How do I professionally manage a website?
My wife has started a business, and the website is an important way to reach potential customers. I'm a software developer, so 'of course' I'm taking care of the technical stuff. I arranged a webhost and uploaded and configured WordPress (which, together with a decent theme, fits our bill nicely). My wife has some knowledge of HTML and CSS, so she can customize the website herself.
Now, I want to professionalize this stuff. If anything stupid happens (accidentally mess up a file, bug in WordPress update, site is hacked) we lose the entire site.
What do I need to manage the site? When googling this subject, I only find FTP tutorials, which is not quite the level of info I'm after. I've figured:
backup of files + database (I already have these, but I have not tested whether restore works)
a local test environment for editing the theme and testing WordPress updates
a test plan, containing some things to test before uploading the test environment to the live site
versioning - should anything go wrong, we should be able to go to a previous version.
uptime monitoring - if the site goes down, I won't have to hear it from customers
Suggested by bybe, mostly security related:
use a VPS. This will shield me from attacks on other shared hosting accounts, however it opens up another can of worms, because I have to keep the server safe myself.
remove write permissions on all files that don't need to be writable (template files, .htaccess)
subscribe to the CMS mailing list (WordPress in this case) and update as soon as new releases are available
minimize the number of CMS plugins - they have their own vulnerabilities
remove the default admin account of the CMS
put the website in maintenance mode when modifying. It allows for a consistent backup and is nicer to visitors.
Is there anything missing from this list?
5 Comments
The other answers have a lot of good advice but assume some greater or lesser expertise in server maintenance and WordPress knowledge that you a) may not have and b) may not have the time to dedicate to really learn it.
Assuming you are already paying for hosting and considering upgrading to a VPS I would strongly recommend moving to an ISP that specializes in WordPress hosting and provides malware protection and recovery, security checks on plugins, backups, and upgrades the core for you. Two that I use for clients now are Pagely and WP Engine. A nice bonus is that these ISPs are also optimized to provide a speed boost which WordPress sometimes needs. WP Engine also comes with a staging environment for testing...
If you prefer to not use managed hosting, I STRONGLY recommend you subscribe to VaultPress as your primary backup and security plan. The Premium service level handles both (the regular service is only backup/restore) and the peace of mind alone is worth the fee. VaultPress is pretty pricey and may be more expensive than using the managed hosting recommended above.
The third way to go is to piece together security from your experience, plugins, and ability to search on Google, and backups/versioning the same way. Again, this assumes a level of expertise with server config and WordPress that you may not have right away, and recovering from a WordPress hack can be a miserable experience, more so if the attacker is executing scripts in the shell.
I'm a new webmaster myself, so I'm far from an expert. What I can tell you, though, are my own experiences over the last few months. A little background: I'm a Windows guy with little Linux/Apache experience, proficient in PHP/HTML/CSS, with a decent base knowledge of WordPress (WP).
I set up a local test environment with XAMPP and spent a good amount of time installing/configuring/deleting WP. Then I spent a good few days learning WP plugin development. Did it all locally, creating a small plugin. Got it running fine, uploaded it live, then had to spend a bunch of time trying to figure out why it wasn't working on my live site.
I don't remember the exact causes, but it boils down to my host having different settings/permissions/etc. than my local server. While I could have spent a lot more time learning about server management in-depth and trying to match my local-to-live environments, I decided to take an easier route. I set up a live test domain - multiple actually.
My hosting plan is a typical shared plan. In fact, it's the cheapest one my host offers, which allows unlimited domain addons but doesn't allow those domains to point anywhere but the root. So I found out how to use .htaccess to dynamically redirect different domains to different directories, some simple cut-n-paste stuff. Then I got some free subdomains through CU.CC. While I wouldn't use them for any true sites because they're not true domains, i.e., you don't 'own' them, they work great for live testing.
I use one freebie as a clone of my live site, so if I want to install a plugin or theme I can test it thoroughly before sending it live. Since my test domain is on the same server, I know exactly how my live site will appear. I use another freebie as a general WP testbed. And yet another for general webdev testing.
For cloning my site, I use a free WP plugin called 'Duplicator'. It backs up a site's files and database. It also handles all the WP backend stuff necessary if you want to restore to another domain. This works great for my WP testbed, since I only had to install WP once, load it with my dummy content & users, and set up my admin prefs like permalinks, timezone, etc. Now I can hack WP all I want, then restore the backup at will to my near-virgin yet configured-as-I-want WP install.
Good questions. Security is your main issue, and it is the same for everyone who undertakes managing their own websites. WordPress isn't the most secure content management system on the planet; however, it can be made secure with good hosting and good knowledge of what to secure and ensure is set.
Hosting
The safest way of hosting your site is on a VPS or dedicated server, assuming that you have good security on the OS. The problem with shared hosting is that malware can spread from one account to another; even though they are in jails, these hackers find their way around and infect multiple sites. GoDaddy, for example, was hacked last month, which left 100,000's of websites hacked with greyhat backlink inserts.
From what I've read, you want to go with a VPS, but importantly you want something to manage your backups. What you need is a VPS with CentOS 6 and cPanel. You will need to pay extra for cPanel, but this will automate setting up websites and backing up the database and file system, as well as sending you emails daily when the backup has completed or failed for one reason or another.
Now, I don't know how strong your skills are within Linux itself, but a VPS can often bring other security problems if you're not strong in this department. Luckily, these days we have things like Google, and you can pretty much learn how to secure your VPS with ease. The basic thing about your VPS box is to ensure that you're using an SSL Key that you have on your computer, meaning that even if they know the password they can't access your system without that certification. Furthermore, to stop people guessing the password you could always change the SSH port.
There are many things you can do to prevent access to your box and Google serves this best; there are just far too many to list.
WordPress
Securing WordPress is pretty straightforward. My strongest advice is to secure the template files within the /wp-content/themes directory. Since your wife will not be editing the template files, you want to chmod these so they can't be written to from WordPress directly. There is a setting within the configuration.php you can set, but seriously, just CHMOD them using FTP or, if you do go and use a VPS, change the ownership of these files from www-data to root. This way they can't be changed from WordPress or any other software running on the server. Most injections, script-based, will attack the index.php files of the templates and add the malware. Furthermore, there are a few .htaccess redirect attacks, so again chmod the .htaccess file to unwritable once you have the desired settings, or again change from www-data to root. Also, you should set the configuration.php to root, or chmod it so it can't be read by guests and outsiders.
Don't underestimate the power of CHMOD; the more files you can make unwritable, the better. Try to avoid unnecessary WordPress plugins. While some are great, ask yourself whether you need them. The more you have installed, the more your hackers have to play with, so avoid plugins as much as you can and don't bloat the site with them.
WordPress updates weekly to monthly; update as soon as possible. There's a reason why they have so many updates, and one of them is the security issues and loopholes they have found.
Furthermore, by default you will have an "admin" "password" account. Make another administrator, such as yourwifenames, along with a good password. Then delete that admin account.
Test Plan
You can always mimic your site, i.e. have a clone. Using cPanel you could set up a subdomain test.subdomain.com and have that running the same WordPress along with a clone of the database.
Personally, if you're not using major extensions for WordPress, then you could just take the site offline (i.e. "Maintenance in progress") and then update the system. If anything goes wrong, then you have the automated backup or a backup you did while it was in maintenance. That way you're safe either way.
It's always best to update in maintenance mode; while some updates don't ask, some do. Best to take it offline so you have a GOOD snapshot.
Versioning
Each daily backup you do will have a date, and inside the GZ/Zip you'll be able to read the config file with the version numbers of WordPress.
Uptime
Good VPS systems will monitor it for you and reboot if required. Since you operate the server, you can always install a cron job that will send you an email if the server goes down. But again, a good server never really goes down; pick a good VPS company which operates on a cloud with redundant power supplies and hardware. Rackspace, for example, or Amazon work on a cloud.
Test Version
Again, just clone the site onto a subdomain that uses a .htaccess password.
Hope this helps, and if you have any additional questions please ask.
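As an added example (not part of the answer above or of this thread), the permission advice in its WordPress section can be checked and applied with a short POSIX shell script. It assumes the standard WordPress layout, where the config file is named wp-config.php, and the function names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the standard WordPress layout:
# DOCROOT/wp-config.php, DOCROOT/.htaccess, DOCROOT/wp-content/themes.

# audit_wp_perms DOCROOT WEB_USER
# WEB_USER is the account PHP runs as (name or numeric uid), e.g. www-data.
# Prints one finding per line, nothing when the tree matches the policy.
# Returns 2 if find itself fails (for instance an unknown user name).
audit_wp_perms() {
    a_root=$1
    a_user=$2
    for a_path in "$a_root/.htaccess" "$a_root/wp-content/themes"; do
        [ -e "$a_path" ] || continue
        # Writable via group/other bits, or owned by the PHP user with the
        # owner write bit still set.
        a_hits=$(find "$a_path" \( -type f -o -type d \) \
            \( -perm -020 -o -perm -002 -o \( -user "$a_user" -perm -200 \) \) \
            -print) || return 2
        if [ -n "$a_hits" ]; then
            printf '%s\n' "$a_hits" | sed 's/^/WRITABLE /'
        fi
    done
    # The config file holds the database credentials: no access for "other".
    if [ -f "$a_root/wp-config.php" ]; then
        a_hits=$(find "$a_root/wp-config.php" \
            \( -perm -004 -o -perm -002 -o -perm -001 \) -print) || return 2
        if [ -n "$a_hits" ]; then
            printf '%s\n' "$a_hits" | sed 's/^/WORLD-ACCESS /'
        fi
    fi
    return 0
}

# harden_wp_perms DOCROOT
# chmod-only fix that needs no root, so it also works on shared hosting.
harden_wp_perms() {
    h_root=$1
    for h_path in "$h_root/.htaccess" "$h_root/wp-content/themes"; do
        [ -e "$h_path" ] || continue
        chmod -R a-w "$h_path"
    done
    if [ -f "$h_root/wp-config.php" ]; then
        chmod o-rwx,g-w "$h_root/wp-config.php"
    fi
    return 0
}
```

A file's owner can always restore its write bit, so on a VPS the ownership change the answer describes is the stronger fix; rerun the audit after every WordPress or theme update, since updates can reset modes.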
You will definitely want to keep it simple. But ultimately it depends on what kind of site you are going for (will people be able to purchase stuff?).
If you have a simple WordPress site, then you would want to make backups (or make sure the copy on the public server is not the only copy; don't back up the static files from the server but DO back up the database every week). For larger sites or if you are storing any user-data on the database, back up more often.
For larger e-commerce sites, it may be a good idea to invest in an SSL certificate to gain visitors' trust as well as encrypt the data (you could generate your own self-signed certificate for free but it should only be used in a development environment).
Definitely consider renting a VPS or even a dedicated server if you are concerned with security; it offers much greater flexibility but with power comes responsibility (and also the potential to mess things up). You could get really fancy and set up synchronized databases across remote servers, use rsync to back up the data on a schedule, etc. But again, keep it simple.
For a test environment, not a bad idea, and probably a good thing if you would be changing the design and content often, but you'd want to make sure the WP versions and settings are identical. Very important.
Lastly, keep it simple. Human errors in deleting/messing files up are the leading cause for data loss. Hackers are not.
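As an added example (not code from this thread), the weekly database backup recommended above can be checked for the usual silent failures: a truncated archive, a stale file, a dump that stopped partway, or missing core tables. It assumes a gzip-compressed dump written by mysqldump with its default comments and WordPress's default wp_ table prefix; the function name is made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a gzip-compressed dump made by
# mysqldump with its default comments, and WordPress's default "wp_" prefix.

# verify_wp_dump FILE [TABLE_PREFIX] [MAX_AGE_DAYS]
# Prints "OK" or the first failed check; returns 0 only for a usable dump.
verify_wp_dump() {
    v_file=$1
    v_prefix=${2:-wp_}
    v_days=${3:-7}
    if [ ! -s "$v_file" ]; then
        echo "FAIL: missing or empty file"; return 1
    fi
    # Integrity: a download or mail attachment cut short fails the gzip check.
    if ! gzip -t "$v_file" 2>/dev/null; then
        echo "FAIL: corrupt or truncated gzip"; return 1
    fi
    # Freshness: the weekly job may have silently stopped running.
    if [ -z "$(find "$v_file" -mtime "-$v_days")" ]; then
        echo "FAIL: older than $v_days days"; return 1
    fi
    # Completeness: mysqldump writes this trailer only after the last table.
    if ! gzip -dc "$v_file" | tail -n 5 | grep -q '^-- Dump completed'; then
        echo "FAIL: dump ended early (no trailer)"; return 1
    fi
    # Content: the core tables a WordPress restore cannot do without.
    for v_table in options posts users; do
        if ! gzip -dc "$v_file" |
            grep -q "^CREATE TABLE \`$v_prefix$v_table\`"; then
            echo "FAIL: table $v_prefix$v_table not in dump"; return 1
        fi
    done
    echo "OK"
}
```

Passing these checks does not replace an actual restore into the test copy of the site; it only rules out the failures that make a restore impossible.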
If you are afraid of your site getting hacked or getting affected by malware, then I suggest using sucuri.net/
Although it is a paid one, it will take care of your site security quite efficiently.
Apart from this, taking precautions on your side is advisable. Get a database backup every week. Set the database backup option in your hosting to ON and you will get the database backup in your mail time and again on a regular basis.