When Was the Last Time You Backed Up Your Website?
on Wednesday, August 10, 2016
Let's start with a basic question. Have you ever backed up your website?
I've been a web developer for 12 years and no matter how many times I ask that question the answer is always the same. (Hint: Only two people have ever said yes.)
You know what else is the same? The excuses.
Excuse #1: I don't collect any credit card data on my website
Credit card theft isn't the only reason people hack websites.
Money is a big motivator, but when it comes to small mom and pop sites it's more about the resources. Hackers can turn your site into a zombie, they can insert malicious code so that your site becomes an infection machine, or they can use your site as a weapon in a distributed denial of service attack on larger targets. (DDOS) The one thing all three of these scenarios has in common is that your site will be down and if you don't have a backup you will have a hard time recreating it.
Excuse #2: Thinking it's personal
It's estimated there are more than 1 million  hacking attacks each day. Do you really believe the criminals know all those people?
With the exception of violent crimes like assault and murder, most crimes are committed by total strangers trying to make a fast buck, cyber crime is no different.
In 2014 the Center for Strategic & International Studies (CSIS) published a joint report with Mc Afee stating that the annual global cost of cyber crime was greater than $445 billion. That makes cyber crime a very profitable global business.
You may not think your little blog is worth the notice of a cyber criminal, but every one of the 1 billion websites currently on the web is a potential resource that can be co-opted for use as part of a network to infiltrate other websites, held for ransom or used as a conduit to valuable data which can be sold. No matter what their motivation, when your site is hijacked you will take it personally.
Excuse #3: Picturing the hacker as some geeky guy living in his mother's basement.
We're not talking about one guy sitting in the dark eating Cheetos and giggling as he takes down a website. These are highly motivated people using sophisticated tools and networks.
In fact, malicious hackers are frequently backed by foreign governments and large criminal organizations and fall into one of four groups:
- cyber criminals
- hactivists (people who hijack, hack or steal for the purpose of promoting their political or personal agenda)
- cyber espionage
- cyber warfare
It's not like the movies where you see one slightly awkward anti-hero typing away at a keyboard forcing his way through a firewall to shed the light of truth on whatever misdeed he thinks is being done. More often than not the hackers are a well-funded group of people sitting in an office with a lot of other people writing code that will do the menial tasks like breaking passwords and finding security flaws so they can steal information, wreak havoc and make a lot of money. Not to sound like a broken record, but the only way to get your website back online when this happens is by being proactive and doing regular backups.
Why You Need to Be Concerned
Hacking is real. You might even say it's inevitable.
And no, I am not kidding.
Every time someone goes to your website your server opens the door and says "Come on in!"
You can improve security by using strong passwords, staying current with security patches and being selective in what plug-ins you put on your site, but at the end of the day, you have to accept the fact sooner or later you will be hacked.
The internet is designed for sharing information and there is no physical way to keep out anyone who is intent on getting in.
The best you can hope for is to minimize the damage and the downtime. And the easiest way to do that is with regular backups.
Hackers Aren't Your Only Problem
I know I just spent the last five minutes talking about the inevitability of hackers, but they're only one of the reasons you need to be doing regular site backups. Hosting issues, bad updates, and incompatible plug-ins can also result in downtime.
I once had a web host who was the victim of a DDOS attack. I had five or six websites on my account, the only reason I was able to quickly find a new host and get all of my websites up and running was because I had backups.
The threat is real.
What would you do if your host suddenly went out of business? Would you have to start from scratch or could you just drop in the backup and tweak a few settings?
Content Management Systems (CMS) are another huge issue. All it takes is one bad update or incompatible plug-in to take you down.
Everybody loves WordPress and assumes that because they are so big anything labeled as a WordPress theme or plug-in must be okay. They are wrong.
It's fine if you buy from a reputable company like WooCommerce, but what about all those "free" plug-ins you find online?
It's like taking candy from a stranger. (Don't do it!)
Then there are the issues of security patches and regular incremental CMS upgrades.
