Thread: Wordpress vs GoDaddy Website Template - Security/Backup Issues

  1. #1

    As I prepare to create a new writing/editing website, I find myself pondering the pros and cons of a WP site versus a regular website, via GoDaddy's "Website Tonight" program.

    I recently attended a webinar that scared the heck out of me regarding WordPress. I have several WP blogs, but, according to the hosts of the webinar, WP is very vulnerable to attacks and crashes. Although I back up religiously, apparently the only thing I'm actually backing up is the database. I would lose the theme and plugins should a crash occur. There are many security risks inherent in WP themes, which I was not really aware of before this webinar. Naturally, at the end of the webinar, the hosts were selling a "cloning" program that would back up every single aspect of our site. This is very appealing, but I tend to be skeptical of pitches like this.

    Not being a techie, I'm pretty frightened by the prospect of having my new business crash and burn after spending countless hours/days/weeks/months working on it.

    My blogs are hosted on HostGator and they've been pretty good about helping me through some sticky situations (I was hacked a few times and a TimThumb code destroyed one of my sites). Of course the other thing about WP is the fact that it requires constant updating and spam removal. I love the ease of setting up WP and, for sure, WP is great for non-techie people.

    Sorry to be so long-winded, but I'm now at a crossroad and must decide which way to go. I realize that a premium WP theme might offer some protection. The back-up issue is of concern to me. Are there any themes or plugins that you could recommend that address the security and back-up issues? Any thoughts on the "cloning" concept? Have you heard any feedback on the GoDaddy website program?

    I welcome everyone's comments and suggestions, and thank you all in advance for your time.

  2. #2
    Angela Wills Guest

    I can offer some feedback. I teach how to create WordPress websites and so I get questions like this a lot.

    You can certainly back up more than just your database by:

    - Exporting your posts on a regular basis and saving that file.
    - Using FTP or cPanel File Manager to copy your site files (themes and plugins).

    There are also premium plugins you can use to do automatic backups of everything:
    - Backup Buddy from iThemes
    - Backup Creator

    There are also other cloning plugins; I saw another and I can't remember the name of it.

    Premium WP Themes from a good company can provide some good support and updates (for security) for your theme, though I'm not sure that they'll actually help with your backup unless it comes with some sort of built-in feature.

    Obviously since I teach it I'm keen on WordPress.

    Hope that helps

  3. #3
    Join Date
    Aug 2009
    Location
    Grand Rapids, Michigan
    Posts
    727

    I'll jump in and speak about the vulnerability of WordPress sites to hacking.

    Yes, it's vulnerable, but probably not for the reasons you think. It's vulnerable because it's hugely popular, which means there are millions of sites running it, making it a target. It's kind of like Windows being more vulnerable to viruses than Macs, simply because few people will bother to write a virus for an operating system that only 5% of the world uses.

    WP is also vulnerable because people don't keep their installations updated. That means not just updating WordPress itself, but making sure your plugins, your theme, and even your PHP installation are current. You also need to be more careful than most people are when it comes to user names and passwords (you wouldn't believe the number of sites I work on that have passwords like "boomer" or "pa55w0rd") - and don't use the same password everywhere, please!

    Also, don't install WordPress using Fantastico or other "one click" solutions. Doing that names the database wrdp1 (or wrdp2 or wrdp3, etc.) and leaves the table prefix wp_. It also leaves files on your server that are easily discoverable. Hackers know these things and can use the information to target these specific installs.

    Finally, you need a decent host. I'm sorry, but GoDaddy is notorious for getting hacked - generally because their PHP, Apache, and other software are so out of date - so if you're going to install WordPress, I certainly wouldn't do it there. They're also not fans of WordPress, in my experience, and will often "blame" WordPress if you ever have a complaint about their hosting speed, uptime, etc.
    Cindy
    The Educated VA
    www.EducatedVA.com
    Earn a Living Online as a Virtual Assistant - Step by Step VA
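
A way to check an existing install for the one-click defaults described in the post above (a `wrdpN` database name and the `wp_` table prefix). This is an added example, not part of the original post; the function names and the sample config are constructed for illustration, and the account-prefixed form `example_wrdp1` is an assumption about how a host may name the database.

```shell
#!/bin/sh
# Added example (not from the thread): report one-click-install defaults
# in a wp-config.php. Function names here are illustrative.

Q="['\"]"   # matches either PHP quote character

# usage: wp_define FILE KEY  -> value of define('KEY', 'value')
wp_define() {
    sed -n "s/^[[:space:]]*define([[:space:]]*${Q}$2${Q}[[:space:]]*,[[:space:]]*${Q}\([^'\"]*\)${Q}.*/\1/p" "$1" | head -n 1
}

# usage: wp_table_prefix FILE  -> value of $table_prefix = 'value';
wp_table_prefix() {
    sed -n "s/^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*${Q}\([^'\"]*\)${Q}.*/\1/p" "$1" | head -n 1
}

# usage: audit_wp_config FILE  -> one line per finding, nothing if clean
audit_wp_config() {
    db=$(wp_define "$1" DB_NAME)
    prefix=$(wp_table_prefix "$1")
    case "$db" in
        wrdp[0-9]*|*_wrdp[0-9]*)
            echo "DB_NAME '$db' follows the one-click wrdpN naming" ;;
    esac
    if [ "$prefix" = "wp_" ]; then
        echo "table prefix is still the default 'wp_'"
    fi
    return 0
}

# Constructed sample config for trying the check: sample_config DB PREFIX
sample_config() {
    cat <<EOF
<?php
define('DB_NAME', '$1');
define( "DB_USER", "example_user" );
\$table_prefix  = '$2';
EOF
}

# Run against a real file when a path is given on the command line.
if [ "$#" -ge 1 ]; then
    audit_wp_config "$1"
fi
```
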

  4. #4
    MaAnna Guest

    Agree with all that Cindy said. Site security starts with proper installation and that requires manually setting up the database, manual WordPress install where you can select a super secure login and the database table prefix, and then adding code to files in the root directory as well as in the core of WordPress. To that is added one security plugin that puts a deadbolt on the front door.

    There are not enough plugins in the world to protect WordPress from the lack of keeping it, themes, and plugins up-to-date, or from folks getting themes and plugins from non-reputable sources that come with malware or hacking code built in right from the start.

    My advice, get a geek to install WordPress for you or learn how to do those steps yourself, and learn it from a geek, a real one, not some generic advice on the web. Reason being, all hosts allow different security measures. HostGator is one of the good ones. (I'm on it too.) And they offer the cPanel brand as the control panel, which makes all the secure installation super easy. GoDaddy is one of the worst, and I've removed them from my preferred vendor list for the reasons Cindy cited. In fact, I charge extra to fool with them. (Good for domains, not hosting WordPress).

    Also, get a decent theme from a reputable developer that offers support. This is not for security, it's to hedge against it breaking with future WordPress updates.

    And my best advice - backup, backup, backup. Here's a zero-obligation, free report with 14 backup solutions, including storage options. Plus, it explains the difference in backing up just the database vs. all the primary files and folders you would need to actually fully restore your site. How to Backup Your WordPress Site

    Your primary responsibility as a site owner is to protect your investment. Think of it as being a store owner. Would you leave the front door unlocked and the windows open? Of course not! Then why do it on your site? The more valuable the property is in your store, the more it makes sense to invest in security.

    I use BackupBuddy, as do all of my training clients. And I store it remotely on Amazon S3 cloud storage. Just like backing up your computer's data onto an external hard drive, the backup data needs to be kept in a separate location than your hosting space. It costs pennies a month.

    Backup is just not a place to go cheap. If you're only backing up the database to save money on storage, you'll have a whale of a time restoring your site. And if you have no backup, you'll turn every color of the rainbow sick if your site goes down.

    There is no such thing as a bullet-proof site, just as there is no fully secure store, house, car, or anything else you own. Keep it updated, make it as reasonably secure as you can, back it up fully, and quit worrying about it.

  5. #5
    Join Date
    Jul 2009
    Location
    Houston, TX
    Posts
    858

    Looks like everyone has covered the waterfront about backing up and security recommendations. I'll just weigh in on using a proprietary website builder instead of building your website yourself with WordPress, html or something else. Eventually people who want to improve their site and add functionality get fed up with rigid website builders. The problem comes when they want to move to another platform like WordPress. Most of the time this is a copy and paste job and takes hours of work because you can't just export your pages. Just something to think about.

    Don't be alarmed and scared away -- just be aware. Then just add backups and updates to your routine. You can also follow WordPress security experts like Regina Smola at WPSecurityLock.com. When things like TimThumb come up, they will be blogging, tweeting and Facebooking about it quickly.
    Christine Cobb
    Confused about Aweber, selling products and other technical challenges? [read more...]

  6. #6
    Join Date
    Feb 2012
    Location
    Texas (DFW area)
    Posts
    116

    I just want to say thanks to everyone who's posting comments here. I'm just beginning to learn about website security, so every tidbit of good info helps!

  7. #7
    Join Date
    Jul 2009
    Location
    Houston, TX
    Posts
    858

    Hackers can mess with your files and put links to other sites within your content or they can install scripts that put malware on your visitors' computers. Some are pranksters and some are more devious. That can happen whether you have WordPress or not. So having regular backups can save you from a lot of work if that happens. And you might not catch it right away, so it is good to not just overwrite one backup in place of another, but to have several different ones saved. That's where a good backup program can be handy because you can just set it up to run automatically.

    Backups are important in case something gets corrupted. It's just hardware and software after all. Things happen.
    Christine Cobb
    Confused about Aweber, selling products and other technical challenges? [read more...]
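
The routine several replies describe, as a shell script: archive the site files as well as the database, and keep a handful of dated copies so that a problem noticed late can still be rolled back. This is an added example, not code from any poster or plugin named in the thread; the function names, the `WP_DB_NAME` variable and the reliance on `~/.my.cnf` for database credentials are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): back up the whole site, not just the
# database, and keep several dated copies. Names and layout are illustrative.

# usage: prune_backups BACKUP_DIR KEEP PREFIX
# Deletes the oldest PREFIX-* files so that only the newest KEEP remain.
prune_backups() {
    ls "$1" | grep "^$3-" | sort -r | tail -n +"$(( $2 + 1 ))" |
    while read -r old; do
        rm -f "$1/$old"
    done
}

# usage: backup_site SITE_DIR BACKUP_DIR KEEP [STAMP]
backup_site() {
    site=$1; dest=$2; keep=$3
    stamp=${4:-$(date +%Y%m%d-%H%M%S)}   # sortable, one archive per run
    mkdir -p "$dest"
    # Files: core, themes, plugins and uploads all live under SITE_DIR.
    tar -czf "$dest/site-$stamp.tar.gz" -C "$site" .
    # Database: assumes WP_DB_NAME is exported and credentials are in ~/.my.cnf.
    if [ -n "${WP_DB_NAME:-}" ] && command -v mysqldump >/dev/null 2>&1; then
        mysqldump "$WP_DB_NAME" | gzip > "$dest/db-$stamp.sql.gz"
        prune_backups "$dest" "$keep" db
    fi
    prune_backups "$dest" "$keep" site
}

# usage: archive_has ARCHIVE PATH  -> success if PATH is inside the archive
archive_has() {
    tar -tzf "$1" | grep -Eq "(^|/)$2\$"
}

# Cron entry point: script.sh SITE_DIR BACKUP_DIR [KEEP]; BACKUP_DIR should
# sit outside the web root, and the archives still need copying off the host.
if [ "$#" -ge 2 ]; then
    backup_site "$1" "$2" "${3:-7}"
fi
```
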

  8. #8
    Join Date
    Aug 2011
    Location
    Davis Junction, IL
    Posts
    25

    > I realize that a premium WP theme might offer some protection. The back-up issue is of concern to me. Are there any themes or plugins that you could recommend that address the security and back-up issues? Any thoughts on the "cloning" concept? Have you heard any feedback on the GoDaddy website program?

    Wow, what a great question and awesome feedback!!! I agree with all the security advice from Angela, MaAnna, Cindy, and Christine.

    writeraniac, the webinar you attended did a great job of waking you up to the potential threats out there. Everyone needs to be aware that at any moment ANY website (WordPress, Website Tonight, CMS, or html site) can be maliciously attacked and/or destroyed. First and foremost you need to have a clean backup of your website after any changes you've made (added new posts, installed a new plugin, tweaked your theme) so you can easily restore it back to normal.

    Also take into account that you yourself can add a plugin, script or bad code that can break your site. So backups of both your database and your website files are essential.

    For the backup and cloning concept, I'm not sure which product they were selling on the webinar. But I also recommend BackupBuddy, which creates backups of everything: your essential WordPress files and your database. Another neat feature is that it will back up any custom folders you created; for example, you can include the directory for your downloadable products too. My backups are auto loaded offsite to my Amazon S3 account. So if my hosting server gets compromised then my backups are safely stored in another location. Here's a short post I wrote about BackupBuddy and a discount code if you're interested.

    Regarding premium themes and security, I highly recommend StudioPress Genesis framework. They're security conscious and hired Mark Jaquith, WordPress lead developer, to do a thorough security audit.

    In regards to the GoDaddy website program, I have not used it. I personally like to have control of my website without limitations (one of the reasons I self-host WordPress) and programs such as these only allow you to do certain things on your site. Things to consider: Do they do security checks and updates? Is security information readily available? With WordPress, when a security vulnerability is discovered they make patches to close the holes and a notification is displayed on the top section of your WP dashboard.

    To help protect yourself from future TimThumb vulnerabilities, install the Timthumb Vulnerability Scanner plugin and set it to auto-scan. What's scary is that even today there are still premium themes and plugins with outdated versions circulating that still have the backdoor. Two weeks ago I bought a premium theme at ThemeForest and it had version 1.8.1. YIKES! For more information see my post on the Timthumb Vulnerability Scanner plugin.

    One last thing I would recommend is having your site auto-scanned daily for malware. I use Sucuri. If you're concerned your site is infected with malware, you can scan it for free here.
    Regina Smola
    WordPress Security Expert, Coach & Speaker
    WPSecurityLock.com | Facebook | Twitter | LinkedIn

  9. #9
    Join Date
    Mar 2010
    Location
    Virginia & UK
    Posts
    239

    All good advice above here. One other issue I have seen with systems like Website Tonight, Yahoo Stores & Volusion is that once you start to actually learn more, and you will have to learn about the 'tech side of things' whether you want to or not in order to sustain a site and be successful online - you will want the control and the freedom to make your site whatever you want it to be the way you want it to be.

    Invest in a solid foundation for your site. It is the home of your business online; treat it like you would a physical home - lock the doors and windows, and insure it - meaning do all the things mentioned above - backup, update the theme asap when new releases are available, backup, maintain plugins, backup, only use plugins from WP extend, backup and be careful who you invite to work on it - make sure they're 'licensed & insured' meaning certified with good testimonials. You get the picture about backup, right? Automate it; it's the only way it will happen as it should. As all the others say, store it externally. I like Amazon S3 - cheap and easy to use.

    If you ever come to sell your online business you will find it easier to hand over to a buyer and savvy buyers will use the lack of control as a negotiation negative saying they will need to offset the cost of transferring it - if they believe that's what they need to do as a seller, there's almost nothing you can say to overcome that objection - so being on a 3rd party platform will cost you if you want to sell.

    Finally there is a reason the White House, 10 Downing Street (British Govt), New York Times, Martha Stewart Living etc all have their sites/blogs running on WordPress - it works, it makes it easy to update, it helps their content rank better & faster, they just take proper security precautions to protect their sites from hackers.

    Hope this helps,
    Cheers
    Debra

  10. #10
    MaAnna Guest

    Hearty agreements with Christine, Regina and Debra.

    I'm in the middle of a site redesign and starting to run content that will eventually become an archive page for beginners. The first post is an overview of the difference between a manual WordPress install and the 1-click way. It's here.
