WordPress Security Roundtable: Using backups and updates to keep sites secure


We are back with your WordPress Security Experts Roundtable. In this article, we will discuss backups and updates of your WordPress website.

Remember, our first article with our WordPress Security Expert was “Preventing compromises for your WordPress website.”

How often should I update? What should my process be to test after updates? Update a few sites first before updating them all? What is your advice? 

According to our experts, here are 6 important things to remember:

  1. Security updates ASAP.
  2. Automation to check sites.
  3. Update busy and problem sites first.
  4. Keep and test your updates.
  5. Use a staging site to update mission critical sites.
  6. Changelogs can help you make decisions.

Robert Rowley, Patchstack

www.patchstack.com

“Update as frequently as possible,” according to Rowley, and always apply security updates immediately. He points out that you can use automation to check whether sites have broken after updates.

“You should update as frequently as possible and if it is a security update, immediately! Checking for sites breaking can be automated, program a bot or script a tool that runs through site check tests.”
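One way to script the kind of post-update site check Rowley describes, as an added example that is not from the article or from Patchstack. The function names, the `shop.example` URLs and the canned responses are constructed for illustration; the two WordPress error strings are the ones core displays on a fatal error and on a database failure.

```python
import re
import urllib.error
import urllib.request

# Text that means the page is broken even if the status is 200.
FAILURE_MARKERS = (
    "There has been a critical error on this website",  # WordPress fatal-error screen
    "Error establishing a database connection",         # WordPress database failure screen
)
# Raw PHP error output, with or without html_errors markup.
PHP_ERROR = re.compile(r"(?:<b>)?(?:Fatal|Parse) error(?:</b>)?:\s")

def fetch(url, timeout=10):
    """Return (status, body); HTTP error statuses are returned rather than raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_page(status, body, must_contain):
    """Return a list of problems for one response (empty list = healthy)."""
    problems = [] if status == 200 else [f"HTTP {status}"]
    problems += [f"error text: {m}" for m in FAILURE_MARKERS if m in body]
    if PHP_ERROR.search(body):
        problems.append("PHP error output in page")
    if must_contain not in body:
        problems.append(f"expected text missing: {must_contain!r}")
    return problems

def check_site(pages, fetcher=fetch):
    """pages maps URL -> text that must appear; returns {url: problems} for failures."""
    failures = {}
    for url, must_contain in pages.items():
        try:
            problems = check_page(*fetcher(url), must_contain)
        except OSError as err:  # DNS failure, refused connection, timeout
            problems = [f"unreachable: {err}"]
        if problems:
            failures[url] = problems
    return failures

# Constructed sample: canned responses standing in for a site after an update.
SAMPLE_RESPONSES = {
    "https://shop.example/": (200, "<h1>Shop</h1><a>Add to cart</a>"),
    "https://shop.example/checkout/": (200, "<p>There has been a critical error on this website.</p>"),
    "https://shop.example/blog/": (500, "<b>Fatal error</b>:  Uncaught Error in plugin.php"),
}
SAMPLE_PAGES = {"https://shop.example/": "Add to cart",
                "https://shop.example/checkout/": "Place order",
                "https://shop.example/blog/": "Recent posts"}
```

Run `check_site` with the default `fetch` against a short list of pages per site, each paired with text that only renders when the page works, so a status-200 error screen is still caught.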


Chris Bourne, Website Managed

Bourne believes in delaying minor updates for 7 days, with the exception of security updates. He also gives advice on which sites to check first.

“Delay updates for 7 days except for known security updates. Select a handful of busy sites to check for update issues. Update the problem sites first; they are the ones that drive you nuts.”

Kathy Zant, StellarWP

www.StellarWP.com


Zant points out that the type of website affects how you approach updates. Be sure to keep backups and to check them. For business-critical sites, you can keep an up-to-date staging site to test and evaluate updates.

“The answer really depends on the type of site. If it’s just your blog with minimal plugins and a regular backup, update away. If it’s a mission-critical, lose-money-every-minute you’re down-type-of-site, then ensure you have an up-to-date staging server with a parallel environment to your production server and test your updates there before updating on the production site.

“Backups first, and of course make sure you’re testing your backups regularly. Start with the minimal updates (point releases) and ensure they’re updated before updating major releases. 

“Start with plugins first, then themes, then core.”


Edward O’Rourke, Jupiter Multimedia LLC

www.jupitermultimedia.com

O’Rourke also believes in having a current backup. Always keep sites updated because of security. According to O’Rourke, test your updates on your staging site first. 

“Rule 1 always have a current backup. 

“Rule 2 always update as they are available, especially if it relates to security. With all the WordPress sites I manage, updates are applied as they become available. We have a strict backup and staging policy. Prior to updates, the site is backed up and a staging site is created on the fly. 

“The staging site is updated and tested. If all works fine, the live site is updated. If there is any issue, we either resolve it ourselves or work with the developer of the plugin or theme. Order of updates can be important at times so our method is plugins first, theme next and then WordPress core.”

 

Erikas Vainoras, Hostinger

www.hostinger.com

Like our other experts, Vainoras believes updates are important because they patch vulnerabilities. He points out that reading changelogs can help you judge how important an update is.

“Updates are one of the most important aspects of cyber security. Every time a vulnerability occurs, software providers patch it and release a new update. It is recommended to keep your software/plugins up to date at all times. 

“However, there might be occasions when it is not possible to update immediately due to various circumstances. In such cases, reading the changelog that comes with an update can help to determine whether it is required to urgently update or if it just covers minor fixes that have no real security impact, so the update process can be postponed to a more convenient time. After the update is done, reviewing log files is a good idea to make sure everything runs smoothly and without errors.

“My advice would be to update your systems as soon as the update is released. If it is not possible, find out what was patched with the update, minor fixes can be postponed. However, if it is security related, it has to be done right away for all impacted systems.”

 

What makes a good backup plugin? Should I use a plugin or backup at the server level? 

Which should you use, a backup plugin or backup from the server? That depends on who you ask. Rowley and O’Rourke prefer to let the server handle the backups. Bourne, Zant and Vainoras believe in having both. All believe it is necessary to have backups and to be able to use them to save downtime in the event of a compromise.

Robert Rowley, Patchstack

www.patchstack.com


“I prefer backups to be managed by the server itself. Almost every host supports this and with minimal effort, you can have the backups stored off-site as well. So, check with your host and to cover all of your bases, make sure you collect a copy for yourself on a regular schedule (or before any major updates.)”

Chris Bourne, Website Managed

“Both, backup at website level and several server levels. This helps when one backup system hasn’t been working and wasn’t detected as faulty yet.”

Kathy Zant, StellarWP

www.StellarWP.com


A good and easy backup plugin is one you actually use! Test backups. Document your backup process.

“A good backup plugin is the one you’ll use! Choose something that’s easy and copies your backups off the server to a secure location. Test your backups every so often to ensure that they are usable and backing up all of the right things. Make sure your restore process is documented. 

“A good backup and documented process, combined with intrusion detection, can mean the difference between recovering from a hack within minutes or days.”
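A sketch of the backup test Zant recommends, as an added example that is not from the article or from StellarWP. It assumes a hypothetical layout: a `.tar.gz` holding the site files plus one mysqldump-style `.sql` file, with the default `wp_` table prefix; `verify_backup`, `make_backup` and the sample data are constructed for illustration.

```python
import io
import re
import tarfile

CORE_TABLES = ("options", "posts", "users")  # a subset of the tables every WordPress site has

def verify_backup(fileobj, prefix="wp_"):
    """Return a list of problems found in a .tar.gz site backup (empty list = passed)."""
    try:
        with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
            files = {m.name.removeprefix("./"): m for m in tar if m.isfile()}
            dumps = [n for n in files if n.endswith(".sql")]
            sql = ""
            if dumps:
                sql = tar.extractfile(files[dumps[0]]).read().decode("utf-8", "replace")
    except (tarfile.TarError, EOFError, OSError) as err:
        return [f"archive unreadable: {err}"]
    problems = []
    if "wp-config.php" not in files:
        problems.append("wp-config.php missing")
    if not any(n.startswith("wp-content/themes/") for n in files):
        problems.append("no theme files under wp-content/themes/")
    if not dumps:
        return problems + ["no .sql database dump in archive"]
    for table in CORE_TABLES:
        if not re.search(rf"CREATE TABLE `{re.escape(prefix + table)}`", sql):
            problems.append(f"table {prefix}{table} missing from dump")
    if "-- Dump completed" not in sql:  # mysqldump writes this as its final line
        problems.append("dump has no completion marker (truncated?)")
    return problems

def make_backup(entries):
    """Build an in-memory .tar.gz from {path: text} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in entries.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

# Constructed sample dump: three core tables and mysqldump's closing line.
GOOD_SQL = "".join(f"CREATE TABLE `wp_{t}` (id int);\n" for t in CORE_TABLES)
GOOD_SQL += "-- Dump completed on 2024-01-01  3:00:00\n"
```

A passing check only shows the archive is readable and contains the right things; restoring it to a staging site remains the full test.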

Edward O’Rourke, Jupiter Multimedia LLC


www.jupitermultimedia.com


According to O’Rourke, use your server for backups. He is not in favor of PHP-based backup plugins because they add unnecessary bloat to the website.

“Don’t use additional PHP based plugins for anything your server should be handling. It makes no sense to me to use a PHP plugin that will consume more resources to do something the server is more than capable of doing with far less impact on resources. 

“My backup plan is 1 daily database backup, 2 weekly backups and 2 monthly backups. This is all handled at server level. Additionally, a backup is created immediately prior to any upgrades. I simply don’t really like any backup plugins based on PHP because I find that to be extra bloat and load on a site that just isn’t needed.”

Erikas Vainoras, Hostinger

www.hostinger.com


“Backups are an essential part of any website; there are hundreds of choices for backup plugins, and the main feature of a good plugin should be the ability to store backups remotely, so in case of an emergency in a local environment, it does not get compromised. 

“Backups should also be up to date at all times and easily restorable. Depending on the website’s environment and development process, real-time backup might be a necessary feature to have. 

“There is no such thing as too many backups; it might be the key to keeping your business online, so having both a plugin and a server-level backup can help ease your mind!”

Wrapping it up

Backups and updates are a key part of the security process.

Both are needed!

Most updates are security-related patches for vulnerabilities, so they should be applied immediately. Make sure you keep backups and test them. You can use a backup plugin, backups at the server level or both.

It’s helpful to have both types of backups in case one is faulty. Backups and updates are vital in reducing any downtime. Be sure to document your process.

What tips do you have? Let us know in the MainWP Users Facebook Group.
