New Changes to Access-Controlled Files

We’ve improved how you interact with access-controlled media files in your non-production environments.

The Access-Controlled Files feature restricts access to files and media uploaded to the WordPress Media Library of a site.

https://docs.wpvip.com/access-and-routing/access-controlled-files/

Non-production environments will automatically inherit the media files access-control settings from their parent environment. 

In addition to this, you will have the flexibility to override these settings on any non-production environment, taking precedence over the parent environment’s configuration. This will give you greater control to tailor access settings for specific environments, potentially useful for testing or staging scenarios.

However, it’s important to be cautious when overriding these settings:

  • Security Risks: Allowing more open access in non-production environments can inadvertently expose sensitive media files, especially if the environment is accessible beyond your internal team.
  • Inconsistent Access: If the settings between environments differ significantly, it could lead to confusion or accidental exposure of files during deployments or migrations.

The process to configure the Access-Controlled Files settings remains the same, as detailed in the documentation.

As a reminder about media on WordPress VIP, in general, files uploaded to a WordPress production environment are automatically shared with and available to associated non-production environments.

For more details please refer to the documentation. Reach out to us if you have any questions!

Insights & Metrics: July 2024 Updates

In April, we announced the launch of our Insights & Metrics panel. Thanks to your feedback, we have diligently improved the experience and are proud to announce new features and improvements today.

Your site is vital to your business. That’s why you partner with WordPress VIP. Application Insights & Metrics gives you the visibility and tools you need to accurately assess the performance and stability of your applications.

Here is a short demo of what you can expect using Insights and Metrics today.

We are excited about the visual polish and user interface improvements we’ve made to the dashboard, but are just as excited about some new features.

You may have noticed the comparison metrics in the demo. These allow you to understand how your current performance is trending at a glance. 

We’ve added new metrics:

  • Application Memory and CPU usage per HTTP request metrics to give you even more insight into how your application is performing. 
  • Your database size over time, in addition to its current size.
  • Terminated MySQL queries that were hidden from view before, but now can be tracked.
  • A view of 500 errors per 1,000 requests serves as an early warning sign of application trouble.

We are also bringing these insights into other parts of the VIP Dashboard. The Database Backup page now shows the total database size, and every deployment page includes a response time graph to quickly assess if the code change affected performance.

To access these insights, log in to your account on the VIP Dashboard and select “Performance” then “Insights & Metrics” for any application. 

Read our documentation on the Insights & Metrics panel.

And we aren’t done yet. We are in the midst of a closed beta of anomaly detection to highlight when important metrics move beyond historical norms. Stay tuned to this space for an announcement of the open beta in a few weeks.

Announcing VIP Learn

The WordPress development resource you’ve been waiting for

Today, we’re excited to announce the launch of VIP Learn

We frequently hear the request for deeper learning and training, a way to empower our customers with the same WordPress expertise we offer in our support and professional services. Well you asked, and we listened. VIP Learn is a comprehensive platform for upskilling your development teams with courses curated by seasoned WordPress VIP Engineers and industry experts. 

  • Obtain enterprise-level WordPress development skills to accomplish more, faster
  • Easily progress through coursework at your own pace
  • Free access, no credit card required

What is VIP Learn?

VIP Learn is a free instructional platform for engineers with intermediate or higher experience levels who are looking to advance their skills in enterprise-level WordPress development. 

While there are many great foundational resources out there to get acquainted with open-source WordPress, VIP Learn is designed to build on existing WordPress knowledge and take those abilities to the next level. 

VIP Learn accelerates learning for WordPress VIP customers and partners, but it is also an open resource for the wider enterprise WordPress community. You don’t have to be a WordPress VIP customer to take advantage of the key principles on the platform, such as security or performance.  

Our aim is to uniquely contribute to your learning journey, providing you with the tools and knowledge needed to excel in your projects and leverage the full potential of the enterprise WordPress.

