I travel a lot (might actually be an understatement these days), but the travel always revolves around a couple of common threads – website security education and awareness. In these travels, regardless of whether I’m speaking with a WordPress, Joomla, Drupal, or any other community, there are always common questions like “How important is it to proactively protect my environment?” or “How can I fix my environment after it’s been hacked?” Of course, those are really important questions, and as the CEO of a company that meets those needs, I’m more than happy to answer. But as I’ve traveled the country to do just that, I’ve noticed a fundamental lack of understanding of the most basic security need: backups. Specifically, how backups fit into the security spectrum.
It’s very easy to get bogged down in the minutiae that make up your website’s security, but as with everything, having a great foundation will provide the security required when everything else fails.
Backups – Your Safety Net!
Every car has a spare tire. Those spare tires are often nothing more than an adornment you’ve forgotten about, hidden in some obscure cavity of your trunk or strapped to the underbelly of your vehicle. That tire allows you to operate freely and drive without fear, knowing that when all hell breaks loose – a nail causes a slow leak or your tire blows out – you have a safety net.
Think of backups the same way! They are your safety net for when your website breaks and you have no idea how to fix it.
Having all the tools in place to protect your website from hackers, or to detect if a hacker has gained entry, will do you very little good if the attacker creates a worst-case scenario by doing any of the following:
- Overwrites your files
- Runs rm -rf
- Right-clicks and presses Delete
Not even companies like my own have devised a way to undo the worst-case scenario. Once the files are overwritten, or deleted, there is no going back. This was the case in this past week’s giant cluster of an issue.
Backups aren’t meant as your sole security measure and there are a lot of reasons for it. The first one is that a backup simply reverts your site content to what it was like whenever you last made a backup, meaning that any content uploaded in the meantime will be lost. Second, it doesn’t fix the problem or keep you from getting reinfected (sometimes in minutes). Of course, that’s why we’ll always recommend proactively protecting your website so that you don’t get hacked in the first place.
With all of that said, a backup still serves a hugely important function. When all else fails or everything is broken, it gives you your site back. Here are the requirements I’ve used for my own sites when looking for backup solutions:
- Look for a service-based backup solution. There are many backup solutions or tools that will allow you to back up your files to a desired location. This will work for some, but not for others. The reality is many of you give very little thought to space and will often leverage existing space (e.g., your web server) to save the backups. It’s important to know that this defeats the purpose of the backup, because the first thing an attacker will delete when they log into your environment is those little zip files that read: backup_xxxx.zip
- If you prefer a backup tool, great. Try using a third-party provider (e.g., Dropbox, Box) that allows you to keep the backups in a safe, remote location.
- Keep in mind the frequency of your backups. If you generate a lot of content, then create a backup schedule that matches that need or you will run the risk of losing the content. If you update less frequently, ratchet the cadence of your backups down.
- If you run some of the more popular CMS applications like WordPress, Joomla, Drupal or the like, then consider backing up only key files (e.g., themes, plugins, extensions). Often backing up core directories like wp-admin, wp-includes, administrator, includes, and others will be unnecessary. All CMS applications are different, so consult your development staff, as they might have made core configurations that could cause issues if not backed up.
- If you use premium themes, templates, extensions, plugins, or the like, then keep a fresh copy backed up in a safe location. This is very different than the normal backups discussed above. This is just a clean copy of the original install. You never know when you’ll need it. Trust me when I say that your security and development team will thank you.
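The list above as a script, added here as an example (not code from the original post): it archives only site-specific WordPress paths, refuses a destination inside the site tree, and checks that the archive reads back. Assumed: a standard WordPress layout, the hypothetical function name `backup_site`, `wp-config.php` and `wp-content/uploads` as extra key paths, and a destination directory that is synced or mounted from remote storage.

```shell
#!/bin/sh
# Added example: selective WordPress backup written outside the site tree.
# Assumption: DEST_DIR already exists and is synced or mounted from remote
# storage, so the copy does not live on the web server's own disk.

# backup_site SITE_ROOT DEST_DIR  -> prints the archive path on success
backup_site() {
    site=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such site root: $1" >&2; return 2; }
    dest=$(cd "$2" 2>/dev/null && pwd -P) || { echo "no such destination: $2" >&2; return 2; }

    # A backup kept inside the site tree is deleted along with the site.
    case "$dest/" in
        "$site"/*) echo "refusing: $dest is inside $site" >&2; return 3 ;;
    esac

    # Only site-specific content; core directories such as wp-admin and
    # wp-includes are skipped because they can be reinstalled.
    set --
    for p in wp-config.php wp-content/themes wp-content/plugins wp-content/uploads; do
        if [ -e "$site/$p" ]; then set -- "$@" "$p"; fi
    done
    [ $# -gt 0 ] || { echo "nothing to back up under $site" >&2; return 4; }

    archive="$dest/backup_$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    tar -czf "$archive" -C "$site" "$@" || return 5

    # Confirm the archive can be listed before relying on it.
    tar -tzf "$archive" >/dev/null || return 6
    echo "$archive"
}
```

Run it from a scheduler at a cadence that matches how often the site's content changes.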
Many of these items might appear to be common sense, and many are, but we continuously harp on them. We do that because it’s easier than ever for people to create a website, but oftentimes they do so not knowing the security basics that can save them when the worst happens. If you’re a client, backups are available on your dashboard. If you have any questions, we’ll be happy to assist.
If you’re not a client, inquire within your respective community. There are various sources that will make backups available to you at a low cost. The first source to check is your host. Many will offer you, at minimum, a 24-hour backup service. It’s not ideal, but again, life rafts never are. You just know that when all goes wrong, you’ll be really happy that you have that life raft.