The WP Minute brings you news about WordPress in under 5 minutes -- every week! Follow The WP Minute for the WordPress headlines before you get lost in the headlines. Hosted by Matt Medeiros, host of The Matt Report podcast.
Matt Medeiros (00:04)
Hey everybody, welcome to the WP Minute. Today's special guest, Oliver from Patchstack. Oliver, welcome.
Oliver Sild (00:12)
Hello, happy to be here.
Matt Medeiros (00:14)
I've got to get the housekeeping out of the way. Patchstack is a fantastic sponsor of the WP Minute. We couldn't do it without them, but they are joined today. I was chatting with the team. We're like, when we do sponsorships, we have to bring like core value to the audience. We're talking about like, you know, people knock on the door to sponsor the WP Minute. Like, hey, can we just pitch our product? We're like, no.
No, you can't do that. You have to have some educational value. What we try to do here at the WP Minute is get people educated. And I was talking to your team, they were like, well, we have like a zillion things that we can teach your audience. One of them, of course, is the Cyber Resilience Act, which I'll be honest, I know very little about. I'm not an agency owner anymore, but we have a lot of agency owners in the crowd and we can touch upon that and get people ready
to understand what they should be thinking about when faced with trying to understand this stuff. But you all have some new research out. I know you have stuff coming out all the time, so I'm sure this will be a wealth of knowledge. Patchstack is the dominant force for what I would say WordPress security, information, product, scanning, all of the stuff that agency owners and WordPress owners should be aware of.
Oliver, where have you seen Patchstack evolve the most over the last couple of years? You know, from simple scanning to now like leading the pack of like saying, hey, we have research. We're trying to understand threats and awareness for WordPress.
Oliver Sild (01:54)
I would say one of the big things that we did, so four years ago we actually did a pivot, right? Before that we were called WebARX and then we were kind of like in the path of building like an all-in-one kind of like a security product, which is a very, I would say, common thing happening in the WordPress ecosystem. Like everyone ends up building some all-in-one solutions because that's the demand, right? Like customers want
everything and in many cases pay nothing. That's kind of like the motto, right? So we really took like a kind of like a reflection time for ourselves and looked into, like, what we do the best is one of the things, and then also like what really needs to be solved in this ecosystem. And we ultimately realized that, you know, first of all, we do really good security research, like
half of our team is literally security nerds doing research. We've been doing bug bounties. We've been doing pen testing, stuff like that. So that is our jam, right? And then the second thing that we kind of looked into is, over the years, even last year, when we did a research together with Sucuri,
like half a million websites are getting hacked every year, right? That's a lot of websites getting hacked. And why is this happening if we have all sorts of security products on the market doing malware scanning, doing firewalls, whatnot, and we're still facing the same problem? So we're like, okay, let's try to, instead of, I would say, cure the symptoms, right? Let's try to really...
dive into what is the root problem there. And ultimately you end up with people not updating their stuff, and that un-updated stuff has a lot of vulnerabilities in it. So specifically security vulnerabilities in plugins that are developed by different plugin developers, which are quite often riddled with vulnerabilities that the users of WordPress...
are not necessarily patching in time and hackers are taking advantage of it. So I would say that has been really the core focus of Patchstack. We've gone really heavily into vulnerability, kind of like research, threat intelligence, in that regard. We've partnered up with Google. We created an AI-based code review tool that is finding vulnerabilities on its own in WordPress plugins. This year alone, I would say we've, I think...
processed around almost 5,000 CVEs already. That's like 5,000 new security vulnerabilities that have been reported exclusively to Patchstack. I would say around 75% of all known security vulnerabilities in the WordPress ecosystem are originally reported to Patchstack through our bug bounty program. And then what we created also is the managed vulnerability disclosure program that now dives a little bit into this Cyber Resilience Act direction.
But this is essentially a platform for plugin developers to stay compliant and to make their code more secure. So a lot of the security reports also go through that.
Matt Medeiros (05:25)
I have a ton of questions about baseline security for WordPress, where just over halfway through 2025, I used to work at a company called Pagely before it was acquired by GoDaddy. Just as an account executive, I was not a security specialist on the infrastructure team at all. But we had a lot of discussions with customers and clients. It was top priority for them. And this goes back six, seven years ago. I'm wondering for the...
the user out there who's listening to this going, haven't they just solved, you know, patching plugins automatically? Isn't this a thing of the past? Why haven't we gone beyond that point already? Do some hosts require users to still update manually? Is that a business for them to be like, hey, if you get this plan, you have auto updates? I thought
Here in 2025, everyone knew to keep their stuff updated. What do you see on your side? And is there one thing people should just be doing besides clicking that update button?
Oliver Sild (06:31)
So you know this is not only a WordPress problem, right? This is not a WordPress-specific problem. Like when you're looking into the statistics, even on the enterprise market where you have complex infrastructure, IT systems, things like that, the average time it takes for a software vulnerability to be patched in a system is like three months, right?
This is a really, really long time. And hackers know about it, so they take advantage of it. You remember when WordPress released the feature to enable auto-updates on plugins, right? The first thing that you saw on blogs, if you Googled about this, the blogs didn't talk about this new amazing functionality, like you can now auto-update plugins. Every blog post was like, how to turn this off?
