Patchstack has announced a new Free plan that lets a single user add up to 99 sites to their account. Alongside the free plan, the Patchstack plugin is now available in the WordPress plugin directory; it acts as a connector between a site and the company's SaaS offering.
If you're unfamiliar with Patchstack, you're not the only one. Until today, I'd never heard of the company. It has, however, been around since 2018, originally under the name WebARX. According to Oliver Sild, Founder and CEO of Patchstack, the company has been providing security services to plugin developers for years.
“We’ve been doing pen-testing for plugin developers for years and then created our SaaS product to detect vulnerabilities and ship automated patching (virtual patches),” Sild said.
“After that, we launched the first bug bounty program for WordPress plugins/themes and basically built a very active community of ethical hackers behind us.”
In the first half of 2021 alone, the company helped identify and fix more than 1,000 plugin vulnerabilities, a sharp increase from the 578 vulnerabilities reported in all of 2020. One reason for the jump is the heavy marketing of its bug bounty program in 2021.
“This year we’ve paid about $10,000 in bounties to devs/ethical hackers who help other plugin devs fix security issues and have received over 1,182 reports since April this year,” Sild said. “So I think we’re kind of a reason why there are so many vulnerabilities discovered lately.”
I asked Sild if he gets sad about the fact that there are so many plugin vulnerabilities despite it being good for business. “I think it’s a good thing that these vulnerabilities are being discovered,” he responded. “It’s much worse if the vulnerabilities just sit there, waiting for someone malicious to take advantage of them. We just started to iron these issues out in the WordPress plugin ecosystem on a scale, the numbers are going up now but hopefully, in the long run, they will start to drop.”
The free plan's features include component detection, vulnerability monitoring, real-time threat alerts, and actionable remediation suggestions. At the moment, Patchstack does not notify users when one of their monitored plugins is temporarily removed from the WordPress plugin directory. Patchstack does track those removals internally, however, and plans to roll notifications for them out to subscribers in the future.
For detailed information on how the service works and what each pricing plan includes, check out the Patchstack website. If you use Patchstack, I’d like to hear about your experience in the comments.