Wordpress vs GoDaddy Website Template - Security/Backup Issues

[writeraniac]

As I prepare to create a new writing/editing website, I find myself pondering the pros and cons of a WP site versus a regular website, via GoDaddy's "Website Tonight" program.

I recently attended a webinar that scared the heck out of me regarding Wordpress. I have several WP blogs, but, according to the hosts of the webinar, WP is very vulnerable to attacks and crashes. Although I back-up religiously, apparently the only thing I'm actually backing up is the database. I would lose the theme and plugins should a crash occur. There are many security risks inherent in WP themes, which I was not really aware of before this webinar. Naturally, at the end of the webinar, the hosts were selling a "cloning" program that would back up every single aspect of our site. This is very appealing, but I tend to be skeptical of pitches like this.

Not being a techie, I'm pretty frightened by the prospect of having my new business crash and burn after spending countless hours/days/weeks/months working on it.

My blogs are hosted on Hostgator and they've been pretty good about helping me through some sticky situations (I was hacked a few times and a Tim Thumb code destroyed one of my sites). Of course the other thing about WP is the fact that it requires constant updating and spam removal. I love the ease of setting up WP and, for sure, WP is great for non-techie people.

Sorry to be so long-winded, but I'm now at a crossroad and must decide which way to go. I realize that a premium WP theme might offer some protection. The back-up issue is of concern to me. Are there any themes or plugins that you could recommend that address the security and back-up issues? Any thoughts on the "cloning" concept? Have you heard any feedback on the GoDaddy website program?

I welcome everyone's comments and suggestions, and thank you all in advance for your time.

[Angela Wills]

I can offer some feedback. I teach how to create WordPress websites and so I get questions like this a lot.

You can certainly backup more than just your database by:

- Exporting your posts on a regular basis and saving that file.
- Using FTP or Cpanel File Manager to copy your site files (themes and plugins).

There are also premium plugins you can use to do automatic backups of everything:
- Backup Buddy from iThemes
- Backup Creator

There are also other cloning plugins, I saw another and I can't remember the name of it.

Premium WP Themes from a good company can provide some good support and updates (for security) for your theme, though I'm not sure that they'll actually help with your backup unless it comes with some sort of built-in feature.

Obviously since I teach it I'm keen on WordPress.

Hope that helps

[writeraniac]

Angela:

Thank you so much for the great tips. I had hoped not to get involved with exporting and FTP, but it seems inevitable that I learn some basics. I will thoroughly explore all your suggestions!

Yes, this was VERY helpful!

[cindybidar]

I'll jump in and speak about the vulnerability of WordPress sites to hacking.

Yes, it's vulnerable, but probably not for the reasons you think. It's vulnerable because it's hugely popular, which means there are millions of sites running it, making it a target. It's kind of like Windows being more vulnerable to viruses than macs, simply because few people will bother to write a virus for an operating system that only 5% of the world uses.

WP is also vulnerable because people don't keep their installations updated. That means not just updating WordPress itself, but making sure your plugins, your theme, and even your php installation is current. You also need to be more careful than most people are when it comes to user names and passwords (you wouldn't believe the number of sites I work on that have passwords like "boomer" or "pa55w0rd" ) - and don't use the same password everywhere, please!

Also, don't install WordPress using Fantastico or other "one click" solutions. Doing that names the database wrdp1 (or wrdp2 or wrdp3, etc.) and leaves the table prefix wp_. It also leaves files on your server that are easily discoverable. Hackers know these things and can use the information to target these specific installs.

Finally, you need a decent host. I'm sorry, but GoDaddy is notorious for getting hacked - generally because their php, apache, and other software is so out of date - so if you're going to install WordPress, I certainly wouldn't do it there. They're also not fans of WordPress, in my experience, and will often "blame" WordPress if you ever have a complaint about their hosting speed, uptime, etc.

[writeraniac]

Hi, Cindy:

Thanks for addressing the "vulnerability" issues. I tend to be lax about updating to the latest versions of Wordpress because I fear one of my plugins will then crash my site. I tend to have too many plugins and need to eliminate the non-essential ones. As for user names, I'm afraid I've used some really obvious ones. Not sure how to go about changing those names. I'm pretty good about passwords, but do tend to use the same ones for all my sites. I think I know how to correct that issue.

I do install my sites with Fantastico on Hostgator. I buy my domain from GoDaddy, but host on Hostgator. So, are you saying that I shouldn't use Hostgator's Fantastico program anymore?

I have my work cut out for me. But my new business is extremely important to me and I must get it right from the very start.

Thank you so much!