How to make sure that the updates are turned off. Like literally, when, like, I remember, you know, laughing about it. It's actually kind of sad, but I did, you know, find it funny. It's like when it was rolled out, like every single post, like everyone was talking about how to turn it off, how to make sure that the customers don't enable it, you know, accidentally, and things like that. And the reasoning behind it, you know, that... Like I think there's some mistrust in
Matt Medeiros (07:25)
Yeah, yeah.
Oliver Sild (07:50)
the plugins that people have been using historically and them maybe breaking the sites and things like that. I guess agencies are a little bit freaked out about having those updates being done automatically and then maybe there is something that this... It's not even about whether it actually breaks something. It's the fear of maybe it breaks something. And that is ultimately one of those problems, right? That's why people are not keeping them updated and...
And another statistic that I would add here is that when we've done... So every year we are releasing this State of WordPress Security report. For the past two years we've been doing it in partnership with Sucuri. And around 30% of the security vulnerabilities found in plugins and themes, 30%. So 30% is not getting a patch. So...
In 30% of the times, you don't even have the ability to update anything. We know that there is a security vulnerability in a plugin, but when you go and log into a WordPress install and look into the list of plugins, you see everything is up to date. And of course, then there's also the problem of all the abandoned plugins, which is a separate problem on its own. So, yeah.
Matt Medeiros (09:09)
Is this,
is that lag, that 30% number, do you think that's specific to WordPress, or perhaps maybe you're only researching WordPress and other CMSs, but is that specific to WordPress because people come in, they build a theme or a plugin, they try to make a go at it as a business and they just can't do it, and then they kind of abandon it and the user doesn't know because there's no relationship? How much of that is happening where people just kind of like give up on that plugin or theme?
And now it's just left to just, I guess, lack of a better word, get exploited over the years. Is that a big thing or is it just they're not doing it right, a majority of them?
Oliver Sild (09:47)
So a lot of them are just like, you know, they are, you report the vulnerability to them, they don't respond for a long time. They don't really, I guess, care about it or they don't even have a place where to contact them. And then, you know, we also have responsibility in front of the security researchers who are reporting those vulnerabilities and also to let the customers know that they have a vulnerability that has been going unpatched. So...
Once you make it public and when they find out about it somewhere, then they might react in a week or two. But when a vulnerability is already published, hackers are seeing it immediately so they can go after and start exploiting those websites because they know that the customers have no idea about that. And then there's this other group of vulnerabilities where the developer is comp...
is basically missing, right? So it's a plugin that has been added to the repository some time ago. Maybe it's a really simple functionality that is getting added on the website. But the developer built it maybe five, six, ten years ago. And it could be that it became, it suddenly became a popular plugin like three years ago. But that was already after the developer left and...
started working on some other stuff and things like that. So ultimately the plugin gets abandoned and then this plugin also gets closed down. Last year in October we did like a WordPress ecosystem, like a cleanup event, where we literally looked into plugins that have low install counts and then we were looking for vulnerabilities there. Just intentionally to see like how many of those plugins are not going to get patched at all and whether they are abandoned or not.
And we closed down, I think, like 1,000 plugins in a month, which were like, you know, they never received a patch. They still haven't received a patch, and the developers have already gone to do something else. So I think there's still quite a lot of those plugins in the repository that are completely abandoned, that have like, you know, maybe 1,000 active installations, but when you're counting all of those abandoned plugins together, having, you know...
Matt Medeiros (11:37)
Wow. Wow.
Yeah.
Oliver Sild (12:02)
that they have critical security vulnerabilities, hackers can just go after them, the users cannot do anything about it with updates.
Matt Medeiros (12:11)
I don't want to accelerate the conversation immediately into AI because that's a whole thing. But I mean, I just tested out and published on the YouTube channel, Automattic recently announced a Telex application where you chat with a bot and you can build blocks or I guess mini plugins. I built a little thing that connected up, just as an experiment, an API over to Pexels to pull images in from the Pexels photo repository. Really cool as a power user. I'm like, yeah, I like this stuff.
Oliver Sild (12:16)
Hahaha.
Matt Medeiros (12:41)
But then immediately in my head, I'm thinking, my God, anybody can build any software and just run this on their site. And now you're just gonna have the common person who's just like, I need this functionality, connect to Facebook to do this thing, and then next thing you know, like something is happening and code is really bad. That's like, I mean, I can't even imagine to think about how to analyze, research and thwart
those kinds of threats when it's not even like a bad actor, it's just somebody who doesn't know what they're doing with code on their own site. What are your thoughts on like protecting the user at that level?
Oliver Sild (13:18)
Yeah.
I think Matt also shared some statistics about the amount of plugin submissions that .org is getting. I think there's been like, yeah, so I don't remember what the number was, like 78% increase or something like that. Because of AI, there's just so many new plugins being added into the repository. We've talked to people in the community who have like, you know,
Matt Medeiros (13:35)
because of AI now. Yeah.
Yep. Yep.
Oliver Sild (13:50)
There's like kits to basically use with AI to build plugins and things like that. So, you know, so many of the new plugins that are being added into the repository are generated by AI. Now, the question is, once we identify a security vulnerability in one of those plugins, which we continuously do, like we already find vulnerabilities in those plugins, and quite a lot, frankly, the problem is that the developer who used this...
who used AI to build those plugins, they have no idea how to fix those vulnerabilities. Well, they can ask AI to fix it, but that's not often a very... I always tell a good story that when I was in the Google engineering offices in Munich, we were with the Gemini security team there, and they were trying to use Gemini, and they have this big...
