Cloud WordPress backups are good when they are independent. They might not be if you’re using your personal cloud storage accounts (for example on Dropbox, Drive or Amazon S3). Read on to know how and why you shouldn’t do it.

 

Are your cloud storage accounts safe?

 

 

We know that following best practices for WordPress backups means that your backups should not depend on your website/server/web host. This means that you must be able to access and use your backups without having to access your WordPress site/server/web host. These kinds of backups are known as independent backups, and making them is in keeping with best practices for WordPress backups.
However, it is easy to think that off-site backups are the same as independent backups. They are not: off-site WordPress backups are not necessarily independent. This has to do with how WordPress plugins upload backups to your accounts.

 

 

 

WordPress Backups Compromised by API Keys

Plugins which upload your WordPress backups to your Amazon S3, Drive, or Dropbox accounts usually store a copy of your account’s API key on your site. This is what allows those plugins to interact with your accounts, and upload backups. This is part of the setup procedure for many (if not all) backup plugins.

While making automatic uploads to an off-site location is a convenient option, doing so by storing API keys may not be the safest option for you. The simple reason for this is that it is the same as leaving the keys to your bank vault in your living room. The whole point of a vault is to secure whatever you store in there from being burgled. If you leave the keys to the vault, then you have granted access. Backups are also like your most precious possessions. They are what you depend on in your hour of need; hence they must be completely independent of your site.

Continuing from the previous point, if you are using a security key from your Amazon S3 account in multiple locations, then your backups may be in trouble even if your site is safe. If even one of the sites using that particular security key is hacked, the hacker has access to all the contents of that account.

This is why BlogVault does not ask users for personal accounts but automatically stores multiple copies of backups in different destinations. All these copies are also encrypted, giving your data an additional layer of security. You can access them independently of your web host or WordPress site via your BlogVault dashboard.

 

Limited Storage Space

One of the major attractions of using these storage services as destinations for your WordPress backups is that they offer free storage space. However, if you make backups daily (as you should), and you have a large site, then this may not be enough.

This is even more true if you are using the account for reasons other than backups or you are backing up multiple WordPress sites with the same account. Pretty soon you may find yourself paying extra for storage space. So, the economic benefits of not paying for storage may not stand for long; and these economic benefits are anyway diminished when compared to security concerns.

 

Cloud WordPress Backups in Personal Accounts May Equal Personal Data

In case of a hack, losing your backups and your business or blog data may be bad enough but that will certainly not be the end of it. The risk of using a personal storage account is simply too great when you consider that other information you store on the account which may be of a personal nature can also be at risk.

 

Restoring WordPress Backups

All backups have one purpose: restores, to recreate your site using your WordPress backup. Firstly, you must have backups to use. Secondly, those backups must be functional and easy to restore. When you are using your personal accounts configured with the backup plugin on your site, neither can be taken for granted.

The first point has been addressed in the very beginning of this list. As for the second point, even though you may have backup files, if they are altered in any way or are not secure, then using those backups to restore your WordPress site will do more harm than good to your business. BlogVault allows you to Test Restore your backups with a single-click. This way you will not be in doubt.

Even if the files are functional, backups are often uploaded in .zip folders. You may have to spend a considerable amount of time finding the right backup version to restore your site and then upload the .zip folder to your plugin to restore your site. However, this is not possible when your entire site is down because your backup plugin was on your site too. This is why you must be able to access and restore/migrate your backups completely independent of your WordPress site.

On the other hand, if you manage to get your site running, there may still be issues. Restoring a large site takes time and server resources. For this reason, restores are often cut off. This makes full restores of large sites nearly impossible on some accounts, especially on shared hosting.

 

Cloud WordPress Backups Must Be Independent

If you have not checked your backups because your WordPress site is working fine at the moment, then you may be left with an unwanted surprise when your website goes down in the future.

Use best practices and opt for a service which will provide a comprehensive WordPress backup solution that will keep you worry-free, allowing you to enjoy the ride.

 

Reaching for your spare tire, only to find out that it is not working; or worse, that it is missing altogether is unacceptable. WordPress backups are a little more complicated than changing car tires and just like your car tires, there is a lot riding on them too. Your lifetime’s work or the hard-earned reputation of your business is at stake.

 

Building a WordPress website, and maintaining it along with its backups, is no joke.

 

The number of WordPress (WP) backup plugins that are available in the market today must make it seem that problems regarding backups are a thing of the past. But, as we said, backups are complicated. A lot can go wrong when you are using stand-alone plugins (meaning ones that operate on the Software-as-a-Product model).

The WordPress Backup Plugins vs. managed WordPress Backup Service debate can be framed as Standalone Plugin vs. Software as a Service (SaaS) model.

Many articles refer to how the SaaS model economically benefits the end user; however, there are many use-case benefits too. In this article we’ll look at some common issues with stand-alone WP backup plugins, and how a managed WP backup service is a better option.

 

Why Your WordPress Backups Will Fail With the SaaP Model

Installing the plugin is the beginning. Once installed, a stand-alone WordPress backup plugin must be configured. Very often people underestimate how backup plugins may become relatively labor-intensive and accrue more expenditure over time. These may come in different forms including add-ons and premium account features that may be essential to your business.

Some problems you may run into when you’re using a stand-alone WP backup plugin include:

Configuration issues

  • Getting Started: Once a plugin is installed, a remote backup destination must be selected. You can select services like your Google Drive account, Dropbox, or Amazon S3 servers. After this, you must input the login credentials of those accounts.
  • Add-ons: To get the desired setup for your backups, your plugin may require that you buy an add-on. Add-ons can soon build up to become a considerable list. While calculating the cost of a plugin, add-ons must be accounted for, in order to get a fair estimate.
    • Saving backups in more than one destination may need an add-on, and extra charges may be applied.
    • Other features like encrypted backups of your website’s database may not be available unless you pay more for add-ons or upgrade to premium accounts. This means your backups are not really secure even after investing all this time, energy and money.
  • Tracking: Ensuring that backups are happening is important so that you know exactly what resources you have to draw upon in your hour of need.
    • If you’re storing backups on your Amazon S3 account, it needs to be configured to send you notifications when backups occur or when changes are made to files (these are called ‘event’ notifications).
    • Otherwise, you may have to pay more to your plugin company for email notifications. An alternative option is to log in to your WP website dashboard each time.
  • Key to Your Backups: While backing up your website to your Dropbox account or your own Amazon S3 account, most plugins store a copy of the API key/S3 access key on your WordPress site. The key is how the WordPress backup plugin on your site accesses the backup destination. This may not be in keeping with best practices of performing WordPress backups. In such cases, a hacker who has access to your site may also have access to your backups via the security key.
  • Know-how: Managing your own Amazon S3 account requires you to know how the account stores your information (buckets, objects) and other points like access control, and versioning so that you can make sure that your data is secure.
  • When You Need to Restore: Apart from all these points, when you need to use your backups to restore your site, you’ll need to unzip the folders and manually restore the files correctly. This may not be the best option for everyone.
  • Storage Options: The plugin company may provide storage space. This option, like in the case of Amazon S3 servers, is an extra charge over the plugin that you must bear. It is a recurring cost to you, which must be paid periodically (monthly/quarterly).
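
To make the "Key to Your Backups" and "Know-how" points concrete, here is an added example (not from the original article or from any plugin's code): a Python check that reads the IAM policy attached to the S3 key stored on the site and reports what someone holding that key could do beyond uploading. The bucket name, prefix and both policies are constructed samples, and Deny statements, NotAction and conditions are ignored for brevity.

```python
import fnmatch
import json

# Actions an upload-only key should not hold, and what each one gives
# whoever copies the key off a compromised site.
RISKY_ACTIONS = {
    "s3:GetObject": "can download (read) stored backups",
    "s3:ListBucket": "can enumerate every object in the bucket",
    "s3:DeleteObject": "can delete backups",
    "s3:DeleteObjectVersion": "can purge old versions, defeating versioning",
    "s3:PutBucketVersioning": "can suspend versioning",
    "s3:PutLifecycleConfiguration": "can expire backups via lifecycle rules",
}
UPLOAD_ACTION = "s3:PutObject"

# Constructed sample policies (not taken from any real account or plugin).
WEAK_POLICY = """
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
"""
SCOPED_POLICY = """
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": "arn:aws:s3:::example-backups/site-a/*"}]}
"""


def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single item or a list.
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_upload_key_policy(policy_json, bucket, prefix):
    """Return sorted findings for a key that is meant only to upload backups."""
    policy = json.loads(policy_json)
    expected_arn = f"arn:aws:s3:::{bucket}/{prefix}*"
    findings = set()
    can_upload = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not modelled here
        resources = _as_list(stmt.get("Resource", []))
        for pattern in _as_list(stmt.get("Action", [])):
            for risky, why in RISKY_ACTIONS.items():
                if _matches(pattern, risky):
                    findings.add(f"{risky}: {why}")
            if _matches(pattern, UPLOAD_ACTION):
                can_upload = True
                for res in resources:
                    if res != expected_arn:
                        findings.add(
                            f"{UPLOAD_ACTION}: scope {res} differs from "
                            f"expected {expected_arn}"
                        )
    if not can_upload:
        findings.add(f"{UPLOAD_ACTION}: not allowed, uploads will fail")
    return sorted(findings)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name)
        results = audit_upload_key_policy(doc, "example-backups", "site-a/")
        for finding in results or ["no findings"]:
            print("  -", finding)
```

An upload-only key can still overwrite an existing object name, which is why bucket versioning, enabled with a separate credential kept off the site, matters. Restores then also need a credential that is not stored in WordPress.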

Notification Issues
As we mentioned, backups are complicated. If for any reason backups stop happening or a problem occurs, then it is important that you’re notified immediately. For example, an error in the plugin may have stopped it from backing up your site without notifying you. Or, if you have exceeded the storage limit of your backup destination, backups may stop occurring. Regardless of the scenario, immediate notifications are very important.

The burden of solving all of these issues, on top of running your business/blog, falls on you when you purchase a software product.

Regardless of the cause, the net result is that you’re stranded on the freeway, with no (usable) spare and your tire is a software product. This means, it’s likely that you may not have anyone to call for ‘tech support’. This is not a scenario you want to be caught in when you look for your backups.

Now consider that an expert is looking after your tires, maintaining the air pressure, checking the rims and upgrading the tire as the weather and the terrain changes; along with making sure that it is in the boot of your car. This would simplify and enhance your business, wouldn’t it?

 

How to Ensure That Your WordPress Backup Always Works

And, how can the SaaS model solve the issues mentioned above, for you?

 

When you get a subscription to a software, you are getting a service. A team of experts are managing and maintaining the software and the hardware. They are responsible for granting you access.

Let us clarify, SaaS doesn’t mean that there is no need to download and install a plugin. As in the case of BlogVault, the plugin can be very light as all the complexity sits on the provider’s server, where the heavy-lifting is done. For the user this means:

  • Zero-configuration: Install the plugin and it begins its work. You are ready to use BlogVault from the moment your subscription is active. The backup process starts automatically when you first login.

(This is the main reason this list is relatively short. Remember the long list of configuration issues with standalone backup plugins? Web-hosted software means all of the responsibility for managing the plugin and off-site storage is off your hands. Everything is covered in the subscription.)

  • Lesser load on the site, better performance: The importance of site performance and page load times to delivering a good user experience cannot be overstated, as even marginal differences show measurable changes in results.
  • Rapid Updates: Updates happen mostly on the service provider’s server, reducing the frequency of updates required on your site.
  • Backups are safe even when your site is compromised: Backups; because they are completely independent of your website, are accessible even when your website is down. You don’t need to get your site running to access your backups.
  • Incremental Backups: This means large sites are also completely backed up without hassle. Backing up only the changes means faster and more efficient backups.
  • Expert Tech Support: A team of experts maintain the software and the hardware. You can not only count on tech support, but know that the team can be highly responsive as they are maintaining the backups themselves. This can help at times of Test Restore, Auto Restore and Migrations. For more on these features you can check out BlogVault.

 
Now you know the differences between SaaP and SaaS models in the context of WordPress Backup. Make an informed choice that gives you the most scope for developing your business, without adding to your task list or financial burden.

 

Daily backups offer a balance between minimizing data loss & minimizing load on server/site. Is it, however, the most optimum WordPress backup frequency for your WordPress site? Here’s what you need to know about the different methods; and the pros and cons of each of them.

 

Daily backups are the most practical backup frequency for a majority of WordPress sites that have scheduled updates every day.

 

Daily WordPress Backups

Who is it for?

Daily backups are a good option for sites which make numerous changes in a month. These may be blogs that predominantly have content additions everyday, or news/magazine sites which have scheduled daily updates.

Even if daily changes are not made to your site, daily backups may be worth considering. WordPress sites depend on plugins, and themes. As you well know updates to plugins and themes, along with updates to WordPress Core are very important for the sake of your site’s security, and functionality.

Updates are not released at the same time and different plugins and themes have to be updated regularly. While these updates are important, they are part of a complex mix of software that together forms your WordPress site. If you make an update and the site crashes, then it is easy to pinpoint the problem. Often this is not the case. Problems only surface days, maybe weeks, after a handful of changes are made. In such cases identifying the issue is a laborious matter.

Performing daily backups ensures that such updates are also saved. You can then restore your site with minimal or no data loss, and figure out any issue affecting your website, later. When you restore your site, fewer of those updates have to be made to harden your site’s security. Otherwise, without those updates, even if you restore your site it may have many vulnerabilities putting you at constant risk.

 

Advantages of Daily Backups

Good backup solutions optimize between resources consumed and efficiency. Daily backups bring the following advantages:

  • Reduces data loss
  • Provides the option of multiple backup versions to test and restore
  • Requires least tinkering once restored – updates made to plugins and themes can be retained.

 

Methods for Making Daily Backups

You can make daily backups in a few different ways. While all the methods used to make daily backups will offer the above mentioned advantages, each method also brings its own challenges. Let us explore them one by one.

Manual Backups

Making manual backups of your WordPress site is an additional, laborious job to add to your everyday business task list. Remembering to make backups or taking out the time for it may not always be possible.

Securely storing backups is another issue that you are solely responsible for while making manual backups. HDDs or external HDDs or USB drives have been known to fail. Local storage devices, and the data stored in them can also become infected with malware.

Testing backups before restoring/migrating them can become a challenge when you are making manual backups and storing them locally.

Web Hosting Service

While many web hosting services offer backups and it is a seemingly convenient option, it is important to note that not all hosting services offer daily backups. Most of the time, premium web hosts like Flywheel and WP Engine that do offer daily backups come at a premium price. Sometimes web hosts offer other backup solutions as add-ons, and these come with additional costs.

A premium price tag may not be the only drawback when you choose your hosting service as your WordPress backup service. Backups with web hosts don’t have backup descriptions, which makes identifying and restoring the right version a very tedious process. Also, if your backups are stored by your web hosts then they might not be completely independent of your site. It means that your backups may be exposed to all the risks to which your site is exposed. For example, if your hosting service is hacked or the infrastructure is affected by a natural disaster, then chances are that along with your website, your backups are also lost. This is not an ideal way to store backups.

WordPress Backup Plugin

Some backup plugins are free and allow you to schedule your WordPress backups. While these plugins will help you perform daily backups, storage may be an added issue for you to consider. This is because not all plugins offer independent storage options. You can link your cloud storage account (for example, your Dropbox account) to these plugins. Doing so, however, usually means that the plugins store an API key of these accounts on your WordPress site. API keys are how the backup plugins communicate with your backup destination. However, it exposes backups to similar risks as your site. This may allow for your backups to be compromised when your site is hacked.

Backup plugins have to be installed on your site. If you lose access to your site for some reason then using the plugin to restore your site is not possible.

Tip: If you decide to use a WordPress backup plugin it may become important for you to track your WordPress site’s traffic. Backups can be resource intensive and making a backup when most visitors come to your site might slow the site and spoil the user experience.

WordPress Backup Service

A WordPress backup service offers a more complete backup solution. Backup services perform incremental backups and automatically upload backups to completely independent storage.

Incremental backups mean that only those parts of the site which have changed since the last backup are stored. This means that you do not have to worry about large sites not getting backed up, or about forgetting to perform backups.

Backup storage comes as part of the service and you do not have to risk using your personal accounts. Backup services also offer simplified processes for restoring and migrating your site. BlogVault offers you a one-click test restore option which allows you to test your sites on an automatically generated staging environment before restoring them.

 

Choosing a WordPress backup frequency and solution for your site depends on a few factors– budget, frequency of changes to the site, time available, and the size of the site. There is a case to be made for daily backups as the most optimum frequency for most sites, barring sites with a high frequency of changes like e-commerce or news sites, (which might need solutions providing real-time backups instead). Knowing the advantages and challenges with making daily backups can help you make an informed decision.

 

Frequent WordPress backups can minimize data loss and thereby greatly help your business. However, they can be resource-intensive and affect your WordPress site performance, if not done right.  

Frequent backups present some obvious advantages which are particularly important for WordPress (WP) sites. Content creation takes some planning, effort and resources. Losing such content may become a major setback for your website. Daily backups minimize data loss in such cases.

Finding secure storage solutions is a real challenge with frequent WordPress backups.

WordPress sites are dependent on many third party plugins and themes. WordPress site owners are always running the risk of installing software that is not compatible with other plugins or themes on the site or installing those which may have some vulnerabilities. The risk of losing data from frequent updates and third-party software vulnerabilities is mitigated to a degree by having up-to-date backups.

 

Advantages of Frequent Backups

  • Minimize data loss
  • Reduce downtime
  • Retain updates & functionalities on WP sites

 

What are Frequent Backup Options?

Of course, real-time backups are the best solution to achieve the goals stated above. Hourly/Daily backups may be the most frequent options apart from that.

 

Challenges with Frequent Backups

Higher frequency of performing backups brings its own complications. Backing up sites not only makes demands on your server resources but also brings up the issue of secure storage of the backups made. To add to the list of issues to consider, tracking whether backups have happened correctly and what has been backed up is not always easy.

 

Backups are Complicated

We have been in the business of premium WordPress backup service for over five years now. A number of things can, and do, go wrong with backups. Sometimes when someone opts to back up their site manually, it is as simple as forgetting to perform frequent backups.

Often, WordPress site owners don’t know if backups are happening according to plan. Sometimes not all files are backed up.

In cases where site owners may have backups, restoring sites may not be easy. At other times, site owners who are relying on backups by web hosting services may not be fully aware of backup & storage policies. As a result, there have been times when WordPress site owners find out that there may not be any backups when they need them the most.

 

Resource Intensive

Increased load on your server resources could lead to an increased site load time or pages crashing. Otherwise, the user experience of visitors to your site may be spoiled because certain elements in the site may not function as intended.

 

Large Sites Offer Their Own Problems

 

Backing up larger sites takes more time & more resources. In such cases it is possible that certain sites may not get backed up at all. This is because hosting services; especially on shared hosting, have policies about the time, and the server-resources that a particular task can take. In such cases although you may have employed a backup solution, your site may have not been backed up at all, or may have been backed up incompletely. In both cases, restoring the site is not possible.

 

Storage Space & Security

Frequent backups lead to multiple copies. Storing these copies securely can be a challenge. Storing backups on your own Dropbox accounts or local storage devices like your PC’s hard drive (HDD) or USB drive is not recommended.

Backups stored locally can become infected with malware as you are constantly browsing and downloading files. Also, HDDs or USB drives have been known to crash. This doesn’t even account for the risks associated with accidents and natural disasters.

Storage may drive up the cost of storing backups as you may have to invest in independent storage solutions.
In all the above cases the real risk is that eventually, when you need to restore your site, you may not have backups, or may have incomplete or infected backup files. This is not the optimal scenario for your business. Probably a good way to evaluate a backup solution is to list some scenarios in which you would need to rely on backups, and see if the backup solution in question will give you access to backups and allow you to restore your WordPress site.

 

The Answer?: Backup Service as a Solution

A WordPress backup service like BlogVault will not only take care of storage space and security but also make incremental backups. This intelligent approach ensures that even large sites on shared hosting can be completely backed up. Apart from this, backup services may also eliminate cache and log files from backups, thereby reducing problems at the time of restores. All of this is done automatically, thereby eliminating human errors so that you can go about your business without worry.

 

With a WordPress backup service, restoring your site is always the goal. When the time comes you will have multiple, securely stored backup versions from which you can choose. You can also automatically restore your site with a single click. Of course, a backup service comes with a more premium price tag, but with the price you’ll have backups with best practices at your disposal.

 

WordPress has become the most preferred content publishing platform online, and its popularity is continuously growing. For hackers, this means a bigger target with greater payoffs. Are you, as a WordPress site owner committing basic security mistakes that make it easier for them?

 

Common mistakes Website owners make

 

WordPress is the most popular platform to build websites on, and its popularity has only been growing. The CMS has something to offer anyone who has ever wanted to own a website. The WordPress community is supportive, and consists of developers who can build anything in code as well as code-averse site-owners who are given a world of add-ons to make their sites extensible, and more functional.

 

However, maintaining a WordPress site comes with a number of caveats, which are difficult to navigate. The case is worse for new site-owners, since committing a small mistake could knock their site offline, or make it vulnerable to hackers’ attacks.

 

Knowing the common mistakes made, and avoiding them, is key to keeping your WordPress site safer. This is why we’ve come up with a list of the basic security mistakes that WordPress site owners and users make. Are you making any of these mistakes currently?

 

1. Not updating WordPress and its add-ons

Now while the rest of our list talks about mistakes to definitely avoid committing, this issue is a little more complicated. This is why we’ve chosen to get this out of the way right in the beginning.

Everybody talks about keeping WordPress Core and add-ons (themes and plugins) up-to-date, for the sake of security, as well as to add new features to the site. However, you as a WordPress site owner, have one good reason for not doing so– incompatibility.

Your WordPress site could break because of:

Updating WordPress Core

There are two kinds of updates on WordPress Core that keep it up-to-date with the best features, and security measures on the web.

  • Major updates (like 4.5 or 4.6): These add new features and functionality to WordPress.
  • Minor releases like Release 4.5.1 and 4.5.2: These are dedicated to security patches, and bug fixes.

There are a couple of catches with these releases. For one, it can be cumbersome to keep up to date with all of them. Version 4.5, for example, was released on April 12, while 4.5.1 was released 14 days later, and 4.5.2 was released about 10 days after 4.5.1. Secondly, while WordPress Core upgrades are designed to be compatible with all the previous versions (even the first one), it doesn’t always work out that way. So when WordPress site owners update their WordPress Core, their site sometimes crashes.

Updating WordPress add-ons (plugins, themes, and widgets)

There are a number of problems you could run into while updating WordPress add-ons. Since the developers could be pressed for time or not have the expertise, they can’t make sure that their updates are compatible with every single version of WordPress. As a result, they could be incompatible with previous updates of WordPress Core. Moreover, even add-ons that are coded to be backward compatible might not be developed with other add-ons in mind. Lastly, add-ons’ updates contain significant security patches and bug fixes, which change the way they work and hence cause conflicts. One example of this was the security patch for RevSlider (a premium carousel plugin), which changed the way the plugin worked.

As a result, updating even just one plugin could cause your site to break. If compatibility issues between WordPress Core and an add-on are a concern, the safest route to take would be to ask the plugin developer to release an update for the plugin, while also looking for alternatives that work with your other add-ons.

The key to keeping your WordPress site secure, is to update every part of your WordPress site. The consequences to your site, its data, and your site’s visitors are all too great to not update.

 

2. Buying/using bad add-ons

As mentioned, WordPress add-ons don’t necessarily have the stringent code quality or security measures in place that WordPress Core does. This is why it’s important for WordPress users and site owners to take care to pick a good theme/plugin. Every good add-on has one basic characteristic: it has good code. But even if you don’t know how to judge the code of a theme/plugin, there are a few characteristics which you can spot:

  1. They’re available via a reputed source: This means they’re on the WordPress.org repository, or with a well-known theme/plugin seller, like Themeforest, Elegant themes, etc. Just as with material goods, buyers should be wary of a premium theme being available on a questionable website at a huge discount.
  2. They have good reviews and ratings from genuine, long-time users.
  3. They’ve stood the test of time: The longer a theme or plugin has been available, the more bug fixes and security updates they should have.
  4. They get updated often and have been recently updated (in the past 2 months) from the developer’s side

Installing a bad theme/plugin could have a number of consequences for your site, whether in a way that affects function (such as slowing down your site), or in a malicious way, such as sending spam mail on your site’s behalf. Apart from all this, having an add-on with malicious code on your site causes search engines to mark your site as malicious, and hence blacklist it.

 

3. Using bad login practices

There are a number of simple login mistakes that WordPress site owners make, from sticking with easy to guess credentials, to staying logged in on their sites. This makes it easier for hackers, who usually use bots (just like search engine crawler bots), to look for websites with vulnerabilities.

Sticking with the default username (admin) reduces the time bots need to crack your login credentials by 50%. Combining that with the use of a weak password only makes attacks on the login page (like a Brute Force attack, or a Dictionary attack) that much easier. Once the bots crack your login credentials, the hacker can log in as you, and legitimately perform admin-level functions. This is why it’s important to enforce good login practices, and secure your WordPress login page. Another simple way to protect your login page (and there are more) is renaming the administrator account to a different username. WordPress site owners have to look out for legitimate ways to harden their login page though: some widely recommended practices, such as moving your login page to a custom URL, are unnecessary, and can ruin your site’s user experience.

 

4. Making every contributor to the site an ‘administrator’

WordPress sites have different system users with different levels of access, in order to give the site owner the power to assign responsibilities to different users. This also serves as a way to give those with fewer responsibilities access to only the specific areas they need. This principle (known as the Principle of Least Privilege) is one of the basic elements of security on any system.

WordPress has five different user roles:

  1. Super admin or Admin: Has full control over add-ons, content, files, and users on the site. (Super admin is someone who has Admin access over multiple sites, and controls the network administration for those sites too).
  2. Editor: Has full control over content and files, can publish anyone’s content, and is allowed to add script tags for formatting.
  3. Author: Can only create, modify, publish and delete their content.
  4. Contributor: Can only read, edit and delete content. No publication rights.
  5. Subscriber: Can only read content. No other rights.

So say you run a successful news website or a blog with a regular guest blogger contributing once a month. You would best assign the guest blogger the role of ‘Contributor’ or ‘Author’.

Assigning the ‘Admin’ role instead, however, will put your WordPress site at a greater risk. Just imagine what would happen if they deleted a post by another author, a plugin or even an Editor by mistake!

Giving users unrestricted access could also allow hackers to exploit your site more easily. A good example of this kind of damage was how TechCrunch got hacked by OurMine, a commercial security group that hacks accounts to publicize their services. The site was hacked using one of its contributors’ accounts.

 

5. Being a hoarder

Keeping old add-ons and users presents a number of opportunities to hackers. As a site-owner, it is only natural to experiment with plugins and themes. In the process though, it is easy to forget about unused add-ons in your site’s repository. However, since you no longer use them, you also don’t update them. This opens up your site to a number of exploits.

Forgetting to delete old users (especially contributors) long after they’re gone allows hackers to access your site legitimately after a previous hack (like a Brute Force attack). This is one of the ways WordPress site owners are hacked for a long time without even knowing about it.
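A least-privilege audit covering the two mistakes above (over-assigned roles and forgotten users), as an added example that is not from the original article. It assumes you have exported each user's login together with their `wp_capabilities` value from the `wp_usermeta` table (default `wp_` table prefix); the logins and the roster are constructed sample data.

```python
import re

# Built-in roles from lowest to highest privilege, as listed in the article.
ROLE_RANK = ["subscriber", "contributor", "author", "editor", "administrator"]

# WordPress stores a user's roles as a PHP-serialized array, for example:
#   a:1:{s:13:"administrator";b:1;}
# This pattern picks out every entry that is switched on (b:1).
_GRANTED = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_meta(serialized):
    """Return the built-in roles granted in a serialized wp_capabilities value."""
    # Custom roles or single capabilities added by plugins are ignored here.
    return [r for r in _GRANTED.findall(serialized) if r in ROLE_RANK]


def highest_role(roles):
    """Return the most privileged role in the list, or None if it is empty."""
    return max(roles, key=ROLE_RANK.index) if roles else None


def audit(rows, roster):
    """Compare exported (login, wp_capabilities) rows with the roster.

    roster maps each current team member's login to the highest role that
    person actually needs. Returns a list of (login, role, reason) tuples.
    """
    findings = []
    for login, serialized in rows:
        top = highest_role(roles_from_meta(serialized))
        if top is None:
            continue  # account holds no built-in role on this site
        if login not in roster:
            findings.append((login, top, "not on current roster; remove or confirm"))
        elif ROLE_RANK.index(top) > ROLE_RANK.index(roster[login]):
            findings.append((login, top, "exceeds needed role '%s'" % roster[login]))
    return findings


# Constructed sample export (hypothetical logins).
SAMPLE_ROWS = [
    ("site_owner", 'a:1:{s:13:"administrator";b:1;}'),
    ("guest_blogger", 'a:1:{s:13:"administrator";b:1;}'),
    ("news_editor", 'a:1:{s:6:"editor";b:1;}'),
    ("former_author", 'a:1:{s:6:"author";b:1;}'),
    ("reader42", 'a:1:{s:10:"subscriber";b:1;}'),
]

# Constructed roster: who is still active and what they need.
SAMPLE_ROSTER = {
    "site_owner": "administrator",
    "guest_blogger": "contributor",
    "news_editor": "editor",
    "reader42": "subscriber",
}

if __name__ == "__main__":
    for login, role, reason in audit(SAMPLE_ROWS, SAMPLE_ROSTER):
        print("%-14s %-14s %s" % (login, role, reason))
```
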

 

6. Not checking past uploads

Similar to hoarding add-ons and users, WordPress site owners also fall into the trap of never cleaning out their Media Library, the uploads folder, or the includes folder.

Hackers know this too. This is why they could easily upload a hack-file that looks like an image, and execute a hack later. This is how a number of exploits on the TimThumb vulnerability were carried out.

This method could also be used to create a backdoor. So even if malicious code is removed, and the WordPress site is kept up to date, it will still be susceptible to hacks.
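A triage pass over the uploads folder for the kind of disguised file described above, as an added example that is not from the original article. The list of script extensions, the finding messages and the sample files are assumptions constructed for illustration; the sample "PHP" content is an inert placeholder.

```python
import os

# Extensions a PHP-enabled web server may execute (assumed list; match it to your server).
SCRIPT_EXTS = {"php", "phtml", "phar", "php5", "php7"}

# Leading "magic" bytes of the image types usually found in the Media Library.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def inspect_file(path):
    """Return the reasons a file looks suspicious (empty list means no finding)."""
    parts = os.path.basename(path).lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append("script extension in uploads folder")
    elif any(p in SCRIPT_EXTS for p in parts[1:-1]):
        # e.g. logo.php.jpg, which some server configurations still pass to PHP
        reasons.append("script extension hidden before final extension")
    if ext in IMAGE_MAGIC:
        with open(path, "rb") as fh:
            data = fh.read(1024 * 1024)  # the first 1 MiB is enough for triage
        if not data.startswith(IMAGE_MAGIC[ext]):
            reasons.append("content does not match image extension")
        if b"<?php" in data.lower():
            reasons.append("PHP open tag inside image file")
    return reasons


def scan_uploads(root):
    """Walk an uploads directory and map relative path -> list of reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = inspect_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_tree(root):
    """Write constructed sample files that mimic a small uploads folder."""
    folder = os.path.join(root, "2016", "05")
    os.makedirs(folder)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,            # genuine JPEG header
        "banner.png": b"<?php /* constructed placeholder */ ?>",     # script named as image
        "avatar.gif": b"GIF89a" + b"<?php /* placeholder */ ?>",     # image header, script body
        "cache.php": b"<?php /* constructed placeholder */ ?>",      # plain script
        "logo.php.jpg": b"\xff\xd8\xff\xe0",                         # double extension
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reasons in sorted(scan_uploads(tmp).items()):
            print(rel, "->", "; ".join(reasons))
```

A hit is a reason to inspect the file, not proof of compromise; compare anything flagged against a known clean backup before deleting it.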

 

7. Not having a reliable backup solution to depend on

Having a backup solution for your WordPress site is paramount to security. Not only does having a clean backup of your WordPress site make it easier to restore your site in case of a hack or blacklisting, it also allows you to scan your site’s code for irregularities and fire-fight more efficiently. However, most WordPress site owners don’t realize that the solutions they’re relying on are not dependable until it’s too late. Backups must be the perfect disaster recovery solution, so they should be fool-proof and adhere to the best WordPress security practices. Not only should they be independent of the WordPress hosting service, but they should also be independent of your site, be stored in multiple locations, and have both WordPress files and database encrypted and backed up.

If your site encounters a problem caused by anything from your hosting provider being hacked to the deletion of files, not having a good backup plan would lead to your site experiencing a long downtime or worse.

 

The mistakes listed in this article are basic, and yet widely committed by WordPress site owners. Keeping your WordPress site secure lies not in being sure of impenetrability (because there is no such thing as a perfectly secure site), but in making it harder for hackers to achieve their target.

 

If you commit, or have committed, any of these simple mistakes in the past, the best way to ensure that there is no malicious code on your site would be to invest in an intelligent auto hack cleaner for WordPress sites, like MalCare.

 

The hardware used by your WordPress hosting provider can give you a lot of grief and be heavy on your wallet too. But, do you know what the issues are, and how a robust WordPress backup solution can help you?

Most of us think about subscription plans, security, and many other details when thinking about hosting a WordPress site. Few of us think about the kind of hardware that is used by the hosting and the problems that we could experience because of hosting hardware issues.

Hosting hardware issues could take your site down


This may be with good reason. For one, such information is hard to get, because the hardware of hosting services is always out of sight and there is no way to verify it. The second reason is that most of us may not know what questions we have to ask.

While there are many challenges which you may face while hosting your WordPress site, we’ll focus specifically on the hardware issues which may eventually end up affecting your site’s performance, security, and its existence.

A hosting service basically needs the following hardware:

  • Servers
  • Storage
  • Communication Equipment
  • Infrastructure Issues – Cooling and Heating

Rising competition in the hosting market space makes many demands. These demands may not all be met in the best possible manner by all host providers, and this often manifests in hardware issues.

Server Failure

A server motherboard comprises CPU, memory, and network adapters among other things. All these components have a failure rate, and regular wear and tear leads to their failure. Of course, as is known, using ECC RAM may decrease the failure rate.

Apart from this, increases in temperature may accelerate this process and cause the CPU or RAM to fail. Power surges also lead to the motherboard and/or its components failing.

A host of software reasons may also lead to the motherboard on a server failing. This can be due to server overload through legitimate traffic or hack attacks.

Hard Disk

There is no magic here: hard disks are used for storage of data in data centers. As you will well know, a hard disk is a mechanical device, meaning it relies on its parts moving to read and write data. This exposes hard disks not only to natural wear and tear but also to failures from excessive heat due to friction.

Now, imagine having hundreds and thousands of such devices stored in a single center. Some are bound to fail and fail much before their mean time between failures. A good hosting company will ensure that dated hard disks are phased out and new ones are installed periodically.

There may also be issues after maintenance work. Simple issues like physical damage caused by someone dropping hardware or not plugging in the wires correctly may occur too.

Communication Equipment

While most of us know of servers and hard disks, users rarely think of the cables and network switches. Data centers, on the other hand, generally have to pay more attention to such things. Reports in 2013 of how 4 major hosting providers were taken out by a network switch failure, leaving users to experience downtime, are proof of this fact. Network failures are a real threat to the functioning of your WordPress site and the reputation of your site.

Outdated Hardware

Extending the life cycle of hardware in data centers can be due to lack of maintenance or a cost-cutting measure, either due to lack of budget or due to the desire to remain competitive. Cables, hard disks, etc. usually are not thought of by consumers, so it may be easy to not replace them at the right time. This brings down the performance of the servers and, in turn, the performance of your WordPress site.

Apart from these issues, certain other factors that have to do with the supporting infrastructure and maintenance of the data center affect the health and performance of hardware.

Infrastructure Issues – Insufficient Cooling

Apart from the regular functioning of servers and storage, other factors may contribute to this issue. Rooms may be stuffed with servers, or servers may be stuffed with too many sites. Such practices contribute to inefficient energy consumption and increased heating. In such cases it is not easy to scale up the cooling infrastructure, since planning and space may be short. Other factors like ‘spaghetti cables’ may also aggravate the problem.

This is not simply a list of problems. The impact of heating issues on your WordPress site’s performance, your finances and reputation is real. Heating issues may regularly lead to:

  • Hard disk crashes
  • Longer load times due to hardware performing at below par levels
  • Pages not loading, etc.

The decrease in traffic and transaction from increased load times and frequent downtime is a fact that is increasingly well documented.

Natural Disasters and Accidents 

Natural disasters may not be something we think about on a daily basis, but the risk is obvious once stated. Natural disasters can destroy racks, servers, and hard disks, and make the building shell itself inaccessible.

Accidents may seem less obvious, but they are a real possibility and have caused considerable damage to the hardware of hosting servers. From an SUV crashing into a Rackspace facility, costing them reportedly US $3.5 million in refunds, to a fire caused by a drill in an adjacent building burning down an Amazon data center, accidents are a real possibility and cause considerable damage. The first example does not account for the cost of the downtime, which was estimated to have lasted 5 hours.

Not accounting for accidents in your WordPress site’s disaster recovery plan is a mistake.

Independent WordPress Backups Can Come to Your Rescue

The first step to being prepared for all eventualities of hardware failure with your WordPress hosting is knowing about them. Then, having good, independent WordPress backups may help you significantly reduce downtime and keep your business running. In this case, the question to ask is “Are your backups completely independent of your hosting provider’s hardware?”. If the hardware of the hosting provider, located in one or two locations, is compromised, can you still access your backups? If the answer is no, then you need to revisit your backup strategy. You can look at BlogVault to explore a robust WordPress backup solution.

We checked SiteGround’s backup with their most basic WordPress hosting plan, StartUp; and distilled some of the pros and cons. This article will help you decide if you should rely on SiteGround backups as part of your website’s security plan.

It is important to mention right at the start that unless you’re manually downloading your backups and storing them securely, none of your backups are completely independent of SiteGround’s infrastructure. You’ll see what we mean as you read the pros and cons of each of the four options listed below. However, it is important to keep in mind that secure WordPress backups have to be completely independent of the hosting server. That way you can be sure that you have access to your backups for regular needs or during freak accidents when web hosts lose your data.

A screenshot of SiteGround's webpage showing WordPress hosting details


There are 4 ways you can back up your WordPress site hosted on SiteGround:

  • The first way is to manually back up your site: make a WordPress database backup using phpMyAdmin and back up the WordPress files using an FTP client
  • The second way is to make backups using your cPanel dashboard. You can click on ‘Create Backup’ under Backup Manager
  • The third way is to use Softaculous. The tool is available on your cPanel dashboard as well
  • The fourth way is to use SiteGround’s paid backup service
  • Lastly, you can turn to professional WordPress backup services or plugins

 

Manual WordPress Backup

Manually backing up your WordPress files and database has nothing to do with the service SiteGround offers. It is the same process with all services when you are on shared hosting. You can read articles on how to back up WordPress using an FTP client and how to make a WordPress database backup using phpMyAdmin.

 

SiteGround Backup – Create Backup Tool

 

Backup options seen in the Create Backup tool which is accessed through your cPanel dashboard


cPanel backups made with the Create Backup tool are generally similar across hosting services. You create a full backup using the Create Backup tool, set an email notification and wait. In some cases in the past we have not received any emails from the hosting service. With SiteGround however, the notifications were always prompt.

Even with the prompt notification however, you will be responsible for logging in to the cPanel dashboard, regularly downloading backups, and maintaining them in a secure fashion.

 

SiteGround Backup with Softaculous

 

Softaculous is another way you can manually backup your WordPress site if you host it on SiteGround.


In terms of implications to the user, Softaculous backups are no different from making backups with cPanel. Select the tool in your cPanel dashboard and make a backup. As with cPanel backups, unless you are regularly logging in and making backups, you’re bound to get in trouble. If you only log in when your site has an issue or has been infected with malware, then you’ll only be backing up a bad copy. The onus again is on you to regularly make backups manually.

Restoring though is a little easier with Softaculous. Once you access the tool, you’ll have a list of the backups you have generated. Next to each backup is a restore icon. You only have to choose one of the backups and click on the corresponding restore.

Restoring your WordPress site with Softaculous is easier than performing manual restorations


 

Do You Have Control Over Your Backups?

Note that in the case of cPanel backups, you cannot download a specific file. Unless you are dealing with the SQL database, you don’t have control over which files to download. Choosing the Full Download or Home Directory means that you’ll be downloading all the files related to all the domains or subdomains of your account. You have to download it all and sift through it later.

With Softaculous you can specify the domain or subdomain you want to download, and then download all the files related to that domain/subdomain.

While restoring, in the case of cPanel backups you can restore specific files or tables if you know what you are doing. In the case of Softaculous you have to restore your entire directory and database, thereby restoring the entire site.

Web host backups generally tend to place an extra layer of burden on you. This is a good example of it. However, you can opt for the paid Backup service as an alternative.

 

SiteGround’s Paid Backup Service

SiteGround offers a paid backup service for users of the StartUp hosting plan. Paid backups are automatic backups carried out daily. 30 versions of backups are stored by SiteGround on their servers. When we got in touch with their customer support via chat, SiteGround informed us that the servers are different from the ones on which your site is hosted.

As a StartUp plan user, even if you have not subscribed to the paid backup service, SiteGround maintains a backup copy of your site. We got in touch with SiteGround to ask how we can access that copy of the backup. We were informed that that copy is only for ‘technical experts’ of the hosting servers. Users cannot access it. To do so, you’ll have to subscribe to the paid backup service, which is part of the higher hosting plans but is not included in the basic plan.

 

To restore your WordPress site via the cPanel dashboard, you'll need to subscribe to the paid backup service to gain access


The paid backup service is especially important for sites hosted on SiteGround during restorations. Even if you have manually backed up your site, you cannot restore it via the cPanel’s Backup Restore tool. To access the Backup Restore tool you have to subscribe to the backup service. If you have not subscribed to the paid service, you will see the above screen when you choose the Backup Restore tool. Otherwise you have to upload the files using an FTP client and import the database using phpMyAdmin. This requires some technical know-how; without it, your restorations can be unsuccessful.

 

Why we think you need a professional backup service

This means that if you have the basic hosting plan, StartUp, on SiteGround, you either have to do all the heavy lifting (manually make backups), give up some of the finer controls over backups and restores (download and restore entire sites), or just pay for their service. However, if you run a small service, then some of these shortcomings or financial additions may be worthwhile. If you’re looking for a complete WordPress backup solution to run your small business or blog, then you might have to look elsewhere; try out BlogVault. Obviously we may be a little biased, but we think the option is worth considering if you want peace of mind regarding your safety net: your website backups.

 

Making a WordPress backup to Dropbox seems like an attractive option due to ease of use & low cost. However, is it the best practice & will restores be as easy as backups?

WordPress backup to Dropbox

Plugins generally store a copy of the API keys to your Dropbox account on your site. In such cases, if your WordPress site is hacked, then your backups may be compromised too.

There are generally two ways you can make a WordPress backup to Dropbox. The first way requires two processes to be completed. You can manually download WordPress files using a FTP client and then download your WordPress database using phpMyAdmin. Then you can upload it all to Dropbox. WordPress.org recommends having at least three copies of a given backup and Dropbox can serve as the destination of one of those three copies.

The other way is seemingly easier. Backup your WordPress database and files with a backup plugin. Backup & Restore Dropbox, Dropbox Backup by Supsystic, and WordPress Backup to Dropbox are all plugins which backup to Dropbox.

Other plugins like Backup Guard and UpdraftPlus WordPress Backup Plugin provide Dropbox as one of the optional destinations for backing up. In the case of the former, the option is available only in the PRO version, whereas in the case of the latter it is an add-on.

The process is simple. You will need to input your Dropbox login credentials, confirm them, and you are done. Some plugins will regularly back up your WordPress site to Dropbox according to the schedule you have set. Tracking this may be another matter altogether.

Apart from the simple process, cost is another factor which makes Dropbox a seemingly attractive option for backups. Some plugins which allow you to back up your WordPress site to Dropbox are free. Dropbox itself is free up to 2 GB, so you may feel there are no extra costs with this option.

WordPress Backup to Dropbox: Think again!

In order to back up your WordPress site to Dropbox, plugins will need to store a copy of your Dropbox account’s API key on the site itself. This means that you are keeping a spare key to your backups on your site. What is the point of leaving a copy of your bank vault’s key in your living room? You might as well have left your valuables in the living room too, right?

Backing up to Dropbox is indeed simple enough. Our WordPress backup plugin offers users the option to upload backups to Dropbox too. Users who know a particular version to be without any problems can download the backup to their Dropbox account. This is not a default option when you use the BlogVault plugin, and regular backups are not made to your Dropbox account. We do this because we follow best practices for WordPress backups. Learn more about why backing up to Dropbox is not safe.

However, if you’re relying on Dropbox only to provide the safety net for your WordPress site then you are in trouble, at least according to our experience.

Dropbox Backups & Restores

Apart from all of these points, there is another issue with making WordPress backups to Dropbox only: restores. After all, the entire point of making backups is to empower us when we need to restore our business or blog.

Most WordPress backup plugins zip your files, meaning they download your site as .zip or .gz files. You cannot view .zip or .gz files in Dropbox anyway, and you have to download the files to sort them out. In this case Dropbox becomes a temporary storage solution rather than a comprehensive backup solution.

There are also seemingly simple matters like clutter. Regularly backing up to Dropbox clutters your account. You may not be able to find the files you want quickly when you need them. When you have to restore your site, you don’t want to sift through thousands, if not millions, of files.

Tip: When backing up to Dropbox

Ensure that you label the downloaded backups in an organised manner so that you can categorise different backups. This will be helpful when you have to restore your site.

You need to safeguard your data in a more robust manner to ensure that, in your hour of need, you know not only that you have access to backups but also that they are functional. Especially if you’re running a small business or a popular blog, you might want to look at a more holistic solution for backups and continue making WordPress backups to Dropbox only as an additional step.
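One way to check that a zipped backup is functional before you depend on it, as an added example that is not from the original article or from any plugin. It assumes the plugin writes site files and a `.sql` database dump into a single `.zip`; the archive layout, file names and contents below are constructed for the demonstration.

```python
import hashlib
import io
import zipfile


def verify_backup(blob):
    """Check a WordPress backup .zip held in memory.

    Returns (ok, problems, sha256_hex). Keep the digest somewhere other than
    the site so a later copy of the same backup can be compared against it.
    """
    digest = hashlib.sha256(blob).hexdigest()
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        # Typical for an upload that was cut off part-way through.
        return False, ["not a readable zip archive"], digest
    with zf:
        bad = zf.testzip()  # re-reads every member and checks its CRC
        if bad is not None:
            problems.append("corrupt member: " + bad)
        names = zf.namelist()
        if not any(n.endswith("wp-config.php") for n in names):
            problems.append("wp-config.php missing from archive")
        if not any("wp-content/" in n for n in names):
            problems.append("wp-content/ missing from archive")
        dumps = [n for n in names if n.endswith(".sql")]
        if not dumps:
            problems.append("no database dump (.sql) in archive")
        elif all(zf.getinfo(n).file_size == 0 for n in dumps):
            problems.append("database dump is empty")
    return not problems, problems, digest


def build_sample_backup(include_db=True):
    """Build a tiny constructed backup archive in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("backup/wp-config.php",
                    "<?php // constructed placeholder, no real settings\n")
        zf.writestr("backup/wp-content/uploads/2016/05/photo.jpg",
                    b"\xff\xd8\xff\xe0")
        if include_db:
            zf.writestr("backup/database.sql",
                        "CREATE TABLE wp_posts (ID bigint);\n")
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_backup()
    cases = [
        ("complete", good),
        ("files only", build_sample_backup(include_db=False)),
        ("truncated", good[: len(good) // 2]),
    ]
    for label, blob in cases:
        ok, problems, digest = verify_backup(blob)
        print(label, "OK" if ok else problems, digest[:12])
```

Passing these checks shows the archive is intact and complete in outline; only a test restore proves the site comes back.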

Why do you need it?

Can your business continue to function if you were to lose your data? If your answer is a clear no, then having a disaster recovery plan is a must for you. At some point down the road, your data is going to be in danger. It could be a machine error. It could be a simple human error. It could be a tornado the size of Nebraska. But sooner or later, you’re going to be in a situation where you’re at risk of losing some or all of your data. Some of the common consequences of a disaster –

  • Loss of business/customers
  • Loss of credibility/goodwill
  • Cash flow problems
  • Loss of operational data
  • Financial loss

90% of businesses that lose data from a disaster are forced to shut down within 2 years of the disaster. 50% of businesses experiencing a computer outage will be forced to shut within 5 years. (Source: London Chamber of Commerce). So, having a disaster recovery plan is the best insurance for your business and entire data. But what are the possible reasons behind this ‘disaster’? And how do you deal with them?

It's wise to have a recovery plan for your website


What Can Go Wrong?

Hardware Failure

While we’ve made huge strides in terms of technology, it’s still not perfect. There are bound to be issues now and then. Hard disks, which are the most popular form of storage media, fail more often than you think. The statistical figure indicated is by no means trivial. Other forms of hardware failure can have a similar impact on your business.

Web-hosting Failure

As every site is hosted using one of the providers, a failure on their end undoubtedly spells disaster. Any sort of networking problem can bring down your site. However, this doesn’t pose a big threat to your data. But that’s not the end of it. These hosting providers are a common target of hackers. Once the server is compromised, the hackers have access to all the data that resides on it. The hackers can thus attack 1000s of sites by hacking a single provider. Sometimes, hosting providers even suspend your account without prior notice.

Natural Calamities

Natural calamities, though rare, can pose a huge threat to your data. Hurricane Sandy, which hit New York City in 2012, had companies fighting hard to keep their data centers up. It was one of the busiest days for many of them.

WordPress Issues

WordPress, though WP core is known to be stable, has its own share of problems that crop up from time to time. The most common issue that users face is that of version incompatibility. Though WordPress versions are meant to be backward compatible, quite often, a WordPress update ends up breaking a plugin or theme due to incompatibility. Underlying API changes in a new version could also result in breaking parts of your site.

Plugin/ Theme Issues

WordPress is an open platform, inviting a lot of people to develop plugins and themes. Since each plugin and theme is written independently, not all of them follow the same set of coding guidelines and standards. This makes installing new themes and plugins on your site a risky proposition. A new addition may be incompatible with the underlying WordPress version. Some of the changes made by plugins and themes are –

  • Bad database changes
  • Addition of new tables
  • Modification of standard WordPress tables
  • Changing WordPress configuration files
  • Introducing incompatible code
  • Corruption of .htaccess files

This can result in breaking parts of your site or worse, lead to a crash. Upgrading plugins and themes can also lead to similar issues.

Hacks and Vulnerabilities

WordPress core, by itself, is known to be safe and stable. However, plugins and themes added by developers hailing from diverse backgrounds have become game changers when it comes to WordPress security. Plugins and themes together make up the biggest source of vulnerabilities found in recent times. Popular plugins like MailPoet, W3 Total Cache and Super Cache have been exploited to attack thousands of sites. Similarly, themes are also vulnerable to attacks. The TimThumb library included in many themes was exploited to compromise tons of sites.

Hackers are always looking for new ways to launch attacks on WordPress sites. While most hackers look to make quick profits, some do it merely for fun. They can install malware that’s extremely hard to detect and get rid of. They can also wipe out all of your site’s data.

Human Errors

To err is human. But these errors can prove to be very costly. You can delete a single post or the entire database. Ben Congleton of Olark describes in an interview a case where a human error nearly took down his business.

The reasons behind a disaster can vary, but they will all impact you in the same way. They can all potentially take down your site, and thus your business. So what is the best possible plan to recover from a disaster?

Putting Together a Disaster Recovery Plan

Backup, Backup, Backup: the Cornerstone of a Disaster Recovery Plan

Not enough emphasis can be laid on the importance of backups. Taking regular backups of your data is critical for any business. That way, if anything untoward happens, you can recover your site in a matter of a few minutes. There are multiple options available from which you can choose. However, it is best to opt for a managed offsite backup service like BlogVault that can handle any situation with ease.

Plan for Extended Downtime

Your plan should cover what you will do if the downtime from the disaster is expected to last more than a few days. For instance, there may be a major outage with your hosting provider. You’ll need to identify possible alternatives to host your site.

Emergency Contact

A natural disaster or emergency could cut off all your regular avenues of communication, so adding a communications element to your plan is important as well. Notifying your customers about the downtime is extremely important. However, when you lose data, your customer information is lost too. Hence it is critical that you have a separate emergency contact list, such as all customer email IDs, stored separately in an easily accessible place.

Test the Plan

Do a test run of your disaster recovery plan to make sure that it works when needed. Also ensure that your plan is known to multiple people at your company so that they can spring into action immediately when disaster strikes.

Disasters do happen, and your company’s data is one of its most important assets. When disaster strikes, you need to be sure that you can get your data back quickly, so there is minimal impact to your business. So work on that disaster recovery plan today, in case you haven’t already. Better safe than sorry, right?

As a lot of us following technology news might know by now, TechCrunch was hacked today, by OurMine. The message left by hackers was caught just before the post was taken down:

 

OurMine hacked TechCrunch earlier today, and posted this on the website.


 

According to OurMine’s website, the organisation is made of “professional hackers and vulnerability assessors” who “only care about the security and privacy of your accounts and network”.

And while a tech security company hacking sites to expose vulnerabilities is not very big news, what makes it newsworthy is the size and reputation of the enterprise being hacked, which in this case was TechCrunch.

For those of you not in the know, TechCrunch was built on WordPress, which is a hot target for hackers due to the CMS’ popularity. Close to a third of the world’s websites run on WordPress, so if you’re a WordPress user, this might alarm you. And while we don’t yet know if the vulnerability exploited by OurMine was on WordPress, the case of TechCrunch is especially disturbing.

This is because TechCrunch was hosted on WordPress VIP. VIP services include priority hosting, offering the best enterprise solutions; and starting at $5,000/month, they do not come cheap. As part of the VIP service, the website’s code is subject to rigorous code reviews from the best developers at WordPress. In addition, this service also included a host of security measures that included PaaS, DDoS mitigation, two-factor authentication and an antivirus (among other things). Basically, TechCrunch functioned in the most secure WordPress environment available.

If companies that can afford the best security measures are vulnerable, then it is a signal that there is no foolproof way to safeguard your website.

However this isn’t to say that WordPress VIP and TechCrunch were completely vulnerable. As seen in the thread, the post was taken off TechCrunch’s site within the hour, and things went back to normal almost immediately.

This hasn’t been our experience in general with websites though. In fact, some of our clients have been hacked for years before they even found out about it.

The best way to safeguard your website is to fortify it.

This is what inspired us to work on our new WordPress website security product that will be out soon. It scans for hacks, and auto-cleans them with a single click.

Apart from this, we’re big believers in having a WordPress backup, because it’s the one way you can be completely sure that the damage is reversible.