For hosting companies, security isn’t just about blocking hackers. It’s about protecting customers, keeping a reputation intact, and, in the right setup, adding new revenue. That was the focus of a recent Patchstack webinar that pulled together both the technical and business sides of the industry.
On the panel were:
- Mart Virkus, Head of Marketing at Patchstack
- Lana Rafaela, Product Marketing Manager at Patchstack
- Ben Toth, Partnerships Manager at BitNinja
- Mark Bacsko, Chief Product Officer at BitNinja
During the hour, they dug into why layered security matters and how providers can profit from it.
Why “one size fits all” doesn’t work
“Traditionally, hosting companies have tried to consolidate security stacks into one-size-fits-all solutions,” Mart Virkus, Head of Marketing at Patchstack, said. “The problem is that approach doesn’t really work.”
Patchstack had recently tested that claim. They pushed real WordPress vulnerabilities against standard server and network defences. The outcome was that almost 90% of the exploits sailed through.
No surprise then that the rest of the conversation kept circling back to layered security.
A cheesecake, not a silver bullet
Lana jumped in with an image that stuck.
“If you want to protect users, think in layers,” she said. “Experts usually call it the Swiss cheese model. I prefer cheesecake, but the principle’s the same. Multiple layers reduce risk because each one covers the holes the others miss.”
She broke it down simply: datacentres form the physical layer. Firewalls sit at the network. Servers fight DDoS and malware. And then there’s the application layer, the only one that understands WordPress plugins and business logic.
“Each layer has a unique context,” she explained. “That context is what lets it mitigate specific threats. Firewalls are fine at filtering noise but blind to plugin exploits. Servers can stop floods, but won’t see logic flaws. The application layer is where vulnerabilities get caught.”
Testing security in practice
To back this up, Patchstack ran an experiment. They set up WordPress sites with five different hosts, each running a different stack, and then tried to exploit eleven known bugs.
The results were lopsided.
Two providers didn’t block a single attempt. Cloudflare picked up some noise but missed every WordPress-specific attack. An in-house firewall caught two.
Everything else only got stopped once it hit the application layer with Patchstack.
“This isn’t about saying server or network solutions are bad,” Lana added. “They’re built for different problems. Vulnerabilities are logic flaws in code. The server just sees a request. Unless the application layer recognises it as malicious, it gets through.”
How BitNinja was born
The spotlight then moved to BitNinja. Ben told the story of where it came from.
“We ran a hosting company in 2014,” he said. “We had malware, SQL injections, botnets – the usual. We tried open-source tools, but they needed constant upkeep. We tried enterprise solutions, but they were expensive and still left gaps. Eventually, we built our own.”
That tool turned out to be useful to others, too. “We realised other hosting companies were facing the same issues,” Ben said. “So we sold the hosting business and put all our effort into server security.”
Herd immunity for servers
BitNinja is installed as an agent on the server. It comes with fourteen modules covering different kinds of threats and a central console for managing them. One idea the team is especially proud of is what they call “herd immunity.”
“If one server sees an attack, the IP data is broadcast to everyone,” said Mark. “You don’t need to be attacked yourself to be protected.”
Suspicious IPs aren’t always blocked straight away. They get challenged first.
“Those IPs see a CAPTCHA page hosted on your server,” Mark explained. “If it’s legitimate traffic, it can solve the challenge. If it’s a bot or a bad actor, it stops there. Other BitNinja users will do the same.”
Security as an investment
From there, the talk shifted to the business side. Ben argued that hosts should treat security as more than a cost line.
“Security is a must,” he said. “A breach means reputation damage, churn, sometimes even the end of the business. But it can also be an investment.”
The payoff shows up in different ways:
- Avoiding customer losses after a breach
- Reducing server load by up to thirty percent
- Selling security as an add-on or in higher-tier packages
“Good security is invisible,” Ben said. “That’s why you need to show value to customers. Some hosts send monthly reports on blocked threats. Others build dashboards. Once customers see what’s being stopped, they understand why it matters.”
Where most attacks happen
While BitNinja takes care of server and network defences, Lana pointed out that most of the danger lies higher up.
“In the last few years, ninety-three to ninety-seven percent of security bugs have been WordPress vulnerabilities,” she said. “If you try to stop those at the server layer, they look like normal traffic.”
Patchstack handles that with a large vulnerability database, a bug bounty programme, and mitigation rules that protect without changing site or plugin code.
“We don’t overwrite plugins or files,” Lana said. “The rules sit in front of the site. When a vulnerable plugin is present and someone tries to exploit it, we block it.”
Questions from the audience
The audience wanted details.
Would Patchstack clash with other tools?
“No,” said Lana. “Even if you also use Cloudflare, our rules are very specific. There’s no conflict.”
How long does setup take?
“Three to five days with one or two developers,” she explained. “It’s an API connection. No DNS changes.”
And what about SQL injections?
“We don’t just look for SQL keywords,” she said. “We use software composition analysis to know which plugins are vulnerable, then watch for exploit patterns against those targets.”
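The difference between keyword filtering and the targeted approach described in this answer, and in the earlier point that application-layer exploits "look like normal traffic", can be sketched in a few lines. This is an added illustration, not Patchstack's code or rule format. The plugin slugs, versions, action names and sample requests are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed inventory, standing in for what composition analysis reports for one site.
INSTALLED = {"example-forms": "2.3.1", "example-gallery": "5.0.0"}

# Constructed rules: each names the plugin, the version that fixes the bug,
# and the admin-ajax action that reaches the flawed code. All values are hypothetical.
RULES = [
    {"plugin": "example-forms", "fixed_in": "2.4.0", "action": re.compile(r"^exforms_export$")},
    {"plugin": "example-gallery", "fixed_in": "4.9.2", "action": re.compile(r"^exgallery_reset$")},
]
AJAX_PATH = "/wp-admin/admin-ajax.php"
SQL_KEYWORDS = re.compile(r"\b(select|union|insert|drop)\b", re.I)


def vtuple(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def active_rules(installed, rules):
    """Keep only rules whose plugin is installed at a version below the fix."""
    return [r for r in rules
            if r["plugin"] in installed
            and vtuple(installed[r["plugin"]]) < vtuple(r["fixed_in"])]


def targeted_verdict(url, installed=INSTALLED, rules=RULES):
    """Block only requests that hit a vulnerable, installed plugin's entry point."""
    parts = urlsplit(url)
    if parts.path != AJAX_PATH:
        return "allow"
    actions = parse_qs(parts.query).get("action", [])
    for rule in active_rules(installed, rules):
        if any(rule["action"].search(a) for a in actions):
            return "block:" + rule["plugin"]
    return "allow"


def keyword_verdict(url):
    """Context-free filter: block any query string containing an SQL keyword."""
    return "block" if SQL_KEYWORDS.search(unquote_plus(urlsplit(url).query)) else "allow"


if __name__ == "__main__":
    for url in (AJAX_PATH + "?action=exforms_export",      # logic flaw, no SQL in sight
                "/?s=how+to+select+a+union+rep",            # benign search
                AJAX_PATH + "?action=exgallery_reset"):     # plugin already patched
        print(keyword_verdict(url), targeted_verdict(url), url)
```

The keyword filter lets the first request through and blocks the harmless search, while the targeted check does the opposite and leaves the third request alone because the installed version is already past the fix.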
Turning security into revenue
Case studies made the point that security can be sold.
WP Umbrella added Patchstack as a paid add-on. One developer put it in place in about five days, and the return came within a month.
Veebimajutus, an Estonian host, included Patchstack in higher tiers, cut support overhead, and doubled revenue per user. Rapyd Cloud bundled Patchstack by default to stand out in a crowded market.
“Security doesn’t have to be a money sink,” said Mart. “It can be part of your core business.”
BitNinja’s partners had similar stories. Some added one-click options in checkout, others ran promotions, and many now send reports to show customers exactly what was stopped.
Old threats, new tricks
The panel also shared what they’re seeing day to day.
“We’ve noticed spikes in probing for very old vulnerabilities,” said Mark. “Attackers seem to be going back to them, probably because they’re finding targets again.”
He also mentioned more fileless malware.
“Some threats live only in memory. They don’t create files to scan. They spawn new processes and hide, which makes them harder to trace.”
Ben linked this to a broader shift. “When everyone went online during COVID, the number of threats exploded – and it never really went back down.”
Lana added a more modern twist.
“Attackers are using GPT-style tools to scan code and create payloads. That means defenders need faster intelligence and targeted rules.”
From reactive to proactive
Mart reflected on how attitudes have changed.
“For a long time, security was something people didn’t want to talk about. Plugin developers brushed it aside. Hosts cleaned up after the fact. But that’s changing. Some of it is regulation, like the EU’s Cyber Resilience Act. Some of it is awareness. We’re moving from reactive to proactive.”
Ben agreed.
“It’s not if you’ll be hacked, it’s when. The real question is whether you’re ready – and whether your customers can see that you’re ready.”
Final thoughts
The session left little doubt: layered security isn’t optional.
Done properly, it doesn’t have to drain resources either. By combining defences at the network, server, and application levels, hosts can protect customers and build stronger businesses.
“The key is making the invisible visible,” said Ben. “Show customers what you’re protecting them from, and they’ll see the value.”
Hosts who take that approach find that security becomes something customers are willing to pay for.