On April 22, 2026, GoDaddy began rolling out Patchstack vulnerability detection to its Managed Hosting for WordPress customers, with Patchstack confirming the integration broadly in a June 3 announcement that named GoDaddy as a full-integration partner. The bigger story is what the deal confirms: Patchstack now sits in the security stack of most major managed WordPress hosts, either as a deployed protection layer or as the vulnerability intelligence feed behind the host’s existing tools.
The roster reads like a directory of managed WordPress hosting. WP Engine, Hostinger, Cloudways, Nexcess, Pantheon, ManageWP, and Pagely use Patchstack threat intelligence to inform customer notifications. WebPros, which owns cPanel, Plesk, and WHMCS, includes Patchstack as a core component of its all-in-one hosting stack alongside CloudLinux, Imunify360, and Extendify. GoDaddy’s April integration adds the world’s largest domain registrar to the full-integration tier. The Estonian vendor’s vulnerability database accounted for 66.6 percent of all named WordPress vulnerabilities reported through the CVE program in the first half of 2025, making Patchstack the largest WordPress CVE Numbering Authority by volume.
Key facts
- GoDaddy integration: announced April 22, 2026; live across eligible Managed Hosting for WordPress plans
- Patchstack partner confirmation: June 3, 2026 press release naming GoDaddy as full-integration partner
- Patchstack vulnerability share: 66.6% of named WordPress CVEs in H1 2025 (largest CNA by volume)
- Full-integration partners: GoDaddy, WebPros, ManageWP, BigScoots, HostArmada, Krystal, Servebolt, Zone, Solid Security, plus others
- Vulnerability monitoring partners: WP Engine, Hostinger, Cloudways, Nexcess, Pantheon, Pagely, Seravo, Hosting.com, plus others
- Premium tier: RapidMitigate virtual patching with 10,000+ vulnerability-specific rules
- Not on Patchstack: Kinsta, SiteGround, Bluehost (Newfold), Pressable (Automattic)
What GoDaddy’s Integration Delivers
GoDaddy customers on Managed Hosting for WordPress now receive automatic Patchstack vulnerability detection inside the existing hosting environment. The integration runs without requiring an additional plugin or manual configuration. When a vulnerability is disclosed that affects the specific plugins or themes installed on a customer’s site, the detection layer flags it as soon as the disclosure enters Patchstack’s database.
For sites on premium plans, Patchstack’s RapidMitigate technology deploys vulnerability-specific protection rules against the exact CVEs present on the site. RapidMitigate runs at the WordPress application layer rather than at the network edge, giving it context a generic web application firewall cannot see: the plugin version installed, the vulnerable functions, and the user roles that can trigger them. Patchstack maintains over 10,000 such rules and states that it can apply mitigations up to 48 hours before a CVE is publicly disclosed, through coordinated researcher access.
GoDaddy already operates a security stack. Sucuri, which GoDaddy acquired in March 2017, handles malware scanning and post-compromise cleanup. Imunify360 runs at the server level for traffic filtering. Patchstack fills a layer neither component addressed directly: vulnerability-aware, CVE-specific protection that knows what is actually installed on each customer’s site.
Shwetal Covert, director of product management at GoDaddy, framed the move in the announcement: “Small businesses shouldn’t need to navigate website security on their own. As vulnerabilities are disclosed and exploited faster, managed hosting providers have an important role to play in helping customers manage that risk.”
Patchstack Is Already Under Most Major Managed WordPress Hosts
The June 3 release reads as a single partnership announcement. The Patchstack partners page reads as a near-comprehensive inventory of managed WordPress hosting.
Full Security Partners, where Patchstack is offered as an integrated add-on rather than purely as a threat feed, include GoDaddy, WebPros, BigScoots, HostArmada, Krystal, Servebolt, Zone, Libyan Spider, JetHost, and Solid Security (formerly iThemes), among others. WebPros is the most consequential of these: the company owns cPanel, Plesk, and WHMCS, which together form the control-panel duopoly underpinning a substantial share of all WordPress hosting globally. Patchstack ships inside the WebPros stack alongside CloudLinux, Imunify360, AccelerateWP, and Extendify.
Vulnerability Monitoring Partners, which consume Patchstack threat intelligence to inform their own customer notifications, include WP Engine, Hostinger, Cloudways, Nexcess, Pantheon, Pagely, Seravo, and Hosting.com. Many maintain their own security tooling at the network or application layer but rely on Patchstack’s database to know which CVEs to act on. Patchstack reported 4,462 vulnerabilities to the CVE program in the first half of 2025, more than Wordfence, WPScan, GitHub, and Microsoft combined. Wordfence, the next-largest WordPress CVE Numbering Authority, operates a different distribution model than Patchstack: Wordfence reaches over 5 million sites through its widely deployed security plugin, while Patchstack distributes mostly through hosting partnerships. Wordfence’s CVE disclosure volume trails Patchstack’s by a wide margin. The figures here come from Patchstack’s own reporting. A hosting provider can build its own WordPress vulnerability research operation or subscribe to Patchstack’s feed and concentrate engineering on infrastructure. Most are choosing the second path.
Why GoDaddy Layered Patchstack on Top of Sucuri
Patchstack does not replace Sucuri. It runs alongside. The distinction is timing in the attack lifecycle. Sucuri’s malware scanning is most useful after a site has been compromised, detecting the resulting backdoors, redirects, and SEO spam injections. Imunify360 and similar server-layer tools work before a request reaches the application, filtering traffic based on generic patterns. Patchstack operates in the middle of the request lifecycle, inside WordPress itself, with awareness of which plugins are installed, which versions are running, and which CVEs apply.
