Just last week, my good friend Callahan, who is a therapist and an artist with three WordPress websites, called to tell me that her three sites had been hacked. Callahan has been diligent about going in regularly to back up and update her websites, but she said she kept seeing a notice “Tim Thumb is out of date”. Seeing no way to update TimThumb, Callahan assumed that she didn’t need to bother with it.
Uh oh. She was wrong. TimThumb, a code library regularly built into gallery plugins, isn’t used any longer since it was found to be vulnerable to hackers. So, not following up on the warning on her site, and leaving the TimThumb code there, could have been the way the hackers got into her sites.
Or, maybe they got in by another sneaky way. Bluehost told Callahan that she actually had four sites on her account. One was a test site that wasn’t live, so Callahan wasn’t backing that site up. The hackers could have easily gotten into the site that wasn’t being maintained and then hopped right over to infect all of the sites on her account.
How it happened was the least of her worries at this point. Callahan was distraught when Bluehost took her sites down and told her they would clean the sites and restore them for $200 each. This is when she called me in a panic.
Since Callahan had been doing backups and hadn’t been adding anything to the sites lately, her three sites could be restored from backup files created prior to them being infected with malware. So, the story ended happily, with Callahan’s three websites safe and sound, and the test site has been removed from her account.
Taking Care of a WordPress Website
When you’re responsible for the health and well-being of a WordPress site, here are the steps to take that will help you to protect it and to have it function at its best.
The cornerstone of maintaining a WordPress site is to have and follow a systematic process for creating full backups of your website, which include both the files and the database. And, as you heard in Callahan’s case, if you have more than one WordPress site on a hosting account, all of the sites need to be maintained in order for them to be safe. These backups are good insurance: they let you restore your websites to a point before any type of problem happened.
How often you need to do the backups depends in part on how often the site content is updated. The more frequently updates or changes are made to a site, the more frequently that site needs to be backed up.
A good rule of thumb is to back up a site that’s infrequently updated on a monthly basis, at a minimum. Then keep at least 3 months of backups in a file on your computer, or on an inexpensive Amazon S3 file hosting account.
It’s never a good practice to store your site backups on your web hosting account. If the website goes down or gets hacked, anything on the server with your website is also likely to be compromised.
Another problem with storing backups on your hosting account is that complete backups bloat the account with extra files, and the accumulation of large backup files can cause your site backups to fail.
If your web host offers free or inexpensive pro-level backup services, go ahead and sign up for them. There is much peace of mind in knowing you have a readily accessible backup that can be easily restored should something go wrong. The backups done by the hosting company are not typically stored on your account, so they won’t add to your site’s file size. Continue to do your own backups to protect against the possibility that there may be a failure with your web host.
We recommend using one of the backup methods below that can be set to automatically create and save your backups on a regular schedule:
Once you have a backup in place, you can update any WordPress versions, themes or plugins that show updates are available. To check for available updates, navigate to your WordPress dashboard and, at the top left of the admin bar, under Home, select Updates. If anything needs to be updated, you can choose to do the updates right there. Otherwise, you can do the updates from the Plugins or Themes pages when you see that anything is out of date.
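Callahan’s story had two blind spots the dashboard did not help with: a TimThumb copy with no update button, and a fourth install nobody was looking after. The Python script below is an added example, not part of the original article: run it over a copy of the hosting account’s files (or over SSH on the host) to list every WordPress install with its version and any TimThumb copies inside it. The function names, the file names `timthumb.php` and `thumb.php`, and the “TimThumb” text match are assumptions of this example.

```python
"""List every WordPress install under a hosting account and flag TimThumb copies."""
import os
import re
import sys

WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# Assumption: bundled copies keep the usual file names and mention "TimThumb"
# in their source; a renamed or stripped copy would need a broader search.
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

def read_wp_version(version_file):
    with open(version_file, errors="replace") as fh:
        match = WP_VERSION_RE.search(fh.read())
    return match.group(1) if match else "unknown"

def looks_like_timthumb(path):
    with open(path, "rb") as fh:
        return b"timthumb" in fh.read(65536).lower()

def scan_account(root):
    """Return (installs, orphans): installs maps each install directory to its
    WordPress version and TimThumb copies; orphans are copies outside any install."""
    installs, hits, orphans = {}, [], []
    for dirpath, _dirs, files in os.walk(root):
        version_file = os.path.join(dirpath, "wp-includes", "version.php")
        if os.path.isfile(version_file):
            installs[dirpath] = {"version": read_wp_version(version_file), "timthumb": []}
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in TIMTHUMB_NAMES and looks_like_timthumb(path):
                hits.append(path)
    for path in hits:
        # A test site often lives in a subfolder of the main site, so credit
        # each hit to the deepest install that contains it.
        owners = [d for d in installs if path.startswith(d + os.sep)]
        if owners:
            owner = max(owners, key=len)
            installs[owner]["timthumb"].append(os.path.relpath(path, owner))
        else:
            orphans.append(path)
    return installs, orphans

if __name__ == "__main__":
    found, stray = scan_account(sys.argv[1] if len(sys.argv) > 1 else ".")
    for site, info in sorted(found.items()):
        print(f"{site}  WordPress {info['version']}  TimThumb copies: {info['timthumb'] or 'none'}")
    for path in stray:
        print(f"TimThumb copy outside any install: {path}")
```

Any install on the list that you did not expect, or that you are not backing up and updating, is a candidate for removal, as Callahan’s test site was.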
Protection and Cleanup from Hacking
Hopefully, by backing up and updating your sites, you will be protected, but if your site has already been hacked, there are two main options to deal with the problem. The first and easiest way to get the site cleaned and back in business is to restore a backup taken from a date before it was infected with the malware.
If restoring a backup isn’t an option for you, Sucuri can remove the malware and then continue to scan and protect the site for a year for $199. I hope you don’t have to call them with an emergency, but they are a company you can trust.
Thankfully, Callahan had been doing the right thing by backing up her sites. By restoring her three backups she was able to save herself a pile of money.