In 2018, WebARX launched the first version of its security platform and grew to 3,000 users. Earlier this month, the company decided to rebrand to Patchstack. Aside from customers getting the name wrong, the company had grown beyond its original SaaS product, providing other services like PlugBounty, an open-source bug-hunting platform. Earlier this year, it also acquired ThreatPress, a WordPress security service provider. Combining the three created an opportunity to relaunch the brand.
Patchstack is a website security company. Instead of focusing directly on the core WordPress software, it dives into the world of third-party extensions. For WordPress, that means monitoring and patching vulnerabilities in plugins, themes, and any other components users might install. The service’s primary audience includes developers and digital agencies. It helps them to identify issues and provides almost real-time patching to eliminate threats.
Oliver Sild, Patchstack founder and CEO, already had the PlugBounty idea back in 2018. “I realized it’s impossible to tackle the security issues in the WordPress ecosystem if we don’t have a big and strong community behind security as there is behind plugin/theme developers. I created a platform where security researchers can quickly put together a detailed security report for any WordPress plugin and which then will be delivered to the plugin developer.”
The new Patchstack Red Team is what was previously the PlugBounty project. His company and other WordPress ecosystem members contribute to the “prizepool,” cash paid out monthly to the top security researchers based on scores from their contributions. All findings are also made publicly available for free through the Patchstack Database.
“We manage the triage process by following a strict responsive disclosure policy and make sure the information reaches the right person and that the vulnerability will get properly fixed,” said Sild.
Patchstack had already kept an internal database to compare customer software versions. After adding PlugBounty to the mix, it needed a public database to give credit to the community of security researchers.
“We had discussions with different database vendors in the ecosystem, but the vision really clicked with ThreatPress,” said Sild. “The founder of ThreatPress also joined our team and is now running the Patchstack Database and Patchstack Red Team operations. Patchstack Database will be providing information about security vulnerabilities in the WordPress ecosystem and will remain free to use for the public. We also have an API which hosting companies can use to notify their customers about vulnerabilities within their websites.”
Sild said that approximately 95% of security vulnerabilities in the WordPress ecosystem are from third-party code. “The best thing you could do is to make sure you have your websites updated,” he said when asked about the low-hanging fruit that any site owner could take care of.
“The second big issue is the pirated and nulled plugins — keep in mind that if you found a premium plugin/theme for free, then there is a reason behind this,” he said. “It’s a trap many people fall into, and without their knowledge, they infect their own website with malware and backdoors. And how can I not mention passwords? Please use password management tools such as LastPass, KeePass, and try to enable two-factor authentication on all your accounts.”
It is possible to find free versions of commercial plugins and themes that are secure and up to date. However, the average end user has no way of knowing whether that is the case.
Patchstack is a SaaS product. Once users create an account through its system, it will guide them to connect their website with the Patchstack WordPress plugin.
“Once the website is connected, it sends environment details (plugin, theme, core, PHP, etc. versions) to Patchstack,” said Sild. “Patchstack then compares all the versions with known security issues and notifies the user if outdated/vulnerable code is detected.”
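As an added illustration of the version comparison Sild describes (example code written for this article, not Patchstack's plugin or API; the advisory entries, the inventory and the `find_vulnerable` / `update_target` names are constructed), here is the core check: a site's reported component versions are matched against a feed of "fixed in" versions, and the minimum update that clears every finding is computed per component.

```python
from typing import NamedTuple

class Advisory(NamedTuple):
    slug: str       # plugin/theme/core identifier as reported by the site
    kind: str       # "plugin", "theme" or "core"
    fixed_in: str   # first version containing the fix; earlier versions are affected
    note: str       # short description of the issue

# Constructed sample feed: hypothetical entries, not real Patchstack Database records.
SAMPLE_FEED = [
    Advisory("example-gallery", "plugin", "2.4.1", "stored XSS in image captions"),
    Advisory("example-gallery", "plugin", "2.6.0", "missing capability check on settings save"),
    Advisory("example-theme", "theme", "1.3.0", "arbitrary file read via template parameter"),
]

def parse_version(v):
    """Turn '2.4.1', '2.4' or '2.0.1-beta' into a tuple of ints; a non-numeric
    suffix on a component is ignored, so '1-beta' compares as 1."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_lt(a, b):
    """True if version string a is strictly older than b ('1.10' is newer than '1.9')."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))

def find_vulnerable(inventory, feed):
    """inventory: {(kind, slug): installed_version} as the site plugin would report it.
    Returns sorted (kind, slug, installed, fixed_in, note) tuples for affected components."""
    findings = []
    for adv in feed:
        installed = inventory.get((adv.kind, adv.slug))
        if installed is not None and version_lt(installed, adv.fixed_in):
            findings.append((adv.kind, adv.slug, installed, adv.fixed_in, adv.note))
    return sorted(findings)

def update_target(findings):
    """Per component, the highest fixed_in among its findings: the version to update to."""
    target = {}
    for kind, slug, _installed, fixed_in, _note in findings:
        key = (kind, slug)
        if key not in target or version_lt(target[key], fixed_in):
            target[key] = fixed_in
    return target
```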
Patchstack has different security modules, which can be enabled or disabled from the settings screen. One that is on by default is WordPress Virtual Patches. This feature detects if a vulnerable plugin is in use on the site and sends virtual patches immediately.
The service has a cloud-based dashboard, allowing users to access details for all of their sites in one place.
“Patchstack allows you to create custom security alerts and send them to email and Slack channels when vulnerable or outdated plugins are detected,” said Sild. “It provides a central overview of all the different security issues across an unlimited number of sites, and you can export a monthly PDF report for each website if needed. In addition to how many vulnerabilities and security issues you have on your websites, the Patchstack dashboard also tells you when any of the vulnerable plugins/themes on your websites have been attacked, and you’ll have granular details about each threat that has been blocked.”