If you’ve been anywhere near the internet tubes in the last several weeks, you’ve no doubt heard reports of a new wave of malware and viruses targeting WordPress sites. It can be anything from redirecting a URL to a spammy site, gathering valuable information, or worst of all, wiping entire sites clean…database and all.
Just chaps my hide.
No one can safeguard your site 100% (and if anyone tells you they can, they’re lying). Trust me, if Amazon and the FBI can get hacked, so can you. However, there are plenty of things to do to drastically reduce your chances of getting hacked.
Here’s a word picture. If a burglar is looking for a quick and easy buck, he starts roaming neighborhoods checking the lock on each front door. Whose house is going to be burglarized…the one with an unlocked door or the one with not only a locked door, but a ferocious barking dog and an alarm system sign in the front window? Likewise, leaving the front door to your precious website or blog unlocked is an engraved invitation to any scumbag to walk right in and steal you blind.
It’s a complex problem with several main players…
- The Scumbags - The hackers who create malware in the first place. (What must it be like to have so much free time on your hands that you can sit around and dream up ways to be more of a scumbag?)
- Hosting Companies – There are zillions of hosting providers out there today. And I would venture to say the vast majority of them are very good. But they can only do so much. Because of the popularity and usability of WordPress (we’ll get to that next), the hosting company only has so much control over your site. And the typical blogger/website owner only pays them to do so much. Most bloggers have shared hosting, where many sites share the same server. Hosting companies aren’t paid to go in and make sure everything is up to date, playing nicely together, well written (code wise), etc.
- WordPress – Though WordPress is the greatest thing since sliced bread, its popularity is also part of its weakness. Because it is so easy to use, more people create websites to share their talents, products, etc. Being “open source”, programmers and developers can create little pieces of functionality (like Shareaholic, LinkWithin, etc.) to help make your site more awesome. But in doing so, that opens more doors for the Scumbags to get their evil little bony fingers on your site.
- The Blogger/Website Owner – Gosh darn it, I love you all. And it’s because of you I can make a living. But you have a role to play in this too. My guess is that you probably don’t have a degree in programming and PHP. And you probably don’t have your own IT department that keeps everything nice and buttoned up. Of course you don’t.
So what’s a girl to do? Is there no way to fill in the gap that exists, leaving your site vulnerable?
Not quite. Like I said before, there is plenty you can do…
A few tips for WordPress security…
There are volumes written about “hardening” your WordPress site, and I will quickly add my two cents on the subject.
- Install a backup plugin - This is really the key to WordPress security. If your site does get hacked and you don’t have a backup of your WordPress files and database, then you’re really up a creek. As long as you have a good backup (or 2, or 8), you will most likely be able to recover pretty well from a malicious attack on your site. I use several different backup plugins, but one very simple one is BackUpWordPress. See the tutorial below.
- Keep things up to date - When WordPress and plugin updates come out, run the update. 9 times out of 10 everything works the way it is supposed to, but every once in a while you’ll have a conflict from one plugin with another. The majority of the time, updates are security fixes of potential or known gateways for malware.
- Do a little research - You don’t necessarily have to be a programmer to make some simple adjustments and add some security measures to your site. You just have to put on your thinker, read some tutorials, and learn a few technical terms. SiteGround and Infosec Institute have relatively easy tutorials on how to “harden” your WordPress site. Give it a try…you might surprise yourself.
- Consider a Maintenance Contract - Enter shameless plug… I’ve been offering various forms of maintenance contracts for my clients from the very beginning. They vary from software updates to monthly content and design updates. I know #3 above can be daunting, and most of my maintenance clients don’t have the time, expertise, or desire to deal with what is required to keep their site humming along. So I’ve created a new security maintenance package to specifically fill this gap that leaves your site vulnerable to attacks. Here’s what I include in the maintenance package*:
- WordPress Core Files Updates
- Plugins Updates
- Weekly Backups of WordPress Files and Database
- Security Plugin that Monitors, Prevents and Scans for Malware
- “Harden” Login Credentials (Usernames and Passwords)
- Spam Comment Deletion
- Priority Response/Support if a Problem Arises
I’ve priced the package as competitively as possible because I know most bloggers and small businesses are on a tight budget and they need to weigh out the costs vs. risks. However, if you determine that your site is worth an extra $240 per year (and is a tax write-off) and that recovering from an attack will start at around $500, it’s really a small price to pay. (Incidentally, a quick market comparison put similar services at $75-100 per month).
Aaaand, if you sign up by the end of January, I will give you your first month free! Now isn’t that just the cat’s meow?
To sign up and get started, contact me here.
How to use BackUpWordPress to back up your WordPress site
Ok so on to the BackUpWordPress tutorial. If you do nothing else in the way of security for your site, please do this. Back up your entire site. Regularly. I like to use BackUpWordPress because it’s a) simple, b) free, and c) reliable. Here’s how to set it up and use it.
1. Go to the Plugins page on your WordPress site. Click Add New and search for “BackUpWordPress”. It should be the first one listed in the search results. If you have trouble finding it, download it here and add it by clicking “Upload” on the same Plugins page.
2. Click ‘Install Now’. Click ‘Activate Plugin’ and ‘Ok’ on the pop up window.
3. Now that the plugin is activated, go to Tools on the right hand side menu. Click ‘Backups’.
4. This page will show your backup settings, schedule and a list of backups made. Click Settings to modify the default settings. (PS. I notice sometimes the pop-up window below doesn’t always load correctly. If you are taken to another page rather than the small pop up window with black background, click the back button and refresh the page until you see the pop-up window and black background as shown below).
5. Set the type of backup you want to do. I suggest doing ‘Both Database & Files’. If you have a huge (several years’ worth) database or lots of big images installed, you can separate your backups…do a scheduled backup for the database, and a separate one for files (WordPress). Either way, make sure you cover both areas! Select daily, weekly, etc. You can have as many schedules as you want. Unless you add a lot of content every day, a weekly backup should be fine for you. The backup runs at 11:00 p.m. You can leave the number of backups to store at 14, but that’s kind of overkill…I think 5-7 would be more than adequate. Enter your email address (this is important). Every time a backup is made, BackUpWordPress will email you, and if the file is small enough, will attach the backup in the email. Otherwise it will store it on your hosting account.
6. The first time you install the plugin (and any other time you’d like), it’s a good idea to run a backup manually. Click ‘Run Now’ and it will perform a backup immediately.
7. Finally, remember how I said it was important to include your email address? Well, the one little catch to the plugin (hey, it’s free after all…) is that it will only keep a backup on your server unless it’s small enough (under 10 MB) to email to you. But what happens if your site gets hacked and wiped out? Your backup will go right along with it. So to remedy that, it’s very important to download the backups each time you receive the confirmation email. It will look like this. Just click the link, it will take you to the same page under ‘Tools’ as above, and you can quickly and easily download the latest backup and keep it safe and sound on your hard drive until the next backup.
So that’s the basic gist of BackUpWordPress. You can learn more at hmn.md/tools. If you have any questions about the plugin or the maintenance contract, please holler!
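Two things in steps 5 and 7 are worth automating rather than trusting to memory: that each backup really covers both the database and the files, and that a copy leaves the hosting account (with only the newest 5-7 kept) before a wipe can take it along. This is an added example, not code from BackUpWordPress; the archive layout, file names and the nightly naming scheme are constructed for illustration.

```python
import io
import os
import shutil
import tarfile
import tempfile

def make_archive(path, with_db=True, with_files=True):
    """Build a constructed sample backup: a SQL dump plus one wp-content file."""
    with tarfile.open(path, "w:gz") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if with_db:
            add("database_wp.sql", b"CREATE TABLE wp_posts (ID bigint);\n")
        if with_files:
            add("wp-content/uploads/2024/01/photo.jpg", b"\xff\xd8\xff\xd9")
    return path

def backup_covers_both(path):
    """True only if the archive holds a SQL dump AND at least one wp-content file."""
    has_db = has_files = False
    with tarfile.open(path, "r:gz") as tar:
        for m in tar.getmembers():
            has_db = has_db or m.name.endswith(".sql")
            has_files = has_files or (m.isfile() and "wp-content/" in m.name)
    return has_db and has_files

def copy_offsite(path, offsite_dir, keep=7):
    """Copy a verified backup off the web host, keep only the newest `keep`
    (names are backup-YYYY-MM-DD.tar.gz, constructed, so sorting by name is
    oldest to newest) and return the names still held off-site."""
    if not backup_covers_both(path):
        raise ValueError("backup is missing the database or the files")
    os.makedirs(offsite_dir, exist_ok=True)
    shutil.copy2(path, os.path.join(offsite_dir, os.path.basename(path)))
    names = sorted(n for n in os.listdir(offsite_dir) if n.endswith(".tar.gz"))
    for old in names[:-keep]:
        os.remove(os.path.join(offsite_dir, old))
    return names[-keep:]

def demo(days=9, keep=7):
    """Simulate nine constructed nightly backups landing on the host and being
    copied off; after day 9 only the last seven remain off-site."""
    host, offsite = tempfile.mkdtemp(), tempfile.mkdtemp()
    for d in range(1, days + 1):
        archive = make_archive(os.path.join(host, "backup-2024-01-%02d.tar.gz" % d))
        kept = copy_offsite(archive, offsite, keep)
    return kept
```

A files-only or database-only archive is refused by copy_offsite rather than silently stored, which is the failure the page warns about when the two halves are scheduled separately.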