The hardware used by your WordPress hosting provider can give you a lot of grief and be heavy on your wallet too. But, do you know what the issues are, and how a robust WordPress backup solution can help you?

Most of us think about subscription plans, security, and many other details when thinking about hosting a WordPress site. Few of us think about the kind of hardware that is used by the hosting and the problems that we could experience because of hosting hardware issues.

Hosting hardware issues could take your site down
Hosting hardware issues could take down your WordPress site

This may be with good reason- for one, such information is hard to get because hardware of hosting services is always out of sight, and there is no way to verify it. The second reason is that most of us may not know what are the questions we have to ask.

While there are many challenges which you may face while hosting your WordPress site, we’ll focus specifically on the hardware issues which may eventually end up affecting your site’s performance, security, and its existence.

A hosting service basically needs the following hardware:

  • Servers
  • Storage
  • Communication Equipment
  • Infrastructure Issues – Cooling and Heating

Rising competition in the hosting market space makes many demands. These demands may not all be met in the best possible manner by all host providers and this often manifest in hardware issues.

Server Failure

A server motherboard comprises CPU, memory, and network adapters among other things. All these components have a failure rate and regular wear and tear  leads to their failure. Of Course, as it is known, using ECC RAM may decrease the failure rate.

Apart from this, increases in temperature may accelerate this process and cause the CPU or RAM to fail. Power surges also lead to motherboard, and/or its components failing.

A host of software reasons may also lead to the motherboard on a server failing. This can be due to server overload through legitimate traffic or hack attacks.

Hard Disk

There is no magic, hard disks are used for storage of data in data centers. As you will well know, a hard disk is a mechanical device, meaning it relies on its parts moving to read and write data. This exposes hard disks to not only natural wear and tear but also, failures from excessive heat due to friction.

Now, imagine having hundreds and thousands of such devices stored in a single center. Some are bound to fail and fail much before their mean time between failures. A good hosting company will ensure that dated hard disks are phased out and new ones are installed periodically.

There may also be issues after maintenance work. Simple issues like physical damage caused by someone dropping hardware or not plugging in the wires correctly may occur too.

Communication Equipment

While most of us know of servers and hard disks, users rarely think of  the cables and network switches. Data centers on the other hand generally have to pay more attention to such things. Reports in 2013 of how 4 major hosting providers were taken out by a network switch failure; and users had to experience downtime, is proof of this fact. Network failures are a real threat to the functioning of your WordPress site and the reputation of your site.

Outdated Hardware

Extending the life cycle of hardware in data centers can be due to lack of maintenance or a cost cutting measure; either due to lack of budget or due to the desire to remain competitive. Cables, hard disks, etc. usually are not thought of by consumers. It may be easy to not replace them at the right time. This brings down the performance of the servers and in turn the performance of your WordPress site.

Apart from these issues certain other factors that have to do with the supporting infrastructure and maintenance of the data center affect the health and performance of hardware.

Infrastructure Issues – Insufficient Cooling

Apart from the regular functioning of servers and storage other factors may contribute to this issue. rooms may be stuffed with servers, or servers may be stuffed with too many sites. Such practices contribute to inefficient energy consumption and increased heating. In such cases it is not easy to scale up the cooling infrastructure wherein planning and space may be short. Other factors like ‘spaghetti cables’ may also aggravate the problem.

This is not simply to say here are the problems. The impact of heating issues on your WordPress site’s performance, your finances and reputation is real. Heating issues may regularly lead to:

  • Hard disk crashes
  • Longer load times due to hardware performing at below par levels
  • Pages not loading, etc.

The decrease in traffic and transaction from increased load times and frequent downtime is a fact that is increasingly well documented.

Natural Disasters and Accidents 

Natural disasters may not be something we think about on a daily basis but is obvious once stated. Natural disasters can destroy racks – servers, and hard disks, and make the building shell itself inaccessible.

Accidents may seem less obvious but they are real possibility and have caused considerable damage to the hardware of hosting servers. From a SUV crashing into a Rackspace facility costing them reportedly US $3.5 million in refunds to fire caused by drill in an adjacent building burning down an Amazon data center, accidents are a real possibility and cause considerable damage. The first example doesn’t not account for the cost of downtime which was estimated to have lasted 5 hours.

Not accounting for accidents in your WordPress site’s disaster recovery plan is a mistake.

Independent WordPress Backups Can Come to Your Rescue

The first step to being prepared for all eventualities of hardware failure with your WordPress hosting is knowing about them. Then, having good, independent WordPress backups may help you significantly reduce downtime and keep your business running. In this case, the question to ask is “Are your backups completely independent of your hosting provider’s hardware?”. If the hardware of hosting provider, located in one or two locations is compromised then can you still access your backups? If the answer is no then you need you revisit your backup strategy. You can look at BlogVault to explore a robust WordPress backup solution.

WordPress is an Open Source CMS, meaning both: vulnerabilities AND their patches are all visible to the WordPress community. So how does this make WordPress secure?

If you studied in a more orthodox school, you might have dreaded tests, (at least I did.)

So when I first heard of the concept of Open Book tests, I thought it was a joke. I had a very similar reaction to what I learned about WordPress’ transparent security model, because I couldn’t even begin to understand how declaring weaknesses could be good for security.

But despite my opinions of what security should work like, WordPress is not only one of the most secure CMSes in the world, it’s also the most popular. How does the platform manage this feat?

WordPress is the most popular CMS in the world
WordPress is the most popular CMS in the world

Security through transparency

A concept that most Open Source CMSes use, security through transparency means that every vulnerability, (and its patch) is disclosed to the community using the CMS.

News about an attack not only alerts users of vulnerabilities, it also lets hackers know exactly what is vulnerable and how. The situation can be compared to a pharmacist seeing your prescription and having an idea of the illness you have.

This also means that those who maintain the vulnerable code (and the community) work to patch it as quickly as possible, and release it to all of their users.

This begs the next question:

What causes vulnerabilities in code?

There is no such thing as perfectly secure code. Nonetheless the possibility of vulnerabilities increases when:

  • The code doesn’t follow the best security practices.
  • The team working on the code isn’t experienced enough.
  • The code doesn’t undergo multiple reviews.
  • The team is ineffective or slow in acting on fixing known vulnerabilities.

How does security work on WordPress?

Well the answer lies in its community, and contributors.