They have basically like a SecLM, like there's LLMs for security. And they were trying to see whether AI can fix security vulnerabilities, right? So they were like, okay, let's make a test. We have vulnerable software, let's ask AI to basically fix that vulnerability. And then they ran a benchmark of like, okay, does this now still have the vulnerability or doesn't it? And then they saw that, okay, AI was capable of removing the vulnerability in quite a high percentage of times.
But then when they started looking into it, what they did was it just commented out code. So, you know, it broke the application just to not make it vulnerable. But, you know, that would obviously cause, you know, a bunch of other problems. But the thing with AI is, obviously, the number of vulnerabilities going up is quite significant. But there is, I would say, an even bigger problem, which is the fact that
Matt Medeiros (15:21)
That's what I would do. Yeah.
Oliver Sild (15:44)
AI is also available for the hackers. They can, like, we have a solution internally, like, Patchstack has a system, which is basically like, we take a WordPress zip file, we run it into a system, there's like a multi-level process with different AI modules included, it basically builds a whole context of that application and then looks how the data flows within the code base through multiple layers and then figures out whether there's vulnerabilities anywhere in the code base and it does that for the entire...
plugin in one go. These kind of solutions are available also for the hackers to basically scan, you know, potentially through, well, it's going to be expensive with AI, but they can in theory, like scan through the entire WordPress repository to find those security vulnerabilities and then also use the same AI to write exploitation scripts. And now this is a big problem because in the past,
the hackers that were the fastest were the ones that were the most skilled. They found a new vulnerability and then they quickly wrote an exploit script to basically hack as many websites before the users had time to update. That barrier is now gone. Any script kiddie that can follow vulnerability databases, anything like that, they're like, okay, this plugin, this version has a vulnerability. Give that, I don't know, vulnerability, like a CVE, to AI and tell it like, hey, can you write me a...
Can you find the vulnerability where it was specifically and can you write me an exploitation script to basically test my systems? Actually, it's a full blown exploitation script. They can go and weaponize it in so short time. We're already seeing that the vulnerabilities are weaponized in a matter of hours, sometimes in 30 minutes. So now this time is getting even shorter and please show me one agency.
Matt Medeiros (17:26)
Yeah. Yeah.
Right. Yeah.
Oliver Sild (17:37)
who after a plugin is receiving an update goes and updates everything in 30 minutes. Nobody does that. So that's the challenge that we are going to face, or facing already.
Matt Medeiros (17:41)
Yeah. Yeah.
Yeah.
Yeah. And I would say like obviously the broader scope, right? Because anyone who's launching, well, like a person like me, Bolt, Replit, like we're just building JavaScript apps now that are just whatever we want. And we're not even working in the confines of WordPress anymore. Like I'm able to build these things. And just the other day, I was away last week and every day I was getting it. It's one of those things where I get an email
and it's from the OpenAI API. And it's like, your account's been funded. So I'm like, okay, so like five bucks. And then like the next day, your account's been funded five bucks. I'm like, because I built this app that reads a bunch of WordPress news sites and aggregates it and summarizes it. So I'm like, must be a lot of news happening. So then it's like the next day, your account's been funded again for five bucks. I'm like, how much is my API key being processed for PulseWP? So I log in.
to my OpenAI API console, and it's just like all these image requests coming through for my API key, and I'm like, I'm not the one making these image requests. My app does not do this. So somewhere along the line, I built something and the API key was left out into the public somewhere and somebody was abusing it. Now it's easy, because I could just.
Oliver Sild (18:52)
Ha ha.
Matt Medeiros (19:05)
I just delete that API key. I mean, I was just like, okay, that's how I found it. Like, that's how I mitigated it. But there's gonna be a lot of people who don't know that and can't make like these decisions. Yeah, I mean, no real question there, but it's just like, that's the world we're headed into, I think, with AI. And I've seen it with Replit, like they have a security scanning thing, but you know, who's gonna do that? I mean, I don't think many people are gonna do that when they're playing around with this stuff.
Oliver Sild (19:17)
Yeah.
I just...
For sure, I mean, in general, the cost of using AI to build simple websites is ultimately going to be greater than just slap a CMS on it, right? People don't realize that, but you're building an application with AI, and then the cost of doing every edit... You have to consume LLM and the resources for every single edit you want to make on this website. For every bug fix, every time you're paying those LLM credits.
And then we are running those AI meetups here in the co-working space where I am right now, and people, like, they try to build an e-commerce website with like Lovable and with v0 and stuff like that, and they're like, it's gonna get like so expensive. Like they're like, I wish I just used a WooCommerce site and just, you know, slapped it into WooCommerce, hosted it somewhere, paid just like a monthly fee for the hosting and, you know, that's it, right? So at one point we are getting to a
Matt Medeiros (20:17)
Yeah, yeah.
Oliver Sild (20:30)
to a question, you know, that's a little bit away now from the topic of security, but like, should we vibe code everything? And maybe it makes sense to just use something that is already working out of the box and we don't need to reinvent the wheel every single time and actually spend an insane amount of compute to do it all over and over again. So it's like really inefficient.
Matt Medeiros (20:52)
Yeah,
yeah, yeah, no, I'm 100% there with you. And I think that might be one of the, like one of the things that I'm always trying to do is like, how are we like still supporting WordPress, the project, like how are we still making sure that people want to use this tool, whether it's for like the blog side of it, like, hey, I just want to be an end user, I want to publish words, or I'm a developer, I want to build sites or solutions for clients. And, you know, I think that myself included, everyone's so excited about AI.
