Why it's not your host's fault

Editor's Notes

• #2: Welcome everyone. I hope everyone is having a good WordCamp so far. The title of my talk today is Why it’s not your hosts fault. Lets be perfectly honest here, sometimes it is.
• #3: My family Working in IT for 10 years Currently work for a local cloud hosting company Bad experiences too Working for a host has opened my eyes
• #4: Your site got hacked – I’ll talk about some ways you can secure and harden your WordPress site. Your site was down temporarily and you’re furious – There are several things that could have gone wrong to cause an outage. I’ll try to shed some light on some of them. Ways you should take ownership of your site – Backups, Test restores, Monitoring, Stay up to date Things to look for and ask your host about
• #5: Lets do a little crowd interaction. By show of hands lets see who you guys use for hosting.
• #6: Don’t do this. I’m sure many of you know who Marcus Couch is. Marcus is a fairly big name in the WordPress community I would say. He has been on many podcasts, hosted many of his own podcasts. Most notably to me at least is the WordPress Weekly podcast at wptavern.com. I respect a lot of what Marcus says but this bothers me a bit. If you have an issue with your host, don’t take to social media. Reach out to the host with a level head and work together to resolve the problem. If you’re still unhappy after that then find a new host. I guarantee you they have more happy and satisfied customers than upset ones.
• #7: Seen a hacked site with scrolling matrix background
• #8: Image on right is from Plesk control panel WordPress Toolkit Easy hardening steps listed here. Not going in depth on how to configure these. Don’t use admin as a username, used to be default username Don’t’ use wp_ DB for your DB table prefix – SQL injection attack Don’t share a DB or user accounts – One site compromised All sites compromised Secure your wp-config.php file – Deny access in your .htaccess file. Modify permissions on this file so only you and the web server can read the file Secure your wp-includes folder – You should not be able to execute php files from here. In a browser try browsing directly to one of the php files in your wp-includes folder. You should receive an error. Limit access to wp-admin by IP– You can limit access to yoursite.com/wp-admin by IP address. This can be done in your .htaccess file. You can add multiple IP addresses. Great for companies with static IP addresses. Can be more difficult with home consumers who would generally have a dynamic IP address. Use Two Factor authentication – Security and passwords is no laughing matter. It is a good practice to implement 2 factor authentication on your wp-admin login. I use a Clef. They have a plugin, just add it to your site and follow the setup instructions. Took me like 2 minutes to setup, it was very easy. You download an app to your smart phone. Codex Hardening WordPress & Brute Force Attacks – Please check out these pages and read them from top to bottom. I recommend implementing as many of the suggestion as possible. Implement in a dev environment first though as some of these may cause some of your plugins to not function correctly. Updates - This is a no brainer. Make sure you keep your WordPress version current as well as plugins and themes. There is no excuse. Before updating though make sure you have a good backup and or test the updates in your dev environment. Updates also extend beyond WordPress. Most hosts will allow you to choose from different versions of PHP. Make sure you’re running an actively supported version of PHP. Story: I have a customer that has to remain on PHP 5.3 due to a very old version of Drupal. This is just asking for trouble in the near future. PHP 5.3 is no longer under active support. Use as little plugins as possible. Don’t leave deactivated plugins installed on your site. If they are deactivated and you’re not using them get rid of them. Also make sure they are still actively being supported. When was it last updated?
• #9: The server itself - This could be a Windows server or Linux server. Both of which have regular patches and security updates that in some cases require reboots of the server. Web server - IIS and Apache also have new versions that come out that your host may want to upgrade to. At a minimum this will require a restart of the services. Database server – MySQL comes out with new versions as well. Control Panel - Your host may be running a control panel like Plesk or cPanel. Those have regular updates to resolve bugs or security vulnerabilities. Story about upgrading Plesk and it resetting permissions on DLL that was used by a customer site. Customer was running a CMS, not WordPress. I performed one of my regular Plesk control panel updates and did my usual post upgrade testing. This particular customer uses a CDN so the issue wasn’t immediately apparent. Several hours later their cache must have expired or they did a reset and boom all of a sudden their site went down and was throwing an error in the browser. DNS – Depending on what solution your host is using for DNS. There are also updates for this. Bind or some other DNS solution. All of the above requirements have regular updates. Your host is hopefully keeping them up to date with current versions. Updating them often requires a reboot of the server or at a minimum a restart of services.