The result, in GoDaddy’s positioning, is a defense layer that addresses a case generic WAF and post-compromise cleanup do not handle well: a CVE in a popular plugin, disclosed publicly, exploited within hours, against thousands of sites whose owners have not yet applied the upstream patch. Network-layer WAF cannot reliably block the exploit because the payload often looks like legitimate plugin traffic. Post-compromise cleanup runs after the damage. Vulnerability-specific virtual patching is positioned to fill the gap.
The 87.8% Bypass Test That Argued for the Shift
Patchstack published a study in August 2025 that measured how often hosting-layer defenses block WordPress plugin vulnerability exploits. The methodology: identical WordPress test sites deployed across five anonymized hosting providers (using Cloudflare WAF, Monarx patching, Imunify360 with ModSecurity, ConfigServer firewall, and ModSecurity alone), exploited with 11 known plugin CVEs using straightforward techniques and no evasion.
The result: hosting-layer defenses blocked 12.2 percent of exploits. 87.8 percent bypassed every network and server-level protection before Patchstack’s application-layer engine intercepted them. The vulnerabilities tested spanned privilege escalation, SQL injection, cross-site scripting, broken access control, and file upload flaws across plugins including WooCommerce Payments, GiveWP, and TI WooCommerce Wishlist.
The test is published by Patchstack using Patchstack’s preferred methodology and should be read with that context. The underlying argument is consistent with independent observations: generic pattern-based WAF struggles against application-layer plugin vulnerabilities because the malicious payload often looks indistinguishable from legitimate plugin usage. A WAF cannot tell a SQL injection from a legitimate query unless it knows the application’s specific schema and the vulnerability’s specific vector.
Hosting M&A Consultation
Get one-on-one advice on maximizing your hosting company’s valuation and navigating the sale process.
AI-Accelerated Threats Match the Patchstack Pitch
The architecture argument has been live for years. What changed in 2025 and 2026 is the threat tempo. Anthropic’s Claude Mythos Preview, revealed April 7, 2026, identified thousands of previously unknown vulnerabilities across major operating systems and browsers in internal testing, developing working exploits in 72.4 percent of attempts. The model was released to approximately 40 organizations through Project Glasswing on the condition that it be used only for defensive purposes. Patchstack itself sits in that broader pattern of defenders consolidating around AI-aware tooling.
Patchstack’s 2026 State of WordPress Security report finds that approximately half of high-impact WordPress vulnerabilities are exploited within 24 hours of disclosure, with a weighted median time-to-first-exploit of five hours. The report also documents 11,000+ new WordPress ecosystem vulnerabilities in 2025, a 42 percent year-on-year increase, with more high-severity issues than the previous two years combined. Patchstack uses this statistic to position RapidMitigate.
Oliver Sild, Patchstack CEO and co-founder, framed the architecture argument in the announcement: “AI is accelerating how quickly attackers can find and exploit vulnerabilities. Most traditional security approaches are still reactive and rely on generic protections, which can leave gaps at the point where vulnerabilities are actually exploited. Security needs to move away from a ‘spray and pray’ approach toward precise, website-level protection applied where it’s actually needed.”
A defense that depends on customer action within a five-hour exploitation window fails at scale. A defense that targets specific CVEs on specific sites before public disclosure is structurally aligned with how attacks now move.
Who’s Not on Patchstack and What They Use Instead
Not every managed WordPress host has joined the Patchstack ecosystem. The notable absences pattern with each host’s strategic position:
- Kinsta runs its own security model built on Cloudflare WAF (OWASP Core Ruleset), DDoS protection, isolated Linux container per site, and 24/7 malware scanning. The host does not publicly disclose a vulnerability intelligence partner.
- SiteGround operates SiteGround Security, an in-house plugin and infrastructure stack with its own scanning and threat detection. SiteGround Security competes with Patchstack at the plugin layer rather than consuming it.
- Newfold Digital brands, including Bluehost and HostGator, use a different mix of security tooling than GoDaddy’s Sucuri-centric stack, primarily SiteLock as the security add-on with Cloudflare-based DDoS protection at the network layer.
- Pressable, owned by Automattic, integrates Jetpack Security and Akismet, drawing on Automattic’s internal threat intelligence rather than a third-party vulnerability database.
The absences pattern with strategy. Kinsta and SiteGround built their own. Newfold competes commercially with GoDaddy and uses an overlapping but separate vendor stack. Pressable inherits Automattic infrastructure. The Patchstack pattern is near-universal coverage of the segment of managed WordPress hosting that does not maintain its own vulnerability intelligence operation. GoDaddy’s April 22 integration is the most recent confirmation of where that segment’s default is settling.
Sources
- Patchstack partners directory - Patchstack (official)
- Shield your WordPress site with GoDaddy's Patchstack integration - GoDaddy Blog (official)
- State of WordPress Security in 2026 - Patchstack
- Hosting security tested: 87.8% of vulnerability exploits bypassed hosting defenses - Patchstack
- RapidMitigate: Next-gen vulnerability mitigation for websites - Patchstack
- Open Source Vulnerability Database - Patchstack
- Patchstack vs Wordfence - Patchstack
- GoDaddy Acquires Sucuri to Advance Digital Security for Customers - GoDaddy (official)
- Claude Mythos Preview - red.anthropic.com (official Anthropic)
- Estonian startup Patchstack raises $5M Series A - Invest in Estonia