WordPress consists of two main parts:

  • WordPress core, which is basically the standard base and framework that any WordPress site is built on
  • WordPress add-ons, which includes plugins, themes, and widgets.

Security for WordPress’ core

The core of WordPress is developed and maintained by a tight team with some of the best, most experienced security experts from around the world.

While it’s not possible to create perfectly secure code, these experienced security experts maintain the best WordPress security practices by ensuring that there are no obvious loopholes in functionality or in code that hackers could potentially exploit.

The code developed also undergoes multiple revisions for stability and security. This makes it more thorough.

But it doesn’t end there… if and when vulnerabilities are discovered, they are fixed as soon as possible, with the patch made available in the next release.

So while the are major releases  (such as WordPress 4.6) that deal with feature additions, special care is also made to make minor releases (like WordPress 4.6.1) that thoroughly deal with security issues.

As a result, there haven’t been any major exploits on WordPress’ core in a very long time.

Security for WordPress add-ons

Currently, there are close to 47,000 plugins and more than 4,100 themes listed on the repository.  There are also a very large number of plugins and themes hosted on third-party websites such as Themeforest, etc.

The WordPress community is very large, and the developers of these add-ons range from beginners to experts. Because of this, add-ons have many more vulnerabilities than can be seen with the WordPress core.

And even though these add-ons are open source, they have very few developers working on them. So with respect to security, not only do they not get the benefit of Open Source (which is that many people work on one project from many different perspectives), but they also suffer bad guys being able to exploit the additional visibility.

To add to this, we at BlogVault have seen a number of cases where sites have been hacked because the plugins or themes that they had installed didn’t follow the best security practices. This adds to their vulnerability.

Moreover, since a lot of the contributors are hobbyists, many of these projects get abandoned or do not get sufficient attention from the developers who made them time. This causes outdated plugins to have even disclosed vulnerabilities without a patch. The most recent case of this happening was that of W3 Total Cache plugin which was not updated for a considerable time even after a major disclosure.

Discovering vulnerabilities, declaring patches

In case of vulnerabilities, WordPress encourages the practice of “responsible disclosure”, which means reporting vulnerabilities directly to those who maintain the code they were found on. Whether this happens or not though, depends on who finds the vulnerabilities.

There are usually three kinds of people looking for vulnerabilities on WordPress:

  • White-hat hackers, who are the good kind of hackers. They test systems and code for vulnerabilities. If they find any loopholes that can be exploited, they alert the developers in charge of the systems being tested.
  • Hobbyists/users who either just stumble upon a vulnerability, or have the technical knowledge to recognize that the existing functionality/code could be exploited.
  • Black-hat hackers. The bad guys who look for vulnerabilities to exploit.

This is why there’s always a race on. The first two groups (along with those who maintain the code), try to get a patch out as soon as possible, while the black-hat hackers try to exploit it faster.

Once a patch is worked on, it’s distributed via communication on the WordPress repository, WordPress news sites, tech blogs, etc.

The thing is, after a patch has been distributed, even a hacker oblivious to the vulnerability could easily reverse-engineer it to find out which part of the code was vulnerable, and how it could be exploited. Once they figure that out, it isn’t too hard to find out if sites have an outdated, exploitable version of WordPress, or a particular plugin/theme/widget.

So is a WordPress site secure?

It always looks like WordPress is under heavier attack because of the number of vulnerabilities which are disclosed.

This could be because WordPress is a popular CMS, and therefore a popular target for hackers… or because this is how security on WordPress works. Threats have to be disclosed so that users can prepare themselves. Patches have to be declared so that users are protected.

But to be honest, WordPress isn’t perfectly secure… because there is no such thing as a secure software.

Hackers are always trying to exploit sites for a number of reasons, so just as there are ways to patch vulnerabilities, there will always be ways to find ways around them, or pervert functionalities to create new ones. And just as hackers come from every corner of the community (and even from outside it), developers within the community rise to the occasion.
So while it might be impossible to make any WordPress site completely impervious to attacks, there are ways to harden websites, and recover quickly, such as implementing a reliable backup solution like BlogVault, and an intelligent malware cleaner, such as MalCare.

Flywheel being a managed WordPress hosting service offers great features including WordPress backup. The increase in features and focus specialization is certainly reflected in the price too. So, are Flywheel backups worth it?

Flywheel is a managed WordPress hosting platform. They exclusively host WordPress sites and as a result, Flywheel is optimized for that platform. This means that you can expect WordPress backups and services that are a cut above your run-of-the-mill shared hosting environments on other web hosts. With this, costs rise proportionally as well. So, does this mean that we will discover a web host WordPress backup on which you can rely? Read on, to find out!

A Screenshot of Flywheel's website
A Screenshot of Flywheel’s website

Before we begin, welcome back to our series reviewing backups by web hosts. Check out our previous articles in this series on backups by WP Engine, HostGator & SiteGround if you’re interested in how they backup your WordPress site.

Flywheel Backups:

As usual we would, ultimately, be looking to answer one question- Can you rely on Flywheel for your WordPress backups? Being a hosting service dedicated to WordPress, Flywheel is optimised for the CMS and provides backups as a part of its service. However are the WordPress backups completely independent of Flywheel? Let’s find out.

  • Flywheel makes nightly automated backups of your WordPress site.
  • You access 30 days of backups through your dashboard.
  • Flywheel’s documentation says that it backs up everything in your WordPress folder including uploaded files.
  • Backups are stored offsite on Amazon S3 servers.
  • Apart from these features you  can download your backups in .zip format; and restore your WordPress site with a single click.

Points to keep in mind:

  • When you are restoring your site, visitors are going to see a ‘site down for maintenance’ message.
  • Flywheel provides a staging environment to test changes and updates to your site.

Review of Flywheel backups

Flywheel allows you to force backups anytime you want. This is helpful when you have to make updates or major changes to your site. When you are restoring your site, it automatically prompts you to make a restore of the current version. It is a handy feature to have as you can roll back your site in case the restoration process does not work out. However Flywheel does not function as complete WordPress backup service despite getting many things right. As a consumer you will have to decide if you can ignore issues or do you want to go for the best WordPress backup plugin.

Backup Descriptions

When you force a backup, you are prompted to provide a backup description. In such a case, you can name the backup according to the reason you are performing the backup. For  example, if you are updating plugin X, then you can name the backup as ‘before updating plugin X’. Although you have 30 days of backups available on a list in the Backups tab of your Flywheel dashboard, you can immediately identify this one.

