WordCamp Phoenix 2013: Backup & Security Lite
There are two goals that you want to achieve with a good backup and security plan. First, reduce your risk of being hacked. Second, have a plan for when you are attacked. There is no security plan that is 100% effective. But with a few key steps, you can set yourself on a path to making yourself less prone to attacks and able to recover should the worst occur.
With security, you want to lock everything down and minimize your risk. This means securing the components you use to create and update your website. Specifically, you want to secure your computer, secure your web connection, and secure your WordPress site. Basically, all of the components along that update path.
Securing Your Computer
Keep your computer up to date and running the latest versions of your operating system and your browser. If you can, install an antivirus package to keep your system virus- and malware-free. This way you’re not the author of your own hack.
Securing Your Connection
Whenever you’re sending your files up to your site, use a safe file transfer mechanism. Instead of FTP, use SFTP. Alternatively, if you’re a developer, use a secure shell (SSH) connection, which is the most secure option. This is very commonplace now, but all sites should be using an SSL certificate, and yours should be up to date. Your administrative access should be available securely as well.
Your web host should be offering SSL, SFTP, and secure shell access for your site. If it’s not, then you may want to consider a different host. Additionally, the host itself should be secure. If you find yourself compromised over and over, and you’re following most of the best practices outlined here, you may want to consider moving hosts. It’s possible the compromise is coming from within the server infrastructure, over which you have no control.
Securing Your WordPress Site
The single most important piece for keeping your site secure is to keep WordPress, your theme, and the plugins you’re using updated. Incremental updates often include security patches. Be careful when you are updating. Be sure to make a backup of your website before you begin an update (more on that later) and, if you can, perform updates in a staging environment before performing them on the live site.
In 2013 when this presentation was originally given, changing the database prefix was a common recommendation as a way to hide the database from malicious attacks. This practice has fallen out of favor and there is some question as to its overall value.
Use themes and plugins from trusted sources. There are a lot of plugins available in the WordPress repository, and while all of them go through an approval process, they are not all created equally, or maintained equally. And that’s just the repository; there are many other vendors as well. Plugins and themes are code, and exploitable flaws can be written into them. Look at reviews and feedback before installing unknown plugins. And if you can, test them on a staging site before you make them live.
Don’t use “admin” as your username. In early versions of WordPress, the first user on a site had the username of “admin” as a default. This made bot attacks easy as half of the credential was a known quantity. WordPress no longer does this, but it’s still an extra precaution worth taking.
Use a strong password or passphrase. Always use a combination of characters, numbers, and symbols. Never repeat passwords for different accounts. Try to avoid real words. Make them long and random. Don’t provide your username and password to others. Create a separate user account for anyone who needs access so you can remove it easily when it’s no longer needed.
Limit login attempts on your website. A great additional security feature is to have your website limit logins. This way, if malicious actors are trying to force entry into the site, the site will lock them out for a period of time. Some limit-login features will also send a notification to you.
Creating a backup is the key ingredient of your recipe to get back to a previous state if the worst happens. Whether this is a malicious attack, a technical glitch, or even an error in an update or deployment, you want a clear path back to full operations.
What Do We Backup
There are two main pieces to WordPress – the database and the files. The database is a MySQL database that stores all of the content for the site. Your posts, pages, and other “data” are stored here. Your files include your theme, plugins, core WordPress components, and your uploaded media files. Both pieces need to be backed up in order to have a complete snapshot of your site.
When and Where Do We Backup
This is going to depend on the purpose and features of your site. If you’re only blogging once a month and that’s the only change on your site, you could get away with backing up once a month. Maybe you have a membership site with a lot of activity and you want to back up every day. Ultimately it’s a question of how much data you’re willing to lose. Additionally, if you’re changing code, adding or removing a plugin, or performing updates you should perform a full backup.
When you create your backups, pull them down locally. As an added precaution, make a second copy of that backup for redundancy. As a further precaution, keep a third copy of the backup offsite in case of a problem in the real world like fire or flood. Never keep copies of your backups on the same server as your WordPress site. They can be a security vulnerability, and if the server goes down that backup is useless.
How Do We Backup
There are many choices. You can manually create backups, use a plugin, use a service, or use specialized hosting that provides backups. There are some pros and cons to each of the methods:
Manual backups
PRO – low cost, confidence in the end result
CON – it’s manual, it’s all on you
Backup plugin
PRO – minimal cost, some automation
CON – support for the plugin may vary, generally backs up to the server
Backup service
PRO – little to no work for the user, fully automated, restore option
CON – costly
Specialized hosting with backups
PRO – fully automated, restore option, cost is included with hosting
CON – hosting cost tends to be higher
No matter what method you use to create a backup, make sure you know the process for restoring, and schedule some time to test that process.
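The manual method described above, as an added example that is not part of the original talk: a script that captures both pieces (the database via mysqldump and the files via tar) into one archive with a checksum manifest, and a restore test that unpacks the archive and checks that both pieces are present. It assumes a standard wp-config.php with define() lines for the database settings and that mysqldump is installed; the MYSQLDUMP variable is a hypothetical override for testing.

```shell
#!/bin/sh
# Added example, not the talk's own script. Manual WordPress backup of both
# pieces (database + files) plus a restore test. Assumes mysqldump is on PATH;
# MYSQLDUMP can be overridden (hypothetical knob, used to test offline).
set -eu
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"

# Read the value of define('KEY', 'value') from wp-config.php.
wp_config_value() {  # $1 = path to wp-config.php, $2 = constant name
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Write <out_dir>/wp-backup-<timestamp>.tar.gz holding db.sql, files.tar.gz and
# a sha256 manifest. Prints the archive path; copy that file off the server.
wp_backup() {  # $1 = site root (contains wp-config.php), $2 = output directory
  site="$1"; out="$2"
  work="$(mktemp -d)"
  stamp="$(date +%Y%m%d-%H%M%S)"
  db_name="$(wp_config_value "$site/wp-config.php" DB_NAME)"
  db_user="$(wp_config_value "$site/wp-config.php" DB_USER)"
  db_pass="$(wp_config_value "$site/wp-config.php" DB_PASSWORD)"
  db_host="$(wp_config_value "$site/wp-config.php" DB_HOST)"
  # Piece 1: the database. Password goes via MYSQL_PWD, not the command line.
  MYSQL_PWD="$db_pass" "$MYSQLDUMP" --single-transaction --host="$db_host" \
      --user="$db_user" "$db_name" > "$work/db.sql"
  # Piece 2: the files (core, theme, plugins, uploads, wp-config.php).
  tar -C "$site" -czf "$work/files.tar.gz" .
  ( cd "$work" && sha256sum db.sql files.tar.gz > MANIFEST.sha256 )
  mkdir -p "$out"
  archive="$out/wp-backup-$stamp.tar.gz"
  tar -C "$work" -czf "$archive" db.sql files.tar.gz MANIFEST.sha256
  rm -rf "$work"
  echo "$archive"
}

# Restore test: unpack into a scratch directory, verify the manifest, and make
# sure both pieces exist (non-empty dump, wp-content inside the file archive).
wp_backup_verify() {  # $1 = archive path; returns non-zero on any failure
  scratch="$(mktemp -d)"
  tar -C "$scratch" -xzf "$1"
  ( cd "$scratch" && sha256sum -c --quiet MANIFEST.sha256 ) || { rm -rf "$scratch"; return 1; }
  [ -s "$scratch/db.sql" ] || { rm -rf "$scratch"; return 1; }
  tar -tzf "$scratch/files.tar.gz" | grep -q 'wp-content/' || { rm -rf "$scratch"; return 1; }
  rm -rf "$scratch"
}
```

Run `wp_backup /path/to/site /backups` from cron at the frequency the site's rate of change justifies, then `wp_backup_verify` on the downloaded copy to rehearse the restore.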
With these basic steps in place, you’ve created a good starting point for locking down your site. As you grow and have more features you’ll also want to look at some more advanced features especially on the security side. A firewall solution adds complexity, but really provides the kind of security we’d recommend for a site that is a source of revenue. If you have any questions about security or backing up your site reach out to us. We love to work through security hardening issues.