But when you start to spend the cycles, like the mental cycles of building a piece of software, I think this might be the one good thing that comes out of this, or one of the many good things that comes out of this, is people realize, yeah, it's not as easy to do it. Like, version one was great. Like, your immediate MVP was like, look how awesome that was. But then you had to like fine tune it and get it right and like ship it so that it worked. And you're like, this took forever.
Like I spent a ton of tokens and this took forever. Now who the hell is gonna fix it when I need another feature? And I think what people, I hope people do is like you said, like WooCommerce is right here. Why didn't I just use this? Right? And you start to realize like, that was nice. Yeah.
Oliver Sild (21:52)
Yeah.
And then you have people who can actually come and help you when you're getting stuck,
because with AIs, when you get stuck, you're basically like, you have to find a JavaScript engineer who is then going to untangle the entire mess and then figure out where something went wrong. So it is definitely a tricky one to solve and I think it creates a lot of technical debt. And I think ultimately the question also is like...
This is something that has always been coming back. I remember five years ago, everyone's like, yeah, but who cares about WordPress? You have Wix and Shopify and things like that. We've already been through that with WordPress, right? PHP has been dead for the past 20 years. It's kind of the same thing. And to think with Wix and Shopify and things like that, and then where people are still shocked why people continue to use WordPress is the fact that the main misconception is that
Matt Medeiros (22:45)
Yeah, yeah.
Oliver Sild (22:57)
people think that people want to build their own websites. People don't want to build their own websites. That's why we have agencies. And the question is whether agencies are now going to use AI to vibe code stuff, because to build something for their customer, that's a really tricky question because it's going to be so much more expensive for an agency to build a customer an e-commerce store
by vibe coding it and spending tons of money on LLMs compared to using something that they already know very well and they can get the stable product out, which requires less maintenance actually than later figuring out like all the tangled mess that the LLM created. So I think that this is a market dynamic that we need to take into account here as well when it comes to AI and also the security side, right? Because we know the challenges, the security challenges of WordPress. You know, we know about that.
But when we think about like vibe coded applications, like the security challenges of a vibe coded application is a black box. Like anything can come and jump out of it, you know, any minute that you are not prepared for. Yeah.
Matt Medeiros (24:05)
Right. Right.
Yeah. Yeah. It's
good business for Patchstack though. You have plenty of customers knocking on the door. Speaking of customers, for the agencies and the freelancers out there listening, where does Patchstack sit in the solution for these types of customers?
Oliver Sild (24:14)
It definitely is.
Matt Medeiros (24:31)
If we go to Patchstack.com slash pricing, we can see it starts off at $69 a month, billed annually, 25 websites. To me, that says, hey, we're for the professional. We're for the freelancer who's got a bunch of clients. We're for the agency that's got a bunch of clients. This isn't just I'm a pizza shop and I have a website for my pizza store and I just need security. I mean, I'm sure they could pay the 70 bucks, but I think this is geared more towards that freelancer or agency. How do you
want somebody to onboard to that experience. Like what should they be thinking when they deploy this against their portfolio of sites?
Oliver Sild (25:07)
So, Patchstack is used by agencies and freelancers quite a lot, and also developers, to essentially cover the vulnerabilities in the WordPress application itself. Hosting companies cover, with the DNS firewalls, like Cloudflare and things like that, they make sure that some bots are not taking your site down with an insane amount of requests, like DDoS attacks and stuff like that,
or just kind of filtering out some spam and things like that. So, Patchstack specifically focuses on providing the fastest protection to WordPress-specific vulnerabilities, which web application firewalls and hosting-level security solutions are applying to. And what agencies do is they, you know, you can just go and sign up to the developer plan and you can kind of very quickly connect WordPress sites with it. And then a very common use case is to basically include the security into your care plans.
We really recommend all agencies to basically offer maintenance and care plans to their customers because that is first of all commercially one of the best ideas to generate recurring revenue, but this is insanely needed for everyone who has a WordPress site because continuous maintenance is something that everyone needs when they have a WordPress website. If you don't want to stress out every night, like, my God, like...
Can I go to sleep, because maybe at 1 a.m. in the morning one of the plugins is releasing an update that includes a security fix and then I need to quickly go and update it. What Patchstack does is that we are actually, for every single vulnerability that is getting published in the world, we create custom-crafted security rules for it. So when a vulnerability is found in an update that is released in a plugin, we can automatically mitigate that without any action needed from the agency so they can...
wait to update whenever they want to actually update without leaving the website exposed. And that is the main benefit of Patchstack essentially. And then we work with a lot of hosting companies, right? Like one of the core focuses for Patchstack is actually hosting partnerships and different partnerships with products like WP Umbrella, for example, many different hosting companies that we work with, Pagely, that you mentioned, where Patchstack can be a risk,
That is the place where if you just have like a little bakery or a pizza shop, whatever, and you just have one website, then the place where you should get Patchstack is through your hosting provider. There's no need for you to like have a full-blown Patchstack kind of like, you know, account and, you know, the dashboard and, you know, all the bells and whistles. You can just go to your hosting company, pay, you know, $2 a month and your website is protected. So that is how we've kind of like approached it. We have a full security suite for agencies.
