Database – essential for data management
All the data that is being served on any WordPress site is pulled straight from the server’s database.
Storing all the data inside the database is what makes websites dynamic and easily manageable: you don’t have to change any code in your files to change the content on your website.
That is why all CMSs, including WordPress, rely heavily on the database.
WordPress core — the brain of WordPress
WordPress core is what runs all the files and makes the database connection on your server.
WordPress core consists mostly of hundreds of PHP and JS files, which all work together.
To run WordPress on your server, you need to upload all the WordPress core files to it.
You can view and download the entire WordPress core here:
https://github.com/WordPress/WordPress
Plugins — the building blocks of WordPress site
Plugins are third-party software that can be installed and activated on top of your WordPress core. Plugins mostly consist of a bunch of PHP/JS/CSS files that you host on your server. They help build your site's functionality.
During plugin installation, a new folder is created inside the /wp-content/plugins/ folder on your server. The folder is named after the slug of that plugin. All the plugin files will be available there.
For example, when installing the plugin “Contact Form 7”, the folder /wp-content/plugins/contact-form-7 is created.
Some of the popular plugins and use cases:
- Contact Form 7
  For building email forms on the website
- Elementor Page Builder
  Drag & drop page builder used by over 20% of WordPress sites
- Yoast SEO
  Helps you implement all the best SEO practices on the website
- Hello Dolly
  Example plugin that comes with every WordPress installation. Made for plugin developers to learn.
- Patchstack
  Protects WordPress plugins, WordPress core and WordPress themes against attacks
The WordPress repository has over 60’000 free plugins to install. Check them out here:
https://wordpress.org/plugins/
Themes — giving your WordPress site some appearance
The third element of a normal WordPress site is a theme.
Similarly to plugins, a theme also consists mostly of PHP/JS/CSS files.
The installation process is also the same as for plugins, with slight differences.
During theme installation, a new folder is created inside the /wp-content/themes/ folder on your server. The folder is named after the slug of that theme. All the theme files will be available there.
For example, when installing the theme “Hello Elementor”, the folder /wp-content/themes/hello-elementor is created.
The WordPress repository has over 13’000 free themes to install. Check them out here:
https://wordpress.org/themes/
Mu-plugins — what are these?
Mu-plugins is short for “must-use plugins”. Must-use plugins are a type of plugin that runs before any other theme or plugin in WordPress. Web hosts commonly use mu-plugins to add support for host-specific features, especially those whose absence could break the site.
WordPress core does not allow deactivating mu-plugins from inside the WordPress admin. Mu-plugins can only be deactivated by manually deleting their files from the server.
Mu-plugins are located in the /wp-content/mu-plugins folder.
When you install Patchstack, both a mu-plugin and a normal Patchstack plugin are installed on the server. The mu-plugin is used to filter malicious traffic before anything else gets loaded in WordPress.
Usage of slugs in the WordPress ecosystem and Patchstack
The whole WordPress ecosystem uses slugs to identify plugins and themes. Every plugin and theme has its own unique slug. When you open any plugin in the WordPress.org plugins repository, you can see its slug in the URL.
For example, the slug of the Hello Elementor theme is “hello-elementor”.

Patchstack uses these same slugs to mark vulnerabilities in the Patchstack vulnerability database.
As you can see, the URL has the same slug as the plugin itself has in the WordPress repository.
These slugs are also used to identify vulnerabilities on Patchstack users’ websites.
How the identification works:
- The WordPress site sends information about all installed plugins and themes to the Patchstack API. This information includes a list of plugin and theme slugs along with their version numbers.
- The Patchstack servers then check this data against the Patchstack database to determine if these slugs and versions match any known vulnerability entries. If matches are found, the system checks whether any of these have virtual patches available.
- If vulnerabilities are detected, the Patchstack API sends the results back to the WordPress site. Virtual patches for the vulnerable versions are then synchronized with the site’s database.
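The slug-and-version matching described above can be modelled locally. The following is an added example, not Patchstack's code or API: it derives slugs from the folder names under wp-content, reads each component's `Version:` header, and compares the result with a small database. The entry format (`id`, `fixed_in`), the placeholder ids and the slugs `example-forms` and `example-theme` are constructed assumptions.

```python
import re, tempfile
from pathlib import Path

VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(v):
    """'1.5.0' -> (1, 5). Trailing .0 parts are dropped so 2.0 == 2.0.0; -beta style suffixes are not ordered."""
    return tuple(int(n) for n in re.findall(r"\d+", re.sub(r"(\.0+)+$", "", v)))

def read_version(folder, kind):
    """Plugins declare 'Version:' in a PHP file header, themes in style.css."""
    files = sorted(folder.glob("*.php")) if kind == "plugin" else [folder / "style.css"]
    for f in files:
        m = VERSION_RE.search(f.read_text(errors="replace")[:8192]) if f.is_file() else None
        if m:
            return m.group(1)
    return None

def inventory(wp_root):
    """The folder name under wp-content/plugins or wp-content/themes is the slug."""
    found = []
    for kind, sub in (("plugin", "plugins"), ("theme", "themes")):
        base = Path(wp_root) / "wp-content" / sub
        for folder in sorted(p for p in base.glob("*") if p.is_dir()):
            found.append({"type": kind, "slug": folder.name, "version": read_version(folder, kind)})
    return found

def match(inv, vuln_db):
    """Flag components below an entry's fixed_in version; unknown versions are flagged for review."""
    hits = []
    for item in inv:
        ver = parse_version(item["version"] or "0")
        for v in vuln_db:
            same = (v["type"], v["slug"]) == (item["type"], item["slug"])
            if same and ver < parse_version(v["fixed_in"]):
                hits.append({**item, "id": v["id"], "fixed_in": v["fixed_in"]})
    return hits

def demo():
    """Constructed site tree and constructed database entries (placeholder ids, made-up slugs)."""
    root = Path(tempfile.mkdtemp())
    plugin = root / "wp-content" / "plugins" / "example-forms"
    theme = root / "wp-content" / "themes" / "example-theme"
    plugin.mkdir(parents=True); theme.mkdir(parents=True)
    (plugin / "example-forms.php").write_text("<?php\n/*\n * Plugin Name: Example Forms\n * Version: 1.4.2\n */\n")
    (theme / "style.css").write_text("/*\nTheme Name: Example Theme\nVersion: 2.0\n*/\n")
    db = [{"id": "PLACEHOLDER-1", "type": "plugin", "slug": "example-forms", "fixed_in": "1.5.0"},
          {"id": "PLACEHOLDER-2", "type": "theme", "slug": "example-theme", "fixed_in": "2.0.0"}]
    return match(inventory(root), db)
```

Calling `demo()` reports only the plugin: version 1.4.2 is below the constructed fix version 1.5.0, while the theme at 2.0 already equals 2.0.0.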