As we look to the upcoming 2020 U.S. elections, political parties are conducting more virtual events than ever, and media outlets are experiencing major surges in traffic.
In an environment of increasing cybersecurity attacks across the digital landscape, we want to highlight the best-in-class security measures which empower WordPress VIP customers to operate safely and securely throughout the election season and beyond.
This post shares our best practices alongside steps customers can take in the shared responsibility of protecting application security.
With WordPress VIP, customers get built-in security on multiple levels using best practices based on years of experience protecting WordPress at scale. Best-in-class security protection is baked into the platform down to the metal and this is no different during the election season.
All of our origin data centers maintain SSAE 18 SOC 1, SSAE SOC 2 certifications. In addition, the VIP Cloud Hosting Service, under which we act as a data processor, is certified under the EU-U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce.
We are also the only enterprise WordPress platform that has earned the Federal Risk and Authorization Management Program (FedRAMP) “Authorized” status. Global brands in high-risk industries like finance, health, defense, tech, and government choose WordPress VIP to power their applications after conducting extensive security audits and compliance checks.
Visit our security page to learn about the individual components of our security best practices, including network security, data security, vulnerability management, and more.
Security during election season
WordPress VIP has a proven track record of providing a secure and stable platform throughout the election season. During election week in 2016, WordPress VIP provided 100% uptime for customers with significant traffic spikes, including FiveThirtyEight, which received in a single day the amount of traffic we see in an entire week at some of the world’s most popular sites.
In the rare instance of a service disruption, we embrace a key tenet of the Automattic Creed: communication is oxygen.
WordPress VIP will always, as soon as reasonably practical, provide information on the nature of a disruption, the steps being taken to remedy the disruption, and the expected duration of the disruption. Here are a few places to bookmark to stay up-to-date with service statuses:
- In the event of a disruption, Automattic will provide information and updates on the WordPress VIP Lobby and via Twitter @wpvipstatus.
- If the WordPress VIP Lobby is unavailable, information and updates will be provided by email to the address we have on file for your account or via Twitter @wpvipstatus.
- Following a service disruption, Automattic will post information on the cause and resolution of the issue to the WordPress VIP Lobby as soon as it is available.
Quelling potential threats
By its very nature, the open source WordPress platform maintains a strong security posture. Unlike closed and proprietary software, WordPress has an entire ecosystem of contributors actively monitoring for security threats. The WordPress security team, for example, is a global community of experienced developers and security researchers that proactively identifies and resolves vulnerabilities in the software.
As an added layer of protection, WordPress VIP has many active measures in place to combat potential enterprise security threats. These protections include:
- WordPress VIP manages WordPress core updates automatically. Employees of Automattic, WordPress VIP’s parent company, compose about half of the WordPress security team, and its lead is WordPress VIP’s very own Jake Spurlock. Updating themes and plugins is still a customer responsibility, but we help guide customers with any concerns.
- We automatically detect and mitigate brute force login attempts to both /wp-login.php and /xmlrpc.php at our edges as well as within WordPress via our platform and systems teams. Administrator-level users must use 2FA to access any site on our platform.
- All of our web servers are run in read-only mode. This blocks access to the underlying file system which could be used to install a backdoor shell or other malicious files. What this means is that even if user credentials are brute-forced and 2FA is bypassed, an attacker is still unable to execute many common attacks.
- We are committed to reacting quickly to “zero-day” events and working with you on a solution. Zero-day exploits are inherently challenging to defend against because they are novel. However, our proximity to WordPress core development grants us insight into security patches as soon as they are available.
Security is a shared responsibility
Holistic application security is a shared responsibility between WordPress VIP and our customers. That’s why we created a best practices checklist to help ensure your systems and processes play their part in safeguarding your applications, which you can download here:
Security is our number one priority, during election season and every other day of the year. We are deeply committed to safeguarding our customers’ sites and data. For more information on our enterprise-grade security protocols, visit wpvip.com/security or get in touch.
And don’t forget—perhaps the most important step U.S. citizens can take during this election season is to get out and vote!