Welcome to our 9-part series of the Ultimate Guide to Protecting Your WordPress Website.
This is Part 9: Backups and Solid Routines
You won’t have to be too technical to do these yourself, and I’ll be here showing you on the screen, step by step, how to do it.
Here are a few things you’ll need to prepare before starting:
- WordPress Administrative Area Login URL, which in most cases is /wp-admin after your domain name
- Your WordPress administrative username
- Your Password
Today I’m going to talk about best practices in terms of backing up your website, and how to build a solid routine to ensure your site is always secured.
WordPress security is always a balancing act between security vs. usability. The more open and easy you make the site to access, the less secure that site becomes.
All this is stated so that we can understand that even if we do everything we need to do to provide better WordPress security, sometimes life happens.
Sometimes a WordPress website is compromised through no fault of yours. (Example: your WordPress website is on a shared hosting account, and ANOTHER WordPress website on the same shared hosting account never updates and becomes compromised to the point that the attacker gains access to the server, which can then be used to attack other “secure” WordPress websites like yours.) So what can be done about this issue?
Regularly Scheduled WordPress Backups
Having regularly scheduled WordPress backups is the best antidote against things happening to your site. Whether the issue is an actual compromised site or just a server issue with faulty hardware, if a backup is available, a WordPress site owner can always restore to a valid, working and secure version of their WordPress site. While we back up at minimum once a day, and for most clients 2-3 times a day, we highly recommend you do it at least once a week or before each time you make an update to your website.
One of the most common mistakes I’ve seen is that people believe their web hosting provider already has backups. We have had clients who, prior to coming to us, lost their entire website because they thought the web host made backups… they did, but the issue was that most, if not all, of them save the backups where the website is stored. Meaning, if your web host goes down, so does your backup! Be extremely cautious of that. If you run a backup, save it to the cloud, or anywhere that is not on the current server.
Another common mistake is that people only back up the files. A lot of people just use FTP and download all the files on the server, but WordPress is a two-part system. There are the files, and there is the database. You need to have both to make WordPress fully functional. So make sure when you back up, you back up both.
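As an added example (not part of the original post), here is a small shell check for the three points above: the backup is not kept inside the website's own folder, it contains both a files archive and a database dump, and both are no older than a week. The function name `check_backup_set` and the file-name patterns are assumptions; the check only shows the folder is outside the web root, not that it sits on a different server.

```bash
#!/usr/bin/env bash
# Added example: audit one backup folder against the rules described above.
# Assumed naming (hypothetical): files archive = *.tar.gz or *.zip,
# database dump = *.sql or *.sql.gz. Adjust to what your backup tool writes.

# check_backup_set BACKUP_DIR WEB_ROOT [MAX_AGE_DAYS]
# Prints one line per problem; returns 0 only when nothing is wrong.
check_backup_set() {
  local dir="$1" webroot="$2" max_age="${3:-7}" problems=0
  local dir_abs web_abs files_ok db_ok
  dir_abs=$(CDPATH= cd -- "$dir" 2>/dev/null && pwd -P) ||
    { echo "MISSING: backup folder $dir"; return 1; }
  web_abs=$(CDPATH= cd -- "$webroot" 2>/dev/null && pwd -P) ||
    { echo "MISSING: web root $webroot"; return 1; }

  # Rule 1: the backup must not be stored where the website is stored.
  case "$dir_abs/" in
    "$web_abs"/*)
      echo "LOCATION: $dir_abs is inside the web root $web_abs"
      problems=$((problems + 1)) ;;
  esac

  # Rules 2 and 3: a non-empty files archive AND a non-empty database dump,
  # both modified within the last MAX_AGE_DAYS days.
  files_ok=$(find "$dir_abs" -maxdepth 1 -type f -size +0 -mtime "-$max_age" \
    \( -name '*.tar.gz' -o -name '*.zip' \) | head -n 1)
  db_ok=$(find "$dir_abs" -maxdepth 1 -type f -size +0 -mtime "-$max_age" \
    \( -name '*.sql' -o -name '*.sql.gz' \) | head -n 1)
  if [ -z "$files_ok" ]; then
    echo "FILES: no non-empty files archive newer than $max_age days"
    problems=$((problems + 1))
  fi
  if [ -z "$db_ok" ]; then
    echo "DATABASE: no non-empty database dump newer than $max_age days"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Run directly as: ./check_backup.sh /path/to/backups /path/to/site 7
[ "$#" -lt 2 ] || check_backup_set "$@"
```

Point it at the folder where your downloaded or cloud-synced backups land; a non-zero exit status means at least one rule failed.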
Unfortunately, there are no good free plugins out there without significant downsides like having no restore options, etc. Here are some recommended backup plugins you can use to do it on your own if you are not on our support service already:
WordPress Core, Theme, & Plugin Updates
Now that you have things backed up, you need to ensure you do this routinely. Not only backups, but updates too.
One of the easiest ways to create an unsafe and unsecured WordPress environment is to simply not update the WordPress core or any of the plugins and themes.
The majority of all updates are for security patches and code fixes. So check often!
While our team checks daily for these updates for our clients, you may not have the time to do this. But checking once a week is a must. What worked for me before I had this service was adding a recurring 30-minute task to our calendar, so it reminds me to check the WordPress administrative dashboard.
If there is an update, please remember to always back up first in case the update breaks the site, which it sometimes does. Whenever there is an update for a plugin or theme, you should also check the changelog by visiting the plugin developer’s website to see what was updated in that version.
If they tell you it’s a major release, or you notice things that will affect some of the features on your site, you need to double-check that your site is working properly after updating.
Updating routinely is key
If a WordPress site is out of date, then all the previous WordPress security suggestions are essentially useless.
Thank you for watching. You now have the tools & resources to take repeatable actions in order to protect your website.
I hope you’ve enjoyed this 9-part series on securing your website – if you want to get more updates and insights on creating peace of mind for your website, or finding ways to generate more leads to your website, subscribe here.
Looking for previous episodes of the Ultimate Guide to Securing Your WordPress site?
- Part 1: Changing Your Admin Username
- Part 2: Enable Two Factor Authentication
- Part 3: Limit Login Attempts
- Part 4: Disable File Editing via the WordPress Dashboard & Eliminate PHP Error Reporting
- Part 5: Hide Your WordPress Version
- Part 6: Secure Your Site with SSL
- Part 7: Using & Setting up CAPTCHA
- Part 8: Security Plugins
If you have any questions or comments, please comment below.
Sven is an avid outdoorsman, father and social creature who never stops striving to make the ideal work-life balance a less elusive notion. He gets his kicks by making WordPress do things it didn’t know it could do.