An ideal WordPress backup solution offers a number of features. However, there are two questions you can ask that will help you choose the best WordPress backup plugin for you. They are , what features does the plugin have, and how do they work?
What Makes an Ideal WordPress Backup Plugin?
There is a long list of features which make an ideal WordPress backup plugin.
Multiple copies of each version
Independent storage and access
Secure site settings
A combination of all of the above sounds like a good deal; doesn’t it?
Most of these features are covered between the popular backup options available on the market. Also, most premium options have most of the above mentioned features. However, it is not useful to say this. It is like saying that every car has an engine, seats, wheels and steering. Just like cars, when it comes to backup solutions, it is all about how they perform; and you really need to do your homework first.
There are two points of entry to the debate on the best WordPress backup plugin. One is the differences in features between all the different plugins; despite the uniform titles. The other point of debate is the user experience. What does a good WordPress backup solution do, and how does it do it? Both these questions should be equally relevant.
In this article we explore how following best practices as well as being efficient can answer both: the ‘what’ and the ‘how’ questions.
1. WordPress Incremental Backup Plugin
Increased load times or frequent timeouts is highly undesirable in today’s competitive environment. This is is particularly a problem for WordPress sites on shared hosting. Incremental backups is perfect for such circumstances.
For example, let us say that you have photography focused website with high resolution images uploaded everyday. If your entire site had to be backed up daily, then chances are that the backups ruin the user experience of you site’s visitors or your backups may cut off for taking up too much server resources.
On the other hand, consider that automatic incremental backups of your WordPress site are done daily. After the first initial full backup, each day only the latest updates are backed up. This ensures that you don’t lose any data while the backup solution does not unnecessarily load your server resources. The plugin can scan the site for changes, recognize that the high resolution images are backed up, and only add the changes to the latest version of the backups. This means that, media – images and videos which are generally the the most heavy files on a site do not become an extra burden with incremental backups.
2. Control over entire WordPress database & all WordPress files
A WordPress sites contain files and tables. You must be able to know that all the tables, and files on your site have been backed up. If not you must be able to add them. This is possible when you have access to a list which gives you this kind of information; a good WordPress backup solution must offer such access. From such a list, you may also be able to download specific files from WordPress backup. The same applies to specific tables in your WordPress database as well. This depends on your requirements but you need to have the option.
Such a feature along with versioned backups allows for restoration of specific files instead of the entire site. This is important if you know the exact pain point on your site. It can be fixed with ease and minimize down-times. This type of granular control is essential when choosing a WordPress backup solution.
The dread of having to sift through thousands of files; when you’re running against the clock to get your site back up and get around to doing business, is unacceptable.
3. One-click Restore/Migrate
When you pay for a solution to do the work for you, then you shouldn’t have to manually restore or migrate your site. Otherwise, there is little point to lightening your wallet, is there? A plugin must allow for one-click WordPress restore and one-click migrate options. Managing your site’s functionality in the most critical hours must not be your headache. Usually in such instances inputting your SFTP credentials, destination URL and email id should be enough to easily migrate your WordPress site.
4. Test restore option
Apart from restores and migrations, it is equally important for you to be able to ensure that your backups or migrations work as desired. Allowing for a test environment to verify the functionality of different backup versions of your WordPress is just a good practice but unfortunately, most plugins don’t offer this. It boosts your confidence in your backups and ensures that the reputation of your blog/business is intact.
5. Great customer support
A service or product which does not allow you to track all the activities from the dashboard, notify you by email will only worry you about routine processes. If the time comes when you have to get your hands dirty, then you should not do the work yourself when you are paying for a service. This is reason you need great customer support.
6. Completely independent dashboard
With a completely independent dashboard you have access to and control over your backups always. This means that, unlike other plugins which store backups in your site’s files, you don’t have to restore your site to get your hands on your safety net a.k.a. your backups. Besides, the whole point of backups is to restore your site. If that is not supported well enough then backups are not good enough by themselves. You need to know that you have access to secure backups. Multiple copies of encrypted off-site backups is a must.
All the above mentioned best practices will ensure that you’ll find the right value for your money when you need the best WordPress backup plugin.
Reaching for your spare tire, only to find out that it is not working; or worse, that it is missing altogether is unacceptable. WordPress backups are a little more complicated than changing car tires and just like your car tires, there is a lot riding on them too. Your lifetime’s work or the hard-earned reputation of your business is at stake.
The number of WordPress (WP) backup plugins that are available in the market today must make it seem that problems regarding backups are a thing of the past. But, as we said, backups are complicated. A lot can go wrong when you are using stand-alone plugins (meaning ones that operate on the Software-as-a-Product model).
Many articles refer to how the SaaS model economically benefits the end user, however, there are many use-case benefits too. In this article we’ll look at some common issues with stand-alone WP backup plugins, and how a managed WP backup service is a better option.
Why Your WordPress Backups Will Fail With the SaaP Model
Installing the plugin is the beginning. Once installed, a stand-alone WordPress backup plugin must be configured. Very often people underestimate how backup plugins may become relatively labor-intensive and accrue more expenditure over time. These may come in different forms including add-ons and premium account features that may be essential to your business.
Some problems you may run into when you’re using a stand-alone WP backup plugin include:
Getting Started: Once a plugin is installed, a remote backup destination must be selected. You can select services like your Google Drive account, Dropbox, or Amazon S3 servers. After this, you must input the login credentials of those accounts.
Add-ons: To get the desired setup for your backups, your plugin may require that you buy an add-on. Add-ons can soon build up to become a considerable list. While calculating the cost of a plugin, add-ons must be accounted for, in order to get a fair estimate.
Saving backups in more than one destination may need an add-on, and extra charges may be applied.
Other features like encrypted backups of your website’s database may not be available unless you pay more for add-ons or upgrade to premium accounts. This means your backups are not really secure even after investing all this time, energy and money.
Tracking: Ensuring that backups are happening is important so that you know exactly what resources you have to draw upon in your hour of need.
If you’re storing backups on your Amazon S3 account, it needs to be configured to send you notifications when backups occur or when changes are made to files (these are called ‘event’ notifications).
Otherwise, you may have to pay more to your plugin company for email notifications. An alternative option is to login to WP website dashboard each time.
Key to Your Backups: While backing up your website to your Dropbox account or your own Amazon S3 account, most plugins store a copy of the API key/S3 access key on your WordPress site. The key is how the WordPress backup plugin on your site accesses the backup destination. This may not be in keeping with best practices of performing WordPress backups. In such cases, a hacker who has access to your site, may also have access to your backups via the security key.
Know-how: Managing your own Amazon S3 account requires you to know how the account stores your information (buckets, objects) and other points like access control, and versioning so that you can make sure that your data is secure.
When You Need to Restore: Apart from all these points, when you need to use your backups to restore your site, you’ll need to unzip the folders and manually restore the files correctly. This may not be the best option for everyone.
Storage Options: The plugin company may provide storage space. This option, like in the case of Amazon S3 servers, is an extra charge over the plugin that you must bear. It is a recurring cost to you, which must be paid periodically (monthly/quarterly).
Like we mentioned backups are complicated. If for any reason backups stop happening or problem occurs, then it is important that you’re notified immediately. For example, an error in the plugin has stopped it from backing up your site without notifying you. Otherwise if you have exceeded the storage limit of your backup destination then backups may stop occurring. Regardless of the scenario immediate notifications are very important.
The burden of solving all of these issues; on top of running your business/blog, fall on you, when you purchase a software product.
Regardless of the cause, the net result is that you’re stranded on the freeway, with no (usable) spare and your tire is a software product. This means, it’s likely that you may not have anyone to call for ‘tech support’. This is not a scenario you want to be caught in when you look for your backups.
Now consider that an expert is looking after your tires, maintaining the air pressure, checking the rims and upgrading the tire as the weather and the terrain changes; along with making sure that it is in the boot of your car. This would simplify and enhance your business, wouldn’t it?
