The security of your content and the WordPress.com platform are matters that we take very seriously. This page provides a few notes on security at WordPress.com VIP.
Secure Users and Access #
- Ask all of your users to go through our User Security Best Practices checklist and confirm that they’ve taken these steps.
- Consider having us force-enable two-step authentication for users on your site. Two-step authentication requires anyone accessing your site to use their password and a code generated on their mobile device or sent by text to their phone; without access to a user’s device, an attacker cannot login to their account.
- Review the users who have “Administrator” access on your VIP site(s), since they can change key settings. Try to keep this number to a minimum and use other roles to grant users the minimum permissions they need for their work on your site. If an Administrator hasn’t logged in recently, downgrade their access until they need it again.
- Remind your users to set strong passwords for their WordPress.com accounts and to never store their password information (or related details such as two-step backup codes) anywhere that could be accessed by others.
- Consider enabling our New Device Notification plugin so you can be aware when a user logs in from a new or unexpected location.
- Perform regular audits of users and their roles on your VIP site(s), removing inactive users. VIPs with larger networks of sites can request periodic CSV exports of all users/roles so they can automate user list audits.
Secure Code #
Your code works, but is it safe? When writing code for the WordPress.com VIP environment, you’ll need to be extra cautious of how you handle data coming into WordPress and how it’s presented to the end user. Here are some tips to get your started:
- Don’t trust user input or third-party APIs. Always make sure to validate and sanitize all data that can be populated from “outside.” Review our document on Validating, Sanitizing, and Escaping to learn how.
- Try to exploit your code with common XSS methods as a test. Visit http://ha.ckers.org/xss.html for a list of basic XSS attacks and make sure pasting these snippets to input fields or url parameters will not harm your site.
- Make sure to implement nonces to avoid duplicate submission of forms and fraud activities. See https://developer.wordpress.org/plugins/security/nonces/
- When adding menus or registering your plugins, make sure that you use an unique handle or slug other than
__FILE__to ensure that you are not revealing system paths.
Security Scans #
We recognize that VIP sites may wish to perform security scans on their sites, or have 3rd parties do so on their behalf. While this is almost always okay, our systems team may block any traffic that is considered suspicious. This may affect your scan results.
If your team plans to run recurring or intense scans of your site, please open a support ticket in advance of the first scan to provide us with details such as:
- the anticipated IP or block from which the scan will originate
- the frequency and/or duration of the scan