Is DAST Allowed on WordPress.com?

  • To whom it may concern

    One of our group companies is hosting a website using a WordPress.com IP address (192.0.64.0/18).

    Therefore, I would like to confirm the following two points:
    ① Would you allow us to conduct a web application assessment (DAST), excluding DoS attacks, on a website (IP) built on WordPress.com?
       We understand that an application-layer assessment is necessary if the site includes custom PHP files or features that interact with a DB.
    ② If there is a URL that clearly outlines the terms and procedures regarding the above, please let us know.

    Best regards,

  • The documentation of wordpress.com is very clear: “DAST (Dynamic Application Security Testing) is strictly not allowed on standard WordPress.com sites because aggressive or automated vulnerability scanning triggers platform-wide, automated WAF (Web Application Firewall) blocks.” – https://wordpress.com/support/security/

  • Thank you for your comment!
    However, I believe the existence of a WAF and the prohibition of DAST are separate issues.
    Also, while it says “block communication,” it does not explicitly state “prohibit DAST.”
    Could you please point me to the section in the Terms of Service that explicitly states, “You must not perform DAST,” or “If you perform DAST, you must follow the rules below”?

  • WordPress.com does not officially support or whitelist DAST tools on its infrastructure. In fact, their security policy notes that while you’re free to test your own site, your IP may be temporarily blocked since their systems can’t distinguish you from a malicious actor.

    You can read more about this in the WordPress.com security documentation.

  • I thought that the following text refers to WordPress.com’s own IP address policies, not the policies regarding IP addresses associated with the domains of our group companies.
    However, is it correct to assume that these policies apply to all WordPress.com IP addresses (192.0.64.0/18)?
    > Please bear in mind that if you wish to attempt to test our security measures on your WordPress.com-hosted site, we do not allow for whitelisting.
    > You are free to test whatever you wish, but as our system cannot ensure you are not malicious, your IP address may be temporarily blocked.

    Also, based on the URL below, I thought it might be possible to disable intrusion detection for DAST traffic originating from specific IP addresses. Is this correct?
    https://jetpack.com/resources/wordpress-allowlist-ip/

  • Hi there,

    I wanted to clarify a few points here:

    • WordPress.com does not explicitly prohibit DAST or vulnerability scanning on your own site, and ktok0630, you’re right that the documentation doesn’t state that.
    • However, WordPress.com will not whitelist any IPs or testing suites. Our infrastructure has global WAF protections, rate-limiting, and anti-DDoS layers that cannot be disabled or bypassed for any individual customer.
    • As such, your testing IPs may be temporarily blocked as a result.

    You mentioned you would be excluding this, but I have to note that DoS attacks/simulations are not allowed.

    As for the Jetpack IP allowlisting article that ktok0630 referenced, this applies to self-hosted WordPress sites only, not WordPress.com-hosted sites. It’s an article about restricting access to areas of your site, to allow only certain IP addresses while blocking everyone else.

    Now during your testing, if you do discover any platform-level vulnerabilities, we do offer rewards via our HackerOne bug bounty program.

    Also, to answer your last question: yes, the platform-wide protections apply globally to all WordPress.com-hosted sites, regardless of which specific IP within that range their site resolves to.
