Website Backups


Steve When is a Backup Not a Backup?

At Backup Machine we cater for customers from all manner of different hosting companies.  Our aim is to be a universal system for all website owners, disconnected from the company and server systems of their selected hosting providers.  A fail safe in a time of need.

However, one type of website is out of our reach: The “Website Builder” website.

Website builders let you create a website, on your own, through the web.  You know the ones – “Choose your colours, choose your menus and widgets, type your content, etc.”

These systems have incredible appeal – you can often get a good looking website up and running incredibly quickly, and without any technical skills.  But beware!  Unless you have access to your website’s files and database, you are stuck with your provider.  There is usually no effective way for you to move that website elsewhere should you want to or need to.

Recently a customer contacted us regarding one of these sites. They had been told by the website builder company to use “HTTrack Website Copier” to run their backups, should they wish to take a copy themselves.

Do not be fooled!  HTTrack will take a copy of your website in the same way that taking a photo of your car is a copy of your car.  It might look like your car, but none of the controls will work, and you’ll certainly be late for work if you try to use it.

HTTrack will not copy the necessary nuts and bolts to make your website ‘work’.  Your backup might contain a copy of the content of your blog posts, but you won’t be able to post anything new and none of the other dynamic content on your website will work.

If you want to be able to run your website anywhere, you need access to your website’s files and its database.  Without this, you’re stuck with your current provider, and you must make sure you’re satisfied with their backup arrangements.

Steve Getting Away with a Terrible Mistake thanks to Backup Machine!

Have a look at the following Tweets.  Feel sorry for these folks for a while and then ask yourself: If you did this to your site, would everything work out fine?

Overwriting Files

 

We hear these sorts of stories frequently at Backup Machine, although usually there’s a sigh of relief and a huge “Thank you!” in conclusion.  You never know when you’ll be over-tired, distracted, or just unlucky and click the wrong button.  Let us help you make sure you can get away with it!

Steve Words of Wisdom


Losing data and not having a backup is like losing your virginity. You can never get it back, no matter how much you might like to.

–T.E. Ronneberg

Steve World Backup Day 2013 – 25% Off All Backup Packages!

Over the last 3 years, we’ve noticed a huge increase in the number of businesses and individuals who recognise how essential it is to backup all their data; especially their website.

“World Backup Day is a day for people to learn about the increasing role of data in our lives and the importance of regular backups.

This independent initiative to raise awareness about backups and data preservation started out — like most good things on the internet – on reddit by a couple of concerned users.” — World Backup Day

25% Off Backups – For Life!

To celebrate this occasion, for the next week we’re offering a whopping 25% off the cost of any of our backup packages for the lifetime of the package!

Just use the coupon WORLD2013 at checkout to receive this offer.  It’s valid until the end of the week.  Signup today and get your site protected!

Steve How to Backup a Fasthosts Website

Fasthosts are a leading hosting provider in the UK.  They do not currently offer a customer-accessible backup solution, but don’t worry – we can provide one for you!

It’s quick and simple to take an offsite backup of your Fasthosts website and MySQL database, automatically with Backup Machine.

In order for Backup Machine to backup your website, we require FTP (or SFTP) access to your website’s files.

Log into your Fasthosts Control Panel, then choose the “Hosting” menu.  Select the website name you want to back up.  This will take you to an overview page for your website, where you can control its FTP details as well as any related databases.

Add FTP Access

Click on the icon marked “FTP” within your website’s overview page.

From this screen you can reset the main (or “Master”) FTP password for your website.  If you do not know it already, you will need to specify a new password here and remember it.

This “Master FTP Account” uses your website’s domain name (e.g. mydomain.com) as the FTP username.  Backup Machine can use this account, but it would be better to create a special account, just for backing up your files.

Fasthosts provide a guide for adding additional users here: https://help.fasthosts.co.uk/app/answers/detail/a_id/33/kw/add%20FTP%20user

You will need to add a user with access to the root of your website (‘/’) and at least View Files and View Folders permissions.

PLEASE NOTE: You’ll need to wait up to 15 minutes for the FTP username and password to make their way onto Fasthosts’ FTP servers.

While that’s happening, let’s sort out your database too.

Add Database User

From the website overview page in your Fasthosts control panel, you should see a “Databases” icon.  Clicking on this icon will show you a list of your databases.

As well as your username and password, you will require the values of “Database Name” and “Server IP Address” from this list.

To add a user (or new database), please refer to Fasthosts’ “MySQL Guide”, available here: https://help.fasthosts.co.uk/app/answers/detail/a_id/42/kw/add%20mysql If you already have a database, jump to the section entitled “Adding users to your database” in this guide.

In Backup Machine

Within your Backup Machine account, click “+ Add Website” on the left-hand side of the screen.  Please substitute <domain name> for your website’s domain name (e.g. mywebsite.com) in the following guide:

  • Your website address is “www.<domain name>”
  • Your FTP server address is “ftp.<domain name>”
  • Your FTP username is “<domain name>” unless you added your own user, in which case please use that user’s username.
  • Your FTP password is as you specified within the Fasthosts control panel.

Once you have completed the “Add Website” wizard, you can now add your database’s details (if you have one):

Click “Your Websites” from the left-hand menu, then select “<domain name> settings”, or the thumbnail of your site.

From here, click “Add MySQL database”, then choose the “Connect Directly” option.

  • Your database server address is the IP Address you recorded from the list of databases in your Fasthosts control panel
  • Your database name, username and password are the ones which you specified in your Fasthosts control panel

Conclusion

It’s always a good idea to have an automated offsite backup, regardless of your hosting provider.  We’ll be covering other hosting providers in future.  If you would like us to produce a guide for yours, why not get in touch?

Steve Protecting Your Website #2 – Script Exploits

Last time we looked at password security, so let’s take a look at another set of tools in the criminal’s toolbox – exploits.

What are Exploits?

Open Padlock

Exploits are security problems that allow an attacker to do things with your site that you didn’t intend them to. In the real world, picking a lock could be considered an “exploit” as it allows the picker to access something they shouldn’t.

If you run a simple website which only shows the same content over and over again (e.g. it just has html and image files) then you’re relatively safe. Unless an attacker can exploit your web server, then you’re probably out of harm’s way.

However, the moment your website starts doing things with scripts and/or a database, you have to be far more careful. If an attacker can make your scripts do things you weren’t intending, they can potentially do some of the following:

1) Access information on your database which they don’t normally have access to:

Imagine if an attacker got hold of your customer list – this could potentially land you in trouble with data protection agencies. Not to mention the problems with your customer list being spammed.

Or perhaps they download your users’ usernames and passwords?  Now, we assume that there isn’t a list of unprotected passwords in your database – but even when encrypted or hashed, recent hacks have demonstrated that even these measures can be overcome.

Again, you shouldn’t be storing credit card information unencrypted, but if a hacker was to get hold of your customers’ credit card details, you could find your bank’s merchant facilities withdrawn.

2) Update files within your website:

An attacker could simply redirect your customers to their own websites.  If they were in a malicious mood, they could deface your brand.  Or without you even becoming aware, they could illegitimately improve their own search engine rankings by placing back-links within your website.

3) Launch attacks on other servers:

Once your site is hacked, it can become a useful stepping stone to carry out attacks elsewhere on the Internet. If such an attack were ever traced back, it would appear to come from your site, rather than the real culprit’s.

4) Use your website to host illegal material:

I don’t think I really need to describe the sort of files criminals would like to store.  Needless to say, you don’t want it associated with your site!

These are just some of the things they can do – but the list is endless.

That said, let’s have a look at some of the things you can do to protect yourself.

Old Versions of Blog, Shopping Cart or CMS Software

Wordpress Upgrade Box

The most common threat to your website comes by running old copies of off-the-shelf software (such as the popular blog software: WordPress). Because they are installed on so many websites, they are a very attractive target for hackers. To counteract this problem, these systems are updated frequently to fix security holes.

If you run any downloaded (or pre-installed) software on your site, you must ensure it is up to date, otherwise you could be at risk. This applies to the main piece of software, as well as any plugins you might be using.

If you’re a WordPress user: Log into your admin area (I trust you have read our last post about password security) and make sure you don’t see any alerts asking you to upgrade.

Current vulnerabilities are held on public lists – so if you’re not up to date, it’s fairly trivial for an attacker to exploit your out-of-date website.  Here is a list for WordPress:

http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/Wordpress-Wordpress.html

Free Plugins / Themes

If you’re using any plugins that you downloaded for free from the Internet, make sure that they don’t create security vulnerabilities in your site. Be suspicious! In general, the more popular a plugin, the more likely it’s been scrutinised by someone who knows what to look for – but this is by no means a hard-and-fast rule.

If someone wants to create a back door into a large number of websites, all they have to do is to create a popular ‘free’ plugin – and wait for unwitting website administrators to install it.

Even WordPress themes can create holes in your site’s armour. Be wary.

If in doubt – go without!

Database Permissions

Your website runs as a specific user on the server it lives on. It also connects to your database as a specific user. If this database user has the power to drop tables in your database, then so does a hacker that manages to exploit your site. Consider how many database permissions your website really needs – does it really need to be able to alter tables on your database? Probably not.
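One way to check this on a MySQL database, as an added example that is not part of the original post: the script below reads the output of MySQL's SHOW GRANTS statement for the website's database user and reports every privilege beyond everyday reads and writes. The user `webapp`, the database `shop`, the sample grant lines and the `RUNTIME_PRIVS` allow-list are constructed assumptions.

```python
import re

# Assumption: the privileges a typical website needs while serving pages.
# USAGE means "no privileges" and appears in every SHOW GRANTS listing.
RUNTIME_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE", "USAGE"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>.+?)\s+TO\s+(?P<user>\S+)",
    re.IGNORECASE,
)

def audit_grants(show_grants_lines):
    """Return [(scope, [excess privileges])] for grants beyond RUNTIME_PRIVS."""
    findings = []
    for line in show_grants_lines:
        match = GRANT_RE.match(line.strip())
        if not match:
            continue
        # Drop column lists such as "SELECT (`id`, `name`)" before splitting.
        priv_text = re.sub(r"\([^)]*\)", "", match.group("privs"))
        privs = {p.strip().upper() for p in priv_text.split(",") if p.strip()}
        excess = privs - RUNTIME_PRIVS
        # WITH GRANT OPTION lets the account hand its privileges to others.
        if re.search(r"WITH\s+GRANT\s+OPTION", line, re.IGNORECASE):
            excess.add("GRANT OPTION")
        if excess:
            findings.append((match.group("scope"), sorted(excess)))
    return findings

# Constructed SHOW GRANTS output for a hypothetical user `webapp` on database `shop`.
OVERPRIVILEGED = [
    "GRANT USAGE ON *.* TO `webapp`@`%`",
    "GRANT ALL PRIVILEGES ON `shop`.* TO `webapp`@`%`",
]
LEAST_PRIVILEGE = [
    "GRANT USAGE ON *.* TO `webapp`@`%`",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO `webapp`@`%`",
]
MIXED = [
    "GRANT SELECT, INSERT, UPDATE, DELETE, DROP, ALTER ON `shop`.* "
    "TO `webapp`@`%` WITH GRANT OPTION",
]

if __name__ == "__main__":
    for name, lines in [("over-privileged", OVERPRIVILEGED),
                        ("least privilege", LEAST_PRIVILEGE),
                        ("mixed", MIXED)]:
        print(name, "->", audit_grants(lines) or "nothing beyond runtime needs")
```

Schema changes such as ALTER or DROP can then be run from a separate account that is used only during upgrades.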

Security Through Obscurity

If you wrote your own scripts, or someone did it for you, you might think that you’re safer than someone who uses an off-the-shelf piece of software. After all, if a hacker works out how to exploit an old version of WordPress, he can expect to be able to hack many websites in one go.

Now, whilst this might be true, there are a number of very common attacks that apply to a lot of bespoke website scripts.

If this applies to you, make sure you or your developer have a good understanding of common vulnerabilities.  Here is a list to get you started:

http://www.computerworlduk.com/how-to/infrastructure/424/the-top-10-web-vulnerabilities-and-what-to-do-about-them/

Much, much more!

We’ll revisit this topic in future, as there is far more to cover. If you have any requests, please let us know in the comments!

Conclusion

Of course, if the worst does happen, and your site does get hacked: Make sure you’ve got a backup ready to roll! Backup Machine can backup your website for you every day, automatically.

Steve Protecting Your Website #1 – Password Security

Having your website hacked can be a devastating experience, and unfortunately for you, hijacked websites can be very useful tools for criminals.  Hackers may want to use your site to propagate viruses, steal your customers’ information, or commit other crimes – and it’s not as far fetched as you might hope or think.

In this “Protecting your website” series, I’ll be taking you through the ways that you can protect your site. This week we’ll focus on password security.

Your FTP and/or SSH credentials are the keys to your kingdom. Guard them well!

Reusing passwords

Have you ever used the same password for more than one site?

If we look back over just the last couple of months, the volume of passwords that have been stolen from sites such as LinkedIn, Gizmodo, Yahoo! and others is huge.  Use the same password on more than one site, and you’ve hurt yourself more than you can imagine.

Of course, choosing a different password for every different site is not an easy thing to do by yourself.  Eventually you’ll find yourself writing the passwords down and this is clearly not a great idea!

Fortunately there is a solution: Sign up for a service such as LastPass which can be used to generate passwords for every site you visit, and store them in an encrypted file.

Stealing passwords with a virus

Unfortunately there are several other ways an attacker can steal your password.  A common way is by using a virus, which can read your keystrokes as you unwittingly type your password in.  Other viruses can look at the information your computer keeps to ‘remember’ your passwords, so you don’t have to re-type them.

To protect yourself against these problems, always:

1) Ensure you run up-to-date virus scanning software.  If you’re running Windows, you could download Microsoft Security Essentials or AVG, which are both free and will protect you well.  If you’re running on a Mac – don’t be complacent.  Macs have now become popular enough to be legitimate targets for viruses.

2) Be wary of logging into your site on someone else’s computer.  Not sure what’s been downloaded in the past?  Using a computer owned by someone who’s not particularly clued up?  It’s probably best to steer clear!

3) Change your password frequently.  Especially if you’ve had the misfortune to avoid the advice in (1) and (2)!  If your password is out of date before an attacker has a chance to use it – you’re winning again.

4) If you’re running an old copy of the Internet Explorer browser, upgrade it now.  There are a number of attacks that are specifically targeted at Microsoft’s infamously insecure old browser versions.  Better yet, download the most secure browser available – Google Chrome.

Stealing passwords by sniffing

FTP does not protect your username or password when you access your website’s files.  If an attacker has control over any of the machines in between your computer and your server, they can see your username and password floating past.  This eavesdropping activity is known as ‘packet sniffing’, and is a relatively trivial exercise.

Have you ever sent passwords in an e-mail?  Again, it’s very easy to read e-mails as they fly around the Internet.

Think of it as sending a postcard with your secret information in plain sight as it goes through the sorting office.

To avoid this, wherever possible, use SFTP rather than FTP to connect to your site.  SFTP uses SSH to communicate, which is secure (as the name “Secure SHell” suggests).  And never send passwords around in an e-mail!

Brute force attacks

Even if you manage to avoid your password being stolen, another way hackers can get into your site is through an attack known as ‘brute force’.  Such an attack typically involves cycling through a list of possible words (such as a dictionary) until the attacker is let in.

To protect yourself against this form of attack, make certain you choose a ‘strong’ password.  Conventionally, a strong password is never just a single word that could be found in a dictionary or book of names.

Mix up your password with symbols and numbers.

Remember that LastPass site I mentioned before?  It’ll generate you a strong password with a click of the mouse, and remember it for you.

Conclusion

Of course, if the worst does happen, and your site does get hacked: Make sure you’ve got a backup ready to roll!  Backup Machine can backup your website for you every day, automatically.

Steve Check your site is ready with Launchlist!

How do you know if you’re ready to launch your new website? What do you need to check?

Go to Launchlist and check off everything you should have done!

http://lite.launchlist.net/

Of course, we know you’ve got your backups sorted already, right?

Steve Track changes to your website via e-mail

Backup Machine uses a unique incremental backup system that keeps track of changes to your website’s files.  We use this to only backup those files that have changed since the last time (saving you bandwidth and server load).

You have always been able to see these changed files through your Backup Machine control panel – but now we’ll also give you a heads-up of the files that have changed via e-mail.

Some of our customers have been using this feature to keep track of changes to their site, and spot possible malicious activity.  We hope you find it useful too!  You can never be too careful with your precious data.

To turn on this feature, visit your “Account Settings”, and select “Notifications” then “Include Extended Information”.
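How a changed-file list can point to tampering, as an added example that is not Backup Machine's own code: it assumes change detection by comparing SHA-256 hashes between two snapshots, and it puts new or altered server-side scripts at the top of the review list. The site files, the `SCRIPT_SUFFIXES` list and all function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: suffixes the server would execute, so changes to them get read first.
SCRIPT_SUFFIXES = (".php", ".phtml", ".cgi", ".pl")

def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_snapshots(old, new):
    """Compare two manifests and list added, modified and removed paths."""
    return {
        "added": sorted(p for p in new if p not in old),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
        "removed": sorted(p for p in old if p not in new),
    }

def review_first(changes):
    """New or altered server-side scripts: the changes most worth a human look."""
    touched = changes["added"] + changes["modified"]
    return sorted(p for p in touched if p.lower().endswith(SCRIPT_SUFFIXES))

def demo():
    """Build a constructed site in a temp folder, change it, and report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)

        write("index.php", "<?php echo 'home'; ?>")
        write("css/site.css", "body { color: #333; }")
        write("uploads/logo.png", "constructed placeholder")
        before = snapshot(root)

        write("index.php", "<?php echo 'home v2'; ?>")            # edited page
        write("uploads/cache.php", "<?php /* constructed */ ?>")  # script in uploads
        os.remove(os.path.join(root, "css", "site.css"))          # deleted file
        after = snapshot(root)
    changes = diff_snapshots(before, after)
    return changes, review_first(changes)

if __name__ == "__main__":
    changes, urgent = demo()
    print(changes)
    print("review first:", urgent)
```

A script that appears in an uploads folder, or a changed page that nobody on the team edited, is the kind of entry worth checking before the next backup run.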

Change Notification Email


Andi Website Resolutions

What is your New Year resolution? Do more exercise, eat less chocolate, or perhaps see your family more often?

While you’re working on your plans for 2012, don’t forget your website. What is your website resolution (and we’re not thinking about 1024 x 768 … not those resolutions!)? Here are a couple of suggestions from us:

  • Set up automatic website backups (of course!).
  • Update your blog more often.
  • Communicate with your customers more frequently about the things that matter to them.
  • Make your social media more social, and not just about selling.
  • Review some of your key user interfaces to work out how you can make them slicker, easier to use and better at converting sales.

We’ve got many of our own ideas too. What are yours? Tweet us yours at @BackupMachine!