How to Ensure That Your WordPress Backup Always Works
And, how can the SaaS model solve the issues mentioned above, for you?
When you get a subscription to a software, you are getting a service. A team of experts are managing and maintaining the software and the hardware. They are responsible for granting you access.
Let us clarify, SaaS doesn’t mean that there is no need to download and install a plugin. As in the case of BlogVault, the plugin can be very light as all the complexity sits on the provider’s server, where the heavy-lifting is done. For the user this means:
Zero-configuration: Install the plugin and it begins its work. You are ready to use BlogVault from the moment your subscription is active. The backup process starts automatically when you first login.
(This is the main reason this list is relatively short. Remember the long list of configuration issues with standalone backup plugins? Web-hosted software means, all of that responsibility for the managing the plugin and off-site storage is off your hands. Everything is covered for in the subscription.)
Lesser load on the site, better performance– Site performance and page load times are crucial to delivering good user experience cannot be overstated, as even marginal differences show measurable changes in results.
Rapid Updates: Updates happen mostly on the service provider’s server, reducing the frequency of updates required on your site.
Backups are safe even when your site is compromised: Backups; because they are completely independent of your website, are accessible even when your website is down. You don’t need to get your site running to access your backups.
Incremental Backups: This means large sites are also completely backed up without hassle. Backing up only the changes means faster and more efficient backups.
Expert Tech Support: A team of experts maintain the software and the hardware. You can not only count on tech support, but know that the team can be highly responsive as they are maintaining the backups themselves. This can help at times of Test Restore, Auto Restore and Migrations. For more on these features you can check out BlogVault.
Now you know the differences between SaaP and SaaS models in the context of WordPress Backup. Make an informed choice that gives you the most scope for developing your business, without adding to your task list or financial burden.
WordPress site owners are constantly asked to update their sites. But keeping track of updates is incredibly difficult, because of the frequency and number of updates to be made. This is why automating updates might a useful practice.
If there’s one piece of advice in the world of WordPress for site owners, it’s this: update, update, update. Updating WordPress is easy in theory, especially since all site-owners receive notifications about core and plugin updates. When it has to be put into practice, though, updating WordPress is its own beast. Not only might updates break WordPress sites; they might also cause incompatibilities, and be impossible to undo as well. This is why it’s important to always have a reliable backup solution for WordPress sites.
Updating WordPress is an important task though, because of new features that might impact user experience, but also security updates that help against major vulnerabilities. However, with WordPress receiving updates very frequently on the Core as well as the add-on front, it is difficult to keep up with all the changes, and apply them. This is why automating updates on WordPress sites might be a workable solution for you as a WordPress site owner.
Types of WordPress Updates
While updates for WordPress add-ons have both developmental as well as security updates, updates for WordPress core perform different functions. Based on these functions, WordPress Core updates can be categorized into:
Release updates, which contain both Major and Minor releases.
Major updates contain developmental changes including the addition of new features, or changes to core technologies on WordPress. Every major release is named after a major jazz musician.
Minor updates contain security patches and fixes. As a result, they are highly recommended, and are automated by default on every installation of WordPress. Every WordPress site is recommended to run these updates since they contain important security updates that keep WordPress sites safe.
Developmental updates, which are only for the changes that might be unstable– these updates are what future developments are built on. Also known as ‘bleeding edge’ updates, they are only meant for sites running the developmental version of WordPress.
Translation updates (which are language packs), and come in handy if your WordPress site has multilingual support.
Depending on your comfort-level with code, and the time you’re willing to spend maintaining your site, you could automate your WordPress site’s updates manually, with the help of a plugin, or via managed WordPress services. Every method has its pros and cons, so it’s best to choose one with careful thought.
Automating WordPress Updates the Manual Way
This method will require you to make changes to your WordPress installation’s core files.
How to automate updates to WordPress Core the Manual Way
Updating WordPress Core includes making changes to the wp-config.php file.
WordPress contains a parameter called define( ‘WP_AUTO_UPDATE_CORE’) in the wp-config file. The value you assign this function determines WordPress release update is automated.
To Automate All WordPress Core Updates
Assign the value ‘true’ to the above function, as demonstrated:
define( ‘WP_AUTO_UPDATE_CORE’, true );
This will enable the automation of all release updates, developmental updates, and translation updates on your WordPress site.
To Only Automate WordPress Core Minor Release Updates
As mentioned, WordPress automatically makes Minor release and translation updates to your site. However, if you disabled all automatic updates by assigning the above function the value ‘false, you would have disabled Minor updates too. Just assign the value minor to the same function above, instead of true. This will disable all updates other than Minor updates, which keep your WordPress site secure.
Here’s how you do it:
define( ‘WP_AUTO_UPDATE_CORE’, minor );
How to Automate Updates to WordPress Add-ons the Manual Way
Automatically updating add-ons isn’t recommended by WordPress, since the developers’ updates might work for that plugin/theme, but might be incompatible with other add-ons or elements on your WordPress site. However, if your WordPress site is simple and has very few plugins/themes that are compatible with each other, it might not be as big a problem.
In order to manually configure your installation of WordPress to update plugins & themes, you have to make modifications to a filter called auto_update_$type, found in the wp-admin folder. The value assigned to $type determines which WordPress add-on is updated automatically.
To automatically update all plugins on your WordPress site, the filter must read:
The code isn’t complex, so it’s beginner friendly.
Manual automation is free.
WordPress site owners won’t have to install an extra plugin just to keep their site up to date.
Cons of Manual Automation of Updates
The changes have to be made to the WordPress wp-config.php files and the wp-admin folder. This might make some WordPress users uncomfortable, especially since changes to the WordPress core files are not recommended.
Making the changes to code might require some time, especially for WordPress novices.
If your site crashes with any update, you will have to check your site’s status after disabling each update manually.
Automating Your WordPress Site with Plugins
This method comes in handy for WordPress site-owners who do not want to tinker with code themselves, and don’t mind installing an extra plugin on their site. A couple of examples of plugins that help automate updates, are Advanced Automatic Updates, and WP Updates Settings.
How to Use the Advanced Automatic Updates Plugin
Step 1: Install and activate the plugin.
Step 2: Locate the plugin under your WordPress site’s Settings tab, and click on it.
Step 3: Check the kind of updates you would like to automate on your WordPress site.
If you would like notifications about these updates to be sent to an email address other than the one of the site owner, you can enter it here:
As you can see, you can also disable email notifications about the same, and request for debug information (in case you’re running development updates).
How to Use the WP Updates Plugin
Step 1: Install and activate the plugin.
Step 2: Just like for the Automatic Updates plugin, locate the Updates tab under your Settings tab, and click on it.
Step 2: Choose the kind of WordPress Core release updates you would like to automate on your WordPress site.
Step 3: Choose whether you would like to automatically update add-ons on your WordPress site.
Step 4: If you’d like translation and developmental updates, click on the appropriate check-boxes.
Pros of Automating Your WordPress Updates With a Plugin
These plugins do the work for you: you don’t have to manually tinker with any code; they’ll do it for you.
Most plugins that automate WordPress sites allow you to enable or disable different updates with a single click.
Cons of Automating Your WordPress Updates With a Plugin
This will require you to install an extra plugin just for updating your WordPress site.
Some plugins only update WordPress core, while others will allow you to update add-ons as well.
You, as a WordPress site owner, will still need to weed out problems if your site crashes with updates.
Using Managed Services to Automate Your WordPress Site
There are two types of managed services you could use to automate updates on your WordPress site: managed WordPress hosting, and WordPress support and maintenance services.
Managed WordPress Hosting
These services help manage your WordPress site’s hosting issues, as well as a few issues related to your WordPress site as well. A couple of examples of managed WordPress hosting services/ managed WordPress hosting providers are Flywheel, and WP Engine. These services automate the update of your entire WordPress site, but after the following steps meant to benefit you no matter the state of compatibility of your WordPress site:
The hosting provider checks their systems for compatibility with WP updates (whether this includes both core and add-on updates depends on the web host).