Forcing a backup on Flywheel first results in a pop-up asking for a backup description to help tell backups apart
Forcing a backup on Flywheel first results in a pop-up asking for a backup description to help tell backups apart

Automatic backups on the other hand, can only identified by their dates and the number of posts, pages, comments, plugins & uploads. There is very little to differentiate what has exactly changed since the last backup. This is particularly painful when you start making backups before updates, restores, and so on. This interrupts with the automatic backups repeating number of posts or pages or jumbling them up. A hack most people would think of, to restore the backup version with the most posts or uploads will not work in such a case.

Flywheel's automatic backups are hard to tell apart
Flywheel’s automatic backups are hard to tell apart

Downloading Backups from Flywheel

Downloading backups is very easy you can do it from the BACKUPS tab in your Flywheel dashboard itself. Once you have opted to download a particular backup, you will get an email notification informing you that your backup is ready for download.

Downloading Flywheel's backups is easy
Downloading Flywheel’s backups is easy

One thing we did notice when we unzipped the downloaded backup is that, wp-admin and wp-include files were missing from the downloaded backup.

Our downloaded backup didn't contain the wp-admin and wp-include files
Our downloaded backup didn’t contain the wp-admin and wp-include files

We must mention that we had no issues with restoring the site from our dashboard. This means that Flywheel will have a backup of those folders. But, you can’t access those folders of your site when you simply download a backup from the Flywheel dashboard. It is more a question of convenience- how easily can you access all the files on your site?

Does Flywheel backup give you control?

In case some files are being excluded from backups, you cannot simply add files to your backup right from the dashboard of your account. You can’t know the specific files or directories being backed up either.

This lack of granular control extends to downloads and restores too. Your backups as mentioned are zipped and sent to you. You do not have the option of choosing which files or tables you want to download. While this outs some sort of a burden on your storage space or labor the matter is a little more serious when it comes to restores.

Losing Data When You Lose Control Over Backups

Flywheel restores your site by removing all the old files and replacing them with the backup version you have chosen. This means that changes made in this interim will be lost. In case you know that a specific plugin or file is the issue, then you can restore only those files or plugins without losing your data.

Ideally, making incremental restores to your WordPress site would not ensure that it is up and running quicker but will also ensure that changed data since the restore also is not lost.

Of course you can always make a backup before restoring, and then download it. You would then have to upload all of that content again and make sure to take a backup of this latest version of your site. However, this seems like a circuitous way to solve the issue.

On the note of control over backups, we thought we’d mention that you also cannot customize your backup schedule.

Conclusion on Flywheel Backup:

A summary of FlyWheel's backups
A summary of FlyWheel’s backups

As expected Flywheel gets a lot things right however, their backups still don’t cut the standard of a complete WordPress Backup service. As Flywheel mentions on their site, they’d like to work with the “best of breed” for everything. If you too are looking for that “best of breed WordPress backups” then you might want to look elsewhere.

Stay safe & always, always backup!

WordPress backups by WP Engine are generally solid but may not be completely independent of the hosting service. Read on to find out not only if you can rely on their backups but also if the feature is convenient to use?

WP Engine is one of the most popularly used hosting services to host WordPress sites today. It provides its users with an array of features that include robust security, data backups, good speed, & customer service. In this article, we’ll discuss the data backup and restore features of WP Engine at length.


A screenshot of the WPEngine website
A screenshot of the WPEngine website


Before We Begin: Our Backup Mantra

No hosting service is by itself a sufficient security measure, because all web hosts including WP Engine can be vulnerable. We firmly believe that your WordPress security is best served by a strong combination of actions. At the foundation of that security pyramid must be a robust WordPress backup plan that will allow you to keep your website’s best form online always and solve problems- malware cleaning, compatibility issues, etc., offline, without harming you or your audience/consumers.

WP Engine Backup

Accessing Your Backups on WP Engine

WP Engine backups can be accessed by clicking on your ‘Install’ name and then clicking on ‘Backup Points’. You can also create a ‘Backup Point’ manually at any time you want by clicking on ‘Backup Now’ option before making any drastic changes to your site.

Backup Schedule on WP Engine

WP Engine displays the last 40 backup points at any particular time. They perform automated daily backups of your WordPress site – files and database. However, the backup schedule is automatically set by WP Engine, and there’s no option for you to schedule your backups at a preferred time. To make backups lightweight and fast, WP Engine smartly ignores files like logs, cache, and backup data. Also, to ensure that your backups are safe and secure, they’re encrypted at the source itself and stored in a geographically separate location from your site.

Downloading Your Backups From WP Engine

Moving on, there’s a ‘Download ZIP’ option present next to the ‘Backup Now’ option that lets you download a zipped copy of your site backup. On clicking ‘Download ZIP’, the download process gets initiated immediately. Once the ZIP folder containing the backup archive is ready for download, you’ll get an email from WP Engine containing a link to download it (this, I received within 5 minutes).


Screenshot highlighting the discrepancies between downloaded backup ZIP and remote website
Screenshot highlighting the discrepancies between downloaded backup ZIP and remote website


Screenshot highlighting the folders missing in the downloaded backup ZIP
Screenshot highlighting the folders missing in the downloaded backup ZIP


In addition to Production backups, WP Engine also generates backups of your staging site. Staging backups work the exact same way as Production backups, and can be accessed via the ‘Backup Points’ tab itself, by clicking on ‘Staging’ backups.


WP Engine generates both Production backups and Staging backups
WP Engine generates both Production backups and Staging backups


The one issue here is that of details of backup points. As you can see in the above screenshot, backup points only have date, time and a short description. You cannot see details of which files/tables were backed up, excluded and what are the specific changes that occurred between the chosen backup and the one immediately preceding it. While the descriptions help, if all you see is ‘daily checkpoints’ in your list you may have to make a few trail runs at times before you find the right WordPress backup version.

WP Engine’s Restore Feature

With WP Engine, you can easily restore to an earlier backup version on your site by choosing a Backup Point and clicking on ‘Restore’. By default, WP Engine restores only files. If you want to restore site’s database too, then you need to select the ‘Restore DB’ option on the pop-up that appears upon clicking ‘Restore’. There is however no direct way to restore only the database (sans files).