And then we do very deep integrations with hosting companies to provide that level of protection on scale. And then those who have just a single website or whatever, they can get Patchstack through the hosting provider that they're already using. Just to make life a lot easier for everyone and kind of make sure Patchstack is available and accessible as well as possible.
Matt Medeiros (28:24)
You mentioned before that you've done some partnership work with, or work together with, Sucuri before. From my standpoint, from the sidelines, maybe I missed the memo. Aren't you guys competitors? How does that work? Or is it just a shared knowledge of, just like we share knowledge in WordPress, you're sharing knowledge in security? Is that what that is?
Oliver Sild (28:39)
Ha
So that's the beauty of Patchstack in the sense where we decided to not be an all-in-one solution and we decided like, we're like really going bang on this one problem. Like we are going to do like the best threat intelligence in the ecosystem. We obviously are controlling basically the data flow of all the security vulnerabilities. So we just cover like this one lane, right? So we just like...
We know about the vulnerabilities before anyone else and that allows us to protect the customers from vulnerabilities before anyone else as well. At the same time, we don't want to do any of the malware scanning stuff. We don't want to do any of the, I don't know, generic kind of like IP blocking reputation stuff that, you know, DNS firewalls and things like that do. So that kind of leaves a door open for us to partner up with other security companies that do all these kind of things. So for example, with Sucuri we have the partnership.
iThemes Security, now Solid Security, we are in partnership with them, which is powered by Patchstack; WPMU DEV Defender, powered by Patchstack. So we are kind of like building this foundational layer of protecting WordPress websites from plugin vulnerabilities, which happens to be the main way how WordPress websites are getting hacked. And so we want to just make this available across the ecosystem as widely as possible.
I honestly believe that the only way to do that is through very deep partnerships. And that partnerships include also partnering with someone that others may consider competitors of ours. In fact, a week ago, we announced an open web security alliance where we basically have invited every stakeholder in the ecosystem who is providing hosting,
who have plugins that are basically powering a lot of different websites, security companies who are providing security services in the ecosystem. We have created what's called Patchstack Alliance where we essentially share the information about the latest threats, the incidents and things like that so we can all work together as a community and basically make sure that information gets shared within the ecosystem, within all the security teams to make all the customers safer. So this is...
our approach to trying to make the biggest impact in the ecosystem.
Matt Medeiros (31:11)
Yeah, that makes sense. No, it's obviously a smart move. Towards the end here, I want to talk about the Cyber Resilience Act. Again, going back to my Pagely days, I remember when GDPR was about to become a thing and it was... I don't want to say the fish were jumping into the boat, but as a sales guy, people were like, hey, we need this. We need to make sure that we have hosting that supports this. For folks listening who haven't heard about the Cyber Resilience Act yet, how can we just sum it up for the freelancer or small...
agency owner out there. What does this mean to their day to day, if at all?
Oliver Sild (31:45)
Yeah, so one of the first things I have to say is, like, if you remember what happened when GDPR became the thing, what needs to be understood is that the Cyber Resilience Act is going to be way bigger. It is going to impact a lot more companies and it is, you know, with GDPR it's like I can just tell you, like, we are compliant. Like, I don't need to show you anything, but I can, like, say, like, yeah, we have like all these data processes internally in place and like...
We keep the registries and whatnot and like, we're totally compliant, right? Which, you know, we have the cookie notice, you know, we're fully compliant, which is rarely the case. With the Cyber Resilience Act, essentially what it does is that whenever, if you're selling a digital product, in which case, if you're a digital agency, selling a customer a WordPress website, that is a digital product and it needs to have a CE mark.
The same CE mark that you put on physical products that you sell in the European market, right? So regardless whether you're an American company, I don't know, wherever you're from, if you're selling, like it's not even if you're selling your product in Europe, if you're making the product available to the European, like if there is a possibility for a European citizen to buy your product, you need to have compliance with the Cyber Resilience Act.
And some of the simple things then comes like vulnerability management is mandatory. So whenever there is a security vulnerability found in your digital product, that includes all the plugins. So if you're a plugin developer and there is a security vulnerability in your plugin, you are... First of all, you need to have vulnerability management in place. You need to have the supply chain security covered. You need to have SBOMs, basically like software bills of materials that basically...
It's like an ingredient list of what your software is made of, right? You need to have a security point of contact. That's why we created this PatchStack mVDP program where over 1,000 plugin vendors already have PatchStack as their security point of contact. So you need to have all these things set in place. And then if there is a security vulnerability found, you need to make sure that it's reported into the European vulnerability database. You need to make sure that the customers...
are always going to be notified when there's a security vulnerability in your product. You need to publicly... You need to make it public that there is this vulnerability. And like all these things are very easily checked from the outside. So now you need to take into account that if you fail in any of those things, then...
In most of the cases when you have compliances like that coming up, the companies that are going to make the most money are law firms, right? And now you need to take into account is that law firms can easily check whether your software is compliant with the Cyber Resilience Act or not. Do you have a security point of contact, like, do you have a VDP program? This is mandatory. If your plugin does not have a VDP program, a proper security point of contact, then the law firm can just find one user of your plugin
and then tell them, we're going to basically make a lawsuit, ask for damages, and then they're going to split whatever the fines they are going to do for that. This is already happening with the Accessibility Act, by the way, where people are like, they've been damaged by the websites not being accessible and things like that. Law firms are making all these lawsuits and then basically they settle and then they are making money and pushing those companies into compliance.
