We have carefully assigned the Patchstack Priority scores to all historic vulnerabilities, and the scores are now added to every new vulnerability. (Some of you may have already noticed “Priority” levels on the Patchstack Database vulnerability entries.)

Today, we roll Patchstack Priority out to all our users!

Vulnerability prioritization for Patchstack users

Patchstack users can now prioritize and filter vulnerabilities directly on their main dashboard.

By default, vulnerabilities will be sorted based on their Patchstack Priority score and date (newest first).

If you have planned maintenance windows for your websites, you can jump into the Patchstack App to see what needs your attention first. You’ll see which vulnerabilities could be resolved with a security update and which vulnerabilities are mitigated by the Patchstack vPatches.

As we continue working on the Patchstack Priority, the users will soon also get a “security tasklist,” recommending when to update specific software and helping you optimize your security maintenance.

Our Developer and Business users will be able to adjust their notifications. For example, if you'd only like to receive notifications for high-priority threats, toggle it in the Settings, and alert fatigue will be no more!

Different levels of Patchstack Priority

With the rapidly increasing amount of security vulnerabilities being fixed in the WordPress plugin ecosystem, it’s more important than ever to know where to put the attention first. Unfortunately, setting a focus is difficult when everything seems equally severe.

Patchstack Priority sets vulnerabilities into three categories, so users direct their attention to where it’s needed first and reduce noise from vulnerabilities which are not an imminent threat.

Patchstack Priority simply sets all vulnerabilities to High, Medium and Low:

High Priority:

• Expected to become actively exploited
• Known to be actively exploited already
• Receives a vPatching rule from Patchstack
• Recommended time to patch/update (RTTP): 0 days.

Medium Priority:

• Could be exploited in more targeted attacks
• Is not yet publicly known to be exploited
• Receives a vPatching rule from Patchstack
• Recommended time to patch/update (RTTP): 7 days.

Low Priority:

• Not expected to become exploited
• Not known to be exploited
• Does not require a vPatching rule from Patchstack
• Recommended time to patch/update (RTTP): 30 days.

The priorities are updated as we get more data, ensuring you always know what needs your attention first.

Data behind the Patchstack Priority

Patchstack Priority is a dynamic scoring system, which takes into account different variables to predict whether a vulnerability will:

1. Become actively mass-exploited, or
2. Potentially be exploited in more targeted attacks, or
3. Be unlikely to become exploited.

We analyze each vulnerability and the software where we found the vulnerability. Then, we compare them with similar vulnerabilities in the past that we have attack data for.

We also monitor each vulnerability in real time in case we need to increase the priority.

Some of the variables we analyze when assigning Patchstack Priority to security vulnerabilities include the following:

• Analyzing the vulnerability prerequisites (i.e. What privileges are required for the vulnerability to be exploitable?)
• Analyzing the vulnerability type (i.e. Some vulnerabilities like RCE are more prone to exploitation than others, such as CSRF.)
• Analyzing the software itself (i.e. how big of a target it is, where it’s commonly used, how many active installs it has, etc.)
• Analyzing the standard CVSS scores
• Monitoring active exploitation attempts

What’s next?

In addition to introducing Patchstack Priority so you know what to tackle first, our team has also made more changes to the Patchstack App:

• An easier way to control the Protection modules and search and review the protection logs
• See active modules on the Apps Overview page
• Partner Mode in the plugin
• New rule creation page for our new firewall engine (and templates)

And more!

Stay tuned for more updates as our team works to help you take charge of your WordPress security.

Try Patchstack Priority in your dashboard, and let us know if you have any feedback!

The post Patchstack Is Introducing Patchstack Priority appeared first on Patchstack.

In short, this means that more people will know whether they have hidden security risks on their websites.

This is also exciting news because the partnership highlights a big mindset shift happening in the WordPress ecosystem, with more companies thinking about security proactively rather than reactively.

Plugin vulnerabilities (which accounted for 93% of all WordPress vulnerabilities last year) are a very common security risk - but they're also easily preventable, especially now that we have a lot more awareness and information on them.

If you've been following our work you may have noticed we talk about growing our database of vulnerabilities pretty much exponentially every year. And while that growth may sound alarming it's a good thing because security researchers working that much harder to combat the issue.

We said in our big WordPress security roundup whitepaper back in March, that the WordPress ecosystem leaders (like Cloudways) must be showing a positive example by dealing with vulnerabilities in a proactive, responsible & mature manner.

How does the Cloudways integration work?

The Cloudways vulnerability scanner can see which WordPress core, plugin, and theme versions are installed on your website. It periodically checks these versions against the Patchstack Database to see if any are affected by a security issue. If a vulnerability is found, the user will be notified and led to check the affected versions.

The vulnerability scanner will also show recommended actions for vulnerable components (generally this means updating the plugin, or removing it if no updates are available). You can also get more details about the specific issue:

Please keep in mind that the integration does not include Patchstack's vPatching protection layer - it only shows you information about vulnerabilities, and you'll ultimately have to take necessary steps to mitigate them yourself.

What is included, however, is our 48-hour early warning for vulnerabilities found by Patchstack Alliance, which should give you enough time to figure out the best course of action. This early warning is critical as we know from our data that in some cases, vulnerabilities may be exploited within hours of them becoming public.

About Cloudways

Cloudways is a leading managed cloud hosting and software as a service (SaaS) provider for small to medium-sized businesses (SMBs). Cloudways is part of DigitalOcean, which helps developers, startups and small and medium-sized businesses rapidly build, deploy, and scale applications to accelerate innovation and increase productivity and agility.

The post Patchstack Partners With Cloudways appeared first on Patchstack.

While our WordPress vulnerability database has become immensely popular, we've heard that many would love to set up alerts for specific plugins which they use on their websites.

Since we launched our database, we promised to keep the data free and openly accessible, so building a free version around it was a logical next step.

Introducing Patchstack Community (Free) plan

We are very excited to announce that starting from today, everyone can download Patchstack directly from the official WordPress repository and sign up for a free Patchstack account.

Patchstack Community (Free) plan will allow you to add up to 10 websites to your Patchstack account without a charge.

You can finally have all the security information about your sites on a single dashboard and you will receive e-mail alerts when any of the WordPress plugins, themes, or core versions become vulnerable.

Introducing Patchstack Business plan

We've been actively collecting feedback from digital agencies and freelancers who built a lot of sites and manage even more. Historically, it has been difficult to manage costs on a larger scale due to strict site-based pricing.

Today, we're happy to announce the Patchstack Business plan, which is our new flagship plan that covers all your current and future websites with a fixed monthly or annual fee.

New product UI, website, and pricing

With the two brand new Patchstack plans, we have also released an updated UI that gives a lot more details about each individual vulnerability found on your websites.

With the updated product and new plans, we've also reworked our website and pricing.

Check it out here and don't forget to share the news with your friends who've been missing out!

The post Introducing New Patchstack Community & Business Plans appeared first on Patchstack.