[BreachExchange] Disaster recovery for WordPress sites
Inga Goddijn
inga at riskbasedsecurity.com
Wed Oct 5 19:38:40 EDT 2016
https://www.godaddy.com/garage/webpro/security/disaster-recovery-for-wordpress-sites/
The internet is many things: it’s powerful and ubiquitous, vast and
intelligent. But one thing it’s not: safe. When creating any new WordPress
site, the first thing to think about is what happens if it’s destroyed. Two
words: Disaster recovery.
Cyber threats are ever increasing in number, efficiency and sophistication.
In 2015, zero-day vulnerabilities occurred every week
<https://www.symantec.com/about/newsroom/press-releases/2016/symantec_0411_01>,
and over a million websites were attacked each day. It’s hard to
overestimate the scale of the problem.
If you have a WordPress website, you’re no doubt aware of the terrifying
and bewildering array of malware that’s out to exploit vulnerabilities and
bring you down. The online world is crawling with bugs, worms, viruses,
adware, spyware, ransomware, rootkits, Trojan horses and net bots. These
can infect security holes, take control of our websites and use them to
host bad content or to ‘spamvertise.’ They can spy on us, take sensitive
information and personal records, and harvest customer data. They can hold
us ransom and steal money.
WordPress plugins, extensions and themes
<https://www.godaddy.com/garage/webpro/security/security-tips-plugins-themes-extensions/>are
likewise vulnerable; some might simply be bad from the start. The more you
customised your website, the more at risk it becomes.
Threats come from all directions, and in this dangerous, dog-eat-dog online
world, we’d be foolish not to protect ourselves and prepare for the worst.
The cost of having your WordPress site hijacked or destroyed is immense;
think of the wasted hours and the damage to your reputation, user
confidence and web ranking — and that’s before you include the cost of
stolen data or money.
Start with little wins
A lot of automated threats pick off the weakest first, so taking even the
simplest precautionary steps can make a big difference in the long run.
Here are a few easy ways to secure your site quickly:
*Secure your Login page* and implement strong passwords, two-step
authentication
<https://www.godaddy.com/garage/webpro/security/setting-two-factor-authentication-wordpress/>
and
limited login attempts.
*Keep up-to-date*, getting automated updates on your WordPress core, along
with all themes and plugins (which you should keep to a minimum and
carefully review before installation).
*Install security applications* and web-application firewalls.
*Limit access,* changing file permissions, hiding author usernames and
restricting user access.
*Use .htaccess to protect your most important files* (like your wp-admin
directory and wp-config.php file) and use SSL
<https://www.godaddy.com/garage/webpro/security/wordpress-ssl-for-managed-wordpress/>
to
encrypt data.
*Constantly monitor* using logs to keep track of what’s happening on your
website and files.
Steps like these go a long way to managing the risk and mitigating the
threat.
Embrace backup plugins
With new ways of hacking and new vulnerabilities being discovered all the
time, it’s vital that you have a last line of defense, the ultimate
insurance policy for any kind of catastrophe: *backup plugins. *
Creating regular copies of your website is a vital.
What’s more, backing up your website is quick and easy. Your web host may
provide a backup service (GoDaddy Managed WordPress
<https://www.godaddy.com/websites/wordpress?isc=cardigan> offers daily
backups and one-click site restore, for example), although there are plenty
of good plugins that are more comprehensive and convenient, and most of the
basic versions are free.
When considering which backup to go for, it’s important to choose wisely.
You need something that’s completely trustworthy, but also something that’s
intuitive and has everything you want.
Here’s a checklist of things to look out for in a backup plugin:
1. Reliability
Never take a risk on an unknown backup plugin. You need something solid,
something tried-and tested: a plugin that’s widely used, with excellent
reviews and a top-star rating. Check out the rating
<https://wordpress.org/plugins/search.php?q=backup> before you make your
choice.
2. Cloud storage options
Using an offsite location such as Dropbox, Amazon S3 and Google Drive to
store your backups means your backups remain safe even if your physical
file server is destroyed.
Cloud backups are secure, affordable and simple-to-use.
They also give you anytime, anywhere access.
Astonishingly, some plugins backup to the same server as your website —
avoid these if you want to keep your site safe!
3. Scheduling functions
Choose a plugin with a scheduling function to ensure that your backups take
place automatically, regularly and consistently, with minimal effort on
your part. Plugins like UpdraftPlus <https://updraftplus.com/> enable you
to set up backups to take place daily, weekly or monthly at the time of
your choice. How often you schedule in backups depends on factors like your
website’s size, frequency of updates and daily traffic.
4. Comprehensibility
It’s ideal to have a plugin that can back up not just your website, but all
related files and databases, including those not on WordPress. Some
plugins, like UpdraftPlus, can even import and restore backups that have
been made by other backup plugins.
5. Ease of restoration
Opt for a plugin that makes backup restoration quick and easy. If anything
bad happens to your website, the last thing you need is hassle in making
things good again. Ideally, opt for a plugin that allows you to restore
individual websites and files, too.
6. Security
There’s no point in having a ‘last line of defense’ that isn’t robust
against security threats – backups can also be hacked! A plugin like
UpdraftPlus encrypts your stored data and uses encryption when transporting
your website to cloud storage.
Take some of the sting out of disaster recovery
Once you’ve chosen, installed and setup your WordPress backup plugin,
you’ll barely have to think about backups again. That is, until the day of
disaster, when you can easily restore your shiny, untainted website in a
matter of minutes. The right backup plugin can take much of the sting out
of disaster recovery. There’s nothing like the smug, satisfying feeling
that comes from knowing that your foresight and preparation saved your
WordPress website from disaster.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161005/9ca839b0/attachment.html>
More information about the BreachExchange
mailing list