This is what is going to happen. Right now WordPress is completely non-compliant. Agencies need to take into account that they need to start having vulnerability management in place for every single website that they're going to sell. Plugin developers need to have VDPs in place and the same things. All the security updates need to be separated from functional updates. There's quite a lot of change that WordPress.org itself needs to do as well to make...
all of this even possible for the plugin developers to become compliant and so forth. And the law was already passed. So the law was passed in October last year. This, sorry, next summer in June, the first obligations are kicking in, which means that the first obligations are basically the obligation of having VDPs. And if there is a vulnerability, you need to report vulnerabilities to all customers. So if you're an agency and the website...
has a plugin that is vulnerable, you have an obligation to let the customer know of that vulnerability and then provide some level of mitigation and things like that. So vulnerability management is going to become essentially mandatory in that regard. And the full obligation, I think, is starting to kick in somewhere in 2027. But we have less than a year basically for the first ones.
Matt Medeiros (36:51)
And how has PatchStack the product had to change? Let me ask it this way, trying to not be just like a strong sales pitch for it, but does one just sign up and have an account and all of this stuff is now taken care of because you have PatchStack? Or, because I remember with GDPR, it wasn't just like, switch over to Pagely because Amazon infrastructure, Redis database over here, front end over here, everything's separated, yada, yada, yada. There was still work to be done.
Oliver Sild (37:11)
Yeah, yeah.
Matt Medeiros (37:20)
there was administrative work to be done. Is it as easy as just signing up for PatchStack and then you're checking a lot of the boxes, or is there still a lot of like stuff that these organizations will have to do?
Oliver Sild (37:21)
Mm.
So
The Cyber Resilience Act has types based on the importance of the software or the digital product that you're offering. For example, if it's a security software and a firewall product, for example, which is the category that we have, which is the highest category, then you have the highest amount of compliances. So we started working on our compliance five months ago already without even having a lot of the information known to us.
And what we're doing is actually documenting all of our process of us becoming compliant first. And it is quite a lot of work, right? We are going through the hardest, like we are like on the hard mode, right? So we're going through that. So there's things that companies need to do themselves as well. But because we've run through this process, we've already looked like, okay, if we need to do those things, we need to make sure that our product includes those features that help others who are now going to follow getting compliant.
for them to just basically make that easier, right? So, you know, that includes like the entire mVDP platform that we created, which was actually co-funded by the European Union as well, where plugin developers can just sign up to it, they can add their plugins, it immediately gives like a visibility into like all the vulnerabilities found in their plugins, how they are getting, you know, solved, there's a secure channel how vulnerabilities are going to get reported, they immediately have the VDP. Like if you're going, if you have a plugin,
and you're signing up to PatchStack mVDP, which is completely free by the way, because we did build it together with the European Union, then you're going to be compliant for the stage one, which is happening June 2026. So that is the first part to get covered. Next things that you can do there is to keep your SBOMs, which are going to be required as well, things like that. So we're adding all of those based on the new law into the platform. So plugin developers can get compliant. And then...
agencies who build WordPress websites as digital products for their customers, they can be compliant when they are using PatchStack, install it for their customers, and then the customers can get notified about the vulnerabilities and so forth. So that's basically how we are kind of like building it up to support the shift that is happening in the ecosystem because of the Cyber Resilience Act. I also gave a talk at WordCamp Europe this year about that. So...
on wordpress.tv I think, or wordcamp.tv, you can actually see my talk as well, so I recommend checking it out as well.
Matt Medeiros (39:58)
Yeah, I'll link that up in the show notes. I'm on PatchStack. By the way, PatchStack.com, the footer. This is the best footer I've ever seen in my life because there's so much. You have all these like new updated like number badges for all this stuff. There's so much information and stuff in your footer. If someone goes, I scroll down to the footer, there's the active VDP directory. It says 858 WordPress plugins with active vulnerability disclosure programs. This means that these...
Oliver Sild (40:15)
Yeah.
Matt Medeiros (40:27)
plugins in this directory or this database here, they're what? They're sharing the data with you and they're letting you know like, we found something.
Oliver Sild (40:37)
For
all these plugins, PatchStack is their security point of contact. You see Elementor there, for example. If anyone in the world finds a security vulnerability in Elementor page builder, then Elementor is saying, great, report that to PatchStack. We then process it, we validate it, and then we control the disclosure process for this vulnerability to be published. We help the Elementor team to basically fix it up and things like that.
Matt Medeiros (40:45)
Yep, yep, yep.
Oliver Sild (41:07)
If you're, for example, an Elementor user, then the best security for your website to keep your website protected is actually coming from PatchStack because we always know about Elementor vulnerabilities first, and that also allows us to essentially mitigate those vulnerabilities even before any other security company becomes aware that there is a security vulnerability in the first place. There's nearly 1,000 plugins who have already decided to make PatchStack their security partner basically for that.
So definitely I recommend to first of all check this list for that reason. So if you're using any of those plugins, it might make sense for you to use PatchStack to secure your websites as well. But also look at those plugins and think of like, hmm, I want the plugins that are installed on my website to be in this list because that means that they're also CRA compliant. Because they are already having VDP set up, they are already running those security processes that are...
from the official guidelines and things like that. So hopefully we'll see more and more plugins there. Right now we're getting like 100 new plugins every month, so it's quite active.
