Backups – The Forgotten Website Security Pillar

I travel a lot (might actually be an understatement these days), but the travel always revolves around a couple of common threads – website security education and awareness. In these travels, regardless of whether I’m speaking with a WordPress, Joomla, Drupal, or any other community, there are always common questions like – “How important is it to proactively protect my environment?” or, “How can I fix my environment after it’s been hacked?” Of course, those are really important questions, and as the CEO of a company that meets those needs, I’m more than happy to answer. But as I’ve traveled the country to do just that, I’ve noticed a fundamental lack of understanding on the basic security need, backups. Specifically, how backups fit into the security spectrum.

It’s very easy to get bogged down in the minutiae that makes up your website’s security, but as with everything, having a great foundation will provide the security required when everything else fails.

Backups – Your Safety Net!

Every car has a spare tire. Those spare tires are often nothing more than an adornment you’ve forgotten about, hidden in some obscure cavity of your trunk or strapped to the underbelly of your vehicle. That tire allows you to operate freely and drive without fear, knowing that when all hell breaks loose — a nail causes a slow leak or your tire blows out – you have a safety net.

Think of backups the same way! They are your safety net for when your website breaks and you have no idea how to fix it.

Having all the tools in place to protect your website from hackers, or to detect if a hacker has gained entry, will do you very little good if the attacker creates a worst-case scenario by doing any of the following:

  • Overwrites your files
  • Runs rm –rf
  • Right clicks and presses Delete

Not even companies like my own have devised a way to undo the worst-case scenario. Once the files are overwritten, or deleted, there is no going back. This was the case in this past week’s giant cluster of an issue.

Backup Considerations

Backups aren’t meant as your sole security measure and there are a lot of reasons for it. The first one is that a backup simply reverts your site content to what it was like whenever you last made a backup, meaning that any content uploaded in the meantime will be lost. Second, it doesn’t fix the problem or keep you from getting reinfected (sometimes in minutes). Of course, that’s why we’ll always recommend proactively protecting your website so that you don’t get hacked in the first place.

With all of that said, a backup still serves a hugely important function. When all else fails or everything is broken, it gives you your site back. Here are the requirements I’ve used for my own sites when looking for backup solutions:

  1. Look for a service-based backup solution. There are many backup solutions or tools that will allow you to backup your files to a desired location. This will work for some, but not for others. The reality is many of you give very little thought to space and will often leverage existing space (i.e., your web server) to save the backups. It’s important to know that this defeats the purpose of the backup because the first thing an attacker will delete when they log into your environment are those little zip files that read: backup_xxxx.zip
  2. If you prefer a backup tool, great, try using a third-party provider (i.e., Dropbox, Box) that allows you to keep the backups in a safe, remote location.
  3. Keep in mind the frequency of your backups. If you generate a lot of content, then create a backup schedule that matches that need or you will run the risk of losing the content. If you update less frequently, ratchet the cadence of your backups down.
  4. If you run some of the more popular CMS applications like WordPress, Joomla, Drupal or the like, then consider backing up only key files (i.e., themes, plugins, extensions, etc…). Often backing up core directories like wp-admin, wp-includes, administrator, includes, and others will be unnecessary. All CMS applications are different, so consult your development staff as they might have made core configurations that could cause issues if not backed up.
  5. If you use premium themes, templates, extensions, plugins, or the like, then keep a fresh copy backed up in a safe location. This is very different than the normal backups discussed above. This is just a clean copy of the original install. You never know when you’ll need it. Trust me when I say that your security and development team will thank you.

Many of these items might appear to be common sense, and many are, but we continuously harp on them. We do that because it’s easier than ever for people to create a website, but oftentimes they do so not knowing the security basics that can save them when the worst happens. If you’re a client, backups are available on your dashboard. If you have any questions, we’ll be happy to assist.

If you’re not a client, inquire within your respective community. There are various sources that will make backups available to you at a low cost. The first source to check is your host. Many will offer you, at minimum, a 24-hour backup service. It’s not ideal, but again, life rafts never are. You just know that when all goes wrong, you’ll be really happy that you have that life raft.

1 comment
  1. For some reason I can not login using disqus, I have to go to disqus and code the url so I can comment. UGH!

    Anyway… Backups are so vital, I can not believe that people do not take them seriously.
    Two major issues come to mind that we were presented with.

    ONE
    Client contacted us and wanted to move to our company. Their old developer simply put their site in a host and handed over the keys, giving all responsibility to the client who naturally did not know how to properly use the hosting system. They were subsequently hacked and when they contacted the host, they were told that no backups had been setup on their account. They contacted the developer who informed them that the client is responsible for all coding updates, hosting environment updates and configuration!
    They lost everything.

    We do not hand over the keys to our clients. We do not provide them with full access to their hosting account because for our clients, it is simply not needed and doing so is a security risk as they can alter settings that that they are unfamiliar with. We manage the updating and day to day running of every aspect except the content.

    TWO
    Another client had a dedicated server with their old developer. The server had major stability issues and was restarting 16+ times per day. The host should have been emailing the client to notify them using automatically triggered emails, but that failed and no emails were sent. By the time they were aware that there was an issue, the server would not turn on. The hard drive had failed. While the data was recovered from the hard drive, it was not all present and the items that were present were corrupted. Guess where the backups were stored? Yup, on that same hard drive!

    In closing, I think it is also vital to ensure that you do not overwrite old backups. If you do suffer a hard drive failure, it could come on slowly, corrupting some files and increasing. If you overwrite your backups, you are backing up corrupted data which would not be easy to restore when you find that you have an issue.

    This happened to ma.gnolia.com which suffered database corruption, hard drive failure and all backups contained corrupted data. Little did they know that the backups were backing up corrupted information

Comments are closed.

You May Also Like