Wordpress vs GoDaddy Website Template - Security/Backup Issues
writeraniac
June 2nd, 2012, 09:56 PM
As I prepare to create a new writing/editing website, I find myself pondering the pros and cons of a WP site versus a regular website, via GoDaddy's "Website Tonight" program.
I recently attended a webinar that scared the heck out of me regarding Wordpress. I have several WP blogs, but, according to the hosts of the webinar, WP is very vulnerable to attacks and crashes. Although I back-up religiously, apparently the only thing I'm actually backing up is the database. I would lose the theme and plugins should a crash occur. There are many security risks inherent in WP themes, which I was not really aware of before this webinar. Naturally, at the end of the webinar, the hosts were selling a "cloning" program that would back up every single aspect of our site. This is very appealing, but I tend to be skeptical of pitches like this.
Not being a techie, I'm pretty frightened by the prospect of having my new business crash and burn after spending countless hours/days/weeks/months working on it.
My blogs are hosted on Hostgator and they've been pretty good about helping me through some sticky situations (I was hacked a few times and a Tim Thumb code destroyed one of my sites). Of course the other thing about WP is the fact that it requires constant updating and spam removal. I love the ease of setting up WP and, for sure, WP is great for non-techie people.
Sorry to be so long-winded, but I'm now at a crossroad and must decide which way to go. I realize that a premium WP theme might offer some protection. The back-up issue is of concern to me. Are there any themes or plugins that you could recommend that address the security and back-up issues? Any thoughts on the "cloning" concept? Have you heard any feedback on the GoDaddy website program?
I welcome everyone's comments and suggestions, and thank you all in advance for your time.:confused:
Angela Wills
June 2nd, 2012, 10:19 PM
I can offer some feedback. I teach how to create WordPress websites and so I get questions like this a lot.
You can certainly back up more than just your database by:
- Exporting your posts on a regular basis and saving that file.
- Using FTP or Cpanel File Manager to copy your site files (themes and plugins).
There are also premium plugins you can use to do automatic backups of everything:
- Backup Buddy from iThemes
- Backup Creator
There are also other cloning plugins, I saw another and I can't remember the name of it.
Premium WP Themes from a good company can provide some good support and updates (for security) for your theme, though I'm not sure that they'll actually help with your backup unless it comes with some sort of built-in feature.
Obviously since I teach it I'm keen on WordPress.
Hope that helps :)
cindybidar
June 3rd, 2012, 09:06 AM
I'll jump in and speak about the vulnerability of WordPress sites to hacking. :)
Yes, it's vulnerable, but probably not for the reasons you think. It's vulnerable because it's hugely popular, which means there are millions of sites running it, making it a target. It's kind of like Windows being more vulnerable to viruses than Macs, simply because few people will bother to write a virus for an operating system that only 5% of the world uses.
WP is also vulnerable because people don't keep their installations updated. That means not just updating WordPress itself, but making sure your plugins, your theme, and even your php installation is current. You also need to be more careful than most people are when it comes to user names and passwords (you wouldn't believe the number of sites I work on that have passwords like "boomer" or "pa55w0rd" :confused:) - and don't use the same password everywhere, please!
Also, don't install WordPress using Fantastico or other "one click" solutions. Doing that names the database wrdp1 (or wrdp2 or wrdp3, etc.) and leaves the table prefix wp_. It also leaves files on your server that are easily discoverable. Hackers know these things and can use the information to target these specific installs.
Finally, you need a decent host. I'm sorry, but GoDaddy is notorious for getting hacked - generally because their php, apache, and other software is so out of date - so if you're going to install WordPress, I certainly wouldn't do it there. They're also not fans of WordPress, in my experience, and will often "blame" WordPress if you ever have a complaint about their hosting speed, uptime, etc.
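Added example, not part of cindybidar's post: a small Python check a site owner can run against a copy of their own wp-config.php to see whether it still carries the one-click installer defaults described above (a wrdpN database name and the wp_ table prefix). The sample configs are constructed, and the account prefix in front of wrdpN (as in "acct_wrdp1") is an assumption about how shared hosts name databases.

```python
import re

# define('NAME', 'value') and $table_prefix = 'value'; as written in wp-config.php
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
# wrdp1, wrdp2, ... optionally behind an account prefix such as "acct_" (assumption)
INSTALLER_DB_RE = re.compile(r"(?:^|_)wrdp\d+$")


def read_settings(config_text):
    """Line-oriented read of the two settings; this is not a full PHP parser."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        # Skip whole-line comments so a commented-out define is not reported.
        if line.startswith(("//", "#", "/*", "*")):
            continue
        m = DEFINE_RE.search(line)
        if m:
            settings[m.group(1)] = m.group(2)
        m = PREFIX_RE.search(line)
        if m:
            settings["table_prefix"] = m.group(1)
    return settings


def audit_wp_config(config_text):
    """Return (setting, value, reason) tuples for installer defaults still in place."""
    settings = read_settings(config_text)
    findings = []
    db_name = settings.get("DB_NAME")
    if db_name is None:
        findings.append(("DB_NAME", None, "not found in file"))
    elif INSTALLER_DB_RE.search(db_name):
        findings.append(("DB_NAME", db_name, "one-click installer database name"))
    prefix = settings.get("table_prefix")
    if prefix is None:
        findings.append(("table_prefix", None, "not found in file"))
    elif prefix == "wp_":
        findings.append(("table_prefix", prefix, "default table prefix"))
    return findings


# Constructed samples, not taken from any real site.
ONE_CLICK_SAMPLE = """<?php
// constructed sample
define('DB_NAME', 'acct_wrdp1');
define('DB_USER', 'acct_wrdp1');
$table_prefix  = 'wp_';
"""

MANUAL_SAMPLE = """<?php
/* constructed sample
 * define('DB_NAME', 'wrdp9');  commented out, must be ignored
 */
define( 'DB_NAME', 'acct_k7site' );
$table_prefix = 'k7x_';
"""

if __name__ == "__main__":
    for label, text in (("one-click", ONE_CLICK_SAMPLE), ("manual", MANUAL_SAMPLE)):
        print(label, audit_wp_config(text) or "no installer defaults found")
```

A clean result only means these two defaults were changed; updates and strong, unique passwords still have to be handled separately.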
MaAnna
June 3rd, 2012, 10:38 AM
Agree with all that Cindy said. Site security starts with proper installation and that requires manually setting up the database, manual WordPress install where you can select a super secure login and the database table prefix, and then adding code to files in the root directory as well as in the core of WordPress. To that is added one security plugin that puts a deadbolt on the front door.
There are not enough plugins in the world to protect WordPress from the lack of keeping it, themes, and plugins up-to-date, or from folks getting themes and plugins from non-reputable sources that come with malware or hacking code built in right from the start.
My advice, get a geek to install WordPress for you or learn how to do those steps yourself, and learn it from a geek, a real one, not some generic advice on the web. Reason being, all hosts allow different security measures. HostGator is one of the good ones. (I'm on it too.) And they offer the cPanel brand as the control panel, which makes all the secure installation super easy. GoDaddy is one of the worst, and I've removed them from my preferred vendor list for the reasons Cindy cited. In fact, I charge extra to fool with them. (Good for domains, not hosting WordPress).
Also, get a decent theme from a reputable developer that offers support. This is not for security, it's to hedge against it breaking with future WordPress updates.
And my best advice - backup, backup, backup. Here's a zero-obligation, free report with 14 backup solutions, including storage options. Plus, it explains the difference in backing up just the database vs. all the primary files and folders you would need to actually fully restore your site. How to Backup Your WordPress Site (http://www.blogaid.net/how-to-backup-your-wordpress-site-free-report)
Your primary responsibility as a site owner is to protect your investment. Think of it as being a store owner. Would you leave the front door unlocked and the windows open? Of course not! Then why do it on your site? The more valuable the property is in your store, the more it makes sense to invest in security.
I use BackupBuddy, as do all of my training clients. And I store it remotely on Amazon S3 cloud storage. Just like backing up your computer's data onto an external hard drive, the backup data needs to be kept in a separate location than your hosting space. It costs pennies a month.
Backup is just not a place to go cheap. If you're only backing up the database to save money on storage, you'll have a whale of a time restoring your site. And if you have no backup, you'll turn every color of the rainbow sick if your site goes down.
There is no such thing as a bullet-proof site, just as there is no fully secure store, house, car, or anything else you own. Keep it updated, make it as reasonably secure as you can, back it up fully, and quit worrying about it.
ChristineCobb
June 3rd, 2012, 11:21 AM
Looks like everyone has covered the waterfront about backing up and security recommendations. I'll just weigh in on using a proprietary website builder instead of building your website yourself with WordPress, html or something else. Eventually people who want to improve their site and add functionality get fed up with rigid website builders. The problem comes when they want to move to another platform like WordPress. Most of the time this is a copy and paste job and takes hours of work because you can't just export your pages. Just something to think about.
Don't be alarmed and scared away -- just be aware. Then just add backups and updates to your routine. You can also follow WordPress security experts like Regina Smola at WPSecurityLock.com. When things like TimThumb come up, they will be blogging, tweeting and Facebooking about it quickly.
Chris2
June 3rd, 2012, 11:25 AM
I just want to say thanks to everyone who's posting comments here. I'm just beginning to learn about website security, so every tidbit of good info helps!
ChristineCobb
June 3rd, 2012, 10:05 PM
Hackers can mess with your files and put links to other sites within your content or they can install scripts that put malware on your visitors' computers. Some are pranksters and some are more devious. That can happen whether you have WordPress or not. So having regular backups can save you from a lot of work if that happens. And you might not catch it right away, so it is good to not just overwrite one backup in place of another, but to have several different ones saved. That's where a good backup program can be handy because you can just set it up to run automatically.
Backups are important in case something gets corrupted. It's just hardware and software after all. Things happen.
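Added example, not part of the posts above: a Python sketch of the backup routine this thread describes, which archives the site files together with the database dump, refuses to store backups inside the site itself, and keeps several dated generations instead of overwriting one. It assumes the database has already been exported to a .sql file by your host's tools; make_backup, build_sample_site and all paths are hypothetical names, and the sample site is constructed.

```python
import tarfile
import tempfile
import time
from pathlib import Path


def make_backup(site_dir, db_dump, dest_dir, keep=7, stamp=None):
    """Archive site files plus a database dump, then keep only the newest `keep` archives."""
    site_dir, db_dump, dest_dir = Path(site_dir), Path(db_dump), Path(dest_dir)
    if keep < 1:
        raise ValueError("keep must be at least 1")
    # Themes, plugins and uploads live under wp-content; without it this is not a full backup.
    if not (site_dir / "wp-content").is_dir():
        raise ValueError(f"{site_dir} has no wp-content directory")
    if not db_dump.is_file() or db_dump.stat().st_size == 0:
        raise ValueError(f"database dump {db_dump} is missing or empty")
    # Backups kept inside the site tree are swept into the next archive
    # and are lost together with the site.
    site_real, dest_real = site_dir.resolve(), dest_dir.resolve()
    if dest_real == site_real or site_real in dest_real.parents:
        raise ValueError("dest_dir must be outside site_dir")
    dest_dir.mkdir(parents=True, exist_ok=True)

    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    final = dest_dir / f"site-{stamp}.tar.gz"
    if final.exists():
        raise FileExistsError(f"{final} already exists; refusing to overwrite")
    partial = final.with_name(final.name + ".partial")
    with tarfile.open(partial, "w:gz") as tar:
        tar.add(site_dir, arcname="files")
        tar.add(db_dump, arcname="database.sql")

    # Re-open the archive and confirm both halves are present before trusting it.
    with tarfile.open(partial) as tar:
        names = set(tar.getnames())
    if "database.sql" not in names or "files/wp-content" not in names:
        partial.unlink()
        raise RuntimeError("archive verification failed")
    partial.rename(final)

    # Timestamped names sort chronologically, so everything before the last `keep` is oldest.
    for old in sorted(dest_dir.glob("site-*.tar.gz"))[:-keep]:
        old.unlink()
    return final


def build_sample_site(root):
    """Constructed sample: a tiny WordPress-shaped tree and a stand-in SQL dump."""
    site = Path(root) / "public_html"
    theme = site / "wp-content" / "themes" / "example-theme"
    theme.mkdir(parents=True)
    (theme / "style.css").write_text("/* constructed sample theme */\n")
    (site / "wp-config.php").write_text("<?php // constructed sample\n")
    dump = Path(root) / "dump.sql"
    dump.write_text("-- constructed sample dump\nCREATE TABLE ex_posts (id INT);\n")
    return site, dump


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site, dump = build_sample_site(tmp)
        dest = Path(tmp) / "backups"
        for day in ("20120601", "20120602", "20120603", "20120604"):
            make_backup(site, dump, dest, keep=3, stamp=f"{day}-020000")
        print(sorted(p.name for p in dest.glob("site-*.tar.gz")))
```

The resulting archives still sit on the same machine; copying them to separate storage is a further step this sketch does not perform.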
ReginaSmola
June 4th, 2012, 08:54 AM
I realize that a premium WP theme might offer some protection. The back-up issue is of concern to me. Are there any themes or plugins that you could recommend that address the security and back-up issues? Any thoughts on the "cloning" concept? Have you heard any feedback on the GoDaddy website program?
Wow, what a great question and awesome feedback!!! I agree with all the security advice from Angela, MaAnna, Cindy, and Christine.
writeraniac, the webinar you attended did a great job of waking you up to the potential threats out there. Everyone needs to be aware that at any moment ANY website (WordPress, Website Tonight, CMS, or html site) can be maliciously attacked and/or destroyed. First and foremost you need to have a clean backup of your website after any changes you've made (added new posts, installed new plugin, tweaked your theme) so you can easily restore it back to normal.
Also take into account that you yourself can add a plugin, script or bad code that can break your site. So backups of both your database and your website files are essential.
For the backup and cloning concept, I'm not sure which product they were selling on the webinar. But I also recommend BackupBuddy, which creates backups of everything, your essential WordPress files and your database. Another neat feature is it will backup any custom folders you created, for example you can include the directory for your downloadable products too. My backups are auto loaded offsite to my AmazonS3 account. So if my hosting server gets compromised then my backups are safely stored in another location. Here's a short post I wrote about BackupBuddy (http://www.wpsecuritylock.com/?p=6385) and a discount code if you're interested.
Regarding premium themes and security, I highly recommend StudioPress (http://www.wpsecuritylock.com/studiopress) Genesis framework. They're security conscious and hired Mark Jaquith, WordPress lead developer, to do a thorough security audit (http://www.wpsecuritylock.com/genesis-security-audit).
In regards to the GoDaddy website program, I have not used it. I personally like to have control of my website without limitations (one of the reasons I self-host WordPress) and programs such as these only allow you to do certain things on your site. Things to consider: Do they do security checks and updates? Is security information readily available? With WordPress, when a security vulnerability is discovered they make patches to close the holes and a notification is displayed on the top section of your WP dashboard.
To help protect yourself from future timthumb vulnerabilities, install the Timthumb Vulnerability Scanner plugin and set it to auto-scan. What's scary is even today there are still premium themes and plugins with outdated versions circulating and still have the backdoor. Two weeks ago I bought a premium theme at ThemeForest and it had version 1.8.1. YIKES! For more information see my post on the Timthumb Vulnerability Scanner (http://www.wpsecuritylock.com/wordpress-security-tip-timthumb-vulnerability-scanner/) plugin.
One last thing I would recommend is having your site auto-scanned daily for malware. I use Sucuri (http://www.wpsecuritylock.com/sucuri). If you're concerned your site is infected with malware, you can scan it for free here (http://www.wpsecuritylock.com/scanner).
DebraLloyd
June 4th, 2012, 10:35 AM
All good advice above here. One other issue I have seen with systems like Website tonight, Yahoo Stores & Volusion is that once you start to actually learn more, and you will have to learn about the 'tech side of things' whether you want to or not in order to sustain a site and be successful online - you will want the control and the freedom to make your site whatever you want it to be the way you want it to be.
Invest in a solid foundation for your site, it is the home of your business online, treat it like you would a physical home - lock the doors and windows, and insure it - meaning do all the things mentioned above - backup, update the theme asap when new releases are available, backup, maintain plugins, backup, only use plugins from WP extend, backup and be careful who you invite to work on it - make sure they're 'licensed & insured' meaning certified with good testimonials. You get the picture about back up right - automate it, it's the only way it will happen as it should as all the others say store it externally I like Amazon S3 - cheap and easy to use?
If you ever come to sell your online business you will find it easier to hand over to a buyer and savvy buyers will use the lack of control as a negotiation negative saying they will need to offset the cost of transferring it - if they believe that's what they need to do as a seller, there's almost nothing you can say to overcome that objection - so being on a 3rd party platform will cost you if you want to sell.
Finally there is a reason the White House, 10 Downing Street (British Govt), New York Times, Martha Stewart Living etc all have their sites/blogs running on WordPress - it works, it makes it easy to update, it helps their content rank better & faster, they just take proper security precautions to protect their sites from hackers.
Hope this helps,
Cheers
Debra
MaAnna
June 4th, 2012, 03:51 PM
Hearty agreements with Christine, Regina and Debra.
I'm in the middle of a site redesign and starting to run content that will eventually become an archive page for beginners. The first post is an overview of the difference between a manual WordPress install and the 1-click way. It's here (Want to know the difference in security between a manual install of WordPress and the 1-click way? Just scan this post for the red bullet points. http://www.blogaid.net/install-wordpress).
writeraniac
June 4th, 2012, 07:11 PM
Angela:
Thank you so much for the great tips. I had hoped not to get involved with exporting and FTP, but it seems inevitable that I learn some basics. I will thoroughly explore all your suggestions!
Yes, this was VERY helpful!:)
writeraniac
June 4th, 2012, 07:18 PM
Hi, Cindy:
Thanks for addressing the "vulnerability" issues. I tend to be lax about updating to the latest versions of Wordpress because I fear one of my plugins will then crash my site. I tend to have too many plugins and need to eliminate the non-essential ones. As for user names, I'm afraid I've used some really obvious ones. Not sure how to go about changing those names. I'm pretty good about passwords, but do tend to use the same ones for all my sites. I think I know how to correct that issue.
I do install my sites with Fantastico on Hostgator. I buy my domain from GoDaddy, but host on Hostgator. So, are you saying that I shouldn't use Hostgator's Fantastico program anymore?
I have my work cut out for me. But my new business is extremely important to me and I must get it right from the very start.
Thank you so much! :)
writeraniac
June 4th, 2012, 07:41 PM
Hi, MaAnna (beautiful name!):
Thank you for spending so much time answering my questions. I'm feeling really stupid now! But, I guess I need to swallow the bitter pill of ignorance and "smarten" up quickly.
Your first paragraph makes my head explode. I use Wordpress because I'm such a complete tech-idiot. Fortunately, there are people out there who can help me. But, like so many other people these days, I'm on a tight budget. I know I have to pay for a premium theme and backup plugin, and now I need to get an account with Amazon s3...all of which are mandatory it seems. Unfortunately, to date, I've not made one cent online. Well, I can't risk losing my site (once it's up and running), so I guess I will just have to bite the bullet (or go without eating for a few weeks. :)
Thank you so much for the free report. I just downloaded it and will read it carefully. I also subscribed to your wonderful blog.
Everyone on this forum is truly amazing (except me, but I'm working on it). :confused:
writeraniac
June 4th, 2012, 07:46 PM
Christine:
More great and very wise advice! Thank you so much.
I've definitely seen the folly of even thinking about using anything but Wordpress. I am alarmed and I am scared, but with all the information I've been given, I am not feeling as paralyzed as I was last week. I am motivated to move forward.
Debbie
writeraniac
June 4th, 2012, 08:14 PM
Hi, Regina:
Yes, the feedback has blown my mind. As a forum newbie, I thought I would be notified by email when someone replied. So I've been waiting for answers. :) Then, I had the "bright" idea of checking the forum itself. Duh! You can't imagine my surprise and delight when I found all these incredible responses. I feel so blessed to have found this forum. Thank you Lynn for directing me here.
Regina, thank you for providing me with so many great recommendations. How can I ever thank you enough? I've been in terror over creating another website/blog. I'm calming down now that I know I'll be armed with the right tools to combat some of the vulnerability issues. I do realize that nothing is completely safe, but at least I will be able to minimize the risks.
I feel like I've just had a crash (no pun intended) course on Wordpress security, and I am so very grateful to everyone in the forum.
I've subscribed to your newsletter, Regina, and will be buying BackupBuddy through your link as soon as possible.
Gratefully yours,
Writeraniac (Debbie)
writeraniac
June 4th, 2012, 08:26 PM
Hi, Debra:
Thanks for addressing the website template issue. You've brought up several important issues and I'm convinced that Wordpress is the best way for me to go. Yes, it requires a lot of maintenance and updating, but it also offers great flexibility. I can see where the pros far outweigh the cons.
Just one question for you: Do you think I should backup my site on a regular basis? ;) Just kidding! I always back up daily, but am now horrified to realize that I was only backing up my database. All in all, I would say I've been EXTREMELY lucky to have had five blogs that have not crashed in the four years I've had them. Whew! Lesson learned, I'm saving my pennies to buy BackupBuddy ASAP.
Thanks again for all your great advice!
Best regards,
Deb
writeraniac
June 4th, 2012, 08:30 PM
I just want to thank everyone again for all your great replies. You've been incredibly generous with your time. You've provided me with solid information, recommendations, freebies, leads, and sound advice.
I'm a writer, but words truly fail me at this time.
Warm regards to all,
Deb:)
DebraLloyd
June 4th, 2012, 09:08 PM
Hi Debbie,
Once you get into the swing of it and a routine it's really not that much work to maintain WordPress and it's no different no matter what system you are on it still needs to be done.
One thing I would suggest is to get LastPass to manage your passwords - it's FREE and brilliant - will make your life so much easier and you only have to remember ONE password which is your primary to access LastPass - hence the name the last password you'll ever need to remember.
Cheers,
Debra
writeraniac
June 5th, 2012, 06:19 PM
Hi, Debra:
Thanks for the recommendation! Am I being paranoid for worrying about LastPass being compromised and then losing all my passwords to some hacker? Nothing is fool-proof, for sure. I'm just a nervous Nelly these days. :rolleyes: Guess that's because my new business is do-or-die time for me and I'm trying to cross all my "t's" and dot all my "i's" prior to installing the new site.
One question regarding LastPass: What happens when you want to access your sites from a public computer? Does that create another vulnerability issue? (Okay, that's two questions.)
Thanks again for the great suggestion!
Warm regards,
Debbie
Lynn Terry
June 5th, 2012, 09:09 PM
I just want to thank everyone again for all your great replies. You've been incredibly generous with your time. You've provided me with solid information, recommendations, freebies, leads, and sound advice.
I'm a writer, but words truly fail me at this time.
Warm regards to all,
Deb:)
They're awesome, aren't they? :) So glad you joined us here on the forum.
Feel free to hop on ANYtime you have a question!
cindybidar
June 5th, 2012, 10:34 PM
I do install my sites with Fantastico on Hostgator. I buy my domain from GoDaddy, but host on Hostgator. So, are you saying that I shouldn't use Hostgator's Fantastico program anymore?
I have my work cut out for me. But my new business is extremely important to me and I must get it right from the very start.
Thank you so much! :)
Glad to hear that you're hosting with Hostgator. They're top-notch, but you should definitely not use Hostgator's (or any host's) Fantastico or other automatic installer. It is super easy to install WordPress manually, if you follow the directions they give here: http://codex.wordpress.org/Installing_WordPress#Famous_5-Minute_Install
Or if you prefer, you can hire a techy to do it for you for not very much money. PM me and I'll do it for you personally if you like.
ReginaSmola
June 6th, 2012, 09:00 AM
Hi Deb,
You're very welcome.
To make sure you receive reply notifications, visit http://www.clicknewz.com/members/profile.php?do=editoptions and make sure that Default Thread Subscription Mode is set to Instantly, using email and hit "Save Changes" at the bottom.
That should keep you in the loop.
DebraLloyd
June 6th, 2012, 10:05 AM
Hey Debbie,
That's a very good question and one that stopped me from using a password manager for way longer than it should have, so I understand your concerns for sure. The one thing I began to realize was that it's impossible to create 'strong and secure' passwords and recall them without keeping them written down or stored somewhere and that actually puts you at more risk than anything else. The thing that threw me over the top was when I learned two people on my most respected list - Liz Jamieson (web developer) and Regina Smola (WP security expert) recommend and use it themselves. I figure if they feel it's secure enough for them then I'll be just fine.
The basic LastPass is FREE, but you can subscribe to the premium version which gives you mobile access. You can always login to your account from a public computer but you will need to login to your personal 'vault' and you have options to make that a safe process too.
There are a couple of 'tricks' I've learned to setting up and organizing the records for Last Pass so I'll look to write a post to cover those and stick it up on NGBT in the next few days - follow me on Twitter or sign up for the NextGenNews at the site and you won't miss it.
Cheers,
Debra