We are often asked about WordPress security, and while we are not security professionals, we are happy to share some advice. If you need specific advice for your website, please contact a WordPress security expert like Sucuri.
Recommendations
I will start with some recommendations and then move into answering some common questions that come into Photocrati support.
Backup: Files & Database
BackupBuddy is a fantastic WordPress plugin to automate full-site backups. However, there are many free alternatives in the WordPress plugin directory that can also get the job done, for example WordPress Backup to Dropbox. Keeping regular backups offline (away from the web server) is ideal for a WordPress website so it can be restored if something does happen.
- BackupBuddy – Premium plugin with annual subscription. Can backup to FTP, Amazon S3, Dropbox and more
- WordPress Backup to Dropbox – Free with premium upgrades – Can backup to Dropbox only
- VaultPress – Premium plugin with monthly subscription. Service from Automattic, developer of WordPress
Of course, there are many other backup plugins available. If you have one to suggest please comment below.
Database Optimizing
Keeping your WordPress database optimized is one of the ways to keep it running fast and strong. Database optimization can be done through a database tool, but that is not something to be touched by someone without a full understanding of the tool. There is a plugin that can help anyone optimize their database at any time: WP-Optimize is one of the more popular tools of its kind.
Of course, there are many other database optimization plugins available. If you have one to suggest please comment below.
Security: Monitor & Fix
Because of the popularity of WordPress, it is more vulnerable to attack than other content management systems. One of the top security plugins, free in the directory, is Wordfence. Let it monitor and safeguard certain aspects of your site. Some security plugins come with incident actions, where they will log in and fix hacks if they occur.
- WordPress Firewall 2 – Free plugin with limited capability
- Wordfence – Free and premium plans – many free options for monitoring levels
- Sucuri – Premium plans starting at $89 per year. Includes malware cleanup
- VaultPress – The $40 plan comes with security features
Of course, there are many other security plugins available. If you have one to suggest please comment below.
Security: Admin Accounts
The most important thing I can tell you about your admin account(s) is this: your admin account should not be called “admin”. In fact, it should not be your name. Call it something that no one would ever guess by looking at your website or social profiles. For example, your admin account could be named “RainSnow.” The account that you use on a regular basis can be your name, but its user role should be lower than administrator, such as Editor.
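A quick audit of the accounts the paragraph above is talking about, as an added shell example (not code from the article and not part of WordPress itself): it reads one user per line and flags administrator accounts whose login is a default name or equals the public display name, which is exactly what someone would guess from the site or social profiles. The input format `user_login,display_name,roles` is an assumption; WP-CLI's `wp user list --fields=user_login,display_name,roles --format=csv` produces rows of that shape for single-role users, and any other user export can be reshaped to match.

```shell
#!/bin/sh
# Added example, not code from the article or from WordPress.
# Reads "user_login,display_name,roles" rows on stdin (header optional; one
# primary role per row is assumed) and flags guessable administrator logins.
# Prints one RISK line per finding; exit status 0 = clean, 1 = something flagged.
audit_admin_logins() {
    findings=0
    while IFS=, read -r login display roles; do
        [ "$login" = "user_login" ] && continue          # skip a CSV header row
        # Only accounts that actually hold the administrator role matter here;
        # the article's advice is to keep day-to-day accounts below that level.
        case ",$roles," in
            *,administrator,*) ;;
            *) continue ;;
        esac
        lc_login=$(printf '%s' "$login" | tr 'A-Z' 'a-z')
        lc_display=$(printf '%s' "$display" | tr 'A-Z' 'a-z')
        # Default names are the first thing a brute-force script tries.
        case "$lc_login" in
            admin|administrator)
                echo "RISK: administrator login '$login' is a default name"
                findings=$((findings + 1)) ;;
        esac
        # A login equal to the public display name is readable off every post byline.
        if [ "$lc_login" = "$lc_display" ]; then
            echo "RISK: administrator login '$login' matches the public display name"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage with WP-CLI on the server (assumed invocation):
#   wp user list --fields=user_login,display_name,roles --format=csv | audit_admin_logins
```

The check is deliberately conservative: it never renames or demotes anything, it only reports, so it can be run from a cron job and the non-zero exit status used as an alert.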
Hosting: Good, Better, Best
Many hosting companies offer several styles of hosting. At Photocrati, we recommend Bluehost for our customers (who do not photograph adult oriented images) because of their highly rated shared hosting platform. What many don’t realize is that Bluehost also offers virtual private server hosting, which provides more speed, security and flexibility for websites. Other hosts we like are WP Engine and Synthesis, which provide WordPress-specific hosting and regularly scan for security vulnerabilities.
- SiteGround – A very popular hosting solution, that is proactive when a hack is detected. They offer shared hosting, cloud hosting and more.
- WP Engine & Synthesis – Great option for heavy WordPress users that want the highest security without separate security fees. Both use Sucuri for regular security checks. In addition, both offer built-in daily backups, similar to Apple’s Time Machine. The feature can be very useful if something goes wrong and you want to turn back the clock to the previous day.
Of course, there are many other web hosting solutions available. If you have one to suggest please comment below.
Common Questions
Now I am going to share some common questions we receive through Photocrati support.
I’m afraid to update WordPress/plugins because I am worried it will break my site!
Understandable, and you are not alone. My best advice is as follows.
- Keep your backups up to date. If possible, schedule backups to run daily or weekly.
- Whenever a plugin, theme or WordPress has a minor update (e.g., 3.4 to 3.4.1), update it right away. Minor updates typically contain important bug or security fixes.
- If a plugin, theme or WordPress has a major update (e.g., 3.4 to 3.5), hold off on updating until developers and other users have put the update through further live testing. Or, if you have access to another WordPress install, duplicate your live site to a “staging site” or “development site” and update there to see if it’s okay to update the live site.
Here is an article I’ve written with more on WordPress updates.
Here is an article discussing how to manually create a secondary (or staging) site or use BackupBuddy to create one.
It is also worth noting that all WP Engine plans come with a staging site feature where you can automatically create a staging site at any time.
Can I revert back to an older version of WP, Theme, Plugin if my site does break?
As mentioned, before updating anything on a live (production) site, create a backup.
To answer the question, it depends on the update. Often, if it is a minor update, the database is not changed much at all. If that’s the case, replacing the WordPress files on your server should revert smoothly. If the WordPress update is a major one, it is likely that reverting to an older version will break the site. Using a plugin like BackupBuddy (mentioned and linked above) can help you revert to older versions smoothly.
Typically with themes and plugins you can revert at any time, but you will have to speak to the developers of each. With the Photocrati theme, reverting is safe with minor updates. Major updates typically have database changes. The same goes for NextGEN Gallery.
What if my site breaks, and I lose everything? How can I restore my site to a working version?
This is where a backup tool comes in. Of all the backup plugins available, BackupBuddy has the easiest process for restoring a WordPress website. Another option is going with a host that supplies backups on a daily or weekly basis (as mentioned above).
How do I do a full backup of my site before upgrading?
Most backup plugins will do a full backup with all the files on the server. However, not all of them can or will back up your database, which is also extremely important. When deciding on a backup plugin, make sure that the one you choose offers database backup as well. Many of these plugins also have a one-click solution to perform the backup. My upgrading workflow includes:
- Manually click the backup button to get it going
- Wait until the backup is complete and confirmed
- Perform the upgrades
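The workflow above, done by hand, as an added shell example that is not part of the original article and is not BackupBuddy’s or any other plugin’s code. It covers the two pieces the article says a backup must include (the site files and the database) and turns the “wait until the backup is confirmed” step into an actual check rather than a progress bar. It assumes a standard layout with `wp-config.php` in the site root, that `mysqldump` (or whatever command is named in `$MYSQLDUMP`) can reach the database using the credentials in that file, and that `tar` and `gzip` are installed.

```shell
#!/bin/sh
# Added example, not code from the article or from any backup plugin it names.
# Manual "files + database" backup of a WordPress site with a verification step.
# Assumptions: wp-config.php sits in the site root, DB_HOST is a plain host name,
# mysqldump (or the command named in $MYSQLDUMP) can reach the database, and
# tar/gzip are installed.
set -eu

# Read one define('KEY', 'value') constant out of wp-config.php.
# $1 = path to wp-config.php, $2 = constant name such as DB_NAME
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Back up the site files and the database into $2, tagged with one timestamp.
# Prints the timestamp so the caller can verify the matching pair of artefacts.
# $1 = site root (the directory holding wp-config.php), $2 = backup directory
backup_site() {
    site_root=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"

    # 1. Files: everything under the site root (core, themes, plugins, uploads, config).
    tar -czf "$dest/files-$stamp.tar.gz" -C "$site_root" .

    # 2. Database: credentials come from wp-config.php. The password is handed over
    #    through MYSQL_PWD rather than on the command line so it does not show up
    #    in the process list. Note that a plain sh pipeline only reports gzip's
    #    status, which is why verify_backup inspects the dump's contents afterwards.
    cfg="$site_root/wp-config.php"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    dump_cmd=${MYSQLDUMP:-mysqldump}
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
        "$dump_cmd" --host="$db_host" --user="$db_user" --single-transaction "$db_name" \
        | gzip > "$dest/db-$stamp.sql.gz"

    printf '%s\n' "$stamp"
}

# Confirm the backup pair is usable before touching the live site: both artefacts
# exist and are non-empty, the archive lists cleanly, the dump decompresses without
# error and actually contains table definitions (an empty or truncated dump is the
# classic "backup that was never really there").
# $1 = backup directory, $2 = timestamp printed by backup_site
verify_backup() {
    files="$1/files-$2.tar.gz"
    db="$1/db-$2.sql.gz"
    [ -s "$files" ] && [ -s "$db" ] || return 1
    tar -tzf "$files" >/dev/null 2>&1 || return 1
    gzip -t "$db" 2>/dev/null || return 1
    gzip -dc "$db" | grep -q 'CREATE TABLE' || return 1
    return 0
}

# Usage on a real host (paths are placeholders):
#   stamp=$(backup_site /var/www/html /var/backups/wp)
#   verify_backup /var/backups/wp "$stamp" && echo "backup confirmed, safe to upgrade"
```

Copy the two artefacts off the server once `verify_backup` passes; a backup that lives only on the machine being upgraded (or hacked) is not the offline copy the article recommends.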
How do I know if the new version will fix my issue?
Take a look at the changelog that comes with themes or plugins. Each plugin in the WordPress directory should have an included changelog. For example, here is a link to NextGEN Gallery’s changelog page in the WordPress directory. Many themes, like Photocrati, publish a blog article with the changes, in addition to including a changelog file within the theme’s ZIP. Here is a link to the Photocrati changelog archive.
In a changelog, developers include what is new, what was fixed and what was changed. Before doing an update, look at the changelog to see if it addresses your issue. If so, check the issue after updating.
If you do not see the fix after updating, verify that you do not have caching activated on your website or server, because caching delays changes from going live. We find that many WordPress users run plugins like WP Super Cache or W3 Total Cache. Both can be very effective for speeding up your website. However, with both it can take a long time for the cache to clear and updates to show.
Clear cache and then deactivate the plugins to see changes on your live site. Then reactivate when complete.
If your issue was addressed in the changelog, but you continue to see the issue after updating, then contact the developer.
I’m worried about being hacked, how can I protect my site?
Pick one security plugin and keep it active and monitoring your website. I personally recommend Wordfence due to its many options and levels of security. In addition, their premium plans are not too expensive if added security is needed. I also host with WP Engine, so I know that my site will regularly be scanned by Sucuri thanks to the relationship between the companies. Between my host, their security measures and Wordfence, I feel comfortable with my website.
For more security tips, please visit my article, Secure Your WordPress Website (Do It).
Oh no! My site got hacked, how can I fix it?
If you want to handle the hack on your own, it’s best to wipe your server clean and restore a backup that is free of the hack. Before doing so, try to figure out how the hacker got in and what was vulnerable; otherwise the restored site has the same hole. Keep in mind that if you run on a shared host, like Bluehost or Dreamhost’s starter plan, your website is vulnerable to attack if someone else on the same server gets hacked.
My personal recommendation is to hire a company like Sucuri to fix your hack. Because Sucuri handles WordPress security on a daily basis, it is likely they can identify and fix the problem fairly quickly.
My site is so slow, what can I do to help speed things up?
There are many things you can do to speed up your website. The list below will cover a few of the things you can do, that can make obvious improvements.
- Go with a better hosting option, not necessarily the provider. For example, a VPS (virtual private server) will push your website out to a visitor faster than a shared host.
- Reduce the amount of front-end plugins that are running on your website. For example, if you have Facebook or Disqus comments live on your website, and not many people are commenting, then remove them. Try to only keep plugins on your website that are used on a regular basis or are crucial to the function and security of your site.
- Do not use multiple security or caching plugins. Doing so can cause conflicts and actually slow down or break your website.
- Keep your database optimized (mentioned above)
What plugins do you suggest to help speed up my site?
As mentioned above, WP-Optimize is a great plugin for keeping your database clean and optimized. If you would like to see which plugins are affecting page speed, there is a great plugin that tests the front end of your website. Download P3 Plugin Performance Profiler and give it a try. The results will show you WordPress, theme and plugin load times. Of course, there will be things that you cannot remove, so the plugin is best for identifying plugins that are slowing down your site. I ran this on my own website and found one plugin causing a major drain on my page speed. See the results and how I used P3 to speed up WordPress.
Conclusion
If you have any other advice or suggestions for the Photocrati and NextGEN Gallery community, or anyone who stumbled upon this article then please comment below to share.
Thanks for reading,
Scott
CptChaos
7 Mar 2013
Some of the free plugins to improve the security (Bulletproof Security & WordPress Firewall 2) haven’t been updated in two years.
It’s strongly advisable to use relatively new plugins rather than old plugins that have not been maintained for two years.
Scott
7 Mar 2013
Wordfence is a new one out there and has a great rep. Sucuri also has a plugin. Thanks for the comment!
Lorenzo
25 Mar 2013
Here is a suggestion for speeding up a WordPress site: run a lean site with a minimum amount of plugins.
As you mentioned, the P3 Profiler plugin can show you the plugins that are slow on your site. You can then decide whether to deactivate these slow plugins or replace them with faster alternatives.
BTW: Try the Duplicator plugin for backing up and migrating a WordPress site. It’s also available from the WordPress plugins directory.
Nishant
10 Apr 2013
I found BlogVault to be a better alternative to BackupBuddy. I use it on my sites. It was the plugin I resorted to every time an update failed, or a hack took place. It was easier to restore and do the clean-up act.
Cheers!
Nishant