They then mail you beforehand with the dates for your WordPress site’s update.
Every managed hosting service performs a backup of your WordPress site before the update. Only after this do they perform the update.
Once they perform the update, they check for issues.
If your WordPress site is not compatible with the update, the managed hosting provider restores your site with the backup that they made.
The service then mails you about the status of the update (successful/unsuccessful, and reasons if unsuccessful).
If you’ve tested your site and found it incompatible, you can ask certain web hosting services to postpone updates till you fix the issue at hand.
Plugin and theme updates are not done automatically by managed WordPress hosting services, simply because different plugins have settings that might conflict with each other and break your site.
If you’d still like to automate the updates of add-ons, you can get in touch with your WordPress host about the same.
Since each managed hosting service has different terms and conditions, and pricing plans, it is recommended that you read their documentation carefully, and then get in touch via email or from their in-website chat support.
Pros of Using a Managed Web Hosting Service With Automatic WordPress Updates
You, as a WordPress site owner, don’t have to fiddle with the WordPress core files.
Your WordPress hosting service tests and runs WordPress updates for you.
Cons of Using a Managed Web Hosting Service With Automatic WordPress Updates
Managed WordPress hosting comes at a price.
These services don’t take care of all the issues that might come up during updating your WordPress site. If your site has certain customizations that makes it incompatible with WordPress updates, these services might mail you asking for you to seek a professional developer’s assistance. This means even if you’re paying a premium price for managed hosting, you might also have to hire a WordPress developer separately.
WordPress Support and Maintenance Services
WordPress support and maintenance services (such as WP Curve, WP Maintainer, and Valet), are perfect for super-busy site owners who can afford to have a full-time service just for maintaining their WordPress sites. In terms of updates and maintenance, these services usually perform the following functions:
Core and add-on updates.
Support/repairs in case of incompatibility.
Audit of the security and maintenance of your site so the chances of it breaking upon update are reduced.
Regular backups to rely on in case of incompatibility with any update.
Similar to managed WordPress hosting services, it is recommended that you go through the list of their offerings, (and their pricing plans) carefully. All you have to do after that, is contact them over email, or from their respective websites.
Pros of Depending on WordPress Support and Maintenance Services
Since you are paying these services specifically to maintain your WordPress site, you can expect them to solve any problems you might have while updating your WordPress site.
You need not hire a developer to this end.
Cons of Depending on WordPress Support and Maintenance Services
These services come at a premium price, and usually require you to pay more in order to fix issues that might come up during updates. Each service has its own pricing plan.
A number of maintenance and support services do not provide free support, so if you run into issues with your site, it might be expensive to get them sorted out.
Automating your WordPress site might seem like an easy fix that will help your WordPress site stay up to date with security patches and new features, but it also comes with many caveats. Not only might updates your site break, but they might also be difficult to undo. This is why it is imperative for every WordPress site owner to maintain a recent, secure backup of their WordPress sites that can be relied on.
WordPress is the most popular CMS in the world. With WordPress powering 26% of the world’s websites it’s also one of the most preferred ways to publish content. What makes it so popular?
While there may not be a perfect CMS (Content Management System), WordPress comes pretty close currently to being the best one. At least it is the most popular one by far. Search trends on Google show that there is considerable daylight between WordPress & other CMSes out there. This is, at least, to say that WordPress generates more interest than other platforms.
The popularity of WordPress represented by search trends is reflected in the usage rates of the CMS, with WordPress being used nearly ten times as much as its closest competitor, Joomla. While WordPress tops at 26.7% of websites using the platform, Joomla is used by about 2.8% of websites. This difference in usage rates only becomes more stark when you take a look at the market share of the CMS. WordPress has nearly 60% of the market share.
While the WordPress community across the world was growing, and more and more people were building WordPress sites for varied purposes, only the recent release of statistics has managed to shine a light on how big the CMS has actually become. About 26% of websites in the world are said to be powered by WordPress.
This number is said to grow to 30% in a few years as WordPress is not just the most popular content publishing option on the web, it is also the fastest growing CMS. It is simply the most popular option for building websites. With this, the mission of “democratizing publishing” as Matt Mullenweg phrased it, seems to have been realized. However, this realization only seems to be the beginning of something bigger.
Here are some reasons as to not only why WordPress is big now but also why it is expected to continue to grow.
WordPress is Open-source
WordPress is an open-source CMS and will remain so in the future as well. With WordPress being open-source, a private company cannot decide to delete your content on their own, regardless of reason. This means that you’re unlikely to lose your content when you publish it using WordPress, such as in the case of Dennis Cooper’s blog on Blogger.
This means that WordPress is not only the most viable option economically, it gives you (the user) complete ownership over your content and and puts the power of publishing squarely in your hands.
WordPress In Your Language – Inclusive
WordPress communities have actively participated in translating the CMS into various languages. Currently according to WordPress.org, WordPress has been completely translated into more than 60 languages. Despite the fact that over 70% of WordPress sites are in English, translation makes the WordPress mission of democratising publishing a real possibility as websites and blogs can be produced in many, many languages and the platform instantly becomes relevant to a truly global audience.
Although WordPress was largely seen as a blogging platform for long, it has been used to create all types of websites. For this to happen not only is it important to have power over content but also the form in which it is published. WordPress was built to be fully customizable, and being an Open Source project, it welcomed contributions– core, plugins and themes, that made it flexible to suit different needs. This is one of the key reasons why the platform has become popular.
WordPress Plugins & Themes – There is a plugin for that!
Themes help enhance the design and functionality of WordPress sites (header:image+text, body:video, sidebar:archive, footer:about company). They provide different templates. Plugins help customize these templates to add more functionality (to make header a carousel, to help site load faster), widgets usually help only appearance (eg: to add footer, sidebar to site).
Plugins and themes are what make it possible to employ WordPress is for building website for various purposes. This is also why there are so many contributors to plugins and themes. While many contributors are professionals, or companies, there is also a large community of amateurs and hobbyists working to make WordPress conducive for every need.
WordPress Plugins & Themes
Plugin Repository -47, 211 Plugins
Downloads – 1,432,006, 605
Spoilt for choice
Thousands of free themes on WordPress.org
85 commercially supported GPL themes
Themes for every purpose
Themes changed – In August 2016 – Nearly 2 million times
The interest in WordPress and growing repository of plugins and themes has also encouraged many third-party companies and developers to produce premium themes, plugins and services professionally.
The power wielded by social media platforms is huge. One only needs to take a look at the number of users on social media platforms and their importance becomes clear; particularly for large businesses looking to find a portal to engage their target audience. There are more than a billion users on Facebook alone. Combine this with the growing importance of Twitter as a promotional and engaging platform for large business, and you realise why the ability to embed these posts in your WordPress is such a big deal. As this article on Business 2 Community mentions, “Twitter is the place to engage with companies: While just 20 of the of Fortune 500 companies actually engage with their customers on Facebook, 83% have a presence on Twitter— as do 76% of the NASDAQ 100, 100% of Dow Jones companies, and 92% of the S&P 500.”
Being able to provide an experience for users to engage with authoritative long form content & instantly share it with their connections in bite size form to start a conversation all on a single platform can be a powerful tool for businesses.
While WP gives users control over content it also understands that the real power of content is amplified through connections, which is what social media platforms are all about.
Embedded in WordPress
WordPress Is A Rising Star
As more people use a platform, chances are that its following will increase because their interest has been roused. If so many people are choosing WordPress then there must be use value from the CMS. The continued growth of the CMS however can be attributed to the initial inklings that pushed them to use WordPress proving true. The scary or exciting part is that all the points that make WordPress useful are only growing bigger and stronger market-wise. We have seen this in the growth of the WordPress market.
