A popular form of malware on computers is known as “ransomware”. This malware will lock up all of your files and encrypt them, and the only way to get them back is to pay a few hundred dollars to get the “key” to unlock them. This kind of nasty malware is now attacking web servers; they encrypt your entire site (which knocks it offline) and demand money for you to get it back.
To make matters worse, some variants of the malware messed up and deleted the key so there is literally no way to unlock it and your only hope is to restore from a backup. You should download a antivirus on your computer and on your phone, you can get antivirus for your phone at Zonealarm mobile Security. In the fight against spammers and hackers for virus removal, things are only getting tougher. Fortunately you (hopefully) have a solid web host that can help defend your site, software like WordPress that constantly puts out updates to stay one step ahead, and a plan in place to help prevent issues (and deal with them if anything goes wrong).
In the case of our basic maintenance plans, we work daily on seven different aspects of protecting client websites. If you’re not handling these items on your website, please make sure that someone is. While we pay for some tools to help our efforts, all of the items on this list can be done for free if you put the time into it.
If you’re curious about how exactly we do it, this post will explain a bit more about each area of that maintenance. We manage well over 100 WordPress websites on a daily basis, and this is how:
1. Core WordPress Updates
A new version of WordPress is released roughly once a month, and many of them contain essential security patches. It’s vital that you stay on top of those updates to make sure you aren’t leaving any holes in your site. The lack of core updates to WordPress is the #1 reason that websites get hacked.
How we do it: We handle core WordPress updates by hand via FTP. We keep a list handy in Google Drive, then add the tasks to Asana when it’s time to go. We prefer to do this manually so we can keep a close eye on sites individually to ensure everything is solid.
2. Plugin Updates
Similarly, most popular plugins are updated once or twice a month. While these often have security patches in them, they also have updates to make sure they work with the latest version of WordPress. If you update WordPress to the newest version but have a plugin that is a year old, you’re asking for trouble.
How we do it: We used InfiniteWP to help with this for a while, but have since moved to ManageWP. This is a more expensive solution, but their new “Orion” product is quite helpful. MainWP and iThemes Sync are two other popular options. Of course, you can certainly update plugins manually if you’d prefer.
3. Google Search Console Monitoring
The Google Search Console (formerly known as Google Webmaster Tools) is the only way that Google will ever notify you about a problem with your site. Make sure you register your site with them so you can be informed of any issues. We covered this in our Meetup a few months ago, and you can view the slides and video here.
How we do it: Just head into Google Search Console and set it up.
4. Daily Backups
Your host likely makes backups of your site, but you can never be too careful. What if something goes wrong on their end? We used to backup all of our client sites weekly, but now we back them all up 1-2 times every day. If something goes wrong (such as the malware example above) you need to be able to quickly restore your site to a functional state.
5. Daily Malware Scans
Malware scanning is another area that we used to execute weekly and now we do every day. While it’s quite rare to see an infection if you keep things secure and updated, it’s essential that you’re aware of issues as soon as possible so you can limit the damage.
How we do it: We used to use the tools inside of InfiniteWP (which were powered by Sucuri and worked well), but we’ve since developed our own solution. Products such as Google Safe Browsing and Spamhaus have solid APIs available, so we use them to help power our private scanner. You can always run a quick scan through the Sucuri SiteCheck to see if they detect any issues.
6. Performance Optimizations
This aspect is more about performance than security, but we work through every site every day to make sure spam comments have been removed, excess post revisions have been removed, and the database is optimized in order to help things run as smoothly as possible.
How we do it: We handle these through ManageWP as well. Outside of that, you can clean spam posts from your site manually from the dashboard (and using Akismet to help), clean post revisions with a plugin such as Better Delete Revision, and optimize your database by following this tutorial using cPanel/phpMyAdmin.
7. 24/7 Monitoring
Lastly, we keep 24/7 monitoring on every site, checking at five minute intervals, so we can be the first to know of any problems. A site going down typically is due to a hiccup with the hosting company and is taken care of automatically, but it’s good to make sure you’re aware of what’s happening so you can take the proper action.
Beyond all of that, you should be using some kind of security plugin on your site. We’re big fans of iThemes Security, but Wordfence and Sucuri are two other popular options. We discussed many of these at a recent Meetup, and you can view those slides and video here.
There is certainly a lot more that should be considered; finding a secure host, using proper passwords, avoid using the “admin” username, and a variety of other things. However, if you stick to working on the list above you should be in pretty good shape.
What tools do you use to help manage your site (or the sites of your clients)?