The WordPress Update Service is designed to keep a website up-to-date and backed up.
Security against WordPress hackers is never guaranteed; it takes a multi-layered approach. You have to cover all the bases to give yourself the best chance of recovering your WordPress website if a compromise happens.
Why is a WordPress Update Service needed?
Websites get hacked regardless of how big you are. Yahoo, LinkedIn, Sony and Tesco have all been hacked. I dealt with 6 hacked websites in 2016. WordPress powers around 30% of all the websites on the internet, so it makes an easy target. The majority of WordPress websites have third party plugins to extend the functionality of the content management system.
This is not unusual, but the more functionality added, the more opportunity hackers have to get in. In addition, many WordPress websites are hosted on commodity hosting suppliers that have differing standards of setup. Even WordPress itself has vulnerabilities that hackers take advantage of.
Case Study #1 – Jan 2017:
A firm of solicitors had their website compromised. Hackers altered files on WordPress, installing backdoor programs so they can access the hosting account at will. They also altered template files to include spamvertising links promoting ‘essay writing services’. The firm also has its company email hosted on the same hosting account.
They relied on backups being available from their webhost (Domain Monster). Four days later I still don’t have a backup of their website, which is also still down. They are reliant on the hosting provider supplying the backup. The client wants to keep the website as it was, so this involves a clean-up operation: removing infected files and re-installing on clean hosting. They are on my daily rate. Additionally, their domain name has been blacklisted, so they have experienced email deliverability issues. The client is considering email migration.
Case Study #2 – Sept 2016:
An ecommerce website is using OpenCart, a popular ecommerce system. Misconfiguration and outdated versions of the software resulted in the store getting compromised, and the same situation as above occurred – backdoors etc. The site was converted to WordPress and took two weeks to get onto new hosting.
Case Study #3 – Feb 2017:
Charity WordPress website on misconfigured webhosting; WordPress and plugins were up-to-date. The site got hacked with backdoors and spam links in content, possibly due to a previous historical attempt. Clean-up and migration took two days. The discovered hack was a defacement due to an out-of-date WordPress version.
Case Study #4 – August 2016:
WordPress/WooCommerce website (payment functionality disabled) built cheaply by a developer in Thailand on GoDaddy hosting. Site was hacked. Had more than 28 plugins installed. Job is on-going.
Why is a WordPress Update Service important?
If a site gets hacked the following things might occur:
- If you search for your website/company name on Google, it will appear number one but will be flagged as hacked.
- Email deliverability & blacklists. I would consider email more important than a website as it’s an essential business tool, a bit like a telephone or fax machine. If your domain name (e.g. your website) gets on a blacklist, this will affect whether a recipient receives an email from your company. The servers of a recipient you send an email to might be employing a blacklist and therefore bounce your email.
- Google Webmaster Tools actively monitors the WordPress version running on a website and will send the webmaster an email if it is out-of-date.
- Brand damage, defacements etc.
What the WordPress Update Service involves
There are two issues this solves:
- Making sure the software that runs the website is up-to-date
- In the event a compromise occurs, there are sufficient backups available to restore the site
Software means WordPress Core, as made available for download at wordpress.org and any plugins used on the site, whether free or premium.
When a notification of an update is available, I generally leave it for a few days, especially immediately after a WordPress core update. I usually find that plugins are reactive – they update after WordPress core has updated. Sometimes a plugin will update twice in as many days after a core update. It makes sense to wait for the developers of the plugin to correct their code before updating. It reduces the amount of work I have to do. Updates are timely but not slack.
The high performance hosting has daily backups built in, with 15 kept, so at most you’ll have 15 days in the past of backups to restore from. Restoring from one of these backups takes about 20 minutes. Additionally I take a files and database backup of a website every week, for 5 weeks, to remote Google Drive storage as a compressed zip file. After the 5th week, backups then start overwriting. So at any one time you will have 5 backups of a website for the last 5 weeks stored on remote storage. The frequency of these additional remote backups can be defined by you. So you may want a backup a month for 6 months.
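The weekly five-slot rotation described above, sketched as an added example (not the tooling this service actually uses). It assumes the database dump has already been written to a file and that `dest_dir` is a folder synced to the remote storage; the function names are hypothetical.

```python
import datetime
import pathlib
import zipfile

SLOTS = 5  # five weekly backups are kept; week 6 overwrites week 1


def slot_for(day: datetime.date, slots: int = SLOTS) -> int:
    """Map a date to a slot 0..slots-1 that changes every Monday.

    Counting weeks continuously (instead of using the ISO week number,
    which resets each January) keeps the rotation even across year ends.
    """
    return ((day.toordinal() - 1) // 7) % slots


def weekly_backup(site_dir, sql_dump, dest_dir, day, slots=SLOTS):
    """Zip site files plus a database dump into this week's slot."""
    site_dir, dest_dir = pathlib.Path(site_dir), pathlib.Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    target = dest_dir / f"backup-slot{slot_for(day, slots)}.zip"
    tmp = target.with_suffix(".zip.part")

    with zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(site_dir.rglob("*")):
            if path.is_file():  # includes wp-content uploads, themes, plugins
                rel = path.relative_to(site_dir).as_posix()
                zf.write(path, "files/" + rel)
        zf.write(sql_dump, "database.sql")

    # Verify the new archive before it replaces the old one, so a failed
    # run never destroys the previous good backup in that slot.
    with zipfile.ZipFile(tmp) as zf:
        bad = zf.testzip()
    if bad is not None:
        tmp.unlink()
        raise RuntimeError(f"CRC error in {bad}; previous backup kept")
    tmp.replace(target)
    return target
```

Changing `slots` and the divisor in `slot_for` gives other schedules, such as the monthly backup kept for 6 months mentioned above.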
Can’t we do it ourselves?
Yes you can. You’ll need to remember to take a files and database backup every so often and log in to WordPress to make sure each plugin and WordPress itself are up-to-date. In reality though this never happens when business owners are in charge, and it quickly gets pushed aside by more important business tasks.
How do you know this is happening? Isn’t it just a scare tactic to make me part with more money?
The image below is from logging software on my site. It logs multiple events on a WordPress website. You can see that in the last four hours I’ve had at least 7 attempts by someone trying to log in to my WordPress website.
Our webhost backs up our website, can’t we rely on them?
If you want, but I wouldn’t recommend it for the following reasons:
- Different webhosts have differing policies on backups, check their small print to understand how, when and where backups are taken.
- They may not back up all of WordPress’ files, especially the wp-content folder, which is traditionally populated by the owner of the website (you)
- How do you get access to a backup and how long will it take to get the backup files? See Case Study #1 above.
- Where are the backups stored? On the same account your WordPress website is stored? Not ideal.
- What if your webhost gets compromised? How do you get to your backup? What if they have a structural failure, like a corrupted hard drive on their server or a power outage, is your backup safe?
Is this an insurance/guarantee we won’t get hacked?
Absolutely not. I tell my SEO clients that want to get up on Google that I have techniques that have shown good results in the past, but I can’t guarantee they still work. I don’t know Google’s algorithm; if I did, surely others would also know it, and not everyone can be number one.
Hacking is the same. I don’t control the hackers and therefore I don’t know what they are up to. All I can do is employ mechanisms that reduce the opportunity to get hacked and, if a hack does happen, give a better chance of restoring the site to normal operation.
Note that I don’t offer this service to websites that are hosted on third party servers. You need to be using my hosting in order to take this service out.