Website Maintenance Information For My Clients Bob Spies, Flying Seal Systems, LLC Updated: 08- Nov- 2015



Similar documents
MONTHLY WEBSITE MAINTENANCE PACKAGES

Tips for Banking Online Safely

Desktop and Laptop Security Policy

ReadySpace Limited Unit J, 16/F Reason Group Tower, Castle PeakRoad, Kwai Chung, N.T.

Nikolay Zaynelov Annual LUG-БГ Meeting nikolay.zaynelov.com

Introduction: 1. Daily 360 Website Scanning for Malware

WordPress Security Scan Configuration

My Secure Backup: How to reduce your backup size

Steps for Basic Configuration

Daylite Server Admin Guide (Dec 09, 2011)

EXPERT STRATEGIES FOR LOG COLLECTION, ROOT CAUSE ANALYSIS, AND COMPLIANCE

Open an attachment and bring down your network?

5 DEADLY MISTAKES THAT BUSINESS OWNERS MAKE WITH THEIR COMPUTER NETWORKS AND HOW TO PROTECT YOUR BUSINESS

Developing A Successful Patch Management Process

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002

Zscaler Cloud Web Gateway Test

Registry Tuner. Software Manual

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

User Guide. Copyright 2003 Networks Associates Technology, Inc. All Rights Reserved.

Keeping Data Safe. Patients, Research Subjects, and You

Setting up a Scheduled task to upload pupil records to ParentPay

Airtel PC Secure Trouble Shooting Guide

Remote Services. Managing Open Systems with Remote Services

Know the Risks. Protect Yourself. Protect Your Business.

MALWAREBYTES PLUGIN DOCUMENTATION

Presentation Objectives

Introduction. PCI DSS Overview

Setting up FileMaker 10 Server

PaperCut Payment Gateway Module - RBS WorldPay Quick Start Guide

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

HOW TO SELECT A BACKUP SERVICE FOR CLOUD APPLICATION DATA JUNE 2012

State of Michigan Data Exchange Gateway. Web-Interface Users Guide

The Evolution of Information Security at Wayne State University

What you can do prevent virus infections on your computer

10 Hidden IT Risks That Might Threaten Your Law Firm

Network Security Policy: Best Practices White Paper

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Contents. McAfee Internet Security 3

AVeS Cloud Security powered by SYMANTEC TM

PCI Compliance. Top 10 Questions & Answers

Advance Malware protection in distribution and manufacturing environments. Rob Dolci, April 2016, copyright aizoon USA.

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

FTP is Free, but Can You Really Afford It?

Best Practices (Top Security Tips)

CLOUD SERVICES (INFRASTRUCTURE) SERVICE TERMS PART C - INFRASTRUCTURE CONTENTS

Hacking the WordpressEcosystem

The Increasing Threat of Malware for Android Devices. 6 Ways Hackers Are Stealing Your Private Data and How to Stop Them

So, why should you have a website for your church? Isn't it just another thing to add to the to-do list? Or will it really be useful?

Security Policies and Procedures The Final Hurdle

Frequently Asked Questions

USM Web Content Management System

Web application security badges

WHY DOES MY SPEED MONITORING GRAPH SHOW -1 IN THE TOOLTIP? 2 HOW CAN I CHANGE MY PREFERENCES FOR UPTIME AND SPEED MONITORING 2

Click on the PLUGINS link in the left menu to view and upgrade your plugins. When the plugin has been upgraded you will see an Updated! message.

PCI Compliance Top 10 Questions and Answers

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

ConnectWise PSA Integration Guide

SecurityMetrics Vision whitepaper

Frequently Asked Questions: Cisco Jabber 9.x for Android

Description of Services for Basic, Intermediate, and Advanced Website Packages

National Cyber Security Month 2015: Daily Security Awareness Tips

Action Steps for Setting Up a Successful Home Web Design Business

Welcome To Advanced Topics in WordPress: Beyond the Bootcamp

Data Management Policies. Sage ERP Online

Security Fort Mac

2011 ithemes Media LLC. All rights reserved in all media. May be shared with copyright and credit left intact.!

BlackBerry Link for Windows. Version: User Guide

PSA INTEGRATION GUIDE

IT Checklist. for Small Business INFORMATION TECHNOLOGY & MANAGEMENT INTRODUCTION CHECKLIST

Risk Assessment Guide

TOTAL DEFENSE MOBILE SECURITY USER S GUIDE

THE SECURITY OF HOSTED EXCHANGE FOR SMBs

Please post bugs on our forum on or us on

Feedback Ferret. Security Incident Response Plan

YOUR TRUSTED PARTNER IN A DIGITAL AGE. A guide to Hiscox Cyber and Data Insurance

ACS Backup and Restore

Web Vulnerability Scanner by Using HTTP Method

Reporting and Incident Management for Firewalls

Malware & Botnets. Botnets

ShareSync from LR Associates Inc. A business-grade file sync and share service that meets the needs of BOTH users and administrators.

