Zum Inhalt springen
Proactive security updates

Security updates that close the window for attackers

Systematic patch management, vulnerability scans and incident response for Shopware and WordPress — part of every SLA maintenance contract from €199 per month. We close known security gaps before they can be exploited.

SLA packages from €199 per month Critical patches within 24 hours Shopware and WordPress

from €199

SLA packages per month

24 h

response time for critical patches

14 %

of all breaches via known vulnerabilities (Verizon, 2024)

50+

managed projects

Security updates are the single most effective measure against cyberattacks on online shops and websites. According to the Verizon Data Breach Investigations Report 2024, 14 percent of all data breaches were enabled by exploiting already known and patched vulnerabilities (Verizon, 2024). This means these attacks would have been preventable through timely patching. Our patch management service ensures your systems are continuously up to date and protected against known attack vectors. From Shopware maintenance to WordPress care, we cover all relevant platforms — systematic patch management is part of every SLA maintenance contract from €199 per month.

Patch management
The life cycle of a critical flaw
From disclosure to a verified patch — we close critical flaws in under 24 h, high ones in under 72 h.
Open critical flaws02 closed
Critical response avg18 hSLA: 24 h
Patches wk 2712staging tested
Components monitored846 systems
CVE-2026-0473 · CVSS 9.8
02:14 · Detected
CVE alert from advisory feed, shop plugin affected
02:41 · Classified
critical, deadline under 24 h
03:05 · Staging test
checkout and payment verified
03:20 · Live and verified
patch rolled out, scan confirms the fix
Response deadline by CVSS
CVSS 9-10under 24 h
CVSS 7-8under 72 h
CVSS 4-6maintenance window
Zero-dayWAF instant shield
Patch coverage wk 2792 %
SLA packagesfrom €199 per month
Critical flaw 02:14Patch 03:20 · verified
The patch control center of our managed service: CVE prioritization by CVSS, response deadlines, staging tests and patch activity at a glance. Example view — values are illustrative.

Our Patch Management Process

Patch management is not a one-time task but a continuous process with defined procedures. Our approach covers the entire chain: from detecting new vulnerabilities through risk assessment and prioritization to tested rollout and post-deployment monitoring. This structured process minimizes both the risk of unpatched systems and the risk of faulty updates.

Vulnerability Types and Their Impact

Online shops are exposed to various categories of vulnerabilities. Each category requires specific countermeasures. The following overview shows the most common vulnerability types and their potential impact on your shop.

SQL Injection

Manipulation of database queries that can lead to data leaks, data manipulation or complete takeover of the database. Frequently affects poorly coded plugins and contact forms.

Cross-Site Scripting (XSS)

Injection of malicious code into the web page that executes in visitors' browsers. Can be used to steal session cookies, for phishing and to redirect to malicious sites.

Remote Code Execution

Execution of arbitrary code on the server. The most severe vulnerability category, which can lead to complete system takeover. Requires immediate patching.

Authentication Bypass

Circumvention of access controls that enables unauthorized access to the admin panel or protected areas. Frequently affects plugin-specific authentication mechanisms.

Path Traversal

Access to files outside the intended directory. Can expose configuration files with database credentials, log files with sensitive information or backup files.

Cross-Site Request Forgery

Execution of unintended actions on behalf of an authenticated user. Can enable configuration changes, data modifications or privilege escalation.

Vulnerability Scans and Incident Response

Beyond reactive patching of known vulnerabilities, we conduct proactive vulnerability scans that identify potential security issues before attackers discover them. Our scans include checking all software versions against CVE databases, analyzing server configuration for misconfigurations, verifying HTTP security headers, SSL/TLS configuration testing and analyzing file permissions and exposed directories.

Prioritized vulnerability report

Scan results are compiled into a prioritized report that ranks found vulnerabilities by severity and recommends concrete remediation measures. For shops under an ongoing maintenance contract, we run these scans at regular intervals automatically. As a standalone service, we offer one-time security audits that provide a comprehensive snapshot of your security posture.

