Patchstack protection
Most WordPress sites are not breached through WordPress core — they’re breached through an outdated plugin or theme with a published vulnerability. The window between a CVE going public and you applying the update is exactly when sites get compromised. Patchstack virtual patching closes that window for you: known plugin and theme exploits are blocked at the edge before they can reach the vulnerable code, whether or not you’ve updated the component yet.
How virtual patching works
Patchstack maintains a continuously updated feed of vulnerabilities for tens of thousands of WordPress plugins and themes. managed.dev consumes that feed and enforces a matching rule for each one in front of your site. When a request matches the exploit signature for a known CVE — a crafted parameter, a malicious upload, a specific path — it’s blocked before it reaches PHP.
The key word is virtual. The vulnerable plugin file on disk is untouched; the patch lives in the request-filtering layer in front of it. That means:
- You’re protected the moment a vulnerability is disclosed, not when you next deploy.
- A plugin you can’t update right away (a compatibility hold, a paused release) is still shielded against its known exploits.
- There’s no performance cost to your application and nothing to install.
Coverage
The feed covers known, disclosed vulnerabilities across the WordPress plugin and theme ecosystem and is updated continuously as new CVEs are published — including many before the plugin author ships a fix. It does not cover unknown (zero-day) vulnerabilities with no signature yet, or custom code you wrote yourself. Those are the job of the other layers in the pipeline.
Where it fits in the pipeline
Patchstack is one layer of the security pipeline, and it’s deliberately narrow — it knows about specific, named vulnerabilities. The layers around it cover what it can’t:
- The WAF catches classes of attack (injection, XSS, traversal) generically, including against your own code and zero-days that fit a known pattern.
- Patchstack catches specific exploits for specific components, including payloads that look benign to a generic ruleset because they only matter to one vulnerable plugin.
- ClamAV malware scanning is the backstop: if something does land on disk — through a vector none of the front-line layers caught — scanning detects and quarantines it.
Together they cover prevention at the edge (WAF + Patchstack) and detection on disk (ClamAV), so a gap in one is covered by another.
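The sketch below is an added illustration, not managed.dev or Patchstack code. It shows how a component-specific virtual patch can block a request that a generic ruleset passes, while the plugin file on disk is never touched. The plugin name, AJAX action, advisory id and request model are hypothetical, and treating the login state as known to the filter is a simplifying assumption.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Request:
    """Constructed request model: only the fields the filters inspect."""
    path: str
    params: dict
    authenticated: bool = False  # assumption: the filter can see login state

# Generic layer: recognises attack classes by pattern, knows nothing about plugins.
GENERIC_PATTERNS = [
    re.compile(r"(?i)<script\b"),           # XSS
    re.compile(r"(?i)\bunion\s+select\b"),  # SQL injection
    re.compile(r"\.\./"),                   # path traversal
]

def generic_waf_blocks(req: Request) -> bool:
    return any(p.search(v) for v in req.params.values() for p in GENERIC_PATTERNS)

@dataclass
class VirtualPatch:
    """One rule per disclosed vulnerability, scoped to a single component."""
    advisory: str
    component: str
    matches: Callable[[Request], bool]

PATCHES = [
    VirtualPatch(
        advisory="CVE-XXXX-XXXXX",    # placeholder, not a real id
        component="example-gallery",  # hypothetical plugin
        # Hypothetical flaw: a settings action that skips its authorization check.
        matches=lambda r: r.path == "/wp-admin/admin-ajax.php"
        and r.params.get("action") == "eg_save_settings"
        and not r.authenticated,
    ),
]

def filter_request(req: Request) -> Optional[str]:
    """Return the layer that blocks the request, or None to pass it on to PHP."""
    if generic_waf_blocks(req):
        return "waf"
    for patch in PATCHES:
        if patch.matches(req):
            return "patchstack"
    return None
```

The values in a request to the hypothetical action contain nothing a pattern-based ruleset would flag, so only the rule that knows about that one plugin stops it.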
When Patchstack blocks a request
A blocked exploit attempt is recorded as a block event attributed to patchstack
and shown in Security → Blocks, alongside WAF and rate-limit
blocks. A spike of Patchstack blocks against one site usually means a freshly
disclosed CVE is being actively scanned for across the web — a good prompt to
confirm the affected plugin is updated, even though you’re already protected.