My Presentation from WordPress Day at 15NTC in Austin, TX. Basic, beginner information on how to do updates, protect your website from hackers, and set up scheduled offsite backups. Keep your WordPress website up and running with these simple tasks.
18. #15ntc
Update on a staging site.
or
Update behind a “Coming Soon” screen
or
Update in a low-traffic period.
Update Precautions
19. #15ntc
Restore files from backup
or
Get the last known working version of the plugin from the Repository and reinstall via FTP
Then get help from a pro.
If an update goes wrong
39. March 3, 2015
Clare Parkinson
@clareparkinson
15NTC WordPress Day
Website Maintenance
Any questions?
Editor's Notes
I’m not covering content updates, strategy, or website performance
Somebody has to take care of the basic daily maintenance for your website. It’s like maintaining an engine - if you don’t keep up with the regular maintenance, it’s more trouble and work down the road. Between browsers, plugins, 3rd party APIs, a WordPress website has a lot of moving parts. Things can break. They probably won’t, but it’s good to be prepared.
This is super basic information, but it’s something that a lot of website owners overlook. I’m using examples from my personal experience. There are a lot of different WordPress plugins and services, if you know a great one I haven’t mentioned, please speak up.
The kind of website maintenance I’m talking about is daily upkeep to make sure the website is:
Online and working
Safe from hackers (brute force attacks)
Can be recovered if something goes wrong, with a minimum of drama.
Updates to WordPress core, plugins, themes
Security: scans and protection, mostly against brute force attacks.
Backup and recovery. Keep a complete copy of your website in a safe location.
Do all this and you’re good. Relax and focus on your content.
WordPress is free! Sort of.
There’s a tradeoff: money vs time. Pay someone to take care of everything, or develop the skills to do it yourself. Using managed hosting + development services, vs using free plugins. You may still run into problems you can’t handle, but you can minimize their impact on your site.
You can do everything the managed hosts and services do yourself; you just need to know what to do and have the tools to do it.
WP Engine: $29/month
Pagely: $64/month
Pressable: $21/month
DreamPress: $20/month
http://wpdevshed.com/managed-wordpress-hosting/
Migrating to managed hosting
Some hosts do it for free
fantasktic.com migrates, starting at $99
Plugins: WP Migrate DB Pro ($99), Duplicator (free, harder)
DIY: FTP, PHPMyAdmin
They can give WP specific advice, help you troubleshoot. Many hosts don’t have specific WordPress experience, so they can’t give you detailed advice when something goes wrong.
Unless you have Pagely’s $64/month plan, you still need to do plugin and theme upgrades yourself. But with daily backups, and knowledgeable WP support just in case something goes wrong, doing it yourself is a lot less risky.
If you run into a problem that managed hosting can’t handle, you can hire a pro… WPCurve.com will perform unlimited small tasks for $69/month. Patrick Rauland @bftrick, next up, will discuss.
And if you don’t have the budget for managed hosting, you can perform the same tasks yourself.
Same list as managed WordPress tasks/services, except with plugin and theme updates
Since version 3.7, your WordPress site will update itself when a new minor or security update is released.
Settings in wp-config.php or certain plugins can enable auto updates of core, plugins, and themes, but I never have.
Immediately! Or as soon as you can. Because - if you change one thing, and something breaks, you know what caused it. When updating, update one thing, test everything, then update the next.
For WooCommerce, follow this order: update WordPress, update theme, update plugins, update WooCommerce extensions, then update WooCommerce itself.
If you don’t login to your site once a week, make sure you get notifications when something needs to be updated. WP Updates Notifier emails you when something needs to be updated. You can enter a techier person’s email. WordFence also sends notifications of available updates.
Make sure you have a backup. These precautions apply mostly to themes and plugins, not WP itself. WordPress core updates are usually totally OK, but take precautions if you have a new site you’ve never updated before, or if you have added functionality (e.g. a theme or plugin) to your site since you last updated WordPress. Usually everything will be fine; sometimes something could break.
Make sure you have a backup! More about backups soon.
WordPress sites are constantly under attack, just because WordPress is a big target. 20% of the top 2 million websites on the internet are on a WordPress platform. These aren’t Anonymous or North Korea, these are just simple brute force attacks by bots. They’re spammers or pranksters.
This was my friend’s personal professional website. It got hacked by someone, and she called me for help.
Reduce or eliminate vulnerabilities on your website with some simple steps that can be done for free.
Brute force attacks are bots (scripts) that look for WP sites and then just try to guess the username and password. They have a big list of possible passwords - a dictionary, and maybe a list of 100 common passwords - and just try to log in, thousands of times.
Brute force attacks try to log in hundreds of times in a minute. It’s very obvious to the server when this happens; humans don’t do that. Install a plugin that will block an IP after a certain number of failed login attempts. I like WordFence. It’s free and you can set it and forget it. Just install it, activate it, and you don’t even need to mess with the settings.
Sometimes you’re not even sure if you’ve been hacked, your site just looks weird or broken. Install a plugin that creates a log of all user activity. Check your user activity log for suspicious activity, like someone creating a new admin account. This log will give you information you can use to figure out how hackers are getting in, or you can give this info to a developer or tech support.
Be aware of current threats and vulnerabilities in WordPress, themes, and plugins. Sign up for emails from WordFence or follow their blog: http://www.wordfence.com/blog/. They’ll tell you what the danger is and what to do about it.
Delete everything you’re not using. Themes, plugins, users, old websites on the server. Any unattended WordPress site is vulnerable. If hackers get into one WP site they can get into another on the same server.
Sometimes, things just go wrong. Could be a bad plugin update, hackers, or something beyond your control.
Rather than spending time tracking down the specific problem, the easiest thing to do is delete everything and restore your site from a backup. Delete WordPress, get the backup (your most recent working copy), and just recreate the site from scratch in an uncorrupted state.
When my friend got hacked, she had no backup. I spent 4 hours getting back into her site and cleaning up the hack.
Some hosts - large companies with good reputations - only take backups once every two weeks! And even if the backup is free and available, you might have to submit a request or open a support ticket and wait. Or you may have lost access to your host account, and you need to track down the password or email a former employee, and meanwhile your site is down. http://www.iwmf.org/ was hacked in September 2014 and took 36 hours to fix. It should only take 3 hours to get a broken website back online.
Schedule backups, save to server.
UpdraftPlus and WordPress Backup to Dropbox both copy to remote storage.
WPB2DB - better scheduling, only Dropbox for remote storage.
UpdraftPlus - more options for remote storage, limited scheduling.
BackWPup Free - remote backup options are free except for Google Drive, need to pay for that.
BackUpWordPress
ALSO
BackupBuddy, normally $80/year, is free if you can prove you’re a nonprofit.
You don’t need to back up WordPress core, just the files that make your site unique. They’re all in the wp-content directory. Most backup plugins have options to include/exclude directories, so make sure you include these.
How frequently is your website updated?
How much media do you have?
How much work can you afford to lose?
All the free plugins I listed can be configured to these schedules. Figure out which one works for your website.
Sometimes REALLY bad things happen. Your host’s data center catches fire. Earthquake, etc. Make sure whatever plugin you’re using is configured to copy your backup to a safe location in the cloud, e.g. Dropbox, Drive, Amazon Web Services, etc.
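For readers who want to see what a backup plugin does with the files, here is an added example (not from the original presentation or any of the plugins named) that archives wp-content, checks the archive against the directory, records a SHA-256 checksum and keeps only the newest few archives. The function name, paths and retention count are assumptions; the WordPress database is outside the scope of this sketch, and copying the archive to remote storage is left to your sync tool.

```python
import hashlib
import tarfile
import time
from pathlib import Path

def backup_wp_content(site_root, backup_dir, keep=7):
    """Archive <site_root>/wp-content, verify it, write a checksum file,
    and keep only the newest `keep` archives (keep must be >= 1)."""
    site_root, backup_dir = Path(site_root), Path(backup_dir)
    source = site_root / "wp-content"
    if not source.is_dir():
        raise FileNotFoundError(f"{source} not found; is this a WordPress root?")
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = backup_dir / f"wp-content-{stamp}.tar.gz"

    # Only wp-content goes in; WordPress core (wp-admin, wp-includes) is skipped.
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="wp-content")

    # Verify: re-open the archive and compare its file list with the disk.
    expected = {"wp-content/" + p.relative_to(source).as_posix()
                for p in source.rglob("*") if p.is_file()}
    with tarfile.open(archive, "r:gz") as tar:
        archived = {m.name for m in tar.getmembers() if m.isfile()}
    if archived != expected:
        archive.unlink()
        raise RuntimeError("archive does not match wp-content; backup discarded")

    # The checksum lets you confirm the offsite copy is intact before a restore.
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    checksum_file = archive.with_name(archive.name + ".sha256")
    checksum_file.write_text(f"{digest}  {archive.name}\n")

    # Retention: timestamped names sort oldest first, so drop all but the last `keep`.
    for old in sorted(backup_dir.glob("wp-content-*.tar.gz"))[:-keep]:
        old.unlink()
        old.with_name(old.name + ".sha256").unlink(missing_ok=True)
    return archive, digest
```

Run it from cron or another scheduler at the frequency that matches how much work you can afford to lose.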
WordPress Managed hosting provides a one-click “restore” button, as do many paid backup plugins. For most free backups, you’ll need to do the restoration yourself, manually.
Not much. Your website should be safe - even if there’s a major natural disaster in your host’s datacenter, your site can be recreated from your offsite backup.