Node.js has recently released security updates for the LTS releases: v20.12.2 and v18.20.2. These updates fix one medium-severity vulnerability. All VIP Node.js sites have received this update.
Questions?
If you have any questions related to this release, please open a support ticket, and we will be happy to assist.
Node.js has recently released security updates for the LTS releases: v20.12.1 and v18.20.1. These updates fix one high-severity and one medium-severity vulnerability. All VIP Node.js sites have received this update.
Questions?
If you have any questions related to this release, please open a support ticket, and we will be happy to assist.
Individuals have maliciously created fake but realistic-looking copies of the VIP Dashboard login screen. The screens aim to trick VIP customers into entering their genuine authentication credentials for GitHub or WordPress.com. This is a criminal technique known as “phishing”.
We include advice below on how to protect yourself and what to do if you may have fallen victim to this attack.
What to do if you suspect you have fallen victim to phishing for the VIP Dashboard
Hackers are experts at social engineering and trying to gain access to computer systems. Sometimes accidents happen, and the most important thing is to take immediate action to limit any damage they can do. The VIP team is here to help you if you are affected.
If you suspect you have fallen victim to these phishing attempts, please take the following steps:
Stop using the suspect website and do not enter any more information into it.
Raise an urgent ticket with our team as soon as possible. This will allow us to swiftly secure your account by resetting your login details and taking any additional necessary measures to protect your data and our systems.
Contact VIP’s Support team by creating a Zendesk Support ticket using one of the following methods:
Zendesk
Log in to the WordPress VIP Zendesk portal at wordpressvip.zendesk.com (carefully check the website address). Mark your ticket as urgent.
VIP Dashboard
Access the VIP Dashboard at dashboard.wpvip.com (again, carefully check the website address)
Select the button labeled “Help Center” located in the upper-right corner
Select the tab labeled “Support”
Mark your ticket as urgent
WordPress Admin Dashboard
Access your WordPress Admin dashboard
Select “VIP” from the left-hand navigation menu of a site’s WordPress Admin dashboard.
Complete the fields in the form titled “Contact WordPress VIP Support”
Mark your ticket as urgent
Select the button labeled “Send Request”.
If you have provided any GitHub or WordPress.com login details on the phishing site, you will also need to immediately reset your GitHub credentials. We are unable to do this on your behalf, but we are happy to advise in the ticket. GitHub provides details on how to reset credentials in their Updating access credentials documentation.
How to protect yourself
When possible, use a known, safe way to access the VIP Dashboard: Access the VIP Dashboard either directly at this URL: https://dashboard.wpvip.com/ OR by a bookmark that uses that URL. Do NOT access the VIP Dashboard by searching through a search engine such as Google and clicking a link in the results.
Verify you are accessing the genuine site: When authenticating, carefully check the location in the browser to be sure that the domain exactly matches dashboard.wpvip.com.
Be wary of links in messages even if from a known contact: If a colleague or known contact sends you a link, hover over that link and carefully inspect that the domain is dashboard.wpvip.com before clicking it. Be especially wary of any email or message that creates a sense of urgency to log in, particularly if you are then required to authenticate.
Use a password manager: Password managers will check the website domain for you and fill in access details only if this check passes. Password managers also allow you to use very long complex passwords without requiring you to remember them. Password reuse should always be avoided; if you have used the same password on other sites, please go and reset it there as well, picking a unique password for each site.
Activate Multi-Factor Authentication (MFA) everywhere possible: The VIP Dashboard will enforce a final MFA check for all authenticating users, unless your organization uses our single sign-on (SSO) feature. We strongly recommend all your users configure MFA on their GitHub (GitHub MFA documentation) and on WordPress.com (WordPress.com MFA documentation) accounts if they have not done so already.
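The exact-domain check described above, the kind a password manager performs before filling in credentials, as an added example that is not WordPress VIP's code. The helper name `checkDashboardLink` and the sample links on the reserved `.example` domain are constructed for illustration; only the expected host comes from this advisory.

```javascript
// Added example, not WordPress VIP code. Only the expected host comes from the advisory.
const EXPECTED_HOST = "dashboard.wpvip.com";

// Hypothetical helper: decide whether a link really leads to the VIP Dashboard.
// It compares the parsed origin, never a substring of the raw text.
function checkDashboardLink(link) {
  let url;
  try {
    url = new URL(link); // same WHATWG URL parsing rules browsers apply
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  if (url.username !== "" || url.password !== "") {
    // Text before "@" is login info, not the site being contacted.
    return { ok: false, reason: `userinfo present, real host is ${url.hostname}` };
  }
  if (url.port !== "") {
    return { ok: false, reason: `non-default port ${url.port}` };
  }
  // hostname is already lowercased and non-ASCII labels are punycode-encoded,
  // so look-alike Unicode letters cannot compare equal.
  if (url.hostname !== EXPECTED_HOST) {
    return { ok: false, reason: `host is ${url.hostname}` };
  }
  return { ok: true, reason: "exact match" };
}

// Constructed sample links (not taken from any real campaign).
const SAMPLES = [
  "https://dashboard.wpvip.com/",
  "https://DASHBOARD.WPVIP.COM/login",
  "http://dashboard.wpvip.com/",
  "https://dashboard.wpvip.com.login.example/",
  "https://dashboard.wpvip.com@login.example/",
  "https://dashb\u043eard.wpvip.com/", // Cyrillic "о" in place of Latin "o"
];

for (const link of SAMPLES) {
  const { ok, reason } = checkDashboardLink(link);
  console.log(`${ok ? "PASS" : "FAIL"}  ${link}  (${reason})`);
}
```

Only the first two samples pass; the others contain the expected name somewhere in the text but resolve to a different scheme or host once parsed.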
Security support for PHP version 8.1 will end on November 25, 2024. As part of VIP’s continued focus on your application’s security, we are committed to ensuring all customers have updated to PHP 8.2 ahead of this date. Below, you will find VIP’s PHP update timeline.
If customers have not updated their environments by the dates outlined, VIP will update the environments on the customer’s behalf. Please note that any updates made by VIP could result in issues if the proper customer testing has not been completed. If issues arise, we’ll do our best to assist where we can, but ask that you please test and deploy the update ahead of this schedule, to avoid any interruptions. This update cannot be deferred, and VIP is here to support you and your team as you work toward it.
VIP Timeline For Environments Not Yet On PHP 8.2
Tuesday, October 29, 2024: VIP Updates Non-Production Environments to PHP 8.2. VIP will begin updating all non-production environments that are not yet on PHP 8.2. We are proceeding with non-production environments first to provide customers time to address any issues that arise as a result of the update, before updating production environments.
Tuesday, November 12, 2024: VIP Updates Production Environments to PHP 8.2. VIP will begin updating all production environments that are not yet on PHP 8.2. After this date, working with your teams on post-update issues will be the priority.
Instead of the do-it-yourself approach, focus on your key priorities while our experienced staff manage, validate, and implement your PHP update for you with the specific needs of your applications in mind. Maximize your team’s resources, improve site stability, and unlock peace of mind with our Upgrade Assurance Service. This is a popular new service that we offer, for both WordPress and PHP updates, so we recommend securing your spot early. If you’re interested in learning more, please connect with your Relationship Manager, or reach out to our Support Team.
Helpful Resources
Support: VIP is here to help along the way, and our Support team is always available to answer questions as you and your team work through the update. Please don’t hesitate to reach out if you need assistance.
Tooling: Your application’s software versions can be managed directly by you in the VIP Dashboard.
To better plan for the road ahead, please be aware of the current security support end-of-life (EOL) schedule for the following PHP versions. These dates are pulled from the official PHP schedule, here. VIP will continue to post to the Lobby with our updated timeline for each year, which will likely follow the same outline as shared above, wrapping up roughly 2 weeks ahead of the PHP date.
We are delighted to announce that the Parse.ly plugin version 3.14 will become available in VIP staging and production environments on Tuesday, March 12, 2024. Before using it in production, we recommend testing the new release in staging.
This release will become the default in production on Tuesday, March 19, 2024, and all non-pinned environments will be auto-upgraded to this version. These changes do not affect customers who don’t use wp-parsely, or use an integration method outside of mu-plugins.
What’s new
The new smart linking feature can automatically embed related links within a block or an entire post. It uses Parse.ly AI to identify the most relevant and high-performing content on your site, and automatically embeds them as links in the post. Not only does this save you time otherwise spent finding related content, but embedded links improve recirculation and increase traffic and engagement across your site. This feature is entirely opt-in, as are all our other AI features.
The new option to use full metadata for non-posts helps Parse.ly customers see metadata for non-posts in their Parse.ly dashboard. For questions or support on this new capability, please contact support@parsely.com.
New and improved look for the Content Helper! In the last few months we’ve introduced several pre-publishing tools that are powered by AI, and with this release we are making it easier for you to publish faster in one view, and see how your work is performing in another view. Our goal is to simplify and streamline your experience in the WordPress block editor so you can work more efficiently, and we hope this updated user interface will help with that!
To complement all this work, we made internal changes to enable our use of the latest version of the Parse.ly AI API, which should improve the quality of suggestions and also allow for additional features in the future.
As part of our ongoing commitment to maintaining robust and secure email-sending practices, we want to communicate an important policy update that will affect how your applications send emails.
New Requirement: Domain Mapping and Verification
To ensure the integrity and deliverability of emails sent from applications hosted on WordPress VIP, it is now mandatory for all sending domains to be verified and mapped through the VIP Dashboard. A domain must be mapped to the environment from which the emails are sent. Mails sent from unmapped and unverified domains will soon be rejected.
Requirement: Domain SPF, DKIM, and DMARC DNS Configuration
As explained in previous communications (listed below), the primary changes required for email deliverability are the configuration of SPF, DKIM, and DMARC DNS records for each mapped & verified domain being used to send emails on VIP.
Up to now, for emails sent from your VIP environments using unmapped domains, we have been rewriting the “FROM” header to `donotreply@wpvip.com` as a temporary measure. This was intended to provide some leeway while transitioning to the new requirements. However, to align with best practices and improve service standards, this will be phased out according to the following schedule:
Starting March 5, 2024: Email sent from non-production VIP servers with unmapped domains will be rejected.
Starting April 1, 2024: We will extend this policy to all production environments, rejecting all email from domains that are not correctly mapped to VIP.
Action Required
To avoid disruption to your outgoing email, please ensure that you complete domain mapping and verification, as well as any required DNS security changes, before the above-stated deadlines.
Support and Questions
We understand that this policy update may require you to make specific changes to your current setup. Our team is fully prepared to assist you with a smooth transition. If you have any questions or need support, please feel free to open a support ticket, and we will be happy to help.