Backup Machine Blog
What's happening at Backup Machine? The team will share updates and insights into life inside the machine!
Over the last 3 years, we’ve noticed a huge increase in the number of businesses and individuals who recognise how essential it is to backup all their data, especially their website.
“World Backup Day is a day for people to learn about the increasing role of data in our lives and the importance of regular backups.
This independent initiative to raise awareness about backups and data preservation started out — like most good things on the internet – on reddit by a couple of concerned users.” – World Backup Day
25% Off Backups – For Life!
To celebrate this occasion, for the next week we’re offering a whopping 25% off the cost of any of our backup packages for the lifetime of the package!
Just use the coupon WORLD2013 at checkout to receive this offer. It’s valid until the end of the week. Signup today and get your site protected!
Here at Backup Machine, we’re great fans of the popular note-taking service Evernote.
Unfortunately, their systems have just been compromised…
… leaving the possibility that a criminal group has got a copy of your username and one-way-encrypted password.
So if they’ve used one-way encryption, what’s the problem?
One-way encryption (hashing) is a great idea, and we use it at Backup Machine too.
However, even with a hashed password, it’s possible (with enough time and processing power) to find its original value.
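Why "enough time and processing power" is the deciding factor, shown as an added example (not code from Evernote or Backup Machine): a bare, unsalted hash is cheap to compute and identical for every user with the same password, while a salted, deliberately slow hash makes each guess far more expensive. The iteration count and sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def fast_unsalted(password):
    """A bare hash: one SHA-256 call and no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, salt, iterations, expected):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def cost_per_guess(fn, rounds):
    """Average seconds one hash computation takes, i.e. the price of one guess."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"candidate-{i}")
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Unsalted: two users with the same password get the same stored value.
    print("unsalted equal:", fast_unsalted(pw) == fast_unsalted(pw))
    # Salted: the same password is stored differently for each user.
    a, b = hash_password(pw), hash_password(pw)
    print("salted equal:  ", a[2] == b[2])
    print("verify ok:     ", verify_password(pw, *a))
    fast = cost_per_guess(fast_unsalted, 2000)
    slow = cost_per_guess(hash_password, 3)
    print(f"one guess costs about {slow / fast:,.0f}x more against the slow hash")
```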
What should I do?
First of all, if you use Evernote – change your password there: http://evernote.com/corp/news/password_reset.php
Hacks like this serve as a reminder for us all to choose a separate password for every service we use.
Your own website’s FTP, SSH and Database passwords are doubly important to protect in this way. You don’t want to have to change all your different passwords in a hurry when you think you’ve had your credentials compromised.
Help, I’m trying to remember too many passwords!
Of course, these days we all use many online services – and some of us have to choose usernames and passwords for our own services as well. How do you keep track of them?
We use password management services such as:
These will not only store your many passwords in an encrypted file, but will help you to generate a new password for each site – ensuring a suitable password complexity, and randomness.
An even better way to protect your services is to use 2-factor authentication. We’ll cover this in more detail in our next blog post.
Fasthosts are a leading hosting provider in the UK. They do not currently offer a customer-accessible backup solution, but don’t worry – we can provide one for you!
It’s quick and simple to take an offsite backup of your Fasthosts website and MySQL database, automatically with Backup Machine.
In order for Backup Machine to backup your website, we require FTP (or SFTP) access to your website’s files.
Log into your Fasthosts Control Panel, then choose the “Hosting” menu. Select the website name you want to back up. This will take you to an overview page for your website, where you can control its FTP details as well as any related databases.
Add FTP Access
Click on the icon marked “FTP” within your website’s overview page.
From this screen you can reset the main (or “Master”) FTP password for your website. If you do not know it already, you will need to specify a new password here and remember it.
This “Master FTP Account” uses your website’s domain name (e.g. mydomain.com) as the FTP username. Backup Machine can use this account, but it would be better to create a special account, just for backing up your files.
Fasthosts provide a guide for adding additional users here: https://help.fasthosts.co.uk/app/answers/detail/a_id/33/kw/add%20FTP%20user
You will need to add a user with access to the root of your website (‘/’) and at least View Files and View Folders permissions.
PLEASE NOTE: You’ll need to wait up to 15 minutes for the FTP username and password to make their way onto Fasthosts’ FTP servers.
While that’s happening, let’s sort out your database too.
Add Database User
From the website overview page in your Fasthosts control panel, you should see a “Databases” icon. Clicking on this icon will show you a list of your databases.
As well as your username and password, you will require the values of “Database Name” and “Server IP Address” from this list.
To add a user (or new database), please refer to Fasthosts’ “MySQL Guide”, available here: https://help.fasthosts.co.uk/app/answers/detail/a_id/42/kw/add%20mysql If you already have a database, jump to the section entitled “Adding users to your database” in this guide.
In Backup Machine
Within your Backup Machine account, click “+ Add Website” on the left-hand side of the screen. Please substitute <domain name> for your website’s domain name (e.g. mywebsite.com) in the following guide:
- Your website address is “www.<domain name>”
- Your FTP server address is “ftp.<domain name>”
- Your FTP username is “<domain name>” unless you added your own user, in which case please use that user’s username.
- Your FTP password is as you specified within the Fasthosts control panel.
Once you have completed the “Add Website” wizard, you can now add your database’s details (if you have one):
Click “Your Websites” from the left-hand menu, then select “<domain name> settings”, or the thumbnail of your site.
From here, click “Add MySQL database”, then choose the “Connect Directly” option.
- Your database server address is the IP Address you recorded from the list of databases in your Fasthosts control panel
- Your database name, username and password are the ones which you specified in your Fasthosts control panel
It’s always a good idea to have an automated offsite backup, regardless of your hosting provider. We’ll be covering other hosting providers in future. If you would like us to produce a guide for yours, why not get in touch?
We’ve been working hard at Backup Machine to create a new way to backup your website’s database, even when your host doesn’t give you remote access.
Since we launched, we’ve allowed you to backup your database either directly or by using SSH. Even then, sometimes that hasn’t been enough. We’re truly committed to ensuring that everyone can back up their data, so this didn’t stop us searching for alternatives.
Today we’re proud to announce a third backup option: Backup your database through your website.
By using a simple PHP script that you can securely download through our site, we can now backup your database – even when the other options aren’t available to you.
Security at Backup Machine is paramount. As such, all data and database credentials are strongly encrypted when transferred to and from your site. The script itself does not contain a copy of your database password.
Unlike some other inferior technologies, we’ve worked hard to ensure that your data remains safe at all times.
This option is now available to everyone through their Backup Machine account. If you’ve been unable to backup your database in the past, why not give us a go with one of our free accounts?
Last time we looked at password security, so let’s take a look at another set of tools in the criminal’s toolbox – exploits.
What are Exploits?
Exploits are security problems that allow an attacker to do things with your site that you didn’t intend them to. In the real world, picking a lock could be considered an “exploit” as it allows the picker to access something they shouldn’t.
If you run a simple website which only shows the same content over and over again (e.g. it just has html and image files) then you’re relatively safe. Unless an attacker can exploit your web server, then you’re probably out of harm’s way.
However, the moment your website starts doing things with scripts and/or a database, you have to be far more careful. If an attacker can make your scripts do things you weren’t intending, they can potentially do some of the following:
1) Access information on your database which they don’t normally have access to:
Imagine if an attacker got hold of your customer list – this could potentially land you in trouble with data protection agencies. Not to mention the problems with your customer list being spammed.
Or perhaps they download your users’ usernames and passwords? Now, we assume that there isn’t a list of unprotected passwords in your database – but even when encrypted or hashed, recent hacks have demonstrated that even these measures can be overcome.
Again, you shouldn’t be storing credit card information unencrypted, but if a hacker was to get hold of your customers’ credit card details, you could find your bank’s merchant facilities withdrawn.
2) Update files within your website:
An attacker could simply redirect your customers to their own websites. If they were in a malicious mood, they could deface your brand. Or without you even becoming aware, they could illegitimately improve their own search engine rankings by placing back-links within your website.
3) Launch attacks on other servers:
Once your site is hacked, it can become a useful stepping stone to carry out attacks elsewhere on the Internet. If such an attack were ever traced back, it would appear to come from your site, rather than the real culprit’s.
4) Use your website to host illegal material:
I don’t think I really need to describe the sort of files criminals would like to store. Needless to say, you don’t want it associated with your site!
These are just some of the things they can do – but the list is endless.
That said, let’s have a look at some of the things you can do to protect yourself.
Old Versions of Blog, Shopping Cart or CMS Software
The most common threat to your website comes by running old copies of off-the-shelf software (such as the popular blog software: WordPress). Because they are installed on so many websites, they are a very attractive target for hackers. To counteract this problem, these systems are updated frequently to fix security holes.
If you run any downloaded (or pre-installed) software on your site, you must ensure it is up to date, otherwise you could be at risk. This applies to the main piece of software, as well as any plugins you might be using.
If you’re a WordPress user: Log into your admin area (I trust you have read our last post about password security) and make sure you don’t see any alerts asking you to upgrade.
Current vulnerabilities are held on public lists – so if you’re not up to date, it’s fairly trivial for an attacker to exploit your out-of-date website. Here is a list for WordPress:
Free Plugins / Themes
If you’re using any plugins that you downloaded for free from the Internet, make sure that they don’t create security vulnerabilities in your site. Be suspicious! In general, the more popular a plugin, the more likely it’s been scrutinised by someone who knows what to look for – but this is by no means a hard-and-fast rule.
If someone wants to create a back door into a large number of websites, all they have to do is to create a popular ‘free’ plugin – and wait for unwitting website administrators to install it.
Even WordPress themes can create holes in your site’s armour. Be wary.
If in doubt – go without!
Your website runs as a specific user on the server it lives on. It also connects to your database as a specific user. If this database user has the power to drop tables in your database, then so does a hacker that manages to exploit your site. Consider how many database permissions your website really needs – does it really need to be able to alter tables on your database? Probably not.
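One way to check this for a MySQL user, as an added example that is not part of the original post: paste the output of SHOW GRANTS for your website's database user into the script and it lists every privilege beyond what the site needs at run time. The "needed" set, the user names and the sample grant lines are constructed assumptions; adjust them to your own site.

```python
import re

# Privileges a typical read/write website needs while serving pages (assumption).
NEEDED = {"SELECT", "INSERT", "UPDATE", "DELETE"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)


def audit_grants(lines, needed=NEEDED):
    """Return (user, scope, excess privileges) for each over-privileged grant."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue  # not a GRANT line
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        # USAGE means "no privileges", so it is never excess.
        excess = privs - needed - {"USAGE"}
        if "WITH GRANT OPTION" in m.group("rest").upper():
            excess.add("GRANT OPTION")  # user could hand its rights to others
        if m.group("scope") == "*.*" and privs != {"USAGE"}:
            excess.add("GLOBAL SCOPE")  # applies to every database on the server
        if excess:
            findings.append((m.group("user"), m.group("scope"), sorted(excess)))
    return findings


def least_privilege_statement(user, scope, needed=NEEDED):
    """Build the narrower GRANT to apply after revoking the excess."""
    return f"GRANT {', '.join(sorted(needed))} ON {scope} TO {user};"


# Constructed sample output of SHOW GRANTS for three hypothetical users.
SAMPLE = [
    "GRANT USAGE ON *.* TO 'web'@'%'",
    "GRANT ALL PRIVILEGES ON `shop`.* TO 'web'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `blog`.* TO 'blog_app'@'%'",
    "GRANT SELECT, DROP, ALTER ON `shop`.* TO 'legacy'@'%'",
]

if __name__ == "__main__":
    for user, scope, excess in audit_grants(SAMPLE):
        print(f"{user} on {scope}: more than needed -> {', '.join(excess)}")
        print("  suggested:", least_privilege_statement(user, scope))
```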
Security Through Obscurity
If you wrote your own scripts, or someone did it for you, you might think that you’re safer than someone who uses an off-the-shelf piece of software. After all, if a hacker works out how to exploit an old version of WordPress, he can expect to be able to hack many websites in one go.
Now, whilst this might be true, there are a number of very common attacks that apply to a lot of bespoke website scripts.
If this applies to you, make sure you or your developer have a good understanding of common vulnerabilities. Here is a list to get you started:
Much, much more!
We’ll revisit this topic in future, as there is far more to cover. If you have any requests, please let us know in the comments!
Of course, if the worst does happen, and your site does get hacked: Make sure you’ve got a backup ready to roll! Backup Machine can backup your website for you every day, automatically.
Having your website hacked can be a devastating experience, and unfortunately for you, hijacked websites can be very useful tools for criminals. Hackers may want to use your site to propagate viruses, steal your customers’ information, or commit other crimes – and it’s not as far fetched as you might hope or think.
In this “Protecting your website” series, I’ll be taking you through the ways that you can protect your site. This week we’ll focus on password security.
Your FTP and/or SSH credentials are the keys to your kingdom. Guard them well!
Have you ever used the same password for more than one site?
If we look back over just the last couple of months, the volume of passwords that have been stolen from sites such as LinkedIn, Gizmodo, Yahoo! and others is huge. Use the same password on more than one site, and you’ve hurt yourself more than you can imagine.
Of course, choosing a different password for every different site is not an easy thing to do by yourself. Eventually you’ll find yourself writing the passwords down and this is clearly not a great idea!
Fortunately there is a solution: Sign up for a service such as LastPass which can be used to generate passwords for every site you visit, and store them in an encrypted file.
Stealing passwords with a virus
Unfortunately there are several other ways an attacker can steal your password. A common way is by using a virus, which can read your keystrokes as you unwittingly type your password in. Other viruses can look at the information your computer keeps to ‘remember’ your passwords, so you don’t have to re-type them.
To protect yourself against these problems, always:
1) Ensure you run up-to-date virus scanning software. If you’re running Windows, you could download Microsoft Security Essentials or AVG, which are both free and will protect you well. If you’re running on a Mac – don’t be complacent. Macs have now become popular enough to be legitimate targets for viruses.
2) Be wary of logging into your site on someone else’s computer. Not sure what’s been downloaded in the past? Using a computer owned by someone who’s not particularly clued up? It’s probably best to steer clear!
3) Change your password frequently. Especially if you’ve had the misfortune to ignore the advice in (1) and (2)! If your password is out of date before an attacker has a chance to use it – you’re winning again.
4) If you’re running an old copy of the Internet Explorer browser, upgrade it now. There are a number of attacks that are specifically targeted at Microsoft’s infamously insecure old browser versions. Better yet, download the most secure browser available – Google Chrome.
Stealing passwords by sniffing
FTP does not protect your username or password when you access your website’s files. If an attacker has control over any of the machines in between your computer and your server, they can see your username and password floating past. This eavesdropping activity is known as ‘packet sniffing’, and is a relatively trivial exercise.
Have you ever sent passwords in an e-mail? Again, it’s very easy to read e-mails as they fly around the Internet.
Think of it as sending a postcard with your secret information in plain sight as it goes through the sorting office.
To avoid this, wherever possible, use SFTP rather than FTP to connect to your site. SFTP uses SSH to communicate, which is secure (as the name “Secure SHell” suggests). And never send passwords around in an e-mail!
Brute force attacks
Even if you manage to avoid your password being stolen, another way hackers can get into your site is through an attack known as ‘brute force’. Such an attack typically involves cycling through a list of possible words (such as a dictionary) until the attacker is let in.
To protect yourself against this form of attack, make certain you choose a ‘strong’ password. Conventionally, a strong password is never just a single word that could be found in a dictionary or book of names.
Mix up your password with symbols and numbers.
Remember that LastPass site I mentioned before? It’ll generate you a strong password with a click of the mouse, and remember it for you.
Of course, if the worst does happen, and your site does get hacked: Make sure you’ve got a backup ready to roll! Backup Machine can backup your website for you every day, automatically.
How do you know if you’re ready to launch your new website? What do you need to check?
Go to Launchlist and check off everything you should have done!
Of course, we know you’ve got your backups sorted already, right?
Backup Machine uses a unique incremental backup system that keeps track of changes to your website’s files. We use this to only backup those files that have changed since the last time (saving you bandwidth and server load).
You have always been able to see these changed files through your Backup Machine control panel – but now we’ll also give you a heads-up of the files that have changed via e-mail.
Some of our customers have been using this feature to keep track of changes to their site, and spot possible malicious activity. We hope you find it useful too! You can never be too careful with your precious data.
To turn on this feature, visit your “Account Settings”, and select “Notifications” then “Include Extended Information”.
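The same idea of tracking changed files to spot malicious activity, sketched as an added example (this is not Backup Machine's code or its backup format): hash every file in a local copy of the site, compare against the previous run, and list what was added, modified or removed. The list of extensions to review first is an assumption; adjust it to what your server executes.

```python
import hashlib
import os

# File types a web server may execute or interpret (assumed list).
REVIEW_FIRST = (".php", ".phtml", ".js", ".htaccess")


def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                # Read in chunks so large files do not have to fit in memory.
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(old, new):
    """Compare two manifests and report what changed between them."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    # New or changed script files deserve a look before anything else.
    review = sorted(p for p in added + modified if p.lower().endswith(REVIEW_FIRST))
    return {"added": added, "modified": modified,
            "removed": removed, "review_first": review}


if __name__ == "__main__":
    import json
    import sys

    # Usage: python manifest.py <site directory> <previous manifest .json>
    site, previous = sys.argv[1], sys.argv[2]
    current = build_manifest(site)
    if os.path.exists(previous):
        with open(previous) as fh:
            print(json.dumps(diff_manifests(json.load(fh), current), indent=2))
    with open(previous, "w") as fh:
        json.dump(current, fh, indent=2)  # becomes the baseline for the next run
```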
Here’s an interesting video about how Toy Story 2 was almost lost by a Pixar employee accidentally wiping the server that it was stored on. They suffered a common problem: they backed up the data, but the backup had stopped working for a month.
Whether you’re working on a movie, a website or any other document, there are lessons to be learned from Pixar’s mistakes!
It’s pretty clear that we think backing up your files is vitally important. In our minds, every day is website backup day, but today is a very special day for the backup world … it’s a day all about celebrating backups in general!
We really support what the guys at World Backup Day are doing. There are two sides to it. For example, a close friend of our team recently lost all of his family photos due to a hard drive failure, and we’ve all heard the horror stories of companies closing down because they lost all their data.
So, even if you’ve never backed up before, World Backup Day (March 31st) is the day to make a change. Burn those photos to DVD (and put them somewhere safe!), add some files to Dropbox and definitely, without fail back up your website!