Matt Medeiros (42:15)
When the Cyber Resilience Act says that like the phase one, the end user needs to have VDP, is that what this is? They need to be able to... Okay, so if you're an agency owner, would you apply to the program or would you just say, no, I just need to look for these plugins?
Oliver Sild (42:24)
Yes, exactly this.
So if you're an agency and you're building a WordPress application, you need to make sure that all the software that you're using to build the digital product is compliant with the CRA. So every plugin that you as an agency are going to install on a WordPress site, you need to make sure that they are already CRA compliant, right? So this is how it kind of starts to snowball into... That's why plugin developers should actually start...
Matt Medeiros (42:58)
Right, yes.
Oliver Sild (43:03)
working on that right now because otherwise those who are going to be late, they are starting to basically lose customer base because agencies can't use them. And then if agencies don't actually do vulnerability management properly and they don't look into the plugins that have the compliance, the agencies are starting to lose customers because enterprises who want to have a website built, they need to also have their website compliant and they need to ask the agency like, hey, do you have an SBOM for our website?
Are all those components that you are using compliant? It starts to kind of like pile down. So that's why I'm saying it is going to affect the entire ecosystem.
Matt Medeiros (43:40)
Yeah, yeah, yeah. And like, you know, if you're an enterprise or a bigger business, like if they're launching a website next year, I mean, that's already started. Right. Like, so that plan has probably already started with an agency and they're already thinking like, well, when this launches in the summer of twenty twenty-six, you know, we're going to need to have this phase one checked off. So, yeah, no, it makes sense. Yeah, it's interesting hearing from you like how much PatchStack differentiates
Oliver Sild (43:48)
Yeah.
Matt Medeiros (44:09)
against the all-in-one solutions on information, like information and education. You know, that's fantastic. I mean, that's great. Where can folks go? Okay, so I'll link up the, there was a hosting report too. I wanted to pull up, I think somewhere.
Oliver Sild (44:28)
It's
on the website, there's a banner on the front page and top of it under the menu bar. If you click on that...
Matt Medeiros (44:34)
Yeah, resources,
case study. Oh, right here, yes, Hosting Security Tested: 87.8% of vulnerability exploits bypass hosting defenses. Let's wrap up with this one. How? How do 87.8% of vulnerability exploits bypass hosting defenses? I think a lot of people try to put their trust, in fact, I myself put trust in my host. Do they not have the right tooling? Are they not
quick enough on the turnaround time? Like, how do we get these hosts to say, let's get this defense set up before these exploits happen?
Oliver Sild (45:12)
So the whole test actually came from the point where everyone is like, people are like saying like, actually if you search, if you Google or if you ask AI, I don't know, AI results are anyways coming from whatever people have basically written on Google, right? But like, if you ask like, give me like five tips how to keep my WordPress site secure. Number one tip is choose a secure hosting. And that's what a lot of people are.
Matt Medeiros (45:29)
Makes no sense to me.
Oliver Sild (45:40)
ultimately relying on, because when they are looking, okay, I'm gonna look for secure hosting, and then this hosting company is saying, like, we have firewalls and, you know, we have, you know, all the bells and whistles that is coming from security, and then the customer's like, great, I don't need to think about security, I'm covered. If that would be the case, then why are we still in a situation where like half a million WordPress websites are getting hacked a year? Like, it doesn't make sense, right? And then I had this like...
argument with Matt Mullenweg on Twitter where he's like, yeah, but like all these vulnerabilities are already covered by hosts on the network layer. I'm like, hmm, okay. Let's run a test on that because what we see is completely different. In fact, we've been running a honeypot project. So what we did years ago already is like we signed up to every single hosting company that we could look for, registered the domain and installed the WordPress site there and then installed PatchStack on it and then...
Occasionally, we install vulnerable plugins in it, just to see what is basically reaching PatchStack, what is being blocked on the hosting level, things like that. Then we just continuously see that basically all the new vulnerabilities, everything hits PatchStack, which means that all the previous layers have failed. So we're like, okay, let's do a control test. Let's take different kind of hosting services that use different sort of security products,
that use Cloudflare in front of every website. And then let's take, to not make it biased, let's take only the most critical vulnerabilities that everyone has seen on the news, right? Like the very big ones that have been mass exploited, there's been warnings all over the place, there's news sites talking about those vulnerabilities, and let's test whether the attacks against those vulnerabilities are reaching PatchStack or not. Because the way how PatchStack works, right? We create...
security rules per vulnerability. We are not like kind of like a pattern-based security solution where we're like just trying to figure out like, hmm, this looks like an attack, right? So we don't do this kind of thing. Like, we have every vulnerability that is added into our database, we're going to create the security rule just specific to it, right? So we ran those tests and then what we realized is that, like, you know what the percentage was, like almost 88 percent of those vulnerabilities just go straight through.
There's multiple layers of defenses deployed on the hosting level. Cloudflare in front of it, and there's solutions like Imunify and whatnot in the middle of it. And then they still, we were able to exploit the vulnerabilities on those websites and gain full site control with our PatchStack installed. And what essentially that showed us is that the vulnerabilities, the most dangerous vulnerabilities
that are WordPress specific logic flaws that allow you to basically bypass authentication or basically change options on a WordPress install and create an admin account basically. Or where just like the plugin code is so broken that it just allows you to just get into the admin interface with completely normal looking requests. WAFs just are completely blind to these kind of vulnerabilities.
