Why it's not your host's fault
1. Why it’s not your host’s fault
Chad Mowery | chadmow.com | @chadmow03
WordCamp Milwaukee 2016
2. Who am I?
• Started working in IT in 2006
• Currently working as a System Administrator
for a local cloud hosting company
• Been on both sides of the fence
• I’ve had bad hosting experiences too
• My first CMS experience was with Joomla
• My Joomla sites kept getting hacked
• Thank god I found WordPress
3. What I’ll talk about
• Your site got hacked
• Bummer… may not have been your host’s fault though.
• Your site was down temporarily and you’re furious
• I’ve been there. I used to think my site needed to have 100% uptime.
• Ways you should take ownership of your site
• Use your host as a last resort. Don’t depend on them to do your job.
• Things to look for and ask your host about
• My recommendations.
4. Who do you host with?
• Bluehost
• DreamHost
• Flywheel
• Siteground
• GoDaddy
6. So your site was hacked
Probably wasn’t your host’s fault though
7. So your site was hacked
• Did you take steps to harden your site?
• Don’t use ‘admin’ as a username
• Don’t use wp_ for your DB table prefix
• Don’t share a DB or user accounts
• Secure your wp-config.php file
• Secure your wp-includes folder
• Limit access to wp-admin by IP
• Use Two Factor authentication
• https://codex.wordpress.org/Hardening_WordPress
• https://codex.wordpress.org/Brute_Force_Attacks
• Was your site up to date?
• Core, Plugins, Themes
• Are your plugins and themes still supported?
• Running old versions is not ok
8. So your site was down and you’re furious
• Let’s talk about the required pieces for hosting
your WordPress site
• The server itself (Windows, Linux)
• Web server (IIS, Apache, Nginx)
• Database server (MySQL, MariaDB)
• Mail server (SMTP, Postfix)
• Control Panel (Plesk, cPanel)
• DNS
9. So you’re relying on your host
Take ownership of your site.
Use your host as a last resort, don’t be dependent on someone else.
• Understand everything that your host provides
• Backups, Hardening, Security, Statistics, DNSSEC
• Perform regular backups of your site
• Yes, your host is probably doing backups of the server and can provide you a copy of
your site or do a restore for you. Do it yourself. Be in control.
• Test restoring your site from those backups
• Backups are great and you may feel safe knowing you are doing them but do you
actually know how to restore your site from them?
10. So you’re not taking backups
Ways you can backup your site
1. Through your control panel
1. cPanel
2. Plesk
2. With a plugin or service
1. BackupBuddy
2. BackUpWordPress
3. ManageWP
4. CMS Commander
Don’t store your backups on your FTP
• They’re going to count against your
allocated disk space
• If your FTP is ever compromised, bye bye
backups
Test your backup
• Make sure backup is good
• Test restoring your site
11. So you’re relying on your host
• Monitor your site’s uptime and performance
• There are many good free and paid services for doing this. Start out with a
free service and once you feel comfortable move up to a paid service to get
additional monitoring capabilities.
12. So you don’t know which host or plan to choose
Types of hosting
Managed WordPress Hosting – Great for someone just getting started
in WordPress.
Shared Hosting – Most common. Traditional web hosting. You will be
sharing the server with other customers.
VPS Hosting – Think of a VPS as a shared dedicated server. Easily
scalable.
Dedicated Hosting – Dedicated server that you have 100% control of.
13. So you don’t know which host or plan to choose
These are the questions I would ask a host
• What Windows or Linux OS version are you running?
• What Apache, IIS, MySQL, PHP version are you running? If you are unsure what the
latest versions are do a quick Wikipedia search on each of these.
• How do you update to the latest versions of these?
• What types of things do you do to ensure my website will be secure?
• Do you have 24x7 phone support for all your levels of support?
Do your own research
• Browse the community forums or knowledge base for a particular host
• Seek out online reviews or polls
14. So you need a summary?
There are really two things I hope everyone takes away from my talk
today.
• When you experience an issue, and I really mean when, don’t jump to
conclusions. Keep a level head and do the proper troubleshooting. There are
numerous things going on behind the scenes to make your website function
and any number of them could be the cause of your problem.
• Take ownership of your site! Follow best practices and you’ll have fewer issues
to start with.
15. Thank you!
If you have any questions please feel free to contact
me! I’ll help you out as best I can.
Site: chadmow.com
Twitter: @chadmow03
Thank you to all the WordCamp Milwaukee
sponsors and volunteers!
Editor’s notes
Welcome everyone. I hope everyone is having a good WordCamp so far.
The title of my talk today is Why it’s not your host’s fault. Let’s be perfectly honest here, sometimes it is.
My family
Working in IT for 10 years
Currently work for a local cloud hosting company
Bad experiences too
Working for a host has opened my eyes
Your site got hacked – I’ll talk about some ways you can secure and harden your WordPress site.
Your site was down temporarily and you’re furious – There are several things that could have gone wrong to cause an outage. I’ll try to shed some light on some of them.
Ways you should take ownership of your site – Backups, Test restores, Monitoring, Stay up to date
Things to look for and ask your host about
Let’s do a little crowd interaction. By show of hands let’s see who you guys use for hosting.
Don’t do this. I’m sure many of you know who Marcus Couch is. Marcus is a fairly big name in the WordPress community I would say. He has been on many podcasts, hosted many of his own podcasts. Most notably to me at least is the WordPress Weekly podcast at wptavern.com. I respect a lot of what Marcus says but this bothers me a bit.
If you have an issue with your host, don’t take to social media. Reach out to the host with a level head and work together to resolve the problem. If you’re still unhappy after that then find a new host. I guarantee you they have more happy and satisfied customers than upset ones.
Seen a hacked site with scrolling matrix background
Image on right is from Plesk control panel WordPress Toolkit
Easy hardening steps listed here. Not going in depth on how to configure these.
Don’t use admin as a username, used to be default username
Don’t use wp_ for your DB table prefix – SQL injection attack
Don’t share a DB or user accounts – One site compromised All sites compromised
Secure your wp-config.php file – Deny access in your .htaccess file. Modify permissions on this file so only you and the web server can read the file
Secure your wp-includes folder – You should not be able to execute php files from here. In a browser try browsing directly to one of the php files in your wp-includes folder. You should receive an error.
Limit access to wp-admin by IP – You can limit access to yoursite.com/wp-admin by IP address. This can be done in your .htaccess file. You can add multiple IP addresses. Great for companies with static IP addresses. Can be more difficult for home consumers, who would generally have a dynamic IP address.
Use Two Factor authentication – Security and passwords are no laughing matter. It is a good practice to implement 2 factor authentication on your wp-admin login. I use Clef. They have a plugin, just add it to your site and follow the setup instructions. Took me like 2 minutes to set up, it was very easy. You download an app to your smart phone.
Codex Hardening WordPress & Brute Force Attacks – Please check out these pages and read them from top to bottom. I recommend implementing as many of the suggestions as possible. Implement in a dev environment first though, as some of these may cause some of your plugins to not function correctly.
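The hardening items in these notes (and in the slide 7 list above) can be checked mechanically rather than by browsing to files by hand. The script below is an added example written for this page, not code from the talk, the Codex, or any plugin. It assumes an Apache-style install where the protections live in `.htaccess` files, it only reads files, and the document-root path is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the talk: audit a WordPress document root for the
# hardening items on the slide. Read-only; prints PASS/FAIL per check and
# returns the number of failed checks. Every path here is an assumption.
set -u

# wp-config.php must not be readable by "other" (e.g. 0640 or 0600).
wpconfig_perms_ok() {
  local f="$1/wp-config.php" mode
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  # The last octal digit is the "other" class; any non-zero value means
  # another account on a shared server could read the DB credentials.
  case "$mode" in *0) return 0 ;; *) return 1 ;; esac
}

# The table prefix should not be the default "wp_".
table_prefix_ok() {
  local prefix
  prefix=$(grep -E '^\$table_prefix' "$1/wp-config.php" 2>/dev/null | head -n1 \
           | sed -E "s/.*['\"]([^'\"]+)['\"].*/\1/")
  [ -n "$prefix" ] && [ "$prefix" != "wp_" ]
}

# The docroot .htaccess should carry a <Files wp-config.php> block that denies
# access (Apache 2.4 "Require all denied" or Apache 2.2 "Deny from all").
htaccess_protects_wpconfig() {
  [ -f "$1/.htaccess" ] || return 1
  awk '{ l = tolower($0) }
       l ~ /<files "?wp-config\.php"?>/ { b = 1 }
       b && l ~ /(require all denied|deny from all)/ { f = 1 }
       l ~ /<\/files>/ { b = 0 }
       END { exit !f }' "$1/.htaccess"
}

# wp-includes/.htaccess should block PHP execution from that folder, which is
# what the "browse directly to a php file, expect an error" test relies on.
wpincludes_php_blocked() {
  local f="$1/wp-includes/.htaccess"
  [ -f "$f" ] && grep -q '\.php' "$f" && grep -qiE 'require all denied|deny from all' "$f"
}

# Run every check; the return value is the number of failures.
audit_wordpress() {
  local root="$1" fails=0 check
  for check in wpconfig_perms_ok table_prefix_ok htaccess_protects_wpconfig wpincludes_php_blocked; do
    if "$check" "$root"; then
      echo "PASS $check"
    else
      echo "FAIL $check"
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}

# Usage: ./wp-audit.sh /var/www/example.com   (path is an assumption)
if [ "$#" -gt 0 ]; then
  audit_wordpress "$1"
fi
```

Run it in a dev environment first, as the notes say, and treat a FAIL as a prompt to read the matching Codex section rather than as a complete verdict: an `.htaccess` rule only matters if the host's Apache honours overrides, and the username and two-factor items need a look at the admin dashboard, not the filesystem.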
Updates - This is a no brainer. Make sure you keep your WordPress version current as well as plugins and themes. There is no excuse. Before updating though make sure you have a good backup and or test the updates in your dev environment. Updates also extend beyond WordPress. Most hosts will allow you to choose from different versions of PHP. Make sure you’re running an actively supported version of PHP.
Story: I have a customer that has to remain on PHP 5.3 due to a very old version of Drupal. This is just asking for trouble in the near future. PHP 5.3 is no longer under active support.
Use as few plugins as possible. Don’t leave deactivated plugins installed on your site. If they are deactivated and you’re not using them, get rid of them. Also make sure they are still actively being supported. When was it last updated?
The server itself - This could be a Windows server or Linux server. Both of which have regular patches and security updates that in some cases require reboots of the server.
Web server - IIS and Apache also have new versions that come out that your host may want to upgrade to. At a minimum this will require a restart of the services.
Database server – MySQL comes out with new versions as well.
Control Panel - Your host may be running a control panel like Plesk or cPanel. Those have regular updates to resolve bugs or security vulnerabilities.
Story about upgrading Plesk and it resetting permissions on DLL that was used by a customer site.
Customer was running a CMS, not WordPress. I performed one of my regular Plesk control panel updates and did my usual post upgrade testing. This particular customer uses a CDN so the issue wasn’t immediately apparent. Several hours later their cache must have expired or they did a reset and boom all of a sudden their site went down and was throwing an error in the browser.
DNS – Depending on what solution your host is using for DNS. There are also updates for this. Bind or some other DNS solution.
All of the above requirements have regular updates. Your host is hopefully keeping them up to date with current versions. Updating them often requires a reboot of the server or at a minimum a restart of services.
This is the biggest problem I see. If you’re a developer, make sure you educate your clients properly. What I generally get is a customer calling me stating something is wrong with their website, they don’t even know how to login to the control panel, or WordPress admin dashboard. They’re completely clueless. 9 times out of 10 they will also tell me they had developer John Smith build the site for them 2 years ago.
Understand what your host provides
Log into your control panel, browse around, click on things, read. If you are unsure, ask your host
DNSSEC – Domain Name System Security Extensions. Prevents DNS cache poisoning among other things. DNSSEC isn’t new but hasn’t been widely adopted. Many hosts offer it but not many people are utilizing it. If your host offers it do some research and look at implementing it.
Backups
You may think this is a no brainer but it’s not. People do not do backups, I can’t understand why, they just don’t. You need to do backups people!
Restores
You need to test restoring your site from the backups otherwise you don’t know if the backup is any good or not.
Ways you can backup your site
You can take manual backups through cPanel. Scheduled backups are not allowed by default, your host needs to enable that feature. With Plesk you can schedule automatic backups, and you can set retention periods. Both of these also offer ways to restore your site from those backups.
There are a lot of different plugins out there that will do backups for you.
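For anyone who would rather not depend on a control panel or plugin, the slide 10 advice (back up, keep the copy off your FTP space, and actually test a restore) fits in a short script. This is an added example written for this page, not the talk's own tooling: it assumes a Linux host with GNU tar, the docroot and backup paths are placeholders, and the optional database dump expects `mysqldump` with credentials in `~/.my.cnf`.

```shell
#!/usr/bin/env bash
# Added example, not from the talk: back up a WordPress docroot (plus its
# database when WP_DB_NAME is set), checksum the archive, prove it restores
# by extracting to scratch space and diffing against the live tree, and prune
# old copies. Paths, env vars and file names are assumptions.
set -u

sha256_file() { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; }

# Dump the database next to the files when WP_DB_NAME is set; otherwise skip.
# Assumes mysqldump is installed and the password lives in ~/.my.cnf.
dump_database() {
  [ -n "${WP_DB_NAME:-}" ] || return 0
  mysqldump --single-transaction -u "${WP_DB_USER:-root}" "$WP_DB_NAME" > "$1/db.sql"
}

# Create dest/site-<timestamp>.tar.gz and a .sha256 beside it; prints the path.
backup_site() {
  local root="$1" dest="$2" stamp archive stage
  stamp=$(date +%Y%m%d-%H%M%S)
  archive="$dest/site-$stamp.tar.gz"
  mkdir -p "$dest"
  stage=$(mktemp -d)
  cp -a "$root" "$stage/files"
  dump_database "$stage" || { rm -rf "$stage"; return 1; }
  tar -czf "$archive" -C "$stage" .
  rm -rf "$stage"
  sha256_file "$archive" > "$archive.sha256"
  echo "$archive"
}

# "Make sure backup is good": checksum must match and tar must read it.
verify_backup() {
  local archive="$1" want got
  want=$(cut -d' ' -f1 "$archive.sha256")
  got=$(sha256_file "$archive" | cut -d' ' -f1)
  [ "$want" = "$got" ] || return 1
  tar -tzf "$archive" > /dev/null
}

# "Test restoring your site": extract to scratch space, diff against live files.
test_restore() {
  local archive="$1" root="$2" scratch rc=0
  scratch=$(mktemp -d)
  tar -xzf "$archive" -C "$scratch"
  diff -r "$root" "$scratch/files" > /dev/null || rc=$?
  rm -rf "$scratch"
  return "$rc"
}

# Keep only the newest N archives (default 7) so backups stop eating disk.
# (Simple ls-based listing; assumes archive names without spaces.)
prune_backups() {
  local dest="$1" keep="${2:-7}"
  ls -1t "$dest"/site-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" | while read -r old; do
    rm -f "$old" "$old.sha256"
  done
}

# Usage: ./wp-backup.sh /var/www/example.com /backups/example.com  (paths assumed)
if [ "$#" -ge 2 ]; then
  a=$(backup_site "$1" "$2") && verify_backup "$a" && test_restore "$a" "$1" \
    && prune_backups "$2" && echo "backup OK: $a"
fi
```

Point the destination at a directory outside the web root and copy it to another machine or storage account afterwards; a backup that lives in the same FTP space as the site disappears with it, which is exactly the slide's point.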
Monitoring
I use uptimerobot.com. I do http checks and keyword checks on all my sites. This tells me A) if the web server that hosts my site is up or not, and B) that my sites haven’t been defaced in any way or hacked. I’m just using their free plan. 5 minute monitoring intervals, up to 50 monitors, maintains 2 months of logs. I have mine set up to send me emails, I also have an RSS feed that I use in Outlook. Also has integrations to Slack.
Uptimerobot.com also checks response time and logs it to a graph, which is nice. I can see how fast my web server is responding to UptimeRobot’s check.
Other solutions out there, Jetpack can notify you if your site is down, etc.
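To show what an HTTP check plus a keyword check actually does (the combination described in these notes and on slide 11), here is an added example written for this page; it is not UptimeRobot's or Jetpack's code. The classification is kept separate from the network fetch so it can be exercised without a network, and the URLs and keywords are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the talk: a minimal uptime + keyword monitor.
# A site is UP (reachable and expected text present), DOWN (no response or
# an error status), or SUSPECT (reachable but the expected text is missing,
# which is what a defacement or a broken deploy looks like from outside).
set -u

# Pure classification, testable offline:
#   $1 = HTTP status code ("000" when curl could not connect)
#   $2 = response body
#   $3 = keyword that must appear on a healthy page
classify_response() {
  local code="$1" body="$2" keyword="$3"
  case "$code" in
    2??|3??)
      if printf '%s' "$body" | grep -qF -- "$keyword"; then
        echo "UP"
      else
        echo "SUSPECT keyword '$keyword' not found"
      fi
      ;;
    000) echo "DOWN no HTTP response" ;;
    *)   echo "DOWN http $code" ;;
  esac
}

# Live check: fetch with curl, then classify. Prints "url|state|seconds".
check_site() {
  local url="$1" keyword="$2" tmp out code secs state
  tmp=$(mktemp)
  # -w appends the status code and total time; a connect failure gives 000.
  out=$(curl -sS -L --max-time 15 -o "$tmp" -w '%{http_code} %{time_total}' "$url" 2>/dev/null) || true
  [ -n "$out" ] || out="000 0"
  set -- $out
  code="$1"; secs="$2"
  state=$(classify_response "$code" "$(cat "$tmp")" "$keyword")
  rm -f "$tmp"
  printf '%s|%s|%s\n' "$url" "$state" "$secs"
}

# Check every "url keyword" line in a config file (constructed format, e.g.
#   https://example.com/  Example Domain
# "#" lines are comments). Return value is the number of sites not UP, so a
# cron job can mail you only when something needs attention.
monitor_all() {
  local cfg="$1" url keyword line bad=0
  while read -r url keyword; do
    case "$url" in ''|'#'*) continue ;; esac
    line=$(check_site "$url" "$keyword")
    case "$line" in *"|UP|"*) ;; *) bad=$((bad + 1)) ;; esac
    echo "$line"
  done < "$cfg"
  return "$bad"
}

# Usage: ./monitor.sh sites.conf   (file name is an assumption)
if [ "$#" -ge 1 ]; then
  monitor_all "$1"
fi
```

Pick a keyword that only appears when the real site renders (a footer string or the site title), not something a generic error page would also contain; run it from cron at the same 5 minute interval the free service uses, and the third field gives you the response-time trend the notes mention.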
Managed WordPress Hosting – The host is trying to help you as much as they can. They’re essentially trying to prevent you from hurting yourself. Can be somewhat limited.
Shared Hosting – This is the most common type of web hosting out there. You’ll be on a shared server with shared resources. The host will sell you different plans for different disk space or bandwidth allotments. You get a set amount of disk space and bandwidth but no guarantee of resources.
VPS – Excellent for the advanced user who may not need a huge amount of resources. This solution is highly scalable. Can increase and decrease resources fairly easily and quickly. Good to use if you do promotions and your site may experience a large amount of traffic at one time but on average doesn’t require a ton of horse power.
Dedicated Hosting – Large high-traffic sites that require high performance will want a dedicated box.
What Windows or Linux OS version are you running?
You want to make sure they’re running on the latest OS available. If they come back with an answer and they aren’t, ask them why that is and what is their plan to upgrade.
What Apache, Nginx, MySQL, PHP version are you running?
Updated versions containing bug fixes and security fixes for these types of things are released regularly. How is your host staying current?
How do you update to the latest versions of these?
What is their process? Do they update automatically without telling you? Do they have regular maintenance windows that you should know about? Do they never upgrade you unless you request it?
What types of things do you do to ensure my website will be secure?
Do they have some type of intrusion prevention? Do they do any traffic filtering or blocking at the firewall level before it even gets to your site? What types of antivirus scanning or tools do they have available on their web servers?
Do you have 24x7 phone support for all your levels of support?
While they may have 24x7 phone support, is there someone at the highest level that your issue can be escalated to if need be? Some hosts may only have a basic level of support available 24x7.
Don’t jump to conclusions – Maybe your site was down for a while, you weren’t available to immediately react, and by the time you could start investigating or troubleshooting it was back up. Give your host a call and ask what happened. A good host will be up front with you and tell you if there was an issue on their end. If you feel like your host isn’t giving you an explanation, maybe the person you’re talking to just isn’t knowledgeable enough, ask to have your call or ticket escalated. Larger companies have different tiers of support most times. That first person you speak to may not have all the answers.
Take ownership of your site – I can’t say this enough. If you are a business, or just a blogger. That site is your online presence. Just like you would want to maintain a clean office or house, you also need to maintain a clean website. Follow the best practices and some of my recommendations and you’ll have less problems. The more preventive maintenance you do, the less reactive fixing you’ll have to do.