
Tag: security

Versioned Backups – A form of Insurance

What are version backups and why should your online business care?

Allow me to share a story with you. One morning I got a call from a client of mine. A website they were maintaining had been hacked. The service they were providing was not working anymore and they were losing the trust of their customers. They were asking me to fix it for them.

Fixing a hacked website is very difficult and time-consuming and it can mean a lot of downtime. The better option was to restore the site to a previous state when everything was working.

Thankfully this client understood the value of backups so he had one. Took me an hour to restore the backup. And when we checked the site…

Surprise!

It was still looking bad and the browser was still issuing security complaints. Ouch!!

It became clear that the hack had happened more than a week ago, so restoring the most recent backup did us no good.

And here come the versioned backups. Which is a fancy name for backups that go back in time. You don’t have only the latest backups, you have a daily backup for the last 30 days or a weekly backup for the last 10 weeks.

Because we had those I was able to discover when the hack took place and restore the backup before this. Another 2 hours spent, but now the website was working again.

After one more hour, I discovered that one of the plugins installed had a security flaw that had been exploited. I had to disable and delete that plugin or the site would have been hacked again shortly.

Versioned backups are snapshots of your website across time where you keep more than just the last one.

As you can see, this allows you to reach back in time to when “things were working” and restore your data in case of trouble, even if you discover the issue a few days after the fact.

Why should your online business care about versioned backups?

If your website is mostly static and you don’t offer any services online then you don’t need versioned backups. Just an old backup from last year will do the job.

But let’s be honest. Most websites are in fact web-applications. Meaning they are not just static pages. There is content that is updated, products that are promoted, customer lists, fulfilled orders, and invoices. And if you are doing well, these get updated at least once a day. So a backup from last year will help, but you will still lose a lot of your data.

Depending on how you run your online business and the amount of online activity, you will have to decide how often to back up and for how long to keep a backup history.

In my experience so far, with small and medium-sized businesses, doing weekly backups and keeping only the last 4 works very well. This means that in the worst-case scenario you can go back a month, and in the best-case scenario you lose a week of your data: new posts, customers and sales.

But I am paranoid and what I usually do is daily backups that I keep for 2 or 3 months.

Lots of backups and a long history sounds good and reassuring. But there is a cost to that in time and resources. Your server needs to work (sometimes hard) to generate the backup, and then you need the storage space to keep all that history. That is why you need to strike a balance between your real business needs and your peace of mind.
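The retention trade-off and the "restore the backup from before the hack" step can be sketched in code. This is an added example, not code from the original post: the function names, the combination of a daily tier with a weekly tier, and the sample dates are all assumptions made for illustration.

```python
from datetime import date, timedelta

def backups_to_keep(backup_dates, today, daily_days=30, weekly_weeks=10):
    """Return the set of backup dates a tiered retention policy keeps.

    Every backup younger than `daily_days` is kept; beyond that, one backup
    per ISO week is kept until `weekly_weeks` weeks of age. The newest
    backup is always kept. Everything else can be pruned.
    """
    keep, weekly = set(), {}
    for d in sorted(backup_dates):
        age = (today - d).days
        if age < daily_days:
            keep.add(d)
        elif age < weekly_weeks * 7:
            # On sorted input, setdefault keeps the earliest backup of each
            # ISO week, so the choice is stable as newer backups arrive.
            weekly.setdefault(tuple(d.isocalendar())[:2], d)
    keep.update(weekly.values())
    if backup_dates:
        keep.add(max(backup_dates))
    return keep

def restore_point(backup_dates, compromised_on):
    """Newest backup taken strictly before the estimated compromise date."""
    clean = [d for d in backup_dates if d < compromised_on]
    return max(clean) if clean else None

# Constructed sample data: one backup per day for 90 days, with the
# compromise estimated at 9 days before "today".
TODAY = date(2024, 3, 31)
ALL_BACKUPS = [TODAY - timedelta(days=i) for i in range(90)]
COMPROMISED_ON = TODAY - timedelta(days=9)

if __name__ == "__main__":
    kept = backups_to_keep(ALL_BACKUPS, TODAY)
    print("backups kept:", len(kept))
    # Keeping only the latest backup leaves nothing older than the hack.
    print("latest-only restore point:", restore_point([TODAY], COMPROMISED_ON))
    print("versioned restore point:", restore_point(kept, COMPROMISED_ON))
```

The compromise date is an estimate, so in practice it is worth restoring one backup earlier than the computed point if there is any doubt about when the first malicious change landed.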

The Take-Away

Versioned backups are a good form of insurance because sometimes the ‘latest backup’ is just as bad as the live website.

Website maintenance for WordPress

Gone are the days when you would set up your web pages and you would be done for the next 10 years or so. In today’s world, most websites require some sort of maintenance work and that is especially true for WordPress.

Why is maintenance important?

The number one reason is security. Your site is not alone. It exists in an ecosystem and it is connected with many other systems for it to work and do its job. All of this is in a continuous state of change. Change means that potentially new software problems are introduced that could affect your site. This change also means that new security exploits are discovered that could make your site vulnerable.

Unless you are a security expert and keeping on top of web security issues is your job, it is a daunting task to keep up with all this change. I get it. But that is no reason to just give up on it entirely.

At the very least keep your website components updated (core and plugins) and have good backups in place.

The second reason is to continue to be relevant. As the services and business around you evolve, your website needs to evolve to keep up or even to lead the way. So maintenance, in this case, can go from simple website updates to constant incremental improvements so that your users’ experience gets better and better. The most common issue here is that integration points with other services change and without a maintenance plan in place, your site would just stop working at some point.

The third reason is to make sure your website is still functioning properly. You don’t want to hear from your customers that your store is not working. How many sales did you lose before someone took the time to contact you? You don’t want to wait months to discover your most valuable page is broken and so Google dropped it from the search index. The solution here is to have a test plan in place. Once a week you could check your home page, your purchase process, and the signup process and make sure they work. For bigger businesses, an automated test plan may be a better solution.

The Cost of Website maintenance

There is a cost for maintenance. That is time if you need to do it yourself, or money, if you need to hire someone to do it for you.

Instead of thinking just in terms of costs and maybe deciding not to do it, ask yourself how much it would cost you in the long run *not* to maintain your website. In that sense, maintenance is a form of insurance that you pay for your peace of mind. It can also be an investment that you make in your business growth.

How to do it?

At the most basic level, you need to keep your software updated. For WordPress, that means updating to the latest stable version, and also updating your plugins. It also means that you delete (not just deactivate) old plugins that you no longer use.

A more intermediate level would also include some database operations to keep the database lean, optimized and fast.

For more advanced users you may have to hire someone to do this for you constantly: monitor the uptime, make sure that the core business processes are still functioning, check the integration points and update the software as required, optimize for performance and so on.

The Take-Away

Don’t ignore maintenance. When you build a new website make sure you include a budget for it and that you also discuss it with your developer. And if you already have a website, you should also have a maintenance plan in place.

Do you have any “lessons learned” the hard way? I’d love to hear about them in the comments below.