The security solutions are looking for like, does it look like a sophisticated cross-site scripting attack? Like, these attacks don't look sophisticated at all. They look like, they almost like, those attacks look like a normal use of the application, but this normal use is actually like a bug in those plugins that allow you to gain administrative privileges. And you can even get access to, you can like get like full control over the website without even adding malware on the website.
Matt Medeiros (49:29)
Hmm.
Oliver Sild (49:29)
So even the malware scanners and things like that didn't pick up anything. So this is the challenge. That is why I think, specifically agencies need to kind of like, okay, we really need to look into the WordPress application as a separate place where security needs to be applied. And we cannot necessarily just rely on a hosting company having a firewall somewhere and things like that because they just, those firewalls are trying to...
Matt Medeiros (49:54)
Yeah.
Oliver Sild (49:58)
protect the network or these firewalls are trying to protect the hosting server stack, right? But what we need, where most of the attacks are happening, is the application layer, which is the WordPress installation itself. So that needs to have a dedicated security.
Matt Medeiros (50:14)
It's fascinating. I mean, what, all right, fine, one last question. And I'm curious if maybe you see this, maybe you do. What the heck are people doing with exploiting sites? Like, what's the most common thing? Is it like a Bitcoin generator? Like spam links? Spam links to casinos? Like, what is it that people are doing en masse against, to hack into these sites?
Oliver Sild (50:19)
Hahaha.
They make money. Every website online is a resource. One of the big things that is being done is they just take control over the website to use that website as a node in their botnet. And then on the dark web, you are selling DDoS services, for example, to run targeted attacks against someone and take someone down. Cloudflare is continuously blocking off insane...
DDoS attacks where it's like terabytes of data being run against services to basically pull down massive things. So a lot of those attacks are actually coming from compromised websites. Like when we're seeing a lot of attacks are coming from OVH, from different hosting companies, we see that the websites themselves are attacking other websites. So that is one of the things. And then of course, when it's e-commerce sites, they inject like just that...
Matt Medeiros (51:29)
Yeah, yeah.
Oliver Sild (51:36)
Basically like a keylogger in the front end of the website where all the keystrokes that customers are adding on the website are being sent to the hackers. Well, that obviously means all the credit card billing information that they are adding in when they're doing checkouts, right? Like all this information is being sent to the hackers. So they get credit card information and basically money from there.
Matt Medeiros (51:50)
Yeah, yeah, yeah, yeah.
Oliver Sild (52:00)
SEO stuff, right? So they don't need to add malware to the website, you know, then they get busted, right? They don't want to deface the website because they would get busted. Much more beneficial for the hackers is to gain or basically compromise the website in such a way that they are kind of like stealthy in the background. They have full control over the website, but they don't necessarily reveal it. So they could like, you know, sometimes add, you know, some links to your blog posts, you know, to get backlinks.
You know, probably you know how many services that are like, hey, we can sell you backlinks on that number of websites and things like that. You know, they make a lot of money with that. So these are all these things, know, redirecting traffic is one of the things like, you know, everyone knows about the Japanese SEO spam. Also, there's like services to kill other companies SEO by basically intentionally doing black SEO techniques to basically kill someone like your competitors.
Matt Medeiros (52:34)
Yeah, yeah,
Yeah.
Oliver Sild (52:59)
SEO, right? All these things are services on the black market that you can basically enroll to and, you know, earn a lot of money. A lot of site... The scary part is that a lot of like what we are seeing is, you know, half a million websites got hacked last year, right? Okay, these are the ones that we detected malware on, but there's so many sites that are hacked that nobody knows that they are hacked. So that is what is concerning me the most.
Matt Medeiros (53:00)
Yeah, yeah, yeah.
Ahem.
Yeah,
Yeah, yeah, it's wild. I think there's better illegal ways to make money. Come to the New York Stock Exchange. All right. Oliver from PatchStack. PatchStack.com. Oliver, thanks. I mean, I was headed into this conversation going, I don't know anything. What am I going to ask? And it's just a ton of information. Thanks so much.
Oliver Sild (53:31)
Yeah.
Matt Medeiros (53:50)
for hanging out and sharing that. Thanks so much for sponsoring the WP Minute. All these resources will be linked up. Again, if you go to the PatchStack footer, there's a ton of resources there. I'll link up this hosting security blog post. The WP Minute is soon to launch a course on how to select WordPress hosting companies, and we'll definitely use this as a resource. Oliver, anywhere else you want folks to go to say thanks?
Oliver Sild (53:51)
Thanks for inviting me.
You can find me on X or Twitter or whatever it's called nowadays. Maybe it's getting a new name soon, who knows. Anyways, you can find me there and you can always DM me and reach out.
Matt Medeiros (54:30)
I heard Elon just got a bunch of the AI engineers from Facebook and I was like, didn't Facebook just pay these guys like hundreds of millions of dollars to go there and now he's stealing them too? Like what's happening?
Oliver Sild (54:40)
It's like some guys are making bank, like they're just moving from one company to the other and it seems like the same group of people just going to whoever raised the latest, so
Matt Medeiros (54:43)
Yeah.
Yeah,
they're definitely the ones laughing. Like who wants it? It's nuts. Anyway, thanks for hanging out everybody. Thanks for watching the WPminute.com slash subscribe. It's the number one way to stay connected. See you in the next episode.
Oliver Sild (54:51)
Yeah.