As those of you who know me are aware, I take website security very seriously so that my clients don’t have to. For those of you who aren’t hosting with me, however, I want to call attention to this post by Wordfence (a popular WordPress security plugin) outlining the security questions every website owner should be asking their hosting company.
For those of you who don’t quite understand the lingo used in the article, I’m going to do a 5-part series tackling each of these questions in detail so that you know enough about them to make the right decisions for your business. Here’s part 4:
How are you backing up my site and how long are backups being retained?
Backups are an important safety net in case something happens to your files or database. I cannot tell you how often people thought their hosting company was backing up their site, only to find out that the backup system was woefully inadequate. Actual cases include:
- Client whose site was hacked on iPower, who then offered to restore the most recent backup she had … which was from 2 years ago. (They also restored over the current site and didn’t make a copy first, so there was no way to recover anything.)
- Client who wanted to move her account off Bluehost (after the account was suspended for malware), only to find out Bluehost’s cPanel backups had not been working for months without notification.
- Client whose site was hacked and all uploads folders were removed (with her BackupBuddy backups) … on a host that was not backing up the cPanel account.
- Client who let a domain expire on her account, not realizing that the hosting company would close down the account for that domain and remove all the files.
- Client who went to clean up old files in her account and accidentally deleted her custom theme … and realized there was no backup for it, either on the server or from the designer. ($4k down the drain!)
- Client whose database file had become corrupted, and then realized that the backups she had were not backing up her database.
But how many backups should you have? I would recommend you pick at least 2 methods from the following list to create redundancy:
- Local Backups, usually in the form of a plugin like UpdraftPlus or BackupBuddy, which back up your site files and database into a zip file.
- Local Backups with Offsite Storage, with one of the above plugins connected to a storage service like Google Drive, Dropbox or Amazon. Alternatively, you can download a backup to your hard drive or other storage device.
- cPanel Backups, which combine your database, site files, settings and e-mail accounts (if you have email on the server) into a single download that can be used to restore the site or move it to another cPanel-based server.
- Offsite Backup Services like VaultPress, which remotely back up your site and store it on their secure servers.
- Snapshots, which can cover anything from an entire server (in the case of a dedicated server) to just a WordPress installation (in the case of a service like WP Engine).
Once you have decided on your (minimum 2!) methods, the key is to make sure that they are actually working. Try downloading one and confirming the files are really in it, or at least log in to confirm the backups are running as you expected. Backups are not set it and forget it though — you need to periodically check on them to make sure they are still working!
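To make that "check that they are actually working" step concrete, here is an added example (my own illustration, not code from Wordfence or from any of the backup plugins mentioned) of an automated check over a plugin-style zip backup. It confirms the archive opens cleanly, contains wp-config.php, the theme and uploads folders and a database dump that actually has tables in it, and is not older than your freshness target; it also checks that a backup folder holds at least two copies. The archive layout (a .sql dump alongside wp-content) and the sample archives it builds are assumptions for the demonstration; adjust REQUIRED_PATHS to match what your plugin really produces.

```python
import os
import tempfile
import time
import zipfile

# Assumed layout of a plugin-style backup archive (adjust to your plugin's output).
REQUIRED_PATHS = ["wp-config.php", "wp-content/themes/", "wp-content/uploads/"]


def build_sample_backup(path, include_db=True, age_days=0):
    """Write a constructed sample backup zip to `path` (demonstration data only)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("wp-config.php", "<?php define('DB_NAME', 'example_db');\n")
        zf.writestr("wp-content/themes/custom-theme/style.css", "/* custom theme */\n")
        zf.writestr("wp-content/uploads/2024/01/photo.jpg", b"\xff\xd8\xff\xe0")
        if include_db:
            zf.writestr("db/example_db.sql",
                        "CREATE TABLE `wp_posts` (`ID` bigint);\n"
                        "INSERT INTO `wp_posts` VALUES (1);\n")
    # Back-date the file so the freshness check has something to catch.
    mtime = time.time() - age_days * 86400
    os.utime(path, (mtime, mtime))
    return path


def verify_backup(path, max_age_days=7, now=None):
    """Return a list of problems with one backup archive; an empty list means it passed."""
    now = time.time() if now is None else now
    problems = []
    age = (now - os.path.getmtime(path)) / 86400
    if age > max_age_days:
        problems.append(f"stale: {age:.0f} days old (limit {max_age_days})")
    try:
        with zipfile.ZipFile(path) as zf:
            bad = zf.testzip()  # CRC check of every member; None when all are intact
            if bad is not None:
                problems.append(f"corrupt member: {bad}")
            names = zf.namelist()
            for req in REQUIRED_PATHS:
                if not any(n == req or n.startswith(req) for n in names):
                    problems.append(f"missing: {req}")
            dumps = [n for n in names if n.endswith(".sql")]
            if not dumps:
                problems.append("missing: database dump (*.sql)")
            elif b"CREATE TABLE" not in zf.read(dumps[0]):
                problems.append(f"database dump {dumps[0]} contains no tables")
    except zipfile.BadZipFile:
        problems.append("not a valid zip archive")
    return problems


def check_retention(backup_dir, min_copies=2, max_age_days=7):
    """Check that a backup folder holds enough copies and that the newest one verifies."""
    archives = sorted((os.path.join(backup_dir, f) for f in os.listdir(backup_dir)
                       if f.endswith(".zip")), key=os.path.getmtime, reverse=True)
    problems = []
    if len(archives) < min_copies:
        problems.append(f"only {len(archives)} backup(s) retained, want at least {min_copies}")
    if archives:
        problems.extend(verify_backup(archives[0], max_age_days))
    else:
        problems.append("no backups found")
    return problems


def demo():
    """Run the checks over constructed archives: one good, one missing its DB, one two years old."""
    with tempfile.TemporaryDirectory() as d:
        good = build_sample_backup(os.path.join(d, "backup-good.zip"))
        nodb = build_sample_backup(os.path.join(d, "backup-nodb.zip"), include_db=False)
        old = build_sample_backup(os.path.join(d, "backup-old.zip"), age_days=730)
        single = os.path.join(d, "single")
        os.mkdir(single)
        build_sample_backup(os.path.join(single, "backup-only.zip"))
        return {
            "good": verify_backup(good),
            "nodb": verify_backup(nodb),
            "old": verify_backup(old),
            "retention": check_retention(single),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

Run it on a schedule against the folder your plugin writes to, and treat any non-empty result as an alert; the two-year-old archive and the archive with no database dump are exactly the cases from the list above that nobody noticed until restore time.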
Or try a fully managed hosting solution where your backups are set up and checked on for you.
A Note About Restoring
The one point in the article I found myself disagreeing with is where they say "The fastest way to recover from a hacked website is by restoring a good backup of your site." Why? The majority of WordPress attacks that I see are not instant. They start with small tests to see what the script can get away with, like uploading a single file or altering some small piece of data. That modification can sit, undetected by the WordPress administrator, for days or even months before round two comes along and more damage is done. When people simply restore a site and assume everything is good, they have not cleaned the site; they have just restarted the clock on that initial hack, and they will find their account full of malware again soon enough. Restoring from a backup can also involve a significant amount of downtime.
The better option in most cases is to move forward, either with a Clean in Place (cleaning the site where it is) or a Clean and Move (taking the safe parts of the current site and putting them into a new install on a new hosting account). Generally these cost about the same, although the Clean and Move has a better chance of staying healthy in the long run. (Many hacks are the result of poor hosting, so moving the healthy parts to better hosting can do wonders.) Cleaning a site while manually relocating it to a safer place is usually the best way to get rid of malware, secure your site, and close all the backdoors that are currently present — without losing any of your content by using an old backup.
If you find yourself currently plagued with malware, please contact me with your logins. I am happy to take a look and let you know what your best options are, before your hosting company restores a backup over the current live site and you potentially lose something.
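To illustrate why a restore can merely restart the clock, here is an added example (my own, not from the Wordfence article) that fingerprints each retained backup as a {path: sha256} manifest, diffs consecutive backups, and works out which backups predate a given foreign file. The site files, the dates and the foreign file path are constructed for the demonstration. The point it shows is that when every retained copy already carries that first-stage file, no restore is clean, and a short retention window makes that the likely case.

```python
import hashlib

# Constructed sample site files; values are file contents, not real site data.
CLEAN_SITE = {
    "wp-config.php": b"<?php define('DB_NAME', 'example_db');\n",
    "wp-content/themes/custom-theme/style.css": b"/* custom theme */\n",
    "wp-content/uploads/2024/01/photo.jpg": b"\xff\xd8\xff\xe0",
}
# Hypothetical foreign file: the "single uploaded file" that sits unnoticed for months.
FOREIGN_FILE = "wp-content/uploads/2024/02/image.php"


def manifest(files):
    """{path: sha256} fingerprint of one backup's contents."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def diff_manifests(older, newer):
    """Paths added, removed, or changed between two backups."""
    return {
        "added": sorted(set(newer) - set(older)),
        "removed": sorted(set(older) - set(newer)),
        "changed": sorted(p for p in set(older) & set(newer) if older[p] != newer[p]),
    }


def first_backup_containing(backups, path):
    """Label of the earliest backup (list of (label, manifest), oldest first) that holds `path`."""
    for label, m in backups:
        if path in m:
            return label
    return None


def backups_predating(backups, path):
    """Backups that do not contain `path`: the only ones a restore could safely come from."""
    return [label for label, m in backups if path not in m]


def build_history():
    """Three monthly backups: clean, then the foreign file appears, then wp-config.php is altered."""
    jan_files = dict(CLEAN_SITE)
    feb_files = dict(jan_files, **{FOREIGN_FILE: b"constructed placeholder, not a real payload\n"})
    mar_files = dict(feb_files, **{"wp-config.php": b"<?php define('DB_NAME', 'example_db'); // altered\n"})
    return [("2024-01-01", manifest(jan_files)),
            ("2024-02-01", manifest(feb_files)),
            ("2024-03-01", manifest(mar_files))]


def demo():
    history = build_history()
    return {
        "first_seen": first_backup_containing(history, FOREIGN_FILE),
        "feb_to_mar": diff_manifests(history[1][1], history[2][1]),
        "safe_with_3_retained": backups_predating(history, FOREIGN_FILE),
        # Same site, but the host only keeps the two most recent copies.
        "safe_with_2_retained": backups_predating(history[-2:], FOREIGN_FILE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With three months retained, only the January copy predates the foreign file; with two months retained there is no clean copy at all, which is exactly the situation where a restore gives a false sense of safety and a Clean in Place or Clean and Move is the better path.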
Ready for more?
In the next part of this series, I’ll be talking about SSL and why you should be using https to serve up your site. If you don’t want to miss it, you should sign up for Super Alerts!