
What is Virtual Patching?

Virtual patching prevents vulnerable WordPress plugins and themes from being hacked when there's no security update available for them.

Dan Knauss

Along with hacked user accounts, vulnerable plugins are the most common threat vector criminals use to break into WordPress sites. As vulnerabilities emerge, software vendors release security updates or “patches” that fix the vulnerabilities in their code. Vigilant site owners, administrators, and agencies managing sites for their clients will quickly apply security patches. However, they might not be fast enough to block every attack. And as vulnerabilities reported in WordPress plugins surge in 2023, 40-50% go unpatched every week. What if you’re using a vulnerable plugin you can’t update or easily replace? That’s where virtual patching comes in to save the day.

To activate virtual patching, Solid Security Pro users must connect their sites to a SolidWP customer account with an active SolidWP support license subscription and then activate a separate Patchstack license. For more details, see our Help Center article, “How do I license Solid Security Pro?”

Unpatched vulnerabilities — and attacks on WordPress sites — are increasing

In 2023, CVE numbering authorities (CNAs) reported over 4,500 new vulnerabilities in the WordPress ecosystem. That’s more than the last three years combined. Worse, the percentage of vulnerabilities with no patch available has risen to 40-50% of the total vulnerabilities disclosed each week. 

Unfortunately, not everyone can update their site as quickly as new updates become available. They may have limitations like testing and approval chains to follow before they make breaking changes. And not everyone will notice there is a security update as soon as it becomes available.

Naturally, there’s a lag between the time when a software vendor learns about a vulnerability in their code and when they issue a security release. Sometimes, hackers exploit critical zero-day vulnerabilities they discover before any patch exists. A zero-day vulnerability is one that attackers are already exploiting by the time the vendor and everyone else learns about it, leaving zero days to prepare a fix. It’s the worst case possible.

The answer to all these threats is virtual patching.

Screenshot: Solid Security Pro 8.1.0 Mitigated (vPatched) Vulnerability Details
Hackers aren’t exploiting this plugin yet, but they might at any time. A virtual patch protects this site, so any exploit attempts will fail.

Virtual patches protect vulnerable plugins without a security update

Even if a patch for vulnerable code doesn’t exist, it’s often clear how attackers will exploit it with malicious HTTP requests. A Web Application Firewall (WAF) can block those requests with special rules. That’s what virtual patches are. They’re custom firewall rules that prevent malicious requests from ever reaching your site and exploiting vulnerable code. 

Virtual patches are provided to Solid Security Pro users automatically as threats emerge. Enable them in your Solid Security Pro firewall to protect your site. Combined with timely software updates and hardened user authentication — other Solid Security Pro features — your WordPress site is virtually untouchable by attackers, thanks to virtual patches.

Screenshot of Solid Security Pro 8.1.0 Mitigated (Virtually Patched) Vulnerabilities List
A virtual patch in the Solid Security Pro firewall rules engine protects this vulnerable plugin and mitigates its risk. An attacker can’t exploit it.

How virtual patching works

“Virtual Patching” is a term that emerged in the information security industry as an intrusion prevention technique. “External Patching” or “Just-in-time Patching” are less common but more descriptive alternatives for “virtual patching.” The vulnerable code itself is not patched, and no code on your site is changed. Instead, a firewall blocks attempts to exploit known vulnerabilities. The patch is “virtual” because it is “external” to the software it protects. The virtual patch is deployed “just in time” as zero-day attacks emerge and no patch for the vulnerable code exists. This buys you time to apply a security update when one becomes available.

Virtual patching in Solid Security Pro

Here’s how virtual patching works to protect WordPress sites in Solid Security Pro:

  1. Solid Security Pro’s site scan notifies you of vulnerable code on your site. It could be a plugin, theme, or WordPress core. More than 90% of the time, it’s a plugin.
  2. Solid Security Pro checks with Patchstack’s database to confirm a virtual patch is available. That means Patchstack has identified the vulnerability as a high or medium risk: it is being exploited now, or is very likely to be exploited soon.
  3. Solid Security Pro deploys the virtual patch for the vulnerability on your site. Your site is now protected from attack. The virtual patch will be removed when you fix the vulnerability with a security update or remove the vulnerable code.
Solid Security Pro 8.1.0 Screenshot: Virtual Patch Automatically Created and Logged in Firewall Rules (Log)
Solid Security Pro’s security event log records the creation of virtual patches as firewall rules.
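As an added illustration (not Solid Security or Patchstack code), here is what such a firewall rule can look like as a WordPress must-use plugin in PHP: it blocks a directory-traversal pattern in one parameter of one route, but only while the installed plugin version is below the version that fixes the flaw, so the rule retires itself once the real update is applied, as step 3 describes. The plugin file, fixed version, route and parameter are placeholders, not a real vulnerability.

```php
<?php
// Hypothetical virtual patch rule (placeholder plugin, version, route and parameter).
// Each rule is tied to the plugin it protects and the version that fixes the flaw,
// so it goes inert once the real security update is installed.
const EXAMPLE_VPATCH_RULES = [
    [
        'plugin'     => 'example-plugin/example-plugin.php',
        'fixed_in'   => '2.3.1',
        'path'       => '/wp-json/example-plugin/v1/export',
        'param'      => 'file',
        'deny_regex' => '#\.\.[/\\\\]|%2e%2e#i', // directory-traversal tokens, raw or encoded
    ],
];

// True while the installed plugin version is older than the version that fixes the flaw.
function example_vpatch_plugin_is_vulnerable(string $plugin_file, string $fixed_in): bool {
    $path = WP_PLUGIN_DIR . '/' . $plugin_file;
    if (!file_exists($path)) return false; // plugin removed: nothing left to protect
    if (!function_exists('get_plugin_data')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php'; // not loaded on the front end
    }
    $data = get_plugin_data($path, false, false);
    return version_compare($data['Version'], $fixed_in, '<');
}

// True when the request targets the rule's route and the watched parameter carries a
// denied pattern. The value is checked as received and after one extra URL decode.
function example_vpatch_request_matches(array $rule, string $uri, array $params): bool {
    $path = (string) parse_url($uri, PHP_URL_PATH);
    if (strpos($path, $rule['path']) !== 0 || !isset($params[$rule['param']])) {
        return false;
    }
    $value = (string) $params[$rule['param']];
    return preg_match($rule['deny_regex'], $value) === 1
        || preg_match($rule['deny_regex'], rawurldecode($value)) === 1;
}

// Run early on 'init', before WordPress routes the request to the plugin's own handler.
add_action('init', function () {
    foreach (EXAMPLE_VPATCH_RULES as $rule) {
        if (!example_vpatch_plugin_is_vulnerable($rule['plugin'], $rule['fixed_in'])) {
            continue; // patched or removed: rule is inert
        }
        if (example_vpatch_request_matches($rule, $_SERVER['REQUEST_URI'] ?? '', $_REQUEST)) {
            error_log('virtual patch blocked a request for ' . $rule['plugin']);
            wp_die('Request blocked by virtual patch.', 'Forbidden', ['response' => 403]);
        }
    }
}, 0);
```

Placed in wp-content/mu-plugins/ it loads before regular plugins; a production rules engine would cache the version check rather than re-read the plugin header on every request.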

Learn more about virtual patching from the Open Worldwide Application Security Project (OWASP).

Why virtual patches in your firewall provide better security than a malware scanner

Many WordPress security plugins offer malware scanners as a key feature. They try to scan for all known types of malware on your site, which adds significant load to your server resources and slows down your site. Malware scanners often create false positives and can’t detect all malware. Some malware even knows how to detect the malware scanner and disable or trick it into reporting your site is clean. 

Constantly looking for signs that your site may have been hacked is not a security measure. It’s an insecurity practice. Peace of mind comes from preventing known attacks from ever happening at all. That’s what virtual patching does. It’s an effective form of site hardening that only blocks real threats.

Our partners at Patchstack provide virtual patches to Solid Security Pro users automatically as threats emerge. You’re protected if you have virtual patching enabled in your Solid Security Pro firewall.

You can build a defense in depth by creating multiple layers of protection with Solid Security Pro. Activate automatic updates, advanced user authentication, and virtual patches in Solid Security Pro to reduce your risk nearly to zero.

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
