security | Photocrati (https://www.photocrati.com) - WordPress Themes for Photographers

The Importance Of Keeping WordPress Sites Up To Date
https://www.photocrati.com/keeping-wordpress-up-to-date/
Tue, 27 Jan 2015 12:00:08 +0000

WordPress is software.  WordPress is also software that is exposed to the Internet.

That means your website is exposed to attackers who exploit vulnerabilities in that software.

That doesn’t mean WordPress is a bad choice for a site’s infrastructure.  Quite the opposite.

WordPress is still the best website platform available as it makes your life easy as an end user.

There are things you can do, simple things, to protect your website against attacks.

We’ve talked about backups and security in the past, but we feel it’s important enough to bring up again.

First and foremost, you can keep your site updated.  There are several separately updatable components within WordPress, and all of them should stay current.

Let’s discuss those.

  • WordPress – The core system behind your website.  Up until 2014, WordPress received perhaps one or two major updates a year, with a few minor updates in between.  Since 2014 it has been updated much more often, with both minor and major releases, many of which include security fixes for components you would never expect to be vulnerable.
  • Themes – Just like the WordPress core, most themes get updated with new features, bug fixes and security patches.  You should see more updates with premium themes than free themes, however.  Premium theme developers are typically more proactive when it comes to addressing security issues, and because you are paying, are more likely to add features.
  • Plugins – Like themes, plugins are often updated with new features, bug fixes and security patches.  So keeping up to date means you’re keeping your website as safe as you can.

There are, of course, additional layers of protection you can add to your site.  Let’s go over some of those, starting with security plugins.

Security Plugins

There are many security plugins available for WordPress.  Generally we do not recommend plugins that hard-code changes into your site's files.  While in theory that can add a higher level of protection than the other options, it has a tendency to break themes and plugins.

So instead we recommend lighter but effective security plugins that monitor your site for odd behavior.  For example, Limit Login Attempts watches the login form for repeated failed attempts and blocks the offending IP address once the number of failures you configure is reached, for the lockout period you designate.
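As an added example (not code from Photocrati or from the Limit Login Attempts plugin), the following Python shows the mechanism such a plugin applies: count failed logins per source IP in a sliding window and lock the IP out once a threshold is crossed, with the lockout doubling for repeat offenders. The thresholds, the escalation rule and the sample event stream are assumptions made for the illustration.

```python
"""Failed-login throttle of the kind a plugin like Limit Login Attempts applies.

Added example, not code from Photocrati or from the plugin.  The thresholds,
the lockout escalation and the sample event stream are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy: after MAX_FAILURES failed logins within WINDOW seconds the
# source IP is locked out for BASE_LOCKOUT seconds; each further lockout doubles.
MAX_FAILURES = 4
WINDOW = 20 * 60        # seconds
BASE_LOCKOUT = 20 * 60  # seconds
MAX_LOCKOUT = 24 * 3600


@dataclass
class IpState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0
    lockouts: int = 0                             # escalation counter


class LoginThrottle:
    def __init__(self):
        self.state = defaultdict(IpState)

    def check(self, ip: str, now: float) -> bool:
        """True if the IP may attempt a login at time `now`."""
        return now >= self.state[ip].locked_until

    def record(self, ip: str, now: float, success: bool) -> str:
        """Record an attempt; return 'allowed', 'blocked' (still locked out)
        or 'locked' (this attempt triggered a lockout)."""
        st = self.state[ip]
        if now < st.locked_until:
            return "blocked"           # even a correct password is refused while locked
        if success:
            st.failures.clear()        # a good login resets the counter
            return "allowed"
        # keep only failures inside the sliding window, then add this one
        st.failures = [t for t in st.failures if now - t < WINDOW]
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.lockouts += 1
            duration = min(BASE_LOCKOUT * (2 ** (st.lockouts - 1)), MAX_LOCKOUT)
            st.locked_until = now + duration
            st.failures.clear()
            return "locked"
        return "allowed"


# Constructed sample events: (seconds since start, ip, username, success)
SAMPLE_EVENTS = [
    (0,  "203.0.113.7",  "admin", False),
    (3,  "203.0.113.7",  "admin", False),
    (6,  "203.0.113.7",  "admin", False),
    (9,  "203.0.113.7",  "admin", False),   # 4th failure -> locked out
    (12, "203.0.113.7",  "admin", False),   # blocked during lockout
    (30, "198.51.100.2", "scott", False),   # one typo from a legitimate user
    (35, "198.51.100.2", "scott", True),    # then a good login
]


def replay(events=SAMPLE_EVENTS):
    """Run the sample stream through the throttle; return ([(ip, verdict)], throttle)."""
    throttle = LoginThrottle()
    out = []
    for t, ip, _user, ok in events:
        out.append((ip, throttle.record(ip, float(t), ok)))
    return out, throttle


if __name__ == "__main__":
    results, _ = replay()
    for ip, verdict in results:
        print(f"{ip:14} {verdict}")
```

A correct password presented during a lockout is still refused, which is what stops a slow brute-force from succeeding on the attempt that happens to guess right; the legitimate user's single typo never reaches the threshold.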

Wordfence is a very popular solution.  It does not hard-code changes, but it can monitor your site in real time or on a schedule.  The plugin is free and also has premium features, but even the free version can serve you very well.

Sucuri is a WordPress security company that also provides a free plugin which can scan your site and log changes.  They also have a premium service which adds automated scheduling and additional vulnerability scanning.  Sucuri's services also come with hack response, to clean up your site in case the worst happens.

Services

I have already mentioned Sucuri's premium service.  But we thought we'd share another option as well.

VaultPress is a plugin and service made by Automattic, the company responsible for WordPress.com.  They have plans which can backup your site to their system and also scan your site for hacks.

There are a variety of similar services, but not all come with security scanning like VaultPress.

Hosting

Last, but definitely not least, another layer of protection is a good hosting company.  Many shared hosting providers offer security scanning, like SiteGround.  There are also managed WordPress hosts that work with third-party security companies to do regular scanning, like WP Engine and Synthesis.

The key to host security is to make sure you understand exactly what security is being done and how it’s handled. For example:

  • Are they just scanning for hacks?
  • Are they proactively protecting against hacks?
  • Are they responding to hacks by restoring to the latest backup?
  • Are they using the latest MySQL and PHP versions?

Questions like that can help guide you in the right host direction. You can read more about hosting with WordPress here.

Conclusion

Even with everything kept up to date, a security plugin in place and proper hosting, there is still no 100% guarantee against your site being hacked.  It is impossible to guarantee protection.  However, by doing everything you can to protect yourself, you reduce the likelihood of a successful attack substantially.

As always, if you have questions please comment or send us an email.  We are happy to help.

How To Help Prevent Your WordPress Site From Breaking & Being Hacked
https://www.photocrati.com/help-prevent-wordpress-site-breaking-hacked/
Tue, 26 Feb 2013 12:00:00 +0000

We are often asked about WordPress security, and while we are not security professionals, we are happy to share some advice. If you need specific advice for your website, please contact a WordPress security expert like Sucuri.

Recommendations

I will start with some recommendations and then move into answering some common questions that come into Photocrati support.

Backup: Files & Database

BackupBuddy is a fantastic WordPress plugin to automate full-site backups. However, there are many free alternatives in the WordPress plugin directory that can also get the job done, for example WordPress Backup to Dropbox. Keeping regular backups off the server (not only on the same host as the site) is ideal, so the site can be restored if something does happen.

  • BackupBuddy – Premium plugin with annual subscription. Can back up to FTP, Amazon S3, Dropbox and more
  • WordPress Backup to Dropbox – Free with premium upgrades. Can back up to Dropbox only
  • VaultPress – Premium plugin with monthly subscription. Service from Automattic, the company behind WordPress.com

Of course, there are many other backup plugins available. If you have one to suggest please comment below.

Database Optimizing

Keeping your WordPress database optimized is one of the ways to keep it running fast and healthy. Optimization can be done directly with a database tool, but that should only be attempted by someone who fully understands the tool. There is a plugin that lets anyone optimize the database safely at any time: WP-Optimize is one of the more popular tools of its kind.

Of course, there are many other database optimization plugins available. If you have one to suggest please comment below.

Security: Monitor & Fix

Because of its popularity, WordPress is targeted by attackers far more often than other content management systems. One of the top security plugins, free in the directory, is Wordfence. Let it monitor and safeguard certain aspects of your site. Some security services also include incident response, where their staff will log in and clean up the site if it is compromised.

  • WordPress Firewall 2 – Free plugin with limited capability
  • Wordfence – Free and premium plans – many free options for monitoring levels
  • Sucuri – Premium plans starting at $89 per year. Includes malware cleanup
  • VaultPress – The $40 plan comes with security features

Of course, there are many other security plugins available. If you have one to suggest please comment below.
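The "scan your site and log changes" that Wordfence and Sucuri perform comes down to a file-integrity baseline. The following Python is an added example of that mechanism, not code from either product or from Photocrati: it hashes every file under the site root, skips directories that change legitimately (an assumption; adjust the list for your site), and reports files added, removed or modified since the last baseline. The miniature site it builds in a temporary directory, and the tampering it applies, are constructed for the demonstration.

```python
"""File-integrity baseline and diff: the mechanism behind "scan your site and
log changes".  Added example, not code from Wordfence, Sucuri or Photocrati.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: directories whose contents change legitimately and should not be
# flagged.  Uploads are excluded here only to keep the demo focused; a real
# scanner would still flag executable files appearing under uploads.
SKIP_DIRS = {"wp-content/cache", "wp-content/uploads"}


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of relative path -> sha256 for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in SKIP_DIRS):
            continue
        baseline[rel] = file_sha256(p)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Report added, removed and modified files between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo() -> dict:
    """Build a tiny constructed site, snapshot it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'site');\n")
        (root / "wp-includes" / "functions.php").write_text("<?php function wp_x() {}\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8jpeg")

        before = build_baseline(root)  # in practice: json.dump(before, ...) off-server

        # Simulated tampering: a core file edited, an unexpected PHP file dropped,
        # and a new upload (which the skip list ignores).
        (root / "wp-includes" / "functions.php").write_text(
            "<?php function wp_x() {} /* unexpected edit */\n")
        (root / "wp-content" / "x.php").write_text("<?php /* unexpected file */\n")
        (root / "wp-content" / "uploads" / "photo2.jpg").write_bytes(b"\xff\xd8")

        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline off the server, since a compromised host can rewrite it along with the files, and rebuild it immediately after every legitimate update so the next diff shows only unexpected changes.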

Security: Admin Accounts

The most important thing I can tell you about your admin account(s) is this: your admin account should not be called "admin". In fact, it should not be your name. Call it something that no one would guess by looking at your website or social profiles; for example, your admin account could be named "RainSnow." The account you use on a regular basis can carry your name, but give it a role below administrator, such as editor. One caveat: the login name is not truly secret (WordPress author archive URLs can reveal it), so treat the unusual name as a small hurdle and rely on a strong, unique password and a login rate limiter for the real protection.

Hosting: Good, Better, Best

Many hosting companies offer several styles of hosting. At Photocrati, we recommend Bluehost for our customers (who do not photograph adult-oriented images) because of their highly rated shared hosting platform. What many don't realize is that Bluehost also offers virtual private server hosting, which provides more speed, security and flexibility for websites. Other hosts we like are WP Engine and Synthesis, who provide WordPress-specific hosting and regularly scan for security vulnerabilities.

  • SiteGround – A very popular hosting solution, that is proactive when a hack is detected. They offer shared hosting, cloud hosting and more.
  • WP Engine & Synthesis – Great option for heavy WordPress users that want the highest security without separate security fees. Both use Sucuri for regular security checks. In addition, both offer built-in daily backups, similar to Apple’s Time Machine. The feature can be very useful if something goes wrong and you want to turn back the clock to the previous day.

Of course, there are many other web hosting solutions available. If you have one to suggest please comment below.

Common Questions

Now I am going to share some common questions we have through Photocrati support.

I’m afraid to update WordPress/plugins because I am worried it will break my site!

Understandable, and you are not alone. My best advice is as follows.

  • Keep your backups up to date. If possible, schedule backups to run daily or weekly.
  • Whenever a plugin, theme or WordPress has a minor update (e.g., 3.4 to 3.4.1), update it right away. Minor updates typically contain important bug or security fixes.
  • If a plugin, theme or WordPress has a major update (e.g., 3.4 to 3.5), hold off until developers and other users have put the update through further live testing. Or, if you have access to another WordPress install, duplicate your live site to a "staging" or "development" site and update there to see whether it's safe to update the live site.

Here is an article I’ve written with more on WordPress updates.

Here is an article discussing how to manually create a secondary (or staging) site or use BackupBuddy to create one.

It is also worth noting that all WP Engine plans come with a staging site feature where you can automatically create a staging site at any time.

Can I revert back to an older version of WP, Theme, Plugin if my site does break?

As mentioned, before updating anything on a live (production) site, create a backup.

To answer the question, it depends on the update. With a minor update the database is usually changed little, if at all. If that's the case, replacing the WordPress files on your server should revert smoothly. A major WordPress update usually includes database changes, so reverting the files alone is likely to break the site; you would also need to restore the database from the backup taken before the update. A backup plugin like BackupBuddy (mentioned and linked above) makes reverting to older versions smoother.

Typically with themes and plugins you can revert at any time, but you will have to speak to the developers of each. With the Photocrati theme, reverting is safe with minor updates. Major updates typically have database changes. The same goes for NextGEN Gallery.

What if my site breaks, and I lose everything? How can I restore my site to a working version?

This is where a backup tool comes in. Of all the backup plugins available, BackupBuddy has the easiest restore process for a WordPress website. Another option is going with a host that supplies backups on a daily or weekly basis (as mentioned above).

How do I do a full backup of my site before upgrading?

Most backup plugins will do a full backup of all the files on the server. However, not all of them can or will back up your database, which is just as important. When choosing a backup plugin, make sure the one you pick backs up the database as well. Many of these plugins also have a one-click option to run the backup. My upgrading workflow is:

  1. Manually click the backup button to get it going
  2. Wait until the backup is complete and confirmed
  3. Perform the upgrades
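The minor/major rule from the first question and the three-step backup-then-upgrade workflow above can be made mechanical. The Python below is an added example, not Photocrati's or BackupBuddy's tooling: it assumes WP-CLI (the `wp` command) is installed on the server, takes the site root and a backup directory as arguments, and refuses to touch the site unless the database export and file archive both succeed and are present. The `run` and `exists` parameters exist so the flow can be exercised with fake commands before it is pointed at a live site.

```python
"""Backup, confirm, then update: the upgrade workflow from the article,
driven by WP-CLI.  Added example, not Photocrati's or BackupBuddy's code.
Assumes the `wp` command is installed on the server (an assumption)."""
import subprocess
import sys
import time
from pathlib import Path


def update_kind(old: str, new: str) -> str:
    """Classify a version bump as the article does: 3.4 -> 3.4.1 is 'minor'
    (apply right away), 3.4 -> 3.5 or 3.9 -> 4.0 is 'major' (test on staging first)."""
    o = [int(x) for x in old.split(".")]
    n = [int(x) for x in new.split(".")]
    o += [0] * (3 - len(o))
    n += [0] * (3 - len(n))
    if n[:2] == o[:2]:
        return "minor" if n > o else "none"
    return "major"


def shell_run(cmd: list) -> int:
    """Real command runner: execute and return the exit status."""
    return subprocess.run(cmd).returncode


def artefact_present(path: Path) -> bool:
    """Real backup check: the file exists and is not empty."""
    return path.is_file() and path.stat().st_size > 0


def backup_then_update(site, backup_dir, run=shell_run,
                       exists=artefact_present, now=None) -> list:
    """1. back up database and files; 2. confirm both artefacts are present;
    3. update core, plugins and themes, migrate the DB and verify core checksums.
    Returns the commands issued.  Raises RuntimeError, before any update is
    applied, if a backup step fails."""
    site, backup_dir = Path(site), Path(backup_dir)
    issued = []

    def do(cmd):
        issued.append(" ".join(cmd))
        return run(cmd)

    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    db_dump = backup_dir / f"db-{stamp}.sql"
    files_tar = backup_dir / f"files-{stamp}.tar.gz"
    wp = ["wp", f"--path={site}"]

    # Step 1: database dump, then an archive of the whole document root
    if do(wp + ["db", "export", str(db_dump)]) != 0:
        raise RuntimeError("database export failed; not updating")
    if do(["tar", "-czf", str(files_tar), "-C", str(site), "."]) != 0:
        raise RuntimeError("file archive failed; not updating")

    # Step 2: confirm the backup is complete before touching the site
    for artefact in (db_dump, files_tar):
        if not exists(artefact):
            raise RuntimeError(f"backup missing or empty, not updating: {artefact}")

    # Step 3: apply updates; any failure names the backup to restore from
    steps = (["core", "update"], ["plugin", "update", "--all"],
             ["theme", "update", "--all"], ["core", "update-db"],
             ["core", "verify-checksums"])
    for step in steps:
        if do(wp + step) != 0:
            raise RuntimeError(f"wp {' '.join(step)} failed; restore {files_tar} and {db_dump}")
    return issued


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: backup_then_update.py <site-root> <backup-dir>")
    for line in backup_then_update(sys.argv[1], sys.argv[2]):
        print(line)
```

The final `wp core verify-checksums` step compares the installed core files against the checksums WordPress.org publishes for that release, so a modified core file left behind by an earlier compromise shows up right after the update rather than later.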

How do I know if the new version will fix my issue?

Take a look at the changelog that comes with themes or plugins. Each plugin in the WordPress directory should have an included changelog. For example, here is a link to NextGEN Gallery’s changelog page in the WordPress directory. Many themes, like Photocrati, publish a blog article with the changes, in addition to including a changelog file within the theme’s ZIP. Here is a link to the Photocrati changelog archive.

In a changelog, developers include what is new, what was fixed and what was changed. Before doing an update, look at the changelog to see if it addresses your issue. If so, check the issue after updating.

If you are not seeing the fix, verify that you do not have caching activated on your website or server, because cached pages will delay the change from showing. Many WordPress users run plugins like WP Super Cache or W3 Total Cache. Both can be very effective for speeding up your website, but both keep serving the cached copy until the cache expires or is purged, so updates can take a while to appear.

Clear the cache and, if the change still doesn't appear, temporarily deactivate the caching plugin to see the live site. Reactivate it when you're done.

If your issue was addressed in the changelog, but you continue to see the issue after updating, then contact the developer.

I’m worried about being hacked, how can I protect my site?

Pick one security plugin and keep it active and monitoring your website. I personally recommend Wordfence due to its many options and levels of security. In addition, their premium plans are not too expensive if added security is needed. I also host with WP Engine, so I know that my site will regularly be scanned by Sucuri thanks to the relationship between the companies. Between my host, their security measures and Wordfence, I feel comfortable with my website.

For more security tips, please visit my article, Secure Your WordPress Website (Do It).

Oh no! My site got hacked, how can I fix it?

If you want to handle the hack on your own, it's best to wipe your server clean and restore from a backup that predates the compromise. Before doing so, try to figure out how the attacker got in and what was vulnerable, and after restoring, change every password involved (WordPress users, database, FTP/SSH and hosting control panel), otherwise the attacker can simply log back in. Keep in mind that on a shared host, like Bluehost or Dreamhost's starter plan, your website can be exposed if someone else on the same server gets hacked.

My personal recommendation is to hire a company like Sucuri to fix your hack. Because Sucuri handles WordPress security on a daily basis, it is likely they can identify and fix the problem fairly quickly.

My site is so slow, what can I do to help speed things up?

There are many things you can do to speed up your website. The list below will cover a few of the things you can do, that can make obvious improvements.

  • Go with a better hosting tier, not necessarily a different provider. For example, a VPS (virtual private server) will typically serve your pages to a visitor faster than a shared host, because the resources are not shared with other tenants.
  • Reduce the amount of front-end plugins that are running on your website. For example, if you have Facebook or Disqus comments live on your website, and not many people are commenting, then remove them. Try to only keep plugins on your website that are used on a regular basis or are crucial to the function and security of your site.
  • Do not use multiple security or caching plugins. Doing so can cause conflicts and actually slow down or break your website.
  • Keep your database optimized (mentioned above)

What plugins do you suggest to help speed up my site?

As mentioned above, WP Optimize is a great plugin for keeping your database clean and optimized. If you would like to see which plugins are affecting page speed, there is a great plugin that tests the front end of your website. Download P3 Plugin Performance Profiler and give it a try. The results will show you WordPress, theme and plugin load speed. Of course, there will be things that you cannot remove, so the plugin is best for identifying plugins that are slowing down your site. I ran this on my own website and found one plugin causing a major drain on my page speed. See the results and how I used P3 to speed up WordPress.

Conclusion

If you have any other advice or suggestions for the Photocrati and NextGEN Gallery community, or anyone who stumbled upon this article then please comment below to share.

Thanks for reading,

Scott

A Free eBook On WordPress Security
https://www.photocrati.com/a-free-ebook-on-wordpress-security/
Fri, 13 Jul 2012 16:32:52 +0000

For many WordPress users, security is often a reactive thing rather than proactive.

I won’t be the first or last person to say this, but… it’s time to be proactive.

With WordPress being one of the most popular website platforms on the Internet, it is a constant target for new attacks. So now it's time for you to close your image-processing software and pick up this free eBook from Code Poet.


“It’s easy to blame WordPress when your client’s site gets hacked and you’re trying to talk them off the ledge because their beloved site is now hawking Viagra on every single page. Your clients start to question you, and to question this WordPress thing you told them would be so easy to use and maintain.”

The eBook offers excellent advice, much of which can be implemented by non-coders, like photographers.

Visit Code Poet to download the free PDF, ePub or Kindle eBook.

Thanks for reading,
Scott

Hey photography's legal again, uh, not so much
https://www.photocrati.com/hey-photographys-legal-again-uh-not-so-much/
Sun, 02 Aug 2009 12:56:31 +0000

A while ago I wrote about the NYPD being re-informed of our rights to take pictures of, well, whatever we want. It seems Homeland Security Secretary Janet Napolitano didn't get that memo …

http://www.pdnpulse.com/2009/07/homeland-security-secretary-report-suspicious-photographers.html

Here’s an idea. Instead of calling the cops on people with cameras we call the cops on politicians who speak before thinking.

Hey, photography is legal, how about that!
https://www.photocrati.com/hey-photography-is-legal-how-about-that/
Tue, 26 May 2009 16:56:23 +0000

Anyone who's ever tried to do some serious photography in public places has had to deal with curious, and on occasion, concerned people interested in what you're doing. At times some of those interested parties have badges, whether official government badges, or private security badges. Sometimes those badges come with demands that you stop shooting, explain yourself, move on, hand over images, get on the ground, etc.

Now, there are a few legitimate legal issues surrounding someone asking you not to photograph someone or something. (You’re probably not going to be able to just walk into your town’s emergency operations center and start taking pictures.) Many cities, towns and parks require a permit in order to shoot commercially in their jurisdiction. Usually this is just to make sure you’re not going to disrupt the goings on, and if you are, to make sure that someone pays for that disruption (i.e., you).

But outside of legal reasons, there are all kinds of, well, just plain dumb reasons for you to be at the receiving end of a “STOP!”

Usually these are undertaken by overzealous private security guards ignorant of the legal framework involved. Usually a few polite “yes sir, no sir, thank you sirs” will move them on their way and let you get back to work. If you’ve just missed the sun being in the perfect place because you’re being hassled by a security guard, it is certainly frustrating. But if your shot is that dependent on the perfect light, you would have done well to contact the security office and inform them of what you’re doing ahead of time so you can get all this silliness out of the way.

Occasionally you'll come across an officer who's bored or just plain mean and it will move beyond that. For times like this, having a firm grasp of your rights is key. Attorney Bert Krages published his Photographer's Bill of Rights years ago and it's been travelling around in my camera bag for a while. Being able to confidently (and politely) explain your rights in a way that makes them realize you're not going to be intimidated is very helpful. The NYPD also recently clarified New York City's policy on photography.


Overall, remember that there are a lot of people out there who are afraid of the world and who see problems everywhere. Sometimes they will make your life difficult. Grace and civility will usually smooth things over, and remember, photographers already have a pretty crappy reputation in the world; being a schmuck every time you come across a badge isn't going to help.
