WordPress Security Problems
Here's how I tackled my security problems by moving to WordPress Managed Hosting! I hope this post will be helpful for anyone who has had these problems and is at their wits' end to know how to solve them. Like I was.
This post, originally written at the end of February 2016, has now been updated to reflect my first three months with Pressidium and updated again at the end of February 2019.
Regular readers will have seen my earlier posts – probably too many over the months to mention individually – stressing about my poor hacked blog, despite all the security measures I had tried to take.
I have had so many hacked WordPress sites, over various hosting companies, that I was seriously considering giving up blogging altogether. I'm a part-time blogger, so trying to secure my sites and clean them up was actually taking more time than I was spending writing and promoting them.
Whatever I did, the hackers seemed to be winning. The worry this caused me had taken away almost all the pleasure of blogging.
Have you felt the same way? If you've ever had a hacked WordPress site you'll probably understand how I felt.
And more to the point, if I didn't have a solution for my own blogs, how could I advise new bloggers about blog security?
Who Has A Backdoor Into Your Blog?
How the hackers got into my site, I don't know. For years – ever since I became aware how important it was to do so – I've kept my sites up-to-date, had strong passwords and used security plugins.
Yet my site was severely damaged – despite appearing completely fine to visitors and even within the WP dashboard.
The only warning was that, every so often I would get a message from my previous hosting company to say that my site had been compromised. This was then followed up by frantic efforts on my part, password changing, and then back to a few more weeks of peace, lulled into a false sense of security.
What I hadn't at the time understood was that despite all seeming well on the surface, my blogs had “back-doors” into them, which meant that the hackers could come into my site at will and do whatever they wanted.
So adding the security plugins I mentioned in my last post was locking the stable door after the horse had bolted!
All this has come as a bit of a revelation to me over the last few weeks. YOU maybe know all this, but despite having been blogging for about three years, I have only become aware of the full extent of the threat over the last few weeks.
- My blog looked fine, to visitors and even within the dashboard
- It passed various security scans with no problem
- Google was still sending me traffic (according to my Analytics)
- I had a “HackAlert” service with my hosting company and I kept getting weekly “clean” reports
Is Shared Hosting A Security Problem?
I don't even know which hosting company I was with when the site was originally compromised. I've been through a few, to be honest, and the ultimate reason for leaving all of them was because my site was hacked.
Every hosting company I've been with says it wasn't their security that was breached, and blamed me. But I genuinely feel I had done as much as, and probably more than, the average WordPress site owner.
What I didn't realise was that as I moved to each new hosting company, having been hacked earlier, I was probably dragging the damage from each hosting company to the next – although it's surprising that a new hosting company doesn't routinely scan your sites before putting a blog onto a shared server!
So you never know quite who you're sharing with…..
Some people, more knowledgeable than I, say that being on shared hosting means that you can “catch” an infection from a different blog on the same server if that blog owner isn't as careful as you have been.
Others, also more knowledgeable than I, say that this is extremely unlikely!
Make up your own mind who to believe.
Whichever is correct, it sounded plausible to me, so moving away from shared hosting seemed something I should consider and I wanted to move to a hosting company that took security as seriously as I do.
Choosing WordPress Hosting
I'd always hoped that one day I would be able to use Managed WordPress Hosting, but a cursory look at available options a few months ago suggested it was too expensive for me at that stage of my blogging career. (I have three current sites – after a mega-blitz of old projects that I did nothing with other than security updates.)
Then a blogging friend who read about my troubles suggested I look at Pressidium® Managed Hosting, because their service ticked all the boxes I was looking for.
- Strong WordPress security – my number one requirement (Update May 2016: one remaining hack was fixed fast and free)
- Excellent reliability and up-time (Update May 2016: I have had only 10 mins of outages over the last 30 days)
- Support – including answering WordPress questions
- Easy to manage interface – especially backup and restore functions
- Affordable managed hosting for 3 blogs
Cost Of Managed WordPress Hosting
OK – let's get the first big stumbling block for newbies or part-time bloggers out of the way.
Despite the undoubted benefits of managed WordPress Hosting, I had formed the impression that it was “Expensive”. And yes, of course it costs more than the shared hosting I was moving from – but see the section on value below, and my fears about shared hosting.
Here are the (February 2016) prices for WPEngine.com which is probably the first WordPress Managed Hosting company many bloggers think of:
So, ouch, my 3 blogs would cost me $87 – which is why I had dismissed the idea of managed WP hosting – until my friend introduced me to Pressidium.
