I'm not a security expert…but I know one.
I'm not a black belt technical support specialist…but I have a couple on staff.
I'm not an expert in hosting technologies…but I have a team who are.
So what do I, the owner of a small hosting company like Niche Simple SEO Hosting, specialize in? Holding hands. Talking people off the ledge. Educating customers about why their busted WordPress template is not (in most cases) a hosting issue, but pilot error.
I specialize in negotiating the crocodile infested waters we call web hosting.
Truth is, I'm the guy with all the responsibility that comes with guarding hundreds of customers' business files on a multitude of servers. I'm the guy that monitors my hosting support desk on my iPhone app just so I can sleep a little better, because I know that 1000s of hackers are trying to bust down the firewall doors every day.
Luckily, we have our servers in a lock box. And I've got a team that stands in front of the lock box armed with all the combat tools required.
When I read posts on Regina's blog about web hosts being hacked, I really feel for them – the host that is. I assume that the sites are recoverable (we'll talk about that in a minute). But the web host is getting killed by the customers for having lousy security when it really is an uphill battle against hackers and…customers.
The reality is this:
A shared server is like a dangerous neighborhood. It's not safe to go there without weighing the risks.
Even dedicated servers can be hacked, but dozens – sometimes 100s – of customers who don't know FTP from LOL are loading up suspect files, old PHP scripts with proven security holes, and malicious trojans or key loggers without even knowing it.
Just let me say this: If you knew how often your servers were being attacked each day from hackers outside and customers already inside, you'd really worry about your online safety. So, the key is to do what you can to protect yourself.
You DO back up your files, right?
Before I started Niche Simple two years ago, backup was something other people talked about and I didn't do very frequently or well.
Now, I'm obsessed with it…so much so, that I have a dedicated server (yes, I have to pay for them too) that's specifically used to synch my personal backups.
But I don't stop with that. There's more:
1) Make sure your host is doing daily, weekly and monthly backups. I don't know how many times I called the tech guys and said, “Oops, I just deleted a directory…” only to have it restored from yesterday's backup within an hour or so. Usually, the easiest way to handle a hack quickly is to do a restore from the server backup.
2) Make sure you have a complete local backup. Your backup should replicate your server file structure. For example, if you have an HTML website, be sure that you work from your local copy and load the latest changes by synchronizing via FTP. I personally use Dreamweaver, but there are other tools. Your local copy always contains your latest changes.
3) Do site backups AND database backups. What if you had two years of daily blogging and the server hard drive died along with the dB backup? You could easily restore your site, but your content – remember that two years of content you created – is gone. And with it, the value of your blog. One trick I found was to create a specific e-mail account such as gmail, set your dB to back up daily and send it to the email account. Set your e-mail to delete all e-mail after 2 weeks and bingo, you've got a dB backup for the last two weeks available in case of an emergency.
4) Off site storage is a big part of backup strategy. I use two services for two different reasons.
SugarSync is just an awesome backup and synchronization utility. Install a little app on your computer and it will synch the directories and files you request to your sync account online. It's secure and easy. But the best part is that you can access all your files from any computer or iPhone as long as you have an internet connection. Get 2gb of storage for free and then upgrade if you need more. After I researched and tested it, I sprang for the 500gb premium package for $399 a year and now have my entire computer synchronized online. I love it.
The other service is the very popular Dropbox. I use it to communicate on an hourly basis with my outsourced teams. We share files and create shared workspaces. Dropbox is much better for shared working data, but not nearly as thorough and intuitive as SugarSync.
I find that both are essential.
5) And finally, external hard drives are a good last resort. Replicating everything on external hard drives is easy, but risky. When I lose data, it's because I rely on an external hard drive. I currently have 8 sitting on my shelf at home. Six of those are dead. All are less than 3 years old. That tells you how reliable they are – at least for me. But in a pinch, I'll add stuff to an external hard drive just to make sure I'm completely backed up.
What else can you do to protect yourself?
Clean house.
I'm terrible at this. That doesn't mean you should be too!
Delete copies of scripts you're not using, old programs, and anything else that's outlived its original purpose. Yes, it's tedious to sit in front of the computer and wade through each folder looking for old stuff. But delete a script you're not using, and you're shutting a door that can't swing open any longer for a hacker.
Get to know your hosting provider.
Believe it or not, I have multiple hosting accounts at different companies. (It's called competitive research.) I load them with one or two sites just to monitor the service. I use a free monitoring service from Basic State to stay abreast of up times and compare them to my own Niche Simple accounts.
Monitoring services that measure too frequently can be maddening, so be careful. Basic State checks your site every 15 minutes. That's good. If your site is down more than 15 minutes, you've got hosting issues. It could be a number of things, but a good host will know about the problem long before you or your monitoring service.
If your monitoring service checks your site every minute, you'll get a lot of false reports.
I won't go into it now, but just know that your server resets itself legitimately often each day if you're on shared hosting. For a few seconds your site may “seem” down or slow to respond when in fact, it's just doing what it has to do.
Manned by real human beings…
On one of those other hosting companies that I used (and it's a big one), I discovered my site was flagged at Google as an attack site. That will freak you out if it's never happened before, guaranteed. But getting unflagged is a simple process: Fix the site and resubmit through the webmaster tools.
But after signing in through the live chat client to discuss the hack, my chat rep responded by putting a long disclaimer in the response box that basically said, “Hacks on your site are your problem. We don't help in any way and are not responsible. You have to fix it. Go away…”
Well, they didn't really say that last part, but that's exactly what I did.
I moved the site to another host after I cleaned the files. And when we set up our support at Niche Simple, one of the keys was to make sure we had a staff who could help people fix problems – even if they were self-inflicted.
Finally, check your sites.
This is really important. If, like me, you have a lot of sites, access them regularly just to see if everything appears right. I have some clients who've discovered that a site was compromised when they visited for the first time in months. It's like real estate investing; it's important to do a drive-by occasionally.
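The "local copy as source of truth" from backup tip 2 and the occasional "drive-by" check can be combined: download the live site into a folder and compare it file by file against your local working copy. The Python below is an added example, not code from this post or from Niche Simple; the function names and the sample files built in `demo()` are constructed for illustration, and it assumes you have already fetched the server copy (for example over FTP) into a directory.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_to_local(local_root, server_root):
    """Treat the local working copy as the known-good reference."""
    local, server = hash_tree(local_root), hash_tree(server_root)
    return {
        "added_on_server": sorted(set(server) - set(local)),
        "missing_on_server": sorted(set(local) - set(server)),
        "modified_on_server": sorted(
            p for p in set(local) & set(server) if local[p] != server[p]),
    }


def demo():
    """Constructed sample: a local copy and a tampered download of the site."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {"index.html": "<h1>Home</h1>", "js/site.js": "init();"}
        for side in ("local", "server"):
            for rel, body in files.items():
                path = os.path.join(tmp, side, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write(body)
        # Constructed tampering: one changed page, one file never uploaded by you.
        with open(os.path.join(tmp, "server", "index.html"), "a") as fh:
            fh.write("<!-- unexpected change -->")
        with open(os.path.join(tmp, "server", "js", "old-upload.php"), "w") as fh:
            fh.write("<?php // placeholder ?>")
        return compare_to_local(os.path.join(tmp, "local"), os.path.join(tmp, "server"))


if __name__ == "__main__":
    print(demo())
```

Anything listed under `added_on_server` or `modified_on_server` that you did not put there yourself is a reason to restore from backup; directories the site writes to on its own (uploads, caches) will show up as differences and need to be reviewed separately.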
If you'd like to know more about Niche Simple SEO Hosting and why you must include SEO Hosting in any online strategy, go to the accounts page to understand how to leverage the power of multiple servers and multiple IP addresses.
Regina Smola says
Great post David!
Love the “crocodile infested waters we call web hosting” analogy.
I see so many people “jump in the water” when they quickly put up a website now weighing the pros and cons. They often get bit or eaten alive! Thanks for sharing the importance and risks of website hosting.
You got my vote! Backups of backups!
I haven’t heard of SugarSync and Dropbox before. I’m certainly going to check them out.
I’m really interested in learning more from you about leveraging the power of multiple servers and multiple IP addresses. I’m ready to take that step.
Thanks again David for sharing these great tips!
David Perdew says
Ohhh, Regina! You must have Dropbox to work with your clients – extremely easy and free for the first 2 gbs and that’s a lot.
SugarSync is a set it and forget it backup service. It’s really simple. And accessible from anywhere there’s a computer – not even your own…
And alligators? I find myself standing on rocks poking them with a long stick all day long 🙂
d
Dr. MaryJo Wagner says
Wow! Great info. I back my stuff up but not to the extent you’re suggesting. Good reminders. Thanks, David.
David Perdew says
Hey MaryJo,
You know what they say: twice fooled, shame on me… Well, I can’t tell you how much great content I’ve lost over the years. I got really serious about back up when I lost a hard drive that took with it about 3 months of scanning and color correcting 5,000 high-quality digital pictures for my stock photo company!
That hurt.
dp
Kathy Pop says
Hi David and welcome!
Thanks for the reminders. I tend to be a bit lax in this area. Having a separate email for the backups to go to is a fantastic idea! Looks like you’ll be a great asset to WP Security Lock and I look forward to seeing more.
Guess I should get off my butt and get that email account for my backups, or maybe I stay seated, typing while standing makes my back ache.
David Perdew says
Yep – the email thing is interesting. It’s a tip one of my tech guys who helps with hosting support taught me. If you send a daily db backup to a gmail account specifically for this, you really only have to spot check that account to make sure it’s working. Otherwise, it’s just there when you need it.
d
LovingVisions.com says
David – Excellent information. Thinking I was being very smart, I purchased a 1T exterior hard drive and carefully downloaded all of my files to protect them – Well long story shortened – I packed it up to travel with me for an extended trip and in the process it got “banged” around and refused to work anymore. Luckily a local “forensic” expert rescued my files – Major relief as this is my business – Well my replacement, new exterior hard drive also suffered a break down – The Cat who supervises me working by sleeping on my desk took a leap, snagged the cord and the hard drive dropped to the floor 🙁 Needless to say it was not happy and again I thought I had lost all my files – I now use Carbonite to back up on line as well as using my exterior hard drive. The pain of losing my history of files was not worth the stress. I will back up religiously – and therefore be able to reinstall if my files get hacked …. Thanks for all your excellent tips.
– Terry Loving
David Perdew says
Yep – external hard drives are like paychecks to me. False security. If I get used to getting a paycheck as an employee, then it’s really hard when someone pulls the plug. That’s why I’ve been self-employed for 20 years.
External hard drives make me think I’ve backed up. Until something like the cat happens, then it’s an illusion.
d
PaulaGuse says
Thanks for a post chock full of so much info, glad to hear you drive home the absolute importance of backing up. I always meant to be good at this and even went so far as to have the tools in place, problem is the tools only work if you use them. I became a dedicated and obsessed “backer upper” the day I had to listen to my inconsolable daughter weeping after having lost a huge research paper that she had put untold hours of work into. We had been attacked by a planted virus that she activated when she responded to a false security threat warning. The bad news was our computer totally froze and its entire memory was wiped out, ultimately needing to be reformatted. The good news… it was a relatively cheap lesson for my household, even my youngest is now an ardent “backer-upper” AND no-one clicks on no-thing without clearing it through.
Can’t wait to dig into the software suggestions. Thanks again! Make It A Great Day! Paula
David Perdew says
Listen, I’m terrible at scheduling anything repetitive. That’s why I chose an offline backup service like SugarSync. Turn it on, leave it and it backs up immediately while I’m creating documents. (Sometimes it can cause a little confusion because it backs up so fast, but if you leave it alone, it figures out what you’re doing on its own and fixes it.)
I don’t mind paying for the service because it’s like having an employee who sits there and backs up everything I do. I have the 500 GB back up option for $400 a year. Peace of mind is worth at least that much to me.
Oh, by the way, I have 4 external, redundant and mirrored 1tb hard drives at home too.
Yes, I’m paranoid 🙂
d
Regina Smola says
Happy Birthday David! Hope you have a fantastic day.
Roy Randolph says
Hey David I can relate, trust me I can relate.
Your experiences with external hard drives are the very reason I use NOTHING BUT RAID backup arrays now, heck the price on a good RAID 5 BOX is below $500 now.
Haven’t had an issue with external drive back ups since.
Keep up the good work.
Roy