Patchstack News Archives - Patchstack
https://patchstack.com/category/patchstack-news/
Wed, 04 Mar 2026 13:51:37 +0000

JetHost Partners with Patchstack for Proactive WordPress Security
https://patchstack.com/articles/jethost-partners-with-patchstack-for-proactive-wordpress-security/
Wed, 04 Mar 2026 13:37:07 +0000

We’re excited to announce that JetHost has partnered with Patchstack to bring proactive vulnerability protection to WordPress websites hosted on its platform.

JetHost is a modern hosting provider built by industry veterans with more than 20 years of experience, offering a platform optimized for WordPress and WooCommerce websites, combining performance-focused architecture and secure hosting environments to support businesses, agencies, and developers at every stage of growth.

And with Patchstack, they get a security partner they can rely on.

Our partnership with Patchstack strengthens our ability to deliver proactive protection to our clients. Rather than simply reacting to emerging threats, we can now help prevent vulnerabilities from being exploited in the first place. This collaboration represents a strategic advancement in our security offering and reinforces our commitment to delivering high-value, future-ready web hosting solutions.

Metodi Drenovski, JetHost

Strengthening WordPress security at the hosting layer

WordPress powers a significant portion of the web, but its open ecosystem also means an increasing number of vulnerabilities in plugins and themes. While applying updates remains the best defense, many websites are exposed during the period between vulnerability disclosure and update availability.

Through this partnership, JetHost customers can activate Patchstack-powered vulnerability monitoring and mitigation, helping prevent known vulnerabilities from being exploited even before updates are applied.

JetHost's Business plan users will automatically receive Patchstack protection included with their accounts for one domain of their choice, while users on other plans can enable Patchstack for $3.99/domain/month.

This integration enables:

  • Continuous vulnerability monitoring for WordPress plugins and themes
  • Mitigation rules to block exploit attempts targeting known vulnerabilities
  • Security alerts that help site owners respond quickly to risks

By combining hosting infrastructure with vulnerability intelligence, JetHost helps its customers reduce security risks and maintain website stability.

JetHost's Patchstack integration

Advancing security across the WordPress ecosystem

JetHost views WordPress security as a foundational part of hosting, and Patchstack provides the largest vulnerability intelligence database in the WordPress ecosystem and protects millions of websites through real-time mitigation and threat intelligence.

Together, we are working toward a safer WordPress ecosystem where websites remain protected even as new vulnerabilities emerge.

Clients who choose to activate the service benefit from continuous vulnerability monitoring, mitigation, and timely alerts related to plugin and theme risks, providing enhanced protection, reduced downtime, and greater operational confidence.

Metodi Drenovski, JetHost

Learn more about the integration in JetHost's post.

BigWetFish Hosting Partners with Patchstack for WordPress Security
https://patchstack.com/articles/bigwetfish-hosting-partners-with-patchstack-for-wordpress-security/
Fri, 27 Feb 2026 09:26:07 +0000

We’re thrilled to announce that BigWetFish Hosting, a trusted UK & Ireland-based web hosting provider known for fast performance, dependable support, and WordPress-optimized hosting, has integrated Patchstack for proactive WordPress vulnerability protection.

As part of this integration, BigWetFish customers will now get Patchstack’s automated vulnerability detection and mitigation, allowing them to protect their WordPress sites from emerging threats - especially during the window between vulnerability disclosure and updates.

Security is not just a feature at Big Wet Fish Hosting; it is part of our responsibility as a hosting provider. We understand that many WordPress site owners are busy running their businesses, and updates do not always happen immediately. By partnering with Patchstack, we are adding an extra layer of proactive protection against newly discovered vulnerabilities, helping safeguard our customers’ websites even when they fall behind on updates. This integration is another step in raising the standard of managed WordPress hosting.

Stephen Kinkaid, BigWetFish Hosting

Preventing - not only reacting

Security threats in the WordPress ecosystem continue to grow. Heavily exploited vulnerabilities also see a median time to exploit of 5 hours.

And while updates remain critical, site owners don’t always apply them immediately, leaving websites exposed during the gap between vulnerability disclosure and patching.

Through this integration, Big Wet Fish Hosting customers now benefit from:

  • Real-time vulnerability monitoring
  • Protection against exploitation attempts through RapidMitigate rules
  • Reduced risk during delayed updates

Patchstack works at the application layer to block malicious requests targeting known vulnerabilities, providing an additional layer of defense beyond traditional hosting security controls.

Protecting WordPress - together

Patchstack protects millions of WordPress websites by providing the largest vulnerability database in the WordPress ecosystem and delivering real-time mitigation rules against exploitable threats.

And by partnering with Patchstack, Big Wet Fish Hosting joins a growing network of hosting providers committed to improving security standards across WordPress hosting, so customers don't have to choose between performance, reliability, and protection.

We’re proud to work with Big Wet Fish Hosting to make sure users can focus on growth while we handle the security.

ManageWP Partners with Patchstack for Protection at Scale
https://patchstack.com/articles/managewp-partners-with-patchstack-for-protection-at-scale/
Thu, 19 Feb 2026 11:59:20 +0000

ManageWP has been making the lives of WordPress professionals and agencies easier for years within the GoDaddy ecosystem - helping them manage updates, backups, monitoring, and reporting at scale.

Today, we're excited to announce that its security is getting a major upgrade with the introduction of Patchstack’s vulnerability detection and proactive protection.

You know what our users told us? They're tired of scrambling every time a vulnerability drops. They wanted protection that actually gives them breathing room. That's exactly what Patchstack does. Their protection blocks threats while our users plan and test updates properly. No more emergency fixes, no more 2 AM panic. Just good security that fits into how they actually work.

Predrag Zdravkovic, ManageWP

What Patchstack Protection adds to ManageWP

With 7,966 vulnerabilities identified in 2024 and exploits often beginning within 5 hours of public disclosure, WordPress sites are exposed during the most dangerous period - the gap between disclosure and patching.

For agencies managing dozens or hundreds of sites, manually reacting within that window simply isn’t scalable.

Patchstack's RapidMitigate protection closes that window by applying targeted mitigation rules up to 48 hours before vulnerabilities go public, even before plugin developers release updates, and blocking attack attempts.

ManageWP users will be able to immediately see:

  • Identified vulnerabilities across plugins, themes, and core
  • Exploit attempts that were automatically mitigated
  • Threat intelligence details, including attack types and malicious IPs
  • Protection status across all managed sites

MainWP Patchstack integration

No separate logins, no switching between platforms. Simply protection running automatically inside the dashboard that agencies already use every day.

The Patchstack team didn't just hand us an API and wish us luck. We worked together to make sure the integration felt native to ManageWP, that the data showed up where our users expected it, and that enabling protection was as simple as clicking a button. That collaborative approach made all the difference.

Predrag Zdravkovic, ManageWP

Partnering to protect WordPress professionals

With Patchstack Protection now built directly into the ManageWP dashboard, WordPress professionals can stay protected automatically - without adding another tool, another login, or another thing to constantly monitor.

Vulnerabilities get mitigated before they go public, sites stay secure in the background, and updates can happen on your schedule instead of in panic mode.

Together with ManageWP, we’re making proactive vulnerability mitigation part of the everyday WordPress workflow - not an afterthought, not a separate tool, but a built-in layer of protection.

And this is just the beginning.

Zone.ee Partners with Patchstack for Automatic WordPress Protection
https://patchstack.com/articles/zone-ee-partners-with-patchstack-for-automatic-wordpress-protection/
Tue, 17 Feb 2026 13:10:25 +0000

We’re excited to announce a new partnership with Zone.ee, one of the leading hosting providers in the Baltics, known for delivering reliable infrastructure and user-friendly tools to businesses, developers, and agencies.

Through this partnership, Patchstack’s proactive WordPress vulnerability protection is now available directly via Zone+, making advanced security simple to activate and seamlessly integrated into the hosting experience.

At Zone, we believe WordPress security should be proactive, not reactive. Partnering with Patchstack allows us to deliver advanced vulnerability protection directly to our customers without added complexity. Through Zone+, our customers can activate Patchstack in just a few clicks, making professional-grade security part of their everyday workflow. Together, we’re setting a higher standard for WordPress security.

Kaarel Urva, Zone.ee

Raising the standard for WordPress security

With thousands of new WordPress vulnerabilities discovered every year and exploit attempts often beginning within 5 hours of disclosure, proactive mitigation is no longer optional. It’s essential.

And at Zone, security isn’t treated as an afterthought. It’s built into the platform experience.

Patchstack’s protection is a natural fit: powered by the world’s largest WordPress vulnerability intelligence network, trusted by developers, agencies, and hosting providers globally.

Seamless activation through Zone+

Patchstack is now available inside the Zone+ app catalogue, allowing customers to activate protection in just a few clicks to receive:

  • Continuous vulnerability monitoring
  • Automatic virtual mitigation rules to prevent vulnerability exploits
  • Application-layer protection against plugin and theme exploits
  • Lightweight security with no performance trade-offs or code changes

This partnership ensures that professional-grade WordPress security is no longer reserved for large teams. It’s accessible to every Zone customer without complex setup or additional infrastructure changes.

Protection runs quietly in the background, while users maintain full visibility into detected vulnerabilities and blocked threats.

As Zone highlights:

Proactive WordPress security shouldn’t be complicated. Together with Patchstack and through Zone+, we’re making advanced vulnerability protection simple, seamless, and accessible for our customers.

Kaarel Urva, Zone.ee

Setting a higher bar for hosting security

Hosting providers play a critical role in shaping the security posture of the WordPress ecosystem. When protection is built into the hosting layer, customers don’t have to think about whether they’re secure - they simply are.

After all, security shouldn’t depend on how technical a customer is. It should be part of the foundation.

Together with Zone.ee, we’re making that foundation stronger.

Grid Design Agency Partners with Patchstack to Strengthen WordPress Security
https://patchstack.com/articles/grid-design-agency-partners-with-patchstack-to-strengthen-wordpress-security/
Mon, 02 Feb 2026 12:53:46 +0000

We’re happy to share that Grid Design Agency, a cutting-edge brand and website development agency based in London, the UK, has just introduced Patchstack to secure its clients' websites.

Known for building high-performing, design-led WordPress experiences, Grid Design Agency now uses Patchstack to ensure those sites stay secure long after launch.

We design and build WordPress sites for serious businesses, where security at scale is a real challenge. Patchstack handles it quietly in the background, so we can focus on shipping fast, scalable products with confidence.

Sy Crampton, Director @ Grid Design Agency

Securing digital experiences with Patchstack

Grid Design Agency now includes Patchstack as part of its WordPress security stack to ensure clients' websites are protected against known and emerging vulnerabilities.

Patchstack adds an extra layer of protection by continuously monitoring the WordPress ecosystem for newly disclosed vulnerabilities and blocking exploitation attempts before damage occurs. With hyper-targeted mitigation rules, threats are stopped at the source - without impacting site performance or functionality.

This proactive approach allows Grid Design Agency to deliver peace of mind alongside exceptional design and development work.

Helping agencies deliver better security

By integrating Patchstack into its security stack, Grid Design Agency strengthens its ability to protect client websites at scale, reducing risk, minimizing emergency fixes, and helping clients stay online and trusted.

We’re excited to join forces with Grid Design Agency and help ensure that the incredible websites they build remain secure over time.

And with Patchstack now part of their security stack, Grid Design Agency joins the company of WordPress professionals and hosts shifting to proactive protection. And for agencies looking to raise the standard of WordPress security, Grid Design shows what’s possible.

The Myth of Secure Hosting - Only 26% of Vulnerability Attacks Blocked By Hosts
https://patchstack.com/articles/myth-of-secure-hosting-only-26-percent-of-vulnerability-exploits-blocked-by-hosts/
Fri, 23 Jan 2026 11:24:32 +0000


"Secure hosting" is a phrase that's increasingly used, and most hosts offer some level of security as part of their services. This mostly refers to known security suites like Cloudflare or in-house firewall solutions. But most of these solutions are ineffective against WordPress vulnerability exploits.

In 2025 we conducted a limited experiment to see if popular web hosting solutions could prevent attacks against known exploited vulnerabilities.

In the test we used 11 vulnerabilities that were known to be exploited in real-world attacks. We then tested these attacks on hosts using various solutions, from big security suites like Cloudflare to custom firewalls.

The shocking answer was that 88% of attacks we ran resulted in a successful site takeover.

But we wanted to see what would happen if we expanded the scope of the experiment. So for our second test, we decided to include more hosting companies, more different defensive layers, and more vulnerability types.

Our assumption was that the number of successful attacks would decrease as hosts would be better at blocking the more generic, non-WordPress specific vulnerabilities.

The new results show that while hosts overall did a little better against more generic attacks, 74% of all attacks still succeeded. Furthermore, this test also included the same 10 original vulnerabilities we tested in the first experiment. We had expected the hosts to react & mitigate those after our reports, but this was largely not the case.

It was worrying to see how many of the vulnerabilities were still not addressed by companies that had been tested previously.

Kevin Ohashi, WPHostingBenchmarks.com

We know WordPress vulnerabilities are still on the rise, and vibe-coding practices will only exacerbate the problem. Furthermore, Google reported that time-to-exploit metrics hit negative values for the first time in history in 2024, meaning attacks are happening faster than official updates are getting rolled out.

This case study is about looking past the marketing to see how well hosting companies actually defend against vulnerabilities.

Part I - Experiment methodology & setup

About this experiment

After our initial test was published, we were left with a question. We knew hosts weren’t blocking the specific major vulnerabilities we had tested, but we wanted to know what they were blocking.

The second test series meant more hosts, for a better perspective of the industry as a whole, and more tests encompassing a wider variety of vulnerabilities with a wider range of attack methods, so we could get a real idea of what the industry is and isn’t protecting against.

On top of that, we decided early on to bring in a group of industry leaders to provide input on our vulnerability selection, test suite, and testing processes, so we could ensure this experiment was as fair as possible.

Based on our original test, we had some assumptions on how the second series’ results would look. During the original test, multiple hosts showed some amount of protection against common, non-WordPress-specific vulnerabilities, such as SQL injection or directory traversal attacks. We expected to see many hosts block these attacks, and as we included significantly more of these non-WordPress-specific tests, we expected the total number of blocked vulnerabilities to increase.

That said, we also know the reality of protecting against WordPress-specific attacks, vulnerabilities like broken access control, or privilege escalation.

These types of attacks are generally plugin/theme specific; often require specific knowledge of the request only WordPress knows (such as, “does the user trying to do this have the correct privileges to do so?”); and are essentially impossible to block in a generic way, meaning there’s no “standard” rule a firewall could use to block them.

Based on these factors, and on how poorly the industry did during our original test, we assumed most WordPress-specific vulnerabilities would be successfully exploitable.

Experiment setup - choosing vulnerabilities & target hosts

With the goals of understanding the hosting ecosystem’s security better, and seeing if our assumptions held water in a broader evaluation, we built the framework for this experiment. First, we constructed a list of vulnerabilities.

Our original tests consisted almost entirely of major vulnerabilities - ones publicly known to be mass-exploited, or which had impacted huge numbers of users.

For the new experiment, we wanted to go wide rather than focus on specifics: we selected 20 additional vulnerabilities, all published in either 2025 or 2024, with the goal of covering as many categories as possible and involving different specific attacks, to give the hosts we tested the best possible opportunity to block at least some of our attacks.

The final vulnerability selection includes 10 of the original vulnerabilities from our v1 tests (#1-9, #20), as well as 20 new vulnerabilities to expand the total scope.

| Plugin | Vulnerability Type | Privilege Required | CVSS Score | Patchstack Priority Score* |
| --- | --- | --- | --- | --- |
| 1: DB Backup | Broken Access Control | Unauthenticated | 6.5 | Medium |
| 2: TI WooCommerce Wishlist | SQL Injection | Unauthenticated | 9.3 | High |
| 3: TI WooCommerce Wishlist | Arbitrary File Upload | Unauthenticated | 10 | High |
| 4: WooCommerce Payments | Privilege Escalation | Unauthenticated | 9.8 | High |
| 5: Suretriggers | Privilege Escalation | Unauthenticated | 9.8 | High |
| 6: Post SMTP | Broken Authentication | Subscriber | 8.8 | High |
| 7: GiveWP | PHP Object Injection | Unauthenticated | 10 | High |
| 8: CSS/JavaScript Toolbox | Local File Inclusion | Subscriber | 7.5 | High |
| 9: Litespeed Cache | Cross Site Scripting | Unauthenticated | 8.3 | High |
| 10: WP Photo Album Plus | Arbitrary File Upload | Unauthenticated | 10 | High |
| 11: 4ECPS Webforms | Arbitrary File Upload | Unauthenticated | 10 | High |
| 12: CleverReach WP | SQL Injection | Unauthenticated | 9.3 | High |
| 13: WP Job Portal | Arbitrary File Download | Unauthenticated | 7.5 | High |
| 14: Tainacan | Arbitrary File Deletion | Unauthenticated | 8.6 | High |
| 15: WC Multilingual | Broken Access Control | Unauthenticated | 5.3 | Low |
| 16: File Manager Advanced | Broken Access Control | Unauthenticated | 5.3 | Low |
| 17: Really Simple SSL | Cross Site Request Forgery | Unauthenticated | 4.3 | Low |
| 18: PixelYourSite | Cross Site Request Forgery | Unauthenticated | 5.4 | Low |
| 19: Secure Copy Content Protection | Cross Site Scripting | Unauthenticated | 7.1 | Medium |
| 20: Login/Logout Redirect | Open Redirection | Unauthenticated | 4.7 | Low |
| 21: Blog Designer Pack | Local File Inclusion | Unauthenticated | 8.1 | High |
| 22: JS Support Ticket | Local File Inclusion | Unauthenticated | 8.1 | High |
| 23: WP Funnel Manager | PHP Object Injection | Unauthenticated | 9.8 | High |
| 24: Participants Database | PHP Object Injection | Unauthenticated | 9.8 | Medium |
| 25: Profitori / The E-Commerce ERP | Privilege Escalation | Unauthenticated | 9.8 | High |
| 26: Spreadsheet Price Changer | Privilege Escalation | Unauthenticated | 9.8 | High |
| 27: Password Policy Manager | Broken Authentication | Subscriber | 8.8 | High |
| 28: Easy Stripe | Remote Code Execution | Unauthenticated | 10 | High |
| 29: PDF2Post | Remote Code Execution | Subscriber | 9.9 | High |
| 30: MDFT | SQL Injection | Unauthenticated | 9.3 | High |

The other major decision was which hosts to test. Here, too, we wanted broad coverage: both very large and relatively small hosts, and a mix of hosts that prominently advertise their security and hosts that only mention it in passing.

To perform our tests, we set up each host with a stock WordPress instance. We used the most recent available WordPress version, and the stock Twenty Twenty-Five theme.

If a host provided their own security-related plugins (e.g., Jetpack), we would enable these. Otherwise, no other plugins were enabled. We would also review the host’s dashboard for security options, and ensure those features were enabled.

Executing the test attacks

After WordPress was installed, we installed the vulnerable versions of each plugin with a vulnerability we were testing, as well as any plugins they required (e.g., WooCommerce). Once installed, we automatically applied a preset configuration to the site and all plugins, ensuring each testing environment was as identical as possible.

Finally we would attempt to exploit each vulnerability using a prebuilt proof of concept (PoC) exploit. We intentionally kept the PoCs identical in each test and used the simplest reasonable PoCs we could produce. We also did not use any obfuscation or advanced bypass techniques in these attempts.

The goal was to simulate real-life conditions by using the simplest attacks possible, thereby giving the hosts a fair chance to block the exploits.

Part II - Results & findings

As we had assumed, the hosting defences did better than in our original test. On average, hosts managed to block 25.89% of exploit attempts, versus 12.8% in the original study.

However, this means roughly 74% of attacks still succeeded.

In the chart below you can see the breakdown of complete and partial success rates by host and the security setup that was tested:

Vulnerability block rates by host

⚠️ Note: Host names are hidden, but they are known to the external observers.

After reviewing these results and correlating them with the security solutions each host used, we found some interesting notes on the efficacy of some industry solutions.


Hosting defences mostly ineffective against WordPress vulnerabilities

We found that WordPress-specific vulnerabilities were still the least blocked across all hosts.

Of the high-impact vulnerabilities, Privilege Escalation attacks were blocked only 12% of the time.

The biggest shock was the gap between how many companies describe their security and how it performs in practice.

But if you think about it, it is understandable because hosting providers rely on security stacks that promise strong protection, while even the most popular solutions do not provide full coverage.

Konrad Keck, webhosting.today

Privilege Escalation is considered one of the most severe types of attack: once an attacker has gained Administrator privileges, they can edit any content on your website, see any sensitive data (e.g., customer information on an e-commerce website), or potentially even upload their own malicious PHP files using WordPress' built-in plugin/theme management tools, often bypassing any protections against PHP upload attacks.

Successful attack rates per vulnerability (Patchstack excluded)

“WAF” can mean anything, and nothing

Many hosts advertised a commercial web application firewall, specifically a solution often used for DNS management, anti-DDoS protection, and CDN functionality.

While these services often have a managed ruleset that can block common attack types (e.g., directory traversal, cross-site scripting, or PHP object injection), we did not see consistent results across all hosts using these products, even between different companies using the same product.

What surprised me about the results, is that the same security solutions had wildly varying degrees of efficacy.

Kevin Ohashi, WPHostingBenchmarks.com

Based on this, we believe hosts often enable only certain components of these solutions, which obscures what their WAF does and does not protect against. A host's protection therefore can't be evaluated solely on the claim that it "uses an X brand firewall".

It is also likely that hosts are limiting the capabilities of firewalls, as stricter rules would result in high volumes of false positives, which in turn would disrupt their normal services.

In-house firewalls more effective than commercial solutions for generic attacks

When looking at generic, non-WordPress specific vulnerability attacks, hosts’ in-house firewall solutions outperformed commercial solutions.

Our results show that the hosts that performed best maintained their own internal firewall solutions.

While seeing a host advertise an in-house firewall isn’t a silver bullet for securing your WordPress websites, it does confirm another assumption we had: the hosts that perform best are the ones investing resources in improving their environments.

The vast majority of successful blocks were from non-WordPress-specific vulnerabilities. The most consistently blocked vulnerability class was Arbitrary File Uploads*, in which all three tested vulnerabilities were blocked 60% of the time.

Arbitrary File Upload attacks involve uploading a malicious PHP file to the website; once fully exploited, an attacker immediately gains full control of the hosting environment. We counted the attack as blocked when either the file itself was prevented from being uploaded or the hosting environment refused to execute it.
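
Those two layers map onto two different controls. The first, refusing the file, belongs in the application. Below is an added example (not code from this article or from any host we tested) showing an upload handler written the way many vulnerable plugins write it, next to a hardened version that uses WordPress' own type validation. The action name "demo_upload", the capability chosen and the allow-list are illustrative assumptions.

```php
<?php
/**
 * Added example: the same AJAX upload handler, insecure and hardened.
 * Hypothetical action "demo_upload"; names are illustrative, not from
 * any real plugin.
 */

// VULNERABLE: trusts the client-supplied file name and extension, so a
// file such as shell.php lands in wp-content/uploads/ and, unless the
// web server refuses to run PHP from that directory, executes on request.
function demo_handle_upload_vulnerable() {
    $upload_dir = wp_upload_dir();
    $dest = trailingslashit( $upload_dir['basedir'] ) . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// HARDENED: capability and nonce checks, then an explicit allow-list that
// WordPress validates against the sniffed content, not just the name.
function demo_handle_upload_hardened() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_upload' );   // CSRF protection for this action

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Only these types are accepted. Every PHP variant (.php, .phtml, .phar)
    // is rejected outright, and WordPress' file-name sanitisation defuses
    // double extensions such as x.php.jpg before the file is written.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // wp_handle_upload() repeats the type check, moves the file into the
    // uploads directory and gives it a sanitised, unique name.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}

add_action( 'wp_ajax_demo_upload', 'demo_handle_upload_hardened' );
```

The second layer, refusing to execute whatever did get written, is the hosting environment's job: a web server rule that serves files under wp-content/uploads/ as static content and never hands them to PHP. In our test, a host scored a block if either layer held, which is why the upload class came out ahead of every WordPress-specific class.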

A special note on Cross-Site Request Forgery attacks

Cross-Site Request Forgery (CSRF) attacks were the only ones that weren't blocked by any host, or even Patchstack (in fact, we generally don't provide protection rules for CSRF).

This is due to the unique nature of CSRF vulnerabilities. They are usually impossible to exploit at scale: the attacker needs a specifically targeted, logged-in victim and some social engineering to get that victim's browser to send the forged request. Because that request then arrives with the victim's valid session and looks like ordinary traffic, it is also difficult to stop with protection rules without severely impacting normal site functionality.

No host can reasonably be expected to cover these vulnerabilities, and the two CSRF cases were selected for the experiment solely to ensure the widest possible coverage of different vulnerability types.
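
The practical consequence is that CSRF is fixed in the application, not in front of it. As an added illustration (not code from this article), here is a settings handler of the kind commonly found in plugins, first without and then with the checks that make a forged request fail. The option name, the "demo_save" action, the menu slug and the nonce action are illustrative assumptions.

```php
<?php
/**
 * Added example: a settings-update handler for admin-post.php, vulnerable
 * and hardened. Hypothetical plugin; all names are illustrative.
 */

// VULNERABLE: any POST to admin-post.php?action=demo_save is honoured as
// long as an administrator is logged in. A page on another site can submit
// this form from the victim's browser; the request carries the victim's
// session cookie and a perfectly ordinary body, so a rule in a WAF has
// nothing to distinguish it from the real settings page.
function demo_save_settings_vulnerable() {
    update_option( 'demo_api_endpoint', $_POST['endpoint'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// HARDENED: capability check, plus a nonce tied to the user's session and
// to this action, which a cross-site form cannot know. The value is also
// validated before it is stored.
function demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Dies with 403 unless _wpnonce verifies for 'demo_save_settings'.
    check_admin_referer( 'demo_save_settings' );

    $endpoint = isset( $_POST['endpoint'] ) ? esc_url_raw( wp_unslash( $_POST['endpoint'] ) ) : '';
    if ( '' === $endpoint || 0 !== strpos( $endpoint, 'https://' ) ) {
        wp_die( 'Endpoint must be an https:// URL', 400 );
    }

    update_option( 'demo_api_endpoint', $endpoint );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=demo' ) ) );
    exit;
}
add_action( 'admin_post_demo_save', 'demo_save_settings_hardened' );

// The legitimate form embeds the nonce field; a forged form cannot.
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save">
        <?php wp_nonce_field( 'demo_save_settings' ); ?>
        <input type="url" name="endpoint"
               value="<?php echo esc_attr( get_option( 'demo_api_endpoint', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Note that the nonce only helps if the handler also checks the capability: a nonce proves the request came from a page WordPress rendered for this user, not that the user is allowed to perform the action.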

Conclusions

The results of this study support our initial conclusion that WordPress vulnerability mitigation remains a largely unsolved problem.

Hosting companies seem to agree - in its 2025 Web Hosting Trends survey, CloudLinux reported that 64% of hosting companies cited WordPress vulnerabilities specifically as their biggest security challenge.

In our conversations with hosting industry representatives, we've noticed the biggest problem isn't that hosts don't care about vulnerability attacks - it's that they think their existing solutions have got them covered.

Hosting companies are not security companies, yet they still carry responsibility for the security of their customers. Many providers are not even aware of the problem and assume that using third-party security tools is enough, so the issue often gets ignored.

Konrad Keck, webhosting.today

Effective security, however, works in layers. Different threats require different approaches, and as the test results show, one-stop-shop tools and generic WAFs cannot be relied on to cover vulnerability exploits.

With vibe-coding introducing more security issues both within and outside the WordPress ecosystem, hosts need to rethink how they build their security stacks to provide safe solutions for their customers.

How does your security stack up against vulnerabilities? Let's find out

If you're a hosting company and would like to have your security stack tested using the same framework, get in touch and we'll perform this pentest for you for free.

If you're interested, simply fill out the form on this page and our security team will be in touch.

P.S. Your results will be kept confidential, and you will have full transparency into the vulnerabilities and attack methods used.

Special thanks 🙏

We'd like to thank Konrad Keck and Kevin Ohashi for helping us validate the test methods, and for their questions and feedback throughout this process!

The post The Myth of Secure Hosting - Only 26% of Vulnerability Attacks Blocked By Hosts appeared first on Patchstack.

Seahawk Media Partners with Patchstack to Strengthen WordPress Security
https://patchstack.com/articles/seahawk-media-partners-with-patchstack-to-strengthen-wordpress-security/
Wed, 07 Jan 2026 13:51:26 +0000

We’re happy to share that Seahawk Media, a large WordPress agency serving businesses and hosting providers worldwide, has started using Patchstack to secure client websites.

Seahawk Media specialises in white-label WordPress services for businesses and hosts, including development, maintenance, and ongoing support. Their maintenance plans are used to manage and protect a large number of WordPress sites on behalf of their partners, and they’ve now become stronger with the addition of Patchstack. 

Security is non-negotiable for us. Patchstack provides us with real-time visibility and confidence that our clients’ WordPress sites are protected at scale, without adding operational complexity.

Gautam Khorana, COO & Co-founder @ Seahawk Media

Stronger security for Seahawk Media’s customers with Patchstack

Seahawk Media is now offering Patchstack to select maintenance plan customers at no additional cost. This ensures their WordPress sites are continuously protected against known vulnerabilities, not just cleaned after an incident. 

Patchstack adds an extra layer of security by monitoring vulnerable plugins and themes and preventing attacks before they happen.

In addition to enhanced security, Seahawk Care Plans also provide Site Speed Optimization and Image Optimization, keeping websites fast, efficient, and always ready for their customers' audience.

Learn more about Seahawk Care Plans

Patchstack also added after hack cleanups

If a client’s site is compromised before installing Patchstack, Seahawk Media will perform the cleanup. 

Once the site is successfully cleaned up and restored, they will install Patchstack to flag any remaining vulnerable components and block future exploitation attempts, reducing the risk of repeat incidents.

Helping agencies deliver better security

We’re excited to welcome Seahawk Media to the Patchstack ecosystem and help protect even more WordPress sites.

And with Patchstack now part of their security stack, Seahawk Media is joining the ranks of WordPress professionals, agencies, and hosts moving from reactive cleanup to proactive protection - exactly where WordPress security should be.

The post Seahawk Media Partners with Patchstack to Strengthen WordPress Security appeared first on Patchstack.

Modular DS Adds Patchstack-Powered Security: Introducing Patch & Protect
https://patchstack.com/articles/modular-ds-adds-patchstack-powered-security-introducing-patch-protect/
Thu, 30 Oct 2025 13:22:24 +0000

Modular DS just took the simplicity of their bulk site management to a new level with the introduction of Patch & Protect.

Integrated as an add-on, Patch & Protect will help Modular DS users know about and protect their websites from vulnerabilities before they are publicly disclosed, significantly reducing the time they are exposed to attacks.

Timely detection and automated protection: all in one place

Modular DS Patchstack security integration

The moment that Modular DS users enable the Patch & Protect add-on, they will be able to see the status of their plugins and their vulnerabilities, as well as monitor attacks that their Patchstack-powered add-on blocked.

In addition to the vulnerability mitigation rules, Modular DS's Patchstack integration also includes hardening rules that further protect WordPress sites, with functionality such as:

  • Hiding WordPress version information
  • Disabling the theme editor and user enumeration
  • Restricting XML-RPC access
  • Adding security headers
  • Blocking access to the WordPress debug.log file and others
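
To make the list concrete, here is an added example of how the first four of those rules can be applied from a must-use plugin. This is not Modular DS's or Patchstack's own code; function names are illustrative. The last item, blocking direct requests to wp-content/debug.log, cannot be done from PHP because the web server serves that file before WordPress runs, so it belongs in the server configuration instead.

```php
<?php
/**
 * Plugin Name: Demo Hardening
 *
 * Added example, not Modular DS's or Patchstack's code. Drop into
 * wp-content/mu-plugins/ so it loads on every request.
 */

// Hide the WordPress version: generator tag, feeds and ?ver= on core assets.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
function demo_strip_asset_version( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'script_loader_src', 'demo_strip_asset_version', 15 );
add_filter( 'style_loader_src', 'demo_strip_asset_version', 15 );

// Disable the theme and plugin file editors in wp-admin.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Block user enumeration: the ?author=N redirect trick on the front end ...
add_action( 'template_redirect', function () {
    if ( isset( $_GET['author'] ) ) {
        wp_die( 'Forbidden', 403 );
    }
} );
// ... and the public REST API user listing, unless the caller may list users.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! current_user_can( 'list_users' ) ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// Restrict XML-RPC: refuse every method and stop advertising the endpoint.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Security headers on every response WordPress generates.
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
} );
```

Two caveats worth knowing before switching these on across a portfolio: disabling XML-RPC entirely breaks clients that still rely on it (some mobile apps and Jetpack features), and removing the REST users route affects editors that populate author lists, which is why the example leaves it in place for anyone with the list_users capability.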

For website maintenance professionals, this means another critical part of their offer - security - can now be fully automated.

Bring proactive security to your WordPress site portfolio

The launch of Patch & Protect marks more than just another integration. It redefines how professionals manage and secure WordPress websites at scale.

Deliver more value to clients without adding new tools or manual work; differentiate your services by proactively preventing issues; reduce time spent on emergencies; and strengthen client trust.

Our collaboration shows what’s possible when management and security come together. 

Patch & Protect is now available through Modular DS. Activate it today to strengthen the foundation of your business.

The post Modular DS Adds Patchstack-Powered Security: Introducing Patch & Protect appeared first on Patchstack.

New: Patchstack Web Host Integration Unlocks Proactive Website Security with Industry-Leading Upsell Conversions
https://patchstack.com/articles/new-patchstack-web-host-integration-unlocks-proactive-website-security-with-industry-leading-upsell-conversions/
Tue, 28 Oct 2025 19:30:02 +0000

Most web hosts already promise speed, uptime, and reliability. But in 2025, customers expect to see security, not just trust that it’s there.

Unfortunately, the majority of WordPress attacks bypass standard hosting defenses. 

In our own study, we found that across five hosting environments and 11 WordPress-specific vulnerabilities, 87.8% of the exploits bypassed network and server security layers before reaching the point where Patchstack’s application-layer protection stopped them.

For you as a host, this means that security isn’t just a cost center. It’s a must-have and, with Patchstack’s integration, it becomes profitable, too.

We saw ROI within 4 weeks of launching our Patchstack integration. 4.5% of all sites converted to it, and we were able to add $4k+ of additional MRR within the first month.

Aurelio Volle, Founder @ WP Umbrella 💚 Read the full case study

Patchstack’s plug-and-play integration

That’s where Patchstack’s plug-and-play integration comes in

It’s a drop-in, zero-dev-lift component that lets you display real-time vulnerability protection and threat-blocking stats directly inside your own dashboards.

And because Patchstack operates at the application level, there is no need for additional installation deep in the server stack.

It’s so simple that a single developer can handle it within just a few days!

For WP Umbrella, the integration was done in 5 days with 1 developer.

Aurelio Volle

It transforms invisible protection into a visible, monetizable feature.

Patchstack integration view in the web host integration iFrame widget

Instead of telling customers “your site is protected,” your dashboard can show them:

  • Real-time vulnerabilities detected and blocked
  • Live metrics of mitigation rules in action
  • The story: “Here’s what we caught for you.”

That visibility changes the dynamic. When customers see protection in action, their upgrade conversion rates go up, and you get a strong new upsell lever (with 100%+ margins). 

Plus, you’re saving time and resources because support tickets related to hacked WordPress sites decrease. 

The number of WordPress sites and plugins with critical vulnerabilities decreased by 23% over the last year. The best part? Users were delighted to get proactive notifications!

Marko Toom, Product Manager @ ElkData (Veebimajutus) 💚 Read the full case study

How does it work?

The integration experience has been designed to get you started within just a few hours:

  1. API access & setup: You receive documentation and credentials to integrate the web hosting view.
  2. Embed the integration: Drop a few lines of HTML and (if needed) customize.
  3. Show Real Value: Customers see blocked vulnerabilities, active protection, and live stats.

Plus, you get all the marketing support you need for the launch with pre-made materials and 1:1 consultation sessions with our team.

Patchstack's web hosting integration demo

From reactive to proactive

Security is most commonly offered to customers as malware clean-ups and remediation. This means you're only offering security to a fraction of the total customer base.

And it usually happens when it's already too late.

With Patchstack, web hosts can deliver real-time vulnerability notifications to customers for free, predicting future incidents and allowing customers to take action before their websites become compromised.

With more than 90% of websites having at least one vulnerability in their CMS, plugins, or themes, the notifications deliver immediate value to almost all users.

These proactive vulnerability notifications are recurring, timely, and highly precise upsell opportunities where customers understand their responsibility. By enabling Patchstack, they can take immediate action to address security vulnerabilities.

How much could you earn with the Patchstack security integration?

With Patchstack’s ROI Calculator for Hosts, you can see exactly how much additional income your security integration could generate.

Just enter a few key details (average estimated conversion rate, number of hosted sites, and the monthly price per site), and the calculator will instantly show your potential additional revenue from upsells.

additional revenue calculator for the Patchstack web hosting integration

Our data from hosting partners shows that results can come fast:

  • Time to ROI: often as little as 4 weeks
  • Typical profit margins: up to 100%+ when bundled into higher-tier plans
  • Added value: measurable drop in hacked-site tickets and support hours

The calculator helps you turn protection into a predictable revenue stream, showing, in precise numbers, how security translates directly into growth.

Stop hiding your best differentiator. 

Show customers how you’re keeping them safe, use the ROI Calculator to project your revenue potential, and talk to our team about integrating Patchstack in your hosting today. 

👉 Try the ROI Calculator and see what your Patchstack integration could earn.

The post New: Patchstack Web Host Integration Unlocks Proactive Website Security with Industry-Leading Upsell Conversions appeared first on Patchstack.

Creating an open alliance to secure the web
https://patchstack.com/articles/patchstack-creating-an-open-alliance-to-secure-the-web/
Wed, 27 Aug 2025 09:43:23 +0000

Over the years, we’ve witnessed many instances where critical security information fails to reach stakeholders as quickly as it should. Vulnerability databases help, but not all vulnerabilities are equal.

Security teams from web hosts, plugin companies, and security providers often investigate in silos, resulting in much of the same work being duplicated. Ultimately, the web suffers as those who get the information last will pay a hefty price of compromised websites and broken trust.

At Patchstack, we believe that strong partnerships and alliances are what can have the biggest possible impact in making the web more secure.

Over the years, we have partnered with many of the largest web hosting, plugin, and security companies (some of whom most would consider competitors) to share information and speed up investigations, ensuring websites and customers remain secure.

Today, we are separating this alliance from our commercial partnerships and invite all security teams of hosting providers, plugin companies, and security companies to a shared community where we can all collaborate on incident investigation and threat intelligence, with a simple shared goal of making the web safer and leaving no one behind.

As the information shared within this community is sensitive, we will manually verify and accept every member who wishes to join.

Our initial requirement is that every member must prove their software/service is responsible for or has an impact on the security of more than 1,000 websites (we might make exceptions depending on the sites' importance).

The members must be responsible for internal security processes or have technical information security expertise.

If you’re interested in joining, please fill out the form here:

The post Creating an open alliance to secure the web appeared first on Patchstack.

RapidMitigate: Next-gen vulnerability mitigation for websites
https://patchstack.com/articles/rapidmitigate-next-gen-vulnerability-mitigation-for-websites/
Fri, 01 Aug 2025 07:31:47 +0000


For years, Patchstack has pushed the boundaries of virtual patching. Over the past two years we have relentlessly innovated to deliver the fastest, most accurate vulnerability-mitigation solution for websites.

Today we are proud to unveil powerful new capabilities that take our mitigation system well beyond traditional virtual patching. And with that, we are excited to introduce RapidMitigate.

Fully programmatic mitigation rules

RapidMitigate makes it possible to deploy fully programmatic rules, each containing multiple complex conditions. Written in a custom JSON format, these rules are consumed by the Patchstack agent’s application-level mitigation engine, which sanitizes vulnerable functions and eliminates threats without touching underlying code.

Dynamic mitigation deployment

Unlike conventional virtual patching products, Patchstack RapidMitigate has deep, real-time visibility into the target application via software composition analysis (SCA). That insight lets us deploy or remove mitigation rules on demand.

Because rules are applied only where needed, we can maintain and automate over 10,000 vulnerability-specific rules - more than ten times the coverage any competitor offers. Traditional regex-based approaches must apply broad rules network-wide, creating performance drag and false positives; RapidMitigate avoids both.

Dynamic mitigation triggering

Session-level visibility allows RapidMitigate to factor in authentication state and other prerequisites, activating a vPatch rule only when the conditions for exploitation exist. Some vulnerabilities involve base64-encoded or double-encoded JSON payloads; the engine handles these by applying targeted transformations (such as decoding) to request parameters before the rule is evaluated.

This precision has two major advantages:

  • It slashes false positives that disrupt admin interfaces.
  • It keeps performance overhead to an absolute minimum: rules are evaluated only when a request reaches a vulnerable function.

Even with ten rules active, the overhead stays well under a millisecond on every PHP version we measured:

PHP version   Rules deployed   Mean (ms)   Memory (KB)
PHP 5.6        1               0.08        3.98
PHP 5.6       10               0.37        3.98
PHP 7.x        1               0.08        0.7
PHP 7.x       10               0.35        0.7
PHP 8.x        1               0.04        0.33
PHP 8.x       10               0.06        0.33
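
To show what "evaluated only when a vulnerable function is reached", authentication-aware triggering and payload normalisation look like in practice, here is an added toy example written as a must-use plugin. It is not Patchstack's engine, its JSON rule format, or any real rule; it assumes a hypothetical plugin whose AJAX action "demo_import" passes the "payload" parameter to unserialize() without a capability check, and all names are illustrative.

```php
<?php
/**
 * Added example, not Patchstack code: a toy application-level mitigation
 * rule for a hypothetical vulnerable AJAX action "demo_import". Nothing
 * here runs for any other request, so unrelated traffic pays no cost.
 */

// Collect every scalar leaf of a decoded JSON structure into one string.
function demo_flatten_leaves( array $data ) {
    $leaves = array();
    array_walk_recursive( $data, function ( $leaf ) use ( &$leaves ) {
        $leaves[] = (string) $leaf;
    } );
    return implode( "\n", $leaves );
}

// Peel JSON and base64 layers until the value stops changing, so an
// encoded payload cannot slip past a plain-text pattern.
function demo_normalise_param( $value, $max_rounds = 4 ) {
    $value = (string) $value;
    for ( $round = 0; $round < $max_rounds; $round++ ) {
        $before  = $value;
        $decoded = json_decode( $value, true );
        if ( is_string( $decoded ) ) {          // "\"O:8:...\""        -> O:8:...
            $value = $decoded;
        } elseif ( is_array( $decoded ) ) {     // {"a":{"b":"O:8:..."}} -> O:8:...
            $value = demo_flatten_leaves( $decoded );
        }
        if ( preg_match( '/^[A-Za-z0-9+\/]+={0,2}$/', $value ) && 0 === strlen( $value ) % 4 ) {
            $bytes = base64_decode( $value, true );   // strict: any stray byte rejects
            if ( false !== $bytes ) {
                $value = $bytes;
            }
        }
        if ( $before === $value ) {
            break;
        }
    }
    return $value;
}

// The rule itself: a serialized PHP object, O:<len>:"<class>":<n>:{ ... }.
function demo_rule_matches( $raw ) {
    return 1 === preg_match( '/(^|[^A-Za-z])O:\d+:"[^"]+":\d+:\{/', demo_normalise_param( $raw ) );
}

// Runs only when the vulnerable action is invoked.
function demo_mitigate_demo_import() {
    // Condition for exploitation: the caller lacks the capability the action
    // should have required. Administrators pass through, so no admin UI breaks.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( isset( $_REQUEST['payload'] ) && demo_rule_matches( wp_unslash( $_REQUEST['payload'] ) ) ) {
        wp_send_json_error( 'request blocked by mitigation rule', 403 );  // ends the request
    }
}
// Priority 0 runs ahead of the plugin's own handler on the same hooks.
add_action( 'wp_ajax_demo_import', 'demo_mitigate_demo_import', 0 );
add_action( 'wp_ajax_nopriv_demo_import', 'demo_mitigate_demo_import', 0 );
```

In a real deployment the file above would only be loaded at all when software composition analysis reports the vulnerable plugin version installed, which is the "deploy or remove on demand" part of the design; the rule never needs to be applied network-wide, and it never runs against requests that do not reach the affected entry point.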

Multilayer mitigation

RapidMitigate is a hybrid solution: depending on the vulnerability, mitigation can occur at the application layer or one layer earlier, in Apache/Nginx. While 99% of WordPress issues are best handled inside the runtime, edge-case vulnerabilities in PHP files that can be requested directly, without loading WordPress, are stopped at the web server level.

Powered by Patchstack Threat Intelligence

RapidMitigate ties directly into Patchstack Threat Intelligence: the moment our researchers disclose a new vulnerability, an appropriate rule is deployed automatically.

With more than 800 WordPress plugin developers relying on Patchstack to coordinate responsible disclosure, we deliver the fastest, most comprehensive vulnerability mitigation on the market.

Available to all Patchstack users and hosting companies

RapidMitigate has been merged into Patchstack's virtual patching and works without any action on your part. It is available on all Patchstack plans and in our web hosting offerings.

The post RapidMitigate: Next-gen vulnerability mitigation for websites appeared first on Patchstack.

Patchstack managed VDP report forwarding
https://patchstack.com/articles/patchstack-managed-vdp-report-forwarding/
Wed, 09 Jul 2025 12:15:11 +0000

As the leading threat intelligence provider in the WordPress ecosystem, Patchstack has more experience with validating reports and coordinating vulnerability disclosures than anyone else. Because of this, hundreds of WordPress plugin vendors have chosen to trust Patchstack to manage their vulnerability disclosure programs.

Having a vulnerability disclosure program (VDP) is becoming a legal requirement in the EU under the Cyber Resilience Act (CRA), whose obligations start to apply in 2026.

However, not every vendor has the in-house security expertise, and that’s where having a VDP managed by a security company comes with many benefits.

The goal of a VDP is to set a clear framework and an internal process on how external reporters must send vulnerability reports and how the software vendor then processes them. It’s an industry standard and a baseline for ethical disclosure that all security companies, ethical hackers, and security researchers should respect.

An automated way to handle mis-reported vulnerabilities

Ever since we launched the Patchstack mVDP for WordPress plugins in 2023, we have noticed that not all reporters follow the ethical disclosure principles. Some intentionally ignore the VDPs set up by the vendors and don’t go through the process the vendors have specifically set up for vulnerability reporting.

The goal of a VDP is to have a strict framework for how vulnerabilities are reported, so that every vulnerability goes through the same process. External reporters who ignore a vendor's VDP are therefore not just acting unethically: they create unnecessary confusion and can introduce real security risk, because a mis-reported vulnerability falls outside the vendor's internal security policy and processes.

Until today, vendors have forwarded such reports to Patchstack manually, so we could assist them and add them to their Patchstack mVDP platform.

To make this process more streamlined, we’ve now launched a new report forwarding system where mis-reported security vulnerabilities can be automatically pulled into the Patchstack mVDP platform, by just forwarding the email report, screenshot or a PDF.

You will now find a “Forward reports” button on your mVDP dashboard with a dedicated forward email. All forwarded reports will be automatically standardized, validated by Patchstack, and then added under the vendor mVDP dashboard for status tracking and exploitation monitoring.

A few extra tips on how to deal with unethical reporters

We’ve seen it all.

Beg-bounty reporters (researchers who report very low-impact security "issues" and then beg for a bounty even when the company has no bounty program), straight-up unethical researchers who drop vulnerabilities publicly before reporting them to the vendor, and security companies that ignore VDPs and pressure vendors into signing up for their product to access the vulnerability details.

Here are a few tips on how to deal with cases like that:

1) If you’re unsure if a vulnerability report is valid, ask a trusted security expert to validate it before you reply to the reporter.

2) Have clear information on your website and software readme file on how all vulnerabilities should be reported to avoid situations where a researcher can claim there was nowhere to report.

3) If a reporter is not respecting your VDP and asking you to sign up for their services to see the vulnerability report, just ask for the report to be sent to a secure email, which you can then forward to your VDP system.

Don’t have a VDP? Consider the free Patchstack-managed VDP

Top WordPress plugin companies such as Elementor, YITH, StellarWP, and many, many others have chosen Patchstack as their managed VDP provider.

Patchstack manages your VDP, helps coordinate vulnerability disclosure with a goal to minimize negative impact, and helps to secure your codebase with an AI code review tool and auditing.

All the important information can be found here: https://patchstack.com/for-plugins/

The post Patchstack managed VDP report forwarding appeared first on Patchstack.

WP Squared Integrates Patchstack Real-Time Protection to Safeguard Users
https://patchstack.com/articles/wp-squared-integrates-patchstack-real-time-protection-to-safeguard-users/
Mon, 07 Jul 2025 16:07:36 +0000

Security threats don’t wait for updates, and now, neither does WP Squared. 

We’re thrilled to announce that the WP Squared team has just rolled out Patchstack protection to deliver automated, proactive protection from plugin, theme, and core vulnerabilities.

No need to wait for developers to issue fixes or scramble to update vulnerable plugins!

Raising the bar on WordPress security with an intuitive security experience

How WP Squared integrated Patchstack's real-time protection

WP Squared is known for the comprehensive support and security coverage it provides to high-performing WordPress websites.

Now, thanks to Patchstack’s protection module integrated directly into their hosting dashboard, WP Squared can block threats proactively, even before updates are available, reducing the risk of exploits and dramatically shortening the window of exposure.

Unlike general-purpose firewalls, Patchstack's protection is tailored for WordPress. It knows how to defend against specific WordPress plugin and theme vulnerabilities with surgical precision and a minimum of false positives.

Integrated seamlessly into WP Squared, Patchstack’s vulnerability protection will alert users of vulnerable plugins and themes, as well as provide instant protection, giving them time to update the components safely.  

Empowering WordPress agencies with next-gen security

Vulnerabilities are increasing year on year, and with AI in the mix, attackers are becoming more savvy. 

Reactive protection is no longer enough, and WP Squared is taking strides to protect its users with Patchstack’s next-generation vulnerability mitigation tooling. Together, we’re building a safer, more resilient open web - one site at a time.

Want to explore how Patchstack can protect your company’s users? Start here.

The post WP Squared Integrates Patchstack Real-Time Protection to Safeguard Users appeared first on Patchstack.

WP Umbrella Partners with Patchstack for Real-Time Vulnerability Protection
https://patchstack.com/articles/wp-umbrella-partners-with-patchstack-for-real-time-vulnerability-protection/
Tue, 24 Jun 2025 13:21:27 +0000

We’re excited to announce that WP Umbrella has deepened its security offering by integrating Patchstack protection into its Site Protect add-on.

WP Umbrella users can now opt for Patchstack’s real-time protection right within their dashboards!

Site Protect add-on users get access to instant protection against vulnerabilities in WordPress plugins and themes, without needing to wait for updates or risk compatibility issues with untested plugin updates. 

From alerts to protection: Seamless integration for WP Umbrella Users

WP Umbrella integration with Patchstack

WP Umbrella has long been a trusted management platform for WordPress professionals who want to handle multiple sites from one place. With bulk & safe updates, scheduled backups stored in Europe, and automated reporting, it already offered a complete toolkit for agencies working with WordPress.

Now, thanks to the integration of Patchstack’s real-time protection, WP Umbrella takes WordPress security to the next level by turning alerts into automatic defense.

When a known vulnerability is detected, sites are immediately shielded (even if the vulnerable plugin or theme hasn’t been updated yet).

This bridges the gap between awareness and action, a critical improvement for agencies and freelancers managing sites at scale. From uptime and performance to backups and security, everything is now centralized in one powerful interface.

Managing Patchstack from WP Umbrella

If you're already using Patchstack and WP Umbrella, you can seamlessly connect your account to your WP Umbrella dashboard for a central HQ.

Simply plug in your Patchstack App API key and you'll be good to go!

How to connect your Patchstack account to WP Umbrella

A shared vision for a safer WordPress ecosystem

Patchstack founder, Oliver Sild, and WP Umbrella founder, Aurelio Volle

Patchstack and WP Umbrella share a mission: to make professional WordPress site management safer, simpler, and more scalable.

We’re thrilled to support WP Umbrella in offering best-in-class protection for their users, and we’re looking forward to helping more professionals stay ahead of threats with smarter security.

Want to learn more about how Patchstack can help protect your company’s users? Start here.


NEW: Patchstack AI code review tool and Security Suite for plugin vendors https://patchstack.com/articles/patchstack-ai-code-review-mvdp-release/ Thu, 05 Jun 2025 08:56:51 +0000

The post NEW: Patchstack AI code review tool and Security Suite for plugin vendors appeared first on Patchstack.


Today, we are super excited to launch the new version of the Patchstack mVDP platform, which now comes with an AI-based code review tool, team management features and a discussion board that helps plugin developers improve their code faster.

With more and more software being generated by AI, we are witnessing a significant increase in new vulnerabilities and an equal increase in AI-generated security reports, which makes managing the security of plugins more important than ever.

Complete security suite for plugins

While our managed VDP remains free to all plugin developers, we are introducing a new Security Suite tier, priced at $75 a month. This includes $40 worth of AI tokens for code security reviews per month. Additional AI credits can be purchased if needed.

When working with hundreds of plugin developers and managing VDPs for more than 700 plugins, we’ve learned that in many cases, more than one developer needs to access the same reports. To make sharing information and access less painful and more secure, the Security Suite plan comes with a team management feature with 5 seats included by default.

Another widely requested feature has been the ability to use Patchstack as a secure channel whenever there is a need to communicate directly with the vulnerability reporter. For that, the Security Suite tier includes a discussion board where you can directly chat with the researcher who reported an issue.

AI code review 🤝 human research

The new Security Suite tier combines the best of both worlds. Your plugins will receive boosted visibility (100% AXP bonus) in the Patchstack Alliance ethical hackers community, which encourages security researchers to report significantly more bugs and help plugins fix more vulnerabilities faster.

Additionally, our AI code review tool can scan through your entire codebase to find WordPress-specific security issues and highlight potential improvements. We are currently launching this in beta, but we'll have many more releases to share in the coming months.

Also, all Security Suite users will get patch recommendations from our internal security research team, regardless of whether the vulnerability was reported by a human or discovered with the AI scanner.

This means that not only will you speed up your vulnerability management process, but you’ll also be able to release fixes faster.

Don’t leave CRA compliance to the last minute

As you may know already, the Patchstack mVDP platform was built with the support of the European Union. At the end of 2024, the European Union passed the Cyber Resilience Act (CRA), which will hold software vendors accountable for the security of their products.

This will also affect many WordPress plugins (all commercial plugins, or plugins maintained by a legal entity). Patchstack helps WordPress plugins become CRA-compliant by setting up a secure VDP, coordinating vulnerability disclosures, and reporting vulnerabilities to the European vulnerability database (managed by ENISA).

Cyber Resilience Act penalties are almost identical to those of GDPR. The deadline for first compliance is already in 2026. You can read more about CRA requirements and compliance here.


Cloudfest Hackathon 2025: SBOMinator to Secure the OSS Supply Chain https://patchstack.com/articles/cloudfest-hackathon-2025-sbominator-to-secure-the-oss-supply-chain/ Thu, 27 Mar 2025 07:10:09 +0000

The post Cloudfest Hackathon 2025: SBOMinator to Secure the OSS Supply Chain appeared first on Patchstack.

No one can do it alone and that’s nowhere quite as obvious as it is in open-source software. With different dependencies and whole ecosystems needing to work in perfect sync in order to stay secure, protecting supply chains is vital.

In addition to our other initiatives, we’ve also participated in the Cloudfest 2025 Hackathon with a project meant to address supply chain security. 

Wait, Why Supply Chain Security?

The rising importance of OSS supply chain security is backed by new regulatory requirements and increasing security threats. The EU Cyber Resilience Act, which came into force in December 2024, mandates that manufacturers, software developers, importers, distributors, and resellers ensure their products with digital components remain secure throughout their lifecycle. 

Other challenges include:

  • Ensuring access to security updates
  • Maintaining separate security and feature update channels
  • Implementing vulnerability disclosure programs
  • Providing transparency through Software Bill of Materials (SBOM) and Supply-Chain Levels for Software Artifacts (SLSA) 

Unfortunately, many open-source projects (especially CMSes) lack the tools and workflows to meet these requirements.

What Did We Do During the Cloudfest Hackathon to Strengthen OS Security?

During the hackathon, we got some truly skilled folks together to brainstorm about a useful solution. After discussing, we decided to work on a CMS-agnostic approach for SBOM (Software Bill of Materials) implementation. 

VIDEO: https://x.com/patchstackapp/status/1901272766407491585

What Is SBOM?

An SBOM is essentially a dependency tree listing every library, and its version, used in a specific application. Existing tools can gather this information, but they rely mainly on package-manager dependency files and do not account for the fact that applications have several layers of development, which may or may not involve those package managers at all.

The initial idea was to create a light PHP library that could be used to generate SBOM based on two approaches and merge all in one report:

  • Collect infrastructure-based dependency information, such as the "composer" libraries file (`package.json` file) or the "npm" libraries file (`application.json` file), much as GitHub does, but with an in-depth exploration of all such files and a final merge of everything found.
  • Run a Static Code Analyzer (SCA) over the code itself to gather every library inclusion made in code. This brute-force pass covers those plugins/themes/sections of the app where no "package.json" or "application.json" file exists.

The output expected is a report using a standard SBOM schema. At this moment, there are two main schemas:

We also planned to have the following integrations ready to show the use by different Content Management Systems (CMS) or frameworks (like Laravel):

  • WordPress plugin, which connects to the “Site Health” module and “WP-CLI”, so it can be loaded in both environments
  • TYPO3 admin extension
  • Laravel Artisan command

For this goal, we created:

  • SBOMinator3000: The PHP base library
  • Transformatron: The SBOM standards transformation tool from one standard to the other.
  • Scaninator: The SCA tool to extract all library inclusions directly from the code.

The impact of this tool is immense, not only because the regulations going into effect mean professionals will start getting fines, but also because it’s a much-needed change in the open-source ecosystem and a solid foundation for a more secure software supply chain.
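As an added illustration of the two-source approach described above (dependency manifests where they exist, a brute-force source scan where they don't, merged into one report), here is a small Python script. It is not SBOMinator's own code and makes several assumptions: Composer's manifest is `composer.json` with exact versions in `composer.lock`, npm's is `package.json` (constraints only); the sample project layout is constructed inline; the include/`use` regexes and the non-standard `resolved`/`evidence` fields are this example's own additions to an otherwise CycloneDX-style document.

```python
"""Two-source SBOM generator: manifests where they exist, a PHP source scan where they don't.
Illustrative example only; the layout it builds and the heuristics it uses are assumptions."""
import json
import re
import tempfile
from pathlib import Path

# PHP include/require of a .php file, e.g. require_once __DIR__ . '/lib/x/X.php';
INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*?['\"]([^'\"]+\.php)['\"]")
# PHP "use Vendor\Package\...;" -- first two namespace segments are a library candidate (heuristic)
USE_RE = re.compile(r"^\s*use\s+([A-Za-z0-9_]+)\\([A-Za-z0-9_]+)", re.MULTILINE)


def _component(name, version, purl_type, evidence, resolved):
    """CycloneDX-style component; 'resolved'/'evidence' are local annotations, not spec fields."""
    purl = f"pkg:{purl_type}/{name}" + (f"@{version}" if resolved else "")
    return {"type": "library", "name": name, "version": version, "purl": purl,
            "resolved": resolved, "evidence": [evidence]}


def parse_composer(section: Path):
    """Prefer composer.lock (exact versions); fall back to composer.json constraints."""
    lock = section / "composer.lock"
    if lock.exists():
        data = json.loads(lock.read_text())
        pkgs = data.get("packages", []) + data.get("packages-dev", [])
        return [_component(p["name"], p["version"].lstrip("v"), "composer", str(lock), True) for p in pkgs]
    manifest = section / "composer.json"
    if manifest.exists():
        data = json.loads(manifest.read_text())
        deps = {**data.get("require", {}), **data.get("require-dev", {})}
        # 'php' and 'ext-*' are platform requirements, not shipped code
        return [_component(n, c, "composer", str(manifest), False)
                for n, c in deps.items() if n != "php" and not n.startswith("ext-")]
    return []


def parse_npm(section: Path):
    """package.json gives version constraints only; package-lock.json would give exact versions."""
    manifest = section / "package.json"
    if not manifest.exists():
        return []
    data = json.loads(manifest.read_text())
    deps = {**data.get("dependencies", {}), **data.get("devDependencies", {})}
    return [_component(n, c, "npm", str(manifest), False) for n, c in deps.items()]


def scan_php_sources(section: Path):
    """Brute-force pass for code shipped without a manifest: record included files and
    'use'd namespaces as unresolved components (version unknown)."""
    comps = []
    for php in sorted(section.rglob("*.php")):
        text = php.read_text(errors="ignore")
        for path in INCLUDE_RE.findall(text):
            comps.append(_component(Path(path).stem, "unknown", "generic", str(php), False))
        for vendor, pkg in USE_RE.findall(text):
            comps.append(_component(f"{vendor}/{pkg}".lower(), "unknown", "composer", str(php), False))
    return comps


def merge(components):
    """Deduplicate by (purl type, name): keep the resolved entry and union the evidence paths."""
    by_key = {}
    for c in components:
        key = (c["purl"].split("/", 1)[0], c["name"].lower())
        existing = by_key.get(key)
        if existing is None:
            by_key[key] = dict(c, evidence=list(c["evidence"]))
        elif c["resolved"] and not existing["resolved"]:
            by_key[key] = dict(c, evidence=existing["evidence"] + c["evidence"])
        else:
            existing["evidence"] += [e for e in c["evidence"] if e not in existing["evidence"]]
    return sorted(by_key.values(), key=lambda c: c["purl"])


def generate_sbom(root):
    """Treat the root and each top-level directory (plugin/theme/section) as a unit:
    parse its manifests if it has any, otherwise fall back to the source scan."""
    root = Path(root)
    sections = [root, *sorted(p for p in root.iterdir()
                              if p.is_dir() and p.name not in ("vendor", "node_modules"))]
    components = []
    for section in sections:
        from_manifests = parse_composer(section) + parse_npm(section)
        components += from_manifests or scan_php_sources(section)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": merge(components)}


def build_sample_project(root):
    """Constructed sample layout (not a real project): a root composer.lock, a theme with
    package.json, and a legacy plugin vendoring a library with no manifest at all."""
    root = Path(root)
    (root / "composer.lock").write_text(json.dumps({"packages": [
        {"name": "monolog/monolog", "version": "3.5.0"},
        {"name": "guzzlehttp/guzzle", "version": "v7.8.1"}]}))
    theme = root / "theme"
    theme.mkdir()
    (theme / "package.json").write_text(json.dumps(
        {"dependencies": {"lodash": "^4.17.21"}, "devDependencies": {"vite": "^5.0.0"}}))
    lib = root / "legacy-plugin" / "lib" / "parsedown"
    lib.mkdir(parents=True)
    (lib / "Parsedown.php").write_text("<?php class Parsedown {}\n")
    (root / "legacy-plugin" / "plugin.php").write_text(
        "<?php\nuse Monolog\\Logger;\nrequire_once __DIR__ . '/lib/parsedown/Parsedown.php';\n")
    return root


def demo():
    """Build the constructed sample in a temp dir and return its SBOM."""
    return generate_sbom(build_sample_project(tempfile.mkdtemp()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the merge step makes is the one the post raises: only the lock file yields a resolved purl (`pkg:composer/monolog/monolog@3.5.0`); manifest constraints and code-scan hits stay marked unresolved, so a consumer can see which entries still need version reconciliation before the SBOM is trusted for vulnerability matching.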

Who Does This Tool Help?

If you’re among the following, you’ll get use out of SBOMinator: 

  • 👤 Site Owners: During deployment and updates, to quickly assess the dependencies in use.
  • ⚖️ Compliance Officers: Check for regulatory compliance.
  • 🌐 Web Hosts: Track and secure multiple sites.
  • 🏢 Agencies: Ensure transparency, maintenance, and security.
  • 👩🏾‍💻 Software Maintainers: For transparency, trust, and swift fixes.

In total, we delivered 9 repositories grouped in a GitHub organization (SBOMinator), 150+ files, and 16000+ lines of code.

Technologies used

We built our solution using PHP as the base language, but we also used the following technologies:

  • GitHub for repositories, collaboration, and code synchronization
  • Packagist for publishing the outcome software packages.
  • Google docs and slides for documentation and presentation
  • diagrams.net for architectural diagrams
  • Mattermost for communications during the event

How Does SBOMinator Integrate with Existing OS Projects?

We knew we wanted SBOMinator to be able to integrate with any open-source project that uses PHP and JavaScript as base languages. 

At this point, we worked on a demo to get it integrated into WordPress as a plugin, in WP-CLI and WordPress Site Health, a TYPO3 integration, and Laravel Artisan.

In fact, during the hackathon, the main idea was to collaborate with two other teams present in the hackathon which were working on the Site Health concept and the use of AI in WP-CLI.

Our Team Members

Our team comprised 12 members:

  • 9 Software developers / Software Engineers
  • 1 Frontend developer / Designer
  • 2 Dev Rels / Business

For our goal, this team was a perfect fit!

"Aha!" Moments Worth Sharing 💚

All the team members regularly checked in with one another several times per day during the course of the hackathon. 

Each time, we made sure that everyone was clear about the aims and the goals, and this resulted in several “aha!” moments such as clearly identifying how data flows in and out of the tools that we were building and how it could facilitate the development of extensions for any PHP CMS ecosystem, not just the ones that we are familiar with.

At some point, we found niches for some side projects that have interesting values as outcomes by themselves. Suffice it to say: our team was really into it!

Redirecting those efforts to the main scope was another challenge, but these spontaneous ideas will remain as possible projects after the hackathon.

What’s Next for SBOMinator?

The tools that the team built during the hackathon are the foundation of what can potentially become the basis for much wider adoption of SBOM. The project itself helps increase awareness of software supply chain security within the WordPress and TYPO3 ecosystems.

Right now, our team is assessing everyone’s availability to keep working on the project. We’re also hoping to acquire funding as there is a big interest in continuing the work started during the hackathon.

Let’s check back in a few months!

GitHub repository and other project links

Documentation: https://github.com/sbominator/docs

Project: https://github.com/sbominator

Packagist: https://packagist.org/packages/sbominator/


NEW: Announcing Patchstack API for Endless Automations https://patchstack.com/articles/announcing-patchstack-developer-api-for-endless-automations/ Fri, 20 Dec 2024 14:26:02 +0000

The post NEW: Announcing Patchstack API for Endless Automations appeared first on Patchstack.


We are excited to announce that the entire Patchstack App is now fully accessible as an API, and as of today all Patchstack Developer accounts can use the API without any extra charge. With more than 100 endpoints to interact with, the possibilities are truly endless.

This is an important step for us, as it allows our customers and partners to integrate Patchstack into their existing tools and workflows. Patchstack's mission is to provide the fastest protection against security vulnerabilities, and covering all possible automation and integration requirements plays a big role in making this possible.

To celebrate this launch (and the winter holidays), new Developer plan customers will get 50% off the Developer plan for the first three months! 🎁 The offer will expire on January 8th, 2025.

If you already have a free Patchstack account, you can redeem the offer here. Or head to the pricing page to create an account & claim your discount!

What can you do with our API?

Everything you can see and do in your Patchstack App account can now be controlled over an API. That includes access to all logs, reports, the ability to add and remove sites, enable/disable settings, or even control virtual patches and your custom rules.

Some example use cases:

  • Integrate with your email marketing software to send out monthly security reports to your customers.
  • Integrate Patchstack inside your own product and let your customers enable (and control) Patchstack directly from your platform without them leaving your service.
  • Pull IP addresses of attackers that try to exploit vulnerabilities into your DNS firewall to block them on the network layer.
  • Integrate with Enterprise SIEM/SOC tools and pull vulnerability data and logs directly into it.
  • Build any kind of automations with Zapier, IFTTT, etc.

How to get your API key?

You can get your own API key by logging into your account and navigating to the integrations page. You can also see all endpoints and the documentation here.

If you use our API to build some cool integrations, don't forget to share them with us. We would love to highlight them in front of Patchstack's customers and community!


Introducing the Patchstack VDP platform https://patchstack.com/articles/introducing-the-patchstack-vdp-platform/ Tue, 10 Sep 2024 14:09:37 +0000

The post Introducing the Patchstack VDP platform appeared first on Patchstack.


Our mission to provide the fastest mitigation to security vulnerabilities is core to our long-term vision of becoming a global cyber-security leader with the biggest impact on open-source security. Today, we are excited to finally reveal the next chapter of our journey.

We truly believe that the only way to reach a dream so ambitious is to work closely together with the entire open-source community. Patchstack already works closely with the leading digital agencies and web hosting companies in the world - and now it's time to work with plugin developers to level up the ecosystem security standards together.

Patchstack has been the pioneer of next-gen WordPress security for many years now. 4 years ago, we launched the first open bug bounty program for all WordPress plugins and recently we paid out the highest-ever bounty of $14,400 for a single WordPress plugin vulnerability. In 2023, 73% of all (5,948) vulnerabilities were originally published by Patchstack and in 2024, we are on track for another record-breaking year.

We are not just the leading WordPress vulnerability intelligence provider, but in 2023 Patchstack also ranked #1 as the most active CNA (CVE naming authority) globally - processing and triaging the largest volume of software security vulnerabilities in a single year. This requires significant work and is not possible without carefully optimized processes and automation - especially when the vulnerability disclosures have to be coordinated with every stakeholder.

Our knowledge and professionalism are backed by hundreds of plugin developers such as Elementor, WP Rocket, YITH, RankMath, ACF, and many others who have chosen Patchstack as their official security partner. Today, we expand this to everyone, for free!

Bringing new security standards to the WordPress ecosystem

Patchstack's managed VDP platform is built in collaboration with the European Union to help open-source software companies become compliant with the upcoming Cyber Resilience Act.

It is available to all open-source projects built around the WordPress and WooCommerce platforms and hosted in any public repository, such as the WordPress plugin repository, GitHub, the Envato marketplace and more.

The Patchstack VDP platform includes a central dashboard with an overview of all current and past security reports affecting your plugins. Each plugin/software receives its own VDP (vulnerability disclosure program) page to which potential security issues can be reported. All reports will be first validated by Patchstack and collected in the main dashboard, prioritized and filtered based on required action and severity.

Patchstack's managed vulnerability disclosure program portal

CRA compliance for plugin developers

The Cyber Resilience Act (CRA) introduced obligatory software support and vulnerability disclosure guidelines for all commercial software with users in the European Union. The law is expected to be passed in Q4 2024.

The Patchstack VDP platform helps automate the following CRA compliance requirements:

  • Requirement: Set up a vulnerability disclosure policy (VDP)
  • Requirement: Share data with EU vulnerability database
  • Requirement: Notify users about new vulnerabilities
  • Requirement: Notify users about vulnerability exploits
  • Requirement: Provide security updates separately from functional updates

The Patchstack VDP platform helps improve the overall security of your software through the following services:

  • Patchstack provides a secure and streamlined channel for sensitive security reports
  • Patchstack validates all vulnerabilities to cut off noise and "beg bounty" reports
  • Patchstack coordinates vulnerability disclosure between all involved parties
  • Patchstack verifies all patches before they are released to avoid incomplete fixes
  • Patchstack offers guidelines and consulting to simplify & de-risk disclosures
  • Additionally, Patchstack provides full code review and security auditing services (paid).

If you're a developer or a product company and have a plugin built for WordPress - get started and set up your security program here!

Need help? Our documentation covers the entire process.