[cindybidar]

I do install my sites with Fantastico on Hostgator. I buy my domain from GoDaddy, but host on Hostgator. So, are you saying that I shouldn't use Hostgator's Fantastico program anymore?

I have my work cut out for me. But my new business is extremely important to me and I must get it right from the very start.

Thank you so much!

Glad to hear that you're hosing with Hostgator. They're top-notch, but you should definitely not use Hostgator's (or any host's) Fantastico or other automatic installer. It is super easy to install WordPress manually, if you follow the directions they give here: http://codex.wordpress.org/Installin...Minute_Install

Or if you prefer, you can hire a techy to do it for you for not very much money. PM me and I'll do it for you personally if you like.

[MaAnna]

Agree with all that Cindy said. Site security starts with proper installation and that requires manually setting up the database, manual WordPress install where you can select a super secure login and the database table prefix, and then adding code to files in the root directory as well as in the core of WordPress. To that is added one security plugin that puts a deadbolt on the front door.

There are not enough plugins in the world to protect WordPress from the lack of keeping it, themes, and plugins up-to-date, or from folks getting themes and plugins from non-reputable sources that come with malware or hacking code built in right from the start.

My advice, get a geek to install WordPress for you or learn how to do those steps yourself, and learn it from a geek, a real one, not some generic advice on the web. Reason being, all hosts allow different security measures. HostGator is one of the good ones. (I'm on it too.) And they offer the cPanel brand as the control panel, which makes all the secure installation super easy. GoDaddy is one of the worst, and I've removed them from my preferred vendor list for the reasons Cindy cited. In fact, I charge extra to fool with them. (Good for domains, not hosting WordPress).

Also, get a decent theme from a reputable developer that offers support. This is not for security, it's to hedge against it breaking with future WordPress updates.

And my best advice - backup, backup, backup. Here's a zero-obligation, free report with 14 backup solutions, including storage options. Plus, it explains the difference in backing up just the database vs. all the primary files and folders you would need to actually fully restore your site. How to Backup Your WordPress Site

Your primary responsibility as a site owner is to protect your investment. Think of it as being a store owner. Would you leave the front door unlocked and the windows open? Of course not! Then why do it on your site? The more valuable the property is in your store, the more it makes sense to invest in security.

I use BackupBuddy, as do all of my training clients. And I store it remotely on Amazon S3 cloud storage. Just like backing up your computer's data onto an external hard drive, the backup data needs to be kept in a separate location than your hosting space. It costs pennies a month.

Backup is just not a place to go cheap. If you're only backing up the database to save money on storage, you'll have a whale of a time restoring your site. And if you have no backup, you'll turn every color of the rainbow sick if your site goes down.

There is no such thing as a bullet-proof site, just as there is no fully secure store, house, car, or anything else you own. Keep it updated, make it as reasonably secure as you can, back it up fully, and quit worrying about it.

[writeraniac]

Hi, MaAnna (beautiful name!):

Thank you for spending so much time answering my questions. I'm feeling really stupid now! But, I guess I need to swallow the bitter pill of ignorance and "smarten" up quickly.

Your first paragraph makes my head explode. I use Wordpress because I'm such a complete tech-idiot. Fortunately, there are people out there who can help me. But, like so many other people these days, I'm on a tight budget. I know I have to pay for a premium theme and backup plugin, and now I need to get an account with Amazon s3...all of which are mandatory it seems. Unfortunately, to date, I've not made one cent online. Well, I can't risk losing my site (once it's up and running), so I guess I will just have to bite the bullet (or go without eating for a few weeks.

Thank you so much for the free report. I just downloaded it and will read it carefully. I also subscribed to your wonderful blog.

Everyone on this forum is truly amazing (except me, but I'm working on it).

[ChristineCobb]

Looks like everyone has covered the waterfront about backing up and security recommendations. I'll just weigh in on using a proprietary website builder instead of building your website yourself with WordPress, html or something else. Eventually people who want to improve their site and add functionality get fed up with rigid website builders. The problem comes when they want to move to another platform like WordPress. Most of the time this is a copy and paste job and takes hours of work because you can't just export your pages. Just something to think about.

Don't be alarmed and scared away -- just be aware. Then just add backups and updates to your routine. You can also follow WordPress security experts like Regina Smola at WPSecurityLock.com. When things like TimThumb come up, they will be blogging, tweeting and Facebooking about it quickly.

[writeraniac]

Christine:

More great and very wise advice! Thank you so much.

I've definitely seen the folly of even thinking about using anything but Wordpress. I am alarmed and I am scared, but with all the information I've been given, I am not feeling as paralyzed as I was last week. I am motivated to move forward.

Debbie