WordPress Security and Backups

One of the most important elements in running a CMS website such as WordPress is security and backups. There are thousands of attacks on WordPress sites across the world and that number (which is already large) is not going to get smaller. It does not matter what your CMS website is about or who you are, it will be attacked.

This brings me to WordPress security and backups.

Risk of Getting Hacked is High

Say “WordPress” and like a swarm of parasites, hackers will head to your CMS website in droves.

How can I say that? Because I have seen it first-hand.

I build and secure websites for a living. One of my clients came to me because his WordPress site got hacked. His website host shut down his website because it contained malicious viruses and code.

Inspecting the damage, what did I find?

The hacker inserted over 8000 HTML pages in the root folder and each one contained malicious code. The hacker also corrupted several WordPress PHP (core and working) files with more malicious code. That was not all, and here is the catch.

The hacker apparently had access to the file structure of the WordPress site for over a month and no one knew, not even the website host. According to the file dates, the hacker corrupted the PHP files before dumping his 8000 HTML files into the root folder.

Website Backups

The website host did “regular backups” and, since the website content changed a lot over the month, the backups that were more than a month old were outdated. The backups for the past 30 days were also corrupted because the website hosting backup system saved the corrupted files during the backup process. Hence all backups by the host were useless, because restoring one of those corrupted backups would only have put the hacker’s work back in place.

As a result, I had to do a complete “manual” re-install of WordPress (the worst scenario that can happen is a required deletion of the entire site and a complete new re-install, but that did not happen in this case). The manual re-install replaced all core WordPress files with the originals. This did not cover the plugins; those also required complete deletion (including the folders) and re-install to remove any hidden malicious code. So yes, any custom settings in these files also had to be redone. Images were not affected, as the image file dates showed they were the originals.

I manually removed all corrupted HTML files (yep, all 8000) and ran several scans for more hidden malicious code. Once the site was clean, I made backups of the clean website files, returning the website to its original form. The work did not stop there. I worked to secure the website and created backups along the way. With each new backup, I deleted the previous one. Backups are necessary if something goes horribly wrong; at least I have the last finished point to work from instead of having to do the entire thing from scratch again.

Why did I tell you all this? To show you that repairing a hacked WordPress site is not easy. It’s a lot of work, it takes a lot of time and, most of all, you have to know what you are doing, because cleaning out the hacker’s work requires PHP knowledge, JavaScript & jQuery knowledge and SQL (database) knowledge. It’s not a simple task of just replacing WordPress files. You must know what you are reading when viewing the source code of files.

So here are my suggestions to avert this catastrophe.

Do Not Involve The Website Host.

Website hosts can be hacked, even with their wonderful security. Backups made by them are not 100% reliable and, since their scans don’t seem to pick up corrupted backups (as was the case here), the work to secure and back up your site lies 100% on your shoulders.

Don’t depend on paid security offered by web hosts or 3rd party services. Remember, they are working on a volume customer base, and if they have a lot of customers strewn across the world, you’re but a small number, and most small-number clients do not get top-of-the-line service. Why? Because for web hosts and 3rd party services it is time consuming and expensive to provide top-line service to a huge volume of customers who get hacked. A lot of their work to return your site is based on the quickest recovery possible: less time, less cost, lower overhead. This means they rely heavily on backups and automated scans. I know how dependable that is when left to other service providers.

Since the web host’s own security scans did not detect the intruder for over a month, and their security is supposed to be top of the line, where do you fit with these 3rd party security services that claim to make backups and recover your website if hacked?

If you want 100% security and reliability, do the backup yourself on a regular basis. Always monitor your site. When you post content, make sure you have a single backup of each post or page right after you finish the last edits, and this is apart from a global backup of the entire site.

If you were to depend on the web host backups, losing the website is pretty much guaranteed, and having your web hosting company do the fix is another headache that will cost you a lot of money.

The best time to start doing backups is the first time you install WordPress on your website host’s servers. From the beginning to the final product, back up along the way, then back up again at the completion of the final stage. Make sure you know what each backup can do, so include the necessary information in the name of the backup without making the file name too long.

Save your backups on your own archive drive, not on some Cloud storage, as those can be hacked as well. Don’t save a backup on your active computer, because if that collapses you can lose everything, including the backups.

For the majority of WordPress sites, even eCommerce ones, the backups can be saved to a DVD-RW disc, which is a re-writable DVD disc. But whether it is a DVD disc, a flash (thumb) drive or an external storage drive, save the backup to your own location.

Types of Backups

There are several types of backups and not all of them will completely restore your website.

Content and Images Only

These are content-only backups (no images). It’s not your WordPress structure, nor is it the database which WordPress needs to operate. It’s usually a file that ends in an “XML” extension and only contains the text of your posts and pages. I don’t think you will see many of these anymore.

Database backup

A database backup contains the database files of your WordPress site, including the content and images. It does not include the core WordPress files that present WordPress to the public.

Here is an important note about backing up your database. Export it with the “sql” extension, NOT as a zipped version, and save it. This is because some web hosts do not support other types of backup extensions for MySQL databases, and some of their SQL databases will not support importing “ZIPPED” or compressed versions of the database backup. The basic “sql” extension is pretty standard and works with most of them.

WordPress Core File Structure Backup

A WordPress file structure backup is not the database or the content. It’s the core files of WordPress that build and present WordPress to the public, which includes the theme and image files. The content and image locations (URLs) are held in the database, not inside the WordPress file structure.

Complete Backup

Lastly, there is a complete backup: the WordPress file structure, content, images and database files, which is everything.

To restore your content only, the first backup is sufficient. If your database was corrupted, then the database backup is required. If the core WordPress structure files were corrupted, then you require a complete re-install of WordPress, unless you know exactly which files need replacing, in which case just replace those core files. Once you do, re-install any core file updates, which are found in the Dashboard of the WordPress Admin area.

You may be able to reinstall your WordPress version through the dashboard, but if for some reason that reinstall did not fix the corruption, it is best to manually re-install WordPress and include the database from a clean backup. Why manual? Because the reinstall button in the WordPress Admin Dashboard operates via a PHP script. If the hacker corrupted that script, then you cannot reinstall WordPress properly, if at all. A manual install bypasses all scripts: you are physically saving clean versions of the WordPress files over the older ones. That overwrites all WordPress files and removes any hidden corruptions.

Hackers cannot control a manual reinstall unless they completely blocked your access to your web hosting account, but that is another problem.

Automated or Manual Backups?

WordPress offers a huge number of free plugins to perform backups for you. If you know how to manually back up WordPress and its database, that is the best of all because it’s guaranteed correct, but using a plugin is not bad either and it’s more automated.

There are some really good plugins out there; do some research and read reviews. Ensure the plugin can back up the entire WordPress site, which is the entire WordPress file structure and database. This means a restore will be complete. Save the backup to your own backup drive and/or to a DVD disc.

Most of all, install a security scan plugin that will scan the entire WordPress site and all its files for malicious code. This is important because if the web host gets hacked, you won’t know in time, and any backup they make can end up corrupted as well. So scanning your entire website is crucial BEFORE you do each backup.

Now, depending on the plugin, you will likely need some understanding of how to handle scan alerts when a file is corrupted or marked as a problem (like the file content having changed, but with good code). Just because a file has changed does not mean it’s bad, as updates do change files, and some security scans use original WordPress files as templates to match against current ones, and current ones (updated versions) may not match. You need to know, or have someone who knows, how to identify good changes to WordPress files vs bad ones.
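The “scan before each backup” idea above can be made concrete: record a hash manifest of the file tree at the moment you take a clean backup, then compare the live site against that manifest before the next backup. Anything modified, missing or added shows up, and HTML files dumped straight into the web root (as in the incident described earlier) are flagged separately. This is an added example, not a plugin or code from the original post; it builds a small constructed site in a temporary directory to demonstrate itself, and the file names used are made up.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path):
    """SHA-256 of one file, read in chunks so large uploads don't exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its hash; store this beside the clean backup."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_sha256(p) for p in root.rglob("*") if p.is_file()}


def diff_against_manifest(root, manifest):
    """Compare the live tree with the manifest taken at the last clean backup."""
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    added = sorted(k for k in current if k not in manifest)
    # .html files appearing directly in the web root are not part of a normal install;
    # a legitimate core/plugin update changes files under wp-includes/, wp-admin/, wp-content/
    stray_html = [k for k in added if "/" not in k and k.lower().endswith((".html", ".htm"))]
    return {"modified": modified, "missing": missing, "added": added, "stray_html": stray_html}


def demo():
    """Constructed sample: a tiny 'clean' site, then changes a scan should catch."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "wp-includes").mkdir()
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-includes" / "functions.php").write_text("<?php function wp_clean() {}\n")
        baseline = build_manifest(site)  # taken at clean-backup time
        # Later: one core file altered, three unexpected pages dropped in the root
        (site / "wp-includes" / "functions.php").write_text("<?php function wp_clean() {} // changed\n")
        for i in range(3):
            (site / f"page{i}.html").write_text("<html>unexpected</html>\n")
        return diff_against_manifest(site, baseline)


if __name__ == "__main__":
    print(demo())
```

A flagged core file is not automatically bad (a WordPress update changes it too); the manifest tells you which files to inspect, not whether they are malicious, so re-create the manifest right after each verified clean update or backup.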

Update – Update – Update

Lastly, make sure your WordPress site, all plugins and themes are up to date. Never be lazy with this, because hackers depend on you being lazy or not caring. That’s usually how they get in: a plugin, theme or WordPress core file is outdated and carries security holes.

The same goes for old plugins that end up out of date because the plugin author no longer supports them. That will not only break your WordPress site, but open the door to hackers. Plugins that are not compatible and not regularly updated should be removed and/or replaced. If you pay someone to maintain your site, go in and check once in a while to ensure all is working well. I have found that some website managers or designers are not good (not skilled, not trained and not knowledgeable at all for their work) and you’re paying for shoddy work.

Other CMS Websites

The practices here also apply to other CMS websites such as Joomla, Drupal, etc. They are also targets for hackers, and what I spoke of here for WordPress also fits other CMS structures, but so far WordPress has been the best one at keeping up with the rapid changes that are occurring over the Internet.

Have a safe CMS Site!