By Seán O’Connell
My mother-in-law kindly telephoned to let me know that her granddaughter’s photo website was now a propaganda hub for a Saharan militant group.
Luckily, I had backups. So it only took three days to replace the machete mutilation tips with the angelic photos of smiling little faces.
Then it was on to the other two hacked sites . . .
Those backups saved my sites. But I’d made two other crucial mistakes that allowed the problems to happen in the first place.
Instead of learning from the mistakes you will make, learn from mine. Believe me, I’ve made every mistake below and more.
So Many Mistakes You Could Make
In the case of WordPress, the primary focus of a novice is to set everything up and get things running as soon as possible. In this hurry, quite a few things get ignored, and that neglect can lead to security vulnerabilities that affect your blog or site in the long run.
When you set up your WordPress site there are a ton of things to do. But if I were to pick the top three most CRUCIAL things you need to get right on any new WordPress site, these would be: backups, updates and security.
You’ll notice there’s nothing specific to WordPress in these three but they are as important for a WordPress website as for any other kind of online technology. These are the serious things that can have dire consequences for your business if they’re overlooked.
Most Common WordPress Mistake #1: You Assume Your Backups Are Being Done
And I’m betting that you aren’t very likely to cheer “yay for backups” when you hear it once more from me; more likely is that you roll your eyes and groan quietly . . .
Mundane, boring, tiresome . . . yes, backups can be all of these things and less! There’s absolutely nothing exciting about them.
But when your website suddenly disappears, becomes completely inaccessible or gets hacked, that humble backup will be the most glorious life-ring you could ever imagine clinging to.
I’ve seen more websites saved thanks to backups than I can remember.
Having a smart, reliable backup procedure in place is the best insurance your business can have for your website. And it’s not just in case you’re hacked.
Modern software is complicated and WordPress is no different. It’s written by lots of different people all over the world. All of those plugins and themes have to somehow work together and, miraculously, they do. Most of the time.
But it does happen — probably more often than you realise — that things don’t work quite as nicely together as you’d hope.
- An update breaks something.
- Or you misconfigure a plugin and now you’re locked out of your site.
- Or you change a setting in the administrator dashboard to see what happens and now all you can see is a blank white screen.
- Or, indeed, as happens more and more often nowadays, your site gets hacked.
In all of these cases that boring little backup will be crucial to easily resurrecting your website.
Without that boring little backup, your site could be gone forever.
Do You Have This Mistaken Belief?
One of the most common WordPress mistakes is to assume your host takes care of your backups.
Most web hosting companies will tell you that they’ll back up your website every night as part of your hosting plan. If you think that means you don’t need to worry about backups, then I need to correct you. According to the Terms of Service of most hosting providers, they are not obliged to provide you with working backups; you are explicitly responsible for making the backup, testing it and restoring it if needed. For more on this you might want to read this post, https://wpstrands.com/dont-rely-on-your-hosts-backups/, and think again.
Here’s just a sampling from some famous hosting companies’ terms of service statements:
“You agree to accept as a risk the loss of any and all of your User Content”
“Customers are responsible for their own backups”
“We … do not guarantee the availability or restoration of any lost data”
“We cannot guarantee that a Shared Backup will be available for restore”
“It is your responsibility to backup data of all your content”
“it is your obligation to restore your website”
“. . . no guarantee that the backup will work properly”
“You are solely responsible for keeping a separate backup”
Source — SiteGround, Bluehost, Inmotion, GoDaddy TOS
Do any of these statements leave you feeling confident that you can rely on your host’s backups? Not me.
I’m no legal expert so I’ve no idea how they get away with stating they will backup your data daily while simultaneously stating they don’t guarantee they will back up your data and you have to do it yourself. But that’s exactly what most hosting companies do.
The long and short of it is that you do need to take care of backups yourself. And if your business means anything to you, a sensible backup plan is the first thing you’ll set up before your site goes live.
Thankfully, WordPress makes it all very easy. There are many popular plugins for backing up your website available. These plugins can make a backup of all your site files and of all your site content in the database.
Check the official plugin page for some of the most popular backup plugins. And don’t forget to choose your plugin wisely: https://wpstrands.com/how-to-choose-wordpress-plugin/
A Warning About Backup Plugins
Now, to be honest, I’m not the greatest fan of backup plugins. For most people, just installing a plugin, setting it and forgetting it is enough to remove their backup worries.
Not for me. If we look just a bit deeper into how these backups are done we can see there can be problems using a plugin for such a vital job.
For one thing, they have about a 90% success rate.
Granted, a 10% failure rate doesn’t sound too bad. But that means one in ten of those backups doesn’t go so well.
And if you back up daily, that means there’s a 1 in 10 chance you won’t be able to restore your site to the day you want!
I don’t know about you, but that’s not a risk I’m prepared to take with my site. (See https://wpstrands.com/dont-rely-on-your-hosts-backups/#tab-con-9)
Secondly, many backup plugins store your backup somewhere on your web server. This means if your server has a problem or is hacked, there’s a good chance you can’t reach or use your backup that’s stored on it. This is why you should opt for a safer and more reliable solution that separates your backups from your website.
And finally, plugins give you the sense that “I’ve added the functionality now so it’s all fine.” But it’s a mistake to think that that’s enough. You need to check regularly that those backups are being done correctly. They need to work without errors and — the vital feature — they need to be able to restore your website. Hands up again if you regularly test your backups like that.
The Best Solution to WordPress Mistake #1
The most reliable backup strategy consists of a separate backup system that stores your website backup in a secure location (preferably multiple locations) away from your web server. It’s called not putting all your eggs in one basket.
You can manually create a backup via cPanel and store it on your own computer.
That’s better. But your computer could be stolen or your drive could fail. Your house could even burn down. I really hope none of these ever happen but sometimes they do. Hope is not a reliable strategy for backups.
You can have your backup emailed to you (if it’s small enough), sent to an FTP server (if you have one) or stored on some cloud storage you own (if you can afford it).
As you can see there are a lot of options and a lot to think about. It might all seem like overkill to someone who owns a smallish website.
This is why there are simple solutions, like using plugins, that will get you up and running now while you think about a longer term strategy. There is never shame in asking so if you need help with that just ask me and I’ll tell you what I know.
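Here is what “check regularly that those backups are being done correctly” looks like in practice. This is an added example, not tooling from the original post: a small POSIX shell script that archives the site’s files, stores the archive outside the web root, and then proves the archive restores by extracting it to scratch space and comparing it with the live tree. Everything in it is assumed for the demo: the site path and backup path are arguments, the demo site tree is constructed sample data, and the optional database dump runs whatever command you put in a WP_DUMP_CMD environment variable (a name I chose, meant for something like a mysqldump of the site’s database).

```shell
#!/bin/sh
# Added example (not from the original post): build a WordPress file backup,
# store it outside the web root, and prove it restores by extracting it to a
# scratch directory and diffing it against the live tree.
# Assumptions (mine, not the post's): the site lives in $1, backups go to $2,
# and a database dump is produced by the command in $WP_DUMP_CMD when it is set
# (for example a mysqldump of the site database); when unset, that step is skipped.

set -eu

# make_backup SITE_DIR BACKUP_DIR -> prints the path of the archive it wrote
make_backup() {
    site=$1
    dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/wp-$stamp.tar.gz"
    mkdir -p "$dest"
    # Optional database dump, written beside the archive with the same timestamp.
    if [ -n "${WP_DUMP_CMD:-}" ]; then
        sh -c "$WP_DUMP_CMD" > "$dest/wp-db-$stamp.sql"
    fi
    # -C so the archive holds relative paths and can be restored anywhere.
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
    # Record a checksum next to the archive so off-site copies can be checked later.
    cksum "$archive" | awk '{print $1, $2}' > "$archive.cksum"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE SITE_DIR -> exit 0 only if the archive is intact and
# restores to an exact copy of SITE_DIR; this is the step most people skip.
verify_backup() {
    archive=$1
    site=$2
    # 1. Integrity: the checksum recorded at backup time still matches.
    [ "$(cksum "$archive" | awk '{print $1, $2}')" = "$(cat "$archive.cksum")" ] || return 1
    # 2. Restorability: extract to scratch space and compare tree against tree.
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$site" "$scratch/$(basename "$site")" > /dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# Demo on a constructed site tree (sample data, not a real site).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/site/wp-content/uploads"
printf '<?php define("DB_NAME", "wpdb");\n' > "$demo_root/site/wp-config.php"
printf 'family photo placeholder\n' > "$demo_root/site/wp-content/uploads/photo.jpg"
# Backups live in a directory outside the web root (here a sibling of "site").
ARCHIVE=$(make_backup "$demo_root/site" "$demo_root/backups")
if verify_backup "$ARCHIVE" "$demo_root/site"; then
    echo "backup verified: $ARCHIVE"
else
    echo "backup FAILED verification: $ARCHIVE" >&2
fi
```

The off-site step the post recommends is the one command this script stops short of: copy the archive and its .cksum file to storage you control (rsync, scp or your cloud provider’s command-line tool) and run verify_backup against that copy, not the one sitting on the web server. A backup that has only ever been verified on the machine it came from has not yet proved it can save you.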
Most Common WordPress Mistake #2: Putting Off Updates
I once had three websites hacked on the same day. I couldn’t stop the sites displaying the hackers’ propaganda, I couldn’t update the pages to clean up that propaganda, I couldn’t even log in to my dashboard to see what was going on. I felt helpless, useless and had a knot in my gut because two of these websites belonged to clients of mine.
Even with the backups I had it took days to get the sites cleaned up and useable again.
I’d made another of the most common WordPress mistakes — the website software hadn’t been kept up to date. A lot of people still don’t know that installing updates is the single most effective security precaution for their WordPress website.
It was no consolation that I’d previously tried to convince these customers to pay for regular maintenance and that they’d refused. The customers on that hacked server who were being kept up to date hadn’t been hacked at all.
Everyone who owns a modern digital device knows a thing or two about updates. They are annoying, inconvenient and ubiquitous. But they’re extremely important.
Why they’re important / What can happen:
The most common way websites are hacked is through out-of-date software. So, it stands to reason that the single most effective way to keep your website or device secure is to keep its software up to date. New security problems are being discovered all the time, so it’s important to constantly update and patch that software.
The same is true for your WordPress website. The WordPress team are diligently and constantly repairing security problems and updating the software to keep pace with changing technology.
These updates come fast and furious — in 2018 there were 18 new versions of WordPress released (22 new versions in 2017) and a whopping 59 updates across all the different supported versions of WordPress (113 updates in 2017)! Yep, WordPress is a popular target among hackers.
At a deeper level, there are more updates to look out for. PHP, the programming language that powers WordPress, recently (December 2018) stopped providing updates for older versions of the language. Yet many WordPress websites are still running on a version of PHP that is more than 7 years old! Again, your hosting company will not necessarily make these updates for you. And again, you need to test that all your plugins etc. will work on the newer version of the language.
The Solution to WordPress Mistake #2
The solution is simple — keep the software updated. I know putting this into regular practice is not always easy. You need to install the update as soon as possible and you need to test that the update works well with all the other bits and pieces of code on your site.
The easiest way to do this would be to automate both the update installation and the testing afterwards. Unfortunately, there’s no simple way to automate this testing just yet. There are so many plugins and themes and so many possible combinations of them on so many possible server configurations that it’s not even possible to calculate all the ways they can interfere with each other.
Plugins to manage updates do exist but I really don’t recommend using them. You have no way of knowing if the update plays well with your site without manually checking it page by page.
The absolute simplest solution is to outsource this as part of a full maintenance subscription for your site.
Most Common WordPress Mistake #3: Not Taking Basic Security Precautions
WordPress has pretty good security built in. But any system is only as strong as its weakest link. And, as has been true for all technology throughout history, WordPress users are the weakest link, not the software itself.
In 1990 some of the most common (English language) passwords included words like password, iloveyou, qwerty and 123456.
Over a decade later, in 2001, the internet was a vastly different place. So you might expect passwords to have evolved as well. Some of the most common passwords in 2001? Password, qwerty, iloveyou and 1234567.
Again, in 2011, password, iloveyou, qwerty and 123456 featured among the most common passwords online.
Fast forward to today; now we’re all much more computer-savvy and aware that hacking is becoming more mainstream. Surely we’ve learned a thing or two about the importance of choosing a strong password? The most common passwords in 2018 include . . . you guessed it: password, 123456, qwerty and iloveyou.
Sigh. It seems Paulo Coelho was right when he said “People never learn anything by being told, they have to find out for themselves.”
But this has to change.
One of the most effective ways for anyone to break into your WordPress website is still to use a robot (a program) to endlessly try different combinations of common passwords on your login page.
Your username/password combination is your first line of defence here; don’t make it an easy door to unlock.
The Solution to WordPress Mistake #3
Use sensibly difficult passwords.
For example, instead of your birthday year and month followed by your cat’s name — “111983fluffy” — take a phrase that means something to you and make a password from it. Taking the first letters of the words in “This is a better password for my site” and substituting some of them with numbers could give you a great password like “T1a8PfmS1te!”
Better yet, use a reliable password manager like LastPass or 1Password.
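The robots the post describes leave a very plain trail in the web server’s access log, so here is the defender’s view of that traffic. This is an added example, not something from the original post: a shell function that counts POST requests to wp-login.php per client IP in Apache/Nginx combined-format log lines and lists the addresses at or above a threshold. The log lines are constructed for the demo (addresses from the documentation ranges) and the threshold of 20 attempts is my own choice, not a figure from the post.

```shell
#!/bin/sh
# Added example (not part of the original post): spot password-guessing robots
# in a web server access log by counting POSTs to wp-login.php per client IP.
# Input format assumed: Apache/Nginx "combined" log lines. The sample lines are
# constructed for this demo; the threshold (20 attempts) is my choice, not a
# value from the post.

set -eu

# login_bursts LOGFILE THRESHOLD -> one line "COUNT IP" per IP whose POSTs to
# wp-login.php meet or exceed THRESHOLD, highest count first.
login_bursts() {
    awk -v limit="$2" '
        # In combined format: $1 = client IP, $6 = "\"METHOD", $7 = request path
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= limit) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log: 203.0.113.7 hammers the login form 25 times in a
# minute, 198.51.100.9 is a real user who mistypes once, plus ordinary page views.
LOG=$(mktemp)
i=0
while [ $i -lt 25 ]; do
    echo "203.0.113.7 - - [10/Jan/2019:03:14:$(printf %02d $((i % 60))) +0000] \"POST /wp-login.php HTTP/1.1\" 200 3421 \"-\" \"Mozilla/5.0\"" >> "$LOG"
    i=$((i + 1))
done
cat >> "$LOG" <<'EOF'
198.51.100.9 - - [10/Jan/2019:08:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2815 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2019:08:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2019:08:07:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2019:08:09:00 +0000] "GET /2019/01/photos/ HTTP/1.1" 200 14021 "-" "Mozilla/5.0"
EOF

echo "Addresses with 20 or more login POSTs:"
login_bursts "$LOG" 20
```

Run it against the real log on a schedule and hand the offending addresses to whatever blocking you already have (a firewall deny list, fail2ban or a login rate-limiting plugin). Two POSTs a few minutes apart is a person who mistyped a password; twenty-five in one minute is never a human typing.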
Poor User Account Management
This mistake is overlooked by most WordPress users.
I come across many sites where every user who has ever had access to the site has been given the role of administrator. Site owners do this so that that person can do what they need to do on the site without bothering the owner.
The potential problems with this are obvious; the more people with full access to the site, the more chances there are of someone making a mistake that affects everyone, including your customers.
Couple that with the fact that most of these people aren’t trained in the underlying technology and you can see the possibilities for disaster here.
- Delete your default administrator account, admin.
- Only give administrator rights to someone who really needs it, then remove it until they need it again.
Not Tidying Up Unused Plugins and Themes
To add new functionality to your site, you’ll probably try a few different plugins until you find one you like. The rejected plugins are usually left lying around, unused. Deactivating a plugin does NOT remove its entries in the database nor does it remove the code used in the plugin files. The same goes for themes.
Even a plugin you aren’t using on your site can be hacked if the hacker knows about some little security flaw in the code. How do they find these flaws? The same way I do: through sites like the WordPress vulnerability database, of course. It will even email an alert when new problems are found!
- If you don’t use it, remove it. It’s very easy to reinstall something later if you really need it.
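The two tidy-up rules above (the administrator list and the unused plugins) are easy to check from WP-CLI output, so here is an audit script as an added example, not from the original post. WP-CLI is a real tool and the two commands named in the comments exist, but running them needs a live site, so the functions take the command output as a file and the demo feeds them constructed sample CSV. The allow-list of permanent administrators and the sample logins and plugin names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two items the post lists,
# administrator sprawl (including the default "admin" login) and plugins that are
# installed but inactive, from WP-CLI output captured with:
#
#   wp user list   --format=csv --fields=user_login,roles      > users.csv
#   wp plugin list --format=csv --fields=name,status,update    > plugins.csv
#
# The CSV samples below are constructed for the demo, not taken from a real site.

set -eu

# excess_admins USERS_CSV [ALLOWED_LOGIN ...]
# Prints every login holding the administrator role that is not in the allow-list,
# i.e. the people who must keep admin rights permanently. Everyone else should,
# as the post says, get the role only while they need it.
excess_admins() {
    csv=$1; shift
    allowed=" ${*:-} "
    # Skip the header; the roles column may list several roles inside quotes.
    tail -n +2 "$csv" | while IFS= read -r line; do
        login=${line%%,*}
        roles=${line#*,}
        case "$roles" in
            *administrator*)
                case "$allowed" in
                    *" $login "*) ;;                 # approved permanent administrator
                    *) printf '%s\n' "$login" ;;     # admin role nobody signed off on
                esac
                ;;
        esac
    done
}

# has_default_admin USERS_CSV -> exit 0 if the default "admin" login still exists
has_default_admin() {
    grep -q '^admin,' "$1"
}

# stale_plugins PLUGINS_CSV -> prints inactive plugins still on disk, marking
# those with an update waiting: inactive code is still reachable and still ages.
stale_plugins() {
    tail -n +2 "$1" | awk -F, '
        $2 == "inactive" {
            if ($3 == "available") print $1, "(update pending)"; else print $1
        }'
}

# Constructed sample output of the two wp commands above.
USERS=$(mktemp); PLUGINS=$(mktemp)
cat > "$USERS" <<'EOF'
user_login,roles
admin,administrator
sean,administrator
designer,administrator
guestblogger,author
EOF
cat > "$PLUGINS" <<'EOF'
name,status,update
akismet,active,none
hello,inactive,none
gallery-trial,inactive,available
EOF

if has_default_admin "$USERS"; then
    echo "Default 'admin' account still exists: delete it (reassign its posts first)."
fi
echo "Administrators outside the allow-list (remove the role until it is needed again):"
excess_admins "$USERS" sean
echo "Inactive plugins still on disk (delete them; reinstall later if needed):"
stale_plugins "$PLUGINS"
```

The allow-list is the point of the exercise: if you cannot name the one or two people who genuinely need permanent administrator rights, the list of admins is already too long.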
Ignoring the hackers
Hacking’s a very real problem, and an ever-increasing one. The more technically inexperienced people who use a popular open source platform like WordPress, the more opportunity for hackers to spread their mischief.
Did you know that most hacking is done by robots mindlessly searching for known security problems in popular software like WordPress? In fact, your website is probably being attacked on a daily basis without you even knowing it. One of my clients recently discovered that 40% of his total site traffic came from automated bots trying to find a way into the site! That’s huge, and it would only have been a matter of time before they found a way in unless precautions were taken.
What to do? Time to panic?
So what can the average non-security expert do to protect his/her WordPress site against all of this craziness going on around them 24 hours a day? It sounds more than a little bit overwhelming.
Well, the precautions covered in each section above, although simple, will go a long way.
But you need to keep doing them. And you need to never stop doing them. It’s tiresome and time-consuming when you’ve a business to run.
One Solution to Rule Them All
My thinking is that you should never even have to think about all of this stuff. Every time I go out for a ride on my motorbike, I don’t worry if the right mixture of fuel and air is being ignited to make the explosions needed to power the bike. Or even if my gearbox is properly connected to my driveshaft. And I shouldn’t. I leave that stuff up to my mechanic who’s trained in it, who I trust and who checks it properly every year.
Each of the above common WordPress mistakes is quite easily avoided. But add them all up along with the other non-trivial tasks of actually running and building your business! It gets to be quite a lot of work, typically a few hours a week.
And that’s just maintaining things that are running normally. If you actually run into a real problem you can add a few more hours or even days onto that. That’s time you aren’t helping your clients.
You’ll also have noticed that there’s no set-it-and-forget-it solution — all of these are ongoing tasks. That’s why, as with other areas in your business like accounting and administration, it makes sense to outsource this technical babysitting.
It’s Not You . . .
I hear it from a lot of people: “If WordPress is so popular and easy to use, why am I having such problems with it? Why is it causing me so much grief and time?”
Well, first, you aren’t stupid. That’s actually the secret common WordPress mistake #4.
It’s true that WordPress dramatically lowers the barrier to setting up a business online. But that ease of use is also part of the reason for the difficulties WordPress causes.
We now have people who are untrained in technology wrestling with software running on systems that are being updated and changing at an ever-increasing pace. How are you supposed to keep up?
My answer to that is simple: you aren’t.
I’d go so far as to say that you have no business trying to.
Of course there are dozens of posts online listing the most common WordPress mistakes, and most likely the above three wouldn’t be in most people’s top three. There are hundreds of trivial little things that you can do wrong!
But I list them because if something goes wrong on your site (e.g. it goes down, it gets hacked, or it just disappears after an update) the consequences of making these above mistakes can be disastrous to your business!
They can mean the difference between being able to fix your problem in half an hour instead of never being able to recover completely. They can mean the difference between your site becoming a porn hub because you were hacked via a simple plugin vulnerability or having a resilient site for years to come.
Now you’re armed with the knowledge, the choice is yours.
Seán O’Connell helps conscious business owners who rely on their WordPress website to avoid technical overwhelm. Find him at wordpressforgood.com