After a site has been compromised, we often get criticized for “not keeping my site safe”. It’s not a reasonable criticism. There isn’t a magic bullet to use against attackers.
We do scan every web server request for something like 10,000 known attacks using the web server plugin mod_security. The rule set used for scanning is updated daily to stay on top of the most recent kinds of attack, both generic and specific.
Every request also has to pass through two firewalls. The first examines every packet, checking whether it came from a known bad-actor IP address or is malformed in any way, which is a clue that it may have bad intent. The second watches activity over time, looking for patterns typical of compromise attempts. A simple example is repeated login attempts with different user names and passwords; this is called a brute-force login attack.
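As an added illustration (not the hosting provider's own tooling), the brute-force pattern the second firewall watches for can be picked out of a plain login log by counting failed attempts per source IP inside a sliding time window; the log format, the threshold of five failures per minute and the sample lines below are all constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp ip user outcome" form
# (not a real server's log format). The first IP cycles through usernames
# rapidly; the second is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 admin FAIL
2024-05-01T10:00:03 203.0.113.5 root FAIL
2024-05-01T10:00:04 203.0.113.5 editor FAIL
2024-05-01T10:00:06 203.0.113.5 test FAIL
2024-05-01T10:00:07 203.0.113.5 guest FAIL
2024-05-01T10:00:09 203.0.113.5 admin FAIL
2024-05-01T10:00:15 198.51.100.9 alice FAIL
2024-05-01T10:00:20 198.51.100.9 alice OK
2024-05-01T10:30:00 203.0.113.5 admin FAIL
"""


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: set_of_usernames} for every source IP that produced at
    least `threshold` failed logins within any sliding window of `window`."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures
    flagged = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, outcome = parse_line(raw)
        if outcome != "FAIL":
            continue              # successful logins do not count toward the pattern
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, set()).update(u for _, u in q)
    return flagged


if __name__ == "__main__":
    for ip, users in detect_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct usernames tried in one window -> block")
```

The lone failure at 10:30 from the same IP falls outside the window and does not by itself trigger anything, which is what keeps a single forgotten password from being treated as an attack.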
Yes, it would be possible to expand the screening to improve safety further. The trouble is that the list grows exponentially as you expand it. If we attempted to include anything like all possible attacks, web pages would never appear; the servers would be too busy screening to get around to sending them.
So why isn’t that enough? The usual problem is the web scripting language PHP. Sadly, it is vulnerable to attack by default: unless the programmer using it is aware of the ways it can be compromised and takes steps to prevent them, a script will be vulnerable. When you install a set of scripts on your site (such as WordPress), you have placed your security in the hands of the script’s authors. There is no getting around this.
It is critically important to keep your site running the most up-to-date software available. Even a short delay in updating can be fatal, and the more popular the software you are using, the more important this becomes. We deal with WordPress compromises every day that should not have happened.