How VIP Mitigated Two Major Security Vulnerabilities
At WordPress VIP, cybersecurity is of utmost importance. We keep our customers’ websites safe 24/7, even with issues they never end up hearing about. We want to shed light on how we recently mitigated some significant security vulnerabilities, ensuring that VIP customers’ online presence remains safe and sound.
Recently, we quickly and safely mitigated two high-profile issues, namely HTTP/2 and Curl. These vulnerabilities made headlines for their widespread notoriety, but the VIP Systems team is consistently identifying potential risks targeting all the largest sites on the web, and taking expert, decisive action to neutralize them. Let’s take a look at these issues that affected nearly 100 percent of the internet and how we were able to keep them far, far away from our customers.
HTTP/2
On October 10, 2023 Cloudflare, Google, Amazon and others posted about how HTTP/2, a protocol aimed at enhancing website loading speeds and efficiency, had a critical vulnerability. This vulnerability allowed attackers to potentially conduct Distributed Denial of Service (DDoS) attacks on websites using fewer resources.
Nearly every web server in the world, including those at WordPress VIP, uses the HTTP/2 protocol and was susceptible to this threat.
A patch for the next version of the affected software was created soon after the disclosure, and the WordPress VIP team deployed it to all of our web servers ahead of the general release. We completed this deployment within hours of the vulnerability being announced to ensure that sites with WordPress VIP were safe.
Without swift mitigation of the HTTP/2 issue, our customers could have been susceptible to DDoS attacks, causing downtime and potential data breaches. Our prompt action prevented this from happening and kept our customers safe.
Curl
Curl, a popular tool for transferring data with URLs, was at the center of another security concern on October 3, 2023. This vulnerability garnered significant attention, though WordPress VIP was quick to analyze the threat and take appropriate steps to safeguard our customers from it.
If not for the rapid response, a motivated and resourceful bad actor could have exploited the Curl vulnerability to launch DDoS attacks.
We were prepared for efficient deployment of the new version of the Curl software (available on October 11, 2023) across our infrastructure. That deployment was completed within hours, and sites on WordPress VIP are now protected against the issue.
How do we find out about these issues so quickly?
While every security vulnerability presents its unique challenges, The WordPress VIP team’s expertise and commitment to customer safety makes it possible to resolve them swiftly.
We’re always vigilant when it comes to security threats. We employ various methods to stay informed about potential vulnerabilities as soon as they pop up:
- Automated Scans: We use automated scans to detect known vulnerabilities and assess their severity.
- NIST and Industry Watchdogs: We closely follow the National Institute of Standards and Technology (NIST) and other industry watchdogs to stay updated on published vulnerabilities.
- Advance Notice: For WordPress vulnerabilities, with our parent company Automattic being a major contributor to WordPress core, we get advance notice from the WordPress core security team, allowing us to patch issues before public disclosure.
- White Hat Hackers: We actively engage with white hat hackers. They help us discover vulnerabilities, which we promptly address before public disclosure.
How are we able to mitigate them?
Mitigating security vulnerabilities is a meticulous process that we undertake with great precision:
- Patch Deployment: As soon as we identify a vulnerability, we deploy patches to address the issue.
- Pre-Mitigation: In some cases, we pre-mitigate vulnerabilities before official patches become available to protect our VIP customers.
- Rapid Response: Our globally distributed systems team operates 24/7 to ensure rapid response to urgent security issues.
What goes into our rapid response?
At WordPress VIP, your security is paramount. We have a highly competent and dedicated team with a deep understanding of security issues and best practices. We take every possible measure to deal with security issues as quickly as possible, whether they make headlines or stay hidden in the shadows.
Our ability to mitigate vulnerabilities quickly is attributed to several key factors:
- Dedicated Teams: We have 24/7, on-call teams that focus on monitoring, detection, and mitigation of security vulnerabilities.
- Global Coverage: With globally distributed teams covering different time zones, we can address issues as soon as they arise, regardless of the time of day.
- Efficient Processes: We have well-defined processes in place for handling security issues, enabling us to act swiftly and effectively.
- Proactive Measures: Our proactive approach involves staying ahead of potential threats and taking necessary steps to safeguard our customers’ websites.
- Priority-Based Scheduling: We prioritize tasks based on urgency, ensuring that critical security vulnerabilities are addressed immediately.
The recent experiences with the HTTP/2, and Curl vulnerabilities highlight our commitment to keeping your online presence secure at all times, mitigating some threats before they even reach our customers’ radar. Your peace of mind is our priority, and we’ll continue to uphold the highest standards of security to keep your online presence safe and sound.
Contributors
Jaye, Systems Engineer, VIP
Jacob Smith, Technical Account Manager, VIP