People who contribute to the CMS:
Amateurs & Hobbyists
All contribute to the WordPress community and make it richer. There are also many areas for contributions with:
“WordPress Hacked!”: Strengths As Weakness
All this interest will definitely attract some unwanted attention too. It is already a concern for many that the top Google search suggestions for– “Is WordPress…” are “Is WordPress free”, or “Is WordPress secure”. The popularity of WordPress makes it a target for hackers or at least is perceived to do so. When a platform runs more than a quarter of all websites, the payoffs from being able to hack it will also be big.
WordPress is a target rich environment with many players at every level coming on board
Development of themes & plugins done by amateurs
All of these points make WP websites an attractive option for hackers. It is inevitable isn’t it when a platform offers so many opportunities and is so popular that it will attract the those who are nefarious.
However, this perception of the most popular CMS, also being the most insecure one is simply not true. WordPress Core has been very secure, and more and more spotlight is being shone on hardening and securing WordPress sites than ever before. The growing market share and popularity has brought about the challenge of scale. It has converted WordPress’ most cherished tools– plugins and themes into double edged swords; if only in part. This is because most of the vulnerabilities exploited in the last few years have come from issues dealing with plugins and themes or WordPress site maintenance issues. Scale and an unregulated, fast-growing market have contributed to the many strengths and weaknesses of WordPress.
This is not mentioned as a warning sign but for the sake of spreading information. Awareness of pain points can lead to resolving or managing them more efficiently. WordPress is a community driven project & is based on informed users taking action.
You too can take some steps to put in place best practices for your website and not make it easy for hackers. Chances are that all it takes to protect you site is to make it a little bit harder for hackers, but it is interesting to see how many people miss out on the easy steps.
With all these points considered there is no doubt that WordPress is here to stay; and if anything, it will only grow bigger in the coming years. Being part of its community and this open source project may seem like a double edged sword for some, but if you stay informed and put in basic best practices in place then you will not only be safe with your WordPress site, but happy as well.
WordPress website owners are always cautioned to keep their installations of WordPress, plugins and themes up to date. But when a plugin hasn’t been maintained or updated from the developer’s end, potential exploits threaten everyone who has it installed.
Being someone who grew up in the 90’s, I still love video and audio cassettes. But as the world progressed to new technologies, the companies making the cassettes kept updating their technologies and methods too, and for good reason. No matter how I loved the uniqueness of magnetic tape, even I understood that it had its faults. It was time to move on.
Most of the time, WordPress works in the same way too. The minute a problem is identified, developers work to release a fix for it, whether it’s an add-on or something on WordPress core.
This is why almost every piece of advice on the internet about ‘security practices for WordPress’ always first mentions that WordPress site users have to update every element on their site.
But what does one do when the technology itself isn’t updated, and after a vulnerability has been reported? The possibilities this opens up to hackers, are endless, which makes this a particularly alarming situation.
W3 Total Cache is a WordPress caching plugin that helps sites load faster. A website’s load time, as any website owner knows, affects its reputation, views, and business. The faster it loads, the better it is perceived by its visitors. This is why caching plugins are so widely used in the WordPress community.
W3 Total Cache in particular, had over 1 million active installs when the vulnerability was declared.
This was because it had features that made it considerably better than other caching plugins, according to those who used it. Not only did the plugin caches every aspect of the WordPress site, from the HTML elements to objects in WordPress sites’ database, it also cached mobile cache well. Most other caching plugins only cached the HTML elements of a page, making their performance considerably lower.
The plugin, according to its page on the WordPress.org repository, has been used and trusted by companies websites AT&T, mashable.com, and pearsonified.com, amongst others.
To add to this, the previous major ‘update’ to the plugin was only a simple change that made sure the plugin was compatible with the then latest versions of WordPress. Understandably there was concern over the potential damage this vulnerability could wreak if it was exploited.
But this wasn’t the first time the plugin had displayed vulnerabilities. Just as with any other plugin, W3 Total Cache had its share of loopholes, that were sometimes exploited, as with the case of other caching plugins like WP Super Cache too.
This brings us to the most important course of action. When faced with a plugin or theme that is obviously out of date:
Disable the plugin/theme until an update addressing the vulnerability has been released
If it’s not a premium plugin or theme, follow its support forum on WordPress.org
If an update with the patch for the vulnerability takes more than 48 hours to come through since the vulnerability is announced, try and contact the developer informing them about the vulnerability and quoting your sources.
In the meanwhile, try and find alternatives that are compatible with your site in order to keep your site fully functional.
If the update takes more than a month to come through, you could ask the community if someone would like to adopt the theme/plugin. Obviously this procedure has steps that you will have to follow, after communicating the problem to both, the WordPress team, and the community.
This is why it’s important to always have a backup plan: you never know when a plugin is going to stop being updated.
After all, a number of contributors are developers who contribute to the community as a hobby. It takes a lot of time and effort to not only create a plugin, but to identify how to patch up vulnerabilities and do it according to the best security practices as well.
Moreover, when the plugin/theme is actually updated, you never know if it’s going to break your WordPress site. Reliable backup solutions that allow you to test your backups before they go live on your site, are not just an option in such cases… they’re a necessity.
Making WordPress Backup to Dropbox seems like an attractive option due to ease of use & low cost. However, is it the best practice & will restores be as easy as backups?
There are generally two ways you can make a WordPress backup to Dropbox. The first way requires two processes to be completed. You can manuallydownload WordPress files using a FTP client and then download your WordPress database using phpMyAdmin. Then you can upload it all to Dropbox. WordPress.org recommends having at least three copies of a given backup and Dropbox can serve as the destination of one of those three copies.
The other way is seemingly easier. Backup your WordPress database and files with a backup plugin. Backup & Restore Dropbox, Dropbox Backup by Supsystic, and WordPress Backup to Dropbox are all plugins which backup to Dropbox.
Other plugins like Backup Guard, and UpdraftPlus WordPress Backup Plugin provide Dropbox as one of the optional destinations for backing up. IN the case of the the former the option is available only in the PRO version, where as in the case of the later it is an add on.
The process is simple You will need to input your Dropbox login credentials, confirm them and you are done. Some plugins will regularly backup your WordPress site to Dropbox according to the schedule you have set. Tracking this may be another matter altogether.
Apart from the simple process, cost is another factor which makes Dropbox a seemingly attractive option for backups. Some plugins which allow you to backup your WordPress site to Dropbox are free. Dropbox itself is free up to 2 GB so you may feel there are no extra costs with this option.
WordPress Backup to Dropbox: Think again!
In order to backup up your WordPress site to Dropbox, plugins will need to store a copy of your Dropbox account’s API key on the site itself. This means that you are keeping a spare key to your backups on your site. What is the point of leaving a copy of your bank vault’s key in your living room? You might as well have left your valuables in the living room too, right?
Backing up to Dropbox is indeed simple enough. Our WordPress backup plugin offers users the option to upload backup to Dropbox too. Users who know a particular version to be without any problems can download the backup to their Dropbox account. This is not a default option when you use the BlogVault plugin and regular backups are not made to your Dropbox account. We do this because we follow best practices for WordPress backups. Know more about why backups to Dropbox is not safe.
However, if you’re relying on Dropbox only to provide the safety net for your WordPress site then you are in trouble, at least according to our experience.
Dropbox Backups & Restores
Apart from all of these points, there is another issue to making WordPress backup to Dropbox only- restores. Afterall the entire point of making backups is to empower us when we need to restore our business or blog.
Most WordPress backup plugins zip your files; meaning they download your site in .zip or .gz files. You cannot view .zip or .gz files in Dropbox anyway and you have to download the files to sort them out. In this case Dropbox becomes a temporary storage solution rather than a comprehensive backup solution.
Seemingly simple matters like clutter. Regularly backing up to Dropbox clutters your account. You may not be able to find the files you desire quickly, when you need them. When you have to restore your site, you don’t want to sift through thousands, if not millions, of files.
Tip: When backing up to Dropbox
Ensure that you label the downloaded backups in an organised manner so that you know can categorise different backups. This will be helpful when you have to restore your site.
