Ask any of my blog coaching clients: I am CRAZY about blog security and backups. I won’t touch a line of code, update a plugin, make any structural changes to their sites or even log in as a user unless they assure me that they are fully backed up — database and files — and have access to their website files in case of disaster.
It’s not that I think I would ever knowingly cause problems. I have broken my own websites more times than I can count, and because of that, I can fix just about anything. Update a plugin and get a white screen of death? Log into cPanel and deactivate the broken file. Add a stray tag to a stylesheet and lose all access to the website? Log into cPanel and upload a clean copy of the CSS file. You name it, I can basically navigate a fix.
Even so, I pay — and happily so — for backups on almost all of my personal websites. The idea of losing more than seven years of blogging work, including sites that bring in revenue, is just too scary. And the idea of losing years of blogging work for someone else is downright terrifying.
And I’ve never been more thankful for these backups than when hackers in Turkey broke into my hosting account and deleted all of my files.
How to Back Up and Restore Your Blogs if You Get Hacked
KatyWidrick.com. BugChild.com. MakeMediaOver.com. StarStrukByLife.com (my mom’s website, which I host and maintain for her). NightHops.com (my husband’s former beer blog, which has not been updated for years but was left up for the archives).
Five websites. Gone in about five seconds.
All deleted and replaced by the hacker with a new domain, new files, redirection from all of my websites to their bogus e-commerce website, a new FTP account, etc. Essentially, the hacker took over my account and wiped out all of my work and replaced it with his/hers.
It was devastating. My first step was to ask my host — HostGator — for help, but that led to several dead ends. Various customer service agents pointed me toward tutorials that would help me delete the hacker’s work, change my password and re-install WordPress but didn’t have much additional advice on ensuring that a future hack wouldn’t happen.
In addition, their courtesy backups, which were supposed to happen weekly, had NOT happened because I didn’t have enough disk space on my account. I’d never been notified about this, so I had no idea that for months, these backups had failed.
Thankfully, I’ve been backing up KW, BC and SS via VaultPress for years. VaultPress, which I pay full price for and get nothing for recommending, is a plugin that you install on your website and for $5-15/month/site, get either daily or keystroke backups for everything on your blog (the database, which includes posts, pages, etc. and the files, which include uploaded images, plugins, themes, etc.).
VaultPress has a one-click restore button, which means that as long as you’ve connected your site via FTP, SSH or other options, you can immediately put your site or sites back together.
So, to get my three main sites back online, I had to:
- Delete all traces of the hacker — change my hosting password, delete his files, delete his FTP accounts, etc. and remove all redirection so that instead of my sites pointing toward the bogus site, they instead led to parked domain messages.
- Recreate my account, with a primary domain and add-on domains (I have an upgraded hosting account that allows me to have multiple websites under my plan).
- Re-install WordPress on all of my domains.
- Re-install the VaultPress plugin on all of my domains.
- Click the restore buttons and get all of my saved blog content back where it was supposed to be.
Each site took a different amount of time to load, based on the number of files and the size of the database, but the longest one was about an hour.
Sadly, I lost MakeMediaOver.com, which I’d never backed up via VaultPress, and NightHops.com, which I’d backed up previously but had stopped paying for via VaultPress when Lucas stopped blogging (I have not yet asked VaultPress if it keeps old backups, even for inactive accounts, but I’m going to look into it just in case). I’ve since rebuilt MMO on a new theme, with new content, etc., but it took hours and has convinced me that moving forward, it’s worth $5 a month to add to my backup list. For now, we’re OK letting NightHops stay dark, but I’ve been able to save the domain and I now have control of the site, so rebuilding can happen at any time.
What are the takeaways for you?
Three Steps Toward Blog Security
- Be careful with passwords. I have no idea how the hackers got into my HostGator account, but when they did, they used a fairly common password of mine AND had access to my billing information (which was not ever really unprotected, since I use PayPal on that site and that has its own layer of security), my personal info, etc. I’ve since started using 1Password to randomly generate passwords and logins for all of my websites.
- Make sure — doubly sure — that your sites are fully backed up. Most hosts do offer courtesy backups, but as I found out, my backups were not actually happening. Even if they had happened, I would have either had to manually restore my websites (even as an advanced blogger, this would have been a challenge for me) or pay my host to do it. If you do rely on your hosting service, find out HOW and HOW OFTEN your sites are backed up, and be sure that it includes everything you’ll need for a restore. Often, a database is backed up but not the files, and that really won’t do you much good (you’d have your writing but no themes, no plugins, no uploaded photos, etc.). Some hosts offer a paid backup service but for the money and ease of restoration, I highly recommend VaultPress.
- If something bad does happen, know what steps to take to fix your site. If it’s with VaultPress, make sure you know how to give the platform access to your site (via FTP, SSH, etc.) so that the restore will work. If it’s not, be sure that you know how to log into your site via cPanel or FTP, so you can make the updates manually.
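One way to catch the two backup failures described above (backups that silently stopped running, and backups that hold the database but not the files) is to audit the newest archive on a schedule. This is an added example, not code from the original post or from any host or plugin. It assumes each backup is a single `.tar.gz` containing a SQL dump plus the WordPress `wp-content` tree; the function names, file names and the 7-day limit are hypothetical choices.

```python
import io
import os
import tarfile
import tempfile
import time

# Assumed layout (not from the original post): one .tar.gz per backup holding
# a SQL dump plus the WordPress wp-content tree.
REQUIRED_DIRS = ("wp-content/themes/", "wp-content/plugins/", "wp-content/uploads/")


def audit_backup(path, now=None, max_age_days=7):
    """Return a list of problems found with the backup archive at `path`."""
    now = time.time() if now is None else now
    if not os.path.isfile(path):
        return ["backup archive is missing"]
    problems = []
    age_days = (now - os.path.getmtime(path)) / 86400
    if age_days > max_age_days:
        problems.append(f"backup is {age_days:.0f} days old (limit {max_age_days})")
    try:
        with tarfile.open(path, "r:gz") as tar:
            members = [m for m in tar.getmembers() if m.isfile()]
    except (tarfile.TarError, OSError, EOFError):
        return problems + ["archive is unreadable or truncated"]
    # An empty dump is as useless as a missing one, so require size > 0.
    if not any(m.name.endswith(".sql") and m.size > 0 for m in members):
        problems.append("no non-empty database dump (.sql)")
    for prefix in REQUIRED_DIRS:
        if not any(prefix in m.name for m in members):
            problems.append(f"no files under {prefix}")
    return problems


def make_sample(path, entries):
    """Build a constructed sample archive: entries maps name -> bytes."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        db_only = os.path.join(d, "db-only.tar.gz")
        make_sample(db_only, {"site.sql": b"-- constructed dump"})
        print(audit_backup(db_only))
```

An empty list means the archive is recent and holds both halves of a restore. Anything else should be reported to a person rather than only written to a log.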
Best of luck and be safe!