

Demystifying DNS

DNS—or Domain Name System—is one of those geeky terms that usually flies above the heads of people who aren’t entrenched in the world of websites and the Internet. Mostly because, for the most part, it’s invisible. It’s one of those crucial pieces of Internet infrastructure that usually just works without you noticing it, let alone thinking about it. But when it doesn’t work, bad things happen, or rather, good things don’t happen, like people finding your website. And if you’re about ready to launch your brand-new website, chances are you’ll have to make some DNS changes in order to get things working.

[Image: DNS error screen. Caption: “Oops.”]

To explain how DNS works, I’m going to use an increasingly antiquated metaphor: that of a phone book. Just like you have a name, if people want to reach you (by telephone, that is), they need to know your telephone number. Just dialing your name into the phone doesn’t work. When I was a kid, we found out this information by using a telephone book: I would look up the name of my friend, and the book provided the number I could use to call her.

[Image: Mr. Burns dialing "SMITHERS" on the telephone. Caption: “This won’t work.”]

DNS works in much the same way. Every website you want to visit has a name, but behind that name is one or more numbers that are the true location of where that name leads to. These numbers are called IP (Internet protocol) addresses, and consist of four groups of numbers that range from 0 to 255 and are separated by dots. (That’s IPv4, the most common standard. There’s also IPv6, but let’s ignore that today.)

So let’s go back to our phone book analogy. Looking up my friend’s phone number was easy since we lived in the same town. But what if I needed to look up somebody who lived in another state? Chances are, I didn’t have that phone book just lying around. I’d either have to call information, or go to the library and hope they had a copy of the appropriate book. And how did the library have it? By sending away to various cities to get them.

And that’s a bit how DNS works, too. For each name on the Internet there is one place, called the “name server,” that holds the key numbers behind that name. Who the name server is for a particular URL is so important that it’s provided along with other basic information such as the URL’s owner and registration service (or registrar). But then that information propagates to Internet providers (your Verizons, your Comcasts, your Time Warners, etc.) all around the world. Any time there’s a change, the change has to work its way throughout the Internet in a process that can take as little as one hour or as long as five days.

Time to Live

Why the difference in time? Along with the information regarding what URL has what number, the name server also tells other servers around the world how often to check back for new information. This is called the “Time to Live” (or TTL), and the shorter the TTL, the more frequently Internet providers and other servers check back to see if any information has changed.

So when you’re getting ready to launch a website and know you’re going to need to change the DNS, you need to do some planning ahead of time. You can usually change the TTL to something shorter than the default, and so it’s best to do so at least a week ahead of time. Then, when you’re ready to launch, make the change, and once the change has made its way throughout the Internet, you can change it back to the longer TTL value.
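As an added example (not from the original post), this Python snippet parses a constructed DNS response the way a resolver does, pulling each A record’s IP address and the TTL field that says how long it may be cached, and lays out the TTL-lowering timeline described above. The packet bytes and the 192.0.2.x addresses are constructed for illustration; the field layout follows RFC 1035.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass


@dataclass
class ARecord:
    name: str
    ttl: int       # seconds a resolver may keep this answer cached
    address: str


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def read_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name at `offset` (RFC 1035 section 4.1.4).
    Returns (name, offset just after the name as it appears in the packet)."""
    labels: list[str] = []
    end = None          # where the name ends at its *original* position
    hops = 0
    while True:
        if offset >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[offset]
        if (length & 0xC0) == 0xC0:          # two high bits set: compression pointer
            hops += 1
            if hops > 16:                    # a crafted packet can make pointers loop
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:                      # root label terminates the name
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_a_records(packet: bytes) -> list[ARecord]:
    """Walk header, question and answer sections; return the A records with their TTLs."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    _id, flags, qdcount, ancount, _nscount, _arcount = struct.unpack_from("!6H", packet, 0)
    if not (flags & 0x8000):
        raise ValueError("packet is a query, not a response")
    offset = 12
    for _ in range(qdcount):                 # skip the question section
        _, offset = read_name(packet, offset)
        offset += 4                          # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = read_name(packet, offset)
        rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record, class IN
            records.append(ARecord(name, ttl, ".".join(str(b) for b in rdata)))
    return records


def cutover_plan(old_ttl: int, new_ttl: int, cutover: int) -> dict[str, int]:
    """Timeline (Unix seconds) for the TTL-lowering procedure from the post.
    Resolvers that honour TTLs only refresh once the cached record expires."""
    return {
        "lower_ttl_by": cutover - old_ttl,        # every cache has seen the short TTL by cutover
        "old_answer_gone_by": cutover + new_ttl,  # last short-TTL copy of the old IP expires
        "restore_ttl_after": cutover + new_ttl,   # safe to raise the TTL again
    }


# Constructed response for www.example.com: two A records (RFC 5737 documentation
# addresses) with a 300-second TTL. The answer names use a pointer to offset 12,
# where the question name starts, exactly as real servers compress them.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 20])
)

if __name__ == "__main__":
    for record in parse_a_records(SAMPLE_RESPONSE):
        print(record)
    print(cutover_plan(old_ttl=86400, new_ttl=300, cutover=1_700_000_000))
```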

Changing the DNS Information

How do you change the DNS? Good question, but there’s no one answer. Often, you manage DNS settings on the same site where you registered your URL. But sometimes, it’s with your web host, which could be the same provider or a different one. Sometimes the interface to update your DNS is very simple, but the provider will try to upsell you on a bunch of stuff you don’t need. Other services have complex interfaces that you practically need a computer science degree to edit. In short, if DNS changes are required to launch your site, it’s best to have a professional handle it.


Hopefully I’ve been able to shed a little light on DNS. If you have more questions on this, or on how other parts of the Internet work together, let me know in the comments or send me feedback!


Hello, Fall

It’s been a wild, crazy, and busy summer here at Taupecat Studios HQ. Which is why, aside from a launch announcement, there’s been precious little traffic on the blog in the past couple of months. But we do have a few things to share about our summer and what’s coming up this fall.

Say Good-bye to Our Intern

We were fortunate this summer to have the services of our intern, Sam, who helped us with content migration, quality control, and site building. (Maybe there was a little nepotism involved in hiring him; he is my son, after all. But hey, it’s not like I’m president of the United States…) Alas, he has to head back to school today, and will be too busy with his homework (hear that, kid?) to help me much more. But I do thank him for all his help over the summer!


WordCamp D.C.

One of the highlights of the summer, undoubtedly, was helping organize the first WordCamp D.C. We had a great turnout of 450 attendees and terrific local speakers along with top WordPress experts from across the country (and one from Europe!). For all those who attended or spoke, a heartfelt thanks, and we’re looking forward to doing this all again next year.

Upcoming WordCamps

D.C. chose to hold its first WordCamp in the middle of summer, but with the arrival of fall, WordCamp season along the East Coast is kicking into high gear. I’ll be speaking about the new CSS Grid specification at WordCamp Philadelphia—October 28-29—and attending WordCamp Rochester (NY) November 18. Other upcoming WordCamps in the region are:

And of course, the big one—WordCamp U.S.—will be in Nashville, Tennessee on December 1-2. We’ll be there (I’ve applied to speak and am waiting to hear back).


Looking Ahead to Fall

Now that fall is here, it’s time to get back into the groove. We’ve got some more great work lined up for fall, and I spent part of my summer vacation thinking about what kind of blog posts would be truly of value to you, our audience.

Got something you’re curious about? Confused about WordPress or web technology but didn’t know where to ask? Let me know, and I’ll consider it as a future blog post.

Until then, if you have a WordPress or website need, get in touch! Let’s solve your website problems together.


Taupecat Studios Hits a High Note with Virginia Opera

We are thrilled to announce the launch of the completely redesigned and reengineered Virginia Opera website. With our design partner, Jamin Hoyle of Branwellington & Cat, the new website boasts a clean, user-friendly, and responsive user interface, improved navigation, and the bold imagery of Cade Martin photography for the upcoming 2017 – 2018 season.

The previous website, built on Joomla!, was non-responsive and difficult for opera staff to maintain. It was in desperate need of a refresh, especially as season subscriptions neared going on sale. Jamin’s web designs built further upon the refreshed branding he started when putting together their brochure for the new season, which features Lucia di Lammermoor, Samson and Delilah, and other passionate operas. Incorporated into the theme of the website is this season’s tagline: “Love that is not madness is not love.”

The new website is also built on WordPress, the powerful and user-friendly content management system that powers an estimated 28% of the world wide web. The site is hosted on Pantheon.

Virginia Opera is our first major-client launch since we started Taupecat Studios this past March, and we’re so excited to help them bring this project to life. With performances in Norfolk, Richmond, and Fairfax, as well as opera education programs throughout the commonwealth, we’re glad to help them bring the beauty and passion of opera to all Virginians.


Visit the brand-new Virginia Opera website at https://vaopera.org. Season subscriptions are on sale now.


Have a project that you’re passionate about, but need some help getting it to the web? Contact us, and let us know how we can help!


Taupecat Studios Is Sponsoring WordCamp D.C.!

Taupecat Studios is proud to announce that we are a micro-sponsor of the first ever WordCamp D.C., running from July 14 through 16, 2017 at the Carnegie Library in downtown Washington, D.C.

WordCamps are great community-led conferences that focus on any and all things WordPress. Bringing together the top minds about a platform that powers more than a quarter of the Internet, WordCamp D.C. will be three days of intense content on development, design, content marketing, search engine optimization, and more.

Personally, I’m super-excited that this event is finally happening, and happy to be on the organizing team making the whole thing come together. We have an incredible line up of top-notch speakers coming to this event, both locally and from around the U.S. and Europe.

Tickets are only $60 and are now available. The only way we can make tickets so incredibly inexpensive is through the enormous generosity of sponsors, and to that end, we are still seeking a few more to help make this event the best it can possibly be.

I hope you’re looking forward to this event as much as I am, and I hope to see you at the Carnegie Library in July!

About WordCamp D.C.

For more information about WordCamp D.C., visit their website or follow them on Twitter.

What to Know About WannaCry

You’ve probably heard news reports about “WannaCry,” the near-global ransomware attack on computer systems that holds your data hostage until you pay the attacker $300 in bitcoins. And you’re probably wondering if you should be concerned about your digital life.

Everyone should be concerned about computer safety all the time. Bad actors from criminals to anarchists and even rogue governments are always out there, looking for new ways to exploit technology for financial or political gain. The latest reports have linked WannaCry to a shadowy operation run by North Korean agents.

How Did the WannaCry Attack Happen?

WannaCry uses an exploit in older versions of Microsoft Windows that was discovered by the National Security Agency but about which the NSA did nothing to notify Microsoft. When exploits are discovered by non-governmental organizations, it’s customary for the discoverers to notify the software developer and give them time to address the issue before it goes public. In those situations, a financial “reward” may or may not be offered.

However, it’s become clear that when governments discover serious exploits that could potentially make backdoors into encrypted computers available, they would rather hold onto that information than take any steps that could remediate the situation. But governments aren’t invulnerable to their own leaks and hacks, and this information ended up on WikiLeaks for all the world to see. The fact that the NSA knew about this vulnerability, did nothing to publicize or fix it, and it still found its way to the public only serves to validate Tim Cook’s opinion that “a backdoor for the good guys is a backdoor for the bad guys.”

Is My Website At Risk?

Potentially, but not likely. This particular exploit affects older versions of Microsoft Windows only. While there are still hundreds of thousands (if not millions) of such computer systems out there around the world (including the U.S.), they are not the typical configuration for webservers, which more likely run a variation of the Unix operating system. However, a Windows system does have the capacity to run a WordPress site, and PHP files are just one of the targets of WannaCry’s encryption scheme.

If My Website Isn’t At Risk, Then Why Should I Care?

This incident is one of the most high-profile reminders yet of why it’s important to keep your software—all of it—up-to-date. I’ve written here already about the importance of keeping your WordPress core and plugins up-to-date, but I implore you to not neglect your everyday computers—including your smart phone. Previous attacks have targeted software that powers websites, and the next major website attack is undoubtedly lurking out there, ready to strike at any time.

Should You Go HTTPS?

Yes.

That was easy. But maybe I should elaborate a little…

Stories from the Real World

Two clients in as many months have come to me in a panic. Visitors to their sites were getting all kinds of scary warnings about malware infecting their computers transmitted from their sites. These warnings were actually bogus, meant to scare visitors coming to the sites into downloading something that was nefarious.

What was really going on? A “man-in-the-middle” attack, where malicious traffic was being “injected” into the connection between the visitor and the site, or more probably, between an unencrypted connection between a commonly-used library such as Google Analytics and the visitor. The solution in both cases was fairly simple: force the connections to Google Analytics and other third-party Internet libraries being used on the site to use the secure HTTPS protocol, instead of the insecure HTTP protocol.
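Here is an added example (mine, not the author’s) of the fix described above: a small Python scanner that lists the sub-resources a page loads over plain http:// and rewrites those URLs to https://. The HTML fragment and the cdn.example.net host are constructed; the ga.js URL is the form the legacy Google Analytics script took.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser fetch a sub-resource. A plain <a href>
# is a navigation, not a sub-resource, so it is deliberately absent: a link to an
# http:// site is not mixed content, a script or stylesheet fetched over http:// is.
FETCH_ATTRS = {
    ("script", "src"), ("link", "href"), ("img", "src"), ("iframe", "src"),
    ("source", "src"), ("video", "src"), ("audio", "src"), ("embed", "src"),
    ("object", "data"),
}


class InsecureResourceFinder(HTMLParser):
    """Collect every sub-resource URL that is fetched over plain http://."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []   # (tag, attr, url)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            # Scheme-relative URLs ("//cdn...") inherit the page's scheme and are fine
            # once the page itself is served over HTTPS, so only "http" is flagged.
            if (tag, attr) in FETCH_ATTRS and value \
                    and urlsplit(value.strip()).scheme.lower() == "http":
                self.findings.append((tag, attr, value))


def find_insecure_resources(html: str):
    parser = InsecureResourceFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def upgrade_to_https(html: str) -> str:
    """The remediation from the post: rewrite each insecure sub-resource URL to https://.
    Only the exact URL strings found above are replaced, so ordinary links stay as they are.
    Rewriting is only safe when the third-party host really serves that path over TLS."""
    for _tag, _attr, url in find_insecure_resources(html):
        secure = "https://" + url.strip()[len("http://"):]
        html = html.replace(url, secure)
    return html


# Constructed page fragment: a legacy Google Analytics snippet and a CDN script over
# plain http, a scheme-relative image, an https stylesheet and an ordinary link.
SAMPLE_HTML = """<html><head>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="http://cdn.example.net/jquery.js"></script>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
</head><body>
<img src="//cdn.example.net/logo.png" alt="logo">
<a href="http://example.com/partner">partner site</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_resources(SAMPLE_HTML):
        print(f"insecure <{tag} {attr}>: {url}")
    print(upgrade_to_https(SAMPLE_HTML))
```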

I’ve Said It Before…

I’ve written elsewhere in the past about how it’s a good idea for marketers from all corners to go HTTPS-only, and I’m going to beat that drum again here. In both of the above cases, my clients (whose problems affected their legacy sites) could have avoided trouble to begin with by ensuring that their sites were being served over HTTPS. How does that help?

HTTPS does a number of things, but the pertinent one here is that it ensures that the server you’re talking to is verified and not a bad player impersonating a legitimate server. This is why it’s so crucial for banks and other entities where valuable information is being transmitted to use HTTPS. But think of your website. Not only does a non-HTTPS server open itself to this kind of malicious activity, but it can leave your website vulnerable to other hacks.

In my Zen and the Art of Website Maintenance post concerning security a few weeks ago, I mentioned that hackers can monitor traffic that transmits plainly across the Internet, hunting for usernames and passwords. I’m going to reiterate my recommendation here: any system that requires a login, even your WordPress site, should be served over HTTPS in order to encrypt your login information.

Need More Reasons?

If protecting your website and its visitors isn’t motivation enough to go HTTPS, how about performance? HTTPS is a requirement to support the latest, fastest versions of the protocol that makes up the World Wide Web. Without it, your site’s performance will suffer, and so will your conversions.

Search rankings are another reason to go HTTPS, as Google uses sites served over a secure protocol as a factor in its website rankings. It’s only a small percentage of the formula, but why let possible Google juice go to waste?

You’ve Convinced Me, but Now What?

It used to be that going HTTPS was a costly, uber-technical process. While it still requires technical know-how to take advantage of the performance benefits HTTPS can provide, the monetary cost has dropped to zero. Let’s Encrypt, an initiative by the Internet Security Research Group, makes HTTPS free and readily available for everybody, large and small, profit and non-profit. There’s even a WordPress plugin to make the process as painless as possible.


Hopefully I’ve persuaded you that the time to go HTTPS is now, no matter what the nature of your website. Are you ready to make the switch, but need some guidance to get you there? We can help.

Zen and the Art of Website Maintenance, Part 4: Uptime

Backups? Check. Security? Check. Updates? Check. We’ve achieved website Zen, right?

Almost. How can we be sure that our site is healthy and running strong right now? Right. this. minute?

Uptime monitoring is the process by which an automated service continually checks to make sure our website is up and running, before a potential (and potentially lost) customer discovers it for herself. This last article in our Zen and the Art of Website Maintenance series is ostensibly about uptime, but in actuality, it’s about webhosting in general. How do you know what you need? And how can you tell if the hosting provider you’re considering is reliable?

Number 9… Number 9

There are a slew of webhosts out there, from cheap, few-bucks-a-month options to hundreds-per-month webhosting Goliaths. While different hosts offer different bells and whistles (which we’ll get into further on in this post), reliability is often a determining factor in choosing a host.

In webhosting circles, reliability is measured in terms of nines. How many nines a provider has indicates their reliability. If your website is up 99% of the time, then it’s down 3.65 days out of the year. Yuck. However, add a couple of nines onto that number so that you’re up 99.99% of the time, then your website will only be down, on average, less than one hour per year.

As WordPress expert Chris Lema once put it, there’s no such thing as 100% uptime, not at any price you’re willing to pay. So the price of your webhosting is going to be driven, ultimately, by how many nines you can afford. Many webhosts are willing to guarantee 99.9% uptime, and may in actuality achieve greater than that, but more nines will start to cost you.

If something seems too good to be true, it probably is, right? That’s as true for hosting as it is for anything else. Pay $4/month for a hosting provider, and you really have no room to complain when your site fails for minutes, or hours, at a time. If your business depends on your website being up and running, that’s serious trouble. And likely, your hosting provider won’t tell you when your site is actually down; you’ll have to find that out for yourself.

Kinds of Hosting

Shared server hosting is by far the most popular form of webhosting out there, especially amongst small businesses and personal bloggers. One webserver powers dozens or more independent websites, usually in an environment where the owners of those websites have no idea who else is on that host. Sound a little problematic? It can be. If one of your webhosting “neighbors” installs a resource-hungry plugin or leaves his site vulnerable to attack, your site might suffer the consequences in terms of a sluggish site or hacking attempt.

Virtual Private Servers (VPS) operate on a similar concept, but with a significant difference: one physical machine can house dozens of “virtual” machines, each sandboxed in such a way that one neighbor’s bad habits can’t affect the other neighbors’ sites. That’s because each virtual server is allocated its own share of resources that the others can’t touch. Usually, this option offers the best balance of economy and reliability.

Dedicated servers are what they sound like: you have your physical machine that houses only your site, and no one else’s. This is great for large ecommerce sites and other complex and high-volume web applications, but is usually overkill for small businesses, not to mention the most expensive option most webhosts offer.

Aside from those general, mostly structural categories of hosting, some webhosting providers offer different degrees of specialization in the types of websites they cater to. WordPress managed hosting, for instance, is a subset of hosting that is specifically geared towards (you guessed it) WordPress sites. They will often manage at least the core software, and may provide their own caching and/or backup mechanisms included in their plans. Compare these sites carefully, because different hosts will provide a different array of included services.

Lastly, there are boutique hosting providers out there that often provide hosting for a very particular specialty. While not as cheap as the mass market, bare bones providers, boutique hosts often can provide a level of personal service that The Big Guys™ can’t.

“Give Me a Ping, Vasily”

So we really came here to talk about uptime monitoring. Services like Jetpack and Pingdom will continually monitor your site to make sure it’s responding. These checks (also called “pings”) occur every few minutes, and usually originate from servers all over the world, in case a bad connection somewhere down the line causes a check to fail even though your website isn’t actually down. Once it’s determined that it is actually your website that is down, the service will notify you through a variety of possible means: email, text, push notification from an app, or even Twitter.

However, once you discover that your site is down, the onus is on you to work with your hosting provider to figure out why. Is it a failure of their equipment, or are you (or one of your shared hosting neighbors) the victim of a denial of service attack? Uptime monitoring only lets you know that there is a problem, not what that problem might be.

As with hosting, what you get will often depend on what you pay. Free services, such as Jetpack, will only ping your site once every five minutes, and will only notify you via email. Pingdom, on the other hand, will ping your site once per minute, and offers a greater choice in notification options. However, their service will cost you at least $100/year.

What Goes Up Should Stay Up

Let vigilance be your watch word. Just as you need to be sure you’re doing all the other things to keep your website working for you—backups, good security habits, upgrades—you should be monitoring your site’s availability at all times. At the very least, you want to know if your website is down before your customers do.


Need Help?

Have a website, but need someone to help you keep an eye on it? Taupecat Studios can help. We offer monthly maintenance plans to take the tasks of backups, security monitoring, software updates, and uptime monitoring off of your plate so you can focus on your business. Get in touch and let us know how we can help.

Zen and the Art of Website Maintenance, Part 3: Updates

Congratulations! If you’ve been following this series, then you’ve started a regularly-scheduled backup routine (with validation) and are monitoring your site for security threats. You’re probably feeling more Zen already. But we’re not done yet, grasshopper.

There are only three certainties in life: death, taxes, and software updates. Up-to-date software doesn’t stay that way by itself. It takes awareness and discipline to make sure your web software is kept in tip-top shape.

Why Should I Bother?

“But,” I can hear you say, “my site is working great right now! Why should I bother updating it all the time?” There are a couple of reasons to keep clicking that “Update Now” link:

  • New security risks are discovered. This is the No. 1 reason to make sure you’re updating your core and plugins. (We talked about the concept of a zero day exploit last week.) Fortunately, there are hundreds of volunteers in the WordPress community who are ready to patch and release the new code quickly.
  • “Under the hood” improvements. Sometimes, software is updated to take advantage of new features available in the underlying technology. While generally more true for things like your smart phone apps, this can also apply to your web software. For example, a theme might have new front-end code that takes advantage of modern browser capabilities. A complex plugin might work better when its updates are paired with the latest version of PHP (the server-side language upon which WordPress is built). WordPress is backwards-compatible (almost to a fault), but staying more up-to-date will improve performance all-around.

How Do I Keep Updated?

  • Check the “Updates” section of the admin. You can’t miss it, really. If your site is in need of updates, then an updates icon will appear in the admin bar along with the number of updates needed. Click on it, and you’ll be able to update your core, plugins, and themes en masse.
  • Always apply WordPress core security patches immediately. You can identify a security update because it will have a third number in its version number (4.7.3, for example). In most cases, WordPress will even apply this update automatically (although there are some cases where it isn’t able to). Also, many web hosts will make sure these updates are applied quickly and automatically as well.
  • Sign up for third-party updates. There are services such as those by ManageWP and iThemes that will email (or otherwise notify you) when you have plugins or other updates available for your site. This is especially helpful if you have multiple WordPress sites that you’re maintaining, each running a different plugin configuration. They’ll even apply the update for you with just a few clicks on a centralized dashboard.

What Happens If My Updates Go Awry?

I can’t promise that it won’t happen. The vast majority of the time, updates go through without a hitch and no one visiting your site is any the wiser. But there have been, on a very few occasions, instances where updates haven’t gone so smoothly. Sometimes it’s because a popular plugin has been taken over by a new, somewhat unscrupulous developer who decided to insert some malicious code. Sometimes, it’s a bug that wasn’t caught in testing, but your setup, unfortunately, has just the right combination of circumstances to manifest the problem. It’s unfortunate and thankfully rare, but not unheard of.

  • Back up early and often. You’ve been keeping backups anyway, right? Make sure you run them just before you apply updates to any plugin or theme, and especially WordPress core itself, so you can roll back quickly if there’s a problem.
  • Keep an eye on the chatter. Monitor Twitter, WordPress news blogs (WP Tavern is a popular one, and WordPress security companies keep their own as well), and keep an eye on the plugin’s support forums. If there’s a problem with a particular release, it’ll be discovered (and publicized) pretty quickly.

Other Things to Keep in Mind

A couple of suggestions on software that harken back to the security we talked about last week:

  • Get your plugins and themes from trusted sources. More often than not, security risks that could compromise your site come from the add-ons you install to enhance its functionality. For that reason, making sure you only install themes and plugins from reputable sources will go a long way in protecting yourself. The WordPress plugin and theme repositories are staffed by dedicated volunteers who pore through the code of submitted themes and plugins, looking for potential risks. You can also download premium (that is, you have to pay for them) plugins and themes from a number of reputable businesses, but be careful; not all premium theme and plugin shops are alike. Some of them are just clearinghouses for individual developers, with little or no oversight for code quality, and what you end up paying for could be sketchy at best, malicious at worst. Instead, seek advice and recommendations from a trusted WordPress developer, who can set you on the path towards high-quality, secure purveyors of themes and plugins that you can trust and who offer regular security updates of their own.
  • Turn off code editing in the admin. WordPress allows site administrators to edit the source code of themes and plugins directly through the admin interface. The reasons for this are archaic and have never been very well explained to me. What we’re left with is that if a bad player somehow does manage to gain administrator-level privileges on your website, this feature could cause a whole lot of damage. To turn it off, edit the wp-config.php file on your site and add the line:
    define( 'DISALLOW_FILE_EDIT', true );
    If you need help, ask a developer or your hosting provider.

Keep Going

You’re backing up. Great! You’re monitoring your security. Awesome! You’re even making sure that all your core, themes, and plugins are kept up-to-date. Terrific! You’re done, right? Well, we got one more thing. We’ll conclude our series next week when we look at uptime monitoring—what it is and why you need it.


Need Help?

Not everyone feels comfortable preparing their own taxes and that’s okay. Not everyone wants the headaches of making sure all their WordPress core, plugins, and themes stay up-to-date, and that’s okay too. Taupecat Studios can help. We offer monthly maintenance plans to take the tasks of backups, security monitoring, software updates, and uptime monitoring off of your plate so you can focus on your business. Get in touch and let us know how we can help.

Zen and the Art of Website Maintenance, Part 2: Security

Last week, we looked at why a solid backup strategy is so important to the health and well-being of your website. Just like a good homeowner’s insurance policy will restore your belongings and help you rebuild your house in case of theft or fire, backups will allow you to get up and running again as quickly as possible in case something catastrophic happens to your website.

Aside from a good insurance policy, you likely have an alarm system and smoke detectors to prevent problems from becoming severe in the first place. The same holds true for your website. There are a multitude of threats out there, and while it’s impossible to go through and present an exhaustive, comprehensive list of potential security vulnerabilities, this article will show you some of the most common risks and how to mitigate them.

Is WordPress Insecure?

Let’s take on one myth up front: the notion that WordPress is inherently less secure than other website platforms out there. This is simply not true. While admittedly, WordPress has suffered some high-profile security vulnerabilities over its nearly fourteen-year existence, so have many systems. It’s the nature of computing. Any popular platform, from Windows to WordPress, is going to attract its fair share of hackers, crackers, and ne’er-do-wells. But there are steps you can take to keep those rogue players from mucking up your little corner of the interwebs.

Brute Force Attacks

Probably the number one type of attack I deal with in managing WordPress sites (and this is true for all administration-based content management systems) is the brute force attack. This is an attack in which a hacker attempts to break into your system by trying a number of username and password combinations, attempting to gain access. Oftentimes these are not the efforts of a single individual, banging away at potential access credentials on his or her own, but rather a scripted attack that automates the attempts from a number of other compromised systems around the globe. Here are some steps to take to prevent them from succeeding:

  • Always use a strong, gibberish password that you don’t use anywhere else. In recent releases, WordPress has helped with this by offering a strong password generator and displaying warnings against overly simplistic and commonly-guessed ones.
  • Never use the username “admin”. Once upon a time, “admin” was WordPress’ default suggestion for the first username that would go into the system. Hackers know this, and know that there are many, many systems out there that still use this username as their all-powerful administrator account, figuring that their chances of success have improved by 50%.
  • Use two-factor authentication. By requiring an extra step, often using an app installed on your smartphone, it becomes impossible to log into your website’s admin by username and password alone. Google Authenticator has become the de facto standard for 2FA on a number of online services, and there is a plugin for WordPress that uses it as well. (I’ll have more to say about 2FA and WordPress in an upcoming post.)
  • Always put your admin behind HTTPS. I’ll get deep into HTTPS and its benefits another day, but trust me when I say you should definitely do this. While not strictly a brute force attack strategy, any data that is sent over a non-HTTPS connection is easily readable by anybody who happens to be listening to that traffic. In other words, if you log into your WordPress site over a non-secure HTTP URL, those keys to your administration are going over publicly-accessible wires in plain text. Not good.

Attacks Through Compromised Code

Software is only as secure as its code. Vulnerabilities lurk in poorly-coded themes and plugins, and sometimes even in core itself. Most of the time, these problems aren’t intended to allow hackers in; quite the contrary. But when they’re discovered, word immediately spreads of the vulnerabilities that were found, and the bad guys get to work. Hence the term zero-day exploit.

This is where vigilance is especially important. There are a number of WordPress security services out there that send out newsletters when important vulnerabilities are discovered. Sucuri is one of my favorites, but some other popular ones include iThemes and WordFence. Subscribe to their blogs or follow them on Twitter to be kept up to date on the latest happenings in WordPress security. We’ll dive deeper into keeping your software updated in a later post in this series, but monitoring when your plugins and core need to be updated should be part of any comprehensive security monitoring program.

Install a Good Security Monitoring Plugin (or Two, or Three…)

I already talked about Sucuri, iThemes, and WordFence; all three of those services offer free plugins on the WordPress plugin repository that let you monitor the security of your site without requiring a monthly subscription fee. These plugins will offer recommendations on how to “harden” your website; that is, easy steps you can take to make your WordPress a less vulnerable target. They will also log login attempts, and notify you if they suspect a brute force attack is in the works. All three of those services also offer paid services that include firewalls and other advanced security features. Compare their plans and find the one that matches your needs with your price point, but keep in mind: a good security service is worth its price in terms of saving your website after a hack.

Screenshot of Sucuri Scanner administration.
Sucuri Scanner comes with site hardening recommendations, activity notifications, and other features to help keep your WordPress site secure.

There are a number of other plugins you can install that will help you monitor what’s going on with your site when you’re not looking. Limit Login Attempts is an extremely popular plugin that will block out login access to your website after three failed attempts from a particular URL in a short time frame. Such patterns of failed attempts are classic signs that your site is under a brute force attack. (The WordPress plugin repository warns that this plugin hasn’t been updated in over two years, but it’s okay to go ahead and install it anyway.)
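To make the brute force pattern described above concrete, here is an added example (not code from the post or from the Limit Login Attempts plugin) that applies the same rule the plugin is described as using, flagging a client after three failed logins to wp-login.php within a short window. The log lines are constructed; the detection relies on the fact that wp-login.php re-renders the form with HTTP 200 on a failed login and redirects with 302 on success.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not from a real site).
# wp-login.php answers a failed login with HTTP 200 (it re-renders the form)
# and a successful one with a 302 redirect, so the status separates the two.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2017:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3114 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3114 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2017:08:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:08:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3114 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2017:08:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3114 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2017:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3114 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2017:09:30:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3114 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def is_failed_login(rec):
    ip, ts, method, path, status = rec
    return method == "POST" and path.startswith("/wp-login.php") and status == 200

def find_brute_force(log_text, threshold=3, window=timedelta(minutes=5)):
    """Map each offending IP to the time it first reached `threshold` failures in `window`."""
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not is_failed_login(rec):
            continue
        ip, ts = rec[0], rec[1]
        # Slide the window: drop failures older than `window` before counting this one.
        failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
        if len(failures[ip]) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

Running `find_brute_force(SAMPLE_LOG)` flags only 203.0.113.7; the two failures from 192.0.2.9 an hour and a half after its first one never accumulate three inside the window, which is the behaviour the "short time frame" condition is meant to give you.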

Security in an Insecure World

Forewarned is forearmed, and the recommendations in this post are just the tip of the iceberg in securing your WordPress website. In my next post, we’ll look at the best way to manage core, plugin, and theme updates: a vital step in keeping your WordPress site secure and healthy.


Need Help?

Just like most people call in an expert to install their home security system, you don’t have to maintain your WordPress website all on your own. Taupecat Studios can help. We offer monthly maintenance plans to take the tasks of backups, security monitoring, software updates, and uptime monitoring off of your plate so you can focus on your business. Get in touch and let us know how we can help.

Photograph of stacked stones in a rock garden

Zen and the Art of Website Maintenance, Part 1: Backups

Websites are not “set it and forget it” affairs. You need to put in a little effort in order to keep your web presence humming along like a well-oiled machine. Just like you take your car in for its regular 3,000-mile maintenance to keep it running smoothly, websites require a number of maintenance tasks—performed on a regular basis—to keep them running strong and contributing to your business’ bottom line.

In this blog series, I’ll show you all of the maintenance tasks that are necessary to help prevent disaster from striking, and to help you recover as quickly as possible if disaster does strike. Taken together, these steps will give you peace of mind that your website will be able to weather any storm that comes along. They may not help you achieve a feeling of inner calm, but they can take one source of worry off your plate.

Why Back Up?

Just like your car comes with a spare tire in case of a blowout along the highway, you need to have a spare copy of your website available. There are myriad reasons you might need to restore your website from a backup quickly: your web hosting provider suddenly goes under; your site gets defaced by an external attack; a corrupted database chews up your data. When disaster strikes, a good backup can be the difference between getting your website back online in a matter of minutes, or a matter of days.

What to Back Up

A WordPress site is made up of three major components: the files that make up the core WordPress platform, themes, and plugins; the files that are uploaded into the media library; and the database where the content and settings are stored. The core software, themes, and plugins are likely easily recovered from their sources—either from the WordPress.org repository or your developer who has kept any custom work in a revision control system like Git. But the other two pieces—the database and media uploads—are not so easily recovered.

A good backup solution will take a snapshot of your database and media files on a daily basis, and a complete end-to-end backup of every file in your website on a weekly basis. A number of popular WordPress solutions exist which will perform these backups and allow you to download them to an on-premises hard drive. For an extra measure of safety, many will even store the backups directly to a cloud service like Dropbox, Google Drive, or Amazon Web Services to protect you from theft, fire, or other physical threats that come with storing your backups on-premises.

Backup Validity

But backing up is only half the battle. You need to make sure your backups are valid—that is, your backups are saving what you need them to save, and that you can recover them if (and when) you need to. For that, periodic testing of your backup system is a good idea, because you don’t want to discover after a problem that your backups aren’t adequate to restore your site in a timely manner.
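One way to automate the validity check this paragraph asks for, as an added example that is not the post’s or any backup plugin’s code: it assumes the backup is a tar.gz holding a mysqldump file named db.sql plus the wp-content/uploads tree, and uses the "-- Dump completed" trailer that mysqldump writes at the end of a dump to catch a dump that was cut off mid-way. The archives and dumps below are constructed fixtures.

```python
import io
import tarfile

def _add(tar, name, data):
    """Append an in-memory file to the tar (used to build the constructed fixture)."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def make_backup(db_sql, uploads):
    """Build a tar.gz with db.sql plus wp-content/uploads/<path> entries (constructed fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add(tar, "db.sql", db_sql)
        for path, data in uploads.items():
            _add(tar, "wp-content/uploads/" + path, data)
    return buf.getvalue()

def check_backup(archive_bytes):
    """Return a list of problems; an empty list means the backup looks restorable."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        names = tar.getnames()
        if "db.sql" not in names:
            problems.append("database dump db.sql is missing")
        else:
            dump = tar.extractfile("db.sql").read()
            if not dump.strip():
                problems.append("database dump is empty")
            elif b"-- Dump completed" not in dump[-200:]:
                # mysqldump writes this trailer last; without it the dump was cut off.
                problems.append("database dump is truncated (no '-- Dump completed' trailer)")
            if b"wp_options" not in dump:
                # Assumes the default wp_ table prefix; site settings live in wp_options.
                problems.append("database dump has no wp_options table")
        uploads = [n for n in names if n.startswith("wp-content/uploads/")]
        if not uploads:
            problems.append("no media files under wp-content/uploads")
        problems += ["zero-byte upload: " + n for n in uploads if tar.getmember(n).size == 0]
    return problems

# Constructed dumps: a complete one and one cut off mid-statement.
GOOD_DUMP = (b"CREATE TABLE `wp_options` (`option_id` bigint(20));\n"
             b"INSERT INTO `wp_options` VALUES (1);\n"
             b"-- Dump completed on 2017-03-10  2:00:00\n")
TRUNCATED_DUMP = b"CREATE TABLE `wp_options` (`option_id` bigint(20));\nINSERT INTO `wp_opt"
```

A check like this catches the common silent failures (a dump that stopped when the database connection dropped, or a media directory that was never included), but it is no substitute for the periodic full restore to a staging site that the paragraph recommends.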

Lastly, you want to keep your backups for a period of time, and rotate through them at prescribed intervals. That way, if you discover that your website has been hacked, you can go back and find the last clean copy from before the attack occurred. Many times, security violations aren’t discovered until long after they have occurred (more on that in a later post), so having only one round of backups at any given time means that whatever malicious code was used to compromise your website may still be lurking in your backups, ready to strike again after you restore your data.
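The rotation scheme above can be expressed as a small retention policy; this is an added example, not the post’s or any plugin’s code, and the tiers (7 daily, 4 weekly, 3 monthly) are an assumed illustration rather than numbers from the post. The point is that the kept set always reaches back several weeks, so a compromise noticed late still has a clean copy to fall back on.

```python
from datetime import date, timedelta

def retention_keep(backup_dates, daily=7, weekly=4, monthly=3):
    """Return the sorted subset of backup_dates a grandfather-father-son policy keeps."""
    dates = sorted(set(backup_dates), reverse=True)   # newest first
    keep = set(dates[:daily])                          # daily tier: newest N backups

    def newest_per_period(key, limit):
        # Keep the newest backup from each of the `limit` most recent periods.
        seen = []
        for d in dates:
            period = key(d)
            if period not in seen:
                if len(seen) == limit:
                    break
                seen.append(period)
                keep.add(d)

    newest_per_period(lambda d: d.isocalendar()[:2], weekly)   # (iso_year, iso_week)
    newest_per_period(lambda d: (d.year, d.month), monthly)    # (year, month)
    return sorted(keep)

def prune_list(backup_dates, **policy):
    """Dates to delete: everything the policy does not keep."""
    kept = set(retention_keep(backup_dates, **policy))
    return sorted(d for d in set(backup_dates) if d not in kept)

# Constructed history: one backup per day from 2017-01-01 through 2017-03-10.
SAMPLE_DATES = [date(2017, 1, 1) + timedelta(days=i) for i in range(69)]
```

With the sample history, `retention_keep(SAMPLE_DATES)` keeps eleven backups: the last seven days, the last backup of each of the four most recent ISO weeks, and the last backup of January, February and March.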

Beyond the Backup

In the next post in this series, we’ll look into possible security risks your WordPress site can be exposed to, and how to defend against them.


Need Help?

Just like most people don’t change their own oil, you don’t have to maintain your WordPress website all on your own. Taupecat Studios can help. We offer monthly maintenance plans to take the tasks of backups, security monitoring, software updates, and uptime monitoring off of your plate so you can focus on your business. Get in touch and let us know how we can help.