You need to safeguard your data in a more robust manner to ensure that in your hour of need you know not only know that you have access to backups but also that they are functional. Especially, if you’re running a small business or a popular blog then you might want to look at a more holistic solution for backup and continue making WordPress backup to Dropbox only as an additional step.
Figuring out the best security option, (especially making the decision between a WordPress firewall and an antivirus) for your website requires a lot of research and technical know-how. But if you’ve decided on getting a WordPress firewall, NinjaFirewall is one of the options that you will have to consider.
This is why decided to test NinjaFirewall (v 3.2.4) for you, and to do it from a WordPress newbie’s point of view. We’ve pitted it against against the common exploits on WordPress sites to see if it stands our tests of fire.
A Web Application Firewall (or a WAF) provides customizable inspection and runs as an appliance, plugin, or a cloud-based service.
Host-based firewalls on WordPress help protect against threats originating within the host (which, in this case, is your website). This means that they help reduce the risks of vulnerabilities in your website being exploited.
NinjaFirewall allows you to install and configure it just like a WordPress plugin, but it’s a ‘stand-alone’ plugin that intercepts all requests made to WordPress. The fact that it’s ‘stand-alone’ means it has its own settings, options, policies and rules that you can configure. If you’ve googled NinjaFirewall, you’d have seen phrases saying that the firewall ‘sits in front of WordPress’. This simply means that NinjaFirewall intercepts requests with the aim of alerting you of, and stopping any suspicious activity/requests before they affect your site.
There are also a few hiccups that you might face during installation, that the NinjaFirewall team has documentation for, which is great, if you aren’t a beginner with WordPress, and know the basics enough to understand code.
What NinjaFirewall Claims to Do for You
NinjaFirewall claims to intercept and determine which traffic to allow to your site. Upon installation, the firewall backs up your php.ini and .htaccess files and then modifies them to intercept every request made to your site. It then filters requests and traffic using extensive rules (and a whitelist), to separate good requests from malicious ones. The bad requests are dropped while normal requests are forwarded to your WordPress site. Its aim as a firewall, is to prevent your site from getting hacked, by avoiding bad requests from the get-go.
NinjaFirewall has a lot of features, that help towards this end, and many varied security functionalities to your site.
NinjaFirewall has a lot of features, that help towards this end, and many varied security functionalities to your site. Each feature of NinjaFirewall has different options and settings, and we hope to explain the most important ones below:
This is where you enable or disable NinjaFirewall. You can also customize the error messages to be displayed on your site when the firewall detects a bad request.
If you’ve got NinjaFirewall installed on another site and have configured it according to your needs, you can import it to a fresh installation in the Firewall Options section. The only requirement is that both sites should have the same versions of NinjaFirewall.
Importing another configuration of NinjaFirewall will override any firewall-related rule, option or configuration that exists on the site you’re importing to.
Most of the options that control how NinjaFirewall works, are in the “Firewall Policies” section.
None of these options are customizable though: the majority of them are Yes/No options, or have checkboxes. The first few options let you decide whether you only want traffic with an SSL certificate or you’re okay with traffic that comes from other sources. Since a lot of hacks originate from file uploads, the firewall also allows you to choose whether you want to allow them or not. These first few options are easy enough to configure:
But as you scroll down the list, they get more and more complex. Some options even caution the user to not click on them if the user doesn’t understand what they entail. NinjaFirewall has documentation to explain all of these options, but some of them might still need some technical knowledge. This is why we’re going to try and break it all down for you.The HTTP variable is what requests information from a web page.
Scanning it for dangerous values is a great move, especially since hacks depend on GET, POST and REQUEST variables.
Sanitizing these variables makes sure that the website interprets strings as such, and not as commands.
These options keep out suspicious bots from crawling your site:
The HTTP response headers help in protecting your site from other hacks that originate from the browser’s end.
There are also a few options that are unique to WordPress:
These help protect your site from SQL dumping ( i.e. creating a snapshot of and storing all of your website’s database files); as well as a number of shell scripts.When a hacker tries to attack your site, they make a number of attempts, and depend on error messages to determine whether their attack worked or not. NinjaFirewall has the following options to not let your site display revealing error messages:
And then there are other ‘various’ options that you can enable:
NinjaFirewall also has options that control the requests made to and the access to WordPress core files and directories:
This section is also where you can modify the firewall’s whitelist:
File Check This feature helps create a ‘snapshot’ of files changed by comparing original files (or existing ones) against modifications. Once you create a snapshot (that you can later download or delete), it allows you to scan your site for file changes. You can not activate this scan before you create a snapshot.
Anti-Malware The NinjaFirewall also has an Anti-Malware feature, that allows you to scan for hacks. According to NinjaFirewall’s documentation, this feature doesn’t alert you of spammy links, (like those that might redirect your visitors to porn sites).However, it does alert you based on signatures of malware, that could damage your site. This isn’t a great way to go about scanning sites though, especially since hacks are complex.This is probably why this is the one feature on NinjaFirewall that allows you to add custom rules or signatures, for malware or suspicious activity.
NinjaFirewall has handy documentation for how to go about this. You will need to understand what to create signatures for, in order to make use of this feature.
The Anti-Malware feature poses a couple of issue though. More on them here.
The firewall logs any suspicious activity in the Firewall Log section, but you can set how often it alerts you, and what to alert you of:
This way, if the Firewall blocks any attacks, you can see what happened, from the Firewall log. It’s always good to examine why/how it blocked the attack.
Brute Force Attacks are a different thing altogether- NinjaFirewall has a separate option to help protect against these attacks: Login Protection.The option asks for HTTP authentication credentials, without which you can’t enable this option. You can also set the message displayed when the firewall blocks such attacks.
Firewall Log It is what it sounds like: a log of everything NinjaFirewall found unusual, according to the rules you set in Firewall options. So if you’ve asked to be notified about any plugins updated, deleted or created, this log will contain all the details.
Live Log This feature monitors HTTP and HTTPS traffic on your site, so it aims at protecting against any traffic related attacks (like Brute Force, DDoS, or weird IPs trying to access your site.)
NinjaFirewall has a set of ‘rules’ according to which it operates.
These rules are mostly signs, or signatures of attacks that it tries to prevent. According to NinjaFirewall’s documentation, the rules are downloaded from the WordPress.org repository, and the plugin doesn’t contact NinTech’s servers during the update process.
You can’t add your own rules, but you can modify them in the Firewall Policies section, if they’re greyed out in the drop-down.
This feature allows your installation of NinjaFirewall to be up to date. Setting the firewall up to check for security rules is a tradeoff between choosing your custom configuration, and keeping your site secure.
Of course, you could ask to be notified about the changes and then go back to fix the changes so they suit your requirement though.
What we tested it against
We ran a series of tests to evaluate first-hand, the efficiency of NinjaFirewall, against some of the common attacks WordPress sites face. For this, we created a test-site (which would be the stand-in for your website): 126.96.36.199/wordpressThe vulnerabilities we tested the firewall against were:
1. SQL Injection
The Firestorm real-estate plugin (actually v 2.03), is one that contained a vulnerability that allowed for SQL Injection. This plugin allows you to add real estate listings to your WordPress site.
Testing NinjaFirewall against SQL Injection
To exploit this vulnerability, we tried accessing entering SQL code into the Firestorm plugin to get data from wp_users. (For those of us who don’t know what wp_user actually does, it allows you to get data from, and modify both the roles and capabilities of WordPress users other than the admin.)
Here is the SQL code we used:
188.8.131.52/wordpress/wp-content/plugins/fs-real-estate-plugin/search.php?ProvinceID=35335 UNION SELECT 1, user_pass, 3, 4, 5, 6, 7, 8 from wp_users.
Because this version of the plugin in vulnerable, it will execute the code to try and select the user credentials from users 3, 4, 5, 6 and 7.
We used this in our browser’s address bar.