• #10: This is the biggest problem I see. If you’re a developer, make sure you educate your clients properly. What I generally get is a customer calling me stating something is wrong with their website, they don’t even know how to login to the control panel, or WordPress admin dashboard. They’re completely clueless. 9 times out of 10 they will also tell me they had developer John Smith build the site for them 2 years ago. Understand what your host provides Log into your control panel, browse around, click on things, read. If you are unsure, ask your host DNSSEC – Domain Name System Security Extensions. Prevents DNS cache poisoning among other things. DNSSEC isn’t new but hasn’t been widely adopted. Many hosts offer it but not many people are utilizing it. If your host offers it do some research and look at implementing it. Backups You may think this is a no brainer but its not. People do not do backups, I can’t understand why, they just don’t. You need to do backups people! Restores You need to test restoring your site from the backups otherwise you don’t know if the backup is any good or not.
• #11: Ways you can backup your site You can take manual backups through cPanel. Scheduled backups are not allowed by default, your host needs to enable that feature. With Plesk you can scheduled automatic backups, and you can set retention periods. Both of these also offer ways to restore your site from those backups. There are a lot of different plugins out there that will do backups for you.
• #12: Monitoring I use uptimerobot.com. I do http checks and keyword checks on all my sites. This tells me A if the web server that hosts my site is up or not, and B that my sites haven’t been defaced in anyway or hacked. I’m just using their free plan. 5 minute monitoring intervals, up to 50 monitors, maintains 2 months of logs. I have mine setup to send me emails, I also have an RSS feed that I use in Outlook. Also has integrations to Slack. Uptimerobot.com also checks for response time and logs it to a graph which is nice. I can see how fast my web server is responding to uptimerobots check. Other solutions out there, Jetpack can notify you if your site is down, etc.
• #13: Managed WordPress Hosting – The host is trying to help you as much as they can. They’re essentially trying to prevent you from hurting yourself. Can be somewhat limited. Shared Hosting – This is the most common type of web hosting out there. You’ll be on a shared server with shared resources. The host will sell you different plans for different disk space or bandwidth allotments. Given set amount of disk space and bandwidth but no guarantee to resources. VPS – Excellent for the advanced user but may not need a huge amount of resources. This solution is highly scalable. Can increase and decrease resources fairly easily and quickly. Good to use if you do promotions and your site may experience a large amount of traffic at one time but on average doesn’t require a ton of horse power. Dedicated Hosting – Large high traffics sites that require high performance will want a dedicated box.
• #14: What Windows or Linux OS version are you running? You want to make sure they’re running on the latest OS available. If they come back with an answer and they aren’t, ask them why that is and what is their plan to upgrade. What Apache, Nginx, MySQL, PHP version are you running? Updated versions containing bug fixes and security fixes for these types of things are released regularly. How is your host staying current? How do you update to the latest versions of these? What is their process? Do they update automatically without telling you? Do they have regular maintenance windows that you should know about? Do they never upgrade you unless you request it? What types of things do you do to ensure my website will be secure? Do they have some type of intrusion prevention? Do they do any traffic filtering or blocking at the firewall level before it even gets to your site? What types of antivirus scanning or tools do they have available on their web servers? Do you have 24x7 phone support for all your levels of support? While they may have 24x7 phone support. If needed is there someone at the highest level that your issue can get escalated to if need be? Some hosts may only have basic level of support available 24x7.
• #15: Don’t jump to conclusions – If your site was down for a while and maybe you weren’t available to immediately react, and when you did get to a place where you could start investigating or troubleshooting it was back up. Give your host a call and ask what happened. A good host will be up front with you and tell you if there was an issue on their end. If you feel like your host isn’t give you an explanation, maybe the person you’re talking to just isn’t knowledgeable enough, ask to have your call or ticket escalated. Larger companies have different tiers of support most times. That first person you speak to may not have all the answers. Take ownership of your site – I can’t say this enough. If you are a business, or just a blogger. That site is your online presence. Just like you would want to maintain a clean office or house, you also need to maintain a clean website. Follow the best practices and some of my recommendations and you’ll have less problems. The more preventive maintenance you do, the less reactive fixing you’ll have to do.