Website Security & Backup

ContextOutdated software is the primary attack vector for CMS-based sites. When a vulnerability is disclosed in WordPress core, a plugin, or a theme, the disclosure is public — attackers have the exploit details immediately and begin automated scans for sites running the vulnerable version. Update timing is the defense: sites updated within days of a security release are rarely compromised; sites running months-old versions are systematically targeted. WordPress enables automatic background updates for minor security and maintenance releases by default. For plugins: enable auto-updates for those with a strong support history, and manually review major version updates before applying them. Remove deactivated plugins and themes entirely — they remain scannable and exploitable even when switched off.

ContextWordPress's XML-RPC endpoint (/xmlrpc.php) was designed for remote publishing tools and is required by Jetpack for its WordPress.com connection. For sites that use neither, the endpoint should be disabled — it is a frequent target for credential brute force attacks that bypass standard login attempt limiters, because XML-RPC allows bundling hundreds of authentication attempts into a single HTTP request, which many rate limiters do not count correctly. Disable via a plugin (Disable XML-RPC, or the security section of Wordfence or iThemes Security) or by blocking the file in .htaccess: add <Files xmlrpc.php> deny from all </Files> inside the WordPress .htaccess block. If you use Jetpack, leave XML-RPC enabled and rely on Jetpack's built-in brute force protection instead.

ContextA WAF filters malicious requests before they reach the web server, blocking common attack patterns including SQL injection, cross-site scripting (XSS), path traversal, and known exploit signatures. Cloudflare's free tier provides: the Cloudflare Free Managed Ruleset, volumetric DDoS mitigation that absorbs traffic floods capable of taking a shared server offline, a global CDN that also improves page load performance, and SSL certificate management. The free tier is sufficient for most informational sites, portfolios, and small business sites. Implementation: change your domain's nameservers to Cloudflare's — all inbound traffic then passes through Cloudflare before reaching your origin server. The full setup takes approximately 30 minutes.

ContextFile permissions control who can read, write, and execute files on the server. Overly permissive settings — particularly 777, which grants write access to all users — are a significant vulnerability: if an attacker gains code execution anywhere on the server, write permissions elsewhere allow them to inject malicious code into additional files. The correct defaults: 755 for directories (owner can write; group and others can read and traverse), 644 for PHP and HTML files (owner can write; others can only read), 600 for wp-config.php (contains database credentials — should be readable only by the server process user, never web-accessible). Apply via SSH with chmod 600 wp-config.php, or via an FTP client like FileZilla. If you are uncertain, ask your hosting provider's support team to verify permissions.

ContextMost hosting providers now offer free SSL via Let's Encrypt — enable it directly in the hosting control panel. Forcing HTTPS: add a redirect rule in the .htaccess file (Apache servers) or nginx configuration, or use the Really Simple Security (formerly Really Simple SSL) plugin for WordPress, which handles the redirect and fixes most mixed content automatically. After enabling HTTPS, check for mixed content — HTTP resources (images, scripts, stylesheets) loaded on an HTTPS page — using the browser DevTools console (F12, look for 'Mixed Content' warnings) or the Why No Padlock tool. Mixed content strips the secure padlock indicator from the browser and can re-expose data. Verify that the SSL certificate is configured to auto-renew — Let's Encrypt certificates expire every 90 days, and an expired certificate causes an alarming browser error that drives visitors away.

ContextSecurity headers instruct browsers on specific security behaviors. The most impactful: X-Content-Type-Options: nosniff (prevents browsers from MIME-sniffing responses, which reduces cross-site scripting risk), X-Frame-Options: SAMEORIGIN (prevents the page from being embedded in iframes on third-party sites, blocking clickjacking attacks), HTTP Strict Transport Security / HSTS (tells browsers to always request the domain over HTTPS, preventing protocol downgrade attacks), and Content-Security-Policy / CSP (a more complex but powerful header that restricts which scripts and resources the page may load). Cloudflare can inject most of these headers through its Transform Rules without touching server configuration. Without Cloudflare, add them to the .htaccess or nginx config. Verify the result at securityheaders.com.

