Creating a Website Recovery Plan
It is an unfortunate fact of having a website: websites get broken, hacked and otherwise rendered inoperable. So what do we do about this? The first thing is not to panic. Most people, when confronted with a broken site, panic. While this is understandable, the best thing is to stay calm and begin to implement your disaster recovery procedures. You do have those, right? If not, you should. The best website recovery plan starts with a good method for protecting, securing and maintaining your website.
First, let’s talk about keeping your website secure. A major reason that sites are hacked is that passwords are harvested (by malware on your computer or a phishing scam) or broken by brute force.
As a site owner, you are typically given a user id and password to log into your cPanel and/or FTP account for the site. This id/password combination is the key to your kingdom and needs to be protected. It goes without saying it should be a strong password; your pet’s name or a favorite sports team will just not cut it. Length matters more than clever substitutions: a passphrase like toastpanerastrabucksaubonpain is easier to remember than 19H@tt3r and takes far longer to brute force, because every extra character multiplies the attacker’s work. Treat 8 characters as the bare minimum, not the goal, and don’t reuse this password anywhere else. If your host offers SFTP or FTPS, use that instead of plain FTP, which sends the password across the network unencrypted. The next step:
Don’t store your passwords in a web browser. It’s tempting because it’s easy, but it’s not secure. Let’s look at how Firefox saves your passwords. Firefox keeps saved logins in your profile folder (logins.json, with the key that unlocks it in key4.db); unless you set a primary password, anything running as your user can read them back.
For FTP, many people use FileZilla. Let’s look at how FileZilla stores saved passwords in its configuration file (sitemanager.xml in the FileZilla profile folder):
There it is in plain text: your passwords! Newer FileZilla releases base64-encode the value instead, which hides it from a casual glance but is not encryption; only FileZilla’s optional master password actually protects the file. Your first line of defense is not having your passwords saved in plain text on your computer. Malware harvests passwords from programs that save them this way. Keep your passwords safe. Now, I am not saying not to use Firefox or FileZilla, just don’t use them to save your passwords. Use a password manager. LastPass (https://lastpass.com/index.php) and 1Password (https://agilebits.com/onepassword) are both great programs that store your passwords securely and pass them to your web browser. For a password vault that is not tied to a web browser I use KeePass (http://keepass.com/). This utility runs as a program of its own and passwords can be copied and pasted anywhere: web, FTP, etc.
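To see for yourself what an attacker (or a piece of malware) gets from that file, here is a small audit script. It is an added example, not code from the original post or from FileZilla: it parses a FileZilla sitemanager.xml and prints every saved login it can recover, handling both the old plain-text `<Pass>` form and the newer `<Pass encoding="base64">` form. The XML embedded in it is constructed sample data, and the profile-folder paths are assumptions about a default install.

```python
"""Audit a FileZilla site-manager file for recoverable passwords.

Added example, not code from the original post or from FileZilla. FileZilla
keeps saved sites in sitemanager.xml (Linux/macOS: ~/.config/filezilla/,
Windows: %APPDATA%\\FileZilla\\; both assumed default locations). Old
releases wrote <Pass> in plain text; newer ones write
<Pass encoding="base64">, which only hides the value from a glance.
The XML below is constructed sample data, not a real configuration.
"""
import base64
import os
import sys
import xml.etree.ElementTree as ET

SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <User>siteowner</User>
      <Pass>hunter2</Pass>
      <Name>Old site (plain text)</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <User>deploy</User>
      <Pass encoding="base64">c2VjcmV0</Pass>
      <Name>New site (base64)</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host>
      <Port>22</Port>
      <User>nopass</User>
      <Name>Ask each time</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def recover_filezilla_passwords(xml_text):
    """Return one (name, host, user, password, how) tuple per saved server.

    password is None when nothing recoverable is stored; `how` says why.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        name = server.findtext("Name", "")
        host = server.findtext("Host", "")
        user = server.findtext("User", "")
        pass_el = server.find("Pass")
        stored = (pass_el.text or "") if pass_el is not None else ""
        if not stored:
            findings.append((name, host, user, None, "not stored"))
            continue
        encoding = pass_el.get("encoding", "")
        if encoding == "":
            # Old style: the element text is the password itself.
            findings.append((name, host, user, stored, "plain text"))
        elif encoding == "base64":
            # Encoding, not encryption: anyone who can read the file can undo it.
            pw = base64.b64decode(stored).decode("utf-8", "replace")
            findings.append((name, host, user, pw, "base64 (reversible)"))
        else:
            # Any other encoding (FileZilla's master-password mode) is left alone.
            findings.append((name, host, user, None, f"encoding={encoding!r}"))
    return findings


def default_sitemanager_path():
    """Best-effort location of the real file on this machine (assumed paths)."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")
    return os.path.expanduser("~/.config/filezilla/sitemanager.xml")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_sitemanager_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        print(f"{path} not found; auditing the constructed sample instead")
        text = SAMPLE_SITEMANAGER
    for name, host, user, pw, how in recover_filezilla_passwords(text):
        shown = "(none)" if pw is None else pw[:2] + "*" * (len(pw) - 2)
        print(f"{name!r}: {user}@{host} -> {shown} [{how}]")
```

Run it with no arguments on your own machine; if the script can print a login for a site you care about, so can anything else running under your account, which is the whole point of moving those credentials into a password manager and leaving FileZilla’s "save password" box unticked.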
The next place to protect yourself is when you make changes or updates to your website. We all do this in minor ways (adding content by writing posts) and major ways (adding a really cool new plugin to add functionality). If you are doing anything where you think there is the remotest possibility of breaking something (and adding plugins to a WordPress site or changing themes could do this) back up your site first.
Your host may do backups for you. Typically they do it daily, overwriting the previous day’s backup. They may also do a weekly backup (kept until the next weekly backup is run) and a monthly backup. This is not a bad strategy: you can always go back to the day before, and you have a weekly and a monthly backup in reserve. You do have to ask yourself whether three backups is enough. What if you don’t notice an issue right away? Once a week that good weekly backup gets written over, so if a problem occurs and you don’t notice until after the weekly backup has been overwritten, your daily and weekly backups both contain the broken site and you would have to rely on the monthly backup to restore from. Is this good enough? Only you can be the judge. If you need more backups than this typical cycle provides, you have options. Ask your host if they can keep more backups than the daily/weekly/monthly set; some may already do this.
So here is where your own personal backup plan kicks in. As I said before, before any major change (like updating WordPress) back up your site. If your site runs on WordPress you can use a plugin. WP-DB-Backup is a plugin that will back up your database on demand or on an automated schedule. BackupBuddy will back up your entire site (on demand or on a set schedule), and VaultPress is a service that backs up your site continuously and stores it off site. Both BackupBuddy and VaultPress are premium plugins that have a cost, but can be well worth it if you ever have a problem. If you do not use WordPress, you will need to back up the old-fashioned way: FTP your files to your local computer and use phpMyAdmin (or mysqldump) to export your database. Old-fashioned manual backups require that you actually remember to do them, so if you can get them automated that is recommended.
Once you have a backup plan, stick to it. Make sure you always have a recent backup of your site, and restore from one into a test folder or a staging copy now and then; a backup you have never restored is only a hope. People have accused me of being a backup nut. I really cannot deny this; you only need to lose a critical file once to learn the lesson of backups.
I also strongly recommend that you make sure that you can access your backups! What happens if the server goes down and your backups are all on the server? Remember to download your backup files or send them off site (Amazon S3 is great for this) for safekeeping.
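Putting the last few paragraphs together, here is what an automated version of the "old-fashioned" backup looks like: a database dump and the site files go into one dated archive, a checksum is written beside it so a restore can be verified, old copies are thinned with a daily/weekly/monthly rule that keeps older good copies around (the gap in a host’s overwrite-in-place cycle described above), and the archive is pushed off the server to S3. This is an added example, not code from the original post or from any of the plugins it names. Everything about the environment is assumed: the paths, the database name, that `mysqldump` reads its credentials from ~/.my.cnf (so the password never appears on the command line), and that the AWS CLI is installed and configured for the bucket.

```python
"""Scheduled site backup with daily/weekly/monthly retention and an
off-site copy.

Added example, not code from the original post or from any plugin named
in it. Everything here is an assumption about a typical shared host: site
files under SITE_DIR, a MySQL database that mysqldump can read using
credentials from ~/.my.cnf (so no password shows up on the command line
or in `ps`), and an S3 bucket reachable with the AWS CLI.  The retention
rule is pure and can be exercised without any of those.
"""
import datetime as dt
import hashlib
import os
import re
import subprocess

SITE_DIR = "/home/siteowner/public_html"   # assumed
DB_NAME = "siteowner_wp"                    # assumed
BACKUP_DIR = "/home/siteowner/backups"      # assumed; keep it outside the web root
S3_BUCKET = "example-site-backups"          # assumed

ARCHIVE_RE = re.compile(r"^site-(\d{4})-(\d{2})-(\d{2})\.tar\.gz$")


def to_keep(names, daily=7, weekly=4, monthly=6):
    """Select which site-YYYY-MM-DD.tar.gz files survive a prune.

    Keeps the newest `daily` archives, the newest `weekly` Sunday archives
    and the newest `monthly` first-of-month archives, so a problem that
    goes unnoticed for weeks still leaves an older good copy to restore.
    """
    dated = []
    for n in names:
        m = ARCHIVE_RE.match(n)
        if m:
            dated.append((dt.date(*map(int, m.groups())), n))
    dated.sort(reverse=True)                      # newest first
    keep = {n for _, n in dated[:daily]}
    keep.update([n for d, n in dated if d.weekday() == 6][:weekly])
    keep.update([n for d, n in dated if d.day == 1][:monthly])
    return keep


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_from_sidecar(text):
    """Parse the `<hex>  <filename>` line written next to each archive."""
    return text.split()[0]


def make_backup(date=None):
    """Dump the database, tar it with the site files, write a .sha256 sidecar."""
    date = date or dt.date.today()
    os.makedirs(BACKUP_DIR, exist_ok=True)
    dump = os.path.join(BACKUP_DIR, f"{DB_NAME}.sql")
    archive = os.path.join(BACKUP_DIR, f"site-{date:%Y-%m-%d}.tar.gz")
    with open(dump, "wb") as fh:   # --single-transaction: consistent InnoDB snapshot
        subprocess.run(["mysqldump", "--single-transaction", DB_NAME],
                       stdout=fh, check=True)
    subprocess.run(["tar", "-czf", archive,
                    "-C", os.path.dirname(SITE_DIR), os.path.basename(SITE_DIR),
                    "-C", BACKUP_DIR, os.path.basename(dump)], check=True)
    os.remove(dump)
    with open(archive + ".sha256", "w") as fh:
        fh.write(f"{sha256_of(archive)}  {os.path.basename(archive)}\n")
    return archive


def verify(archive):
    """True if the archive still matches its sidecar (run this before any restore)."""
    with open(archive + ".sha256") as fh:
        return sha256_of(archive) == digest_from_sidecar(fh.read())


def prune():
    """Delete archives (and their sidecars) the retention rule no longer wants."""
    names = [n for n in os.listdir(BACKUP_DIR) if ARCHIVE_RE.match(n)]
    keep = to_keep(names)
    removed = []
    for n in names:
        if n not in keep:
            for f in (n, n + ".sha256"):
                p = os.path.join(BACKUP_DIR, f)
                if os.path.exists(p):
                    os.remove(p)
            removed.append(n)
    return removed


def push_offsite(archive):
    """Copy archive and sidecar to S3 so a dead server does not take the backups with it."""
    for f in (archive, archive + ".sha256"):
        subprocess.run(["aws", "s3", "cp", f,
                        f"s3://{S3_BUCKET}/{os.path.basename(f)}"], check=True)


if __name__ == "__main__":
    a = make_backup()
    if not verify(a):
        raise SystemExit("backup failed its integrity check; not pruning or uploading")
    push_offsite(a)
    print("removed:", prune())
```

Run it from cron once a day (and by hand before a plugin or theme change). With the defaults above, the local folder holds a week of dailies, four Sunday copies and six first-of-month copies, so the scenario from earlier, a break that sits unnoticed until the host’s weekly copy has been overwritten, still leaves several good archives to go back to; the copies in S3 survive the server itself going down.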
So now what if the unthinkable happens? S*** happens! A bad update, an honest error when updating your website, and your site goes down. Well, don’t panic, you have a plan. Stay calm and restore from your backup.