The Patchstack team has collected and analyzed all the 2025 data about the security of the WordPress ecosystem. Their our annual report shows that attackers are getting more sophisticated, it is getting harder to clean sites, and mention is made of the fact that security procedures may need to change given the rise of AI custom code.

A selling point of many hosting providers is that they provide security for WordPress sites. Some hosting providers even suggest that WordPress security plugins are not needed if you are using their hosting. Well, Patchstack tested this out and the results weren’t good. Don’t get rid of your security plugins yet.

Patchstack released a mid-year vulnerability report. There is some self-congratulation of their success as Patchstack now reports far more CVE’s than others in the WordPress space, but also now they apparently file more security issues than Microsoft. An interesting insight is that more than half of the vulnerabilities reported so far this year can be exploited without needing to hack credentials or have site access.

If you are going to be at WordCamp Asia, Patchstack is running a “Capture the Flag” hacker challenge. They already have over 100 people signed up.

The entire Patchstack app is now available as an API for free for people on their Developer plan. This allows for the integration of Patchstack with your own workflow and automations.

Patchstack reports on a WordPress security cleanup last month of plugins in the directory with vulnerabilities.

This podcast interview with Miriam Schwab and Oliver Sild might be of interest to developers interested in the free Patchstack managed Vulnerability Disclosure Program. They discuss how the program works and how it is of benefit to theme and plugin developers.

The well respected WordPress security company, Patchstack, received $5M in funding from Emilia Capital. Also, Joost de Valk, co-founder of Yoast will be joining their board.

Patchstack announces a free Vulnerability Disclosure Platform for WordPress developers to help them manage disclosures. This will help developers comply with the upcoming EU Cyber Resilience Act.