Aside: For both WPEngine and Pressidium there are higher level plans than I have shown here (check their respective websites), but I'm pretty sure that most of my regular readers will fit comfortably into these plans – or you can ask for a custom plan.
Price Of Pressidium Managed WordPress Hosting
So, for less money than two WPEngine installations, Pressidium were offering me three installations – and I have 3 blogs. Good start!
I wondered what would happen if I had a sudden spike in traffic and exceeded the 30k visits a month and was reassured that this wouldn't be an automatic “excess” charge, as with some hosting companies. My account would be monitored and if it happened regularly, Pressidium would have a chat to discuss the best way forward.
For start-up bloggers there's also a micro plan for a single WP installation at $24.90 per month if you can fit into 10K visits/month and 5GB SSD space. Obviously upgrading your plan as your business grows is easy.
(NB Add VAT to prices where applicable. 60-day money back guarantee on monthly, but not annual plan.)
If none of these quite suit ask about the customized plan.
Still Worried About The Extra Cost?
Don't try and compare the price of Managed WP hosting to the price of shared hosting, compare it to the cost of a pizza meal out for the family!
My new WordPress hosting costs about the same per month as that.
Which would I prefer? A family pizza once per month or a stress-free blog? Given the HOURS I wasted fighting hackers, I'll happily skip a monthly pizza, to save time and stress blogging.
But don't think “cost” at all, think instead of the value of the extra services included:
- My previous hosting company suggested securing my blogs by adding a security scan plugin costing about $16 per month per blog. Pressidium hosting includes security scans
- It wasn't quite clear with the previous company whether that $16pcm was AFTER I paid for my blogs to be repaired and cleaned. Pressidium scanned and cleaned each of my 3 blogs free of charge as part of the installation process.
- Many hosting companies will only import one site free of charge – Pressidium migrated all 3 at no extra cost
- Got a WordPress question? Pressidium are WP experts and will answer questions that many hosting companies wouldn't want to know about from “Hey, my site is having issues“, to “Can you recommend a plugin for XYZ?“.
- Free SSL certificate and free CDN
I don't know how you value your own time… if you're lucky enough, like me, to still be working, compare their cost per month to your own hourly rate.
- How many hours would you work to earn that monthly hosting cost?
- How many hours have I wasted in February, and previous months/years, failing to fix my blog issues?
- How many hours do you waste in a typical month researching WP questions?
- Can you spend that time in your business in a more profitable way than WordPress trouble-shooting?
- If you only spent the extra time relaxing with the family, what would you pay for that extra time?
- Next time you have a tricky WP problem, just think…. you could have had a WP expert looking at it like I have now
For me, it was a no-brainer when considered like that, so I decided to take the plunge. However, an affordable price wasn't the only factor.
The Final Research Stage
Perhaps I should be telling you that I spent days researching prices and quizzing Managed WP Hosting gurus who know a zillion times more than I know. I didn't. It would quickly be obvious that they could baffle me with tech-speak in one minute flat.
Instead, I had a chat with my friend about his experiences and read up a lot on Pressidium's website, then I spent several hours getting my questions answered by Filip, one of the co-founders. When I had exhausted my own list of questions Adrienne Smith and Enstine Muki suggested others I hadn't thought of! Big thanks to them, as always. All our questions were answered to my satisfaction.
I was ready to press the “Join” button. But first there was a big problem to overcome…
Repairing My Hacked WordPress Blog
Once I realised how badly damaged my site was, it became obvious that before I moved anywhere else, it was essential to clear out the back-doors and damage in my blog.
I had been quoted several different prices for fixing my blog – no-one but Pressidium said they would do it free!
To cut yet another long story short, this blog was apparently one of the most badly damaged blogs they had ever had to deal with.
- It had passed several security scans by my existing hosting company
- To you and me it looked fine, even within the dashboard.
- It was only on inspection of my FTP account that I started to be suspicious, plus a warning from the hosting company that they later passed off as fixed – when I could see from the FTP that it clearly wasn't
- My own scan with a popular (premium) malware scanner didn't pick up the problem
Despite all this Pressidium took on the job.
With the repair and clean-up done, on their staging site, the move “proper” started, taking the sites one at a time. This one first.
Review of My Move To Managed WordPress Hosting
On Tuesday night my blog underwent major surgery, but in less than 24hrs it was live on its new home, fully repaired.
There was no perceptible down-time, because the site stayed live on the old hosting while it was repaired on the new. Then I checked the moved site on the new “staging” area, before agreeing it could go live.
Throughout the process I was kept informed of what was happening, and occasionally consulted about options.
When I'd run my first blog (this one, the worst hacked of the 3) for a few days I asked, on Friday evening, about migrating over the other two. Andrew said they were pretty busy and the migrations may not get done until the coming week, which wasn't a problem to me.
