Vulnerability Patcher
Automatically detect known vulnerabilities in your WordPress plugins, themes, and core, apply virtual patches through WAF rules, manage auto-updates by severity, and roll back problematic changes.
Overview
The VistoShield Vulnerability Patcher continuously monitors your WordPress installation for known security vulnerabilities. When a vulnerability is detected, the plugin can apply a virtual patch immediately (blocking the attack vector without modifying plugin files), schedule an automatic update, or notify you for manual action.
Key capabilities include:
- Synchronized vulnerability database from multiple sources (WPScan, NVD, Patchstack)
- Scheduled and on-demand vulnerability scanning
- Virtual patching via WAF rules that block exploit attempts without changing code
- Severity-based auto-update policies with scheduling controls
- Automatic pre-update backups with one-click rollback
- Configurable notifications with severity thresholds
Installation & Activation
- Upload the vistoshield-vuln-patcher folder to wp-content/plugins/
- Navigate to Plugins → Installed Plugins in your WordPress admin
- Click Activate next to VistoShield Vulnerability Patcher
- Go to VistoShield → Vuln Patcher to run your first scan
Vulnerability Database
The plugin maintains a local vulnerability database synchronized from multiple sources:
| Source | Coverage | Sync Frequency |
|---|---|---|
| WPScan Database | WordPress plugins, themes, and core | Every 6 hours |
| National Vulnerability Database (NVD) | CVE entries related to WordPress ecosystem | Every 12 hours |
| Patchstack | Real-time virtual patch rules for WordPress | Every 6 hours |
You can trigger a manual sync from VistoShield → Vuln Patcher → Database. The database status indicator shows the last sync time and total number of tracked vulnerabilities.
Scanning
Vulnerability scans compare your installed plugins, themes, and WordPress core version against the local vulnerability database.
| Setting | Default | Description |
|---|---|---|
| Scan Frequency | Twice daily | How often automatic scans run. Options: hourly, twice daily, daily, weekly. |
| Scan Scope | All | What to scan: plugins only, themes only, core only, or all. |
| Include Inactive | Yes | Whether to scan inactive (deactivated) plugins and themes. |
To run a manual scan, navigate to VistoShield → Vuln Patcher → Scanner and click Scan Now. Results are displayed immediately and stored in the scan history.
Virtual Patching
Virtual patches protect your site from known exploits without modifying any plugin or theme files. They work by adding targeted WAF rules that block the specific attack vectors associated with a vulnerability.
How virtual patching works:
- A vulnerability is identified in one of your installed components
- A matching virtual patch rule is fetched from the vulnerability database
- The rule is applied to the VistoShield WAF, blocking requests that match the exploit pattern
- When the component is updated to a patched version, the virtual patch is automatically removed
| Setting | Default | Description |
|---|---|---|
| Auto-Apply Virtual Patches | Critical & High | Severity levels that trigger automatic virtual patch application |
| WAF Integration | Enabled | Whether virtual patches are injected into the VistoShield Firewall rules |
| Patch Mode | Block | Block matching requests, or Log-only to record matches without blocking them |
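The rule lifecycle described above, modelled in Python as an added illustration (the plugin itself is PHP; this is not its code). The component slug example-gallery, its fixed version 2.0.1 and the eg_import action are constructed for the example, and version parsing is simplified to dotted integers.

```python
import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    # Simplified: dotted integers only ("2.0.1"). A PHP implementation would
    # use version_compare(), which also understands suffixes such as "-beta".
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class VirtualPatch:
    component: str        # plugin or theme slug the vulnerability belongs to
    fixed_in: str         # first version that no longer needs the patch
    path: str             # request path the WAF rule watches
    param: str            # request parameter the rule inspects
    pattern: str          # regex over that parameter's value
    mode: str = "block"   # Patch Mode setting: "block" or "log"


def patch_active(patch: VirtualPatch, installed: dict) -> bool:
    """A patch is active only while the component is installed at a version
    below fixed_in; updating past that version retires the rule automatically."""
    current = installed.get(patch.component)
    if current is None:
        return False
    return parse_version(current) < parse_version(patch.fixed_in)


def evaluate_request(request: dict, patches: list, installed: dict) -> tuple:
    """Return ("allow" | "log" | "block", matched patch or None) for one request."""
    for patch in patches:
        if not patch_active(patch, installed):
            continue
        if request["path"] != patch.path:
            continue
        value = request["params"].get(patch.param, "")
        if re.search(patch.pattern, value):
            return (patch.mode, patch)
    return ("allow", None)


# Constructed sample rule for a hypothetical plugin and action name.
GALLERY_PATCH = VirtualPatch(
    component="example-gallery", fixed_in="2.0.1",
    path="/wp-admin/admin-ajax.php", param="action", pattern=r"^eg_import$",
)
SAMPLE_REQUEST = {"path": "/wp-admin/admin-ajax.php", "params": {"action": "eg_import"}}
```

With example-gallery at 2.0.0 the sample request is blocked; after updating to 2.0.1 the same request is allowed because the rule has retired.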
Auto-Updates
Configure automatic updates based on vulnerability severity from VistoShield → Vuln Patcher → Auto-Updates:
| Severity | Default Action | Description |
|---|---|---|
| Critical (9.0–10.0) | Immediate update | Update is applied as soon as it is available |
| High (7.0–8.9) | Scheduled update | Update is queued for the next maintenance window |
| Medium (4.0–6.9) | Notify only | Administrator is notified; manual action required |
| Low (0.1–3.9) | Notify only | Logged for informational purposes with optional notification |
Maintenance windows are configurable by day and time. For example, you can set updates to run only on Tuesdays and Thursdays between 02:00 and 04:00 server time.
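The severity bands, default actions, maintenance window and exclusion list from this section and the FAQ, worked through as an added Python model (not the plugin's own code). The Tuesday/Thursday 02:00–04:00 window is the page's example; the component name and timestamps in the usage are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class MaintenanceWindow:
    weekdays: frozenset   # Python weekday(): Monday=0 ... Sunday=6
    start: time           # window opens (server time)
    end: time             # window closes (server time)


def severity_band(cvss: float) -> str:
    """Map a CVSS score onto the page's bands: Critical 9.0-10.0, High 7.0-8.9,
    Medium 4.0-6.9, Low 0.1-3.9."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def next_window_start(now: datetime, window: MaintenanceWindow) -> datetime:
    """Earliest moment at or after `now` that lies inside the window.
    If `now` is already inside it, the update can run immediately."""
    for day_offset in range(8):   # a week plus today covers every weekday
        day = (now + timedelta(days=day_offset)).date()
        if day.weekday() not in window.weekdays:
            continue
        start = datetime.combine(day, window.start)
        end = datetime.combine(day, window.end)
        if now < start:
            return start
        if start <= now < end:
            return now
    raise ValueError("maintenance window has no weekdays configured")


def decide_update(component: str, cvss: float, now: datetime,
                  window: MaintenanceWindow, excluded: frozenset = frozenset()) -> tuple:
    """Return (action, band, when): Critical updates now, High is queued for the
    next window, Medium/Low only notify. Excluded components are flagged but
    never auto-updated, matching the FAQ."""
    band = severity_band(cvss)
    if component in excluded:
        return ("notify", band, None)
    if band == "Critical":
        return ("update", band, now)
    if band == "High":
        return ("update", band, next_window_start(now, window))
    return ("notify", band, None)


TUE_THU_NIGHT = MaintenanceWindow(frozenset({1, 3}), time(2, 0), time(4, 0))
```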
Rollback
Before every auto-update, the plugin creates a backup of the affected component. If an update causes issues, you can roll back:
- Navigate to VistoShield → Vuln Patcher → Update History
- Find the problematic update in the list
- Click Rollback to restore the previous version
- The virtual patch for the vulnerability is automatically re-applied after rollback
| Setting | Default | Description |
|---|---|---|
| Backup Retention | 30 days | How long component backups are stored before cleanup |
| Storage Location | wp-content/vs-backups/ | Directory where pre-update backups are stored |
| Auto-Rollback | Disabled | Automatically roll back if the site returns a 500 error after an update |
Notifications
Configure alert thresholds and delivery channels from VistoShield → Vuln Patcher → Notifications:
- Email — Send alerts to one or more email addresses. Supports HTML and plain text formats.
- Admin Notice — Display a WordPress admin dashboard notice for vulnerabilities at or above the configured severity.
- Digest Mode — Instead of individual alerts, send a daily or weekly summary of all detected vulnerabilities.
You can set a minimum severity threshold for each notification channel independently. For example, send emails only for Critical and High severity issues while showing Admin Notices for Medium and above.
FAQ
Does the plugin modify my plugin or theme files?
Virtual patches do not modify any files. Auto-updates use the standard WordPress update mechanism, which replaces files in the same way as a manual update from the dashboard.
What happens if a virtual patch causes a false positive?
Navigate to VistoShield → Vuln Patcher → Virtual Patches, find the patch, and switch it to “Log Only” mode. Review the firewall logs to confirm the false positive, then report it via the support channel.
Can I exclude specific plugins from auto-updates?
Yes. From the Auto-Updates settings, you can add plugins and themes to an exclusion list. Excluded components will still be scanned and flagged, but updates must be applied manually.
How much disk space do backups use?
Each backup stores only the plugin or theme ZIP file, typically a few megabytes. The backup retention setting automatically cleans up old backups beyond the configured age.