Preparing For Utter Interwebs Disaster
Welcome to Day 5 of Reboot Your Blog!
Just about 18 months ago, we moved from the middle-of-nowhere in the California foothills (Georgetown, to be exact) back to the San Francisco Bay Area. Up there, we’d regularly get storms that knocked down trees and power lines and because we lived in a town of only 900 people, we were usually the last place PG&E came to fix.
It wasn’t unusual after a typical winter storm to have us lose electricity (and therefore water too, as water came from a well driven by an electric pump) for 48 hours at a time, and one (horrible!) storm left us without power and water for 6 1/2 days.
My old office “in town,” during a 24 hour outage (and Rory, then 7)
We wouldn’t be in bad shape though – we had a small generator that would power a room or two in the house so I could get online or the kids could watch TV for a little while. We had a woodstove to heat the house so we were toasty warm despite the temperature being well below freezing outside. My truck had 4 wheel drive and we were easily able to plow out of the 2-3 feet of snow in our driveway to head into town (which usually didn’t have power either!).
But it took us about 2 years to get to that point.
During the first big storm, when we lost power for the first time, we realized we didn’t have water only after letting a sink run and run until the spigot coughed dust. That’s when we (city slickers) realized that without electricity, we had no well pump. Without a well pump, we had no water. And without water, you can’t flush the toilets…
We made lots of mistakes as we learned to live in that remote environment. But eventually, we learned how to prepare for the storms ahead of time.
And I got to thinking about how much this storm and power outage dovetails with today’s Reboot Your Blog post – it’s all about being prepared.
DAY 05 OBJECTIVE
Prepare your sites for disaster!
DAY 05 ASSIGNMENT
Anything can happen. Murphy’s law says that if you’re well prepared, nothing will happen. If you’re not prepared, every calamity imaginable will strike!
Today we’ll safeguard our sites for whatever fiasco the interwebs throws at us.
Backup Your Sites
Your web host might be performing some sort of regular backups of your sites.
Hostgator’s shared hosting performs an automatic backup every Sunday night, and they archive those backups for at least a week. If your site goes down in flames on the 6th day, you’ll lose 6 days of work. That might not be a big deal if you only made one post during that time, but why chance it?
I use Rackspace’s Cloud Sites hosting, and I don’t depend on them a lick for my own backups (although they may provide them).
Fortunately, like most things, if you’re running WordPress then automatic backups are pretty simple.
Use the WP DBManager plugin to automatically back up your core WordPress database information (like your posts!) and email the backups to you each night. (Have these emails sent to an address that is NOT on the same server as your site – perhaps a Gmail account). Take a peek at my settings for these automatic, emailed backups:
The thing that’s nice about WP DBManager is that it’ll also allow you to automatically repair or optimize your database, just like you can automatically run backups. Plus, you can run SQL queries and empty/drop tables from its interface, instead of having to log in to phpMyAdmin.
Maintain Security
Most shared hosting and VPS’s are pre-configured with the most common and effective security options. If you have any doubts or concerns, you should get in touch with your hosting provider.
Some VPS’s and dedicated servers are given to you pretty much out-of-the-box. If you find out from your host that this is the case with your server, and that additional security measures should be configured by you, it may be in your best interest to hire a security expert at Odesk to “harden” your server. With a managed hosting solution, like the Cloud Sites product I use, you don’t have to worry about this stuff.
With WordPress, there are some modifications in the way of plugins that you can use to ensure your WordPress installation itself, not just your server, is safe.
[box type="alert" border="full"]WordPress is a common target of hackers because it’s so widely used. It’s in your best interest to take a couple of extra steps to ensure your installation is safe.[/box]
First, you’ll want to run the most current version of WordPress. Each new version includes numerous security and bug fixes, so staying on the most recent version protects you. (We discussed this at length during Day 4 of Reboot Your Blog.)
COMMENT SPAM
The Akismet plugin can help protect your blog from comment spam – use it if you’re having a problem in that department. If your niche isn’t personal or embarrassing and your audience is technically savvy or comfortable, you might be able to use Facebook comments, like I am here. This eliminates the need for moderation almost completely – no one wants to leave douchey comments linking back to their Facebook page! The plugin I’m using is Facebook Comments For WordPress.
HACKERS
Also you’ll want to install Secure WordPress and WP Security Scan. Secure WordPress removes some vulnerabilities from your installation automatically, while WP Security Scan checks your site for security holes and makes suggestions for how to fix them. Both are invaluable.
Other scripts you may be running on your server (like vBulletin) could have additional updates or plugins to enhance out-of-the-box security. Ensure you’re running the latest versions of any additional scripts you’re running on your server, as well as any well-regarded security enhancements that may be available for them.
Maintain Usability
CACHING
Not quite an “utter interwebs disaster,” but a whole buncha traffic all at once can bring your site to its knees if it’s too much for your server to handle. You’ll see these problems sometimes when sites hit the #1 position on places like Reddit or during product launches. When Daring Fireball links to a site and it crashes, it’s said that the site is “Fireballed”. There’s simply too much traffic hitting the site all at once, and it fails.
Even if you don’t anticipate this kind of server crashing traffic, the measures below will help your site perform faster and decrease page load times, which your visitors notice and love.
Site speed – or how long it takes your pages to load – is also a ranking factor. This means that a slow site isn’t just a bummer for your visitors, it’ll get in the way of your rankings now too!
No matter what your site is running (PHP, plain old HTML, or a script like WordPress), ensure that any videos you display for your users are NOT served from your own site. Instead, use a third party video hosting service, like YouTube, or a third party storage service, like Amazon S3, to store and stream your videos. You’ll cut down on the bandwidth your users consume, prevent server overload, and 99% of the time a video from one of these services will load faster than one loaded from your own server.
If your site is very heavy on images (like a photo gallery) you can use a service like Flickr to host and display your images.
Images used for your site design (like headers) can be stored at Amazon S3 and loaded much faster.
WordPress users can also install WP Super Cache or W3 Total Cache (my preference). Caching plugins generate static HTML files from your dynamic WordPress blog. The end result is that your site will load faster and not suffer from server meltdown should a large number of visitors hit it all at once.
BROKEN LINKS
Now is also the time to check your sites for broken links. Check your main navigation bars, sidebars, footer links, etc. to ensure all your links are still active and directing to the proper place.
WordPress Broken Link Checker will do this for you automatically, scanning your WordPress posts, pages, blogroll and images and notifying you of any broken links.
[hr]
By the end of today, you will have:
[unordered_list style="tick"]
- Configured and begun an automatic backup plan with WP DBManager
- Planned for comment spam and how you’ll moderate it (Akismet) or avoid it (Facebook comments)
- Installed Secure WordPress and WP Security Scan to check for security flaws in your sites
- Begun using a caching plugin to speed up your sites
- Activated the Broken Link Checker plugin and fixed or unlinked any broken links in your site
[/unordered_list]
Today’s measures will increase the overall security of your server and sites, and should there be a failure somewhere along the line, you’ll have backups to fall back on.
Join us tomorrow for another Reboot Your Blog post, and let me know how you’re doing so far in the comments!






I SO badly need help with backing up WordPress sites to be able to as quickly and easily recover from a site hack or other web disasters.
And, I’ve been working on this for some time now with mixed results – I’m so close but not there yet, please help! – here’s what I’ve got.
DESIRED OUTCOME: the ability to quickly, manually, backup my database file and key WordPress files and be able to restore the site manually as streamlined as possible.
HERE’S WHAT I’VE GOT:
TO BACKUP:
1. FTP download the wp-content file to desktop (or wherever desired).
2. In Bluehost (my hosting company) from the cPanel use phpmyadmin and export the desired wordpress database (.sql) file to desktop.
TO RESTORE:
1. Reinstall WordPress.
2. FTP upload the wp-content file (restores the theme, plugins, etc.)
3. In Bluehost, import the .sql file
So, I took a domain with a wordpress install with a few test posts – nothing important – and tested the procedure.
It’s step 3 in the RESTORE that’s killing me: I couldn’t get the .sql file to import….
Bluehost helped to where I could get it to import – they modified the file so I could upload, but I’m not confident I can modify .sql files properly (I’m not that geeky).
Even after the successful .sql file import, the content of the WordPress site was NOT restored!
I recontacted Bluehost, but their answer is a little too geeky for me to understand…
Can anyone give me a step-by-step procedure to achieve proper backup and restore without going all geeky on me?
It seems like it’s just getting the database file (.sql) to properly get to where it needs to be that I need – and this is critical since that file would contain all the content of posts and pages, correct?
Thanks!
David
@David – My host does that kind of thing for me (restoring backups) should I need it.
When I did that a short while ago, the backup did not connect my sql to a user and password. So I had to look at the wp-config.php file in file manager and see what the name and password should be.
Then I created that user and password in my sql setup. This may be what is happening to you.
Michelle:
This is a great series! Thanks for offering it to us.
BTW, I’m sorry to hear of your power outage. By sheer coincidence, 10 minutes before reading your post, I received a call from my mother who tells me that her power has been out since Sunday night. She lives in Rescue, CA (outside of Placerville) which, by the looks of your photo, isn’t too far from where you live.
Hope your power comes back on soon. You’re right: preparation is the key!
Thanks again,
Scott
@Scott – Rescue is about 25 minutes below us – we’re in Georgetown. Our power came back about 11pm last night – hoping your mom’s comes back ASAP!
Thank you for these helpful tips and tools. I’ve implemented all as per your well laid out instructions. Look forward to tomorrow’s lesson.
PS: Pleased to hear your power is back on!
@Michelle – you’re right, so does my hosting service, but they tell me they’ll take days to restore the site. That makes me nervous, if I had a money-making site, I wouldn’t want it down for days… I should get a hostgator account like you have in addition to my bluehost account…
Anyway, I spent all day on this, and I tested and retested and re-retested until I was able to expediently – and confidently – restore a destroyed WordPress site.
For those who may care to benefit from my full days’ work, here’s the step-by-step procedure I came up with.
Best,
David
PS: yes, I’m the “raising penguins” guy… ;-D
———–
BACK UP PROCEDURE:
1. Install wp-dbmanager plugin and configure; you will have to move and rename a file htaccess.txt to .htaccess, a nag screen in WordPress will tell you exactly what to do.
2. Create a backup of the .sql database using this plugin (it’s all pretty self-explanatory in the plugin – after install look below “settings” for a new DATABASE option to click on – it’s the second option, “BACKUP DB” > scroll to the bottom and click on the BACKUP button).
3. Now go to the next option under that one you just used, it’s labeled “MANAGE BACKUP DB”, and download the backup you just created by selecting the radio button, and then clicking DOWNLOAD; save it somewhere you’ll remember and find easily.
4. Using FTP client of choice, download your wp-content folder somewhere you’ll remember and find easily.
RESTORE PROCEDURE IN CASE OF HACKING ETC.
1. At your hosting cPanel, do an uninstall of the WordPress install for that domain (in Bluehost, it’s in the Simple Scripts area > My Installs).
2. In FTP client delete all files in the domain’s root directory folder, and as for a totally clean start, also delete the actual domain root directory folder; this may have to be done in your hosting service’s FTP client under the public_html.
3. Make a fresh domain root directory folder for the site in public_html.
4. Install WordPress via hosting service cPanel.
5. Then in “my installs” under Simple Scripts, click on “Advanced” to see the file path (that “file path” terminology may not be spot on, but for example, it will tell you the WordPress install “number” – such as “something_wrd6” or “something_wp04”).
6. At cPanel, choose “phpmyadmin” > choose the “something_wp#” (what you found in step 5) – it will appear on the left – BE SURE TO CHOOSE THE RIGHT ONE!
7. Near the top click on the IMPORT tab/link > use browse button to locate the .sql file you created and backed up using the WordPress DB backup plugin > then click the GO button at the bottom right.
RESULT:
This restores your WordPress website to its previous condition, with all settings, posts, categories, comments etc. in place. Now you can go to your backup file wp-content and FTP upload desired themes, plugins, etc.
IMPORTANT NOTE:
After you import your .sql file, you will NOT login to your site http://www.yoursite.com/wp-admin with the new password provided in your fresh Simple Scripts install – you will login with the password you always used, or at least the one you used when you created the backup of your .sql file.
ALSO IMPORTANT:
The order in which you restore is pretty critical; e.g., you CAN’T install new WordPress version, log into your WordPress dashboard, and then import your .sql file.
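A pre-import check for the restore procedure above and for the wp-config.php mismatch described earlier in the thread, as an added example that is not part of the original comments: it compares the database name, database user and table prefix in wp-config.php with what the .sql dump contains. The sample config, the dump and names such as example_wp04 are constructed, and the function names are hypothetical.

```python
import re

# Core WordPress tables, named without the table prefix.
CORE_TABLES = ("posts", "options", "users", "comments")

def read_wp_config(text):
    """Extract DB_NAME, DB_USER and $table_prefix from wp-config.php source."""
    cfg = {}
    for key in ("DB_NAME", "DB_USER"):
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*['\"]([^'\"]*)['\"]" % key, text)
        cfg[key] = m.group(1) if m else None
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    cfg["prefix"] = m.group(1) if m else "wp_"  # WordPress default prefix
    return cfg

def tables_in_dump(sql):
    """Names of the tables a .sql dump creates."""
    return set(re.findall(r"CREATE TABLE(?: IF NOT EXISTS)?\s+`?(\w+)`?", sql, re.I))

def check_restore(config_text, sql, target_db, db_users):
    """Return reasons an imported dump would not appear on the restored site.

    target_db: database selected in phpMyAdmin for the import.
    db_users:  MySQL users the host shows as assigned to that database.
    """
    cfg = read_wp_config(config_text)
    prefix = cfg["prefix"]
    problems = []
    if cfg["DB_NAME"] != target_db:
        problems.append("wp-config.php reads %r, import goes to %r"
                        % (cfg["DB_NAME"], target_db))
    if cfg["DB_USER"] not in db_users:
        problems.append("database user %r is not set up on %r"
                        % (cfg["DB_USER"], target_db))
    found = tables_in_dump(sql)
    missing = [prefix + t for t in CORE_TABLES if prefix + t not in found]
    if missing:
        problems.append("dump has no %s" % ", ".join(missing))
    if not re.search(r"INSERT INTO\s+`?%sposts`?" % re.escape(prefix), sql, re.I):
        problems.append("dump holds no rows for %sposts" % prefix)
    return problems

# Constructed sample input: not taken from a real site.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_wp04');
define('DB_USER', 'example_user');
$table_prefix = 'wp_';
"""

def make_dump(prefix):
    """Build a tiny constructed dump using the given table prefix."""
    lines = ["CREATE TABLE `%s%s` (id INT);" % (prefix, t) for t in CORE_TABLES]
    lines.append("INSERT INTO `%sposts` VALUES (1);" % prefix)
    return "\n".join(lines)

if __name__ == "__main__":
    for label, dump, db in (("matching", make_dump("wp_"), "example_wp04"),
                            ("other prefix", make_dump("blog_"), "example_wp04"),
                            ("wrong database", make_dump("wp_"), "example_wrd6")):
        print(label, check_restore(SAMPLE_CONFIG, dump, db, {"example_user"}))
```

An empty list means the dump, the target database and wp-config.php agree; each entry otherwise names one mismatch to fix before clicking GO on the import.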
Love the view. It looks peaceful. Too humid over here in mid Texas.
I am on your list following your 31day makeover, and THANK YOU for posting these articles.
Another good thing to do is changing the current “WP Prefix Table” to prevent sql injection attempts.
After viewing an exhausting tutorial through google, I was finally able to get it done correctly through my scary host gator PHPadmin. I know squat about wordpress, so I feel pretty good now.
Oh, and Login Lockdown to prevent brute force attempts by lame people with nothing to do.
http://wordpress.org/extend/plugins/login-lockdown/
I hope you don’t mind me posting all this Michelle, it’s fresh in my head right now…
With the trouble I have been having lately with wordpress plugins and now to hear about how prepared you have to be in the event of a server failure I am beginning to wonder if it is all worth the while to market on the internet.
Between trying to figure how the internet works and just to find out now it is changing again to figuring how to get plugins to work on my blog and finally to create my own website I have wasted 2 years yes that is right 2 bloody years. I guess that is the route you have to take when you are living on close to street wages.
So I guess I have some soul searching to do and make which may be some new decision on marketing.
Kenneth
Thanks Michelle, excellent advice (especially for new blogger!)
I’d say that this is more than great advice, Dinus. I had two “power seo blogs” that used to get me top rankings for almost any keyword in Google in just hours. I built hundreds of backlinks to these blogs since 2006… and the two got hacked!
And poor me without backups to reinstall them.
Anyway, I started over, and my new blogs are pretty powerful now. But today, I receive backups directly in my inbox. There is a plugin to do this.
Thank you.
Franck
the Body Guard marketer
@ Mike: I spent well over full 2 very frustrating days working and working until I got to the point where I could backup and restore a WordPress site confidently, and I detailed those steps right here on this blog – would you care to email me (or post here) the step-by-step of how to “change the current “WP Prefix Table” to prevent sql injection attempts” – I’d really appreciate it – my email is davidportney@gmail.com.
@ Kenneth Young: there’s no doubt that there’s a huge mountain (@michelle – you’re welcome!) to climb when it comes to internet marketing, and so far, frankly, Michelle is the one I’ve found who dishes out the content that’s actually straight to the point, all meat and no fluff. Yes, there’s a LOT to know, and things change – and you’re right that you’ll have to decide if this whole internet marketing thing is for you. Although the learning curve can be steep and there’s many things to know if you do it all yourself as I do (I don’t outsource… YET!) but if overall you enjoy it despite the many frustrations and road blocks that you encounter, then you’re on the right track. Learning to play guitar is very frustrating too, and there’s never a “real end” to learning and developing, but if you quit, you’ll never reap the benefits; playing guitar is fun!–and internet marketing can be too. One more thing: I’ve spent waaay more time and money than you have and not achieved a livable income from it, but I’m keeping at it; you’ll have to decide for yourself if you can stick it out and keep going. Personally, I wouldn’t advise trying to make a living at IM as your sole option for income (that’s just MY opinion!-after all, you may do better than I do and make a lot of money soon). Okay, that’s enough from me!
David
WHEW! You’ve had me busy checking to see if all that is done! One question; I installed the WP DBManager plugin (I had another one installed) but it’s returning an error message telling me that my backup could be public and to move a file from here to there… for the life of me I cannot find that file in my Hostgator file manager! Grrrrrr Any ideas?
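The WP DBManager warning asked about above concerns backup files that the web server would hand to anyone who requests them. As an added example (not from the plugin or the original thread), this sketch walks a site folder and lists backup files not covered by a deny-all .htaccess; the folder name backups, the extension list and the Apache-with-.htaccess setup are assumptions of the example.

```python
import os
import re
import tempfile

BACKUP_EXT = (".sql", ".sql.gz", ".zip", ".tar.gz")
# Apache 2.2 ("deny from all") and 2.4 ("Require all denied") spellings.
DENY_ALL = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                      re.I | re.M)

def exposed_backups(web_root):
    """List backup files under web_root that no deny-all .htaccess covers.

    Heuristic: any deny-all line in a folder's .htaccess is taken to cover
    that folder and everything below it. Assumes Apache with .htaccess enabled.
    """
    web_root = os.path.abspath(web_root)
    protected = set()
    exposed = []
    for folder, _dirs, files in os.walk(web_root):  # top-down: parents first
        covered = os.path.dirname(folder) in protected
        rules = os.path.join(folder, ".htaccess")
        if not covered and os.path.isfile(rules):
            with open(rules, encoding="utf-8", errors="replace") as fh:
                covered = bool(DENY_ALL.search(fh.read()))
        if covered:
            protected.add(folder)
            continue
        for name in files:
            if name.lower().endswith(BACKUP_EXT):
                exposed.append(os.path.relpath(os.path.join(folder, name), web_root))
    return sorted(exposed)

def demo():
    """Constructed layout: a backup folder before and after the rename."""
    with tempfile.TemporaryDirectory() as root:
        backups = os.path.join(root, "backups")  # hypothetical folder name
        os.makedirs(backups)
        with open(os.path.join(backups, "site.sql"), "w") as fh:
            fh.write("-- constructed dump\n")
        with open(os.path.join(backups, "htaccess.txt"), "w") as fh:
            fh.write("deny from all\n")
        before = exposed_backups(root)
        os.rename(os.path.join(backups, "htaccess.txt"),
                  os.path.join(backups, ".htaccess"))
        after = exposed_backups(root)
    return before, after

if __name__ == "__main__":
    print(demo())
```

A file still named htaccess.txt has no effect on Apache, which is why the dump is reported as exposed until the move-and-rename step from the backup procedure has been done.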
Thanks for the tip on the Broken Link Checker. I was amazed how many broken links it found. As a site gets older it’s easy to forget that you need to keep on top of older posts too.
Agree with Marc, the BLC tip is invaluable. It found an embarrassing number of defective links on my site.
Thanks for all these great tips. Site security is always evolving and keeping up can be draining. Nice to know there are effective tools for it.
Hello Michelle,
If you don’t mind, I’d like to chime in here with a couple of additional suggestions:
1) For backups, consider using XCloner which is a WordPress plug-in that not only backs up the WordPress database, but also the entire WordPress installation – all of the files, plug-ins, and your theme. To use this plug-in, search for XCloner in the WordPress plug-in directory, and install as you would any other plug-in. You will need to manually create a folder within your WordPress folder called “administrator” and another folder inside that one, called “backups.” This is an awesome, free alternative to another popular paid plug-in called BackupBuddy.
2) Another plug-in I recently discovered is a great addition to the arsenal of tools we need to avoid the ravages of hackers. It’s called “Bad Behavior,” and once again you can find it by searching the WordPress plug-in directory. This plug-in uses several ninja tricks to determine whether or not a visitor to your site is a bot. A good deal of comment spam and denial of service attacks originate from bots, and this plug-in can literally stop them before they even load your website or query the WordPress database. Although you still need additional spam controls for the occasional comment spam that might squeak through, I personally have seen comment spam drop to inconsequential levels after loading this plug-in, AND the plug-in author notes that this plug-in may be instrumental in significantly reducing the traffic load on your Web server, possibly avoiding bandwidth throttling or out right account suspension in cases where malware traffic to your site comes to the attention of your web host.
3) A third alternative to WordPress caching plug-ins is “Quick Cache.” There are but a few worthwhile caching plug-ins for WordPress, and you’ve already mentioned the first two. Quick Cache is the caching plug-in I settled on because, even though I am a web developer, the blizzard of options provided by other caching programs just leaves me scratching my head. Quick Cache simply installs, and although you may have to turn it on, beyond that you really don’t have to do anything else. It is running fine on my sites, and has not interfered with any administrative or development task.
I hope I have not overstepped my bounds in making these additional suggestions.
I’m still stuck back on ‘Cull the Herd’!! HELP! Too many I want to keep and not much difference amongst them re traffic or money making. Most of my sites have not been focussed on money making yet. Too many “yellow” sites. Not sure what to do??