How to Use Windows Firewall With User Account Control (UAC)

Backup and Recovery. What Backup, Recovery, and Disaster Recovery Mean to Your SQL Anywhere Databases

What you need to know to keep your computer safe on the Internet

Information Security

Lotus Domino Backup Strategy

No more nuisance phone calls! Internet Control Panel & Weblink Guide

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager

Protecting Your Data From The Inside Out UBA, Insider Threats and Least Privilege in only 10 minutes!

Internet security: Shutting the doors to keep hackers off your network

Online Client Portal Client User Guide

W H I T E P A P E R E m b r a c i n g C o n s u m e r i z a t i o n w i t h C o n f i d e n c e

Roger s Cyber Security and Compliance Mini-Guide

Almost 400 million people 1 fall victim to cybercrime every year.

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Simple Membership Plugin Setup Documentation

Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION

ShoutCast v2 - Broadcasting with SAM Broadcaster

Transcription:

Website Maintenance Information For My Clients Bob Spies, Flying Seal Systems, LLC Updated: 08- Nov- 2015 This document has several purposes: To explain what website maintenance is and why it's critical that you do it. To describe the website maintenance service I provide to clients. To explain why I recommend that most clients use my maintenance service rather than attempt to do their own maintenance. To give some pointers to clients who choose to do their own website maintenance. Introduction Routine website maintenance for a WordPress site consists of backups, routine software updates, and security protection and monitoring. I offer a website maintenance service to clients that covers these activities for a relatively small cost. All three of these activities are often short- changed by website owners until something goes wrong. At that point, the results can range from inconvenient (something stops working or your website goes down) to catastrophic (an intruder modifies your website to steal money from your clients). Website maintenance is no different than auto maintenance: you need to perform it routinely to avoid problems. The sections below include some pointers that will hopefully be helpful to those who choose to do their own maintenance. However, they are not intended nor are they sufficient to be a complete reference or how- to guide. Backups Most website hosting companies do not provide adequate backup for your site. The host's backup capability- - if it even exists- - only allows you to restore the entire account to the state it existed in at the time of the backup. Getting the host to do the restore can be problematic. Finally, the quality/integrity of a host backup and/or restore may be an issue. What I Do For My Maintenance Clients For my maintenance clients, I run backups according to a client- specific schedule. I keep ten rotating backups on the site, and once a week download the most recent backup for offline storage (on my own server and on Dropbox). I test the integrity of all downloaded backup archive files. I keep the offline copies for at least 90 days. Website Maintenance Page 1 Updated: 08- Nov- 2015

If a restore is needed, I make a variety of decisions such as which components to restore, automatic or manual, which backup set to use, etc. based on the particulars of the situation. If You're Choosing to Do Your Own Backups You'll need to install backup software. There are free alternatives available, although I don't consider them as safe/reliable as the commercial software I use for my maintenance service clients. Used properly, a backup plugin can be a helpful part of your backup strategy. However, it is only a tool. It requires proper configuration and monitoring. The fact that it's installed on your site does not by itself mean that your site is safely being backed up. When using a backup program: Make sure you understand and correctly set the options, including setting up an appropriate schedule. Make sure your backup strategy includes copies stored in a safe place not on the web server. Make sure you're monitoring that backups are happening when expected. Periodically test the integrity of the backup archive files. (It's best to test the offsite copies, since the transfer process is one place where corruption may occur.) Why I Recommend You Let Me Do It Rather Than Do This Yourself The steps involved in properly setting up backups, making sure they're running when they're supposed to, and validating that the backups created are reliable are time- consuming and require technical expertise. For example, the most reliable way to copy backups from your website to somewhere else is FTP, which isn't particularly user- friendly. When a restore is necessary, analyzing what's needed and the best way to accomplish it can require a fair amount of technical expertise. Performing the necessary monitoring to insure scheduled backups are happening properly is something that's easy to forget to do. I have the necessary technical expertise to deal with the issues that may come up. And since I'm doing this for multiple clients as a business activity, I have a schedule, systems, and procedures in place that make it more likely that all the necessary steps will happen correctly and on time. Routine Software Updates On a WordPress install, the following components get routinely updated: WordPress Core o Major Updates These have version numbers like 4.2, 4.3. Website Maintenance Page 2 Updated: 08- Nov- 2015

