Website hacked regularly with WP Defender installed


Only with this website ( I have a security problem. All plugins and themes are always up to date. I additionally turned on 2-step authentication for better security.

But after a while, new spam blog posts appear on the blog, created by the user "Bernd Aupperle" (account of my customer). When checking WP Defender on the site, it says "WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)". But in fact WordPress has been updated to 4.9.4.

I don't understand how the hacker can write blog posts even with 2-step authentication turned on.

My questions:

1. How can I make my WordPress site safe against these spam blog posts?
2. Why does Defender say that I haven't updated WordPress?

Thanks in advance for any support!

Kind regards,