPress.com account before November 14th. If you try to log into a VIP Go site as an admin with an account that does not have two-step authentication set up, you’ll be directed to the security settings page on WordPress.com.


Explicit Sanitization, Validation, and Escaping

Every line of code that is committed to WordPress.com VIP is reviewed by the VIP Team. One of the most common issues we flag during code reviews is data validation. When writing code for the WordPress.com VIP environment, you’ll need to be extra cautious of how you handle data coming into WordPress and how it’s presented to the end user.

We follow these guiding principles:

  1. Never trust user input.
  2. Escape as late as possible.
  3. Escape everything from untrusted sources (like databases and users), third-parties (like Twitter), etc.
  4. Never assume anything.
  5. Never trust user input.
  6. Sanitization is okay, but validation/rejection is better.
  7. Never trust user input.

These concepts apply to nearly all code in a theme, including many core functions that return a value.

For example, did you know that values passed to JavaScript inside your theme still require sanitization even when they go through wp_json_encode()? wp_json_encode() only guarantees that a value cannot break out of the JSON structure it is embedded in. Depending on how the value is then used, unwanted characters can still pass through as part of a “safe” JSON value.

Consider this pseudo-code:
<?php
$post_id = $_GET['post_id']; // taken straight from the request, unsanitized
$params['url'] = esc_url( "https://www.example.com/?action=get_post&post_id=$post_id" );
?>
<script>
var js_var = <?php echo wp_json_encode( $params ); ?>;
$('#some_link').attr('src', js_var.url);
</script>

Assume 6&action=delete_post is passed as $_GET['post_id']. The resulting URL now carries a second action parameter, so the post would be deleted rather than retrieved. wp_json_encode() passes this URL through untouched because it is a perfectly valid JSON string, but it is not a URL that we want or expect.

Here’s an example of a good way to handle this:
<?php
$post_id = absint( $_GET['post_id'] ); // sanitize on input: only a non-negative integer survives
$params['url'] = esc_url( "https://www.example.com/?action=get_post&post_id=" . absint( $post_id ) ); // and again where the URL is built
?>
<script>
var js_var = <?php echo wp_json_encode( $params ); ?>;
$('#some_link').attr('src', js_var.url);
</script>

It’s best practice to sanitize anything coming in from users as soon as you begin to interact with it, treating it as potentially malicious code right away. Remember to validate or escape on output in order to ensure maximum security.
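To make principle 6 concrete (validation/rejection over sanitization), here is an added example that is not code from the original post. The function names validate_post_id() and build_get_post_url(), the function_exists() stand-ins for absint() and wp_json_encode(), and the sample inputs are all constructed for the demonstration; inside WordPress the real functions exist and the stand-ins are skipped. It goes beyond the snippet above in two ways: it shows what absint() silently does to the tampered value next to a validator that rejects it, and it builds the URL with http_build_query() so every parameter value is percent-encoded.

```php
<?php
/**
 * Added example (not from the original post). Run with: php validate_post_id.php
 * The two stand-ins below only exist so the file runs outside WordPress.
 */
if ( ! function_exists( 'absint' ) ) {
    function absint( $maybeint ) { return abs( (int) $maybeint ); }
}
if ( ! function_exists( 'wp_json_encode' ) ) {
    function wp_json_encode( $data ) { return json_encode( $data ); }
}

/**
 * Validation/rejection: accept a string of decimal digits that represents a
 * positive integer and nothing else. Anything else is rejected, not "fixed".
 */
function validate_post_id( $raw ) {
    if ( is_string( $raw ) && ctype_digit( $raw ) && (int) $raw > 0 ) {
        return (int) $raw;
    }
    return null;
}

/**
 * Build the URL that will be handed to JavaScript. Returns null when the input
 * is rejected, so the caller can answer with a 400 instead of acting on a
 * mangled value. http_build_query() percent-encodes every value, so no extra
 * parameter can ride along even if a future caller passes something weaker.
 */
function build_get_post_url( $raw_post_id, $base = 'https://www.example.com/' ) {
    $post_id = validate_post_id( $raw_post_id );
    if ( null === $post_id ) {
        return null;
    }
    return $base . '?' . http_build_query( array( 'action' => 'get_post', 'post_id' => $post_id ) );
}

// Constructed inputs: a normal request, the tampered value from the post, and junk.
foreach ( array( '6', '6&action=delete_post', '', 'abc' ) as $raw ) {
    printf(
        "%-24s absint() => %-3d validated => %s\n",
        var_export( $raw, true ),
        absint( $raw ),                            // sanitizes: never rejects, silently coerces to 6 or 0
        build_get_post_url( $raw ) ?? 'REJECTED'   // validates: anything unexpected is refused
    );
}

// Handing the value to JavaScript: JSON-encode the whole array and read the key
// on the JS side; never interpolate the raw string into the <script> block.
$params = array( 'url' => build_get_post_url( '6' ) );
echo '<script>var params = ' . wp_json_encode( $params ) . ";\n";
echo "jQuery('#some_link').attr('href', params.url);</script>\n";
```

One caveat when combining this with esc_url(): its default “display” context HTML-encodes the ampersands between query parameters (to &#038;), which is correct for an HTML attribute but not for a value that is emitted as JSON; esc_url_raw() is the variant for that non-HTML context.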

Head over to the Data Validation Codex page to see all of the sanitization and escaping functions WordPress has to offer.

WordPress 3.6.1 Maintenance and Security Release

WordPress 3.6.1 was released yesterday and is a maintenance and security update.

For VIPs running on WordPress.com, no action is required. WordPress.com has already been upgraded to the latest and greatest code.

For self-hosted VIPs, this is a security release for all previous versions and you should update your sites immediately, as it addresses 3 issues fixed by the WordPress security team.

You can see the full release notes here. If you have any questions, please get in touch.

WordPress 3.5.2 Maintenance and Security Release

WordPress 3.5.2 was released last week and is a maintenance and security update.

For VIPs running on WordPress.com, no action is required. WordPress.com has already been upgraded to the latest and greatest code.

For self-hosted VIPs, this is a security release for all previous versions and the Core team strongly encourages you to update your sites immediately. The WordPress security team resolved seven security issues, and this release also contains some additional security hardening.

For more information, click here. If you have any questions, please get in touch.