Security updates that close the window for attackers
Systematic patch management, vulnerability scans and incident response for Shopware and WordPress — part of every SLA maintenance contract from €199 per month. We close known security gaps before they can be exploited.
from €199
SLA packages per month
24 h
response time for critical patches
14 %
of all breaches via known vulnerabilities (Verizon, 2024)
50+
managed projects
Security updates are the single most effective measure against cyberattacks on online shops and websites. According to the Verizon Data Breach Investigations Report 2024, 14 percent of all data breaches were enabled by exploiting already known and patched vulnerabilities (Verizon, 2024). This means these attacks would have been preventable through timely patching. Our patch management service ensures your systems are continuously up to date and protected against known attack vectors. From Shopware maintenance to WordPress care, we cover all relevant platforms — systematic patch management is part of every SLA maintenance contract from €199 per month.
Our Patch Management Process
Patch management is not a one-time task but a continuous process with defined procedures. Our approach covers the entire chain: from detecting new vulnerabilities through risk assessment and prioritization to tested rollout and post-deployment monitoring. This structured process minimizes both the risk of unpatched systems and the risk of faulty updates.
Detection and Classification
We monitor security advisories for all deployed software components: CMS core, plugins, themes, PHP versions, web server and operating system. New vulnerabilities are classified by CVSS score and relevance to your system.
Vulnerability Types and Their Impact
Online shops are exposed to various categories of vulnerabilities. Each category requires specific countermeasures. The following overview shows the most common vulnerability types and their potential impact on your shop.
SQL Injection
Manipulation of database queries that can lead to data leaks, data manipulation or complete takeover of the database. Frequently affects poorly coded plugins and contact forms.
Cross-Site Scripting (XSS)
Injection of malicious code into the web page that executes in visitors' browsers. Can be used to steal session cookies, for phishing and to redirect to malicious sites.
Remote Code Execution
Execution of arbitrary code on the server. The most severe vulnerability category, which can lead to complete system takeover. Requires immediate patching.
Authentication Bypass
Circumvention of access controls that enables unauthorized access to the admin panel or protected areas. Frequently affects plugin-specific authentication mechanisms.
Path Traversal
Access to files outside the intended directory. Can expose configuration files with database credentials, log files with sensitive information or backup files.
Cross-Site Request Forgery
Execution of unintended actions on behalf of an authenticated user. Can enable configuration changes, data modifications or privilege escalation.
Vulnerability Scans and Incident Response
Beyond reactive patching of known vulnerabilities, we conduct proactive vulnerability scans that identify potential security issues before attackers discover them. Our scans include checking all software versions against CVE databases, analyzing server configuration for misconfigurations, verifying HTTP security headers, SSL/TLS configuration testing and analyzing file permissions and exposed directories.
Prioritized vulnerability report
Scan results are compiled into a prioritized report that ranks found vulnerabilities by severity and recommends concrete remediation measures. For shops under an ongoing maintenance contract, we run these scans at regular intervals automatically. As a standalone service, we offer one-time security audits that provide a comprehensive snapshot of your security posture.
- Findings sorted by CVSS score with concrete remediation advice
- Regular automatic scans for contract customers
- One-time security audit also as a standalone service
Incident response when it counts
Despite all preventive measures, a security incident can occur. For this eventuality, we have documented incident response processes that enable a rapid, coordinated reaction: immediate containment of the incident, forensic analysis to identify the attack vector, cleanup and restoration of the system, and measures to prevent recurrence.
- Documented flow: containment, forensics, cleanup, recovery
- Post-incident analysis with root cause and lessons learned
- WAF instant shield until the official patch
Every security incident culminates in a documented post-incident analysis that identifies the root cause and derives lessons learned. These findings feed into improving our protective measures and ensure that comparable attacks are detected earlier or prevented in the future. Details about our emergency support can be found on the dedicated page.
Server and Infrastructure Hardening
Security does not end at the application layer. The underlying server infrastructure must also be hardened and kept up to date. Our infrastructure hardening includes firewall and Fail2ban configuration, SSH hardening with key-based authentication and disabled root login, regular operating system updates, PHP version management and configuration of Content Security Policies.
Web Application Firewall
Configuration and maintenance of WAF rules that block common attack patterns such as SQL injection, XSS and path traversal at the network level before they reach the application.
SSL/TLS Management
Configuration of secure TLS versions and cipher suites, automatic certificate renewal, HSTS headers and regular review of SSL configuration against current best practices.
PHP Security Configuration
Disabling dangerous PHP functions, restricting open_basedir, correct error_reporting settings for production environments and regular upgrade to supported PHP versions.
Logging and Audit Trail
Configuration of comprehensive access logs, error logs and security events. Centralized log analysis enables early detection of suspicious activities.
Access Control and SSH Hardening
Key-based SSH authentication, disabled root login, Fail2ban against brute force attacks and port restrictions. Only authorized personnel receive server access.
Database Security
Restricting database user privileges to the minimum necessary, encrypted connections, regular checks for default credentials and securing against remote access.
Systematic Patch Management Compared
| Aspect | Without systematic patching | With managed patch management |
|---|---|---|
| Response to critical CVEs | Random, often only after an incident | Critical patches within 24 hours |
| Testing before deployment | Directly on the live system or not at all | Staging test with rollback point |
| Zero-day protection | Unprotected until the official patch | Immediate WAF rule as interim protection |
| Overview of components | Unknown patch status of plugins | Complete inventory with vulnerability matching |
| Compliance evidence | No documentation for audits | Gap-free patch history for GDPR and PCI DSS |
| Monthly cost | €0 — until the first security incident | predictable from €199 per month |
Patch management in the SLA maintenance contract
- Basis €199 per month — first response within 8 hours
- Business €349 per month — first response within 4 hours
- Enterprise €699 per month — first response in 45 minutes, real-time security dashboard
- Vulnerability scans, patch reporting and WAF care in every package
Systematic security updates are part of every maintenance contract. The SLA tier determines the response time for critical flaws — critical patches are applied within 24 hours in every tier. Minimum term 6 months.