WP Engine restores the DB files with the sites files
WP Engine restores the DB files with the sites files


Once the chosen backup is restored, you’ll receive an email from WP Engine intimating you of the same. WP Engine’s restore process is quick and efficient, although it seems to delete new files in the process. This might result in a loss of data upon restoration of a backup version. One good thing to note here is that when you restore your site to a previous backup version, WP Engine automatically creates a new backup point, so you can easily go back to the way your site was before performing the restore if the your website isn’t functioning correctly after the restoration process.


WPEngine creates a pre-restoration checkpoint so you can go back to a version of your site before the restore
WPEngine creates a pre-restoration checkpoint so you can go back to a version of your site before the restore


The Last Word

One of the good things about WP Engine is that it prompts you to create a restore point whenever you’re about to make any new change to your WordPress site.

WPEngine prompts to create checkpoints or restore points whenever any change is to be made to your WordPress site
WPEngine prompts to create checkpoints or restore points whenever any change is to be made to your WordPress site

Also, before making any updates on your site, it automatically generates a backup of your site. WP Engine is an excellent hosting provider for WordPress sites, no doubt about it, and if you don’t mind shelling out big bucks for quality service, it’s definitely worth a go!

Here’s a brief summary of the features offered by WP Engine backups:

A summary of WPEngine's backup
A summary of WPEngine’s backup

As can be seen from the above table, WP engine backups are good and do the basic job. The backups are encrypted and are infact stored off-site. Backups are also made daily. However, if you want features like real-time backups, easy automated backup validation and one-click migration of your backup to a different URL or host; if you want to be able to schedule your backups, and control what tables/files get backed up and what get ignored, then you might need to look for a more complete WordPress backup solution other than WP Engine backups.

When you run a WordPress website, it can be distressing and even annoying when visitors suggest that you might be hacked, based on their PC’s antivirus notifications. Here is why and how this happens.

One of the most harrowing experiences for any WordPress website owner, is that of getting hacked, especially when they don’t even know that they had been harboring malicious code. This is why it’s helpful to be aware beforehand, of the signs that your WordPress site has been hacked.

A very common sign of a hack nowadays, is that of visitors’ antivirus software (like Avast, Avira, Kaspersky, or Norton) flagging websites.

PC antiviruses can alert users of WordPress websites containing harmful code
PC antiviruses can alert users of WordPress websites containing harmful code

When this happens, it can be confusing to new website owners on WordPress because of the general idea that PC antiviruses can’t scan WordPress websites, and vice versa.

What most people don’t know, though, is that there are a number of PC antivirus softwares that also scan URLs of websites that users visit.

Most of the time this feature comes with the premium versions of antivirus software though.

Why do computer antivirus products scan websites?

First of all, these products don’t effectively scan the entirety of a WordPress website.

However, some antivirus solutions for personal computers have a feature called ‘URL Scanners’, to make sure that the user of the computer doesn’t get affected by malicious websites. These scanner check if URLs entered have been reported in the past for malicious code that could affect computers.

Avira Pro's URL Scanner protects users from malicious websites
Avira Pro’s URL Scanner protects users from malicious websites

Even innocent-looking websites could infect computers by an exploit called ‘drive-by-downloads’. These are malicious files that websites scam their visitors into downloading, such as a free game .exe file.

How do computer antivirus products scan websites for malware?

URL scanners examine web pages against a repository of reports of threats to see if they have had any instances of malware reported in the past.

Since companies producing antivirus softwares and security solutions need to keep updating their collection of malware signatures, their list is up to date. Resources like VirusTotal (a subsidiary of Google dedicated to scanning files and URLs), collaborate with these companies and aggregate the signatures to help keep the dataset relevant.

Signatures of antivirus solutions present on VirusTotal are updated every 15 minutes, so the latest datasets are always used. Since VirusTotal is also a free, online, public offering that helps scan files and URLs, every file and URL sent to VirusTotal is sent to antivirus and security companies to help them keep up to date. When a signature is detected by one of the PC antivirus solutions that collaborate with VirusTotal, it is, by default, sent to all the collaborators (67 in total for URL scanners), that do not detect the resource. These signatures are also stored in a database, that all premium collaborators are given access to.

What to do once a PC antivirus flags your website

Once your website has been flagged, it is best to take the following steps:

Step 1: Update your WordPress website

Outdated versions of WordPress core, themes, or plugins could all have vulnerabilities, one of which the hacker might have exploited. However, there are chances that updating these elements might break your site. This takes us to our next step.

Step 2: Invest in an intelligent WordPress malware scanner and cleaner

This step is crucial. Selecting a solution in this regard that works to efficiently scans for hacks and removes malicious code would save you a lot of trouble. However, it’s important to make sure that this solution doesn’t report false positives, and yet doesn’t miss any malware.

Step 3: Invest in a reliable WordPress backup solution

It is important that you invest in a robust, dependable WordPress backup solution. This way, once your site is clean, you can back your site up, before experimenting with updated versions of WordPress core, themes, or plugins that have lesser vulnerabilities.


It can be distressing to hear from visitors to your site that you might be hacked. However, hacks and malicious code cause more damage with time. It is important to act on this information as quickly as possible.

Hacks catch WordPress site owners by surprise since they are carried out discreetly to exploit websites’ resources. The Pharma hack makes use of your website’s search rankings. Do you know how to get rid of it?

Over the past couple of weeks, we’ve been covering some of the ill-effects of being hacked, and how to recognise a hack. In that progression, one of the most discreet ways hackers use your site, is via Black Hat SEO techniques.  Black HAT SEO hacks make use of the legitimate links and content on your site, so cleaning them up requires expertise, and time.

What is Black Hat SEO?

In short, Black Hat SEO (also known as ‘spamdexing’) is an exploit of a vulnerability on your website where attackers target your highest-ranking pages. Hackers perform this bad SEO practice so their websites gain easy traction from your website’s search engine ranking.

Attackers first identify the high-ranking pages on your website. They then insert their links into those pages, and hence hijack these rankings to affect their websites. The malicious content isn’t seen on the front-end of the affected websites, but is visible to search engines.

However, in the long run, this poisons your site’s ranking.

The WordPress Pharma hack poisons your website search engine ranking
The WordPress Pharma hack poisons your website search engine ranking

Not only does your website rank lower… since these methods go against search engine guidelines, there is a high possibility of your website getting blacklisted too. This doesn’t matter to the hackers because they’re looking for a quick way to boost their website ranking instead of putting in the hard work for it. Once your website has been blacklisted, they’ll perform the same SEO hack on another website to maintain their ranking.

