Introducing WP Remote Virtual Patching
When a plugin vulnerability is disclosed, updating is the obvious fix.
But in the real world, it is not always that simple.
Some sites can be updated right away. Some need testing first. Some are stuck on an older version because the latest update caused issues last time. And sometimes, you are waiting on a client before you can touch anything.
Meanwhile, the vulnerability is public, and the site is still exposed.
That gap between “we know this needs to be fixed” and “we can safely update it” is exactly what Virtual Patching is built for.
With WP Remote Virtual Patching, you can protect vulnerable sites while you test updates, wait for approvals, or plan a safer rollout.
So what is Virtual Patching, exactly?
The easiest way to think about it is this:
When a known vulnerability is found in a plugin, theme, or WordPress core, Virtual Patching helps block the attack before it can reach that vulnerable code.
Once a vulnerability is disclosed, we analyze it and create a protection rule for it. That rule gets pushed to the firewall, where it can catch exploit attempts and stop them before they get to the site.
So even if the plugin hasn’t been updated yet, the site isn’t just sitting there exposed.
The actual update is still the real fix. You should absolutely install it.
But Virtual Patching gives you breathing room.
It protects the site while you test the update, wait for client approval, or deal with all the other things that make “just update it” a lot more complicated in real life.
Why is this such a big deal for agencies?
Because you’re not dealing with one WordPress site. You’re dealing with 20, 50, maybe 200 of them. So when a new vulnerability shows up, it’s not just “update the plugin and move on.” It becomes a bunch of decisions you have to make at once.
Can this site be updated right away? Does this one need testing first? Is this plugin tied to a checkout flow, a booking form, or some custom setup that broke the last time you touched it? And what if the plugin author hasn’t even released a fix yet?
That’s the part people often miss. Updates aren’t always instant, and in a lot of cases, they shouldn’t be. If a client’s site is important to their business, you’re going to test before you push changes live. That’s not being slow. That’s doing the job properly.
The problem is, attackers don’t care about your process. They’re not waiting for staging, QA, or client approval.
Virtual Patching helps with that gap. It gives you a way to protect client sites while you handle the update the right way, instead of leaving them exposed while everything gets sorted out.
We’ve already built a library of 5,000+ patches
We’ve also built up a pretty large patch library already.
Over the past few months, we’ve been working in the background on more than 5,000 virtual patches. These cover vulnerabilities disclosed across the WordPress ecosystem over the last three years, and they’re now being rolled out to help protect WP Remote sites automatically.
To be clear, WP Remote and MalCare have had rule-based protection and virtual patching for a while. This isn’t the first time we’re doing it. Earlier, though, we used it more selectively, mainly for high-risk vulnerabilities that we could see being actively exploited across our network.
What’s changing now is the scale.
We’re moving from selective protection to a much more comprehensive approach. We’re starting with 5,000+ patches, and that library will keep growing as new vulnerabilities are discovered, analyzed, and added.
When something new drops, you’re covered fast
When a new vulnerability shows up, speed matters.
Once it’s public, attackers don’t take long to react. A lot of the scanning is automated, so bots can start looking for vulnerable sites within hours.
That’s why we built our patching pipeline around fast response. Once a vulnerability is validated, we create the virtual patch and roll it out quickly. For Premium customers, those patches are applied automatically after validation, so there’s no manual setup and nothing extra for you to switch on.
But speed is only half of it. Coverage matters just as much.
For example, in one recent 7-day window, our systems covered 144 vulnerabilities. The closest competitor we tracked covered 43.
If you’re managing a large portfolio of client sites, that difference adds up. More coverage means fewer gaps to worry about. Faster protection means less time where a vulnerable site is sitting exposed.
Precise enough to not break your clients’ sites
It also has to be precise.
A firewall rule can’t just block everything that looks even slightly suspicious. That might sound safer, but in practice it creates a different problem: false positives.
And if you run an agency, you know how painful that can get. A rule that blocks a real customer from checking out, stops a contact form from submitting, breaks a login page, or gets in the way of wp-admin isn’t really a security win. It’s just another urgent ticket.
So we’ve been careful about how these patches are built. Each virtual patch is tested to block the actual exploit while keeping the rule as narrow as possible.
The goal is simple: stop the attack, not the site.
Broad rules can look good on paper, but real websites are messy. They have forms, plugins, payment flows, custom code, and edge cases everywhere. The protection has to work in that world, not just in a clean test environment.
That’s what we’re aiming for with Virtual Patching in WP Remote: protection that’s strong enough to matter, but precise enough to stay out of the way.
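The difference between a narrow virtual patch and a broad rule, as an added example (this is not WP Remote's or MalCare's rule format or code). The plugin action `example_gallery_load`, its `item_id` parameter, both rules and all sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical vulnerable handler: the AJAX action "example_gallery_load", whose
# "item_id" parameter should only ever be an integer (constructed, not a real plugin).
PATCHED_ACTION = "example_gallery_load"
AJAX_PATH = "/wp-admin/admin-ajax.php"

def parse(request):
    """Return (path, params) with query-string and form-body parameters merged."""
    _method, url, body = request
    parts = urlsplit(url)
    params = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    params.update({k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()})
    return parts.path, params

def narrow_rule(request):
    """Virtual patch: block only non-integer input to the one vulnerable handler."""
    path, params = parse(request)
    if not path.endswith(AJAX_PATH) or params.get("action") != PATCHED_ACTION:
        return False  # not the vulnerable code path, so leave the request alone
    return not re.fullmatch(r"[0-9]{1,10}", params.get("item_id", ""))

# Generic pattern that flags anything resembling SQL in any parameter.
BROAD = re.compile(r"('|\bselect\b|\bunion\b|--)", re.IGNORECASE)

def broad_rule(request):
    """Broad rule: block any request carrying a parameter that looks suspicious."""
    _path, params = parse(request)
    return any(BROAD.search(value) for value in params.values())

# Constructed sample traffic: label -> (method, url, form body)
SAMPLES = {
    "gallery_ok": ("GET", AJAX_PATH + "?action=example_gallery_load&item_id=42", ""),
    "gallery_bad": ("GET", AJAX_PATH + "?action=example_gallery_load&item_id=42%27%20or%201%3D1", ""),
    "contact_form": ("POST", AJAX_PATH,
                     "action=contact_submit&message=Please+select+a+time%2C+I%27m+free+Monday"),
    "checkout": ("POST", "/checkout/", "billing_name=Miles+O%27Brien&qty=2"),
}

def evaluate(rule):
    """Map each sample label to True (blocked) or False (allowed) under the rule."""
    return {label: rule(request) for label, request in SAMPLES.items()}

if __name__ == "__main__":
    for name, rule in (("narrow", narrow_rule), ("broad", broad_rule)):
        print(name, evaluate(rule))
```

Both rules stop the malformed request to the vulnerable handler, but only the broad rule also blocks the contact form and the checkout, which is the false-positive problem described above.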
A safety net that fits how agencies actually work
Virtual Patching is not a replacement for updates.
You should still update vulnerable plugins, themes, and WordPress core as soon as you safely can. That part doesn’t change.
But agencies know what “as soon as possible” really means. It means as soon as the update has been tested. As soon as you know it won’t break a checkout flow, a form, or a client’s custom setup. As soon as the client gives approval. As soon as there’s actually a fix available.
That’s where Virtual Patching helps.
It gives you a safety net for all the awkward in-between moments: when a vulnerability is public but the fix isn’t out yet, when a site needs testing before you push the update, when a plugin update looks risky, or when your team is working through a long list of affected sites.
It doesn’t replace the update. It gives you room to do the update properly, without leaving the site exposed while you get there.
That’s the point of Virtual Patching in WP Remote. It’s built for how agencies actually work, not for some perfect version of WordPress maintenance where every site can be updated the second a vulnerability is announced.
It’s all part of WP Remote’s Vulnerability Shield
Virtual Patching is now part of WP Remote’s Vulnerability Shield, powered by MalCare.
With this launch, you’re not just getting alerts and malware cleanup. You’re getting proactive shielding against thousands of known WordPress vulnerabilities, automatically.
It’s another layer in our Atomic Security approach: practical, layered protection built specifically for WordPress.
- You get visibility into which sites are vulnerable.
- You get malware scanning and cleanup.
- You get firewall protection.
- And now, you get virtual patches that shield vulnerable sites before you’ve updated them.
For you, that means fewer exposed sites, a lot less panic when the next big vulnerability drops, and a much stronger security story to tell your clients.
Available now
Virtual Patching is gradually rolling out to WP Remote customers on Premium and Advanced plans, plus legacy Plus plans.
New patches are applied automatically in the background, so you get protected without configuring anything manually.
We built this because we know agencies need more than a notification telling them something’s wrong. You need protection that’s working while your team is still deciding, testing, updating, and keeping clients happy.
That’s exactly what Virtual Patching delivers: fast, precise, proactive protection against known WordPress vulnerabilities.
If you want to see how it fits into the broader protection stack, WP Remote security brings vulnerability alerts, firewall protection, malware scanning, and cleanup into the same workflow.
And honestly? This is just the start. We’re launching with 5,000+ patches and we’re not slowing down. We’re building one of the most comprehensive virtual patching systems WordPress has ever seen.
