If you follow cybersecurity news, and WordPress security news in particular, the name PatchStack will surely sound familiar: a security company that for some time now has been reporting vulnerabilities in plugins and themes, not without some controversy.
The company maintains a large database of vulnerabilities in WordPress core, plugins and themes, which it promotes widely, and its disclosures have on occasion forced updates to all kinds of components.
The cybersecurity business trick
If you are in the cybersecurity business, of whatever kind, rather than specializing in security solutions, success surely goes hand in hand with being good at publishing possible vulnerabilities, regardless of how exploitable they are, because under the banner of “responsibility” the company or developer who supposedly suffers from the vulnerability is put on the spot.
And that developer is in a bad spot, because…
- If you heed it and modify your code, you break your development flow and roadmap based on third-party information, which is not always accurate.
- If you don’t heed it, you will be called irresponsible, because faced with a “possible” vulnerability, NO ACTION WAS TAKEN!
PatchStack, the WordPress security attorney
Surely you have heard how many security companies thrive in areas that are a priori safe by publishing reports of insecurity in that area, of possible threats, and sending out press releases about the many dangers of not having an excellent preventive security service.
Well, in my opinion, PatchStack has been playing this game for a while, publishing all sorts of “urgent” reports and warnings about possible security vulnerabilities which, on many occasions, turned out not to be vulnerabilities at all but merely conceptual hypotheses or theories. Another security company, pluginvulnerabilities.com, documents this on its website, showing several cases where PatchStack released information that was, at best, biased:
And yes, granted, pluginvulnerabilities.com is part of the same business and you might (rightly) think its opinion is partial, but after analyzing their complaints they seem more than reasonable to me; read them, and don’t stop at the headline 😉
What about the PatchStack plugin?
Going back to the beginning, PatchStack has just released a security plugin for WordPress which, according to its own description, does the following…
- The plugin can be downloaded for free, without a paid subscription, from the official WordPress repository.
- Patchstack is a powerful tool that helps identify security vulnerabilities in all the plugins, themes and WordPress core of all your websites.
- Patchstack works with the most active ethical hacker community in the WordPress ecosystem.
- Patchstack is trusted by leading WordPress experts such as Pagely, Cloudways, GridPane, Plesk and others.
To sum up, point by point:
- Yes, you can download it for free, but it turns out that to do anything with it you have to pay.
- Yes, it identifies vulnerabilities, once you have registered on their site and enabled synchronization, but only the ones they themselves publish in their reports, which as I said have their “quirks”.
- I won’t even get into that one, given what I’ve seen of their communication practices.
- Well, yes, it is becoming a standard, especially thanks to the cybersecurity business trick discussed above, on top of the partnerships (sic) it keeps signing.
And I’m not exaggerating: as soon as you install the plugin you land here…
Beautiful, isn’t it?
- It completely ignores the WordPress admin design conventions
- It has absolutely no functionality available or configurable from the WordPress dashboard
- It also needs an external API to provide any functionality at all, wherever that functionality is offered
- It states that to activate “protection” you have to pay $9 in the app (i.e. on its website)
Exactly everything you do not expect from a free plugin hosted on WordPress.org. See how true it was that the download was free? The rest is another story…
The PatchStack “app” and the community plan
If you decide to try the protection service, the link takes you to log in or register on the PatchStack website, and once inside you must indicate what you want to protect, i.e. which (web) application.
In the next step it offers you the expected API key.
Which you then copy and paste into the plugin’s “settings” screen.
And on the PatchStack website you can see why there is nothing else in the WordPress admin beyond that: your application, and the wonderful security protection services that PatchStack offers, namely:
- Information about the latest security vulnerabilities in WordPress plugins.
- Information about the latest security vulnerabilities in WordPress themes.
- Information about the latest security vulnerabilities in WordPress core.
- Real-time email notices if a security vulnerability is detected, which at no point did you give permission to send.
- And a central security panel (in the Patchstack app) for up to 10 websites.
That is, this:
If you look closely, it warns you, in red, of two vulnerabilities in plugins; going into the details of one that we all know, we see this…
Let’s look at the details:
- An XSS vulnerability (one of the most common and dangerous) in Gutenberg, the most actively developed and monitored plugin in the entire WordPress ecosystem.
- Dated August 4, 2022 (the results shown are from October 19, 2023)
- The vulnerable versions are any earlier than 16.8.1 (the current one, as you can read in the installed plugin’s readme file), since this alleged vulnerability was patched many, many months ago
- In red: to avoid this vulnerability (already fixed more than a year ago) you activate protection (for a fee).
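To make the version-checking point concrete, here is an added example (written for this page; it is not Patchstack’s plugin or API code): it reads the `Version:` header that WordPress itself parses from a plugin’s main PHP file, compares it numerically against an advisory’s “fixed in” version, and only raises an alert when the installed build is actually below the fix. The sample plugin header and the sample advisory are constructed for the example, and the advisory field names (`slug`, `title`, `fixed_in`) are assumptions, not the schema of any real vulnerability feed.

```python
"""Version-aware triage of a WordPress plugin vulnerability record.

Added example, not Patchstack's code: given the header block WordPress reads
from a plugin's main PHP file and an advisory that says "vulnerable below X",
only raise an alert when the installed build is actually below X.
"""
import re

# Constructed sample input: the header comment of a plugin's main PHP file.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Gutenberg
 * Version: 16.8.1
 */
"""

# Constructed sample advisory. The field names are assumptions for this
# example, not the schema of any real vulnerability feed.
SAMPLE_ADVISORY = {
    "slug": "gutenberg",
    "title": "Cross-Site Scripting (XSS)",
    "fixed_in": "16.8.1",  # versions strictly below this are affected
}


def parse_version(text):
    """Turn a dotted version into a tuple of ints: "16.8.1" -> (16, 8, 1).

    Pre-release suffixes such as "16.8.1-rc1" are dropped, so a release
    candidate compares equal to its final release (a deliberate simplification).
    """
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a comparator; "16.8" and "16.8.0" compare equal.

    Comparing numerically matters: a plain string compare would put "16.10.0"
    before "16.9.0" and mis-flag an up-to-date install.
    """
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def installed_version(plugin_php):
    """Extract the "Version:" header from a plugin's main PHP file."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_php, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def is_affected(installed, advisory):
    """True only when the installed version is strictly below the fixed one."""
    return compare_versions(installed, advisory["fixed_in"]) < 0


def triage(plugin_php, advisory):
    """Produce the verdict a dashboard should show for this plugin/advisory pair."""
    version = installed_version(plugin_php)
    if is_affected(version, advisory):
        return (f"ALERT: {advisory['slug']} {version} is affected by "
                f"{advisory['title']}; update to {advisory['fixed_in']} or later")
    return (f"OK: {advisory['slug']} {version} already includes the fix for "
            f"{advisory['title']} (fixed in {advisory['fixed_in']})")


if __name__ == "__main__":
    print(triage(SAMPLE_PLUGIN_HEADER, SAMPLE_ADVISORY))
```

Run against the constructed header above, the script reports the site as OK, because 16.8.1 is not below the fixed version; a dashboard that still lists the record in red is showing history, not current exposure. Swap the header’s version for 16.7.0 and the same record becomes an actionable alert.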
Does the PatchStack security plugin do anything?
What does all this so far tell us about PatchStack and its “security” plugin?
- It is not a plugin that performs active security actions on your WordPress installation.
- It does nothing until you register and activate an API key, initially free, that only offers the (supposed) detection of “possible” vulnerabilities.
- Its sole purpose is to sell the (paid) protection service, because on its own it is useless.
- It sends you unsolicited, unauthorized emails with alleged security alerts.
And how does the PatchStack protection service work?
Surprisingly, this isn’t much use either, as you can see…
The services added when you sign up for the paid plans (from $99 per month or $499 per month) are:
- Automatic updates of “vulnerable” software.
- Custom alerts
- Custom reports
- Removing the PatchStack branding
That is, all you get is a subscription to the PatchStack newsletter and automatic updates, something you can already do from WordPress itself, from any good hosting company, or with services like ManageWP, which includes all this and more for free and detects vulnerabilities not from a single source but from dozens of them.
Summing up
In my experience, and mind you, I was warned, the disappointment with PatchStack was total, and it strikes me as one of the most ruthless security marketing strategies I have seen in many years, exploiting the “goodness” of the WordPress plugin directory, its community, and the goodwill and openness of its users.
So, in my opinion:
- You should not pay attention to any announcements or security bulletins from PatchStack, since its interest seems to be more commercial than anything else.
- Don’t install its plugin; it’s useless. Well, useful for one thing: selling you their service, which is also useless.
If you think I have been very harsh, you can’t imagine what I went through…
Are there alternatives?
Obviously:
- Don’t install anything. At least WordPress itself doesn’t send you warnings about supposed vulnerabilities or scare you about plugins that are up to date and secure.
- Try one of the best free security plugins available, which, yes, actually do things.