One of the most well-known ways Black Hat SEO affects WordPress sites, is via an exploit called the Pharma Hack.

What is the WordPress Pharma Hack?

The WordPress Pharma hack is an exploit of a website’s vulnerabilities to display pharmaceutical products along with the actual site’s pages or products on the search page. Since this is an exploit that uses Black Hat SEO, these pharmaceutical products don’t display on or affect the actual pages of the website. Instead, the website ranks lower on search engines’ results.

Why does it take so long to detect?

When we say that the spam links and content isn’t visible to users, we mean that it only shows up when someone looks for the site on Google. The description beneath the link to the website will show something related to the pharmaceutical products from the hacker’s site.

Even if you (the admin) of the site looks through the HTML source code, you won’t find the spam links or content.

This is because the malicious content is disguised and placed in your WordPress blog’s plugin folders, and in your database.

Since the exploit only affects the highest ranking pages and not all the pages on the site, it becomes more difficult to find.

How does it work?

Most of the time, hack files (malicious code) is encoded, or named to look like legitimate WordPress files. For example, if the Akismet plugin has hack files, they could be named “akismet.cache.php” instead of “akismet.gif”, “akismet.php” or “readme.txt” (which are the only three files that an uninfected Akismet folder has). Similarly, any file outside of the default files available with your original WordPress plugin install should be looked at closely, since they could be hack files.

With the WordPress Pharma hack though, the hack files are encoded (sometimes backwards), and are injected into the plugins folder.

The malicious code pings Google with requests for the list of highest ranking pages on your website. It then stores this information in its database, and targets them when it runs.

How to clean up the WordPress Pharma Hack

  1. Go through your plugins folder using your FTP client.
  2. Make sure your viewing options are set to show hidden files.
  3. Check directories of every active plugin on your website.
  4. Look for files that have encoded names.
  5. Once you find the hack files, it is important that you delete them. This will get rid of the symptoms of the hack. However, you will have to remove the malicious files in your database too in order to get rid of the hack from the root.
  6. Before you tamper with any database file, it is recommended that you backup your WordPress site so that any change you make to your site isn’t permanent. This way, even if you make a fatal mistake, you can rollback changes and go back to a working version of your site.
  7. Deleting the rogue functions in your WordPress database will need some technical expertise: you will have to access phpMyAdmin, and delete the database entries that contain malicious code. If this step is not done, the consequences of the hack will still prevail.
    The easier option to manually looking for and deleting presumed hack files, would obviously be to use an intelligent hack scanner and cleaner that doesn’t raise false alarms, and yet doesn’t miss malicious code.


Black Hat SEO hacks, and other SEO spam is difficult to remove from your site. What’s worse is that if you get blacklisted by search engines like Google for it, requesting for a review, and getting reviewed for this kind of exploit takes the longest time to process, out of all the types of hack review requests. This is why time is of the essence in attacks like the WordPress Pharma Hack.
Efficient hack scanning and cleaning systems that require technical assistance, take up to 12 hours to clean up malicious code, but the question is whether you can afford that time. This is why it’s important to use an efficient, automated malware scanner and hack cleaner.

When your web hosting service suspends your hacked WordPress website, it can be painful. But web hosts have legitimate security concerns behind this action.

Any experienced WordPress website owner knows that there are no truly secure, impenetrable websites; just hardened ones. But when your website has been hacked, it can be a bit of a salt-in-wound situation when your web host suspends your website.

Web hosts shutting your site down can be very frustrating
Web hosts shutting your site down can be very frustrating

Is suspending the hacked site the only course of action?

While suspending your account is one of the actions that web hosts take, it isn’t the only one. If you’re with a good web hosting company, they will:

  1. Send email notifications about:
    • Details about the exploit on your site, and links to it
    • A reminder that you are responsible for securing your site
    • A list of outdated (vulnerable) scripts and a notification if you’re using an outdated version of WordPress
    • A clear deadline for you to get back to them or get suspended
  2. Offer to clean the malware on your site, for a price (this depends on whether the web hosting company also offers security measures)
  3. Offer to restore a clean back up of your site (this depends on whether the hosting service offers reliable backup solutions)

Naturally, not all web hosts provide more than one option, and what is offered depends on the scope of their service at the price-point you’re utilizing it at.

Why is suspending my website an option?

As we explained above, not all web hosts have reliable backup-and-restore or security measures offered along with their service.

So if your web host chooses option 1 (sending an email notification and then suspending your WordPress site), they might do so to protect one of the following parties:

  • Visitors to your site (in case of individual hosting)
  • Other sites on the hosting server, and their visitors (in the case of shared hosting)

Reasons why hosting providers suspend WordPress sites on shared hosting

Serious issues could arise in the case of shared hosting, especially if the hosting provider doesn’t have reliable security measures. This is because one hosting server would support multiple websites, (as separate entities on that server), which would all be required to share the server.

For example, if one website on your shared hosting server consumes too much bandwidth for files, all the other websites on that one hosting server are also affected.

So if the malicious code from one infected website manages to find its way to your server, everyone on the server would be infected. Attacks like these could be incredibly simple; for example, a hacker could craft malicious code to executes simply when admin tasks are performed.

In cases like these, a practical solution would be to suspend your infected WordPress site, until the hack is cleaned out.

What damage can hackers cause with access to a hosting server?

Here is an overview of the damage a hacker can wreak when they have access to your website’s hosting server:

1. They can send spam mail from your server:

The attacker’s main aim in this case would be to send their spam mail using your hosting server.
However, if they abuses it enough, they could get your DNS server blacklisted by email providers such as Gmail, Yahoo, Outlook, etc.

In the case of individual hosting, not only would you be unable to send regular mail to your subscribers, your web host wouldn’t be able to send any mail to anyone else from that server either.

In the case of shared hosting, every website using that server would get blacklisted by email providers.

Suspending your account would prevent your hosting server from getting blacklisted, no matter which type of hosting server you use.

2. They can infect your visitors’ profiles/websites:

Attacks such as Cross-site scripting are notorious for spreading like wildfires. A hack on your website could spread to a number of your visitors when they simply open up a page leading to your website.

In the case of individual hosting, this would only affect your site’s visitors.

In the case of shared hosting, attacks like cross-site scripting have the potential to affect the visitors to every website on that particular server. This possibility can be mitigated if your shared hosting provider has a robust security system and separation between the websites on that server.

In either case, shutting down your hosting service could help mitigate the damage and get to the source of the malicious code.