  • Findings sorted by CVSS score with concrete remediation advice
  • Regular automatic scans for contract customers
  • One-time security audit also as a standalone service
Prioritized vulnerability report26 findings
Findings by severity
Critical (CVSS 9.0-10)2
High (CVSS 7.0-8.9)5
Medium (CVSS 4.0-6.9)11
Low (CVSS 0.1-3.9)8
Top priority — act now
Outdated shop plugin with known RCE — patch under 24 h
CMS core with auth bypass — staging test in progress
Missing security headers — next maintenance window

Incident response when it counts

Despite all preventive measures, a security incident can occur. For this eventuality, we have documented incident response processes that enable a rapid, coordinated reaction: immediate containment of the incident, forensic analysis to identify the attack vector, cleanup and restoration of the system, and measures to prevent recurrence.

  • Documented flow: containment, forensics, cleanup, recovery
  • Post-incident analysis with root cause and lessons learned
  • WAF instant shield until the official patch
Incident response when it countsIncident closed
Alert
Containment
Cleanup
Recovery
Anomaly detected — access pattern conspicuous
System isolated, WAF rule active contained
Forensics: attack vector identified
Cleanup completed, backup verified
Recovery — operations confirmed

Every security incident culminates in a documented post-incident analysis that identifies the root cause and derives lessons learned. These findings feed into improving our protective measures and ensure that comparable attacks are detected earlier or prevented in the future. Details about our emergency support can be found on the dedicated page.

Server and Infrastructure Hardening

Security does not end at the application layer. The underlying server infrastructure must also be hardened and kept up to date. Our infrastructure hardening includes firewall and Fail2ban configuration, SSH hardening with key-based authentication and disabled root login, regular operating system updates, PHP version management and configuration of Content Security Policies.

Web Application Firewall

Configuration and maintenance of WAF rules that block common attack patterns such as SQL injection, XSS and path traversal at the network level before they reach the application.

SSL/TLS Management

Configuration of secure TLS versions and cipher suites, automatic certificate renewal, HSTS headers and regular review of SSL configuration against current best practices.

PHP Security Configuration

Disabling dangerous PHP functions, restricting open_basedir, correct error_reporting settings for production environments and regular upgrade to supported PHP versions.

Logging and Audit Trail

Configuration of comprehensive access logs, error logs and security events. Centralized log analysis enables early detection of suspicious activities.

Access Control and SSH Hardening

Key-based SSH authentication, disabled root login, Fail2ban against brute force attacks and port restrictions. Only authorized personnel receive server access.

Database Security

Restricting database user privileges to the minimum necessary, encrypted connections, regular checks for default credentials and securing against remote access.

Systematic Patch Management Compared

AspectWithout systematic patchingWith managed patch management
Response to critical CVEsRandom, often only after an incidentCritical patches within 24 hours
Testing before deploymentDirectly on the live system or not at allStaging test with rollback point
Zero-day protectionUnprotected until the official patchImmediate WAF rule as interim protection
Overview of componentsUnknown patch status of pluginsComplete inventory with vulnerability matching
Compliance evidenceNo documentation for auditsGap-free patch history for GDPR and PCI DSS
Monthly cost€0 — until the first security incidentpredictable from €199 per month

Patch management in the SLA maintenance contract

from €199 per month net
  • Basis €199 per month — first response within 8 hours
  • Business €349 per month — first response within 4 hours
  • Enterprise €699 per month — first response in 45 minutes, real-time security dashboard
  • Vulnerability scans, patch reporting and WAF care in every package

Systematic security updates are part of every maintenance contract. The SLA tier determines the response time for critical flaws — critical patches are applied within 24 hours in every tier. Minimum term 6 months.

Why Timely Patching Is Critical

The time between a vulnerability being published and its active exploitation by attackers is getting shorter. Automated scanning tools systematically search the internet for known vulnerabilities, and once an exploit is available, unpatched systems are attacked within hours to days. In this window, it is decided whether your shop is on the safe side or becomes a target. Our patch management aims to keep this window as small as possible.

Particularly critical are vulnerabilities in widely used plugins and CMS core components, as they affect a large number of potential targets and are especially attractive to attackers. When a critical vulnerability in a popular plugin is published, a race begins between defenders and attackers. Our advantage: we actively monitor the relevant security channels and have standardized processes that enable rapid response. This allows us to often deploy critical patches within hours of their release on our managed systems.

Zero-Day Vulnerabilities and Emergency Measures

Zero-day vulnerabilities are security gaps for which no official patch exists at the time of discovery. This situation requires rapid action and creative countermeasures. Our approach to zero-day vulnerabilities includes immediate risk assessment for all managed systems, implementation of temporary compensating controls such as WAF rules or access restrictions, enhanced monitoring for exploit attempts and immediate installation of the official patch as soon as it becomes available.