(Note: This is why for this attack and the couple others following, we’re going to ask you to look closely at the address bar.)
Running the test in the address bar
Once we entered the same code into the address bar of the browser, this is what showed up on the test site (look at the address bar carefully, please):
But how did things work out behind the scenes of the attack?
Firewall Log for SQL Injection
This is what NinjaFirewall’s Firewall Log had to show us:
Looks like the firewall had this exploit already in its list in the Rules Editor section, and hence it detected the exploit and prevented it from occurring too.
2. Arbitrary File Upload and Local File Inclusion (LFI)
There were a couple of vulnerable plugins that came to mind when we thought of Local File Inclusion. One was Slider Revolution (v 3.05), and the other was Gravity Forms (< v 1.8.19).
We chose Slider Revolution though, because it allowed to make both exploits, and because more than 100,000 sites were attacked in 2014 through this plugin.
Testing NinjaFirewall against Local File Inclusion
The Slider Revolution plugin was used to perform Local File Inclusion on vulnerable websites in the following manner:
Say the vulnerable site was called ‘victim.com’.
The vulnerability allowed attackers to request the RevSlider plugin on the vulnerable site to show the images in the slider. Once it did that, the attackers would also try to figure out the structure of the WordPress directory. They would then get it to include files on the website’s local server (like the wp_config files) to the files it revealed. So the final URL entered on the site would be something like:
We used a very similar approach to try and get the plugin to include the wp_config files of the website, and to reveal them.
Here is how NinjaFirewall reacted:
Running the test
Since the action got blocked, we just checked out the Firewall Log.
Firewall Log for Local File Inclusion
Testing NinjaFirewall against Arbitrary File Upload
Again, trying to get to two attacks with the same plugin, we tried uploading random (or arbitrary) files to the test site. If the attempt is successful, the damage to the site would depend on the kind of file uploaded, and what it was intended to do.
Take a look at the address bar to see what we’ve tried to do.
Now don’t get confused… We named the files to be uploaded as “revslider” so that it would be accepted more easily by the plugin.
Running the test
Again, we only checked out the Firewall Log, since this attack was unsuccessful.
Firewall Log for Arbitrary File Upload
Here is what the Firewall Log said:
3. Brute Force Attacks
As mentioned earlier, to protect against Brute Force attacks, NinjaFirewall has a separate option called Login Protection.
Testing NinjaFirewall against Bruteforce attacks
Just to test its effectiveness, a colleague of mine, Vijay, tried launching a Brute Force attack against the website using Hydra, a tool that helps test websites and crack admin credentials.
Running the test
We launched a Brute Force attack against the site when we’d set the “Enable Brute Force Attack Protection” to “No”. This is what Hydra got us:
As you can see, the attack was successful, and Vijay was able to get the site admin’s login credentials.
Then, we went ahead and enabled the Login Protection feature:
Vijay then launched the attack again. This is what Hydra’s log said:
A quick look at how the attack was reported in NinjaFirewall’s Firewall Log (this shows how the attack was let through, and then stopped):
4. Remote File Inclusion (RFI), Arbitrary Code Execution, and Backdoors (a custom hack)
We used TimThumb because it was a plugin that was widely used, and exhibited a vulnerability that allowed for millions of WordPress sites to get hacked. This test was therefore meant to check the basics of the firewall.
Testing NinjaFirewall against Remote File Inclusion and Arbitrary Code Execution
For this, we used the (currently defunct) Pict.Mobi widget, that used TimThumb (v 1.28) on the test site. Obviously since the RFI exploit would need a hackfile to be included from a remote location, we also created another site that would host the bad file.
We took the approach a hacker would: we first confirmed that the (test) site used TimThumb, and that it used a vulnerable version.
Then selected a very small file (in this case, it was a 16X16 .png icon), and modified it to contain PHP code.
Next we used the TimThumb vulnerability to include the file remotely to the test site. Note that the file was PHP, which means that any time it was accessed, it would run.
Sure, it was an image file, so it could easily bypass the site’s usual sensors, but the PHP code could still be accessed, and executed.
Testing NinjaFirewall against Backdoors
We wanted to kill three birds with one stone, so we made sure to create an encrypted shell for the PHP code on the image before we uploaded it.
Running the test
We then extracted the code from the hackfile shell, just like a hacker would:
And then ran it.
NinjaFirewall didn’t stop the attack.
We think it was because NinjaFirewall has a list of rules for what attacks should look like, in a section called Rules Editor.
Click on the drop-down, and you see the list of rules that NinjaFirewalls follows:
These rules are internal to NinjaFirewall, so you can’t see what exactly each rule entails.
The attack we performed though, didn’t exactly go by the rules of how the attacks worked.
The results of the tests are as follows:
The log didn’t pick up on the hack. In fact, it only listed the backdoor we’d tested it for.
The firewall didn’t detect changes in files. We were still able to list the files in the WordPress directory.
We didn’t expect this feature to remove the malware, because it’s only a scanner.
Unfortunately, it didn’t find the infected files. We were under attack, and this is what the anti-malware feature said:
No blips on this feature either.
Unresolved issues with NinjaFirewall
Since this is a review of the entirety of NinjaFirewall, we didn’t only test it against vulnerabilities. We also checked for issues other than those of protection. Most of these issues are documented on NinjaFirewall’s forum on WordPress, or on its online documentation.
● Anti-Malware scans time out
The Anti-Malware feature on NinjaFirewall allows you to scan files in a particular directory for your site for malware (by default this is/var/www/html/wordpress/).
The thing is, by default, this feature scans your site for malware in files that have been created or changed in the last 7 days. You can change the time period (or Timestamp) or even make it zero, in which case it scans your whole site.
However, when if your website is on a shared host, there is one major problem you could face: the Anti-Malware scan timing out.
The feature stops scanning your site after a certain time period that is set by your web host. This means that if you have too many files on your site, the scan will get cut short. Your site could never get fully scanned, unless you try some workarounds, (like this one suggested by the NinjaFirewall team). This is probably why NinjaFirewall’s Anti-Malware feature also has the two options of “Ignore file extensions” and “Ignore files/folders”:
While there isn’t anything NinjaFirewall can do to change the timing out of the scan, it is a huge drawback for users who want to scan their sites.
● The Anti-Malware feature uses only signatures to detect malware
This is a widely-used method to identify malware and viruses, but it doesn’t catch everything. This is why most security scanners use it in combination with other approaches. Hacks utilize vulnerabilities on your site, but how bad code is run on your site depends completely on how hackers want to carry out the attack. So the ‘signature’ of malware could always be altered in small ways so as to escape detection. This is why, as we explained earlier, our exploit of the vulnerabilities in the Pict.Mobi plugin allowed for RFI, Arbitrary Code Execution and Backdoors on our test site.
● The firewall modifies .htaccess files
NinjaFirewall backs up the PHP INI and .htaccess files that it has to modify, but modifying the .htaccess file in itself can wreak a lot of havoc on your site. The .htaccess file controls a lot on your WordPress site. One of its more obvious functions is access control (i.e. which users are allowed to your website), but it also dictates how files with certain extensions run on your site. This is why any minor slip-up with this file could cause your server to majorly malfunction. Just to be on the safer side, we recommend that you perform a backup of your entire site rather than just the .htaccess file. That way even if something breaks, you can always roll back to a working version of your site.
● Modifying the .htaccess files and php.ini files slows down your site
.htaccess allows you access to the configuration of directories on your website even if you don’t have your hosting server’s (eg: Apache) main configuration file.
This means, when your site is configured to direct traffic based on the modification made to .htaccess, Apache has to look for, and load all the .htaccess files on any request made to your site. As a result, your WordPress site’s load time increases.
It’s a good way to direct traffic when your main server configuration file isn’t accessible, but otherwise it isn’t a great thing.
● The firewall interrupts backup operations regularly
NinjaFirewall triggers false alarms when WordPress backup plugins are run, sometimes doesn’t allow backup plugins to backup the site. The firewall also has to be disabled before migrating your site to a new IP address.