However, I went out for the day on Saturday and by the time I'd returned both sites were waiting for me to check over.
Being “me” it had to be done between the hours of 10pm and 1am Saturday night / Sunday morning, but Gianni was there backwards and forwards with answers and finally practical help with changing over the DNS.
Now all three sites are live – clean and safe. Phew.
Apparently migrating and cleaning my 3 sites, in total, took about 3-man-days…. which I can believe because I took a peek in some of the WP directories and noticed stuff that didn't look as if it should be there, but not being an expert I couldn't be sure and daren't fiddle.
So a big thanks to the Pressidium team and I will NOT be testing their 60-day money back guarantee!
What Snags Did I Hit?
Nothing goes 100% smoothly, so I was hit with a few problems. All but number (1) were resolved easily, and that isn't Pressidium's problem.
1) My biggest problem was that Pressidium don't include an email service, so I've had to set up my own emails. Zoho was their suggested “free email” supplier. This took quite a while to set up, because so much was new to me. However, Zoho rang me and set it up for me in the end, which was very helpful. I WAS warned about this up-front, and it's probably my lack of technical skills, but I hadn't realized how difficult I would find setting up the email service. Update May 2016: Although this was a pain to set up, it's worked perfectly since then.
2) Pressidium have a list of banned plugins and I was using some of them. Some were for image optimizing, caching, and of course all my WordPress security plugins. These were removed as the tasks are done better by Pressidium. Fine. Unfortunately one that I didn't realize had been uninstalled at first was my beloved Broken Link Checker. Andrew told me that it's a big no-no, because it performs database intensive operations that tie up infrastructure and slow your site down. It is not allowed on many premium managed WordPress platforms. Andrew suggested other tools instead, but I have to run them manually, whereas Broken Link Checker ran automatically and warned me by email. Pressidium aren't the only company to “ban” that plugin. Here are several ways to check for broken links. Update May 2016: The free tool Pressidium suggested (Link Checker) found old broken links that hadn't been picked up by the plugin I was using…. another improvement!
3) Pressidium don't support subfolder installs, so one of my other site's main URLs unfortunately would not work. As a workaround Andrew created a 301 rewrite-rule to give an SEO friendly redirect that was entirely transparent to my site's visitors.
4) I had three non-WP sites on my old hosting and they can't move to Pressidium. Sadly one of those had been hacked too – so I just cut my losses and deleted them all. Better focus for me!
What Improvements Have I Noticed?
The snags section appears to be longer than the improvements, but that's misleading, because the whole migration process was a delight in that I hardly had to get involved, other than to check my site out and give the “Go live”, after which….
- The first thing I noticed was better speed while creating a post. Before, when trying to find an image from the library it was a “make yourself a cup of coffee while you wait” type task. Now, they just zip into view.
- The whole posting experience seems faster, and some odd problems I used to have, occasionally losing posts, I haven't seen since my move.
- Support (see the co-founders on the right) has been prompt and friendly. I haven't had a really tricky WP problem yet, but from the answers I've had so far I'm confident Pressidium will protect me from many future technical problems.
- The hosting dashboard is easy to find my way round.
- Backups are done for me daily, and I can do instant ones too. It's easy to see them, which gives confidence that they're being done. (One very old hosting company I was with “forgot” to do backups for about three months, which in my innocence I only realised when my site was hacked and I asked them to recover from backup. Yet another lost blog.)
- Best of all – my blog is clean and protected. I certainly don't miss the scary emails telling me about “intrusion attacks” that I had no idea how to fix!
Of course, it's early days still, and I'll be monitoring “things” very closely, but so far I'm delighted with my move to Pressidium's Managed WordPress hosting. Learn more here (affiliate link). Update January 2017 – Still delighted!!
Update March 2019 – Free SSL Certificate
Well, here I am updating this post three years after I first wrote it and still loving Pressidium (affiliate link).
As a coincidence, just a couple of days ago I finally conceded that it was time to add an SSL certificate to my blogs. Pressidium support patiently walked me through the options with no pressure and showed me the most cost-effective route for my own set-up, which wasn't what I had originally understood.
It did mean a little extra monthly cost and I'll admit I wavered. Then I remembered the three years of trouble-free blogging and patient support, and it was a no-brainer to stay with Pressidium.
I knew nothing about SSL certificates except that not having one was causing me grief. So I put myself in the hands of 3 of the Pressidium support team – I had a lot of questions and indecision!
Within a very short time of confirming the “go” my sites were up and running with SSL certificates.