Courses

With our roots at Automattic and deep connection with the WordPress community, WordPress VIP has cultivated exclusive expertise for building sophisticated, secure, and scalable WordPress applications. 

Our courses include:

  • Enterprise WordPress Security: Dive deep into safeguarding WordPress applications, focusing on identifying and mitigating common security vulnerabilities. This course covers essential techniques such as secure code writing, safe plugin usage, rigorous security testing, and hardening of WordPress configurations. Master practical, real-world strategies to fortify your WordPress sites against potential cybersecurity threats.
  • Enterprise WordPress Performance: Equip yourself with the skills to build high-performing, scalable WordPress applications. Learn performance optimization strategies, including efficient database management, caching techniques, and content delivery optimization. Enhance user experience through improved page load times and overall website performance.
  • WordPress VIP Architecture and Tooling: This course covers the developer-specific tools available on the VIP Platform and how to best use them. Learn to leverage the platform built for enterprise use, with security and performance at scale in its DNA.

How to get started

Engineers can work through course material at their own pace by creating a free account at learn.wpvip.com. The first three courses—Security, Performance, and VIP Architecture and Tooling—are available now. Please look forward to additional courses coming soon. 

Enroll today to push your WordPress development capabilities to new heights.

New Release: Plugin Vulnerability notifications

We’re excited to announce plugin vulnerability notifications on WordPress VIP, enabling rapid triage and response from your teams, and enhancing your site’s security.

Effective immediately, key members of your team will automatically receive emails for HIGH and CRITICAL plugin vulnerabilities, ensuring you can take prompt action on essential security concerns. This critical notification feature is called “Important Alerts”.

Want more comprehensive coverage? Opt in to receive notifications for any vulnerabilities. All delivered through your preferred channels—Slack, Google Chat, Microsoft Teams, a webhook, or email.

We care deeply about the security of your applications running on the WordPress VIP Platform. One of the key methods we utilize to keep your application secure is vulnerability detection.

The VIP platform scans for vulnerabilities before deployment and at regular intervals after deployment, keeping you informed of vulnerabilities found. We scan the code in every pull request for known vulnerabilities before it is deployed, reporting results in easy to read GitHub comments. Deployed code is scanned for newly discovered vulnerabilities, reported on the VIP Dashboard plugins panel where you can easily create a pull request to update the plugin and fix the issue. 

Today, we’re adding notifications of all newly uncovered vulnerabilities discovered in your plugins. You can choose a combination of Slack, Google Chat, or Microsoft Teams, a general-purpose webhook URL, or an email address as destinations for plugin vulnerability notifications

If we find a vulnerability with a severity of HIGH or CRITICAL, we will proactively push an Important Alert. Important Alerts are automatically emailed to all your Organization Administrators. You can easily add additional destinations from the array of supported communications channels, ensuring critical messages always reach the right members of your team or are routed to your own on-call management systems.

To manage your destinations for important alerts:

  1. For any organization choose “Notifications” from the left hand menu
  2. Choose “Manage Alerts” from the “Important Alerts” area near the top of the screen
  3. …from the “Important Alerts” panel the customer can add new or existing destinations, and remove any destinations previously added

To subscribe to newly discovered plugin vulnerabilities for an organisation or application:

  1. For any organization or any application environment choose “Notifications” from the left hand menu
  2. “Add Notification” and choose “Plugin Vulnerabilities”, then configure your notification as usual

If you have any questions or concerns related to this upcoming change, please open a support ticket and we will be happy to assist.

Custom Deployments are now available

Get ready to embrace more flexibility and ownership with the VIP’s newest feature: Custom Deployments.

You may have previously heard of this capability as Bring Your Own Repository. Today, we’re excited to launch it as Custom Deployments, a game-changing tool that empowers your team with even greater independence and control over your development process. 

Custom Deployments liberate you with options beyond our provided GitHub repository, enabling you to send us a deployment-ready artifact directly through the VIP-CLI. It’s our way of putting the reins back in your hands – prepare your code exactly how you want it, and let us handle the rest.