o Minor Updates These have version numbers like 4.21, 4.22, etc., and are generally security related. Unlike most other updates, these (a) happen automatically, and (b) are very unlikely to break anything on your site. Theme (controls the site's visual aspects). With most sites I build, there are likely to be a parent theme most commonly Genesis (technically a theme framework) and a child theme, which is where I've done most of the custom work. The parent theme is the one that periodically requires updates. (Updates are occasionally required for child themes too, but this is rarer.) Plugins (3 rd party code that adds additional functionality to the site). There are three reasons for these updates: 1) New features and functionality. 2) Continued compatibility with other software that has been updated (e.g., WordPress core). 3) Resolution of newly discovered security vulnerabilities. Sometimes website owners believe they can forgo updates because they don't need new features and functionality. But that ignores reasons (2) and (3) above. The bottom line is that you need to keep up with updates or risk (a) your website malfunctioning, or (b) even more important, your website becoming infected due to a security vulnerability. With respect to the latter, shortly after a security vulnerability becomes public, malware engines around the world get updated. These systematically and randomly probe websites looking for the vulnerability, and, once it's found, attempt to use it to break in / infect. But even though it's important to keep your website up- to- date, occasionally an update itself will cause your site to fail. It's not possible for an update's author to be able to anticipate all the situations that exist on every website on which it's going to be applied. Nine out of the next ten updates you apply will go fine. The tenth will cause problems for or break your site. So, you need to: a) Always be ready to revert the application of an update. There isn't any "standard" way of doing this; it's a matter of restoring relevant components from a recent- enough backup. b) When it appears that an update is likely to be "high- risk" on your site, test it in a test environment first. Except for the updates that happen automatically, most updates can be applied from your WordPress admin using a "one click" process. Performing the update is a very simple process. What's not so simple is dealing with any problems the update causes. Website Maintenance Page 3 Updated: 08- Nov- 2015

What I Do For My Maintenance Clients I use my knowledge of the updates waiting to be applied to determine the level of risk associated with each. I make sure there is a backup available in case an update causes problems. In the rare event that an update process fails, I clean up the damage and apply the update manually. If I judge there is enough risk to merit it, I first test the update in a test environment. If an update causes problems, I fix them and/or revert to backup. If necessary, I analyze the source of the problems and make changes to the client's setup so the update can be applied. If it appears that the update itself is defective, I work with the vendor if necessary and wait for a fixed version. If applying the update requires extensive changes to a client's site, there is the possibility there might be chargeable time involved. I would always clear this with the client first. To date this has been an extremely rare occurrence. If You're Choosing to Do Your Own Routine Updates Make sure you have a current backup before performing the update. Install one update at a time. That way, if something goes wrong, you'll know which update was responsible. Unless the notes associated with an update say it fixes a critical security vulnerability, consider waiting a week after it comes out before installing it. That gives time for an update- to- the- update to be issued if any significant problems with it are found. Consider learning how to create and use a test environment. Most hosting plans allow this for no additional cost. However, it can be quite complex technically. Why I Recommend You Let Me Handle Updates Rather Than Doing It Yourself The main reason is that if something goes wrong, I'm in a position to deal with it immediately so your site isn't down or compromised. Also, I'm generally familiar with what's going on with current updates. I'm therefore probably going to know how much likelihood there is of a particular update creating problems. Website Maintenance Page 4 Updated: 08- Nov- 2015

Security Protection and Monitoring The web has become a more dangerous place in the last couple of years, both in terms of the number and sophistication of attacks on websites. Whereas a few years back the concern was primarily lone hackers looking to do malicious mischief, now the major concern is automated attack engines with an objective of theft. Today's attack may consist of the quiet installation of code on your site designed to infect your visitor's PC's or get them to reveal their credit card information. Often organized crime is involved. What You Need To Do Regardless of Who Does Your Maintenance Don't create a site admin user id that contains either the word "admin" or the name of your website. Use secure passwords. WordPress can now auto- generate passwords that are extremely secure. Don't access your site admin over public wifi unless your site uses https or you're using a VPN. (Neither of these is normally the case.) Don't access your email over public wifi unless you know you are using a secured connection. What I Do For My Maintenance Clients I install the Wordfence security plugin, and use it in several ways beyond its default protection: I configure it to freeze out bot attacks on your site. Wordfence notifies me of various conditions identified as a result of its daily scan. This includes differences from repository versions in core WordPress, themes, and plugins. (These settings are more aggressive than the defaults.) I review any alerts and determine whether there's a problem. Wordfence notifies me of all logins on your site by users with administrator privileges. I review the user name and location they're logging in from to look for anomalies. (This helped me to catch a dangerous break- in on one client's site almost immediately.) Why I Recommend You Let Me Do It Rather Than Do This Yourself Wordfence regularly identifies potential anomalies that are probably insignificant but could indicate an infection. A typical example: I received a notification that some files on a plugin at one of the sites I support now differed from the repository version. Upon investigating, I discovered code differences existed in a couple of different files. The differences didn't look like an infection, but there were enough changes that I wasn't totally confident of this. (Sometimes what gets inserted is a call to a different file with the actual Website Maintenance Page 5 Updated: 08- Nov- 2015

malware that could be easy to miss.) So I compared the two files against a backup from several days prior and discovered there were no changes from that date. I could now be confident that the source of the problem was a "quiet" update by the plugin's author. This happens frequently when an author decides to update the code in the current release without giving it a new version number and thus triggering updates. Because of the potential for this to create false positives, Wordfence leaves theme and plugin scanning turned off by default. But for a technical person who knows how to evaluate the alerts, these scans can be important; in fact, they were part of how in another case I was able to quickly catch an infection of a client's site that could have been catastrophic. Website Maintenance Page 6 Updated: 08- Nov- 2015

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information