A Swiss law firm loses two weeks, its reputation, and tens of thousands of francs after a WordPress hack. The vulnerability had been known for months, the plugin was never updated. So far, so unspectacular. That is exactly the problem.
WordPress runs on more than 40 percent of all websites worldwide. Switzerland included. And it gets hacked, systematically. Anyone who reads that as marketing drama has not yet read the official sources.
What the Federal Office for Cybersecurity says
BACS (Federal Office for Cybersecurity, formerly NCSC) runs a dedicated page for hacked websites. In plain words: content-management systems like WordPress, Joomla and Typo3 are popular targets for attackers, code vulnerabilities are regularly exploited, and installed plugins are among the most common entry points.
Source: ncsc.admin.ch / website hacked (in German)
This is not a private security vendor selling fear. This is the Swiss federal authority whose job is exactly that kind of assessment.
The numbers from the international reports
Three data points every WordPress operator should know.
Q4 2025: more than 2’200 new vulnerabilities. Wordfence’s Threat Intelligence Report documents a roughly 19 percent increase over the previous quarter for the last quarter of 2025. That is 24 new holes per day, seven days a week, statistically speaking.
97 percent of all vulnerabilities come from plugins and themes. Patchstack’s 2024 State of WordPress Security report shows: the WordPress core itself is relatively stable. The problem is the extensions you install so that your site actually does what you want.
Median time between disclosure and mass exploitation: five hours. As soon as a vulnerability is published, the automated scanning starts. Anyone who fails to patch within hours becomes part of the statistic.
Three mechanisms by which WordPress falls
Plugin vulnerabilities. In July 2025, three critical vulnerabilities were disclosed in the “HT Contact Form” plugin, with CVSS scores from 9.1 to 9.8. More than ten thousand websites were affected. Attackers could, without any authentication, upload or delete arbitrary files, including the central wp-config.php configuration file. Delete that file and the entire site reverts to its initial setup state.
Admin-login brute-force. Wordfence blocks more than three billion login attempts on WordPress installations every day. That is the everyday background noise. Every weak admin password is an open door.
Outdated themes and core versions. Germany’s BSI regularly publishes CVE advisories for WordPress versions. In December 2025 alone, advisories were issued covering WordPress Core up to version 6.8.2. Skip the released update and you keep running with the known hole.
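The admin-login brute force described above leaves a clear trace in the web server's access log. As an added example (not from the original article or from any vendor named in it), this script scans constructed combined-format log lines and flags any IP that posts to wp-login.php repeatedly within a short window; it assumes the usual WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# 203.0.113.7 fails five times in ten seconds; 198.51.100.22 fails once, then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2026:08:14:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:08:14:02 +0100] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:08:14:04 +0100] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:08:14:05 +0100] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:08:14:07 +0100] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
198.51.100.22 - - [02/Feb/2026:08:20:09 +0100] "POST /wp-login.php HTTP/1.1" 200 4215 "-" "Mozilla/5.0"
198.51.100.22 - - [02/Feb/2026:08:20:31 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip lines that are not in combined log format
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Map IP -> highest number of failed wp-login.php POSTs seen inside any window."""
    # A failed login re-renders the form with HTTP 200; a success redirects with 302.
    failed = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == "/wp-login.php" and status == 200:
            failed[ip].append(ts)
    flagged = {}
    for ip, times in failed.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

Run it against a real access log with `find_bruteforce(open("access.log"))`; the flagged IPs are candidates for a firewall rule or a fail2ban-style block.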
The day after the hack
A realistic scenario, not invented:
Monday morning you open your browser and see your website showing spam ads. Or, more embarrassing, a client calls and asks why your site redirects to a gambling page. You try to log in. The WordPress admin no longer responds.
From that moment, the clock is running.
Day 1. You look for someone who does emergency cleanup. Day rate from CHF 1’500. First job: figure out what has been compromised. Last week’s backup? Possibly already infected, because the attack started days earlier.
Days 2 to 3. Cleanup is in progress. The website is offline. In Google search results, the listing now reads “This site may harm your device”. Google removes you from the index until the problem is resolved. The SEO ranking you built over years, neutralised.
Days 4 to 5. Logs get analysed. Was customer data exfiltrated? If yes, Article 24 of the revised Swiss FADP applies: notification to the FDPIC within 72 hours. Also to the affected individuals, depending on risk. For a fiduciary (Treuhänder) or law firm, professional-conduct consequences are possible.
Week two. The website is online again. But the next vulnerability is already waiting in the next plugin update. You have to choose: patch everything and hope, or change the architecture.
Total cost, typically: CHF 5’000 to 15’000. Plus the opportunity cost of the downtime. Plus reputation damage, which is not measurable in francs.
That is the normal scenario. With a ransomware attack or a targeted data-leak hack, it gets longer and more expensive.
WordPress vs serverless: the sober comparison
A website does not have to be a running server. Here are the four dimensions that matter for SMEs:
| Dimension | WordPress (classic hosting) | Serverless (Astro on AWS) |
|---|---|---|
| Hosting cost | CHF 20 to 80 per month, fixed, independent of traffic. Plus plugin licenses and maintenance contracts. | Cents to a few francs per month, pay-per-request. Zero traffic costs zero. |
| Failure mode | Under a traffic spike: slow or offline. After a hack: days to weeks offline. | CloudFront SLA 99.99 percent. Under a traffic spike: scales up automatically. |
| Attack surface | Admin login, plugins, themes, database, FTP access. Weekly security updates required. | Static HTML at the edge. No server endpoint exposed. No plugins. No database. |
| Scaling | Server upgrade required, manual. Under a traffic spike, typically an expensive emergency migration. | Scales automatically from one visitor to a million without intervention. |
The conclusion: not every website has to be serverless. But if your website is a calling card rather than an interactive system with login, it is fair to ask why there is a running server behind it at all.
What does not run cannot be hacked. What consumes nothing costs nothing. That is the physics of the architecture, plain and simple.
What you can do now
If you run WordPress and do not want to migrate: the most important steps are regular updates, an audit of installed plugins, strong admin passwords with two-factor authentication, and daily backups that do not sit on the same server.
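The "regular updates" and "audit of installed plugins" steps can be checked mechanically. As an added example (not the article's checklist and not WP-CLI's own code), this script audits a plugin list in the shape that `wp plugin list --format=json` produces, using a constructed sample; the `audit_live` helper runs the same check against a real install and assumes the `wp` command is on PATH and that the plugin fields are named `name`, `status`, `update` and `version`.

```python
import json
import subprocess

# Constructed sample in the shape of `wp plugin list --format=json`
# (plugin names and versions are made up; field names assumed as WP-CLI emits them).
SAMPLE_PLUGINS = json.loads("""[
  {"name": "akismet",       "status": "active",   "update": "none",      "version": "5.3"},
  {"name": "example-forms", "status": "active",   "update": "available", "version": "1.4"},
  {"name": "old-gallery",   "status": "inactive", "update": "available", "version": "2.1"},
  {"name": "seo-helper",    "status": "inactive", "update": "none",      "version": "3.0"}
]""")

def version_tuple(v):
    """'6.8.2' -> (6, 8, 2) so versions compare numerically, not as strings ('6.10' > '6.9')."""
    return tuple(int(x) for x in v.split(".") if x.isdigit())

def audit(plugins, core_version, latest_core):
    """Summarise what the steps above ask you to look at: plugins with a pending
    update, plugins installed but inactive (still code on disk, still attack
    surface, still worth removing), and whether core lags the latest release."""
    return {
        "update_available": sorted(p["name"] for p in plugins if p["update"] == "available"),
        "inactive": sorted(p["name"] for p in plugins if p["status"] == "inactive"),
        "core_outdated": version_tuple(core_version) < version_tuple(latest_core),
    }

def audit_live(latest_core):
    """Run the audit on a real install via WP-CLI (assumes `wp` on PATH, run in the site root).
    latest_core is the newest WordPress release you checked on wordpress.org."""
    def wp(*args):
        return subprocess.run(["wp", *args], check=True, capture_output=True, text=True).stdout
    plugins = json.loads(wp("plugin", "list", "--format=json"))
    core_version = wp("core", "version").strip()
    return audit(plugins, core_version, latest_core)
```

Anything listed under `update_available` is exactly the window the five-hour median from the report above refers to, so this is the list to work through first.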
If you are planning a new website, or considering a relaunch: seriously evaluate the alternative. A modern Astro site on AWS, or on a comparable CDN, is the clean answer to this problem today.
I have put together a checklist that you can download as a PDF. It walks you through an honest stocktaking of your current website, with concrete actions you can carry out yourself. The current version is in German.
→ Download PDF: WordPress security checklist for Swiss SMEs 2026 (in German)
If you have questions about the architecture of a new website, or want to know whether a migration makes sense for you, book a 30-min call. Honest answer included, even if the answer is: stay on WordPress, but fix the following things.
Sources
- Federal Office for Cybersecurity BACS, website hacked, what now? (in German)
- Wordfence Threat Intelligence Report Q4 2025 (German summary at bitskin.de)
- Patchstack State of WordPress Security 2024 (German summary at wp-munich.de)
- HT Contact Form vulnerabilities July 2025, CVE-2025-7340/7341/7360 (in German)
- BSI advisory for WordPress Core, December 2025, CVE-2025-58246, CVE-2025-58674 (in German)
- Statistic: 13’000 hacked WordPress sites per day (German summary at level-nord.de)
- Swiss Federal Act on Data Protection (FADP / revDSG), Art. 24 notification duty (in German)