WordPress VIP Achieves FedRAMP Moderate ATO

We’re thrilled to announce that WordPress VIP has achieved FedRAMP Moderate Authority to Operate (ATO), making it the first managed WordPress platform to meet the rigorous security and compliance standards required for U.S. federal agencies and highly regulated industries.

For this authorization, WordPress VIP demonstrated a secure, scalable, and compliant CMS solution that empowers the largest organizations on the web, including government agencies, to deliver fast, accessible, and reliable digital experiences.

FedRAMP (Federal Risk and Authorization Management Program) is one of the most rigorous cloud security assessments in the world. It ensures that cloud-based services meet stringent security requirements before federal agencies can use them. 

What this means:

  • The vast majority of federal agencies and contractors can now leverage WordPress VIP’s secure and compliant cloud solution. 
  • Our platform includes hundreds of security controls covering encryption, access management, continuous monitoring, and incident response. Our ongoing compliance with FedRAMP standards is maintained through ongoing security scans and annual audits by certified independent assessors.
  • Customers in highly regulated industries, including healthcare, finance, and technology benefit from the same enhanced security posture.

This achievement is a testament to the dedication of our team and our ongoing investment in secure, enterprise-grade WordPress solutions. For more details, visit our announcement.

Call for Testing: Jetpack 14.5-beta

Jetpack 14.5-beta is available now for testing and the download link is available here

Jetpack 14.5 will be deployed to VIP on Tuesday, April 15, 2025*. The upgrade is expected to be performed at 17:00 UTC (1:00PM ET).

*This deployment date and time are subject to change if issues are discovered during testing of the Jetpack release.
A full list of changes is available in the commit log.

What is being added or changed?

Enhancements

  • Add page view count in the post and page list.
  • Add the Account Protection module toggle.
  • Connection: Allow pre-selected login providers.
  • Forms: Add block integrations modal with feature flag.
  • Forms: Add third-party integration endpoint.
  • Improve the onboarding experience of Jetpack.

Improved compatibility

  • Components: Update controls to prevent more deprecation notices.

Bug fixes

  • Fix display name when listing gravatar accounts.
  • Map block: Increase compatibility of components, preventing console warnings.
  • Newsletter: Ensure aria-label attribute on dashboard welcome message section is correctly spelled.
  • Stats: Fix date processing for “At a Glance” chart.
  • Story block: Avoid PHP warnings when using video files.
  • Video: Fix auto-reload after upload completes.

What do I need to do?

We recommend the below:

  1. Installing the release on your non-production sites using these instructions.
  2. Running through the testing flows outlined in the Jetpack Testing Guide.

As you’re testing, there are a few things to keep in mind:

  • Check your browser’s JavaScript console and see if there are any errors reported by Jetpack there.
  • Use Query Monitor to help make PHP notices and warnings more noticeable and report anything you see.

Questions?

If you have any questions, related to this release, please open a support ticket and we will be happy to assist.

Call for Testing: WordPress 6.8 RC1

The WordPress 6.8 Release Candidate 1 is now available on WordPress VIP. Use the Software Management page to update your non-production sites to WordPress 6.8 for testing.

What’s Changing?

WordPress 6.8 Release Candidate 1

Testing this release candidate is the next step in preparing your site for the WordPress 6.8 release slated for April 15, 2025.

How to test WordPress 6.8

Local Environment

Ensure VIP-CLI is updated:
npm update -g @automattic/vip

Update environment:
vip dev-env update --slug SITENAME

Non-production

Alternatively, you may update a non-production site to WordPress 6.8 RC1 now.

Within the Software Management section of the VIP Dashboard, you can select your non-production environment and change the WordPress version to “6.8″ within the “Testing” section.

Testing is vital to polishing the release during the Release Candidate and a great way to contribute. ✨

Not for Production Environments

WordPress VIP does not recommend using Release Candidate or Beta versions in production environments. Any sites that have managed updates will automatically be updated to WordPress 6.8 when released on April 15.

Questions?

If you have testing feedback or questions related to this release, please open a support ticket, and we will be happy to assist.

Removing restrictions on Media Imports 

Following feedback from customers, we’re pleased to make media imports even easier on the VIP Platform. We have now removed all limits for what file types can be imported using our VIP-CLI tool.

Previously our import tool matched the default limitations in WordPress, allowing the import of files as long as they matched a list of allowed file types. Uploading disallowed file types prior to this update required contacting support. After consultation on the security implications, we are happy to remove this restriction allowing any file of any type to be imported using the vip import media command provided by our CLI.

No updates to the VIP CLI are necessary for you to benefit from this improvement.
We’re always pleased to receive feedback from customers and improve our product to make your work easier. Our documentation on media imports contains more details, and please reach out to us if you have any questions!

