Today, we’re excited to announce the next generation of Patchstack firewall engine. The new engine is engineered to provide the most efficient application layer protection possible, with even greater vulnerability coverage and industry-leading performance.
Over 50% of all known WordPress-related (core, plugins, themes, etc.) security vulnerabilities in 2023 have been originally reported by Patchstack Alliance and first published on our WordPress vulnerability database.
Being the absolute leader of WordPress vulnerability intelligence has made it possible for us to innovate yet again and bring you the most advanced application security available to all WordPress applications.
vPatch vulnerabilities with complete confidence
The new protection engine allows the vPatch rules to be made for even the most complicated security vulnerabilities with the lowest possible risk of causing false positives or disrupting the functionality of the website.
Patchstack's vPatches provide high-precision protection against all security vulnerabilities with high and medium Patchstack Priority scoring (our new scoring system that indicates the possibility of becoming exploited).
Patchstack includes more than 5000 individual vPatch rules which provides the largest vulnerability coverage on the market. All Patchstack vPatches are carefully prepared and tested and auto-deployed to sites immediately when a vulnerability has been detected.
Additional protection modules are now available
While vPatching is the most efficient way of preventing attacks against known security vulnerabilities, the new protection engine allows us to also deploy advanced WordPress core hardening techniques and run more complex rules with a non-existent performance impact.
With this release, you can find two new protection modules under the “Protection” page, on your Patchstack app. You can enable them on all sites by default or choose the specific websites where you wish to run the selected modules only.
Advanced Hardening for WordPress
With this release, we are introducing the advanced hardening for WordPress which covers the common shortcomings of WordPress core security and prevents the exploitations of some of the most common attacks in the WordPress ecosystem.
This module prevents malicious file uploads, avoids sensitive information disclosure via the configuration files, denies privilege escalation attempts and exploitations that try to register admin accounts, prevents options changes, and much more. It receives additional core hardening rules as the WordPress platform evolves.
The Advanced Hardening for WordPress module takes into account different permission levels depending on the specific technique deployed to avoid any false positives. In case you’re using a WordPress management tool that remotely accesses the website, you may need to whitelist it.
Generic OWASP module
We have made some changes to our generic OWASP protection module and have removed WordPress-specific rules from it. The removed WordPress-specific rules were replaced with the better advanced hardening rules within the Advanced Hardening module.
It includes generic firewall rules against OWASP's top 10 vulnerability types including XSS, SQLi, RCE, and other known exploitation methods. Please note, due to its generic nature this module may cause false positives for more complex applications.
For this reason, we’ve set an “optional” tag to this module as it should be used with caution (especially on bigger sites that use WooCommerce, LMS plugins, different page builders, etc.).
10x faster and more lightweight
One of the things loved by our users is how lightweight Patchstack is. This is thanks to our sharp focus on doing only what matters for the security of your websites and leaving out everything else whose value is questionable or should be done at the server or networking level instead.
One of the many reasons why Patchstack is the selected security partner for the largest hosting companies in the world such as GoDaddy, Cloudways (Digital Ocean), Hostinger, One.com, etc. is the lowest possible performance impact even when Patchstack is deployed to a very large number of websites at scale.
With this update, we keep pushing the boundaries to bring you the most performant application security for WordPress. For example, the new engine can parse and understand JSON-based firewall rules and can determine if specific parameters are present before continuing to process the rule conditions.
This and many other fundamental upgrades to the Patchstack protection engine have made it approximately 10 times faster compared to our old engine (which was already the most lightweight compared to the competition).
Here’s a benchmark of our new engine that runs through 100 rules within a single request (which is unlikely in the real-life scenario as we deploy rules dynamically only when a vulnerability is present):
PHP 5.6: 0.0020, or about 2 milliseconds
PHP 7.3: 0.0013 seconds, or about 1.3 milliseconds
PHP 7.4: 0.00017 seconds, or about 0.17 milliseconds
PHP 8+: 0.00011 seconds, or about 0.11 milliseconds
A new way to create custom rules
One of the benefits of Patchstack is that we allow our paid users to create an unlimited amount of custom protection rules that they can deploy on the sites. The new protection engine comes with a significant update on how custom rules can be created.
Simple custom rule creation
With this update, we’ve introduced a library of pre-configured templates for protection rules so it’s easier than ever to create custom rules to whitelist/block IP addresses, URLs, HTTP agents, etc.
Advanced custom rule creation
We’ve also opened up the full capabilities of our new protection engine to anyone who wants to create custom rules that could match anything within the HTTP protocol. This gives complete freedom to build advanced and complex rules directly within our JSON rule editor.
Patchstack app and plugin updates
This update also comes with a major update on our plugin, which now runs the new engine. If you’re a Patchstack user already, make sure to update the plugin to the latest version to be able to access the new protection modules.
The plugin also comes with some other minor updates such as the redesigned protection engine block page, which allows the blocked user to copy the error codes that they can present to the support in case some of the custom rules are not working as intended.
With the introduction of new protection modules, the Patchstack app now gives you an overview of which protection modules are active on a given website and also presents a mini-chart to show a quick overview of recently blocked threats.
This update is an important milestone to us, as it gives us a new foundation on which we can continue innovating and bring the WordPress ecosystem the security its users deserve.
The introduction of new security modules is part of our new direction, where the modules will essentially become an “app store” like experience for WordPress application security - all powered by our lightweight yet advanced engine.
Now with the new engine released, we will be shifting our focus on the app, to improve the workflows, and integrations and make Patchstack App the best security companion for any WordPress developer & agency.