3. They can use your server as a bot in a DDoS attack against another website:

Denial of Service (DoS) attacks aim at making a website unavailable by overloading it with requests. Distributed Denial of Service (DDoS) attacks overload the same website with requests from a number of sources so that its server denies service. These sources could be other websites’ servers.
If a hacker gets control of your server, they could use it as a bot pinging (or attacking) other websites.

In case of individual hosting, this would mean that your site would be blocked by other servers and networks’ firewalls, as well as search engines.

In case of shared hosting, not only your site, but every site on the same server would get blocked as they all share the same IP address.

4. They can shut your website down and use ransomware techniques:

Ransomware is exactly what it sounds like; hackers take your website down and only allow you access to it, or get it back up if you paid them a specific amount.

In the case of individual hosting, only you would have to bear the brunt of a ransomware attack.

In the case of shared hosting, the threat is magnified because of the possibility of breaching your web host’s security measure, and taking a number of websites in one go.


Obviously whether any of these attempts succeed or not, depends on your hosting company’s security measures.

It can be frustrating to get taken down by the web host you depend on. But in the long run, this is for the good of your website, their service, and your visitors.

Therefore, one of the first steps you should take, for everyone’s sake, is to get an intelligent malware scanner and cleaner that will clean out hacks.
It is also very important that you perform a forensic-style analysis of when exactly your WordPress site was attacked, how the hack happened (the vulnerability that was exploited, how it was exploited), the damage caused, and the other vulnerabilities on your site that could be exploited.
Using a reliable backup solution is also of paramount importance, especially since it helps you easily, and quickly restore a clean version of your site while you clean out the hacks.

WordPress hacks always feel personal, especially when you discover your website had been compromised for a while. This is why it’s important to recognize a hack from the first signs.

Cybersecurity is one of the biggest threats to anyone who has an online presence nowadays. This is because hackers keep hacking for a number of reasons have a number of motivations, and to them your website is the means to an end. It almost always feels personal though. At BlogVault, lot of our customers over the years have said they felt slighted by hackers, especially because they invested a lot in the creation of a site.  And what adds insult to injury in many cases, is the fact that most victims didn’t even know they’d been hacked for months or even years, even if the hackers performed common attacks on the websites .

The scenario can be compared to having a home with the most secure doors, and many windows. When a thief breaks into your home only to steal a few slices of bread every day, since it’s small enough to not be noticed right away, the theft can go on for a while. In many case, the thief makes sure to not do anything that attracts your attention so you don’t know about the one window that makes the house easy to break into.

Although WordPress core is secure and has been kept safe, WordPress sites have a number of plugins, widgets, and themes, any of which might be vulnerable. So even if you notice something amiss, it can take a while to figure out which ‘window’ needs fixing.

It can be difficult to figure out which entry point is being used
It can be difficult to figure out which entry point is being used

This is why we thought of giving you a few signs of hacks to watch out for. If your answer to any of these questions is ‘yes’, you might need to invest in an intelligent malware scanner and cleaner, to clean out the instances of malware on your site.

Sign #1: Browsers warn visitors about your website with variants of “This site may be compromised”

Browsers like Mozilla Firefox and Chrome are kept up to date with relevant and new malware signatures. So if your website has malicious code and people look for it, they display messages just like the one below:


One sign that you've been hacked is that of browsers displaying warnings about it
One sign that you’ve been hacked is that of browsers displaying warnings about it

Sign #2: Subscribers complaining about spam mail from your website?

Here’s something to think about: If you’re not spamming visitors who have signed up to receive mail from your website, who is?

Sign #3: You’ve been hacked before, and noticed the same weird activity on your site

This could be because of a Backdoor that attackers might have installed during the last hack of your site. The main purpose of the Backdoor is to allow them continuous access to your site long after the main hack is cleaned. As a result, backdoors are generally unobtrusive so that they aren’t usually detected with hacked files.

So even if you have updated the vulnerable plugin/theme that the attacker exploited to install the Backdoor, the malicious code remains, and can still be used to grant them access to your site and resources.

Sign #4: Has your site suddenly become slow or unresponsive? Is it showing a 500 server error?

This is definitely one red flag to look out for, especially when you know the number of legitimate visitors to your site hasn’t increased, but your site has been slowing down or displaying the generic 500 error, like this one:

Error 500 is what displays when your server is overloaded
Error 500 is what displays when your server is overloaded

Usually this error results from an increased use of the server. Among a number of possibilities, this could be because the attacker is using your server to perform functions that you didn’t authorize, such as sending spam mail, using your server as a bot that they have total control over.

Sign #5: There are plugins/themes you haven’t installed, or admins you haven’t authorised

If an attacker gets admin access to your site, they obviously can do anything they want. However, if they choose a more devious action such as uploading a malicious file masquerading as a plugin to perform whatever function, they could not only do whatever they wanted, but also use it as a backdoor.

Sign #6:Visitors complaining about their PC Antivirus solutions flagging your site

Believe it or not, this is possible! Antivirus solutions that are generally used on computers are designed to protect the user(s) from malware that could be installed from a website. So if a user (who has this antivirus solution installed on their computer) visits your infected website that could affect the computer, warnings similar to this one might pop up:

A number of PC antivirus solutions have URL scanners that could alert the user when they detect malicious code on a website
A number of PC antivirus solutions have URL scanners that could alert the user when they detect malicious code on a website

Sign #7: Do pharmaceutical company search results show up when you look for your website?

The WordPress Pharma hack is a pretty famous attack. This hack used bad SEO tags such as those about performance-enhancing drugs, antidepressants etc. The thing about this attack is that it isn’t visible to the site’s regular visitors, or even if you check the HTML tags because the hack infects the site’s database and files. However, search engines pick them up, and obviously help the pages with these tags rank higher.

Sign #8: Visitors to your website keep getting redirected to other sites

Another red flag you should look for is if your visitors complain about searches for your website lead them to a blank page, some other domain, or back to the search engine.

Sign #9: Your web host has disabled your site

If you’re on shared hosting, this could happen as a result of your website using up too much of the server’s resources, or because of security issues (such as malware that could take control of the entire server, as in SQL injection attacks).

Sign# 10: Google, Bing, and other search engines blacklist your site

One of the most obvious signs that your site has been hacked includes that of having your site flagged by search engines. Search results for your site display results such as those below:

Search engines display warnings to users when they detect malware on a website
Search engines display warnings to users when they detect malware on a website

This is the ultimate sign, and one that brings the most ill reputation. If you’re running a business, having your website blacklisted is bad because Google and other search engines could even  stop crawling or listing your site.

