Introducing BlogVault as an Online Backup Platform for WordPress
WordPress backups are justified regardless of how much you have invested in your site. The day may come when you get hacked, when an update goes wrong, when your server crashes or when your hosting company loses everything, and you have no backup. Would you entrust all your hard work to a backup plugin with just a couple of thousand downloads, mixed reviews and no professional support?
It’s never too late to start caring about online backups for WordPress. Your WordPress requirements keep changing, yet the question “do we have backups?” usually comes up only after a catastrophic loss has occurred. That is when backups are felt to be necessary.
In today’s world of technology and the internet, not taking backups of your websites seriously amounts to being careless and irresponsible. You may think it too tedious or too expensive, but as a general rule, if something goes wrong with your site, you could lose everything.
All sites on the web are exposed to attacks such as DDoS, data theft and data loss. This can happen even to the most secure sites on the web. An online backup solution for your website is your insurance against all those terrible things: it keeps your content safe and lets you re-establish your site after an incident.
Committed to making website security and backups simple and productive, BlogVault mitigates the risks associated with site crashes as well as the damage caused by malware and hacks. Having helped thousands of clients across the globe maintain an effective website security posture, BlogVault has partnered with some of the biggest names in the field, such as Pantheon and WPEngine. Prioritizing quality over everything else, BlogVault specializes in backup, security, WordPress management, staging and monitoring.
BlogVault is the solution for all of this. One of the highest-ranked and most popular scheduled backup plugins, it simplifies backups and restoration. With thousands of active installs, you can back up your files and database to the cloud and restore them with just one click!
Why is it necessary to have Online Backup for WordPress with BlogVault?
At BlogVault, backups follow security best practices so as to offer a safety net for your business. BlogVault takes responsibility for keeping your backups separate from the risks your site faces.
Getting started with BlogVault is simple: log in to the online portal and enter the URL of the WordPress site or blog you want to back up. In the next step, install the BlogVault plugin on the site. The plugin acts as a bridge to the online backup service so that it can collect all the data about your WordPress installation and back it up.
The BlogVault plugin can be installed automatically, or you can download and install it manually. After installing and activating the plugin, the BlogVault service automatically starts backing up your WordPress files and database.
Advantages of Online WordPress Backup Services
You have the option to buy a third-party storage service such as Amazon Cloud in which to store the WordPress backups
You just have to pay your subscription and the WordPress backups are stored in a remote and secure place for you
If you back up your WordPress site using BlogVault’s plugin, the main benefit of storing your WordPress backups remotely is reliability.
With BlogVault, there is a secure WordPress Backup Storage
By storing your WordPress backups in a remote location, you also make sure that they are not tampered with or deleted.
When you choose the right WordPress backup plugin, you also get access to a service with the right, secure infrastructure in which your backups are stored. BlogVault has it!
BlogVault compared to other plugins
Talking again about plugins for WordPress, there are a few outstanding ones. There are thousands of plugins battling to be the best. But how unique and different is BlogVault from the other plugins?
In the screenshot below you’ll find a few unique features that no other backup plugin offers.
To wrap up, taking a backup of a WordPress site is fundamental, because it guarantees that you don’t lose any content, theme or file. It’s always a good idea to back up both your content and your database; however, you may need to do them independently at times. The manual backup process is somewhat arduous but gives you control over the procedure.
Do you have a WordPress site? If yes, then it is important to stay up to date on the best security measures, with the main goal of shielding your site and data from any threats.
There are certainly many website owners who complain about the security of WordPress.
In my opinion, open source content is powerless against a wide range of threats. However, if we think practically, we also need to consider it in a different way. Suppose it’s partially valid; still, none of us can blame WordPress.
Why can’t we blame WordPress? Whose fault is it that your site got hacked? As a site owner, there are a few duties you need to take care of. Hence the major question is always what you are going to do to save your site from being hacked.
Today organizations of all sizes are at risk due to the increase in threats: approximately 90,978 attacks occur every minute. Luckily, there are several methods to protect a WordPress site. One of the most popular is using WordPress backup and security plugins.
How To Manually Back Up WordPress?
WordPress is a web application built on PHP and MySQL, so you have to back up both all of its files and its database in order to have a copy of your site. The simplest approach to copying your files is via FTP. Make sure you save all the files and folders in the directory where WordPress is installed on your site.
The WordPress database can be backed up to another database or a dump file. Just follow the directions in our tutorial on how to back up MySQL databases. If you have numerous MySQL databases and wonder which one your site is using, open the wp-config.php file in the WordPress root folder and you’ll see the database name stored in the DB_NAME option.
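The manual procedure above (copy the files, dump the database named by DB_NAME in wp-config.php) as an added command-line script; this is example code written for this article, not BlogVault’s code. It assumes mysqldump and tar are installed and on PATH, and it passes the database password through a temporary option file rather than on the command line, where other users on the host could read it from the process list.

```php
<?php
// Added example, not BlogVault's or the article's code. Run from the WordPress root:
//   php wp-manual-backup.php /path/to/backup/dir
// It reads the DB_* options from wp-config.php without executing that file (which
// would boot all of WordPress), dumps the database with mysqldump and packs the
// site files with tar. Assumes mysqldump and tar are installed and on PATH.
declare(strict_types=1);

/** Extract define( 'NAME', 'value' ) constants from the text of wp-config.php. */
function wp_config_constants(string $config_source, array $names): array
{
    $found = [];
    foreach ($names as $name) {
        // Matches define( 'DB_NAME', 'wordpress' ); with either quote style.
        $pattern = '/define\s*\(\s*[\'"]' . preg_quote($name, '/')
                 . '[\'"]\s*,\s*[\'"]([^\'"]*)[\'"]\s*\)/';
        if (preg_match($pattern, $config_source, $m) === 1) {
            $found[$name] = $m[1];
        }
    }
    return $found;
}

/**
 * Write a temporary MySQL option file (mode 0600) holding the credentials, so the
 * password never appears on the command line. WordPress allows DB_HOST to be
 * either "host" or "host:port"; both forms are handled here.
 */
function write_mysql_option_file(array $db): string
{
    $host = $db['DB_HOST'];
    $port = '';
    if (strpos($host, ':') !== false) {
        list($host, $port) = explode(':', $host, 2);
    }
    $lines = ['[client]', 'host=' . $host];
    if ($port !== '' && ctype_digit($port)) {
        $lines[] = 'port=' . $port;
    }
    // Option-file values are double-quoted; escape backslashes and quotes inside.
    $lines[] = 'user="' . addcslashes($db['DB_USER'], '\\"') . '"';
    $lines[] = 'password="' . addcslashes($db['DB_PASSWORD'], '\\"') . '"';

    $path = tempnam(sys_get_temp_dir(), 'wpdb');
    chmod($path, 0600);
    file_put_contents($path, implode("\n", $lines) . "\n");
    return $path;
}

/** Run a command given as an argv array; every argument is shell-escaped. */
function run_command(array $argv): int
{
    passthru(implode(' ', array_map('escapeshellarg', $argv)), $status);
    return $status;
}

/**
 * Dump the database and archive the files of the WordPress install in $wp_root
 * into $dest_dir. Keep $dest_dir outside $wp_root, or each archive would also
 * swallow the earlier backups.
 */
function backup_wordpress(string $wp_root, string $dest_dir): array
{
    $config = @file_get_contents($wp_root . '/wp-config.php');
    if ($config === false) {
        throw new RuntimeException("wp-config.php not found in $wp_root");
    }
    $needed = ['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST'];
    $db = wp_config_constants($config, $needed);
    foreach ($needed as $name) {
        if (!isset($db[$name])) {
            throw new RuntimeException("$name is not defined in wp-config.php");
        }
    }
    if (!is_dir($dest_dir) && !mkdir($dest_dir, 0700, true)) {
        throw new RuntimeException("cannot create $dest_dir");
    }
    $stamp = date('Ymd-His');
    $sql   = "$dest_dir/{$db['DB_NAME']}-$stamp.sql";
    $tar   = "$dest_dir/wp-files-$stamp.tar.gz";

    $options = write_mysql_option_file($db);
    try {
        // --defaults-extra-file must come first for MySQL client tools;
        // --single-transaction gives a consistent InnoDB snapshot without locking the live site.
        $status = run_command(['mysqldump', '--defaults-extra-file=' . $options,
            '--single-transaction', '--result-file=' . $sql, $db['DB_NAME']]);
    } finally {
        unlink($options); // never leave the credentials file behind
    }
    if ($status !== 0) {
        throw new RuntimeException("mysqldump exited with status $status");
    }
    // Archive the whole install: core, wp-content (themes, plugins, uploads) and wp-config.php.
    $status = run_command(['tar', '-czf', $tar, '-C', $wp_root, '.']);
    if ($status !== 0) {
        throw new RuntimeException("tar exited with status $status");
    }
    return ['database' => $sql, 'files' => $tar];
}

if (PHP_SAPI === 'cli') {
    $out = backup_wordpress(getcwd(), $argv[1] ?? dirname(getcwd()) . '/wp-backups');
    echo "Database dump: {$out['database']}\nFiles archive: {$out['files']}\n";
}
```

Copy both resulting files off the server afterwards; a backup that lives only on the host it protects is lost together with the host.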
The question of WordPress security will certainly arise in everyone’s mind, as hackers are frequently trying to infiltrate WordPress sites. Even though there are several limitations, WordPress is secure.
The team working on WordPress security is diligent in stopping all kinds of vulnerabilities that surface in WordPress core. Security patches are included in core updates, which are released reliably and regularly. For instance, there have been times when they fixed a vulnerability less than 40 minutes after its disclosure.
The condition is that you have to keep WordPress up to date in order to apply all the security fixes that are rolled out. Luckily, with a couple of clicks, updates can be applied automatically or manually. You can also put off automated updates, but then you also need to run comparable tests in advance.
The most practical and basic action you can take to improve the security of your site is keeping it up to date. Every other method you apply is also important, yet it won’t benefit you in any way if WordPress itself is vulnerable.
Here are a few tactics that can help you secure your WordPress website:
A Secure Login Page That Resists Brute-Force Attacks
Even though everyone knows the standard WordPress login page URL (domain-name/wp-login.php or domain-name/wp-admin/), hackers exploit exactly this, since the backend of the website is reached from that well-known URL. So I would recommend customizing your login page URL along with the page’s behaviour.
You might wonder why one should customize their WordPress login page.
Brute force attacks are the most common type of attack on WordPress. In this type of attack, hackers try to get into your website/blog by trying various usernames and passwords. There are many ways to prevent brute force attacks. One of the major steps you can take to reduce the chance of being attacked is changing the WordPress admin login page URL.
Tip: steps you should follow to customize your login page URL.
The simplest way to change your login URL is to install, activate and configure a security plugin on your WordPress site.
With this, you’ll be able to change
/wp-admin/ to /admin/
/wp-login.php to /login/
/wp-login.php?action=register to /register/
The URL changes according to the page you select in the plugin settings
Before we move ahead, I would recommend that you understand the WordPress security options before you make any changes in the settings section. Discuss with your host before taking any unusual step you aren’t sure of. Follow all the instructions for better WordPress security and for updating your dashboard options.
Step 1: Take a complete backup of your site. Once you’ve completed the backup, verify it before you move to the next step.
Step 2: Install and activate the WordPress security plugin that is best for your site. Ensure that its features are good enough to manage your login URL.
Step 3: Install and set up a WP security plugin. Once the setup is ready:
Open wp-admin or wp-login options page
Create the backup selection
Allow the security plugin to change WP core files
Click “Secure My Site From Basic Attacks” button.
Click the “Hide” tab.
Check the “Enable Hide Backend” box.
Enter your desired register, login, and admin pages or leave them at the security plugin’s defaults of “register”, “login”, and “admin”.
Click “Save Changes”.
And that’s it. Don’t forget to follow the above steps so that you can easily change your login URL.
It Is Also Important That You Protect Your Admin Dashboard
The admin dashboard, the most protected section of all, is also one of the most attractive parts for a hacker. For a hacker, attacking the strongest part is the biggest challenge; if they succeed, it’s a moral triumph and they use this access to do a lot of damage to your website.
Protect Your Database
Managing your database is the most crucial part, as the majority of your site’s information and data is stored there. So do you think your database is protected?
Well…, moving ahead!!!
While I’ve talked about WordPress security and how you can keep your WordPress site secure, let’s also take a look at WordPress backups.
A backup of your site is always essential in case something goes wrong. Let’s cover the useful ways to back up your WordPress website.
Why is Backup Necessary for your WordPress Site?
Internet threats are increasing, and you may have heard why you need to keep backups of your site on external devices. Threats to websites have become severe, and backing up your website helps you safeguard against them.
Regular backups of your website are vital, and all website owners are aware of this. It is important to take seriously the threats present in today’s internet. As the owner of a website you cannot ignore hackers or mistakes made internally. Taking backups helps in several ways. Here is why taking a backup is important:
Threats from hackers
A catastrophe on your computer
When your updates go wrong
Viruses, trojans and other malware can hit your PC
An error made by an employee due to negligence
How To Backup Your WordPress Site With BlogVault?
You might have come across clients or friends complaining about a nasty run-in with hackers. Hackers can take down your website with DDoS attacks, and as a security precaution, the web host can shut your site down for a couple of days. That can be really frustrating. But if you are lucky enough to have a backup, then it’s easy: work safely, seal off the security hole, hit the restore button and, just like that, you are back in business. What would you do if you lost your website(s) to hackers; how would you recover?
I’ve experienced getting hacked recently. Since I didn’t have a backup solution that I could depend on, I had to reconstruct my site from scratch with no outside help.
Whether you lose your site to the bad guys or break something through a manual mistake, you can depend on a solid backup solution to recover and restore your site to its previous glory. This is where BlogVault, the subject of this long review, comes in.
The BlogVault service takes control from that point, and you can get back to business as usual. You don’t need to confirm emails and so on; simply begin backing up your website from the BlogVault dashboard.
BlogVault is basically a backup service. It is a very simple solution to use. A robust backup solution, BlogVault helps organisations of all sizes. After you’ve signed up with BlogVault, you’re instantly provided with a dashboard that helps you manage your site. With BlogVault you can schedule automatic backups of your whole site. This saves storage space on your server, as the backup is saved on an off-site server. Even if you’re not logged into BlogVault, the backups run unnoticed.
BlogVault is a unique service that can be used progressively to look after your website by taking backups frequently. BlogVault examines your site, compares it with all the old backups and saves you time by restoring the latest version flawlessly.
We’re all human at the end of the day, and the operation of systems by admins, particularly when overburdened with spam, can be really challenging. This is the reason backups and security exist. Every time your site goes down or information is lost, you can simply rely on BlogVault.
An ideal WordPress backup solution offers a number of features. However, there are two questions you can ask that will help you choose the best WordPress backup plugin for you: what features does the plugin have, and how do they work?
What Makes an Ideal WordPress Backup Plugin?
There is a long list of features which make an ideal WordPress backup plugin.
Multiple copies of each version
Independent storage and access
Secure site settings
A combination of all of the above sounds like a good deal; doesn’t it?
Most of these features are covered by the popular backup options available on the market, and most premium options have most of the features mentioned above. However, it is not useful to say this. It is like saying that every car has an engine, seats, wheels and a steering wheel. Just as with cars, when it comes to backup solutions it is all about how they perform, and you really need to do your homework first.
There are two points of entry to the debate on the best WordPress backup plugin. One is the differences in features between all the different plugins, despite the uniform titles. The other is the user experience. What does a good WordPress backup solution do, and how does it do it? Both questions are equally relevant.
In this article we explore how following best practices, as well as being efficient, answers both the ‘what’ and the ‘how’ questions.
1. WordPress Incremental Backup Plugin
Increased load times or frequent timeouts are highly undesirable in today’s competitive environment. This is particularly a problem for WordPress sites on shared hosting. Incremental backups are perfect for such circumstances.
For example, say you have a photography-focused website with high-resolution images uploaded every day. If your entire site had to be backed up daily, chances are that the backups would ruin the user experience of your site’s visitors, or your backups would be cut off for taking up too many server resources.
On the other hand, consider that automatic incremental backups of your WordPress site are done daily. After the first full backup, each day only the latest changes are backed up. This ensures that you don’t lose any data while the backup solution does not unnecessarily load your server. The plugin can scan the site for changes, recognize that the high-resolution images are already backed up, and add only the changes to the latest version of the backup. This means that media (images and videos, which are generally the heaviest files on a site) do not become an extra burden with incremental backups.
2. Control over entire WordPress database & all WordPress files
A WordPress site consists of files and database tables. You must be able to know that all the tables and files on your site have been backed up, and if not, you must be able to add them. This is possible when you have access to a list that gives you this information; a good WordPress backup solution must offer such access. From such a list, you may also be able to download specific files from a WordPress backup. The same applies to specific tables in your WordPress database. This depends on your requirements, but you need to have the option.
Such a feature, along with versioned backups, allows restoring specific files instead of the entire site. This is important if you know the exact pain point on your site: it can be fixed with ease, minimizing downtime. This type of granular control is essential when choosing a WordPress backup solution.
The dread of having to sift through thousands of files when you’re racing against the clock to get your site back up and get back to business is unacceptable.
3. One-click Restore/Migrate
When you pay for a solution to do the work for you, you shouldn’t have to manually restore or migrate your site. Otherwise, there is little point in lightening your wallet, is there? A plugin must allow for one-click WordPress restore and one-click migrate options. Managing your site’s functionality in the most critical hours must not be your headache. Usually, in such instances, entering your SFTP credentials, destination URL and email id should be enough to migrate your WordPress site easily.
4. Test restore option
Apart from restores and migrations, it is equally important for you to be able to ensure that your backups or migrations work as desired. Providing a test environment to verify the functionality of different backup versions of your WordPress site is simply good practice, but unfortunately most plugins don’t offer it. It boosts your confidence in your backups and ensures that the reputation of your blog/business stays intact.
5. Great customer support
A service or product that does not let you track all activities from the dashboard and notify you by email will only worry you about routine processes. If the time comes when you have to get your hands dirty, you should not have to do the work yourself when you are paying for a service. This is the reason you need great customer support.
6. Completely independent dashboard
With a completely independent dashboard you always have access to and control over your backups. This means that, unlike other plugins which store backups in your site’s files, you don’t have to restore your site to get your hands on your safety net, a.k.a. your backups. Besides, the whole point of backups is to restore your site; if that is not supported well enough, the backups are not good enough by themselves. You need to know that you have access to secure backups. Multiple copies of encrypted off-site backups are a must.
All the above-mentioned best practices will ensure that you find the right value for your money when you look for the best WordPress backup plugin.
Reaching for your spare tire only to find that it doesn’t work, or worse, that it is missing altogether, is unacceptable. WordPress backups are a little more complicated than changing car tires, and just like your car tires, there is a lot riding on them. Your lifetime’s work or the hard-earned reputation of your business is at stake.
The number of WordPress (WP) backup plugins available on the market today may make it seem that backup problems are a thing of the past. But, as we said, backups are complicated. A lot can go wrong when you are using stand-alone plugins (meaning ones that operate on the Software-as-a-Product model).
Many articles refer to how the SaaS model benefits the end user economically; however, there are many use-case benefits too. In this article we’ll look at some common issues with stand-alone WP backup plugins, and how a managed WP backup service is a better option.
Why Your WordPress Backups Will Fail With the SaaP Model
Installing the plugin is just the beginning. Once installed, a stand-alone WordPress backup plugin must be configured. People very often underestimate how labor-intensive backup plugins can become, and how much extra expenditure they accrue over time. These costs come in different forms, including add-ons and premium account features that may be essential to your business.
Some problems you may run into when you’re using a stand-alone WP backup plugin include:
Getting Started: Once a plugin is installed, a remote backup destination must be selected. You can select services like your Google Drive account, Dropbox or Amazon S3. After this, you must enter the login credentials of those accounts.
Add-ons: To get the desired setup for your backups, your plugin may require that you buy an add-on. Add-ons can soon build up into a considerable list. When calculating the cost of a plugin, add-ons must be accounted for in order to get a fair estimate.
Saving backups in more than one destination may need an add-on, and extra charges may be applied.
Other features, like encrypted backups of your website’s database, may not be available unless you pay more for add-ons or upgrade to a premium account. This means your backups are not really secure even after investing all this time, energy and money.
Tracking: Ensuring that backups are happening is important so that you know exactly what resources you have to draw upon in your hour of need.
If you’re storing backups in your Amazon S3 account, it needs to be configured to send you notifications when backups occur or when changes are made to files (these are called ‘event’ notifications).
Otherwise, you may have to pay your plugin vendor more for email notifications. The alternative is to log in to the WP website dashboard each time.
Key to Your Backups: When backing up your website to your Dropbox account or your own Amazon S3 account, most plugins store a copy of the API key/S3 access key on your WordPress site. The key is how the WordPress backup plugin on your site accesses the backup destination. This may not be in keeping with best practices for WordPress backups: a hacker who has access to your site may also have access to your backups via that stored key.
Know-how: Managing your own Amazon S3 account requires you to know how the account stores your information (buckets, objects), as well as access control and versioning, so that you can make sure your data is secure.
When You Need to Restore: Apart from all these points, when you need to use your backups to restore your site, you’ll need to unzip the archives and manually restore the files correctly. This may not be the best option for everyone.
Storage Options: The plugin company may provide storage space. This option, as with Amazon S3, is an extra charge on top of the plugin that you must bear. It is a recurring cost that must be paid periodically (monthly/quarterly).
As we mentioned, backups are complicated. If for any reason backups stop happening or a problem occurs, it is important that you’re notified immediately. For example, an error in the plugin may stop it from backing up your site without notifying you, or, if you have exceeded the storage limit of your backup destination, backups may simply stop occurring. Regardless of the scenario, immediate notifications are very important.
The burden of solving all of these issues, on top of running your business/blog, falls on you when you purchase a software product.
Regardless of the cause, the net result is that you’re stranded on the freeway with no (usable) spare, and your tire is a software product. This means it’s likely that you have no one to call for ‘tech support’. This is not a scenario you want to be caught in when you reach for your backups.
Now consider that an expert is looking after your tires: maintaining the air pressure, checking the rims and upgrading the tires as the weather and the terrain change, while making sure the spare is in the boot of your car. That would simplify and enhance your business, wouldn’t it?
How to Ensure That Your WordPress Backup Always Works
And, how can the SaaS model solve the issues mentioned above, for you?
When you subscribe to software, you are getting a service. A team of experts manages and maintains the software and the hardware, and they are responsible for granting you access.
To clarify, SaaS doesn’t mean there is no need to download and install a plugin. As in the case of BlogVault, the plugin can be very light because all the complexity sits on the provider’s server, where the heavy lifting is done. For the user this means:
Zero-configuration: Install the plugin and it begins its work. You are ready to use BlogVault from the moment your subscription is active. The backup process starts automatically when you first log in.
(This is the main reason this list is relatively short. Remember the long list of configuration issues with stand-alone backup plugins? Web-hosted software means all of the responsibility for managing the plugin and off-site storage is off your hands. Everything is covered by the subscription.)
Lesser load on the site, better performance: Site performance and page load times are crucial to delivering a good user experience; this cannot be overstated, as even marginal differences show measurable changes in results.
Rapid Updates: Updates happen mostly on the service provider’s server, reducing the frequency of updates required on your site.
Backups are safe even when your site is compromised: Because backups are completely independent of your website, they are accessible even when your website is down. You don’t need to get your site running to access your backups.
Incremental Backups: This means large sites are also completely backed up without hassle. Backing up only the changes means faster and more efficient backups.
Expert Tech Support: A team of experts maintains the software and the hardware. You can not only count on tech support but know that the team can be highly responsive, as they maintain the backups themselves. This helps at times of Test Restore, Auto Restore and Migrations. For more on these features, check out BlogVault.
Now you know the differences between SaaP and SaaS models in the context of WordPress Backup. Make an informed choice that gives you the most scope for developing your business, without adding to your task list or financial burden.
WordPress site owners are constantly asked to update their sites. But keeping track of updates is incredibly difficult, because of the frequency and number of updates to be made. This is why automating updates might be a useful practice.
If there’s one piece of advice in the world of WordPress for site owners, it’s this: update, update, update. Updating WordPress is easy in theory, especially since all site owners receive notifications about core and plugin updates. When it has to be put into practice, though, updating WordPress is a beast of its own. Not only might updates break WordPress sites; they might also cause incompatibilities and be impossible to undo. This is why it’s important to always have a reliable backup solution for WordPress sites.
Updating WordPress is an important task, though, because of new features that affect user experience, but also because of security updates that protect against major vulnerabilities. However, with WordPress receiving updates very frequently on both the core and the add-on front, it is difficult to keep up with all the changes and apply them. This is why automating updates on WordPress sites might be a workable solution for you as a WordPress site owner.
Types of WordPress Updates
While updates for WordPress add-ons include both developmental and security updates, updates for WordPress core perform different functions. Based on these functions, WordPress core updates can be categorized into:
Release updates, which contain both Major and Minor releases.
Major updates contain developmental changes including the addition of new features, or changes to core technologies on WordPress. Every major release is named after a major jazz musician.
Minor updates contain security patches and fixes. As a result, they are highly recommended, and are automated by default on every installation of WordPress. Every WordPress site is recommended to run these updates since they contain important security updates that keep WordPress sites safe.
Developmental updates, which are only for changes that might be unstable; these updates are what future developments are built on. Also known as ‘bleeding edge’ updates, they are only meant for sites running the developmental version of WordPress.
Translation updates (language packs), which come in handy if your WordPress site has multilingual support.
Depending on your comfort-level with code, and the time you’re willing to spend maintaining your site, you could automate your WordPress site’s updates manually, with the help of a plugin, or via managed WordPress services. Every method has its pros and cons, so it’s best to choose one with careful thought.
Automating WordPress Updates the Manual Way
This method will require you to make changes to your WordPress installation’s core files.
How to automate updates to WordPress Core the Manual Way
Automating updates to WordPress core involves making changes to the wp-config.php file.
WordPress reads a constant called WP_AUTO_UPDATE_CORE, set with define( 'WP_AUTO_UPDATE_CORE', value ) in the wp-config.php file. The value you assign to this constant determines which WordPress release updates are automated.
To Automate All WordPress Core Updates
Assign the value true to the constant, as demonstrated:
define( 'WP_AUTO_UPDATE_CORE', true );
This enables automation of all release updates, developmental updates and translation updates on your WordPress site.
To Only Automate WordPress Core Minor Release Updates
As mentioned, WordPress automatically applies minor release and translation updates to your site. However, if you disabled all automatic updates by assigning the constant the value false, you would have disabled minor updates too. Just assign the string value ‘minor’ to the same constant instead of true. This disables all updates other than minor updates, which keep your WordPress site secure.
Here’s how you do it:
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
How to Automate Updates to WordPress Add-ons the Manual Way
Automatically updating add-ons isn’t recommended by WordPress, since the developers’ updates might work for that plugin/theme, but might be incompatible with other add-ons or elements on your WordPress site. However, if your WordPress site is simple and has very few plugins/themes that are compatible with each other, it might not be as big a problem.
In order to manually configure your installation of WordPress to update plugins and themes, you have to use a filter called auto_update_$type, which WordPress applies from code in the wp-admin folder. The value of $type determines which kind of WordPress add-on is updated automatically.
To automatically update all plugins on your WordPress site, the filter must read:
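The snippet that belongs here did not survive on the page. As an added example (not the original author's code), here is the standard way to express both halves of the manual method: the wp-config.php constant and the auto_update_{$type} filters, placed in a must-use plugin. The file path and the allow-listed plugin slugs are assumptions for illustration, and the allow-list variant goes beyond what the text describes: it auto-updates only plugins you have already tested, which is one answer to the compatibility worry raised above.

```php
<?php
/**
 * Added example (not the page author's code): configuring WordPress's
 * automatic updates from wp-config.php and from a small must-use plugin.
 *
 * Part 1 belongs in wp-config.php. Part 2 belongs in a file such as
 * wp-content/mu-plugins/auto-updates.php (assumed location; mu-plugins
 * are loaded automatically and survive theme switches).
 */

// --- Part 1: wp-config.php -------------------------------------------
// 'minor' = security/maintenance releases only; true = major, minor and
// development releases; false = no core updates at all (not recommended).
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// --- Part 2: wp-content/mu-plugins/auto-updates.php -------------------
// The auto_update_{$type} filters ($type is 'plugin', 'theme',
// 'translation' or 'core') receive WordPress's current decision and the
// update item; returning true or false overrides that decision.

// Simplest form: auto-update every plugin and theme.
// add_filter( 'auto_update_plugin', '__return_true' );
// add_filter( 'auto_update_theme',  '__return_true' );

// Safer form: only auto-update plugins on an allow list you have tested.
// The slugs below are hypothetical placeholders.
function bv_example_auto_update_allowlisted_plugins( $update, $item ) {
    $allowlist = array(
        'akismet',
        'example-plugin-you-have-tested', // hypothetical slug
    );
    // $item->slug is the plugin's directory name in the repository.
    if ( isset( $item->slug ) && in_array( $item->slug, $allowlist, true ) ) {
        return true;
    }
    // Keep WordPress's default decision for everything else.
    return $update;
}
add_filter( 'auto_update_plugin', 'bv_example_auto_update_allowlisted_plugins', 10, 2 );

// Translations are auto-updated by default; this keeps them on explicitly.
add_filter( 'auto_update_translation', '__return_true' );
```

Keep the allow list short and review it whenever you add a plugin; anything not on it still shows up in the dashboard as a pending update, so nothing is silently skipped.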
The code isn’t complex, so it’s beginner friendly.
Manual automation is free.
WordPress site owners won’t have to install an extra plugin just to keep their site up to date.
Cons of Manual Automation of Updates
The changes have to be made to wp-config.php and, for add-ons, to a plugin or theme file that registers the filter. This might make some WordPress users uncomfortable, especially since editing anything close to the core installation is not recommended for beginners.
Making the changes to code might require some time, especially for WordPress novices.
If an update breaks your site, you will have to work out which one did it yourself: disable the automatic updates, roll back or fix the offending component, and check the site after each change.
Automating Your WordPress Site with Plugins
This method comes in handy for WordPress site owners who do not want to tinker with code themselves and don't mind installing an extra plugin on their site. Two examples of plugins that help automate updates are Advanced Automatic Updates and WP Updates Settings.
How to Use the Advanced Automatic Updates Plugin
Step 1: Install and activate the plugin.
Step 2: Locate the plugin under your WordPress site’s Settings tab, and click on it.
Step 3: Check the kind of updates you would like to automate on your WordPress site.
If you would like notifications about these updates to be sent to an email address other than the site owner's, you can enter it in the plugin's notification setting.
You can also disable email notifications altogether, and request debug information (useful if you're running development updates).
How to Use the WP Updates Settings Plugin
Step 1: Install and activate the plugin.
Step 2: Just like for the Advanced Automatic Updates plugin, locate the Updates tab under your Settings tab, and click on it.
Step 3: Choose the kind of WordPress core release updates you would like to automate on your WordPress site.
Step 4: Choose whether you would like to automatically update add-ons on your WordPress site.
Step 5: If you'd like translation and development updates, tick the appropriate check-boxes.
Pros of Automating Your WordPress Updates With a Plugin
These plugins do the work for you: you don't have to touch any code.
Most plugins that automate WordPress updates let you enable or disable each kind of update with a single click.
Cons of Automating Your WordPress Updates With a Plugin
This will require you to install an extra plugin just for updating your WordPress site.
Some plugins only automate WordPress core updates; check whether the one you choose can handle add-ons as well.
You, as a WordPress site owner, will still need to weed out problems if your site crashes with updates.
Using Managed Services to Automate Your WordPress Site
There are two types of managed services you could use to automate updates on your WordPress site: managed WordPress hosting, and WordPress support and maintenance services.
Managed WordPress Hosting
These services manage your WordPress site's hosting and take care of a few issues with the site itself as well. Two examples of managed WordPress hosting providers are Flywheel and WP Engine. These services automate updates for your entire WordPress site, but only after the following steps, which are meant to protect you whatever the state of compatibility of your site:
The hosting provider checks their systems for compatibility with WP updates (whether this includes both core and add-on updates depends on the web host).
They then mail you beforehand with the dates for your WordPress site’s update.
The managed host takes a backup of your WordPress site before the update. Only then do they perform the update.
Once they perform the update, they check for issues.
If your WordPress site is not compatible with the update, the managed hosting provider restores your site with the backup that they made.
The service then mails you about the status of the update (successful/unsuccessful, and reasons if unsuccessful).
If you’ve tested your site and found it incompatible, you can ask certain web hosting services to postpone updates till you fix the issue at hand.
Plugin and theme updates are not done automatically by managed WordPress hosting services, simply because different plugins have settings that might conflict with each other and break your site.
If you’d still like to automate the updates of add-ons, you can get in touch with your WordPress host about the same.
Since each managed hosting service has different terms and conditions, and pricing plans, it is recommended that you read their documentation carefully, and then get in touch via email or from their in-website chat support.
Pros of Using a Managed Web Hosting Service With Automatic WordPress Updates
You, as a WordPress site owner, don’t have to fiddle with the WordPress core files.
Your WordPress hosting service tests and runs WordPress updates for you.
Cons of Using a Managed Web Hosting Service With Automatic WordPress Updates
Managed WordPress hosting comes at a price.
These services don’t take care of all the issues that might come up during updating your WordPress site. If your site has certain customizations that makes it incompatible with WordPress updates, these services might mail you asking for you to seek a professional developer’s assistance. This means even if you’re paying a premium price for managed hosting, you might also have to hire a WordPress developer separately.
WordPress Support and Maintenance Services
WordPress support and maintenance services (such as WP Curve, WP Maintainer, and Valet), are perfect for super-busy site owners who can afford to have a full-time service just for maintaining their WordPress sites. In terms of updates and maintenance, these services usually perform the following functions:
Core and add-on updates.
Support/repairs in case of incompatibility.
Audit of the security and maintenance of your site so the chances of it breaking upon update are reduced.
Regular backups to rely on in case of incompatibility with any update.
As with managed WordPress hosting services, it is recommended that you go through the list of their offerings (and their pricing plans) carefully. All you have to do after that is contact them over email or from their respective websites.
Pros of Depending on WordPress Support and Maintenance Services
Since you are paying these services specifically to maintain your WordPress site, you can expect them to solve any problems you might have while updating your WordPress site.
You need not hire a developer to this end.
Cons of Depending on WordPress Support and Maintenance Services
These services come at a premium price, and usually require you to pay more in order to fix issues that might come up during updates. Each service has its own pricing plan.
A number of maintenance and support services do not provide free support, so if you run into issues with your site, it might be expensive to get them sorted out.
Automating your WordPress site's updates might seem like an easy fix that keeps the site current with security patches and new features, but it comes with many caveats. Not only might an update break your site, it might also be difficult to undo. This is why it is imperative for every WordPress site owner to maintain a recent, secure backup that can be relied on.
WordPress is the most popular CMS in the world. With WordPress powering 26% of the world’s websites it’s also one of the most preferred ways to publish content. What makes it so popular?
While there may not be a perfect CMS (Content Management System), WordPress comes pretty close currently to being the best one. At least it is the most popular one by far. Search trends on Google show that there is considerable daylight between WordPress & other CMSes out there. This is, at least, to say that WordPress generates more interest than other platforms.
The popularity of WordPress represented by search trends is reflected in the usage rates of the CMS, with WordPress being used nearly ten times as much as its closest competitor, Joomla. While WordPress tops at 26.7% of websites using the platform, Joomla is used by about 2.8% of websites. This difference in usage rates only becomes more stark when you take a look at the market share of the CMS. WordPress has nearly 60% of the market share.
While the WordPress community across the world was growing, and more and more people were building WordPress sites for varied purposes, only the recent release of statistics has managed to shine a light on how big the CMS has actually become. About 26% of websites in the world are said to be powered by WordPress.
This number is said to grow to 30% in a few years as WordPress is not just the most popular content publishing option on the web, it is also the fastest growing CMS. It is simply the most popular option for building websites. With this, the mission of “democratizing publishing” as Matt Mullenweg phrased it, seems to have been realized. However, this realization only seems to be the beginning of something bigger.
Here are some reasons as to not only why WordPress is big now but also why it is expected to continue to grow.
WordPress is Open-source
WordPress is an open-source CMS and will remain so in the future as well. With WordPress being open-source, a private company cannot decide to delete your content on their own, regardless of reason. This means that you’re unlikely to lose your content when you publish it using WordPress, such as in the case of Dennis Cooper’s blog on Blogger.
This means that WordPress is not only the most viable option economically, it gives you (the user) complete ownership over your content and puts the power of publishing squarely in your hands.
WordPress In Your Language – Inclusive
WordPress communities have actively participated in translating the CMS into various languages. Currently, according to WordPress.org, WordPress has been completely translated into more than 60 languages. Despite the fact that over 70% of WordPress sites are in English, translation makes the WordPress mission of democratizing publishing a real possibility: websites and blogs can be produced in many, many languages, and the platform instantly becomes relevant to a truly global audience.
Although WordPress was seen as a blogging platform for a long time, it has been used to create all types of websites. For this to happen it is important to have power not only over content but also over the form in which it is published. WordPress was built to be fully customizable, and being an open source project, it welcomed contributions (core, plugins and themes) that made it flexible enough to suit different needs. This is one of the key reasons why the platform has become popular, and why it's a good fit for beginners who want to start a blog on their own.
WordPress Plugins & Themes – There is a plugin for that!
Themes control the design and layout of WordPress sites (for example an image and text in the header, a video in the body, an archive in the sidebar, and company information in the footer). They provide templates. Plugins add functionality to those templates (turning the header into a carousel, or making the site load faster), while widgets mostly affect appearance (for example adding a footer or sidebar block).
Plugins and themes are what make it possible to use WordPress for building websites for all sorts of purposes. This is also why there are so many contributors to plugins and themes. While many contributors are professionals or companies, there is also a large community of amateurs and hobbyists working to make WordPress fit every need.
WordPress Plugins & Themes, by the numbers
Plugin repository: 47,211 plugins
Downloads: 1,432,006,605
Spoilt for choice
Thousands of free themes on WordPress.org
85 commercially supported GPL themes
Themes for every purpose
Themes changed: nearly 2 million times in August 2016
The interest in WordPress and growing repository of plugins and themes has also encouraged many third-party companies and developers to produce premium themes, plugins and services professionally.
The power wielded by social media platforms is huge. One only needs to look at the number of users on social media platforms for their importance to become clear, particularly for large businesses looking for a portal to engage their target audience. There are more than a billion users on Facebook alone. Combine this with the growing importance of Twitter as a promotional and engagement platform for large business, and you realise why the ability to embed these posts in your WordPress site is such a big deal. As this article on Business 2 Community mentions, "Twitter is the place to engage with companies: While just 20 of the Fortune 500 companies actually engage with their customers on Facebook, 83% have a presence on Twitter— as do 76% of the NASDAQ 100, 100% of Dow Jones companies, and 92% of the S&P 500."
Being able to provide an experience for users to engage with authoritative long form content & instantly share it with their connections in bite size form to start a conversation all on a single platform can be a powerful tool for businesses.
While WP gives users control over content it also understands that the real power of content is amplified through connections, which is what social media platforms are all about.
Embedded in WordPress
WordPress Is A Rising Star
As more people use a platform, chances are that its following will increase because their interest has been roused. If so many people are choosing WordPress then there must be use value from the CMS. The continued growth of the CMS however can be attributed to the initial inklings that pushed them to use WordPress proving true. The scary or exciting part is that all the points that make WordPress useful are only growing bigger and stronger market-wise. We have seen this in the growth of the WordPress market.
People who contribute to the CMS, amateurs and hobbyists along with professionals and companies, all contribute to the WordPress community and make it richer. There are also many areas for contributions with:
“WordPress Hacked!”: Strengths As Weakness
All this interest will definitely attract some unwanted attention too. It is already a concern for many that the top Google search suggestions for "Is WordPress..." are "Is WordPress free" and "Is WordPress secure". The popularity of WordPress makes it a target for hackers, or is at least perceived to do so. When a platform runs more than a quarter of all websites, the payoff from being able to hack it will also be big.
WordPress is a target rich environment with many players at every level coming on board
Development of themes & plugins done by amateurs
All of these points make WordPress websites an attractive option for hackers. It is inevitable, isn't it, that when a platform offers so many opportunities and is so popular it will attract those with nefarious intentions.
However, this perception of the most popular CMS, also being the most insecure one is simply not true. WordPress Core has been very secure, and more and more spotlight is being shone on hardening and securing WordPress sites than ever before. The growing market share and popularity has brought about the challenge of scale. It has converted WordPress’ most cherished tools– plugins and themes into double edged swords; if only in part. This is because most of the vulnerabilities exploited in the last few years have come from issues dealing with plugins and themes or WordPress site maintenance issues. Scale and an unregulated, fast-growing market have contributed to the many strengths and weaknesses of WordPress.
This is not mentioned as a warning sign but for the sake of spreading information. Awareness of pain points can lead to resolving or managing them more efficiently. WordPress is a community driven project & is based on informed users taking action.
You too can take some steps to put best practices in place for your website and not make it easy for hackers. Chances are that all it takes to protect your site is to make it a little bit harder for hackers, but it is interesting to see how many people miss out on the easy steps.
With all these points considered there is no doubt that WordPress is here to stay; and if anything, it will only grow bigger in the coming years. Being part of its community and this open source project may seem like a double edged sword for some, but if you stay informed and put in basic best practices in place then you will not only be safe with your WordPress site, but happy as well.
WordPress website owners are always cautioned to keep their installations of WordPress, plugins, and themes up to date. But when a plugin hasn’t been maintained or updated from the developer’s end, potential exploits threaten everyone who has it installed.
Being someone who grew up in the 90’s, I still love video and audio cassettes. But as the world progressed to new technologies, the companies making the cassettes kept updating their technologies and methods too, and for good reason. No matter how I loved the uniqueness of magnetic tape, even I understood that it had its faults. It was time to move on.
Most of the time, WordPress works in the same way too. The minute a problem is identified, developers work to release a fix for it, whether it’s an add-on or something on WordPress core.
This is why almost every piece of advice on the internet about ‘security practices for WordPress’ always first mentions that WordPress site users have to update every element on their site.
But what does one do when the technology itself isn’t updated, and after a vulnerability has been reported? The possibilities this opens up to hackers, are endless, which makes this a particularly alarming situation.
W3 Total Cache is a WordPress caching plugin that helps sites load faster. A website’s load time, as any website owner knows, affects its reputation, views, and business. The faster it loads, the better it is perceived by its visitors. This is why caching plugins are so widely used in the WordPress community.
W3 Total Cache in particular, had over 1 million active installs when the vulnerability was declared.
This was because it had features that made it considerably better than other caching plugins, according to those who used it. Not only did the plugin cache every aspect of the WordPress site, from HTML elements to objects in the site's database, it also handled mobile caching well. Most other caching plugins only cached the HTML of a page, so their performance was considerably lower.
The plugin, according to its page on the WordPress.org repository, has been used and trusted by company websites such as AT&T, mashable.com, and pearsonified.com, amongst others.
To add to this, the previous major ‘update’ to the plugin was only a simple change that made sure the plugin was compatible with the then latest versions of WordPress. Understandably there was concern over the potential damage this vulnerability could wreak if it was exploited.
But this wasn’t the first time the plugin had displayed vulnerabilities. Just as with any other plugin, W3 Total Cache had its share of loopholes, that were sometimes exploited, as in the case of other caching plugins like WP Super Cache too.
The good news
The silver lining in this situation was that the original developers of the plugin released an update six days after the vulnerability was disclosed. The update patched not just this exploitable loophole but four more that were disclosed by SecuPress, and it also introduced a number of new features.
This brings us to the most important course of action. When faced with a plugin or theme that is obviously out of date:
Disable the plugin/theme until an update addressing the vulnerability has been released
If it’s not a premium plugin or theme, follow its support forum on WordPress.org
If a patch for the vulnerability takes more than 48 hours to come through after the vulnerability is announced, try to contact the developer, informing them about the vulnerability and quoting your sources.
In the meanwhile, try and find alternatives that are compatible with your site in order to keep your site fully functional.
If the update takes more than a month to come through, you could ask the community if someone would like to adopt the theme/plugin. Obviously, this procedure has steps that you will have to follow, after communicating the problem to both, the WordPress team, and the community.
This is why it’s important to always have a backup plan: you never know when a plugin is going to stop being updated.
After all, a number of contributors are developers who contribute to the community as a hobby. It takes a lot of time and effort to not only create a plugin, but to identify how to patch up vulnerabilities and do it according to the best security practices as well.
Moreover, when the plugin/theme is actually updated, you never know if it’s going to break your WordPress site. Reliable backup solutions that allow you to test your backups before they go live on your site are not just an option in such cases… they’re a necessity.
Making WordPress Backup to Dropbox seems like an attractive option due to ease of use & low cost. However, is it the best practice & will restores be as easy as backups?
There are generally two ways you can make a WordPress backup to Dropbox. The first way requires two processes to be completed. You can manually download your WordPress files using an FTP client and then export your WordPress database using phpMyAdmin. Then you upload it all to Dropbox. WordPress.org recommends having at least three copies of a given backup, and Dropbox can serve as the destination of one of those three copies.
The other way is seemingly easier. Backup your WordPress database and files with a backup plugin. Backup & Restore Dropbox, Dropbox Backup by Supsystic, and WordPress Backup to Dropbox are all plugins which backup to Dropbox.
Other plugins, like Backup Guard and UpdraftPlus WordPress Backup Plugin, provide Dropbox as one of several optional backup destinations. In the case of the former the option is available only in the PRO version, whereas in the case of the latter it is an add-on.
The process is simple. You authorize the plugin against your Dropbox account (the plugin stores an access token for it), confirm, and you are done. Some plugins will regularly back up your WordPress site to Dropbox according to the schedule you have set. Keeping track of those backups may be another matter altogether.
Apart from the simple process, cost is another factor which makes Dropbox a seemingly attractive option for backups. Some plugins which allow you to backup your WordPress site to Dropbox are free. Dropbox itself is free up to 2 GB so you may feel there are no extra costs with this option.
WordPress Backup to Dropbox: Think again!
In order to back up your WordPress site to Dropbox, the plugin needs to store a copy of your Dropbox account's API key (an access token) on the site itself, typically in the database. That means anything that compromises the site, such as a vulnerable plugin or an uploaded web shell, also gets a key to your backups, and with it the ability to read, alter or delete them. What is the point of leaving a copy of your bank vault's key in your living room? You might as well have left your valuables in the living room too, right?
Backing up to Dropbox is indeed simple enough. Our WordPress backup plugin offers users the option to upload a backup to Dropbox too. Users who know a particular version to be free of problems can download that backup to their Dropbox account. This is not a default option in the BlogVault plugin, and regular backups are not made to your Dropbox account, because we follow best practices for WordPress backups. Know more about why backing up to Dropbox is not safe.
However, if you’re relying on Dropbox only to provide the safety net for your WordPress site then you are in trouble, at least according to our experience.
Dropbox Backups & Restores
Apart from all of these points, there is another issue to making WordPress backup to Dropbox only- restores. Afterall the entire point of making backups is to empower us when we need to restore our business or blog.
Most WordPress backup plugins zip your files; meaning they download your site in .zip or .gz files. You cannot view .zip or .gz files in Dropbox anyway and you have to download the files to sort them out. In this case Dropbox becomes a temporary storage solution rather than a comprehensive backup solution.
Then there are seemingly simple matters like clutter. Regularly backing up to Dropbox clutters your account. You may not be able to find the files you need quickly, when you need them. When you have to restore your site, you don't want to sift through thousands, if not millions, of files.
Tip: When backing up to Dropbox
Ensure that you label the downloaded backups in an organised manner so that you can tell different backups apart. This will be helpful when you have to restore your site.
You need to safeguard your data in a more robust manner, so that in your hour of need you know not only that you have access to backups but also that they work. Especially if you're running a small business or a popular blog, you might want to look at a more holistic backup solution and keep making WordPress backups to Dropbox only as an additional step.
Figuring out the best security option, (especially making the decision between a WordPress firewall and an antivirus) for your website requires a lot of research and technical know-how. But if you’ve decided on getting a WordPress firewall, NinjaFirewall is one of the options that you will have to consider.
This is why we decided to test NinjaFirewall (v 3.2.4) for you, and to do it from a WordPress newbie's point of view. We pitted it against the common exploits on WordPress sites to see if it stands our tests of fire. A Web Application Firewall (or WAF) provides customizable inspection of HTTP requests and runs as an appliance, a plugin, or a cloud-based service.
A host-based firewall for WordPress runs on the same server as your site and inspects requests before they reach the application. This means it helps reduce the risk of vulnerabilities in your website being exploited, though it shares the host with the thing it protects.
NinjaFirewall allows you to install and configure it just like a WordPress plugin, but it’s a ‘stand-alone’ plugin that intercepts all requests made to WordPress. The fact that it’s ‘stand-alone’ means it has its own settings, options, policies and rules that you can configure. If you’ve googled NinjaFirewall, you’d have seen phrases saying that the firewall ‘sits in front of WordPress’. This simply means that NinjaFirewall intercepts requests with the aim of alerting you of, and stopping any suspicious activity/requests before they affect your site.
There are also a few hiccups that you might face during installation, that the NinjaFirewall team has documentation for, which is great, if you aren’t a beginner with WordPress, and know the basics enough to understand code.
What NinjaFirewall Claims to Do for You
NinjaFirewall claims to intercept and determine which traffic to allow to your site. Upon installation, the firewall backs up your php.ini and .htaccess files and then modifies them to intercept every request made to your site. It then filters requests and traffic using extensive rules (and a whitelist), to separate good requests from malicious ones. The bad requests are dropped while normal requests are forwarded to your WordPress site. Its aim as a firewall, is to prevent your site from getting hacked, by avoiding bad requests from the get-go.
NinjaFirewall has a lot of features, that help towards this end, and many varied security functionalities to your site. Each feature of NinjaFirewall has different options and settings, and we hope to explain the most important ones below:
Firewall Options
This is where you enable or disable NinjaFirewall. You can also customize the error messages displayed on your site when the firewall detects a bad request.
If you’ve got NinjaFirewall installed on another site and have configured it according to your needs, you can import it to a fresh installation in the Firewall Options section. The only requirement is that both sites should have the same versions of NinjaFirewall. Importing another configuration of NinjaFirewall will override any firewall-related rule, option or configuration that exists on the site you’re importing to.
Firewall Policies
Most of the options that control how NinjaFirewall works are in the "Firewall Policies" section. None of them take free-form input: the majority are Yes/No switches or check-boxes. The first few let you decide whether you only want to accept HTTPS traffic or are fine with plain HTTP as well. Since a lot of hacks start with a file upload, the firewall also lets you choose whether to allow uploads at all. These first few options are easy enough to configure.
As you scroll down the list, they get more and more complex. Some options even caution you not to enable them unless you understand what they entail. NinjaFirewall has documentation to explain all of these options, but some of them still need technical background, so we try to break them down here.
HTTP request variables (GET, POST and REQUEST) carry the input a visitor sends to a page. Scanning them for dangerous values is the core of what the firewall does, since injection attacks arrive through exactly these variables. Sanitizing them makes sure the site treats the strings as data and not as commands.
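To make concrete what "sanitizing GET, POST and REQUEST variables" defends against, here is an added example (not the page's, NinjaFirewall's or any real plugin's code). It shows a hypothetical listing-lookup function written the vulnerable way and the hardened way, plus a minimal request inspector of the kind a firewall runs in front of both. The table name, the parameter name and the handful of patterns are illustrative assumptions; a real rule set is far larger and has to be tuned against false positives.

```php
<?php
/**
 * Added example (not the page's or NinjaFirewall's code): what scanning
 * request variables protects against, on a hypothetical WordPress plugin
 * that looks up a listing by id. Requires WordPress ($wpdb, absint).
 */

// --- Vulnerable: the request variable is spliced into SQL as part of the
//     command, so "5 OR 1=1" changes what the query does. -----------------
function listing_lookup_vulnerable( array $request ) {
    global $wpdb;
    $id  = $request['listing_id'];
    $sql = "SELECT * FROM {$wpdb->prefix}listings WHERE id = " . $id;
    return $wpdb->get_results( $sql );
}

// --- Hardened: the value is coerced to an integer and bound as data with
//     $wpdb->prepare(), so it can never become part of the command. --------
function listing_lookup_hardened( array $request ) {
    global $wpdb;
    $id = isset( $request['listing_id'] ) ? absint( $request['listing_id'] ) : 0;
    if ( 0 === $id ) {
        return array();
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}listings WHERE id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// --- What a request-inspecting firewall does in front of both: a small,
//     signature-style check over every request variable. Returns the name
//     of the first offending variable, or null if nothing matched. ---------
function inspect_request_vars( array $vars ) {
    $patterns = array(
        '/\bunion\b.*\bselect\b/i',      // UNION-based SQL injection
        '/\bor\b\s+\d+\s*=\s*\d+/i',     // tautology such as "OR 1=1"
        '/(?:--\s|\/\*)/',               // SQL comment sequences
        '/<script\b/i',                  // script tag (XSS)
        '/\.\.\//',                      // directory traversal
    );
    foreach ( $vars as $key => $value ) {
        if ( ! is_string( $value ) ) {
            continue;
        }
        foreach ( $patterns as $pattern ) {
            if ( preg_match( $pattern, $value ) ) {
                return $key;
            }
        }
    }
    return null;
}

// Constructed sample requests (not captured traffic). With the inspector
// in front, the second request is dropped before any plugin code runs.
$benign    = array( 'listing_id' => '5' );
$malicious = array( 'listing_id' => '5 OR 1=1 -- ' );
$blocked   = inspect_request_vars( $malicious );   // name of the bad variable
$allowed   = inspect_request_vars( $benign );      // null, request passes through
```

The firewall check is a safety net, not a substitute for the hardened function: a pattern list can always be evaded with an encoding it does not expect, whereas a bound integer parameter cannot be turned into SQL no matter what the client sends.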
These options keep out suspicious bots from crawling your site:
The HTTP response headers help in protecting your site from other hacks that originate from the browser’s end.
There are also a few options that are unique to WordPress:
These help protect your site from SQL dumping (i.e. creating a snapshot of and exfiltrating your website's entire database), as well as from a number of shell scripts.
When a hacker attacks your site, they make a number of attempts and depend on error messages to determine whether an attack worked. NinjaFirewall has the following options to stop your site from displaying revealing error messages:
And then there are other ‘various’ options that you can enable:
NinjaFirewall also has options that control the requests made to and the access to WordPress core files and directories:
This section is also where you can modify the firewall’s white-list:
File Check
This feature creates a 'snapshot' of your files so that later changes can be detected by comparing the current files against it. Once you create a snapshot (which you can later download or delete), you can scan your site for file changes. You cannot activate this scan before you create a snapshot.
Anti-Malware
NinjaFirewall also has an Anti-Malware feature that lets you scan for hacks. According to NinjaFirewall's documentation, this feature doesn't alert you to spammy links (like those that redirect your visitors to porn sites). It does, however, alert you based on signatures of malware that could damage your site. Signature matching alone isn't a great way to scan sites, especially since hacks are complex. This is probably why this is the one feature in NinjaFirewall that allows you to add custom rules or signatures for malware or suspicious activity.
NinjaFirewall has handy documentation for how to go about this. You will need to understand what to create signatures for, in order to make use of this feature.
The Anti-Malware feature poses a couple of issues though. More on them here.
The firewall logs any suspicious activity in the Firewall Log section, but you can set how often it alerts you, and what to alert you of.
This way, if the firewall blocks any attacks, you can see what happened from the Firewall Log. It's always good to examine why and how it blocked an attack.
Brute Force attacks are a different thing altogether. NinjaFirewall has a separate option to help protect against these attacks: Login Protection. The option asks for HTTP authentication credentials, without which you can’t enable it. You can also set the message displayed when the firewall blocks such attacks.
Firewall Log
It is what it sounds like: a log of everything NinjaFirewall found unusual, according to the rules you set in Firewall Options. So if you’ve asked to be notified about any plugins updated, deleted or created, this log will contain all the details.
Live Log
This feature monitors HTTP and HTTPS traffic on your site, so it aims at protecting against any traffic-related attacks (like Brute Force, DDoS, or unusual IPs trying to access your site).
NinjaFirewall has a set of ‘rules’ according to which it operates. These rules are mostly signs, or signatures, of attacks that it tries to prevent. According to NinjaFirewall’s documentation, the rules are downloaded from the WordPress.org repository, and the plugin doesn’t contact NinTech’s servers during the update process.
You can’t add your own rules, but you can modify them in the Firewall Policies section, if they’re greyed out in the drop-down.
This feature allows your installation of NinjaFirewall to be up to date. Setting the firewall up to check for security rules is a tradeoff between choosing your custom configuration, and keeping your site secure.
Of course, you could ask to be notified about the changes and then go back and adjust them to suit your requirements.
What we tested it against
We ran a series of tests to evaluate first-hand the effectiveness of NinjaFirewall against some of the common attacks WordPress sites face. For this, we created a test site (which would be the stand-in for your website): 18.104.22.168/wordpress. The vulnerabilities we tested the firewall against were:
1. SQL Injection
The Firestorm real-estate plugin (actually v 2.03), is one that contained a vulnerability that allowed for SQL Injection. This plugin allows you to add real estate listings to your WordPress site.
Testing NinjaFirewall against SQL Injection
To exploit this vulnerability, we tried entering SQL code into the Firestorm plugin to get data from wp_users. (For those of us who don’t know what wp_users actually does, it allows you to get data from, and modify both the roles and capabilities of WordPress users other than the admin.)
Here is the SQL code we used:
22.214.171.124/wordpress/wp-content/plugins/fs-real-estate-plugin/search.php?ProvinceID=35335 UNION SELECT 1, user_pass, 3, 4, 5, 6, 7, 8 from wp_users.
Because this version of the plugin is vulnerable, it will execute the code to try and select the user credentials from users 3, 4, 5, 6 and 7.
We used this in our browser’s address bar.
(Note: This is why for this attack and the couple others following, we’re going to ask you to look closely at the address bar.)
Running the test in the address bar
Once we entered the same code into the address bar of the browser, this is what showed up on the test site (look at the address bar carefully, please):
But how did things work out behind the scenes of the attack?
Firewall Log for SQL Injection
This is what NinjaFirewall’s Firewall Log had to show us:
Looks like the firewall had this exploit already in its list in the Rules Editor section, and hence it detected the exploit and prevented it from occurring too.
2. Arbitrary File Upload and Local File Inclusion (LFI)
There were a couple of vulnerable plugins that came to mind when we thought of Local File Inclusion. One was Slider Revolution (v 3.05), and the other was Gravity Forms (< v 1.8.19).
We chose Slider Revolution though, because it allowed us to perform both exploits, and because more than 100,000 sites were attacked in 2014 through this plugin.
Testing NinjaFirewall against Local File Inclusion
The Slider Revolution plugin was used to perform Local File Inclusion on vulnerable websites in the following manner:
Say the vulnerable site was called ‘victim.com’.
The vulnerability allowed attackers to request the RevSlider plugin on the vulnerable site to show the images in the slider. Once it did that, the attackers would also try to figure out the structure of the WordPress directory. They would then get it to include files on the website’s local server (like the wp_config files) to the files it revealed. So the final URL entered on the site would be something like:
We used a very similar approach to try and get the plugin to include the wp_config files of the website, and to reveal them.
Here is how NinjaFirewall reacted:
Running the test
Since the action got blocked, we just checked out the Firewall Log.
Firewall Log for Local File Inclusion
Testing NinjaFirewall against Arbitrary File Upload
Again, trying to get to two attacks with the same plugin, we tried uploading random (or arbitrary) files to the test site. If the attempt is successful, the damage to the site would depend on the kind of file uploaded, and what it was intended to do.
Take a look at the address bar to see what we’ve tried to do.
Now don’t get confused… We named the files to be uploaded as “revslider” so that it would be accepted more easily by the plugin.
Running the test
Again, we only checked out the Firewall Log, since this attack was unsuccessful.
Firewall Log for Arbitrary File Upload
Here is what the Firewall Log said:
3. Brute Force Attacks
As mentioned earlier, to protect against Brute Force attacks, NinjaFirewall has a separate option called Login Protection.
Testing NinjaFirewall against Bruteforce attacks
Just to test its effectiveness, a colleague of mine, Vijay, tried launching a Brute Force attack against the website using Hydra, a tool that helps test websites and crack admin credentials.
Running the test
We launched a Brute Force attack against the site when we’d set the “Enable Brute Force Attack Protection” to “No”. This is what Hydra got us:
As you can see, the attack was successful, and Vijay was able to get the site admin’s login credentials.
Then, we went ahead and enabled the Login Protection feature:
Vijay then launched the attack again. This is what Hydra’s log said:
A quick look at how the attack was reported in NinjaFirewall’s Firewall Log (this shows how the attack was let through, and then stopped):
4. Remote File Inclusion (RFI), Arbitrary Code Execution, and Backdoors (a custom hack)
We used TimThumb because it was a plugin that was widely used, and exhibited a vulnerability that allowed for millions of WordPress sites to get hacked. This test was therefore meant to check the basics of the firewall.
Testing NinjaFirewall against Remote File Inclusion and Arbitrary Code Execution
For this, we used the (currently defunct) Pict.Mobi widget, that used TimThumb (v 1.28) on the test site. Obviously since the RFI exploit would need a hackfile to be included from a remote location, we also created another site that would host the bad file.
We took the approach a hacker would: we first confirmed that the (test) site used TimThumb, and that it used a vulnerable version.
Then we selected a very small file (in this case, a 16x16 .png icon) and modified it to contain PHP code.
Next we used the TimThumb vulnerability to include the file remotely to the test site. Note that the file was PHP, which means that any time it was accessed, it would run.
Sure, it was an image file, so it could easily bypass the site’s usual sensors, but the PHP code could still be accessed, and executed.
Testing NinjaFirewall against Backdoors
We wanted to kill three birds with one stone, so we made sure to create an encrypted shell for the PHP code on the image before we uploaded it.
Running the test
We then extracted the code from the hackfile shell, just like a hacker would:
And then ran it.
NinjaFirewall didn’t stop the attack.
We think it was because NinjaFirewall has a list of rules for what attacks should look like, in a section called Rules Editor.
Click on the drop-down, and you see the list of rules that NinjaFirewall follows:
These rules are internal to NinjaFirewall, so you can’t see what exactly each rule entails.
The attack we performed though, didn’t exactly go by the rules of how the attacks worked.
The results of the tests are as follows:
The log didn’t pick up on the hack. In fact, it only listed the backdoor we’d tested it for.
The firewall didn’t detect changes in files. We were still able to list the files in the WordPress directory.
We didn’t expect this feature to remove the malware, because it’s only a scanner.
Unfortunately, it didn’t find the infected files. We were under attack, and this is what the anti-malware feature said:
No blips on this feature either.
Unresolved issues with NinjaFirewall
Since this is a review of the entirety of NinjaFirewall, we didn’t only test it against vulnerabilities. We also checked for issues other than those of protection. Most of these issues are documented on NinjaFirewall’s forum on WordPress, or on its online documentation.
● Anti-Malware scans time out
The Anti-Malware feature on NinjaFirewall allows you to scan the files in a particular directory of your site for malware (by default this is /var/www/html/wordpress/).
The thing is, by default, this feature scans your site for malware in files that have been created or changed in the last 7 days. You can change the time period (or Timestamp) or even make it zero, in which case it scans your whole site.
However, if your website is on a shared host, there is one major problem you could face: the Anti-Malware scan timing out.
The feature stops scanning your site after a certain time period that is set by your web host. This means that if you have too many files on your site, the scan will get cut short. Your site could never get fully scanned unless you try some workarounds (like this one suggested by the NinjaFirewall team). This is probably why NinjaFirewall’s Anti-Malware feature also has the two options “Ignore file extensions” and “Ignore files/folders”:
While there isn’t anything NinjaFirewall can do to change the timing out of the scan, it is a huge drawback for users who want to scan their sites.
● The Anti-Malware feature uses only signatures to detect malware
This is a widely-used method to identify malware and viruses, but it doesn’t catch everything. This is why most security scanners use it in combination with other approaches. Hacks utilize vulnerabilities on your site, but how bad code is run on your site depends completely on how hackers want to carry out the attack. So the ‘signature’ of malware could always be altered in small ways so as to escape detection. This is why, as we explained earlier, our exploit of the vulnerabilities in the Pict.Mobi plugin allowed for RFI, Arbitrary Code Execution and Backdoors on our test site.
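To make the signature caveat concrete, here is an added example (not NinjaFirewall’s code; the two patterns are illustrative and are not its actual rules) that matches request signatures drawn from the tests above against constructed access-log lines. Each request URI is percent-decoded and case-folded before matching, so a trivially re-encoded copy of the same payload still hits the rule, while anything the signature list does not describe is still invisible to it. The log format, IPs and timestamps are constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Illustrative signatures for the two URL-based attacks exercised in the review
# (UNION SELECT injection, local inclusion of wp-config.php). Constructed for this
# example; they are not NinjaFirewall's actual rules.
SIGNATURES = {
    "sqli_union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "lfi_wp_config": re.compile(r"(?:\.\./)+.*wp-config\.php"),
}
# Apache "combined" log prefix: client IP ... "METHOD URI HTTP/x.y"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalize(uri: str) -> str:
    """Canonicalise a URI before matching: percent-decode twice (unwraps a
    double-encoded payload), collapse whitespace, lower-case. Without this a
    literal pattern would miss "%2520uNiOn%2520sElEcT"."""
    decoded = unquote_plus(unquote_plus(uri))
    return re.sub(r"\s+", " ", decoded).lower()

def match_signatures(uri: str) -> List[str]:
    """Names of every signature that fires on the normalised URI."""
    text = normalize(uri)
    return [name for name, pat in SIGNATURES.items() if pat.search(text)]

def scan_access_log(lines) -> List[Tuple[str, str, List[str]]]:
    """(client_ip, raw_uri, matched_signatures) for each request that hit a
    signature; lines that do not parse as combined-log entries are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri = m.group(1), m.group(2)
        hits = match_signatures(uri)
        if hits:
            findings.append((ip, uri, hits))
    return findings

# Constructed log lines (documentation-range IPs): the review's Firestorm payload,
# the same payload double-encoded and mixed-case, a generic traversal to
# wp-config.php, and an ordinary page view.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /wordpress/wp-content/plugins/fs-real-estate-plugin/search.php?ProvinceID=35335%20UNION%20SELECT%201,user_pass,3,4,5,6,7,8%20from%20wp_users HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2017:13:56:01 +0000] "GET /wordpress/wp-content/plugins/fs-real-estate-plugin/search.php?ProvinceID=35335%2520uNiOn%2520sElEcT%25201 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2017:13:57:12 +0000] "GET /wordpress/wp-content/plugins/example-plugin/view.php?page=../../../wp-config.php HTTP/1.1" 403 221',
    '192.0.2.9 - - [10/Oct/2017:13:58:40 +0000] "GET /wordpress/?p=12 HTTP/1.1" 200 9034',
]
```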
● The firewall modifies .htaccess files
NinjaFirewall backs up the PHP INI and .htaccess files that it has to modify, but modifying the .htaccess file in itself can wreak a lot of havoc on your site. The .htaccess file controls a lot on your WordPress site. One of its more obvious functions is access control (i.e. which users are allowed to your website), but it also dictates how files with certain extensions run on your site. This is why any minor slip-up with this file could cause your server to majorly malfunction. Just to be on the safer side, we recommend that you perform a backup of your entire site rather than just the .htaccess file. That way even if something breaks, you can always roll back to a working version of your site.
● Modifying the .htaccess files and php.ini files slows down your site
.htaccess allows you access to the configuration of directories on your website even if you don’t have access to your web server’s (e.g. Apache) main configuration file.
This means, when your site is configured to direct traffic based on the modification made to .htaccess, Apache has to look for, and load all the .htaccess files on any request made to your site. As a result, your WordPress site’s load time increases.
It’s a good way to direct traffic when your main server configuration file isn’t accessible, but otherwise it isn’t a great thing.
● The firewall interrupts backup operations regularly
NinjaFirewall triggers false alarms when WordPress backup plugins are run, and sometimes doesn’t allow backup plugins to back up the site at all. The firewall also has to be disabled before migrating your site to a new IP address.
● Can’t manually install NinjaFirewall
As mentioned earlier, NinjaFirewall might log you out of your WordPress site and deny you access if you use an FTP client to make changes to it, or even to uninstall it. Anything that you need to do with respect to this plugin has to be done from your WordPress dashboard.
NinjaFirewall seems like a powerful tool against known attacks that match its signatures. But the thing is that most hackers know these signatures, and know that most security measures protect against them. So they modify the signatures to perform more successful, and at times more devastating, attacks.
Alerting you to attacks after they’ve taken place isn’t something a lot of website owners can afford, especially given the damage hacks can wreak. However, having a hack cleaner might help you scan for, and remove, the malware that causes the damage. In any case, it’s always important to have a dependable backup service for your WordPress site.
Did you like this review of NinjaFirewall? Would you like to see other firewalls tested too? Let us know in the comments!
BlogVault has developed, and in collaboration with Pantheon created Pantheon Migrations. Pantheon is the world’s largest website management platform, delivering Drupal and WordPress as a service. Pantheon’s multi-tenant, container-based cloud platform enables web teams to build, launch, and run all of their websites from a single dashboard with ease.
You can now migrate your WordPress sites to Pantheon with ease. Just input your SFTP credentials, email, and the destination URL, and you’re good to go. Pantheon will notify you when the migration begins and completes via email. You can also track the progress of the entire process on our website, via your BlogVault dashboard.
For us, at BlogVault this is the latest partnership for migrations. Previously we have partnered with other companies like WP Engine, Savii, & Cloudways. Now you can enjoy the convenience and expertise we strive to bring you while migrating to Pantheon as well.
You can always enjoy easy migrations with our backup plugin, BlogVault, too. Apart from backups and migrations, the plugin also offers auto-restore, test-restore and security settings to improve your WordPress website’s security posture.
While the partnership adds an exciting page to BlogVault’s story, we’re also looking ahead. Our mission of developing the best in WordPress backup and security has led us to our next product. It’ll launch shortly and promises to change the way users deal with WordPress security issues on their sites. Until then, stay safe and don’t forget to backup!