● Can’t manually install NinjaFirewall
As mentioned earlier, NinjaFirewall might log you out of your WordPress site and deny you access if you use an FTP client to make changes to it, or even uninstall it. Anything that you need to do with respect with this plugin has to be done from your WordPress dashboard.
The NinjaFirewall seems like a powerful tool against known attacks that occur according to their signatures. But the thing is that most hackers know these signatures, and know that most security measures protect against these signatures. So they modify the signatures to perform more successful, and at times, most devastating attacks.
Alerting of attacks after they’ve taken place isn’t something a lot of website owners can afford, especially with the damage hacks can wreck. However, having a hack-cleaner might help you scan for, and remove malware that causes the damage. In any case, it’s always important to have a dependable backup service for your WordPress site.
Did you like this review of NinjaFirewall? Would you like to see other firewalls tested too? Let us know in the comments!
BlogVault has developed, and in collaboration with Pantheon created Pantheon Migrations. Pantheon is the world’s largest website management platform, delivering Drupal and WordPress as a service. Pantheon’s multi-tenant, container-based cloud platform enables web teams to build, launch, and run all of their websites from a single dashboard with ease.
You can now migrate your WordPress sites to Pantheon with ease. Just input your SFTP credentials, email, and the destination URL, and you’re good to go. Pantheon will notify you when the migration begins and completes via email. You can also track the progress of the entire process on our website, via your BlogVault dashboard.
For us, at BlogVault this is the latest partnership for migrations. Previously we have partnered with other companies like WP Engine, Savii, & Cloudways. Now you can enjoy the convenience and expertise we strive to bring you while migrating to Pantheon as well.
You can always enjoy easy migrations with our backup plugin, BlogVaulttoo. Apart from backup, and migrations, the plugin also offers, auto-restore, test-restore and security settings to improve your WordPress website security posture.
While the partnership adds an exciting page to BlogVault’s story, we’re also looking ahead. Our mission of developing the best in WordPress backup and security has led us to our next product. It’ll launch shortly and promises to change the way users deal with WordPress security issues on their sites. Until then, stay safe and don’t forget to backup!
Removing malware from your website, and getting rid of hacks is a painstaking process. When you’re a website owner whose site has been hacked, your online reputation takes a hit. It’s only more distressing when you keep getting hacked. The reason behind this, most of the time, is a ‘backdoor’.
Having a backdoor could be explained with some ease, by comparing it to something we could call a “spare-key situation”.
Suppose you had a spare key to your house, but you dropped it somewhere on your street. Someone creepy has found it, and unfortunately for you, this person also knows exactly where you live. Of course you don’t know about it, but you notice changes at home.
Whether all the furniture in your house is gone, or whether the sofa is always a little warmer in the morning depends entirely on what this person with the spare key is doing in your house. This means unless you change your locks or employ other security measures, this stranger has full access to your home, and will keep coming back.
Hackers also do something similar when they hack WordPress sites.
When a hacker exploits a vulnerability and hacks a site, they want to be able to enter it again in the future. They also want to do so, without needing to put in the effort again. This becomes difficult though, if the site owner closes the vulnerability by updating the exploitable theme/plugin. That is why hackers leave behind code called backdoors on the site. This way, even if the vulnerability is fixed, the backdoor remains. Backdoors are inconspicuous, because the longer they stay hidden, the longer the attacker has a way to get back in.
Backdoors can give hackers complete control through Arbitrary Code Execution. One of the most common backdoors is ‘Filesman’. Since it’s feature-rich, it allows hackers to perform a variety of functions. However, there are others too, which might be just three-four words of code, but prove to be equally dangerous.
A lot of the time, backdoors are disguised as WordPress files, and are hidden by the hacker in a place only they know. You, as an admin, could find the file only if you combed through all the WordPress files. This is especially difficult because backdoors can go in so many different places.
Here are a few places backdoors are usually hidden on your WordPress site:
In core WordPress folders: Adding a new file to, or modifying an existing file in a core WordPress folder (e.g. wp-includes or wp-admin or wp-content) can easily go unnoticed. Especially in the wp-includes folder, since it contains every file ever included to the site. This is why we noticed a lot of backdoors here.
In new, innocent-looking folders: Hackers could add hackfiles to new files that look completely innocuous, like ./images/
Plugins and Themes: Not many people bother to check these folders after the plugins/themes have been installed. This makes these folders a perfect target. Moreover, a lot of plugins have their own vulnerabilities. Another way hackers install backdoors, is by adding a new plugin to the site that looks normal, but is actually malware.
Just to give you a general idea, this is how you identify a backdoor (that looks like a plugin file):
These vulnerabilities are sneaky. They can be passed off by a number of malware scanners as legitimate files, because of the way they’re named. This is why it’s so difficult to identify backdoors.
Backdoors are especially infuriating because sometimes hackers choose to leave more than one of them, in many locations. So even if one was discovered, there would be another way in.
Accurate, efficient scanning and hack removal requires time, and technical assistance (which is expensive usually). If you’d like to test the only one-click, automated hack-cleaner that misses nothing, and sounds no false alarms, we suggest that you try MalCare, for free.
Having your very own website used to be something reserved for developers once upon a time. All that changed with WordPress, and for the better.
But it’s never over.
Whether you run a small blog with a loyal following or a big ecommerce window, your website is an integral part of your life. It represents your passions and reflects your abilities.
Being hacked takes away from you the power to share your best with your readers or customers. In some cases, the damage to your site maybe too deep for you to get your site back up with all the data.
And the worst part is that it looks like a senseless act, especially when your website has no information worth stealing.
This is why we’ve compiled a list that we hope you, a site owner, gain some insight into:
Why hackers hack your site, how hacks cause so much damage, and some common attacks along with real-world examples of those attacks.
While some hacks are aimed at gaining information from your site, most attacks are to accessing your hosting and database servers. If accessed, files on your website’s server could provide to anything from yielding sensitive information, to unlimited access.
Where vulnerabilities are found and how to protect your website
Most vulnerabilities are found in plugins and themes. Keeping them up to date, or deleting ones that you don’t use, is one way you can protect your website, and server.
There are other ways you can keep your website safe though. We’ll talk about them in another post.
The types of hacks
One thing you need to know, is that by knowing the kinds of attacks out there, and parts of your site design you have to pay more attention to, you understand how to stay more secure. However, hacks happen in a number of ways and can be difficult to categorize and understand.
That’s what this two-part series is aimed at helping with. We’ve tried to present a lot of information, in a format that is easy to understand. Hopefully it helps even those of us who aren’t very fluent in code.
In this part, we’re going to talk about:
Arbitrary/Remote Code Execution (one of the most powerful ways to take control of a site)
Remote File Inclusion
Local File Inclusion
SQL Injection attacks
Cross-Site scripting (XSS) attacks
Backdoors (remember this: it’s how websites keep getting reinfected)
Now that we’ve got all of that out of the way, let’s get down to business.
In an ideal scenario, only trusted code associated with your WordPress site can be run on your site/server. The Arbitrary Code Execution (or Remote Code Execution) exploit though, allows hackers to run unauthorized code on your server. Arbitrary Code Execution is dangerous because it allows attackers to take complete control over the website, or the server it’s hosted on, or both.
How the attack works
Attackers first need to get executable code to your website. Vulnerabilities on your website, like the ones that allow File Inclusion (more on this below) lets them do this. They then run it on your server remotely.
A real-world example of an attack exploiting the Arbitrary / Remote Code Execution vulnerability
WP Super Cache and W3 Total Cache are both plugins designed to cache dynamic WordPress pages in order to reduce the sites’ load times for visitors. Plugins like these sometimes use special tags to differentiate static content from dynamic content. Dynamic content is executed on the server.
The problem with this was that WP Super Cache, and W3 Total Cache had vulnerabilities that could be exploited when websites using them, also used comment fields. You see, these vulnerabilities allowed website’s visitors to post comments with (dynamic) PHP code inside special tags.