If you don’t see a warning among the search results, finding out if your website has been blacklisted is as simple as using sites like StopBadware, which is a subsidiary of Google.

If your site displays any of these signs, you should first make use of an intelligent hack scanner and cleaner, like MalCare, that doesn’t raise false alarms, and works quickly. Time is of the essence in the case of a hack.

Getting your website blacklisted is always a bad thing. But as in any crisis, it’s always important to know what to do next, and how to remedy the situation.


Having search engines blacklist your site can be a harrowing experience.
Having search engines blacklist your site can be a harrowing experience.

If you’re a website owner, having your website hacked, and then blacklisted, is a horrendous thing to discover. Not only will have to deal with the consequences of the hack, but since your website is also blacklisted, Google and other search engines will stop crawling your site, and showing visitors warnings. This means you’ll be missing out on new searches, and losing your hard-earned reputation as well.

If you’re new to owning a website and the hassles that come with it, all of this might seem a little intimidating.

This is why we’ve chosen to give you most comprehensive guide to dealing with your website being blacklisted.

Here are just the basic steps if you’d rather have a quick run-through:

How to find out if your website has been blacklisted

There are a few ways to find out if your site has been blacklisted, or has been blacklisted because of malware on your site.

  • Enter the URL of your site on Clearinghouse, or sites like it: StopBadware is a site that works in association with Google to help owners of hacked sites.
    Its tool, Clearinghouse, lets you know if your site has been blacklisted or not, simply by entering the URL in its search box. Since it aggregates security information from major search engines and security companies, its list is up to date, and takes only a couple of hours to reflect new changes. Once you enter your site’s URL, Clearinghouse will check if there are records of your site being blacklisted, and will let you know accordingly:

    Checking if your site has been blacklisted is as simple with tools like StopBadware's Clearinghouse Search
    Checking if your site has been blacklisted is as simple with tools like StopBadware’s Clearinghouse Search
  • You could also enter your website’s name into Google and check the search results. If the descriptions for your website show a variant of “This site may harm your computer”, you’ve been blacklisted.
    A sample of a warning that displays when your site has been blacklisted as a result of a hack
    A sample of a warning that displays when your site has been blacklisted as a result of a hack
  • If you’ve verified your website with Google’s Search Console, they would have sent an email notification about finding malicious software (or malware) on your site, and hence blacklisting your site. Below is a sample of the email you will receive:

Dear site owner or webmaster of (,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on

Below is an example URL on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):


Here is a link to a sample warning page:

We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised

2) the site doesn’t monitor for malicious user-contributed content

3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:

Once you’ve secured your site, you can request that the warning be removed by visiting

and requesting a review. If your site is no longer harmful to users, we will remove the warning.


Google Search Quality Team

Why was my website blacklisted?

When hackers infect good websites with malicious code, the infected websites might collect banking details, contact or personal information from, or launch spam mail aimed at the website’s visitors. The infected websites might also be used to infect the visitors’ computers… depending on what the malicious code on your website was written to do.

Therefore, your website might have been blacklisted because it contains malware. Security companies and search engines blacklist sites that contain malicious code, in an attempt to try and protect the sites’ visitors.

What to do about my blacklisted website?

Once you find out that your site has been blacklisted, there are a few steps to make sure that your site is listed again:

Step#1: Access Google Search Console

  • If you don’t have a Google account to use the Search Console
  1. Create a free Google Search Console account if you don’t have one.
  2. Click on the “add site” button on Google’s Search Console and follow their instructions to verify your site.
  • If you’ve already verified your website using Google’s Search Console

As mentioned previously, Google would have already notified you about your site being unsafe, via email, with the steps to be followed in case you have been blacklisted. What it doesn’t explain though, is how to go about key points such as “remove the malicious content from (your) pages” and “fix the vulnerability”.

Step#2: Take your site offline, put up a page that says “Under maintenance”

This will help keep your visitors safe, and keep the attacker from wreaking more damage to your site, while you look for the malicious files on your website. You can take your site offline by doing one of the following:

  1. Going to your WordPress file directory and renaming the index.php file to something like indexold.php
  2. Manually adding a 503 redirect to your .htaccess file
  3. Changing the Privacy mode of your site
  4. Using certain plugins
  5. Contacting your web host and asking them to temporarily suspend your site

Step#3: Look for malware and bad files on your website

Vulnerabilities on WordPress usually exist on outdated versions of themes, plugins, widgets, and in WordPress directories that you don’t usually visit. This is why it can be difficult to detect a hack.

What you can do, though, is to update every outdated component on your site, and delete components that you don’t use. However, it’s not just enough to identify hacks… you have to clean out malicious files too. This is why identifying an intelligent hack scanner and cleaner is of paramount importance. You don’t want to get alerted by false alarms, nor do you want miss getting rid of any malicious code.

Step#4: Request a review for your website

Once you remove all instances of malicious code from your website, it’s important to inform search engines about your progress.

There are two ways you could go about this:

  1. Sending a review request to Google with your Google Search Console:In general, review requests to Google depend on the type of malware detected on your site.
    • Reviews related to phishing take about a day to process
    • Reviews related to sites hacked with spam usually need a few weeks to process since spam-related- hacks are usually tricky, and require manual investigation from the search-engine’s side
    • Reviews related to other malware will need a few days to process
  2. Sending an independent review request to resources such as StopBadware: This is as simple as entering your website’s URL in their ‘Request Search’ page.

    Requesting a review from StopBadware (we entered a URL to get this result)
    Requesting a review from StopBadware (we entered a URL to get this result)

    Once all instances of malicious code on your site are removed and your site is verified to be clean, all warnings will be removed, and your site will function as usual.

Step#5: Backup your website!

Keeping a backup of your WordPress site will keep you safe in the future. You could restore an uninfected version of your site, and then request a review, which makes the whole process a little shorter.

Step#6: Always perform a forensic analysis

Performing a post-hack analysis of your site will help you see the different openings for attacks that hackers find. If you’ve used a good malware scanner and cleaner, this should be easy. Finding these vulnerable points and hardening them will make your website a little less penetrable.


It’s never easy knowing that your website contains malware and could be a risk to your visitors. It also results in a loss of reputation. But getting to the root of the problem and eliminating malware can help keep you, and your website’s visitors safe.

