Zen and the Art of Website Maintenance, Part 3: Updates

Congratulations! If you’ve been following this series, then you’ve started a regularly-scheduled backup routine (with validation) and are monitoring your site for security threats. You’re probably feeling more Zen already. But we’re not done yet, grasshopper.

There are only three certainties in life: death, taxes, and software updates. Up-to-date software doesn’t stay that way by itself. It takes awareness and discipline to make sure your web software is kept in tip-top shape.

Why Should I Bother?

“But,” I can hear you say, “my site is working great right now! Why should I bother updating it all the time?” There are a couple of reasons to keep clicking that “Update Now” link:

  • New security risks are discovered. This is the No. 1 reason to make sure you’re updating your core and plugins. (We talked about the concept of a zero-day exploit last week.) Fortunately, there are hundreds of volunteers in the WordPress community who are ready to patch and release the new code quickly.
  • “Under the hood” improvements. Sometimes software is updated to take advantage of new features in the underlying technology. While this is more often true of smartphone apps, it also applies to your web software. For example, a theme might ship new front-end code that takes advantage of modern browser capabilities, or a complex plugin might work better when paired with the latest version of PHP (the server-side language WordPress is built on). WordPress is backwards-compatible (almost to a fault), but staying up to date improves performance all around, and old PHP versions eventually stop receiving security fixes of their own.

How Do I Keep Updated?

  • Check the “Updates” section of the admin. You can’t miss it, really. If your site is in need of updates, an updates icon will appear in the admin bar along with the number of updates pending. Click on it, and you’ll be able to update your core, plugins, and themes en masse.
  • Always apply WordPress core security patches immediately. Security fixes ship in minor releases, which you can identify by the third number in the version (4.7.3, for example; a minor release can also be a plain bug-fix release, so read the release notes). By default, WordPress applies minor releases automatically in the background, though it can’t when the web server isn’t able to write to its own files or when automatic updates have been switched off in wp-config.php. Many web hosts also make sure these updates are applied quickly and automatically.
  • Sign up for third-party updates. There are services such as those by ManageWP and iThemes that will email (or otherwise notify you) when you have plugins or other updates available for your site. This is especially helpful if you have multiple WordPress sites that you’re maintaining, each running a different plugin configuration. They’ll even apply the update for you with just a few clicks on a centralized dashboard.
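As an added example (not code from the original post), here is a must-use plugin that writes the update policy above down in code, so it does not depend on whoever happens to log in next. It uses WordPress core’s own filters for background updates; the file name, the function name, and the plugin slugs in the allow-list are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Must-use plugins load
 * on every request and cannot be deactivated from the admin screen.
 * The filter names are real WordPress core hooks; the plugin slugs below are
 * placeholders chosen for this example.
 */

// Keep applying minor (x.y.Z) core releases unattended; that is where
// security fixes ship. This is WordPress's default, restated so nobody
// can quietly turn it off somewhere else.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Never jump a major version (x.Y) unattended: take a backup first.
add_filter( 'allow_major_auto_core_updates', '__return_false' );

/**
 * Auto-update only plugins we have vetted. Everything else waits for a
 * human who has taken a backup and read the changelog.
 *
 * @param bool|null $update Core's own decision so far.
 * @param object    $item   Update offer; $item->slug is the plugin directory name.
 * @return bool|null
 */
function example_auto_update_vetted_plugins( $update, $item ) {
    $vetted = array( 'akismet', 'limit-login-attempts' ); // assumed slugs

    if ( isset( $item->slug ) && in_array( $item->slug, $vetted, true ) ) {
        return true;
    }
    return $update; // leave core's decision alone for everything else
}
add_filter( 'auto_update_plugin', 'example_auto_update_vetted_plugins', 10, 2 );

// A theme update can silently change the public front end, so leave those
// to a person who will look at the site afterwards.
add_filter( 'auto_update_theme', '__return_false' );
```

Background updates only run when WP-Cron fires and the web server can write to the WordPress files; setting DISALLOW_FILE_MODS or AUTOMATIC_UPDATER_DISABLED in wp-config.php switches them off entirely, so check those constants if updates you expected never happen.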

What Happens If My Updates Go Awry?

I can’t promise that it won’t happen. The vast majority of the time, updates go through without a hitch and no one visiting your site is any the wiser. But there have been, on a very few occasions, instances where updates haven’t gone so smoothly. Sometimes it’s because a popular plugin has been taken over by a new, somewhat unscrupulous developer who decided to insert some malicious code. Sometimes it’s a bug that wasn’t caught in testing, but your setup, unfortunately, has just the right combination of circumstances to manifest the problem. It’s unfortunate and thankfully rare, but not unheard of.

  • Back up early and often. You’ve been keeping backups anyway, right? Make sure you run them just before you apply updates to any plugin or theme, and especially WordPress core itself, so you can roll back quickly if there’s a problem.
  • Keep an eye on the chatter. Monitor Twitter, WordPress news blogs (WP Tavern is a popular one, and WordPress security companies keep their own as well), and keep an eye on the plugin’s support forums. If there’s a problem with a particular release, it’ll be discovered (and publicized) pretty quickly.

Other Things to Keep in Mind

A couple of suggestions on software that hark back to the security we talked about last week:

  • Get your plugins and themes from trusted sources. More often than not, security risks that could compromise your site come from the add-ons you install to enhance its functionality. For that reason, making sure you only install themes and plugins from reputable sources will go a long way in protecting yourself. The WordPress plugin and theme repositories are staffed by dedicated volunteers who pore over the code of newly submitted themes and plugins, looking for potential risks; keep in mind that later updates are not reviewed line by line the same way, so the developer’s track record still matters. You can also download premium (that is, you have to pay for them) plugins and themes from a number of reputable businesses, but be careful; not all premium theme and plugin shops are alike. Some of them are just clearinghouses for individual developers, with little or no oversight for code quality, and what you end up paying for could be sketchy at best, malicious at worst. Instead, seek advice and recommendations from a trusted WordPress developer, who can set you on the path towards high-quality, secure purveyors of themes and plugins that you can trust and who offer regular security updates of their own.
  • Turn off code editing in the admin. WordPress allows site administrators to edit the source code of themes and plugins directly through the admin interface. The reasons for this are archaic and have never been very well explained to me. What we’re left with is that if a bad actor does manage to gain administrator-level privileges on your website, this feature lets them write arbitrary PHP to your server with a few clicks, which could cause a whole lot of damage. To turn it off, edit the wp-config.php file on your site and add this line above the “That’s all, stop editing!” comment:
    define( 'DISALLOW_FILE_EDIT', true );
    There is also a stricter setting, DISALLOW_FILE_MODS, that additionally blocks installing and updating plugins, themes, and core through the admin, including background automatic updates. Use it only if you apply updates some other way (through a deployment process, for example), because otherwise it will stop the very updates this post is about. If you need help, ask a developer or your hosting provider.

Keep Going

You’re backing up. Great! You’re monitoring your security. Awesome! You’re even making sure that all your core, themes, and plugins are kept up-to-date. Terrific! You’re done, right? Well, we’ve got one more thing. We’ll conclude our series next week when we look at uptime monitoring: what it is and why you need it.

Need Help?

Not everyone feels comfortable preparing their own taxes and that’s okay. Not everyone wants the headaches of making sure all their WordPress core, plugins, and themes stay up-to-date, and that’s okay too. Taupecat Studios can help. We offer monthly maintenance plans to take the tasks of backups, security monitoring, software updates, and uptime monitoring off of your plate so you can focus on your business. Get in touch and let us know how we can help.

Zen and the Art of Website Maintenance, Part 2: Security

Last week, we looked at why a solid backup strategy is so important to the health and well-being of your website. Just like a good homeowner’s insurance policy will restore your belongings and help you rebuild your house in case of theft or fire, backups will allow you to get up and running again as quickly as possible in case something catastrophic happens to your website.

Aside from a good insurance policy, you likely have an alarm system and smoke detectors to prevent problems from becoming severe in the first place. The same holds true for your website. There are a multitude of threats out there, and while it’s impossible to go through and present an exhaustive, comprehensive list of potential security vulnerabilities, this article will show you some of the most common risks and how to mitigate them.

Is WordPress Insecure?

Let’s take on one myth up front: the notion that WordPress is inherently less secure than other website platforms out there. This is simply not true. While admittedly WordPress has suffered some high-profile security vulnerabilities over its nearly fourteen-year existence, so have many systems. It’s the nature of computing. Any popular platform, from Windows to WordPress, is going to attract its fair share of hackers, crackers, and ne’er-do-wells. But there are steps you can take to keep those rogue players from mucking up your little corner of the interwebs.

Brute Force Attacks

Probably the number one type of attack I deal with in managing WordPress sites (and this is true for any content management system with a login page) is the brute force attack. This is an attack in which an attacker attempts to break into your system by trying a large number of username and password combinations until one works. Oftentimes these are not the efforts of a single individual banging away at potential credentials on his or her own, but rather a scripted attack that automates the attempts from a number of compromised systems around the globe, so blocking a single source address is rarely enough on its own. Here are some steps to take to prevent them from succeeding:

  • Always use a strong, gibberish password that you don’t use anywhere else. In recent releases, WordPress has helped with this by offering a strong password generator and displaying warnings against overly simplistic and commonly-guessed ones.
  • Never use the username “admin”. Once upon a time, “admin” was WordPress’ default suggestion for the first username that would go into the system. Attackers know this, and know that many, many sites out there still use it for their all-powerful administrator account, so they get to skip guessing the username and spend every attempt on the password alone.
  • Use two-factor authentication. By requiring an extra step, typically a time-based one-time code from an app installed on your smartphone, it becomes impossible to log into your website’s admin with a username and password alone. Google Authenticator popularized this kind of code (the TOTP standard) across a number of online services, and there are WordPress plugins that support it as well. (I’ll have more to say about 2FA and WordPress in an upcoming post.)
  • Always put your admin behind HTTPS. I’ll get deep into HTTPS and its benefits another day, but trust me when I say you should definitely do this. While not strictly a brute force defense, any data sent over a plain HTTP connection is readable by anybody who happens to be listening to that traffic. In other words, if you log into your WordPress site over an insecure HTTP URL, your password and the login cookie that follows it travel over publicly-accessible wires in plain text. Not good. Once your certificate is in place, setting FORCE_SSL_ADMIN to true in wp-config.php makes WordPress serve the login page and the entire admin over HTTPS only.
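The lockout behaviour that the bullets above describe, written out as a small must-use plugin. This is an added example, not code from the post and not the Limit Login Attempts plugin mentioned further down; it uses core’s authenticate and wp_login_failed hooks and the transient API, which are real WordPress APIs. The threshold, the lockout window, the file name and the function names are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Login throttle (added example)
 *
 * Save as wp-content/mu-plugins/login-throttle.php. Counts failed logins per
 * client address in a transient and refuses further attempts from that
 * address for a cooling-off period once the threshold is reached.
 * Hook names, transient functions and MINUTE_IN_SECONDS are WordPress core;
 * the numbers below are assumptions for this example.
 */

define( 'EXAMPLE_LOGIN_MAX_FAILURES', 5 );                    // attempts allowed per window
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );      // lockout length

/**
 * Identify the client. REMOTE_ADDR is the one address the attacker cannot
 * simply set in a header; X-Forwarded-For is attacker-controlled unless a
 * trusted proxy overwrites it, so it is deliberately not consulted here.
 */
function example_login_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function example_login_transient_key() {
    return 'example_login_fail_' . md5( example_login_client_ip() );
}

/**
 * Record a failure. set_transient() restarts the expiry each time, so the
 * window slides: a client that keeps hammering stays locked out.
 */
function example_login_record_failure( $username ) {
    $key   = example_login_transient_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, EXAMPLE_LOGIN_WINDOW );
    error_log( sprintf( 'login failed for "%s" from %s (%d/%d)',
        $username, example_login_client_ip(), $fails, EXAMPLE_LOGIN_MAX_FAILURES ) );
}
add_action( 'wp_login_failed', 'example_login_record_failure' );

/**
 * Refuse authentication while the client is locked out. Priority 30 runs
 * after core's own username/password handlers (priority 20), so a locked-out
 * client gets the same error whether or not it finally guessed the password.
 * A refused attempt still fires wp_login_failed, which extends the lockout.
 */
function example_login_throttle( $user, $username, $password ) {
    $fails = (int) get_transient( example_login_transient_key() );
    if ( $fails >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'example_login_throttle', 30, 3 );

/** A successful login from a client clears its counter. */
function example_login_clear( $user_login, $user ) {
    delete_transient( example_login_transient_key() );
}
add_action( 'wp_login', 'example_login_clear', 10, 2 );
```

Because the check sits in the authenticate filter, it also covers logins that arrive through xmlrpc.php, a favourite brute force path because the system.multicall method lets one request carry many password guesses; if you don’t use XML-RPC at all, returning false from the xmlrpc_enabled filter disables its authenticated methods outright. If your site sits behind a load balancer or CDN, REMOTE_ADDR will be the proxy’s address and every visitor will share one counter; in that setup derive the key from the header your proxy sets, and only that header.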

Attacks Through Compromised Code

Software is only as secure as its code. Vulnerabilities lurk in poorly-coded themes and plugins, and sometimes even in core itself. Most of the time these flaws weren’t put there on purpose; quite the contrary. But once a vulnerability is discovered, word spreads immediately and the bad guys get to work, often before a fix exists. That window, when the developer has had “zero days” to patch the hole, is what the term zero-day exploit refers to.

This is where vigilance is especially important. There are a number of WordPress security services out there that send out newsletters when important vulnerabilities are discovered. Sucuri is one of my favorites, but some other popular ones include iThemes and Wordfence. Subscribe to their blogs or follow them on Twitter to be kept up-to-date on the latest happenings in WordPress security. We’ll dive deeper into keeping your software updated in a later post in this series, but monitoring when your plugins and core need to be updated should be part of any comprehensive security monitoring program.

Install a Good Security Monitoring Plugin (or Two, or Three…)

I already talked about Sucuri, iThemes, and Wordfence; all three of those services offer free plugins on the WordPress plugin repository that let you monitor the security of your site without requiring a monthly subscription fee. These plugins will offer recommendations on how to “harden” your website; that is, easy steps you can take to make your WordPress a less vulnerable target. They will also log login attempts, and notify you if they suspect a brute force attack is in the works. All three of those services also offer paid services that include firewalls and other advanced security features. Compare their plans and find the one that matches your needs with your price point, but keep in mind: a good security service is worth its price the first time it saves your website after a hack.

Screenshot of Sucuri Scanner administration.
Sucuri Scanner comes with site hardening recommendations, activity notifications, and other features to help keep your WordPress site secure.

There are a number of other plugins you can install that will help you monitor what’s going on with your site when you’re not looking. Limit Login Attempts is an extremely popular plugin that will block login access to your website after a few failed attempts from the same IP address in a short time frame (the threshold is configurable). Such patterns of failed attempts are classic signs that your site is under a brute force attack. (The WordPress plugin repository warns that this plugin hasn’t been updated in over two years, but it’s okay to go ahead and install it anyway. Do keep in mind that an unmaintained plugin is itself a risk, so if one of the security plugins above already offers login lockout, you may prefer to use that instead.)

Security in an Insecure World

Forewarned is forearmed, and the recommendations in this post are just the tip of the iceberg in securing your WordPress website. In my next post, we’ll look at the best way to manage core, plugin, and theme updates: a vital step in keeping your WordPress site secure and healthy.

Need Help?

Just like most people call in an expert to install their home security system, you don’t have to maintain your WordPress website all on your own. Taupecat Studios can help. We offer monthly maintenance plans to take the tasks of backups, security monitoring, software updates, and uptime monitoring off of your plate so you can focus on your business. Get in touch and let us know how we can help.


Zen and the Art of Website Maintenance, Part 1: Backups

Websites are not “set it and forget it” affairs. You need to put in a little effort in order to keep your web presence humming along like a well-oiled machine. Just like you take your car to get its regular, 3,000 mile maintenance to keep it running smoothly, websites require a number of maintenance tasks—performed on a regular basis—to keep them running strong and contributing to your business’ bottom line.

In this blog series, I’ll show you all of the maintenance tasks that are necessary to help prevent disaster from striking, and to help you recover as quickly as possible if disaster does strike. Taken together, these steps will give you peace of mind that your website will be able to weather any storm that comes along. They may not help you achieve a feeling of inner calm, but they can take one source of worry off your plate.

Why Back Up?

Just like your car comes with a spare tire in case of a blowout along the highway, you need to have a spare copy of your website available. There are a myriad of reasons you might need to restore your website from a backup quickly: your web hosting provider suddenly goes under; your site gets defaced by an external attack; a corrupted database chews up your data. When disaster strikes, a good backup can be the difference between getting your website back online in a matter of minutes, or a matter of days.

What to Back Up

A WordPress site is made up of three major components: the files that make up the core WordPress platform, themes, and plugins; the files that are uploaded into the media library; and the database where the content and settings are stored. The core software, themes, and plugins are likely easily recovered from their sources—either from the WordPress.org repository or your developer who has kept any custom work in a revision control system like Git. But the other two pieces—the database and media uploads—are not so easily recovered.

A good backup solution will take a snapshot of your database and media files on a daily basis, and a complete end-to-end backup of every file in your website on a weekly basis. A number of popular WordPress solutions exist which will perform these backups and allow you to download them to an on-premises hard drive. For an extra measure of safety, many will even store the backups directly to a cloud service like Dropbox, Google Drive, or Amazon Web Services to protect you from theft, fire, or other physical threats that come with storing your backups on-premises.

Backup Validity

But backing up is only half the battle. You need to make sure your backups are valid; that is, that they are saving what you need them to save, and that you can actually restore from them if (and when) you need to. For that, periodic testing of your backup system is a good idea: restore a recent backup to a staging copy of the site and check that the content, media, and settings are all there, because you don’t want to discover after a problem that your backups aren’t adequate to restore your site in a timely manner.

Lastly, you want to keep your backups for a period of time, and rotate through them at prescribed intervals. That way, if you discover that your website has been hacked, you can go back and find the last clean copy from before the attack occurred. Often, security violations aren’t discovered until long after they have occurred (more on that in a later post), so having only one round of backups at any given time means that whatever malicious code was used to compromise your website may still be lurking in your backups, ready to strike again after you restore your data.
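An added example, not code from the post, of the two checks above as plain PHP that runs from a command line: a grandfather-father-son retention policy that decides which dated backups to keep, and a cheap sanity check that a database dump actually contains the core WordPress tables before you trust it. The retention numbers, the reference date, the sample backup dates and the truncated sample dump are all constructed for the example; the table list is the set WordPress creates on a fresh install.

```php
<?php
/**
 * Backup retention and restore-readiness checks (added example).
 * Run with: php backup-check.php
 * Assumes one backup per day, named by date; everything below is sample data.
 */

/**
 * Grandfather-father-son retention: keep every backup for $daily days, then
 * the newest backup of each ISO week for $weekly weeks, then the newest of
 * each calendar month for $monthly months. Returns [date => reason] for the
 * backups to keep; any date not in the result can be pruned.
 */
function backups_to_keep( array $dates, DateTimeImmutable $now,
                          int $daily = 7, int $weekly = 4, int $monthly = 12 ): array {
    rsort( $dates ); // newest first, so the first hit in a bucket is its newest backup
    $keep = $weeks = $months = array();
    $month_floor = $now->modify( "-{$monthly} months" );

    foreach ( $dates as $date ) {
        $d     = new DateTimeImmutable( $date );
        $age   = $d->diff( $now )->days;
        $week  = $d->format( 'o-W' ); // ISO year and week
        $month = $d->format( 'Y-m' );

        if ( $age < $daily ) {
            $keep[ $date ] = 'daily';
        } elseif ( $age < $weekly * 7 && empty( $weeks[ $week ] ) ) {
            $keep[ $date ] = 'weekly';
        } elseif ( $d >= $month_floor && empty( $months[ $month ] ) ) {
            $keep[ $date ] = 'monthly';
        } else {
            continue; // older than the policy, or its bucket is already covered
        }
        $weeks[ $week ] = $months[ $month ] = true;
    }
    return $keep;
}

/**
 * A dump that stops half way through, or that came from the wrong database,
 * restores without error and leaves you with a broken site. Check that every
 * core table for the configured prefix is created in it.
 */
function missing_core_tables( string $sql, string $prefix = 'wp_' ): array {
    $core = array( 'options', 'posts', 'postmeta', 'users', 'usermeta', 'terms',
        'termmeta', 'term_taxonomy', 'term_relationships', 'comments',
        'commentmeta', 'links' );
    $missing = array();
    foreach ( $core as $table ) {
        $pattern = '/CREATE TABLE\s+(?:IF NOT EXISTS\s+)?`?'
                 . preg_quote( $prefix . $table, '/' ) . '`?\s*\(/i';
        if ( ! preg_match( $pattern, $sql ) ) {
            $missing[] = $prefix . $table;
        }
    }
    return $missing;
}

// --- constructed sample data, not from a real site ---------------------------
$now   = new DateTimeImmutable( '2017-04-01' ); // assumed "today"
$dates = array();
for ( $i = 0; $i < 120; $i++ ) {               // 120 consecutive daily backups
    $dates[] = $now->modify( "-{$i} days" )->format( 'Y-m-d' );
}
$keep = backups_to_keep( $dates, $now );
printf( "keeping %d of %d backups: %s\n", count( $keep ), count( $dates ),
    json_encode( array_count_values( $keep ) ) );

$truncated_dump = "CREATE TABLE `wp_options` (\n  `option_id` bigint(20) unsigned NOT NULL\n);\n"
                . "CREATE TABLE `wp_posts` (\n  `ID` bigint(20) unsigned NOT NULL\n);\n";
$missing = missing_core_tables( $truncated_dump );
echo $missing
    ? 'dump is NOT restorable, missing: ' . implode( ', ', $missing ) . "\n"
    : "dump contains all core tables\n";
```

The retention function only decides what to delete; wire it to your real storage with care, and run the table check against every dump before it is rotated out of the daily tier, since that is the copy you will reach for first.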

Beyond the Backup

In the next post in this series, we’ll look into possible security risks your WordPress site can be exposed to, and how to defend against them.

Need Help?

Just like most people don’t change their own oil, you don’t have to maintain your WordPress website all on your own. Taupecat Studios can help. We offer monthly maintenance plans to take the tasks of backups, security monitoring, software updates, and uptime monitoring off of your plate so you can focus on your business. Get in touch and let us know how we can help.


Women in Tech Summit DC Round Up

Last week I attended the second annual Women in Tech Summit DC at the Washington Post Live facility. It was an incredible event full of networking, insights, and encouragement for women in DC’s terrific tech community. Being in a room with over two hundred other women in technology, like-minded yet from all different experiences and backgrounds, was an incredible experience.

Listening to such amazing speakers as Kelly Hoey and Elizabeth Lindsey, as well as a variety of panels on topics like being a woman tech entrepreneur (certainly timely for me) and staying a woman in tech, gave me a lot of pearls of wisdom to digest as I reinvigorate my career as a brand-new agency owner. Here are a few of the best to share:

Kelly Hoey, Keynote Speaker and author of Build Your Dream Network

Networking consists of activity, relationships, and a starting point. It’s not just handing out business cards at a cocktail party; networking is “every single human interaction.”

Tiny micro-actions lead to big outcomes.

Your networking should be amphibious, consisting of both online and offline activity.

You need to be on social media, because even if you’re not on social media, you can’t make assumptions on where people are aggregating.

Especially when you’re trying to build your reputation as a technology expert, being quoted by traditional media is hugely powerful. Think to yourself, are you sharing your point of view?

Also, be sure to personalize your LinkedIn connection requests. Do the work for the people you’re trying to make connections with by reminding them where you met.

Think of what your goal is. What are you trying to achieve, and who are the people who can help you?

Finally, own your accomplishments. If you’ve done it, own it, and if someone compliments you on it, say “Thank you.” This is something I’ve heard before and taken to heart. So many times, women try and deflect credit for the things they’ve achieved, saying it wasn’t a big deal or they didn’t have a big part in it. But even if you were a part of the team, take credit for that work, along with passing credit to your teammates.

Staying a Woman in Tech and Tips, Tricks & Insights to Build Your Identity as a Technical Leader

These were great discussions with a few key pieces of advice:

Make yourself the technologist you want the industry to be. Awesome sentiment.

Every ninety days, do a passion check; check the pulse of your career and make sure you’re still on the path of doing what you love.

Ideas, Money, People: What We Learned as Female Entrepreneurs

One problem I have with the tech industry today is that entrepreneurship seems to be all about products, and not so much about agencies like the one I’ve started. Nevertheless, there were lessons to be learned here as well:

“More than the idea, people believe and support you.”

“Life unfolds in accordance with your bravery.”

“If you see a need, fill a need.”

Elizabeth Lindsey, Keynote Speaker

The final speaker was Elizabeth Lindsey of ByteBack, who showed a statistic that others had pointed out earlier in the day. Men apply for jobs when they have 60% of the qualifications; women apply when they have 100%. That says a lot about women and their confidence in finding work in the technology world. This is an eye-opener, but I see it in myself in the positions I’ve applied to throughout my career.

She also quoted Mindy Kaling: “Work hard, know your shit, show your shit, and then feel entitled.” This comes back to something I’ve said in the past, own what you know. Don’t be afraid to take ownership of the things that you’re an expert on.

What have you accomplished? Get loud and proud.

Work in places who accept us for who we are.

These are the kinds of lessons I want to bring into Taupecat Studios. As I work to get this small agency off the ground, I’ll be looking for those opportunities to support the people I know are passionate about what they do, who can take ownership of their skills, and who will contribute to a shared goal. And all the while, I’ll know that there’s a great tech community, of both men and women, who’ll have my back along the way.

Hello, World

Welcome to Taupecat Studios, the brand-new digital agency with a long history of success.

I’m Tracy Rotton, Founder and Principal. With over twenty years of web development experience under my belt, I felt the time was right to branch out on my own as an independent developer. So I started Taupecat Studios to bring my expertise to a new audience. We’re a small operation right now, but we have big plans for the future.

In the meantime, let us know what you need. Are you an agency, looking for help to crunch out a tight deadline? A small business looking for someone to make sure their WordPress website gets the care it deserves? Or are you looking for the whole package: an end-to-end digital marketing solution, but don’t know where to begin?

We can help. Think of us as the Winston Wolfe for your website: We solve problems. What can we solve for you?

(And if you want to get to know a little more about me, you can head over to my personal site and take a peek at my past experience.)