How to get started

Note: This feature is currently only available for WordPress sites. It may be extended to Node applications in the future if there is sufficient interest.

  1. To enable on the VIP Dashboard, go to your target application, then on the sidebar, navigate to “Code” > “Repository” and select “Custom Deployment”
  2. Generate and store the token for Custom Deployment
  3. Run the following command and replace the variables with values relevant to your application and file:
WPVIP_DEPLOY_TOKEN=<token> vip @<app-name>.<env> app deploy <pathToZipOrTarFile> --message <commitMessage>

The VIP-CLI command is available on all versions higher than 3.4.1. You can change your application deployment method per environment and a switch back to “Default Deployment” will automatically deploy the latest version from the wpcomvip GitHub repository. 

Preparing the deployment file

To ensure we can deploy the provided code, you need to provide a zip or tar file containing a parent folder containing all the files from your repo in the same format as the WordPress skeleton. 

Automating this with GitHub Actions

When we talked with customers, a highly requested feature was to have more control over the deployment process by allowing the use of GitHub Actions. We created a reusable action that can now be integrated into your development and deployment workflow. 

For more information, visit our Custom Deployments Guide, which will assist you through every stage of the process.

VIP CLI: Changes to the Media Imports tool

With the recent VIP CLI 3.1.0 release, we have enhanced the performance and stability of the Media Imports tool:

  1. Enhanced error reporting
    • Previously, error reports were limited to displaying a maximum of 250,000 errors. We’ve now removed this limitation, allowing you to view the complete list of errors encountered during your import process. 
    • We have added a prompt to download the error file while checking the status of import, this file will only be available to download for seven days following the completion of your import.
  2. File Size limit increased to 2GB: We have increased the size limit for each file in an import from 1GB to 2GB based on customer feedback.

Please note that we will start rolling out the changes in phases from the 7th of June, 2024. Customers must upgrade to VIP CLI 3.1.0 to be a part of this rollout, and benefit from the upgrades.

Deprecation Notice

We are planning to deprecate use of the media import tool on older CLI versions in favor of the enhanced performance and stability available with the new VIP CLI version. From 15th July, 2024, customers may not be able to initiate media imports using the VIP CLI if it is on a version older than 3.1.0.

New Feature: Insights & Metrics

In December, we announced the availability of our Insights & Metrics panel. Thanks to your feedback, we have diligently improved the experience and are proud to announce new features and improvements today.

Your site is vital to your business. That’s why you partner with WordPress VIP. Application Insights & Metrics gives you the visibility and tools you need to accurately assess the performance and stability of your applications.

Many of you have used this feature in beta to better understand how your application performs directly from the VIP Dashboard. Here is a short demo of what both new and returning users can expect with the official release of Insights and Metrics.

You may have noticed significant improvements to time selection in the demo. We frequently heard the need for more precise controls, and now you have them–including the ability to share a link to a specific time period for improved collaboration.

There are hundreds of metrics you can look at to access your site. The Insights & Metrics panel is designed by our WordPress experts to put the most important numbers at your fingertips. 

The Insights & Metrics panel shows metrics for:

  • Origin response time – measure how fast your application responds.
  • Origin and Edge response codes – quickly track down any application errors.
  • PHP Process – understand application load.
  • Slow MySQL queries – zero in on queries slowing down your users.
  • Cache hit rate – ensure that your application takes full advantage of the VIP’s edge CDN.

To get started, log in to your account on the VIP Dashboard and select “Performance” then “Insights & Metrics” for any application. 

Read our documentation on the Insights & Metrics panel.

And we aren’t done yet. In the coming weeks, we will begin a closed beta of anomaly detection to highlight when important metrics move beyond historical norms.

Important Update: Changes to Email Sending Policy for Your VIP Applications

As part of our ongoing commitment to maintaining robust and secure email-sending practices, we want to communicate an important policy update that will affect how your applications send emails.