Many people rely on web hosts for their WordPress backup. Is this a good practice, and are HostGator backups any good?

We believe secure backups which are completely independent of your web host is a must for all who host websites. Otherwise you may find that your backups are lost along with your website. In this case of WordPress users having a strong backup solution is important.

Backups are usually judged by how easy they are to restore, and how little burden they put on your labor or resources to make, store, and secure them. How do HostGator backups measure up on these points?


A screenshot of HostGator's pricing for WordPress websites A screenshot of HostGator's pricing for WordPress website hosting
A screenshot of HostGator’s pricing for WordPress website hosting


HostGator Backups: What do you get?

Frequency: Only once a week

HostGator creates backups of your site once every week. However, this is done on a random day of the week. There is no fixed day or time when your site(s) are backed up each week.

Ideally, we believe that automatic backups must be done daily. If it is automated then even better.

Storage: Only one copy of backup

Only one copy of backup is stored by HostGator. Each new round of backups overwrites the previous one. If you have a problem with your site, then chances are that the latest backup will also have the same problems. Restoring from that version may not be the best solution.

Ideally, multiple copies of backups need to stored. as part of backup best practices suggests that at least three copies of a backup must be maintained in three different off-site locations.


Your account is only eligible for automatic backups if it has less than 100,00 files and is less than 20GB. If you exceed this limit then your website will not be backed up automatically. You can only generate manual backups using the Create Backup tool in the cPanel dashboard; that too up to 150,000 files. If your site(s) has more than 150,000 files then HostGator recommends that you contact them for assistance. This means that even if you take up the responsibility of backing up your site regularly and maintaining the backups yourself, you might run into a lot of issues with processes.


A screenshot of the limits on file size, and number on HostGator's backup
A screenshot of the limits on file size, and number on HostGator’s backup

You can track your usage (number of files and size) in your cPanel dashboard. It shows up in a bar on the left side of your cPanel dashboard. If you exceed the size or number of files limit, then HostGator recommends that you contact them for assistance.

Ideally, there must be an easy option to track if the backups are being done and notification system for the same must be reliable.

Backup Access- Timeline

If your account is suspended less than a week after the last backup then you may have access to your backups. If it has been more than a week after the last backup then the latest round of backups will overwrite your previous backup.

How to Restore from a HostGator Backup?

Restoring a full backup is not possible through the cPanel interface. It must be done by a root user for the server. For this is you have to fill in a Restoration Request form. Partial restoration of individual tables or files can be done. In the latter case, you can restore the files or database from the cPanel by choosing the Backup Wizard option.

If you plan to use the backup of HostGator then you must pay a fee of $15. This fee is waived only if you provide your own files for backup.

Ideally, restorations have to be easier especially if you are for restoring full backups. Best WordPress backup services not only offer one-click restorations but also give you granular control over restoring individual files and tables; with greater ease. For more information on this check the ‘restoration’ section of the review below.


HostGator Backup Review: Is it worth the risk?

While those are the claims, here are a few cons we noticed when trying HostGator’s backups:

If you have not regularly logged into your cPanel and tracked your files and websites’ size to make sure that they have not exceeded the limit, then chances are that automatic backups may not have happened. If you haven’t downloaded backups too, then you may have no backups at all.

Backups are not Independent of Your Web Host

Another important point is that the backups are not independent of your web host at all. At BlogVault, this is major red flag for us. After all, if you leave the key to your bank’s safety deposit box at home then you might as well leave the valuables at home too.

Lagging Notifications

In the case you exceed the file limit for automatic backups, (like we did) then you can always delete some files to get under limit using the File Manager tool. However, the next time we logged in to the cPanel we still got ‘Backup Skipped’ notification- mentioning that our site was not only not being backed up, but asking us to reduce the number of files as well.


Even when the number of files is within the permitted limit, HostGator asks to delete files for them to be backed up, or to use CodeGuard instead
Even when the number of files is within the permitted limit, HostGator asks to delete files for them to be backed up, or to use CodeGuard instead

A relatively smaller hassle is that even if the number of files in your account is under the HostGator limit for automatic backups and you generate a full backup, the email notification (alerting you to the the fact that the backup is ready to be downloaded) takes a while to arrive or sometimes you don’t get it at all. This doesn’t always mean that backups aren’t done. Sometimes the backup is done, but you just don’t get an email. Again you have to stay logged in and track when the backups have finished and download them.

Restoring Can Be Difficult

When the time for restoring your site comes, you have to sift through files and tables of all the domains and subdomains under your one account and pin point the files you want to restore. This can be a tedious process.

Especially since you can only restore for free if you have downloaded and stored your backups. Storage and security of backups then becomes your headache. Otherwise you have to pay the web hosting service each time you need a restoration; regardless of whether you want to restore a specific file or the entire site.

Considering that WordPress backup services like BlogVault allow for one-click restores, one-click migrations; and even to test backups before you restore your WordPress site, do you really want to go through all the hassle in HostGator’s cPanel?

One WordPress Backup Copy

Having only one backup of your WordPress site’s most recent version means that if you run into a problem today chances are that your backup too has that problem. We are referring to issues with hackers or malware.

Working closely with WordPress backups and security for over five years now, we have learned that many hacks and malware attacks are carried out a lot more subtly than shown in TV shows. The result is that most WordPress site owners don’t even know that they have hacked for months. In most cases the problem generally surface long after it started.

Note: For their part HostGator is upfront in warning you about the backup service they provide. They clarify that the service is offered as a courtesy and that users must not rely on them.

Customer Support

With HostGator, starting a live chat took anywhere between 20-30 mins at least. So if you’re looking for a quick fix for an issue it might not be possible.



Not only are the backups random but you don’t have granular control- you can’t download specific files, or files of a particular subdomain.

Apart from this notifications for skipped backups or manual backups are weak, in the sense that you don’t have reliable email notification. You are expected to login to the cPanel to keep track.

HostGator's features at a glance
HostGator’s features at a glance

* Cost includes web hosting and backups

The only use backups have is for restoring your site. If you have to pay to use your backup then, especially when you cannot keep track of the backups or their functionality, then it is an issue that needs to be addressed.

There is also no way for you to test if your backups are working. It is best to heed HostGator’s warning to not rely on their backups. You might as well plan to manually make backups of your WordPress site, store and secure it. Or, subscribe to a professional WordPress backup service.