Since 2007 · 32 long-term client partnerships · WAF + Virtual Patching · Starting at €9.90/month · Code Rescue for emergencies

WordPress Security: Protection Against Hackers, Malware, and Data Loss

Multi-layered protection: WAF, 2FA, virtual patching, daily backups. In the event of an immediate hack: Code Rescue in under 30 minutes, even at night.

WordPress is the world’s most widely used CMS and, according to Sucuri, the most common target of attacks—over 80% of all hacked CMS websites run on WordPress. Not because WordPress is insecure, but because most installations are not maintained. Outdated plugins, weak passwords, missing updates—these are the entry points.

We make your WordPress secure. Preventively, systematically, and with continuous monitoring.

Since 2007 · 18+ years of WordPress · 32 long-term customer partnerships · WAF + Virtual Patching (Business plans and above) · 99.9% uptime · 4-hour recovery time in the event of a hack · Code Rescue < 30 min in an emergency

Hardening pipeline

Our hardening pipeline at a glance

WordPress security isn't just a matter of installing a single plugin. We rely on defense-in-depth: multiple layers of protection that complement each other.

# wp-hardening.yaml: hardening pipeline
waf:      "Brute-force + SQL injection blocked"
patching: "Virtual patching before the official update"
auth:     "2FA · login limit · XML-RPC disabled"

# Monitoring
scan:     "Vulnerability check every 6 hours"
malware:  "Regular malware scan"

Attack vectors

The five most common entry points

What we block as a preventive measure—and what we check first after every WordPress hack.

  1. Entry point 01: Outdated plugins and themes

    According to Sucuri, over 50% of all WordPress hacks occur within hours of a security vulnerability being made public. Solution: regular updates, vulnerability scans every 6 hours, and virtual patching at the firewall level.

  2. Entry point 02: Brute-force attacks

    Thousands of login attempts per minute, especially via XML-RPC. Solution: disable XML-RPC, limit login attempts, enable 2FA, and deploy a WAF.

  3. Entry point 03: Weak access controls

    Weak passwords, no 2FA, unlimited login attempts, too many admin accounts. Solution: password policy, 2FA for all admin accounts, role review (least privilege), automatic logout rules.

  4. Entry point 04: Code editor enabled in the admin panel

    By default, any admin user can use the built-in theme and plugin editors. If an admin account is compromised, this gives the attacker direct write access to the site's PHP source. Solution: disable the code editor, harden admin accounts, and regularly review user permissions.

  5. Entry point 05: Missing or misconfigured HTTPS

    Login credentials sent in plain text, mixed-content warnings, expired certificates. About 40% of SME websites lack end-to-end SSL encryption. Solution: set up an SSL certificate, enforce HTTPS, and set the HSTS header.
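The countermeasures named for entry points 02 to 05 above (XML-RPC off, login attempt limit, code editor disabled, HTTPS-related headers) can all be applied from a single must-use plugin. The following is an added example written for this page, not the agency's own code: hook names and constants are WordPress core APIs, while the plugin name, the `example_` function names, the lockout thresholds and the header values are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Example Access Hardening
 *
 * Added illustration, not the agency's code. Place it in wp-content/mu-plugins/
 * so it loads on every request and cannot be deactivated from the admin panel.
 * Thresholds and header values are assumptions; tune them per site.
 */

defined( 'ABSPATH' ) || exit;

/* 02 Brute force via XML-RPC: turning the endpoint off removes the
 * system.multicall amplification and the pingback surface. Re-enable it
 * deliberately only if a client (mobile app, Jetpack) genuinely needs it. */
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] ); // stop advertising the endpoint
	return $headers;
} );

/* 04 Code editor: usually set in wp-config.php; an mu-plugin works too because
 * it loads before any edit_themes / edit_plugins capability check runs. */
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}

/* 02/03 Login limit: after MAX_ATTEMPTS failures from one client address inside
 * WINDOW seconds, every login from that address is refused for LOCKOUT seconds,
 * whether or not the password is right. */
const EXAMPLE_LOGIN_MAX_ATTEMPTS = 5;
const EXAMPLE_LOGIN_WINDOW       = 15 * MINUTE_IN_SECONDS;
const EXAMPLE_LOGIN_LOCKOUT      = 30 * MINUTE_IN_SECONDS;

function example_client_ip() {
	// REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN that is the
	// proxy itself, so the proxy's forwarded-address header must be validated
	// and used instead; trusting X-Forwarded-For as-is lets a client choose its
	// own address and sidestep the limit.
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_login_key( $suffix ) {
	return 'example_login_' . md5( example_client_ip() ) . $suffix;
}

// Core fires this for every failed login (wrong password, unknown user, ...).
add_action( 'wp_login_failed', function ( $username ) {
	if ( get_transient( example_login_key( '_locked' ) ) ) {
		return; // already locked: do not extend the lockout on each retry
	}
	$fails = (int) get_transient( example_login_key( '_fails' ) ) + 1;
	if ( $fails >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
		set_transient( example_login_key( '_locked' ), time(), EXAMPLE_LOGIN_LOCKOUT );
		delete_transient( example_login_key( '_fails' ) );
		error_log( sprintf( 'example-hardening: lockout for %s after %d failures',
			example_client_ip(), $fails ) );
	} else {
		set_transient( example_login_key( '_fails' ), $fails, EXAMPLE_LOGIN_WINDOW );
	}
} );

// Priority 30 runs after core's username/password check (priority 20), so a
// locked client is refused even when it finally guesses the right password.
add_filter( 'authenticate', function ( $user ) {
	if ( get_transient( example_login_key( '_locked' ) ) ) {
		return new WP_Error( 'example_locked_out',
			'Too many failed login attempts. Try again later.' );
	}
	return $user;
}, 30 );

/* 05 HTTPS and security headers: hooked on init so they are sent for
 * front-end, admin and wp-login.php requests alike. */
add_action( 'init', function () {
	if ( headers_sent() ) {
		return;
	}
	if ( is_ssl() ) {
		// HSTS only over HTTPS, and only once every subdomain has a valid
		// certificate; a premature HSTS policy locks visitors out for max-age.
		header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
	}
	header( 'X-Frame-Options: SAMEORIGIN' );
	header( 'X-Content-Type-Options: nosniff' );
	header( 'Referrer-Policy: strict-origin-when-cross-origin' );
	// Core and most themes inline scripts and styles, so start report-only
	// with a loose policy and tighten it from the violation reports.
	header( "Content-Security-Policy-Report-Only: default-src 'self'; "
		. "img-src 'self' data: https:; script-src 'self' 'unsafe-inline'; "
		. "style-src 'self' 'unsafe-inline'" );
} );
```

The lockout is keyed on the client address rather than the username on purpose: keying on the username lets anyone lock the real administrator out by failing five logins against that account. The flip side is that everyone behind one NAT shares a counter, which is why the thresholds are conservative and the lockout is not extended on retries.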

Two-Factor Authentication (WordPress 2FA)

2FA is the simplest and most effective way to prevent account takeovers. Even if your password is leaked or guessed, the attacker won't be able to log in without the second factor.

What we set up:

  • TOTP-based 2FA (Google Authenticator, Authy, 1Password) — the best balance of security and usability
  • Backup codes in case the second factor is unavailable
  • Role-based requirement — at least for all admin and editor accounts
  • Magic Link login as an alternative (for very infrequent logins)
  • Hardware tokens (YubiKey) available upon request for critical accounts

WordPress 2FA takes three minutes to set up per account and a little coordination with your team. After that, your biggest security vulnerability is closed.
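To show why a leaked password alone is not enough once TOTP is enabled, here is the verification side of RFC 6238 as an added example written for this page; it is not the agency's code and not the code of any authenticator app or WordPress plugin. The `example_` function names are invented; the secret and expected codes come from the RFC test vectors.

```php
<?php
/**
 * Added illustration of TOTP (RFC 6238) verification as a WordPress 2FA
 * plugin would perform it. Not the agency's code; function names invented.
 */

/** Decode an RFC 4648 base32 secret (the form authenticator apps import). */
function example_base32_decode( string $b32 ): string {
	$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
	$bits     = '';
	foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
		$v = strpos( $alphabet, $c );
		if ( $v === false ) {
			throw new InvalidArgumentException( 'not base32' );
		}
		$bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
	}
	$out = '';
	foreach ( str_split( $bits, 8 ) as $byte ) {
		if ( strlen( $byte ) === 8 ) {
			$out .= chr( bindec( $byte ) );
		}
	}
	return $out;
}

/** TOTP = HOTP (RFC 4226) over the 30-second time-step counter. */
function example_totp( string $secret, int $time, int $step = 30, int $digits = 6 ): string {
	$counter = pack( 'J', intdiv( $time, $step ) );        // 64-bit big-endian
	$hmac    = hash_hmac( 'sha1', $counter, $secret, true );
	$offset  = ord( $hmac[19] ) & 0x0f;                     // dynamic truncation
	$code    = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
	         | ( ord( $hmac[ $offset + 1 ] ) << 16 )
	         | ( ord( $hmac[ $offset + 2 ] ) << 8 )
	         | ord( $hmac[ $offset + 3 ] );
	return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/**
 * Accept the current step plus $window neighbours on each side (clock drift),
 * compare in constant time, and refuse any counter at or below the last one
 * this user already used, so an intercepted code cannot be replayed inside
 * its validity window. Returns the accepted counter (store it) or null.
 */
function example_totp_verify( string $secret, string $submitted, int $now, int $last_used, int $window = 1 ): ?int {
	$accepted = null;
	for ( $i = -$window; $i <= $window; $i++ ) {
		$t       = $now + $i * 30;
		$counter = intdiv( $t, 30 );
		if ( hash_equals( example_totp( $secret, $t ), $submitted ) && $counter > $last_used ) {
			$accepted = $counter;
		}
	}
	return $accepted;
}

/** Self-check against RFC 6238 Appendix B / RFC 4226 Appendix D vectors. */
function example_self_test(): bool {
	$secret = '12345678901234567890';                 // ASCII test secret
	$b32    = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';     // same secret, base32
	return example_base32_decode( $b32 ) === $secret
		&& example_totp( $secret, 59, 30, 8 ) === '94287082'   // T = 59 s, counter 1
		&& example_totp( $secret, 59 ) === '287082'
		&& example_totp_verify( $secret, '287082', 59, 0 ) === 1
		&& example_totp_verify( $secret, '287082', 59, 1 ) === null;  // replay refused
}

echo example_self_test() ? "self-test ok\n" : "self-test FAILED\n";
```

The two details that matter in a real deployment are in `example_totp_verify`: the constant-time compare, and the stored last-used counter, without which a code captured by a phishing page stays valid for the whole drift window.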

Stack of measures

Eight Security Components

Defense in depth: multiple layers of protection, not just a single plugin.

  1. Building block 01: Web Application Firewall (WAF)

    Filters out malicious requests before they reach WordPress: brute-force attacks, SQL injections, known exploits.

  2. Building block 02: Vulnerability scanning

    Automatically checks for new plugin and theme vulnerabilities every 6 hours.

  3. Building block 03: Virtual Patching

    Known exploits are blocked at the firewall level before an official update is available.

  4. Building block 04: Daily Backups

    Databases, files, media: tested and recoverable.

  5. Building block 05: Access hardening

    2FA, strong passwords, limited login attempts, XML-RPC disabled.

  6. Building block 06: Uptime Monitoring

    24/7 monitoring with instant notifications.

  7. Building block 07: Security Headers

    Content Security Policy, X-Frame-Options, Referrer Policy, HSTS.

  8. Building block 08: Malware scans

    Regular checks for hidden malicious code injections.

Has your WordPress website been hacked? Immediate steps to take

Standardized 5-step process:

  1. Analysis — What happened, and how did the attackers gain access?
  2. Cleanup — Remove malware, identify and delete infected code
  3. Securing — Close the entry point, activate WAF, harden access points
  4. Recovery — Restore a clean backup, perform functional testing
  5. Monitoring — 30 days of enhanced monitoring following the incident

No guesswork, no panic. Get in touch, we’ll take care of it.

In case of an acute emergency (site down, active malware, end customer calling every hour): Code Rescue — Response < 30 minutes, even at night and on weekends, starting at €270/hour.

Project Example: Malware Rescue for a Small Business

Small business · 12 employees · 4.5 hours of work (anonymized)

Background

  • Monday, 7:30 a.m.: "Website displays third-party content"
  • Outdated contact form plugin exploited
  • Malware in the theme
  • Admin access compromised
  • 400+ spam pages in the sitemap

What we did (4.5 hours)

  • Emergency server access in 20 minutes
  • Clean backup from Friday restored (2 hours)
  • All plugins removed and reinstalled (4 completely removed since no current version available)
  • WAF, 2FA, XML-RPC disabled
  • Google Search Console "possibly hacked" checked + re-review requested
  • Owner training (30 min): Password manager, 2FA, update routine
  • Transition to Business Maintenance (€29.90/month)

Result

  • 4.5 hours until the site was clean and back online
  • 48 hours until the Google warning was removed
  • 14 months without further incidents
  • €29.90/month Business Maintenance

We do not disclose full names or company names (confidentiality agreement).

Security as a Service

Four maintenance packages with security

Security isn't a one-time project. New vulnerabilities emerge every week. Our WordPress maintenance packages cover security, updates, and monitoring.

Package 01: Starter (Basic protection)

Core/plugin updates, monthly backups, uptime monitoring. Basic hardening.

€9.90/month
NET · CAN BE CANCELED MONTHLY
  • Core + Plugin + Theme Updates
  • Monthly backup
  • Uptime Monitoring
  • Basic Hardening (XML-RPC, Login Limits)
Small websites · Basic protection
Select Starter →

Package 02: Business (Most Popular)

Starter + WAF + security scan every 6 hours + weekly backups. Comprehensive protection.

€29.90/month
NET · CAN BE CANCELED MONTHLY
  • Everything from Starter
  • Weekly backups
  • Security scan every 6 hours
  • Web Application Firewall
  • Performance Review (quarterly)
Standard Company Websites
Select Business →

Package 03: Professional (Business-critical)

Business + Virtual Patching + Daily Backups + 4-hour Response Time. For sites where downtime costs revenue.

€49.90/month
NET · CAN BE CANCELED MONTHLY
  • Everything from Business
  • Daily Backups
  • Virtual Patching
  • Monthly Performance Report
  • Response time < 4 hours
Lead Generation + E-Commerce
Select Professional →

Package 04: Enterprise

Professional + staging environment for test updates + monthly security audits + direct contact with Dennis.

€79.90/month
NET · CAN BE CANCELED MONTHLY
  • Everything from Professional
  • Staging environment for test updates
  • Monthly security audits
  • Dedicated contact person (Dennis directly)
Enterprise · Multi-site
Select Enterprise →
In case of an emergency outside of maintenance hours: Code Rescue is a premium service with a response time of less than 30 minutes, even at night and on weekends, for a flat rate of €270 per hour. For existing maintenance customers, this is the emergency option outside the scope of the SLA.

Peace-of-Mind Guarantee

99.9% uptime + 4-hour recovery

We guarantee 99.9% uptime on maintenance packages starting with the Business plan. If your site goes offline or gets hacked due to an update despite our support, we’ll restore it free of charge within four business hours—no questions asked.

No guarantees regarding rankings, traffic, or visitor numbers. The guarantee applies only to availability and recovery time.

Worry-free guarantee: 4 h recovery in the event of a hack or update failure, free of charge. Business and above · 99.9% uptime.

Dennis Hüttner: WordPress security since 2007, founder of Waterproof Web Wizard GmbH

About Dennis

Dennis Hüttner is personally responsible for WordPress security

Dennis Hüttner is the CEO of Waterproof Web Wizard GmbH. He has been working in WordPress security since 2007—from the first waves of brute-force attacks in the 2010s to today’s automated plugin exploits. He responds to critical security vulnerabilities even outside of business hours.

FAQ

Frequently Asked Questions About WordPress Security

Four direct answers regarding plugins, detection, 2FA, and the process.

Is a security plugin like Wordfence enough?

A plugin alone isn't enough. Wordfence and similar tools are one component, but without regular updates, hardened access points, and an external WAF, vulnerabilities will remain. We rely on a multi-layered approach (defense in depth).

How can I tell if my website has been hacked?

Typical signs: unknown files in the directory, unusual redirects, spam links in the source code, warnings from Google ("may have been hacked"), a sudden drop in traffic, third-party content in Google search results, emails not sending (server on spam blacklist). If in doubt: Let us check it out.
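The first two signs listed above (unknown files, injected code) and the regular malware scan from building block 08 both come down to knowing what the file tree looked like when it was clean. The following CLI script is an added example for this page, not the agency's scanner: it records a SHA-256 baseline of a WordPress install and later reports files that are new, modified or missing, plus any PHP file under wp-content/uploads, a directory that should never contain executable code. The script name, the skipped path prefixes and the output format are assumptions.

```php
<?php
/**
 * integrity-check.php: baseline-and-compare file integrity check for a
 * WordPress install. Added illustration; not the agency's tooling.
 *
 *   php integrity-check.php baseline /var/www/html baseline.json
 *   php integrity-check.php verify   /var/www/html baseline.json
 *
 * Take the baseline from a known-clean state (fresh install or a verified
 * restore) and keep the manifest outside the web root, or an intruder who can
 * write files can also rewrite the baseline. Exit: 0 clean, 1 findings, 2 usage.
 */

// Paths that legitimately churn and would drown real findings (assumed).
const EXAMPLE_SKIP_PREFIXES = [ 'wp-content/cache/', 'wp-content/upgrade/' ];

/** Map every regular file under $root to its SHA-256, keyed by relative path. */
function example_hash_tree( string $root ): array {
	$hashes = [];
	$it     = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $it as $file ) {
		if ( $file->isLink() || ! $file->isFile() ) {
			continue;
		}
		$rel = str_replace( DIRECTORY_SEPARATOR, '/', substr( $file->getPathname(), strlen( $root ) + 1 ) );
		foreach ( EXAMPLE_SKIP_PREFIXES as $prefix ) {
			if ( strncmp( $rel, $prefix, strlen( $prefix ) ) === 0 ) {
				continue 2;
			}
		}
		$hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
	}
	ksort( $hashes );
	return $hashes;
}

/** Diff two hash maps into new / modified / missing relative paths. */
function example_compare_trees( array $baseline, array $current ): array {
	$findings = [ 'new' => [], 'modified' => [], 'missing' => [] ];
	foreach ( $current as $path => $hash ) {
		if ( ! isset( $baseline[ $path ] ) ) {
			$findings['new'][] = $path;
		} elseif ( $baseline[ $path ] !== $hash ) {
			$findings['modified'][] = $path;
		}
	}
	foreach ( array_keys( $baseline ) as $path ) {
		if ( ! isset( $current[ $path ] ) ) {
			$findings['missing'][] = $path;
		}
	}
	return $findings;
}

/** Executable files in the uploads tree are a finding regardless of baseline. */
function example_php_in_uploads( array $current ): array {
	return array_values( array_filter( array_keys( $current ), function ( $p ) {
		return strncmp( $p, 'wp-content/uploads/', 19 ) === 0
			&& preg_match( '/\.(php\d?|phtml|phar)$/i', $p );
	} ) );
}

$mode     = $argv[1] ?? '';
$root     = rtrim( $argv[2] ?? '', '/' );
$manifest = $argv[3] ?? '';
if ( ! in_array( $mode, [ 'baseline', 'verify' ], true ) || ! is_dir( $root ) || $manifest === '' ) {
	fwrite( STDERR, "usage: php integrity-check.php baseline|verify <wp-root> <manifest.json>\n" );
	exit( 2 );
}

$current = example_hash_tree( $root );
if ( $mode === 'baseline' ) {
	file_put_contents( $manifest, json_encode( $current, JSON_PRETTY_PRINT ) );
	echo count( $current ) . " files recorded in $manifest\n";
	exit( 0 );
}

$baseline = json_decode( (string) file_get_contents( $manifest ), true );
if ( ! is_array( $baseline ) ) {
	fwrite( STDERR, "cannot read manifest $manifest\n" );
	exit( 2 );
}
$findings                   = example_compare_trees( $baseline, $current );
$findings['php_in_uploads'] = example_php_in_uploads( $current );
$total                      = 0;
foreach ( $findings as $kind => $paths ) {
	foreach ( $paths as $p ) {
		echo "$kind\t$p\n";
		$total++;
	}
}
echo $total ? "$total finding(s)\n" : "clean\n";
exit( $total ? 1 : 0 );
```

Run `verify` from cron after every update window and alert on a non-zero exit; a legitimate plugin update shows up as a burst of `modified` and `new` entries under one plugin directory, after which the baseline is re-taken, whereas a single modified file in wp-includes or a `.php` under uploads is the pattern worth an immediate look.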

Is 2FA really necessary?

Yes. Nearly every account hijacking can be prevented with 2FA. It takes just three minutes to set up per account, and once that’s done, the biggest security vulnerability is closed. For maintenance packages starting with the Business plan, we set up 2FA for all admin accounts by default.

How quickly do you respond in an emergency?

Within the maintenance package SLA (Business 24 h, Professional 4 h). Outside the SLA: Code Rescue with a response time of less than 30 minutes, even at night and on weekends.

Security Check

Free initial consultation

During the initial consultation, we’ll determine whether quick fixes are sufficient or if a maintenance retainer makes sense. In the event of an urgent hack: immediate code rescue.

Starting at €9.90/month · WAF + 2FA + Backup · Code Rescue < 30 min