Since these special tags were executable, attackers used them to run arbitrary commands, knowing that the plugins would execute them. As a result, the comments would return whatever information the attacker requested.
Note: The next few sections will use the terms ‘remote’ and ‘local’. The best way to explain these terms, would be with reference to the hosting server.
You see, a hosting server is a lot like your computer.
Anything on the computer/ hosting server is local (like a local file, folder, or drive).
Anything from outside the computer/ hosting server (like an external hard disk), would be remote.
Most of the time, attackers need to ‘include’ a hack file to your website’s hosting server before they run it. If the vulnerability on your site allows for the file to be included from a ‘remote’ location, it’s called Remote File Inclusion.
How the attack works
Remote File Inclusion is a type of vulnerability that allows an attacker to request your website to include a remote file, which usually consists of executable code. (PHP files are an example). Once your website processes the request and includes the file to your server, the attacker executes the code remotely. (This is why we explained Arbitrary Code Execution first).
Once the attacker does this, depending on what the included file was created to do, it can cause data-theft, or other serious damage to your site.
A Real-World Example of an attack exploiting the Remote File Inclusion vulnerability
Attackers exploited a vulnerability on the TimThumb plugin to first perform Remote File Inclusion, and then Arbitrary Code Execution. And even when the vulnerability was patched in version 2.0, this plugin was so widely used,that it caused millions of sites to be hacked. Even today, we see hacks because of it.
TimThumb let users import images from image-hosting websites (like flickr.com and imgur.com) and edit them on the fly, especially to make thumbnails. The plugin had a list of trusted websites, and only URLs that came from websites were accepted. This process of allowing access based on a list is called ‘whitelisting’.
The problem with TimThumb though, was that it didn’t check the actual source of the file; only checked for URLs that looked like they came from a trusted website.
Here’s a brief explanation of what the plugin did:
Once the plugin accepted URLs that linked to an executable PHP hackfile, the file got included remotely to the website’s server. Attackers could then run it, and cause massive damage.
*Disclaimer: None of the URLs or file names in the example are real; they’re only used to illustrate the example.
b. Local File Inclusion attacks
The Local File Inclusion vulnerability is somewhat similar to Remote File Inclusion, except that it includes ‘local’ files. Attackers could also use this kind of file inclusion as a prelude to executing Arbitrary Code.
How the attack works
This vulnerability allows attackers to access files on the hosting server, that aren’t typically available to the regular visitor. Such files can be used to get admin access, steal confidential data etc.
Let’s say your site allows users to access website files through URL parameters. This is one bad way to have coded your site:
<?php include($_GET[‘file’]); ?>
The logic used to write this command is bad the user can enter any filename into the URL parameter. If your WordPress site has a file with this name, it’ll get executed.
Since our bad code is including files without validation, an attacker can use it to access sensitive files (like passwd file):
Ultimate Member is a WordPress plugin that makes it possible for visitors to your site to sign up and to create user profiles for them. The plugin exhibited a vulnerability in July this year, when it incorporated user-supplied input in the ‘page’ parameter without proper validation. This allowed for anyone who had access to the membership form to retrieve some sensitive information from local WordPress PHP files.
3. Injection attacks
All websites require user inputs, whether it’s for logging in, or even just to go to the next page through a click. When a website allows visitors to enter inputs, hackers can introduce code to attack the website, or its server. Exploits that follow this method, are known as Injection attacks.
There are many different kinds of Injection attacks, but a couple of the most rampant ones include SQL injection (which allows access to your website’s database through MySQL commands or queries), and Cross-Site Scripting.
This Injection attack exploits text fields that allow users’ entries. The reason this attack is so dangerous, is because SQL commands could be used to add, modify or delete data on your WordPress’ database.
How the attack works
Every one of us has seen the WordPress login page– you enter your username and password to access the dashboard.
Suppose your username is ‘admin’ you enter it in the login form.
This input is then looked up in the database to check if such a user exists. The thing is, instead of a valid username, you could also input some SQL code.
Now if, for some reason the website directly used the dangerous SQL while looking up the user, the site could be exploited. Fortunately, core WordPress takes extreme care to make sure that user inputs are sanitized before being used while accessing the database. Various themes and plugins, however, sometimes don’t validate input, thus leading to an exploit.
Again, the modifications that could be made to your database are innumerable, and the results depend on what is modified. Here are a couple of a generic examples of how an attacker could carry out SQL injection, and why it would be dangerous:
Here’s another example of SQL injection (this time in code)… Suppose we input ‘admin’ in the following code:
The following code would be executed:
So just imagine what would happen if you entered:
(cue: violin screech from Psycho)
This goes to show you need to have a lot of checkpoints to make sure your plugins are safe. You can never be sure enough.
*Disclaimer: Again, code in the example above isn’t something you could execute. It’s just there for illustrative purposes.
A couple of real-world examples of attacks exploiting the SQL injection vulnerability:
1. Booking Calendar is a WordPress plugin that was used for making online reservations based on availability. Unfortunately, just a couple of days ago, an SQL injection vulnerability was discovered on this plugin. The vulnerability allowed an attacker to view data from websites’ servers’ databases. Fortunately, the vulnerability was revealed to the developers of the plugin before anyone else, and they fixed it in an update.
Note: If you’ve got this plugin installed in a theme, or it’s on your website as a standalone plugin, we ask that you update it immediately.
2. Yoast SEO is one of the most popular SEO plugins for WordPress with over a million installs.
Versions before 184.108.40.206 had a SQL vulnernability issue. This issue existed in spite of the plugin actually taking measures to protect against SQL Injection. This was because the authors of the plugin made use of a WordPress function called ‘esc_sql()’, which opened a doorway for the vulnerability. So the plugin wasn’t foolproof.
Cross-site scripting usually affects web applications, when user inputs are directly included as part of web pages.
How the attack works
This means if you’re an admin of a WordPress site, attackers could use XSS to get access to your cookies, or login information, or even just change the content on your site, without you even knowing it. Your sites’ visitors seeing that page via a vulnerable browser would get affected too.
A real-world example of an attack exploiting the Cross-Site Scripting vulnerability
Jetpack, again one of the most popular WordPress plugins available, offers WordPress.org users the ease-of-use that WordPress.com users enjoy.
More recently though, the Jetpack plugin had another XSS vulnerability, that was patched in version 4.0.3.
See, the plugin analyzed HTML code looking for things like video links that it could embed in the page automatically.
If you’ve detected hacks on your website, and have painstakingly gotten them removed, you’d understandably be perplexed when the site is hacked again. The thing is, hackers often leave a bit of malicious code hidden in another part of your website that allows them to re-enter and reinfect your site again and again. This is obviously why it’s called a ‘backdoor’.
How the attack works
Backdoors are sneaky little vulnerabilities. Most of the time hackers use other vulnerabilities to try and launch one kind of attack. Once they get access to the website, they immediately put in an infected file in an inconspicuous folder completely different from where the original attack started. The file never links to any URL, whether on your website or off, or calls attention to itself. In fact, one of the only ways to find it is if the admin of the website combs through the site’s file system. This makes it extremely hard to detect, even by malware scanners. However, since the hacker knows exactly where the file is, he or she can access, and execute it to override any admin functions.
One specific, yet highly popular backdoor, is the ‘Filesman’. Filesman is feature-rich, so it can do a variety of things, including giving complete access to everything on your site.
With a vulnerability like the Backdoor, it’s important to keep deleting plugins and themes that you’re not using.
It’s easy to ignore the notification on your WordPress admin dashboard that says you have a bunch of plugins to update, but your WordPress site’s security relies heavily on it.
As you can see, finding hacks and getting rid of them can be a ridiculously tedious affair. Most efficient hack-scanning and cleaning systems available require technical assistance. And if you take time-zones into consideration, removal could take about 12 hours or so.