Frequent WordPress backups contribute greatly to efficient WordPress restores. The battle is between resource-consuming hourly backups and infrequent backups, which increase the risk of data loss. Do you know what the right answer is?

The frequency of WordPress backups is a much-discussed topic. At BlogVault we believe that, ideally, WordPress sites must be backed up at least once a day. This is a logical idea when you consider that all backups are meant for recovering your site. This means you want to minimize data loss when you restore your WordPress site.

A daily backup, however, is not a ‘golden frequency’. Different types of sites require backups to be made at different frequencies. Daily backups strike a balance between minimizing data loss and not consuming too many resources of your WordPress site’s servers. Backing up more frequently, however, especially when done inefficiently, may affect your site’s performance. On the other hand, backing up infrequently, such as on a weekly or monthly schedule, may mean that you lose a substantial amount of data.

How frequently do you back up your WordPress site?

WordPress Backup Frequency

Why Make Daily Backups?

We mentioned that daily backups ensure that updates to all the posts and pages of your site are saved. WordPress users who manage smaller sites may feel that daily backups are not as important. This may be because the website is not updated with new content. However, we have to remember that WordPress sites run on plugins and themes, which are updated often. Older backups will not contain these updates, and restoring them is not very efficient. This can also cause security concerns, as plugin and theme updates include security updates too.

Restoring from Older WordPress Backups

If older backups are restored, then you may have to go back and update all the plugins, themes and maybe even WordPress core. This may not be feasible in case you own multiple sites or have many plugins and themes on your site.

Also, backups bring up compatibility issues. If you restore older backups, you can only test for these issues after the site has been restored and the updates are made. However, the more recent the backup, the easier it is to test for functionality. Of course, with a WordPress backup service like BlogVault you can test your backups with a single click.

What Type of WordPress Site Do You Have?

E-commerce sites & Popular Blogs

While daily backups are a great option, for e-commerce sites and popular blogs they still may not be enough. For e-commerce sites, it is crucial to track transactions, data on pending orders, and the delivery status of orders with utmost immediacy. For popular blogs, including news sites, comments and content can be generated very regularly. In such cases, real-time backups are the answer.

Real-time Backups for WordPress Sites

Backups in real-time are meant to save every change as soon as the changes are made (or at least as quickly as possible). The concern with this is, of course, the effect on WordPress site performance. However, when done right, real-time WordPress backups can be a comprehensive solution.

Real-time backup solutions for WordPress sites track changes and back up only those changes to the site as quickly as possible. Since only the changes are backed up, even large sites with frequent updates and changes can be completely backed up without affecting site performance. However, there are different methods to achieve this result, and results vary depending on how effectively your backup plugin does the job.

Frequency is Key to Having Secure WordPress Backups

If backups do not allow you to make efficient restores, then the point has been missed. Making daily or real-time backups is key to having functional backups which are ready for restores. A WordPress backup service can allow you not only to automate the frequency of your backups, but also to ensure that your backups follow other best practices of WordPress backups as well.

Storing WordPress backups on your PC can quickly become laborious and the risks outweigh the convenience or economic benefits. Find out why.

Locally storing your WordPress backups means storing them on your PC or desktop. The other option may be to store them on an external storage device like a USB drive or an external HDD/SSD.

Saving backups of your WordPress site to your computer seems convenient, but how reliable is it?

In this article, let us look at how you can do it, why you may be looking at this option, and also answer the question which matters the most: should you do it?

How To Make WordPress Backups Locally

There are 3 ways through which you can download backups to your computer:

  • Manual WordPress Backup Download
  • WordPress Backup Download via cPanel
  • Plugins

Manual WordPress Backup Downloads

You can download WordPress files by using an FTP client such as FileZilla or Cyberduck. Making a full backup includes backing up files as well as your WordPress site database. To make WordPress database backups you can use phpMyAdmin.

However, once you download your backup files, labeling and organizing them is important. Otherwise it may be impossible to find the desired version when you want to make a restore.

cPanel

Usually web hosts provide a cPanel account to users. Using the tools in cPanel (Create Backup or Backup Wizard), you can download backups. Again, these backups are usually .zip files with filenames containing dates. However, that is not enough information when you make regular backups. You may have to spend more time organizing your backups with descriptions to ensure restores are easy.

Plugins

Most WordPress backup plugins, or at least all the popular ones, offer the option to download WordPress backups to your computer. However, regardless of the WordPress backup plugin you use, downloadable backup files, especially of the full site, are available in .zip format. On top of that, not all plugins give you the option to download individual files. This means we are back to our recurring theme of how downloading and storing backups also means maintaining them.

Storing WordPress Backups Locally

There are some key concerns when thinking of destinations for WordPress backups.

  • Storage space
  • Security
  • Organization
  • Restoration Issues
  • Ease of use

An ideal WordPress backup solution addresses all of these concerns.

Pros and Cons of Storing WordPress Backups Locally

Storage Space

Backups must be made regularly; daily if possible. If you are making regular backups, then storage space will become a concern for you. Your PC’s internal HDD will eventually run out of space. You can solve the problem by investing in an external HDD/SSD or USB drives dedicated to storing your backups, especially if you have large sites and you make regular backups. If you use USB drives, for example, you may be forced to make backups only once in a while and overwrite previous copies. This is not a good solution.

Security of WordPress Backups

Making a backup is a security measure, which means your backups must be secure. However, storing them on your PC or on a storage device is not the best idea when considering the security of backups.

Malware

Backups stored on a PC may be infected with malware from a few sources. The malware may already be on your computer, your browser may have been infected by malware from an unsafe site, or your backup files may be corrupted by malware on external storage devices like USB drives or HDDs/SSDs.

Storage Location

Apart from malware issues, there is the concern of where your backups are stored. Even if you have a dedicated external storage device (HDD/SSD), it may not be enough, as such devices are not reliable. They do have failure rates, and may crash or be infected with malware as they have to connect to your computer at some point. HDDs/SSDs may also stop working due to heat or natural wear and tear. Along with all of these points, if you choose to store backups locally on a hard drive, then your backups are in a single location, which raises the risk of losing them significantly. As a result, they may not serve as the most secure environment for storing your backups.

Organization

Downloaded backups have to be organized if they are to be useful when you have to restore your WordPress site. Consider that your site is down and you have to restore it. If you are left going through all your backup versions one by one trying to make the right decision, then you might spend a lot of time and effort which you could have invested in developing your business ideas.

Restoration Issues

Manual downloads or locally stored backups usually mean manual restores too. This may suit some developers or those who have spent time working on WordPress but for the majority who are business owners, or bloggers who are utilizing the CMS, this may not be a viable option.

Restorations usually have to be done via your cPanel account or via an FTP client and phpMyAdmin. There are often limits to the size of files that can be uploaded via cPanel or phpMyAdmin. These restrictions can cause restores to fail. Again, the lack of backup descriptions and of easy options to make restores together make extra demands on your time and energy. Expending this extra effort may be unnecessary if you utilize a complete WordPress backup service.

Ease of Use

First of all, this is a manual process. If you are following best practices, then you have to make backups daily. This can get tiring, and worse, you may forget to make backups at all.

After taking all of the above points into consideration, the answer to this one seems to be clear. Storing WordPress backups locally doesn’t seem to be a great idea. However, there may be a couple of benefits. It is an economical option, and you can be sure that backups are done, as making manual backups or downloading them from plugins allows you to keep track of your backups.

However, even in these cases, you may end up spending on storage devices, or professional help when you need to restore. Along with those issues, if you account for the time spent doing the work (making, downloading, organizing, and maintaining backups) and the time spent worrying about their safety, then the economic benefits and surety about backups being done seem to be nullified.

Instead, choose a professional WordPress backup service like BlogVault for worry-free backups, so you can do what you do best. A premium WordPress backup service would allow you to easily track backups, make one-click WordPress restores, and even make one-click WordPress migrations, leaving you worry-free.

Backing up WordPress to your Google Drive account may mean that you are choosing convenience over efficiency and security. Here’s why.

Uploading WordPress Backups to Google Drive

Google Drive presents a convenient option. To begin with, it is accessed with your Google account, so there are no multiple logins. Added to this, 15 GB of storage space is free to users.

Google Drive seems like the perfect vault to store your WordPress backups in.

You can simply choose among the many plugins which allow you to upload your WordPress backups to Google Drive. UpdraftPlus, BackupGuard, and WP Database Backup are all examples of plugins in the WordPress repository which allow you to do just this. However, keep in mind that in some cases you may have to pay for an add-on to add Google Drive to your list of backup destinations.

Setting Up Google Drive with Your WordPress Backup Plugin

This process may take some steps to get through, but if you follow the documentation of the respective plugins it will be easy. However, the point to keep in mind is that setting up your Drive account with your backup plugin generally means that the plugin stores a ‘client ID’ and ‘client secret’ for your Drive account. This is how the plugin can upload backups to your Drive account. However, this can be a double-edged sword.

WordPress Backups to Google Drive: Pros & Cons

Google Drive gives users 15 GB of free storage space. This may prove sufficient if your site is not large. The economic benefits from using a free plugin and having free storage space cannot be discounted without consideration. Along with this, you can gain access to your Drive account with your Google credentials; no extra logins required.

However, the very same advantages have another face when viewed from the perspective of control, efficiency, and security.

WordPress Restores from Google Drive

All backups are about restores. This means making restores must be easy and it must give full control. Backup files uploaded to Google Drive by plugins may not allow for this. It is true that with plugins like UpdraftPlus you can restore directly from your WordPress admin dashboard. However, this may not be enough.

Backups uploaded to Drive are usually in a .zip archive, which makes it very hard for you to find and restore individual files. That is, if your plugin allows for restoration of individual files at all, which is not always the case.

Restoring individual files has its benefits. Large sites take time to restore. This means more downtime. In other cases your hosting service may limit the time for each action. This is true of most cases, and in such cases your website may have to be manually restored. This is not a burden your business needs. On the other hand, restoring individual files means that you can avoid all these complications and not suffer the cost of unnecessary downtime. With each passing day this cost continues to increase. For this reason, having more granular control over your backups and restores is important.

Are your Backups Secure in Your Google Drive Account?

The other point to consider is that your backups may be vulnerable because a single set of login credentials gives you access to all your accounts. If that is compromised, then your backups may be compromised too. The other risk is that if your WordPress site is hacked, that may lead the hackers to your backups, since your plugin stored the ‘client ID’ and ‘client secret’ for your Drive account.

WordPress Backup to Google Drive: Storage Space Issues

In the case that your Google Drive account runs out of space, how will your plugin continue to make backups? You may want to know if you’ll get notifications from the developers of the backup plugin you use. If this is not the case, then you may not have backups to restore from, which is when you need them the most.

While convenience is one factor, uploading your WordPress backups to your Google Drive account may not allow you to practice WordPress backup best practices.

No Backup Descriptions

Now let us say that you are following good login practices, using smart passphrases, and following the basic security practices well. You also don’t mind making manual restores. In such a case you may be okay with a plugin which uploads your WordPress backups to your Google Drive account. While this is not advisable from a security standpoint, you may still have to contend with another issue: backup descriptions.

As mentioned, plugins usually upload your WordPress files as .zip files. The file names may have the date and time when the backups were made but not much else. When you want to manually restore a file you may want a description of what has changed from one backup version to the next. Without this, you may spend a considerable amount of time sifting through files, or spend time organizing backups in your Drive. Either way, you have to invest a considerable amount of time and labor.
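One way to produce the missing description, both for Drive uploads and for the locally organized backups discussed earlier, as an added example (not from the original article and not the code of BlogVault or any plugin): a Python script that compares two .zip backups by SHA-256 and reports what was added, removed or changed. The archive contents and function names are constructed for the illustration.

```python
"""Describe what changed between two .zip site backups (added example)."""
import hashlib
import io
import zipfile


def _sha256(zf, info):
    """Hash one archive member in chunks so large files stay out of memory."""
    digest = hashlib.sha256()
    with zf.open(info) as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_backup(zip_source):
    """Map every file in the archive to the SHA-256 of its contents."""
    with zipfile.ZipFile(zip_source) as zf:
        return {info.filename: _sha256(zf, info)
                for info in zf.infolist() if not info.is_dir()}


def describe_changes(old_zip, new_zip):
    """Return sorted lists of added, removed and changed file names."""
    old, new = index_backup(old_zip), index_backup(new_zip)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def label(changes):
    """One-line summary that can be stored next to the backup file."""
    return "{} added, {} removed, {} changed".format(
        len(changes["added"]), len(changes["removed"]), len(changes["changed"]))


def make_zip(files):
    """Build an in-memory .zip from a {name: bytes} mapping (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample backups: a plugin update, a new upload, a deleted theme file.
MONDAY = {
    "wp-config.php": b"<?php // config",
    "wp-content/plugins/cache/cache.php": b"<?php // version 1.0",
    "wp-content/themes/demo/style.css": b"body { margin: 0; }",
}
TUESDAY = {
    "wp-config.php": b"<?php // config",
    "wp-content/plugins/cache/cache.php": b"<?php // version 1.1",
    "wp-content/uploads/photo.jpg": b"\xff\xd8\xff\xe0 sample bytes",
}

if __name__ == "__main__":
    changes = describe_changes(make_zip(MONDAY), make_zip(TUESDAY))
    print(label(changes))
    for kind, names in changes.items():
        for name in names:
            print(f"  {kind}: {name}")
```

A changed PHP file that no plugin, theme or core update explains is worth inspecting before that backup is restored.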

Tip:
When backing up to Google Drive, ensure that you label the downloaded backups in an organized manner, so you can categorize and differentiate backups. This will be helpful when you have to restore your site.

You need to safeguard your data in a more robust manner to ensure that in your hour of need you know not only that you have access to backups but also that they are functional. Especially if you’re running a small business or a popular blog, you might want to look at a more complete WordPress backup solution and continue making WordPress backups to Google Drive only as an additional step.

WordPress website owners are always cautioned to keep their installations of WordPress, plugins and themes up to date. But when a plugin hasn’t been maintained or updated from the developer’s end, potential exploits threaten everyone who has it installed.

Being someone who grew up in the 90’s, I still love video and audio cassettes. But as the world progressed to new technologies, the companies making the cassettes kept updating their technologies and methods too, and for good reason. No matter how I loved the uniqueness of magnetic tape, even I understood that it had its faults. It was time to move on.

The charm of old cassettes lingers

Most of the time, WordPress works in the same way too. The minute a problem is identified, developers work to release a fix for it, whether it’s an add-on or something on WordPress core.

This is why almost every piece of advice on the internet about ‘security practices for WordPress’ always first mentions that WordPress site users have to update every element on their site.

But what does one do when the technology itself isn’t updated, and after a vulnerability has been reported? The possibilities this opens up to hackers are endless, which makes this a particularly alarming situation.

What makes it worse is the fact that not many novice WordPress site owners know what to do when a plugin/theme/widget hasn’t been updated from the developer’s side. This became most relevant when El Rincón de Zerial’s security blog reported a cross-site scripting vulnerability in W3 Total Cache at the end of September.

About W3 Total Cache

W3 Total Cache is a WordPress caching plugin that helps sites load faster. A website’s load time, as any website owner knows, affects its reputation, views, and business. The faster it loads, the better it is perceived by its visitors. This is why caching plugins are so widely used in the WordPress community.

W3 Total Cache, in particular, had over 1 million active installs when the vulnerability was declared.

A screenshot of W3 Total Cache from https://www.w3-edge.com

This was because it had features that made it considerably better than other caching plugins, according to those who used it. Not only did the plugin cache every aspect of the WordPress site, from the HTML elements to objects in the WordPress site’s database, it also handled mobile caching well. Most other caching plugins only cached the HTML elements of a page, making their performance considerably lower.

The plugin, according to its page on the WordPress.org repository, has been used and trusted by companies and websites such as AT&T, mashable.com, and pearsonified.com, amongst others.

About W3 Total Cache’s vulnerability

When the XSS vulnerability was reported, users of the plugin had already been complaining about support-related issues for six months, and had received no response from the team that had developed it.

To add to this, the previous major ‘update’ to the plugin was only a simple change that made sure the plugin was compatible with the then latest versions of WordPress. Understandably there was concern over the potential damage this vulnerability could wreak if it was exploited.

But this wasn’t the first time the plugin had displayed vulnerabilities. Just as with any other plugin, W3 Total Cache had its share of loopholes that were sometimes exploited, as was also the case with other caching plugins like WP Super Cache.

The good news

The silver lining in this situation was the fact that the original developers of the plugin released an update six days after the vulnerability was disclosed. The update featured a patch not just for this exploitable loophole, but also for four more that were disclosed by SecuPress. Moreover, it also introduced a number of new features.

The bad news

However, a number of users of W3 Total Cache who updated their versions of the plugin have reported that it breaks their sites, or renders some features useless.

What to do in case of an outdated plugin

This brings us to the most important course of action. When faced with a plugin or theme that is obviously out of date:

  1. Disable the plugin/theme until an update addressing the vulnerability has been released
  2. If it’s not a premium plugin or theme, follow its support forum on WordPress.org
  3. If an update with the patch for the vulnerability takes more than 48 hours to come through since the vulnerability is announced, try and contact the developer informing them about the vulnerability and quoting your sources.
  4. In the meanwhile, try and find alternatives that are compatible with your site in order to keep your site fully functional.
  5. If the update takes more than a month to come through, you could ask the community if someone would like to adopt the theme/plugin. Obviously this procedure has steps that you will have to follow, after communicating the problem to both the WordPress team and the community.

This is why it’s important to always have a backup plan: you never know when a plugin is going to stop being updated.

After all, a number of contributors are developers who contribute to the community as a hobby. It takes a lot of time and effort to not only create a plugin, but to identify how to patch up vulnerabilities and do it according to the best security practices as well.
Moreover, when the plugin/theme is actually updated, you never know if it’s going to break your WordPress site. Reliable backup solutions that allow you to test your backups before they go live on your site are not just an option in such cases… they’re a necessity.

In an earlier article, we spoke about password protecting wp-login.php with HTTP authentication. There, we came up with this amazing analogy that if your WordPress site were a house, HTTP authentication would be a fence around it. Now, imagine deploying a guard at your fence door to further secure your house (your WordPress site). This guard would check the ID (read IP address) of every visitor and allow (or deny) a selected few.

In this article, we’ll teach you how to provide restricted access through the fence door to only select IP addresses. Of course, for this to work, your internet connection needs to have a static IP address first. If you aren’t sure what your IP address is, you can always Google ‘IP address’.

How to Restrict Access by IP to your wp-admin Directory

To begin with, download the .htaccess file from your wp-admin directory using a third-party FTP client like FileZilla. In case there isn’t already an .htaccess file in your wp-admin directory, go ahead and create a new one. Then, add the following lines at the end of your .htaccess file:

order deny,allow
allow from your.IP.address
deny from all

The above directive allows only a single IP address to access your admin dashboard. This will apply in case you solely access your WordPress dashboard from a single location. In the given example, you need to put your IP address in place of ‘your.IP.address’.

Now, if you access your dashboard from multiple locations, you’ll need to list out all those IP addresses in the directive. For this, you’ll need to mention individual IP addresses in individual ‘allow from’ lines as shown below:

order deny,allow
allow from your.IP.address.1
allow from your.IP.address.2
allow from your.IP.address.3
deny from all

Blocking Specific IP Addresses

It has been seen that a large number of attacks come from specific regions or sets of IPs. To block these culprits at the .htaccess level itself, you can include the following syntax in your .htaccess file:

# With allow,deny the deny lines override "allow from all"
order allow,deny
allow from all
deny from IP.address.1
deny from IP.address.2

Mention the IP addresses you wish to blacklist in place of ‘IP.address.1’ and ‘IP.address.2’. If the blocked IP addresses try to access your dashboard, they’ll get a default ‘403 Forbidden’ error message.

Once you’re done, save the changes and upload the .htaccess file back to the wp-admin directory. In case you make such a change to the .htaccess file in the root directory of your WordPress, all website visitors, apart from you, will receive the ‘403 Forbidden’ error message. Therefore, be sure to make the changes to the .htaccess file in the wp-admin directory of your WordPress alone.
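How Apache applies the order, allow from and deny from lines used above, as an added example that is not part of the original article: a small Python model of the documented Apache 2.2 evaluation rules, run over constructed rule sets with documentation-range IP addresses. It shows that an allow-list relies on order deny,allow, while a block-list that contains allow from all only blocks under order allow,deny; the function names are hypothetical.

```python
"""Model of Apache 2.2-style Order/Allow/Deny evaluation (added example).

Handles 'all', full IP addresses, CIDR ranges and partial IPv4 addresses
such as '192.0.2'. Hostname and env= forms are not modelled.
"""
import ipaddress


def _matches(spec, client_ip):
    """True if one host spec from an allow/deny line covers client_ip."""
    spec = spec.strip().lower()
    if spec == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    try:
        return addr == ipaddress.ip_address(spec)
    except ValueError:
        # Partial IPv4 address: compare whole leading octets only.
        octets = spec.rstrip(".").split(".")
        return client_ip.split(".")[:len(octets)] == octets


def parse_rules(htaccess_text):
    """Return (order, allow_specs, deny_specs) from .htaccess text."""
    order, allow, deny = "deny,allow", [], []  # Apache's default Order
    for raw in htaccess_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        keyword = tokens[0].lower()
        if keyword == "order" and len(tokens) > 1:
            order = tokens[1].lower()
        elif (keyword in ("allow", "deny") and len(tokens) > 2
              and tokens[1].lower() == "from"):
            (allow if keyword == "allow" else deny).extend(tokens[2:])
    return order, allow, deny


def is_allowed(htaccess_text, client_ip):
    """Apply the Apache 2.2 rules for the configured Order."""
    order, allow, deny = parse_rules(htaccess_text)
    allowed = any(_matches(s, client_ip) for s in allow)
    denied = any(_matches(s, client_ip) for s in deny)
    if order == "allow,deny":
        # Must match an Allow line and no Deny line; the default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # Rejected only when a Deny line matches and no Allow line does.
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order!r}")


# Constructed rule sets using documentation-range addresses.
ALLOWLIST = """
order deny,allow
allow from 203.0.113.10
deny from all
"""

BLOCKLIST = """
order allow,deny
allow from all
deny from 198.51.100.7
deny from 192.0.2
"""

# Same block-list written with deny,allow: "allow from all" wins every time.
BLOCKLIST_INEFFECTIVE = """
order deny,allow
deny from 198.51.100.7
allow from all
"""

if __name__ == "__main__":
    for name, rules in [("allow-list", ALLOWLIST), ("block-list", BLOCKLIST),
                        ("ineffective block-list", BLOCKLIST_INEFFECTIVE)]:
        for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.55"):
            verdict = "allowed" if is_allowed(rules, ip) else "403"
            print(f"{name:24} {ip:14} {verdict}")
```

On Apache 2.4 these directives are provided only by mod_access_compat; the native equivalents are Require ip and Require all denied.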

Fixing the Admin Ajax Issue

Limiting access to WordPress wp-admin using IP address tends to break the front-end Ajax functionality. Therefore, if any of your plugins use Ajax in the front end, add the following code to the .htaccess file in your wp-admin directory for fixing the Ajax issue:

<Files admin-ajax.php>
order allow,deny
allow from all
satisfy any
</Files>

For increased security, it is always advisable to use the method discussed above for limiting access via IP address in conjunction with password protection. Also, your IP address will change if you change your internet service provider. So don’t forget to update your .htaccess file in such a case.

The WordPress admin dashboard can only be accessed by entering your username and login password. It is good practice to use a strong login password at all times, as this makes it difficult for bots and hackers to break into your admin dashboard. However, the internet has never been a very safe place, and no amount of security is ever enough. Therefore, it’s always good to have as many layers of security as (sanely) possible, to keep hackers at bay.

While login credentials are a robust security measure at the WordPress application level, we can add further security using HTTP Basic Authentication (BA). HTTP BA is the simplest technique for enforcing selective restriction of access to your web resources, making it a system-level security measure. But well, enough nitty-gritty for now; let’s try to understand this with a simple analogy. Imagine your WordPress site to be a house. Although the house’s main door (read login credentials) is a vital part of security, it may not be enough, and you might want to add a fence around your house as an additional security measure. HTTP authentication is one such ‘fence’ for the protection of your WordPress site. Anyone who wants to enter your admin dashboard will first need to go through the HTTP authentication (your fence) and then enter their login credentials (your main door).

To secure your WordPress site with HTTP authentication, you first need to generate a .htpasswd file, where you’ll list all authorised usernames and their respective encrypted passwords. Following our analogy, think of this as setting up a door to your fence. One can leverage .htpasswd only on an Apache server, since .htpasswd is an Apache password file. The good news is that Apache is the most commonly used web server software worldwide. This makes it highly probable that your site is running on Apache.

Creating a .htpasswd File

You can use the htpasswd command line tool to create a new .htpasswd file. In your command line, run the following command:

htpasswd -c .htpasswd harini

Here, ‘-c’ stands for ‘create’ and should only be used while creating a new .htpasswd file. ‘harini’ is a case-sensitive username for our HTTP BA. On hitting enter, you’ll be prompted to enter the password you would like to use. By default, the htpasswd tool encrypts your password using MD5.

In the case that you already have an existing .htpasswd file, and would just like to add a new username to it, you should use the following command line:

htpasswd .htpasswd rahul

Note that you don’t have to use the ‘-c’ switch in this command, since you don’t have to create a new htpasswd file here.

A typical htpasswd file looks like this: ‘username:encrypted_password’. For instance, a sample .htpasswd file that contains users harini and rahul would look like:

sample .htpasswd file

If you aren’t able to get your hands on the htpasswd tool, you can easily generate your .htpasswd entry (username-encrypted password pair) using this htpasswd generator.

Now that you’ve successfully created the .htpasswd file, you have a lot of flexibility over where to place it. However, it is advisable to store it in a directory that can’t be accessed directly through the web. One such good location would be one level above the WordPress install directory. This will ensure that your Apache password file remains secure, even if your web server software were to get corrupted.
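A check for the two points above, the hash format of each entry and the location of the file, as an added example that is not from the original article: a Python script that parses ‘username:encrypted_password’ lines, identifies the storage scheme from the shape of the password field, and tests whether the file path falls inside the web root. The sample entries are constructed (not real hashes), the /var/www paths are assumptions, and the strong/legacy/insecure ratings are this example's own grading.

```python
"""Audit an Apache .htpasswd file (added example, not from the article)."""
import posixpath
import re

# (prefix, scheme, rating); the ratings are this example's own grading.
PREFIXES = [
    ("$2y$", "bcrypt", "strong"),
    ("$2a$", "bcrypt", "strong"),
    ("$2b$", "bcrypt", "strong"),
    ("$6$", "sha512-crypt", "strong"),
    ("$5$", "sha256-crypt", "strong"),
    ("$apr1$", "apr1-md5", "legacy"),        # htpasswd's MD5 format
    ("{SHA}", "sha1-unsalted", "insecure"),
]
# Traditional crypt(): exactly 13 characters from the crypt alphabet.
# A 13-character alphanumeric plaintext password would look the same.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(stored):
    """Identify the storage scheme of one password field by its shape."""
    for prefix, scheme, rating in PREFIXES:
        if stored.startswith(prefix):
            return scheme, rating
    if DES_CRYPT.match(stored):
        return "des-crypt", "insecure"
    return "plaintext-or-unknown", "insecure"


def audit(htpasswd_text):
    """Return one finding per entry: line, user, scheme, rating, duplicate."""
    findings, seen = [], set()
    for lineno, raw in enumerate(htpasswd_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if not (sep and user and stored):
            findings.append({"line": lineno, "user": None, "scheme": None,
                             "rating": "malformed", "duplicate": False})
            continue
        scheme, rating = classify(stored)
        # A repeated username is flagged so stale entries can be removed.
        findings.append({"line": lineno, "user": user, "scheme": scheme,
                         "rating": rating, "duplicate": user in seen})
        seen.add(user)
    return findings


def inside_docroot(htpasswd_path, docroot):
    """True if the password file sits inside the web-served directory."""
    path = posixpath.normpath(htpasswd_path)
    root = posixpath.normpath(docroot)
    return posixpath.commonpath([path, root]) == root


# Constructed sample: the values only have the shape of real hashes.
SAMPLE = "\n".join([
    "# constructed sample, not real credentials",
    "harini:$apr1$Xs3nKq1a$0123456789abcdefghijkl",
    "rahul:$2y$10$" + "A" * 53,
    "olduser:{SHA}" + "A" * 27 + "=",
    "legacy:ab0123456789C",
    "broken-line-without-colon",
    "harini:$2y$10$" + "B" * 53,
])

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
    # Assumed layout: WordPress installed in /var/www/html.
    print(inside_docroot("/var/www/html/.htpasswd", "/var/www/html"))
    print(inside_docroot("/var/www/.htpasswd", "/var/www/html"))
```

Entries rated legacy or insecure can be re-created with htpasswd -B, which stores a bcrypt hash on Apache 2.4.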

Password Protecting wp-login.php

With the .htpasswd file ready and stored in a safe position, you can now go on to restrict access to your wp-login.php file. For this, you’ll need to specify the following things in your .htaccess file:

  • what file to restrict?
  • where to get HTTP BA credentials from?

Assuming the .htaccess file is at the WordPress install directory level, adding the following lines of code to the file will do this for us:

<Files wp-login.php>
AuthUserFile /path/to/.htpasswd
AuthName "Private access"
AuthType Basic
require valid-user
</Files>

Here, you need to focus on the following two lines:

AuthUserFile /path/to/.htpasswd: Make sure you provide the correct path to your .htpasswd file in place of ‘/path/to/.htpasswd’.

require valid-user: The ‘valid-user’ keyword tells Apache to provide any user mentioned in the .htpasswd file with access to the wp-login.php file. In case you want to grant selective access to the file, instead of using ‘valid-user’, you can just mention the usernames you’d like to provide access to. For example, if there are three usernames mentioned in the .htpasswd file, out of which you want to grant access to only two users, say user01 and user02, and not to user03, you’ll use the following require directive:

require user user01 user02

Once you’re done, save the file and upload it to the directory that contains the wp-login.php file. Now, the next time you try to login to your WordPress dashboard, you will find your browser prompting for authentication even before the admin-login screen is loaded, just like the fence we discussed.

As an avid reader of books and various articles both in newspapers and online, I have always had the urge to test my writing skills. The usage of jargon and the blend of sophisticated words that the authors achieved with their articles always enticed me. I wanted to start with a blog of my own and so went about researching the requirements to start a blog and the whats and hows of blogging. After talking to several blogging enthusiasts I came to know that blogspot.com or bloggers.com are the different websites that break the entry barrier for an individual to blogging. Though I don’t understand much about the technicalities that go behind building a blog and making it attractive for users to read, I realised bloggers.com or blogspot.com are not much help in terms of their GUI, themes and plug-in support etc. I turned to my friend Akshat Choudhary for help and he suggested I go for WordPress based blogs which with a very intelligently designed code enhance the look and feel of your website.
I had to know what WordPress will do for me and so followed up on it. I went through the book ‘WordPress for Dummies’ by Lisa Sabin-Wilson for a start and then supported the knowledge by going through articles on the web. I started with WordPress tutorials on WordPress.org and then went through different articles posted on wp.tutsplus.com and elitebydesign.com. For a person who is passionate about blogging and wants to maintain an online diary, WordPress will provide the best interface through which you could connect to your readers. Today, WordPress is the largest self-hosted blogging tool in the world, being used by millions of websites with tens of millions of views every day. The best thing about WordPress is that it is an Open Source project which can be used by anyone over the web, which means you can use it for anything, be it your personal diary, your travel accounts or your views on any subject for that matter. Some of the features offered by WordPress are private and password protected posts, easy importing, installation and upgrades, a full themes system, multiple authors, spam protection and intelligent text formatting. So, ‘WordPress is only limited by your imagination’.

An Introduction to WordPress

Now that your blog is ready you would want to ensure its longevity, right? Malware, spam and crashes are the nightmares of any successful blogger, but with blogVault.net, which backs and secures your WordPress site, you can put your worries aside. It not only says it backs your blog but also shows where your blog has been backed and secured through its unique Test-Restore feature.
If you are already using WordPress, back it with blogVault, and if you are gonna start blogging with WordPress, back it with blogVault – the best solution for the security and backup of your WordPress site.