New Requirement: Domain Mapping and Verification 

To ensure the integrity and deliverability of emails sent from applications hosted on WordPress VIP, it is now mandatory for all sending domains to be verified and mapped through the VIP Dashboard. A domain must be mapped to the environment from which the emails are sent. Mails sent from unmapped and unverified domains will soon be rejected. 

For detailed guidance on mapping and verifying your domains, please visit: https://docs.wpvip.com/domains/verification/

Requirement: Domain SPF, DKIM, and DMARC DNS Configuration

As explained in previous communications (listed below), the primary changes required for email deliverability are the configuration of SPF, DKIM, and DMARC DNS records for each mapped & verified domain being used to send emails on VIP.

Phasing out: Header Rewrites

Up to now, for emails sent from your VIP environments using unmapped domains, we  have been rewriting the “FROM” header to `[email protected]` as a temporary measure. This was intended to provide some leeway while transitioning to the new requirements. However, to align with best practices and improve service standards, this will be phased out according to the following schedule:

  • Starting March 5 2024: Email sent from non-production VIP servers with unmapped domains  will be rejected.
  • Starting April 1 2024: We will extend this policy for all production environments, rejecting all email from domains that are not correctly mapped to VIP.

Action Required

To avoid disruption to your outgoing email, please ensure that you complete domain mapping and verification , as well as any required DNS security changes before the above-stated deadlines. 

Support and Questions

We understand that this policy update may require you to make specific changes to your current setup. Our team is fully prepared to assist you with a smooth transition. If you have any questions or need support, please feel free to open a support ticket, and we will be happy to help.

Advance Notice: Domain Verification Required for New Domains

At WordPress VIP, we have an ongoing commitment to be the world’s most secure WordPress platform. As part of that commitment, we are pleased to announce secure domain verification. From February 27, 2024, a verification step will be required for all domains added to our platform. Any domains previously added to our platform (legacy domains) are already considered verified, and will not require this step.

To verify a domain you must add a specific TXT record to the domain’s DNS record. The WordPress VIP platform will check for the correct TXT record and update the verification status. Our Domain Verification tool will guide you through the process, and can be found in the VIP Dashboard Domains & TLS panel. You can view the verification status of each domain in the “Verification” column.

Until a new domain has been verified, you will not be able to use it on our platform. Unverified domains cannot receive traffic, provision Let’s Encrypt certificates, be used in our launch tooling, or be used to send emails.

New Relic Management in the VIP Dashboard

We’re excited to announce an enhancement to our VIP Dashboard: Management capabilities of your applications APM from New Relic. This integration simplifies managing New Relic APM for both production and non-production environments, offering a seamless experience in monitoring and optimizing your application’s performance.

New Features at Your Fingertips

  • Easy Activation: Activate New Relic APM for your Production and Non-Production environments directly from the VIP Dashboard.
  • User Access Management: Effortlessly manage who has access to New Relic tools within your team.
  • Flexible Testing in Non-Production: Enable New Relic for continuous 7-day periods in non-production environments, perfect for thorough testing and analysis.
  • Uninterrupted Monitoring in Production: In Production environments, New Relic can be either permanently on or off, offering consistent monitoring without time constraints.

What to Expect

Upon activation, a New Relic entity is created for your application, and New Relic begins sampling HTTP requests. Please note, this may have a minimal impact on application performance, but the insights gained are invaluable for optimizing your user experience.

Ready to Enhance Your New Relic experience?

Get started by navigating to the New Relic section, located under “Performance” in your VIP Dashboard. For more detailed information, please check our documentation. If you’re activating New Relic for your Node.JS application please see our documentation for more advice on how to start reporting data from your application. 

Questions or Need Support?

If you have any questions or require assistance, our support team is always ready to help. Open a support ticket, and we’ll ensure your experience with New Relic APM is smooth and beneficial.