The companies behind most popular CMS try to respond quickly to new security flaws, but they can't test for every scenario and it's not unheard of for patches and upgrades to break websites.
What Happens When You Don't Have a Backup-Up?
Before we go any further I need to explain that I am not including directions on how to do backups or recoveries because there are too many variables to include every possibility here. (web host, type of hosting account, type of website, which CMS, server, etc...)
My general rule of thumb is the average blog or small business website should do a complete account backup once a month and database backups either daily or weekly, depending on how frequently they post new information.
If you're only posting new information once a year I would still suggest you check your website daily and do a monthly backup and check for patches and security updates.
If you're not making regular backups, the best case scenario is one of those good news/bad news situations.
The good news is that your web host does routine server backups. The bad news is that they don't always do them every day and it's probably going to cost you some money.
Web host 1and1 does free monthly backups, but you're on your own when it comes to doing the recovery. Hostgator offers free weekly backups, but charges $15 to restore your website. They both sound pretty good compared to Wix who doesn't offer any way to backup your website and GoDaddy  who offers a confusing array of free and paid backup options and charges between $0 - $150 to restore a website.
No matter how you look at it, you're going to have some downtime and you're going to lose some data unless your site went down immediately after the backup. Just in case you're thinking that this doesn't sound too bad, if your website went down because of a bad update or plug-in, you better hope that the backup your web host has on file is from before you made the change.
Sadly, all the other scenarios go from really bad to unrecoverable.
If you have a situation where you need to change hosting accounts because your current host is experiencing extended downtime, has gone out of business or is holding your website hostage, there is no way to recover your existing website without a backup.
Ignore it at Your Own Peril...
Downtime is not something you can ignore. I know it can feel overwhelming, but leaving a compromised or broken website on the internet will lead to even worse consequences like a negative brand image, loss of income and blacklisting.
Your website is the most visible symbol of your brand. People will understand if your host is down or if you got hacked, but when they see McAfee pop-ups and Google warnings for more than 24 hours they will question how professional you are any why you haven't done anything about it.
Then there's the money. It doesn't matter whether your website is a storefront or simple business card, a down website means your business is closed and you will lose sales.
The biggest repercussion of not recovering a hijacked website in a timely fashion is that your domain and email will be blacklisted by virus software companies, major browsers, internet and email providers. You can petition to have your URL removed from their lists after you prove that you've taken control of your website, but it's a tedious, time-consuming process and there will always be a few email companies who don't update their databases.
If any of these things happens and you don't have a backup, do yourself a favor and take the site down. A basic HTML temporary landing page is a much better option than one of those red pop up boxes and will give you some breathing room until you can figure out how to rebuild your site.
Now that we've reached the end I want to make sure you understand I am not exaggerating. At one point or another, I've seen all of these scenarios happen to people right here in New Hampshire and they could all have been avoided by doing regular backups.
1. Symantec 2016 Internet Security Threat Report
2. Center for Strategic & International Studies Net Losses: Estimating the Global Cost of Cybercrime, 2014
3. This schedule is an opinion based on my own observations of client behavior. Ideally, websites would be set for daily automatic backup, but that is not going to happen in the real world.
4. 1and1 Hosting Activate Automatic Backups for Your Wordpress Install
5. Hostgator charges $15 to restore your website from their server backup file, but will do it for free if you provide your own backup.
6. Wix does not provide any backups - you can "copy" and old version of your site from the dashboard, but that doesn't help if you want to move to a new host.
7. GoDaddy does not appear to have one consistent backup/restore policy for all of their web hosting products. Some products have free backups, others require a monthly fee. Please see the help section for your account for information about fees and procedures to back up or restore your GoDaddy website.
8. Never use your web host as your domain registrar. If you think losing your website is bad, try losing your website and your domain name. I have heard too many first-hand tales of woe from people who had disputes with their host and discovered that because their host was the registered owner of their domain they could not take their URL with them when they changed hosts.