New Feature: Deny Requests Based on User Agent

We’re excited to introduce another new access control feature in the VIP Dashboard. You can now block requests based on the user agent, adding an additional layer of protection for your application powered by the VIP CDN.

What’s New?

This feature allows you to block requests from specific user agents, such as AI crawlers and unwanted bots, before they even reach your application. With better control of the traffic accessing your site, you can ensure that unwanted traffic doesn’t impact your app’s performance.

Rules for managing User Agent blocks can be managed in the VIP Dashboard, from the User Agents page, located under the Security Controls section of the VIP Dashboard. Requests can be blocked based on exact or partial matches of user agent strings.

Why This Matters

  • Edge-Based Denial: Requests are blocked at the VIP CDN, reducing application load and ensuring faster response times for legitimate users.
  • No Deployments Required: Easily enable and manage this feature directly from the VIP Dashboard — no code changes or deployments needed.
  • Granular Control: Set rules to block full or partial user-agent strings for better control over your traffic.
  • Independent of IP Restrictions: Use this feature alone or combine it with IP address restrictions for enhanced security.

If you’re currently using the VIP_Request_Block class in your application code to manage user agent blocks, we’ve created a guide to help you transition to this new, easier method of restricting access.

Find out more about this feature in our documentation. 

Call for Testing: WordPress 6.8 Beta

WordPress 6.8 Beta is now available. This is the first beta released as part of the 6.8 development cycle and can be deployed to non-production environments in your WordPress VIP dashboard.

The current target for the final release is April 15, 2025

What is being added or changed?

WordPress 6.8 Beta 1 contains over 370 enhancements and 520 bug fixes for the editor, including design improvements, polishing the query loop, and more than 230 tickets for WordPress 6.8 Core. Here’s a glimpse of what’s coming:

Editor improvements

Easier ways to see your options in Data Views, and you can opt to ignore sticky posts in the Query Loop. Plus you’ll find lots of little improvements in the editor!

The Style Book comes to Classic themes

The Style Book now features a structured layout so you can preview site colors, typography, and block styles more easily. You can use the Style Book in classic themes with editor-styles or a theme.json file and includes clearer labels, and you can find them under Appearance > Design.

Support for Speculation browser API

WordPress 6.8 introduces native support for speculative loading, leveraging the Speculation Rules API to improve site performance with near-instant page loads. This feature prefetches or prerenders URLs based on user interactions, such as hovering over links, reducing load times for subsequent pages.

Major security boost

WordPress 6.8 will use bcrypt for password hashing, which significantly hardens WordPress. Other hashing is getting hardened, too, throughout the security apparatus. You won’t have to change anything in your daily workflow.

How to test the upgrade on a local environment

The quickest way to test locally is to use the VIP Local Development Environment.

To update an existing environment:

vip dev-env update -w=6.8 --slug=mytestsite

To create a new one:

vip dev-env create -w=6.8 --slug=mytestsite

How to test the upgrade on a VIP Platform environment

You can update your non-production environments by running the trunk version of WordPress from within the Software Management section of the VIP Dashboard or by running the vip config software update command with VIP-CLI.

For example:

vip @mytestsite.production config software update wordpress trunk

Call for Testing: Jetpack 14.4-beta

Jetpack 14.4-beta is available now for testing and the download link is available here

Jetpack 14.4 will be deployed to VIP on Tuesday, March 18, 2025*. The upgrade is expected to be performed at 17:00 UTC (1:00PM ET).

*This deployment date and time are subject to change if issues are discovered during testing of the Jetpack release.

A full list of changes is available in the commit log.

What is being added or changed?

Enhancements

  • Newsletter: Add newsletter widget header row behind a feature flag.
  • Newsletter: Add footer widget section.
  • VideoPress: Add title to the attachment details view.

Bug fixes

  • Forms: Ensure non-rendering fields to not trigger validation or show value in form submission response.
  • Forms: Fix 404 error when a user submits an invalid form with JavaScript disabled.
  • Gravatar Widget: Fix linked accounts not showing.
  • Publicize: Fix disconnect command not working.
  • Widget Visibility: Fix possible fatal errors for widgets using anonymous functions as callbacks.

What do I need to do?

We recommend the below:

  1. Installing the release on your non-production sites using these instructions.
  2. Running through the testing flows outlined in the Jetpack Testing Guide.

As you’re testing, there are a few things to keep in mind:

  • Check your browser’s JavaScript console and see if there are any errors reported by Jetpack there.
  • Use Query Monitor to help make PHP notices and warnings more noticeable and report anything you see.

Questions?

If you have any questions, related to this release, please open a support ticket and we will be happy to assist.