The temporary compensating controls are individually tailored to the vulnerability and the affected system. For an SQL injection vulnerability in a plugin, for example, we can create specific WAF rules that block the attack vector without restricting the plugin's functionality. For a remote code execution vulnerability in the CMS core, it may be necessary to temporarily disable certain functions until the official patch can be applied. Our goal is to maintain security at all times, even when an official fix is not yet available.

Are your systems up to date with patches?

A one-time security scan reveals open vulnerabilities and misconfigurations, prioritized by severity — with a concrete action plan.

Plugin Security Assessment and Risk Analysis

Not all plugins are equally secure. The quality of the code, the manufacturer's response speed to security vulnerabilities, the frequency of updates and the size of the user base are decisive factors for the security risk of a plugin. As part of our maintenance, we evaluate the security history of each installed plugin: How often have vulnerabilities been reported in the past? How quickly has the manufacturer responded? Are there known unresolved security issues? Based on this assessment, we recommend switching to more secure alternatives when needed.

This proactive plugin security assessment is particularly valuable because it identifies risks that pure patch management does not address. A plugin that is currently patched but regularly exhibits new vulnerabilities represents a systematic risk that can only be eliminated by switching plugins. Our recommendations are based on years of experience with various plugin ecosystems and consider not only security but also the functionality and maintainability of alternative solutions.

Beyond this, we watch for plugins that are no longer actively maintained by the manufacturer. Orphaned plugins no longer receive security updates and represent a growing risk over time. We identify such plugins early and jointly develop a migration strategy that makes the transition to a maintained alternative as smooth as possible.

Security Culture and Ongoing Monitoring

Security is not a state you establish once and then forget but a continuous process. Beyond technical patch management, our security work therefore also includes regular review and adaptation of the security configuration. Access permissions are regularly checked for currency, no longer needed user accounts are deactivated, and security policies are adapted to new threat scenarios. This security culture in ongoing operations ensures that the protection level does not erode over time but continuously increases.

Our security approach is not limited to applying patches. We continuously monitor managed systems for anomalies that may indicate a security incident or attack attempt. These include unusual access patterns in web server logs, failed login attempts at conspicuous frequency, unexpected file changes in the file system and suspicious database activities. By combining regular patching, proactive vulnerability scans and continuous monitoring, we create a multi-layered defense that is significantly more resilient than any individual measure.

In addition to technical monitoring, we actively track the threat landscape in the e-commerce space. New attack methods, malware campaigns specifically targeting shop systems and zero-day vulnerabilities in widely used plugins are detected early and incorporated into our protective measures. When a new threat emerges, we proactively check all managed systems for their vulnerability and take immediate countermeasures if necessary, even before an official patch is available.

Compliance, Documentation and Audit Evidence

Online shops are subject to various regulatory requirements that make regular security updates not just advisable but legally required. The GDPR requires in Article 32 the implementation of appropriate technical measures to protect personal data. For shops processing credit card data, PCI DSS requirements apply, which among other things mandate timely patching. Our patch management supports you in meeting these requirements and provides the documentation needed for audits and evidence.

For companies with compliance requirements, gap-free documentation of all security measures is of central importance. Our patch management automatically provides the evidence you need for internal and external audits: When was which patch applied? Which vulnerabilities were closed? Which tests were performed before and after the update? This documentation is relevant not only for GDPR evidence but also for PCI DSS requirements when processing credit card data and for industry-specific compliance standards.

Beyond this, we create comprehensive security reports on request that document the current state of your system: deployed software versions, patch status, results of the latest vulnerability scans, configured security measures and open recommendations. These reports can serve as a foundation for security reviews by your internal IT or by external auditors and demonstrate that your shop is subject to professional security management.

Key Takeaways

  • Systematic patch management closes known gaps before they are exploited — 14 % of all data breaches stem from known vulnerabilities (Verizon, 2024)
  • Critical security patches (CVSS 9.0+) are applied within 24 hours; for zero-days a WAF rule protects immediately
  • Every patch follows the documented path: detection, CVSS assessment, staging test, controlled deploy, verification
  • Patch management is part of every SLA maintenance contract from €199 per month — gap-free documentation for GDPR and PCI DSS evidence included
  • One-time security audits and vulnerability scans also available without an ongoing contract

Frequently Asked Questions About Security Updates

By submitting you consent to the processing of your details to handle this request. Details in our privacy policy.