Why Timely Patching Is Critical
The time between a vulnerability being published and its active exploitation by attackers is getting shorter. Automated scanning tools systematically search the internet for known vulnerabilities, and once an exploit is available, unpatched systems are attacked within hours to days. In this window, it is decided whether your shop is on the safe side or becomes a target. Our patch management aims to keep this window as small as possible.
Particularly critical are vulnerabilities in widely used plugins and CMS core components, as they affect a large number of potential targets and are especially attractive to attackers. When a critical vulnerability in a popular plugin is published, a race begins between defenders and attackers. Our advantage: we actively monitor the relevant security channels and have standardized processes that enable rapid response. This allows us to often deploy critical patches within hours of their release on our managed systems.
Zero-Day Vulnerabilities and Emergency Measures
Zero-day vulnerabilities are security gaps for which no official patch exists at the time of discovery. This situation requires rapid action and creative countermeasures. Our approach to zero-day vulnerabilities includes immediate risk assessment for all managed systems, implementation of temporary compensating controls such as WAF rules or access restrictions, enhanced monitoring for exploit attempts and immediate installation of the official patch as soon as it becomes available.
The temporary compensating controls are individually tailored to the vulnerability and the affected system. For an SQL injection vulnerability in a plugin, for example, we can create specific WAF rules that block the attack vector without restricting the plugin's functionality. For a remote code execution vulnerability in the CMS core, it may be necessary to temporarily disable certain functions until the official patch can be applied. Our goal is to maintain security at all times, even when an official fix is not yet available.
Are your systems up to date with patches?
A one-time security scan reveals open vulnerabilities and misconfigurations, prioritized by severity — with a concrete action plan.
Plugin Security Assessment and Risk Analysis
Not all plugins are equally secure. The quality of the code, the manufacturer's response speed to security vulnerabilities, the frequency of updates and the size of the user base are decisive factors for the security risk of a plugin. As part of our maintenance, we evaluate the security history of each installed plugin: How often have vulnerabilities been reported in the past? How quickly has the manufacturer responded? Are there known unresolved security issues? Based on this assessment, we recommend switching to more secure alternatives when needed.
This proactive plugin security assessment is particularly valuable because it identifies risks that pure patch management does not address. A plugin that is currently patched but regularly exhibits new vulnerabilities represents a systematic risk that can only be eliminated by switching plugins. Our recommendations are based on years of experience with various plugin ecosystems and consider not only security but also the functionality and maintainability of alternative solutions.
Beyond this, we watch for plugins that are no longer actively maintained by the manufacturer. Orphaned plugins no longer receive security updates and represent a growing risk over time. We identify such plugins early and jointly develop a migration strategy that makes the transition to a maintained alternative as smooth as possible.
Security Culture and Ongoing Monitoring
Security is not a state you establish once and then forget but a continuous process. Beyond technical patch management, our security work therefore also includes regular review and adaptation of the security configuration. Access permissions are regularly checked for currency, no longer needed user accounts are deactivated, and security policies are adapted to new threat scenarios. This security culture in ongoing operations ensures that the protection level does not erode over time but continuously increases.
Our security approach is not limited to applying patches. We continuously monitor managed systems for anomalies that may indicate a security incident or attack attempt. These include unusual access patterns in web server logs, failed login attempts at conspicuous frequency, unexpected file changes in the file system and suspicious database activities. By combining regular patching, proactive vulnerability scans and continuous monitoring, we create a multi-layered defense that is significantly more resilient than any individual measure.
In addition to technical monitoring, we actively track the threat landscape in the e-commerce space. New attack methods, malware campaigns specifically targeting shop systems and zero-day vulnerabilities in widely used plugins are detected early and incorporated into our protective measures. When a new threat emerges, we proactively check all managed systems for their vulnerability and take immediate countermeasures if necessary, even before an official patch is available.
Compliance, Documentation and Audit Evidence
Online shops are subject to various regulatory requirements that make regular security updates not just advisable but legally required. The GDPR requires in Article 32 the implementation of appropriate technical measures to protect personal data. For shops processing credit card data, PCI DSS requirements apply, which among other things mandate timely patching. Our patch management supports you in meeting these requirements and provides the documentation needed for audits and evidence.
For companies with compliance requirements, gap-free documentation of all security measures is of central importance. Our patch management automatically provides the evidence you need for internal and external audits: When was which patch applied? Which vulnerabilities were closed? Which tests were performed before and after the update? This documentation is relevant not only for GDPR evidence but also for PCI DSS requirements when processing credit card data and for industry-specific compliance standards.
Beyond this, we create comprehensive security reports on request that document the current state of your system: deployed software versions, patch status, results of the latest vulnerability scans, configured security measures and open recommendations. These reports can serve as a foundation for security reviews by your internal IT or by external auditors and demonstrate that your shop is subject to professional security management.
Key Takeaways
- Systematic patch management closes known gaps before they are exploited — 14 % of all data breaches stem from known vulnerabilities (Verizon, 2024)
- Critical security patches (CVSS 9.0+) are applied within 24 hours; for zero-days a WAF rule protects immediately
- Every patch follows the documented path: detection, CVSS assessment, staging test, controlled deploy, verification
- Patch management is part of every SLA maintenance contract from €199 per month — gap-free documentation for GDPR and PCI DSS evidence included
- One-time security audits and vulnerability scans also available without an ongoing contract