ContextA backup stored on the same server as the site is lost if the server is compromised by ransomware or account hijacking, or suffers a hardware failure. Backup storage must be logically independent: Amazon S3, Backblaze B2, Google Drive, or Dropbox are all valid destinations. For WordPress: UpdraftPlus (free tier) supports scheduled backups directly to cloud storage destinations and is straightforward to configure. Essential settings: daily backup schedule and a retention window of at least 30 days — infections are often present for weeks before discovery, so a short retention window may contain only infected copies. Both files and the database must be backed up — the database holds all content; the files hold themes, plugins, and media.

ContextThe catastrophic failure mode: a site is compromised, a restore is initiated, the restore fails — due to file corruption, an incomplete transfer, or a PHP timeout during a large database export — and there is no clean copy to fall back to. Prevention requires at least quarterly restore testing: download a backup and restore it to a local development environment (Local by Flywheel, XAMPP) or a staging site. Verify that all pages load, database connections work, and content appears correctly. This is the only way to confirm that a backup is genuinely restorable. Backup corruption most commonly results from interrupted backup processes, files not fully transferred to the remote destination, or PHP memory limits timing out during large database exports.

ContextSecurity scanners check for: modified core files (comparing against known-good WordPress file checksums to detect tampering), backdoors hidden in theme or plugin files, malicious code injections in the database (such as eval() base64 patterns used to obfuscate malware), and plugin or theme versions with disclosed CVEs. For WordPress: Wordfence (free tier) provides scheduled and on-demand file scans with alerts when scheduled scans detect modifications. Sucuri SiteCheck (sitecheck.sucuri.net) provides a free external scan from outside the server. Note that external scanners only see what is returned to the browser — a plugin-based scanner that reads server-side files directly provides more thorough detection. Monthly on-demand scans plus continuous Wordfence monitoring is the recommended baseline.

ContextA disaster recovery plan is a written document — not a mental model — that defines: what events constitute a security incident requiring a formal response (malware detected, site defaced, unauthorized admin login, data breach), who owns the response and how they are reached, the specific investigation steps and how to assess the scope of damage, the restoration procedure (which backup, which environment, verification criteria before going live), communication requirements (notify hosting provider; notify affected users if personal data was accessed), and the post-incident review to close the entry point. The core value is that decisions made in writing during calm are more reliable than decisions improvised under the pressure of an active incident. Most sites have a backup; far fewer have a documented and practiced recovery process.

ContextA site that has been taken offline, defaced, or is silently redirecting visitors to spam pages may go unnoticed by the site owner for hours or days — particularly for lower-traffic sites. Uptime monitoring services poll your site at short intervals and send an email or SMS when the site goes down or returns an unexpected status code. Free options: UptimeRobot monitors up to 50 sites at 5-minute intervals at no cost; Freshping offers 1-minute checks on its free tier. More advanced monitoring can also alert on SSL certificate expiration before the Let's Encrypt renewal window closes and on keyword disappearance from key pages — catching defacements or redirect injections that do not take the site fully offline.

ContextAccess logs record every HTTP request to the server: source IP, requested URL, HTTP status code, and user agent string. Periodic review reveals: repeated 404 errors targeting admin or config file paths (path traversal probing), high volumes of POST requests to wp-login.php or xmlrpc.php (brute force attempts), rapid sequential requests from a single IP (automated scanning), and unusual user agent strings associated with known attack frameworks. Most hosting control panels (cPanel, Plesk) provide log viewer access; SSH access enables more flexible analysis. Cloudflare's analytics dashboard — even on the free tier — shows blocked request counts and traffic anomalies without requiring raw log access. Weekly or monthly review is adequate for most sites; automated analysis tools like GoAccess or AWStats reduce the time investment significantly.