Enterprise security controls
WordPress VIP is purpose-built to be the most secure version of enterprise WordPress running on the web. With WordPress VIP’s unmatched security controls, our customers fuse the flexibility and extensibility of WordPress with the airtight governance and protection required for even the most stringent compliance requirements, including FedRAMP®.
One key way we bring enterprise-grade security to WordPress is through our suite of vulnerability management tools providing code analysis, activity logging, penetration testing, and software and plugin management. These tools empower customers to keep all platform code secure and up-to-date while we help manage necessary components, identify common errors such as memory leaks or buffer overflows, and respond to and patch issues if they arise.
WordPress VIP has several methods for detecting vulnerabilities, including an implementation of WPScan into our own Vulnerability and Update Scan technology.
Vulnerability and update scans are intended to detect security issues and available version updates before plugins and themes are deployed. Once plugins are deployed, they are frequently scanned for known vulnerabilities and available updates. Any issues and updates found will be reported in the Plugins panel of the VIP Dashboard.
To assist with plugin vulnerability management and provide you additional time to implement critical patches, our engineering teams monitor when a high-severity vulnerability is announced for the top plugins in our ecosystem and take steps at the platform level to mitigate it.
WordPress VIP also scans and maintains infrastructure and platform level software, insulating your applications with protections built on our systems. This container vulnerability scanning and audit logging mitigates threats for servers and host software.
WPScan provides a massive vulnerability database focused on WordPress plugins and themes. WordPress VIP uses WPScan to scan all pull requests on your WordPress VIP GitHub repository. Our scan detects any plugins or themes included in the pull request, and will report any known vulnerabilities or available updates.
VIP Code Analysis Bot
The VIP Code Analysis Bot automatically analyzes code pushed to customer applications. These scans surface information on potential vulnerabilities in customer applications, streamlining security governance while offering advanced customizations around bot behavior, type of code scanned, and auto approval configurations. This helps customers maintain the quality of the code submitted and ensures the security and stability of WordPress sites hosted on the VIP Platform.
The VIP Code Analysis Bot is composed of a series of powerful scanners to manage specific vulnerabilities and internal APIs. Capabilities include PHPCS analysis, PHP linting, SVG analysis, and Vulnerability and Update Scan with WPScan.
Logging and auditing
WordPress VIP empowers customers to analyze and investigate security issues in real-time with robust logging and auditing. Our platform logs activity at the application, web server, load balancer, database, and operating system layers so you have granular security visibility at every level of your application.
The Audit Log panel in the VIP Dashboard provides visibility into what is happening in an organization or an application. An audit trail of all management actions on the platform allows compliance with internal and external regulatory standards, and provides insight for debugging, security, and incident investigation.
Security and penetration testing
WordPress VIP battle tests its platform for security so you can be confident we’re prepared for the myriad of security threats propagating on the web. We perform regular internal security testing and engage with third parties to perform platform vulnerability assessments.
This includes continuous penetration testing on our infrastructure for vulnerabilities. In every attack vector, our expertise can help you keep your application safe.
The security of an application hosted on the VIP Platform is a shared responsibility between VIP and its customers.
WordPress VIP also assists with vulnerability management by providing facilitated core WordPress updates. We alert all customers of upcoming WordPress updates and make sure you are on the latest secure version of the platform.
Additionally, we provide customers with the flexibility to switch between PHP, mu-plugins, and Node versions without the need to contact our support teams. This can help prevent languishing outdated software from becoming an easy point of attack for malicious activity.
WordPress VIP also monitors regular security patches for WordPress Core. Because WordPress VIP is managed by active members of the WordPress community, when an issue arises, we can offer a head start for patching it ahead of the fix getting pushed to WordPress Core code.
From WordPress Core, PHP, and MySQL to Memcached, WordPress VIP helps your team to facilitate software management. Each rollout of new software is meticulously planned, and we provide rigorous testing to ensure airtight security and uptime throughout.