Over the past few months, we’ve been working on a number of changes at BlogVault. Not only do we have an improved UI, we’ve also got a bunch of new features that are bound to make managing your WordPress site a lot easier and more secure.

BlogVault has got a new dashboard that is better in every way, from allowing users to access our features more intuitively, to providing more than just backups.

Let’s take a look at a few of the changes, shall we?

Your BlogVault dashboard now has two major areas:

  1. Site Listing
  2. Site Details

Each area has specific functions, and together they provide:

Ease of Use

BlogVault’s new site listing feature helps you see all the sites you’ve added to your BlogVault dashboard. From this part of the dashboard, you can filter sites based on their status:

The BlogVault dashboard's Site listing page

‘Active’ sites are those that have the BlogVault plugin installed on them, and use the plugin regularly.

‘No Plugin’ sites are those that have been added to your dashboard but haven’t got the BlogVault plugin installed. (This could also be because of a problem during installation.)

‘Unreachable’ sites are those that have the plugin installed but that our servers are unable to reach, either because of a connectivity error or, probably, because of firewall or network settings.

‘Hacked’ sites are those that the BlogVault plugin has detected malicious files on.

We built in this categorization of sites to help you see exactly what’s going on with your sites at a glance. Moreover, the Site Listing page also allows you to find a particular site based on the tags it might have (more on this later).

Easier Account Control

With our revamp, we’ve also changed your account and billing settings so they’re easier for you to manage.

The 'My Account' drawer opens up all the details related to your dashboard and subscription, easily.

Everything related to your BlogVault account is easily accessible, and easily changeable too from the ‘My Account’ drop-down. You can change anything about your account, from your email address to the BlogVault subscription plan you’re on.

Your profile on the BlogVault dashboard gives you important details at a glance.

Optimized for Teams

This brings us to our other new addition: the option to add team members to your BlogVault account. Our new Account settings allow you to manage a team that can handle every aspect of backup, management and security of the sites linked to the BlogVault account.

BlogVault’s new dashboard is optimized so you and your team can manage and secure sites.

New, Improved Features

BlogVault now comes as a comprehensive package that allows our customers to back up, manage and secure their websites in every way. All you have to do is click on any active site from your Site Listing page.

The BlogVault dashboard gives you a plethora of options to help you manage and secure your site too!

As you can see, we offer you WordPress backups, but also management and security settings that help you manage and secure your WordPress site. While the old UI allowed you to see all the features on the right in a sidebar, we’ve revamped BlogVault to let you see it all under each option (Backup/Management/Security).

Backup features

Our backup features have always been functional enough to rely on completely, but with our new UI, they’re more accessible, and easier to use.

Backup features on the new BlogVault dashboard

History

The History tab has been given a full revamp, and allows you to see the last 30 backups made of your site more clearly. You can see exactly what happened with each backup, and add notes more easily as well.

Again, as you can see, you can select any backup version you have and choose to migrate, test restore, or automatically restore from it. You can also upload any version to Dropbox, or add notes to help you differentiate versions.

Download Backup / Upload Backup

The ‘Download Backup’ and ‘Upload to Dropbox’ options are very different functions, but they share a single form that requires the following:

  1. The backup version you would like to download (or upload from)
  2. Your site’s database credentials
  3. Your hosting server’s credentials (which come under Advanced Options, along with the next option)
  4. A choice of whether you’d like to store either tables and files, only tables, or only files from your WordPress site

There is also a section that requires your HTTP Authentication credentials, which are your WordPress site’s credentials.

Both ‘Upload to Dropbox’ and ‘Download backup’ functions use the same form

Migrate

The ‘Migrate’ option allows you to easily move all your site’s content and functionality to a different domain name or a different hosting service. All you require for this option are the FTP credentials of the new site/domain/hosting service you’d like to move to.

Migrating with the new dashboard (the Auto Restore and Migrate features use the same form)

Auto Restore

Perfect for when your site suddenly goes down, the ‘Auto Restore’ backup option uses the same form, except that it requires the FTP credentials of the site you’d like to restore (which is your current site).

As you can see from the previous screenshot, we’ve also got a handy FAQ section on the right for all migration and auto-restore-related FTP questions, so you have all the answers at your fingertips.

Test Restore

This option creates a test-environment (a replica), based on the latest backup version of your site, complete with the links, videos, images, and everything else on your site. You can click on these links, and they’ll work like they would on your site. Once BlogVault is done creating this test-version of your site, we mail you the link you can access it on, along with its FTP details, so you can experiment and see if you want to make any changes to your site.

If you’d like to make a Test-Restore of a different backup version of your site, you’ll have to go to the History tab, select the desired backup version, and then restore from it.

You can perform a Test Restore with a single click

Backup Now

BlogVault automatically backs up your WordPress site every 24 hours, but if the next scheduled backup is just too far away (such as when you want to make a significant change but want to make a backup just before), this option comes in handy.

The Backup Now option also shows up on the Management and Security functionalities (just look for the following icon):

Backup Now icon

This allows you to back up your site before making any changes to it.

Management Features

From allowing you to manage your WordPress site’s users to helping you update the plugins and themes on your site, the Management feature lets you manage your WordPress site so that it stays secure against threats.

The Management features now available on your BlogVault dashboard

Manage Plugins

You can manage all the plugins and themes installed on your WordPress site from this option. This means you can see the version you have of each, and choose whether to update specific add-ons or all of them.

Manage Users

With the ‘Manage Users’ option, you can remotely delete, or change the role or password of those who have access to the site, without having to log in to your WordPress site’s dashboard.

Managing your WordPress site’s users with the BlogVault dashboard

Security Features

We also have a Security feature that helps you harden your WordPress site, as well as clean malware and hacked files with a single click. Moreover, since our scanner is built to be accurate and intelligent, it detects the most complex hacks, without raising false alarms, or alerting you of ‘possible hacks’.

The Security features on the BlogVault dashboard let you harden your site against future attacks, see hacked files when you have a hack, Auto Clean with a single click, and scan your site whenever you want

Secure Site

The BlogVault dashboard now features hardening settings under the ‘Secure Site’ feature. These are settings recommended by WordPress that help make your site more secure against hacks. We’ve categorised these settings into two sections: Basic, and Advanced.

Here is a look at some of the basic security fixes:

Basic Secure Site settings

The advanced security fixes require some caution, though: even if they can’t break your site, you won’t be able to install new plugins or themes on your site while you have them enabled.

Advanced and Paranoid Secure Site settings

The convenient thing about these settings, though, is that to enable (or disable) them, you only have to select the ones you’d like to enforce or remove, enter your WordPress site’s FTP credentials, and select the folder that your WordPress site is installed in.

Hacked Files

This option only appears when you have a hack on your WordPress site. It identifies the hacked file for you and pinpoints it, so you can look specifically at that one file, if you want to. If you’d rather just clean out the hack with a single click, you can do so by clicking on the ‘Auto Clean’ button.

When you click on 'Hacked Files', a list of just the hacked files appears. You can choose to clean them automatically by clicking on the 'Auto Clean' button.

Auto Clean

Another feature that only appears when you have a hack, the Auto Clean function helps you remove malicious code on your site with a single click. Since we’ve built our cleaner to even identify complex hacks, you can choose to remove them immediately, without technical assistance.

Once you click on the Auto Clean function, you are taken to the form asking for your WordPress site’s FTP details.

Clicking on the ‘Auto Clean’ button takes you to the same FTP form that appeared for ‘Migrate’ and ‘Auto Restore’

Once you enter your WordPress site’s FTP details, your site will be cleaned.

Scan now

One of the most revolutionary additions to our dashboard, the ‘Scan Now’ feature allows you to scan your site for hacks at any time. Our malware scanner looks for hacks based on the actions the code performs, rather than signatures or keywords. So no more backdoors, or recurring hacks. Before scanning your site, we run a backup so you always have the latest version of your site to fall back on.

When you click on ‘Scan Now’, the dashboard backs up your WordPress site

Better Navigation

We’ve tried to make the new dashboard as functional as possible. One of the steps we’ve taken in this direction is the addition of ‘Quick Links’ that help you download backups, migrate backups to a new location, or restore them with a click. This section also has ‘Resources’, which give you a quick snapshot of everything you need to know about your WordPress site. Perfect for emergencies, the icons for these functions, and the information related to your site, are right under your site’s thumbnail, on the Site Details page.

Features and information on the left for better, easier navigation

Since these features are built into BlogVault’s dashboard, we back up your site automatically before making any changes to your WordPress site. This makes it a comprehensive solution to help you manage your site in the most secure way possible. BlogVault has always been focused on giving our customers the best experience, in the most reliable, sensible way, and we hope you’ll find our new makeover to be as practical as we intended it to be.

If you’ve got questions about the new dashboard, or suggestions, do reach out to us here.

Storing WordPress backups on your PC can quickly become laborious and the risks outweigh the convenience or economic benefits. Find out why.

Storing your WordPress backups locally means storing them on your PC or desktop. The other option is to store them on an external storage device like a USB drive or an external HDD/SSD.

Saving backups of your WordPress site to your computer seems convenient, but how reliable is it?

In this article, let us look at how you can do it and why you may be looking at this option, and also answer the question that matters the most: should you do it?

How To Make WordPress Backups Locally

There are 3 ways through which you can download backups to your computer:

  • Manual WordPress Backup Download
  • WordPress Backup Download via cPanel
  • Plugins

Manual WordPress Backup Downloads

You can download WordPress files by using an FTP client such as FileZilla or Cyberduck. Making a full backup includes backing up files as well as your WordPress site database. To make WordPress database backups you can use phpMyAdmin.

However, once you download your backup files, labeling and organizing them is important. Otherwise it may be impossible to find the desired version when you want to make a restore.

cPanel

Usually web hosts provide a cPanel account to users. Using the cPanel tools Create Backup or Backup Wizard, you can download backups. Again, these backups are usually .zip files with dates in their filenames. However, that is not enough information when you make regular backups. You may have to spend more time organizing your backups with descriptions to ensure restores are easy.

Plugins

Most WordPress backup plugins, or at least all the popular ones, offer the option to download WordPress backups to your computer. However, regardless of the WordPress backup plugin you use, downloadable backup files, especially of the full site, are available in .zip format. On top of that, not all plugins give you the option to download individual files. This means we are back to our recurring theme: downloading and storing backups also means maintaining them.

Storing WordPress Backups Locally

There are some key concerns when thinking of destinations for WordPress backups.

  • Storage space
  • Security
  • Organization
  • Restoration Issues
  • Ease of use

An ideal WordPress backup solution addresses all of these concerns.

Pros and Cons of Storing WordPress Backups Locally

Storage Space

Backups must be made regularly, daily if possible. If you are making regular backups, then storage space will become a concern for you. Your PC’s internal HDD will eventually run out of space. You can solve the problem by investing in an external HDD/SSD, or USB drives dedicated to storing your backups, especially if you have large sites and you make regular backups. If you use USB drives, for example, you may be forced to make backups only once in a while and overwrite previous copies. This is not a good solution.

Security of WordPress Backups

Making a backup is a security measure, which means your backups must be secure. However, storing them on your PC or on a storage device is not the best idea when considering the security of backups.

Malware

Backups stored on a PC may be infected with malware from a few sources. The malware may already be on your computer, your browser may have been infected by malware from an unsafe site, or your backup files may be corrupted by malware on external storage devices like USB drives or HDDs/SSDs.

Storage Location

Apart from malware issues, there is the concern of where your backups are stored. Even if you have a dedicated external storage device (HDD/SSD), it may not be enough, as these devices are not reliable. They do have failure rates, and may crash or be infected with malware, as they have to connect to your computer at some point. HDDs/SSDs may also stop working due to heat or natural wear and tear. On top of all this, if you choose to store backups locally on a hard drive, then your backups are in a single location, which raises the risk of losing them significantly. As a result, such devices may not serve as the most secure environment for storing your backups.

Organization

Downloaded backups have to be organized if they are to be useful when you have to restore your WordPress site. Consider that your site is down and you have to restore it. If you are left going through all your backup versions one by one trying to make the right decision, then you might spend a lot of time and effort which you could have invested in developing your business ideas.

Restoration Issues

Manual downloads or locally stored backups usually mean manual restores too. This may suit some developers or those who have spent time working on WordPress but for the majority who are business owners, or bloggers who are utilizing the CMS, this may not be a viable option.

Restorations usually have to be done via your cPanel account or via an FTP client and phpMyAdmin. There are often limits to the size of files that can be uploaded via cPanel or phpMyAdmin. These restrictions can cause restores to fail. Again, the lack of backup descriptions and of easy options to make restores together make extra demands on your time and energy. Expending this extra effort may be unnecessary if you utilize a complete WordPress backup service.

Ease of Use

First of all, this is a manual process. If you are following best practices, then you have to make backups daily. This can get tiring, and worse, you may forget to make backups at all.

After taking all of the above points into consideration, the answer to this one seems to be clear. Storing WordPress backups locally doesn’t seem to be a great idea. However, there may be a couple of benefits. It is an economical option, and you can be sure that backups are done, as making manual backups or downloading them from plugins allows you to keep track of your backups.

However, even in these cases, you may end up spending on storage devices, or on professional help when you need to restore. Along with those issues, if you account for the time spent doing the work (making, downloading, organizing, and maintaining backups) and the time spent worrying about their safety, then the economic benefits and the certainty about backups being done seem to be nullified.

Instead, choose a professional WordPress backup service like BlogVault for worry-free backups, so you can do what you do best. A premium WordPress backup service would allow you to easily track backups, make one-click WordPress restores, and even make one-click WordPress migrations, leaving you worry free.

While it is easy to be online with a WordPress site, the real task starts after you are online. Do you know all the things that can go wrong with your WordPress site? Read on to find out.

Every person wanting to start a blog or a small business has heard the words “you can be online in just 5 minutes”. This is true and this is what makes WordPress popular. However, very few people realize that owning a self-hosted WordPress site is only the beginning. There are many things that could go wrong with your site, right from accidentally deleting files, posts or plugins to a bunch of problems with your hosting provider.

A number of things could go wrong with your WordPress site

A WordPress site and its web host need to fit well together. Finding the best fit for your WordPress site might take some trial and error. Even if you do find the option with the least worries, there are still many issues you can run into. The key lies in knowing what the potential issues are and finding answers to as many questions as possible from the start. This is a list of many possible things that can go wrong with your WordPress site.

WordPress Host Hardware Issues

Hardware at a web host is one of the most common sources of problems. Everything from overworked hard disks, power surges and heating issues to natural disasters and accidents can cause hardware failures.

Hard disks are usually said to be the hardware component that fails most frequently. It is not surprising, because most hard disks (which are HDDs) rely on moving mechanical parts. This increases not only the probability of wear and tear, but also heating due to friction, and the rate of failure. This is true when compared to the alternative to the HDD, the SSD. SSDs have no moving parts, are silent and reduce the chances of heating too, but they are more expensive and have a high failure rate too.

Heating issues are generally exacerbated by outdated hardware or by insufficient cooling infrastructure. On the flip side, if a hosting provider stuffs a room with servers, then the cooling infrastructure might prove to be inadequate, automatically heating the hardware as well as the environment. This increases the hardware failure rate and, more likely, the heating causes performance lags in the servers and in turn in your WordPress site.

Something you may not pay attention to is the location of your web host’s infrastructure and how prone that location is to natural disasters. If your web host is in a location that is prone to flooding, earthquakes or tornadoes, then you might want to ask them about the preparations they have made in case of such eventualities. Even in cases of heavy storms, lightning has hit data centers, causing damage.

It is not just natural disasters: even accidents can cause unexpected trouble, such as the freak accident in which an SUV crashed into a building, knocking out the power generator of a data center.

Your WordPress Site Is Hacked

WordPress is not only the dominant entity in the CMS market now, it is also the fastest growing CMS. This means that WordPress is big and here to stay for the foreseeable future. This popularity provides hackers a large target.

WordPress is open source software, dependent on plugins and themes, and popular. All these points contribute to the CMS being a popular target of hackers.

While vulnerabilities in WordPress core are patched quickly, the security-through-transparency model means that anyone keeping tabs on WP news knows which vulnerabilities were found, where they were found and what the patch is. This system is just part of the deal when dealing with the open source WordPress platform.

Because WordPress depends on plugins and themes to make it extensible, it is also in a unique position: one of its biggest strengths is also the source of most of its vulnerabilities.

Remember, modern day hackers are not targeting sites but have bots crawling the net searching for vulnerabilities. If you are not following basic security practices, like updating everything, then your WordPress site is at risk.

Hosting Provider Issues

While creating a WordPress site may be easy, hosting it can bring up many complications. This is especially true for WordPress sites on shared hosting. On shared hosting, your server might be overloaded if your hosting provider hosts too many sites on it, affecting the performance of your site.

Apart from site performance and uptime, you also have to worry about the name server going down, your hosting provider getting hacked, your account being suspended by your hosting provider, or your hosting provider going out of business.

Natural Disasters & Accidents

Hosting providers even today are affected by natural disasters and accidents. While your web host’s infrastructure may be built with disasters such as earthquakes, floods and tornadoes in mind, it might not be true for all data centers. The best defence of course is to ensure that data centers are not built in such locations. However, this is not always possible in the 21st century. The next best option is to be prepared.

This is equally true for accidents too. Not only can accidents cause significant damage to your web host, they can also impose significant financial losses on both your web host and you as a WordPress site owner.

The cost of downtime is going up all the time, because it means not only the accountable loss in transactions for e-commerce sites but also the more qualitative loss of credibility in visitors’ eyes. Even if it is not that serious, you could simply lose visitors because there is no destination for them to see and engage with.

It is best to plan for a WordPress backup solution that is truly a disaster recovery plan. This means not only reducing or eliminating dependence on your web hosting service, their infrastructure or their backups, but also protecting your WordPress site from damage caused by weather that may affect your web host.

Software Issues

WordPress is of course an open-source CMS which is extremely popular. This also means that a large number of novices are developing for/on it. Such processes make WordPress extensible and contribute to its popularity, but also expose it to exploits.

However, along with security scares, bad code on WordPress themes and plugins cause the following compatibility and performance issues:

  • Compatibility with WordPress
  • Compatibility with the theme
  • Compatibility with other plugins installed on the site
  • Proliferation of plugins
    • Security concerns
    • Performance lag

Apart from all these issues, bad code might lead to the dreaded ‘White Screen of Death’ too. Updating plugins and themes with bad code is one of the reasons for this to occur.

Updating WordPress Plugins & Themes

This means that updating, which is a necessary security step, becomes a serious concern for WordPress site owners. The site may stop being functional and, depending on the seriousness of the issue and the availability of redundancies, your site could be down for hours.

In such cases you have a few options that might ease your burden:

  • To start off with the basics, making WordPress backups must be the first step of updating your themes & plugins.
  • If you’re using a backup service that allows you to test your backups before you restore, then you can even use it to test updates before making changes to your live site.
  • Also, in case you make updates to the live site and it doesn’t work out for you, then you can simply restore a backup. This saves time that might have been wasted in figuring out which plugin is at fault for taking your site down.

Human Errors

With a self-hosted WordPress site, human errors can occur from two ends: you, the WordPress site owner, or the web hosting company.

Site owners

Accidental file deletions

As a site owner you may delete files, plugins, or even posts. Recovering these may be a difficult job if you do not have them backed up, because not all web hosts make WordPress backups and, among those that do, not all do it on a daily basis.

Not Renewing Hosting Contract

This seems like a simple enough point, and in the modern world with email reminders it seems like a point that shouldn’t be in this section, but it happens often enough that we can’t leave it out. In this case, you must know what your web hosting company’s policy is regarding your data.

Hosting Providers

Accidental file deletions or system reboots have been reported often enough now for them to be part of our checklist to test the efficacy of a given WordPress backup plan. Unlike with individual site owners, when a hosting provider runs a script deleting a file or reboots a section of the data center, the scale of the consequence is much bigger. Don’t get me wrong, I don’t mean to underestimate the damage of a single business site losing all its customer- and transaction-related data. However, generally, errors by hosting providers tend to have a bigger effect in terms of scale than a single WordPress user deleting a post on their site.

Data Center Issues

A data center can be divided into four parts:

  • Building shell
  • IT equipment
  • Electrical Infrastructure
  • Mechanical Infrastructure – Cooling infrastructure

A data center may face issues in each of these four parts. Apart from this, your data can be threatened when your WordPress hosting service’s data center itself is hacked or hit by a natural disaster.

The building shell is obviously the first line of defense. It can regulate access and keep the inside equipment safe. The IT equipment is the very business of the data centers – this refers to the servers, storage and communication equipment. Servers and storage can fail either due to wear and tear, heating or power surges, among other causes.

Communication equipment like cables and switches is generally not easy to visualize. A single cable that is not connected properly, or is knocked off during maintenance, can cause a lot of grief. The same can be said of uplink failures, or when network switches fail or undersea cables get cut. A case in which a network switch failed and took down four popular web hosting companies is a good example of how such issues cause serious enough damage for you to consider them a threat to your WordPress site’s uptime.

We mentioned the importance of electrical infrastructure in the previous section. Equally important, and closely connected to the electrical infrastructure, is the cooling equipment and all the other non-IT equipment that the electricity powers.

If A Data Center Is Hacked?

If a data center is hacked then your data may be compromised. What is not obvious is that you may not always lose your data to the hacker. There have also been cases when data centers have gone out of business because of a single hack. This means even if your site may not be directly compromised, you might still have to find ways to secure your data.

The point to remember is that your data, meaning your website and your backups, is at risk even if your site/server is not hacked. This is why you must have backups which are completely independent of your web host’s data center.

Power Failures in Data Centers

Power supply is the cornerstone of good web hosting. An adequate and constant power supply powers not only the servers but all the other equipment required to keep the web host running: air handlers/cooling/heating/ventilation, lighting, UPS system and generators, fire suppression systems, alarm systems. Needless to say, a reliable web host must have adequate power backup which is tested and functional. If backups fall short, then you might be looking at frequent downtimes, which may add up to costing you a significant amount. Asking about your host’s power backup system may be an important factor in your decision-making process when the time comes to choose a web host.

Bad hardware such as outdated power backup systems, lack of maintenance, and lack of testing for power failure are all among the reasons why a data center may experience power outages.

Completely Independent WordPress Backups

It is natural to think, “I have backups. My hosting provider does it for free! I’m safe.” This, along with the addition of a moderate financial burden, turns most people away from backups. However, ask yourself this: can I access my WordPress backups when every single point mentioned above does go wrong? If not, then your WordPress backup is not a disaster recovery plan. It is as simple as that. The reason for this is that the functionality and security of your backups are dependent on your web host.

All WordPress backups have one purpose: WordPress restores. For this you might want to rely on a comprehensive WordPress backup service which is all about restores, BlogVault.

WordPress is a popular target for hackers because every website has something to offer them, and the returns on attacks are high.

 

Hackers gain something from every WordPress site

 

WordPress is the most popular CMS in the world, and a popular target for hackers too. The scale of the problem may make it seem like the hacks occur randomly and for random reasons. In reality, every website has something to offer hackers. The exact nature of the payoff also depends on the intentions of the hackers.

 

Hackers can be grouped into three categories, depending on the purpose behind their attacks:

White-hat hackers usually test a website or a computer system for vulnerabilities. They do not have malicious intent, and disclose vulnerabilities responsibly.

In the WordPress community, white hat hackers are either a part of a web security team, or are developers within the community who contribute by discovering vulnerabilities and helping protect the community against such risks.

Hacktivists (‘activists’ acting by means of hacking) target websites mostly to bring awareness to socio-political issues, but the means they pursue for these ends are questionable. This is why it’s difficult to categorise what they do. Most of the time, hacktivists deface websites, or publish sensitive information.
Examples of hacktivists defacing websites range from Anonymous’ hack of the Philippine Comelec that asks questions, to the defacement of the ISIS website with ads for performance-enhancing drugs. Hacktivists could also publish sensitive information. Examples of such attacks include the Panama Papers leak, and the hack of the CIA and FBI websites that released officers’ personal information and put them in danger.

Since the classification of what hacktivists have to gain, and the means they use to achieve their ends can fall in gray areas, we’re going to exclude hacktivism from this article.

Black-hat hackers hack websites indiscriminately, purely for more ‘materialistic’ gains. They exploit vulnerabilities to their own ends. Any website can be targeted by these hackers, since they are not looking to test a specific system for vulnerabilities, nor do they want to further a socio-political agenda.

 

What Black-hat hackers can gain from hacking websites

Black-hat hackers could gain one of three things from hacking websites:

  • Reputation
  • Access to resources
  • Information

 

Reputation

In terms of technical know-how, and the scale of the reputation they seek, black-hat hackers could be ‘script kiddies’, or ‘experienced hackers’.

‘Script kiddies’ depend on tools to perform hacks. While the scale of the havoc they wreak can vary in degree, they usually hack websites to be accepted, or to gain reputation among their peers. They usually don’t have criminal intent. However, the more they learn, the more they could move towards higher levels of experience and reputation.

Garnering reputation among other black-hat hackers depends not only on the technical know-how they have, but also on the damage they have the ability to wreak independently. This is when/why they move away from readily-available tools, and craft malicious code of their own that can bypass usual security measures on websites.

‘Experienced’ hackers look to earn a more ‘professional’ kind of reputation. You might know that there are black markets for the sale of illegal goods, but there are similar establishments for cybercrime too. One such black market/forum was Darkode. Hackers have profiles on these websites and are ranked. These hackers look to earn higher ranks so that their ‘customers’ will pay more for their services, and their work will be recognized more.

How high a hacker’s rank is, on cybercrime forums, depends on:

  • The number of sites they’ve hacked.
  • How proficient they’ve been (the difficulty of the hack).
  • The reputation of the sites they’ve hacked.
  • How satisfied their customers are with their ‘service’.

In short, even if your website has great security, it’s better for them: they get a better ranking if they succeed in hacking your site.

For example, if your site had tight security, and a hacker successfully retrieved the contact information of all your customers, they would be doing it only to garner reputation and would have no use for the information afterward. They could go ahead and publish it on the cybercrime forum so other hackers could use the information to send spam mail to your users, send them downloadable malicious code, or send them mails crafted for phishing.

 

Access to resources

The resources on your WordPress site include your site’s database, the server it’s hosted on, as well as the users and visitors to your site. Black hat hackers hack your website in order to gain access to these resources. Attackers have a number of ways that they could exploit your site’s resources:

  • They could plant malicious code on your site to do anything they need to do, without the action getting traced back to them. An example of this would be that of hackers planting malicious code on your server to send their spam mail to your site’s visitors. This would not only get your server blacklisted by mail servers, but also could lead to your WordPress site getting blacklisted by search engines (since it has malware).
  • They could use your site to perform Black Hat SEO practices that allow them to hijack your site’s traffic and redirect it to their own websites, or their customers’ websites. A common type of attack on WordPress sites that uses this technique is the WordPress Pharma hack.
  • They might use malicious code on your site to trick the visitors of your site into downloading malicious software to their computers.
  • Cross-site scripting attacks could be used to steal cookies from your site’s visitors and use their credentials.
  • They could use your server as a bot in a DDoS attack.
  • They could manipulate your site to trick users into entering sensitive information that could be used for phishing.
  • They could use ‘ransomware’, which is malicious software that doesn’t allow you access to your resources, your website, or important files on your website unless you pay up. Ransomware keeps popping up in tech news because of technology’s progression into the Internet of things (smart home appliances that can be connected to the internet). In the context of websites, ransomware could be used to either lock you out of your site, or encrypt all the data on your website until you meet the hacker’s demands. If you don’t give in to the hacker’s demands, they could keep all the data from your WordPress site to themselves until you do, or worse, delete it all. The only sensible way to protect yourself from such an attack, is to have a reliable WordPress backup solution that has updated backups of your site.

 

Information

As any website owner knows, information is probably the most important thing on a website. From your site’s data to your visitor’s data, all of the information on your website is unique to you, and is hence valuable.

Hackers could hack your site to retrieve information that belongs to your site’s visitors, such as their personal information (which includes contact information, photos, medical records and other information about their identity), or financial information.

Hackers could use this information in the following ways:

  • They could use it for their own purposes (such as to send spam mail). Sending spam mail from your website’s server could get it blacklisted by search engines, and other mail servers.
  • They could publish sensitive information from your site.
  • They could sell it to others looking for this kind of information.
  • They could also retrieve confidential information from your WordPress site (such as information about your investors), and ask you to pay a ransom to make sure it isn’t published, or sold.

 

Publishing sensitive information

Sensitive information on your website doesn’t have to just be related to the financial information … it could be anything that is specific to just your site, such as the personal information of your site’s users (like their email addresses), that could be used in line with malicious intent (to fulfill a job request, to damage the reputation of the company whose information they publish, to help other hackers send spam).

For example, a hacker could publish your users’ email addresses, to ruin your establishment’s reputation and the trust your customers have in you.

 

Selling sensitive information online

This is another dangerous way hackers target the information on your site.

While some hackers sell personal information of celebrities online (like in the case of Pippa Middleton’s iCloud photos that the hacker attempted to sell), in the past few years, a number of medical websites have been targeted.

This is because social security numbers, medical and healthcare information could prove to be more valuable in terms of identity theft than even financial credentials.

Hackers who sell financial information are in a race against time; they only get the best price for their hard work as long as the credentials are recent, and valid. If the people whose information was stolen block their cards or switch banks, the hackers don’t get paid. However, with identity theft, the stolen information stays valid for much longer, and the payoffs for the buyer are considerably higher.

The parties that buy this information could use it to:

  • Create online loan applications
  • Create applications online for credit cards
  • Apply for prescription drugs
  • Create fake IDs

This poses a serious risk for any website, but especially for those that store any sort of user-information.

 

With reasons/aims like these, it’s no wonder that hackers continue to do what they do. They know that there is no such thing as a secure website, so any website can be hacked, and used to any end. The returns for them on hacking websites are high. This is why hackers who seek to obtain information or access to resources on your site make sure to keep their tracks hidden. They do this in order to utilise your site for as long as they can, and make sure to leave backdoors in inconspicuous files so that they can always gain access back to your site.

This is why the best way to stay safe is to have a solid disaster recovery plan in place. The prime element in such a plan would definitely be a WordPress backup solution like BlogVault that is truly reliable, and an intelligent malware scanner+cleaner, like MalCare, that leaves no malicious code behind.

 

WordPress has become the most preferred content publishing platform online, and its popularity is continuously growing. For hackers, this means a bigger target with greater payoffs. Are you, as a WordPress site owner, committing basic security mistakes that make it easier for them?

 

Common mistakes Website owners make

 

WordPress is the most popular platform to build websites on, and its popularity has only been growing. The CMS has something to offer anyone who has ever wanted to own a website. The WordPress community is supportive, and consists of developers who can build anything in code as well as code-averse site-owners who are given a world of add-ons to make their sites extensible, and more functional.

 

However, maintaining a WordPress site comes with a number of caveats, which are difficult to navigate. The case is worse for new site-owners, since committing a small mistake could knock their site offline, or make it vulnerable to hackers’ attacks.

 

Knowing the common mistakes made, and avoiding them, is key to keeping your WordPress site safer. This is why we’ve come up with a list of the basic security mistakes that WordPress site owners and users make. Are you making any of these mistakes currently?

 

1. Not updating WordPress and its add-ons

Now while the rest of our list talks about mistakes to definitely avoid committing, this issue is a little more complicated. This is why we’ve chosen to get this out of the way right in the beginning.

Everybody talks about keeping WordPress Core and add-ons (themes and plugins) up-to-date, for the sake of security, as well as to add new features to the site. However, you as a WordPress site owner, have one good reason for not doing so– incompatibility.

Your WordPress site could break because of:

Updating WordPress Core

There are two kinds of updates on WordPress Core that keep it up-to-date with the best features, and security measures on the web.

  • Major updates (like 4.5 or 4.6): These add new features and functionality to WordPress.
  • Minor releases like Release 4.5.1 and 4.5.2: These are dedicated to security patches, and bug fixes.

There are a couple of catches with these releases. For one, it can be cumbersome to keep up to date with all of them. Version 4.5, for example, was released on April 12, while 4.5.1 was released 14 days later, and 4.5.2 was released about 10 days after 4.5.1. Secondly, while WordPress Core upgrades are designed to be compatible with all the previous versions (even the first one), it doesn’t always work out that way. So when WordPress site owners update their WordPress Core, their site can crash.

Updating WordPress add-ons (plugins, themes, and widgets)

There are a number of problems you could run into while updating WordPress add-ons. Since the developers could be pressed for time or not have the expertise, they can’t make sure that their updates are compatible with every single version of WordPress. As a result, they could be incompatible with previous updates of WordPress Core. Moreover, even add-ons that are coded to be backward compatible might not be developed with other add-ons in mind. Lastly, add-ons’ updates contain significant security patches and bug fixes, which change the way they work and hence cause conflicts. One example of this was the security patch for RevSlider (a premium carousel plugin), that changed the way the plugin worked.

As a result, updating even just one plugin could cause your site to break. If compatibility issues between WordPress Core and an add-on are a concern, the safest route to take would be to ask the plugin developer to release an update for the plugin, while also looking for alternatives that work with your other add-ons.

The key to keeping your WordPress site secure is to update every part of your WordPress site. The consequences to your site, its data, and your site’s visitors are all too great to not update.

 

2. Buying/using bad add-ons

As mentioned, WordPress add-ons don’t necessarily have the stringent code quality or security measures in place that WordPress Core does. This is why it’s important for WordPress users and site owners to take care to pick a good theme/plugin. Every good add-on has one basic characteristic: it has good code. But even if you don’t know how to judge the code of a theme/plugin, there are a few characteristics which you can spot:

  1. They’re available via a reputed source: This means they’re on the WordPress.org repository, or with a well-known theme/plugin seller, like Themeforest, Elegant themes, etc. Just as with material goods, buyers should be wary of a premium theme being available on a questionable website at a huge discount.
  2. They have good reviews and ratings from genuine, long-time users.
  3. They’ve stood the test of time: The longer a theme or plugin has been available, the more bug fixes and security updates they should have.
  4. They get updated often and have been recently updated (in the past 2 months) from the developer’s side

Installing a bad theme/plugin could have a number of consequences for your site, whether in a way that affects function (such as slowing down your site), or in a malicious way, such as sending spam mail on your site’s behalf. Apart from all this, having an add-on with malicious code on your site causes search engines to mark your site as malicious, and hence blacklisted.

 

3. Using bad login practices

There are a number of simple login mistakes that WordPress site owners make, from sticking with easy to guess credentials, to staying logged in on their sites. This makes it easier for hackers, who usually use bots (just like search engine crawler bots), to look for websites with vulnerabilities.

Sticking with the default username (admin) reduces the time bots need to crack your login credentials by 50%. Combining that with the use of a weak password only makes attacks on the login page (like a Brute Force attack, or a Dictionary attack) that much easier. Once the bots crack your login credentials, the hacker can log in as you, and legitimately perform admin-level functions. This is why it’s important to enforce good login practices, and secure your WordPress login page. A simple way (and there are more ways) to protect your login page is renaming the administrator account to reflect a different username. WordPress site owners have to look out for legitimate ways to harden their login page though: some widely recommended practices, such as moving your login page to a custom URL, are unnecessary, and can ruin your site’s user experience.

 

4. Making every contributor to the site an ‘administrator’

WordPress sites have different system users with different levels of access, in order to give the site owner the power to assign responsibilities to different users. This also serves as a way to give those with fewer responsibilities, the access to only specific areas they need access to. This principle (known as the Principle of Least Privilege), is one of the basic elements of security on any system.

WordPress has five different user roles:

  1. Super admin or Admin: Has full control over add-ons, content, files, and users on the site. (Super admin is someone who has Admin access over multiple sites, and controls the network administration for those sites too).
  2. Editor: Has full control over content and files, can publish anyone’s content, and is allowed to add script tags for formatting.
  3. Author: Can only create, modify, publish and delete their content.
  4. Contributor: Can only read, edit and delete content. No publication rights.
  5. Subscriber: Can only read content. No other rights

So say you run a successful news website or a blog with a regular guest blogger contributing once a month… You would best assign the guest blogger the role of ‘Contributor’ or ‘Author’.

Assigning the ‘Admin’ role instead, however, will put your WordPress site at a greater risk. Just imagine what would happen if they deleted a post by another author, a plugin or even an Editor by mistake!

Giving users unrestricted access could also allow hackers to exploit your site more easily. A good example of this kind of damage was how TechCrunch got hacked by OurMine, a commercial security group that hacks accounts to publicize their services. The site was hacked using one of its contributors’ accounts.

 

5. Being a hoarder

Keeping old add-ons and users presents a number of opportunities to hackers. As a site-owner, it is only natural to experiment with plugins and themes. In the process though, it is easy to forget about unused add-ons in your site’s repository. However, since you no longer use them, you also don’t update them. This opens up your site to a number of exploits.

Forgetting to delete old users (especially contributors) long after they’re gone allows hackers to access your site legitimately after a previous hack (like a Brute Force attack). This is one of the ways WordPress site owners are hacked for a long time without even knowing about it.
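The account checks from points 3 to 5 (the default ‘admin’ username, roles higher than the job needs, accounts nobody uses any more) can be run over a list of your site’s users. The following is an added example, not BlogVault’s code: the sample users, the field names, the policy table and the last_active date are all assumptions, and WordPress core does not record last activity by itself.

```python
from datetime import date

# WordPress role slugs from the list above, lowest to highest privilege.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2,
             "editor": 3, "administrator": 4}

# Constructed sample data. Field names and "last_active" are assumptions
# made for this example; they are not a WordPress export format.
USERS = [
    {"login": "admin", "role": "administrator", "last_active": "2024-05-28"},
    {"login": "maria", "role": "editor", "last_active": "2024-05-30"},
    {"login": "guest_blogger", "role": "administrator", "last_active": "2024-05-02"},
    {"login": "old_intern", "role": "author", "last_active": "2023-01-15"},
]

# Hypothetical policy: the role each person needs to do their job.
# None (or a missing entry) means nobody can say why the account exists.
NEEDED = {"admin": "administrator", "maria": "editor",
          "guest_blogger": "contributor", "old_intern": None}


def audit_users(users, needed, today, stale_days=90):
    """Return (login, finding) pairs for accounts that break the rules above."""
    findings = []
    for user in users:
        login, role = user["login"], user["role"]

        # Point 3: the default username halves the guessing work.
        if login.lower() == "admin":
            findings.append((login, "default-username"))

        # Point 4: least privilege, compare the role held to the role needed.
        want = needed.get(login)
        if role not in ROLE_RANK:
            findings.append((login, "unknown-role:" + role))
        elif want is None:
            findings.append((login, "no-documented-need"))
        elif ROLE_RANK[role] > ROLE_RANK[want]:
            findings.append((login, "over-privileged:%s>%s" % (role, want)))

        # Point 5: accounts left behind long after their owner is gone.
        idle = (today - date.fromisoformat(user["last_active"])).days
        if idle > stale_days:
            findings.append((login, "stale:%dd" % idle))
    return findings


if __name__ == "__main__":
    for login, finding in audit_users(USERS, NEEDED, date(2024, 6, 1)):
        print(login, finding)
```

Each finding maps to one action: rename the account, lower the role, or delete the user and reassign their content.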

 

6. Not checking past uploads

Similar to hoarding add-ons and users, WordPress site owners also fall into the trap of never cleaning out their Media Library, the uploads folder, or the includes folder.

Hackers know this too. This is why they could easily upload a hack-file that looks like an image, and execute a hack later. This is how a number of exploits on the TimThumb vulnerability were carried out.

This method could also be used to create a backdoor. So even if malicious code is removed, and the WordPress site is kept up to date, it will still be susceptible to hacks.
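One way to check past uploads for files that only look like images, shown as an added example that is not part of the original article or of any BlogVault or MalCare product. The file names, the temporary folder and the harmless PHP snippet are constructed for the demonstration; the rules are a starting point, not a complete malware scanner.

```python
import os
import tempfile

# Leading bytes every real file of these types starts with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a PHP-enabled web server may hand to the interpreter.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}


def check_file(path):
    """Return the reasons a file in an uploads folder looks suspicious."""
    parts = os.path.basename(path).lower().split(".")
    exts = ["." + p for p in parts[1:]]      # every extension, e.g. .php.jpg
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if any(e in SCRIPT_EXTS for e in exts):
        reasons.append("script-extension")
    if exts and exts[-1] in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[exts[-1]]):
        reasons.append("image-name-wrong-header")
    if b"<?php" in data.lower():
        reasons.append("contains-php-tag")
    return reasons


def scan_uploads(root):
    """Walk an uploads tree; map relative path -> reasons, flagged files only."""
    flagged = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            reasons = check_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                flagged[rel] = reasons
    return flagged


def demo():
    """Build a constructed uploads tree in a temp dir and scan it."""
    harmless_php = b"<?php echo 1; ?>"       # constructed, does nothing useful
    jpeg_header = b"\xff\xd8\xff\xe0"
    samples = {
        "2016/05/photo.jpg": jpeg_header + b"\x00" * 32,    # genuine header
        "2016/05/avatar.png": harmless_php,                 # PHP named .png
        "2016/06/banner.gif": b"GIF89a" + harmless_php,     # valid header, PHP inside
        "2016/06/thumb.php": harmless_php,                  # script in uploads
        "2016/06/cache.php.jpg": jpeg_header + b"\x00" * 8,  # double extension
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return scan_uploads(root)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, reasons)
```

The banner.gif case is the one an extension or header check alone would miss: the file starts like a real GIF, so only the content check flags it.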

 

7. Not having a reliable backup solution to depend on

Having a backup solution for your WordPress site is paramount to security. Not only does having a clean backup of your WordPress site make it easier to restore your site in case of a hack or blacklisting, it also allows you to scan your site’s code for irregularities and fire-fight more efficiently. However, most WordPress site owners don’t realize that the solutions they’re relying on are not dependable, until it’s too late. Backups must be the perfect disaster recovery solution, so they should be fool-proof, and adhere to the best WordPress security practices. Not only should they be independent of the WordPress hosting service, but they should be independent of your site, be stored in multiple locations, and have both WordPress files and database encrypted and backed up.

If your site encounters a problem caused by anything from your hosting provider being hacked to the deletion of files, not having a good backup plan would lead to your site experiencing a long downtime or worse.

 

The mistakes listed in this article are basic, and yet widely committed by WordPress site owners. Keeping your WordPress site secure lies not in being sure of impenetrability (because there is no such thing as a perfectly secure site), but in making it harder for hackers to achieve their target.

 

If you commit, or have committed, any of these simple mistakes in the past, the best way to ensure that there is no malicious code on your site would be to invest in an intelligent auto hack cleaner for WordPress sites, like MalCare.

 

A data center is a complex entity in WordPress hosting. Do you know the different parts of a data center, what can go wrong in each of those parts, and how it can affect your WordPress site? Find out.

Many factors in different parts of a data center and its operations affect the performance of your WordPress sites. This could be due to a number of factors from simple hardware failures, to a breakdown in power supply.

Different parts of a data center and its operations affect the performance of WordPress sites

Breaking a data center down broadly will help us to understand these issues, and what can go wrong, in a clear manner.

Parts Of A Data Center

  • Building Shell
  • IT Equipment
  • Electrical Infrastructure
  • Mechanical/Cooling Infrastructure

Operational & Other Issues

  • Human Errors
  • Hacks
  • Natural Disasters & Accidents

What Can Go Wrong In Different Parts Of A Data Center?

Building Shell

Generally, little thought is given to the structure which houses the servers and all their accompanying equipment, yet its layout and design are the first line of defence against any errors. Right from setting up the perimeter and the first line of defence, to determining the amount of equipment that can reasonably be stocked in any place, the layout of the building is the definitive factor.

The building and how the layout is designed within it can also effectively implement access control protection in the form of magnetic strip cards, registry, etc. These points are crucial to ensuring that your WordPress site is secure.

Access control must be a concern for WordPress site owners looking for hosting services. Otherwise, slip-ups like the one that occurred at Joyent (the case when an operator error rebooted the entire section of compute nodes simultaneously), will be a serious issue with which to contend.

Mistakes are bound to happen even when all the checks are in place because there will be human, software or hardware errors. It is just that there are ways to reduce the frequency of such errors. However, you cannot always plan for accidents.

A driver in an SUV fell unconscious, and the vehicle accelerated towards the end of the road, hit the curb, went airborne and damaged the wall of a building, knocking out the generator inside it. The building was owned by Rackspace, and as a result of the accident clients had to experience hours of unexpected downtime.

IT Equipment

 

This refers to

  • Servers
  • Storage
  • Communications equipment

Servers

A host of hardware, software and operational issues can cause server failures. Hardware issues usually occur due to overheating, power surges and physical damage caused by accidents or natural disasters. Software issues occur over time if there is a lack of maintenance, or due to malware or viruses. Even if the equipment is not completely damaged, such issues can cause your site to lag, delay your site load times, or your site pages may not load at all.

Storage

Hard disks have failure rates, and heat, natural wear and tear, and power surges all lead to failure. This is true of all hardware equipment in data centers.

Communication Equipment

Communication equipment like a network switch failing can cause serious outages even though it is not an aspect of web hosting we pay much attention to.

Web hosting businesses are facing increasing demands to remain competitive and keep the prices down. At the same time there is consolidation with a single company owning many brands of web hosting under it. So, downtime from a network switch failure can have a ripple effect, and can affect multiple hosts at the same time.

It is best to diversify your backups in multiple locations to avoid being caught by surprise when facing such situations.

Electrical Infrastructure

While the IT equipment represents the business of the data center, electrical infrastructure is what allows it to function. Electrical infrastructure refers to the power supply and power backup equipment. Many of the claims that data centers make regarding uptimes and site performance depend on uninterrupted power supply. This means having effective and adequate power backups is crucial.

For a WordPress site owner, this information could help decide the hosting service to host their site on.

Power failures occur when the backup equipment is not tested: whether the batteries are functioning and charged, whether the power backup system kicks in immediately, etc. Otherwise sites might go down unexpectedly, leading to losses.

Mechanical Infrastructure

Mechanical infrastructure helps regulate the temperature, and this plays a crucial role in site performance and determines how dependable your hosting service is. Unregulated temperature can have a serious impact on your site performance.

Rise in temperature can also occur when too many sites are hosted on servers. This overworks the cooling equipment in the data center, and as a result fans may fail and exacerbate the problem.

Asking your web host about the access control, power backup and cooling they have could be crucial to estimating your site’s uptime and performance, especially if you have a large site with many media files.

WordPress Backups Are A Necessity

Apart from this, WordPress hosting services face the usual problem of hacking. In this case, even if the vulnerability exploited was not on your site, if your data center is hacked and your site is affected, then you could lose not only your site but your WordPress backups as well as any personal/sensitive information which may be stored on your site. Sometimes such losses are irreparable, not simply because of the impact of the hack, which itself may be severe, but because hacks have forced data centers out of business entirely. In such cases you may not be able to recover your data at all.

While there are many specialized WordPress hosting services available and the number is growing, it is important that you ensure that your site’s backups are not stored on your web host’s servers or equipment. That way you can access your backup even in the case of any such failure. This is simply a good way to make WordPress backups and increase redundancy.

WordPress backups are not a luxury but a necessity. While hosting services have gotten more efficient, demand and competition have also grown. This is especially true for WordPress hosting. With the growth of WordPress, the number of hackers targeting the platform has also grown. Added to these familiar threats, data centers continue to be affected by natural disasters and accidents.

It may be important to know where the data centers of your WordPress hosting service are located and how prone those locations are to natural disasters. In such cases you may also want to ask your hosting service the kind of preparations they have in place in case of such eventualities.

Now that you know broadly all the pain points of a data center and how they can affect your site, opt for a WordPress backup service like BlogVault which secures your backups and diversifies their location effectively. After all, redundancies are useless if they are exposed to the same danger to which your WordPress site is exposed.