Backups – The Forgotten Website Security Pillar
I travel a lot (a lot might actually be an understatement these days), but the travel always revolves around a couple common threads – namely website security education and awareness. In these travels, regardless of the community I am engaging with, there are always common questions like, “How important is it to proactively protect my environment,” or, “How can I fix my environment after it’s been hacked?” Of course, those are really important questions, and as the CEO of a company that meets those needs, I’m more than happy to answer those big questions. But as I’ve traveled the country and answered those questions, I’ve noticed a fundamental lack of understanding of a more basic security need: backups, specifically how backups fit into the security spectrum.
It’s very easy to get bogged down in the minutiae that makes up your website’s security, but as with everything, having a great foundation will provide the security required when everything else fails.
Backups – Your Safety Net!!
Everyone has a car (metaphorically speaking) and every car has a spare tire. Those spare tires are often nothing more than an adornment you’ve forgotten about, hidden in some obscure cavity of your trunk or strapped to the under belly of your vehicle. That tire allows you to operate freely and drive without fear, knowing that when all hell breaks loose—like when that nail causes a slow leak or your tire blows out– you will have a safety net that allows you to get to your destination.
Think of backups the same way! They are your safety net for when it rains and you have no umbrella.
Having all the tools in place to protect your website from hackers or to detect if a hacker has gained entry will do you very little good if the attacker creates a worst-case scenario by doing any of the following:
1. Overwrites your files
2. Runs rm –rf
3. Right clicks and presses Delete
Not even companies like my own have devised a way to undo the worst-case scenario. Once the files are overwritten, or deleted, there is no going back. This was the case in this past week’s giant cluster of an issue.
Backups aren’t meant as your sole security measure and there are a lot of reasons for it. The first and most simple reason is that a backup simply reverts your site content back to what it was like whenever you last made a backup, meaning that any content uploaded in the meantime will be lost. Second, it doesn’t fix the problem or keep you from getting reinfected (sometimes in minutes). Of course, that’s why we’ll always recommend proactively protecting your website so that you don’t get hacked in the first place.
With all of that said, a backup still serves a hugely important function. When all else fails or everything is broken, it gives you your site back. Here are the requirements I’d have when looking for a backup for my own sites.
- Look for a service based backup solution. There are many backup solutions that are tools that will allow you to back your files to a desired location. This will work for some, but won’t for others. The reality is many of you give very little thought to space and will often leverage existing space (i.e., your web server) to save the backups. It’s important to know that this defeats the purpose of the backup because the first thing an attacker will delete when they log into your environment are those little zip files that read: backup_xxxx.zip
- If you prefer a backup tool, great, but try using a third-party provider (i.e., Dropbox, box…) that allows you to keep the backups in a safe, remote location.
- Keep in mind the frequency of your backups. If you generate a lot of content, then create a backup schedule that matches that need, or you will run the risk of losing the content. If you update less frequently, then just ratchet the cadence of your backups down.
- If you run some of the more popular CMS applications like WordPress, Joomla, Drupal or the like, then consider backing up only key files (i.e., themes, plugins, extensions, etc…). Often backing up core directories like wp-admin, wp-includes, administrator, includes, and others will be unnecessary. All CMS applications are different, so consult your development staff as they might have made core configurations that could cause issues if not backed up.
- If you use premium themes, templates, extensions, plugins, or the like, then keep a fresh copy backed up in a safe location. This is very different than the normal backups discussed above. This is just a clean copy of the original install; you never know when you’ll need it. Trust me when I say that your security and development team will thank you.
Many of these items might appear to be common sense, and many are, but we continuously harp on them. We do that because it’s easier than ever for people to create a website, but oftentimes they do so not knowing the security basics that can save them when the worst happens. If you’re a client, backups are available on your dashboard. If you have any questions, we’ll be happy to assist.
If you’re not a client, inquire within your respective community. There are various sources that will make backups available to you at a low cost. The first source to check is your host. Many will offer you, at a minimum, 24-hour backup service. It’s not ideal, but again, life rafts never are. You just know that when all goes wrong, you’ll be really happy that you have the life raft.