Date aired: March 28, 2018
In this webinar, you will learn how backups can complement your security strategy and why it shouldn’t be considered a replacement for having a website security solution.
Question #1: How many days does Sucuri Backups keep data for?
Answer: 90 days.
Question #2: Is auto-restore included?
Answer: Yes, we have a one-click restore option. You can read more here.
Question #3: Do all web hosts offer backups?
Answer: Not all hosts will necessarily have backups available for customers. I would encourage a conversation with your host.
Question #4: What if my site is hacked now? Can backups help me in the meantime?
Answer: Not necessarily as the existing backup you have may also carry the same backdoor that exploited your site in the first place. I’d be careful to ensure the site is cleaned and you have a pro-active layer in place.
Question #5: What type of software/tools would you use to backup manually, instead of depending on a vendor?
Answer: I would use something like FileZilla via SFTP.
See all Questions & Answers
ExpandName: Victor Santoyo – Title: Account Executive
Thank you, Val. As Val mentioned, we’re based out of Southern California today. If you know me, a little bit about me first for people who aren’t too familiar.
Basically … Sorry about that. Been with Sucuri for about three years, it’ll be coming up in April, so I’ve been with the company a long time. A bit more about me is that I have a two-year-old son whose birthday that, actually, coincides right along with that date. So April’s a big month. And I also speak Spanish. Based out of Miami, Florida, which is where I speak it predominately. But we’re out of, actually, Sucuri headquarters today, so if you do hear some noise in the background, it’s essentially our team working hard to make sure we keep your site safe. So if you hear it, don’t worry about it too much.
But in any events, what are we here to talk about today? Well, backups. Val touched on it a little bit, about preventing data loss. Wanna focus on a couple aspects about backups, so a lot of people understand the idea of … Even the manual process of doing so, uploading, downloading, or auto-restore functions, but I want to focus on more specific aspects of backups that people often either overlook or misunderstand. First, is why shouldn’t it be considered a replacement for your website security solution. Secondly, more importantly, how to properly deploy backups and as well as best practices that’ll help fit the mold of your website. What does your website need in terms of a proper backup strategy?
Now, there are a lot of tools online, plug-ins and stuff, that help automate a lot of this process, but just consider this webinar more of a guide in, maybe, highlighting some aspects of existing tools you might be using and, maybe, thinking back on whether those tools that you are using might be suiting the need. So first misconception, of course, is, “I don’t need website security because I have backups.” Well, that’s not necessarily true. When all else fails, and everything’s broken, and your site’s not available, sure, it brings your site back, but let’s be a bit more cautious about when we talk about if backups means security.
So let’s consider this: why shouldn’t backups act as my existing strategy? Well, as I just touched on, backups will absolutely revert your site content back and bring it back online, but it only brings it back online based on when the backup was last previously set. And depending on the frequency, there may be a gap in between, in terms of content that you might’ve lost and if you’re updating your site with a lot of content, that might mean a lot of content that you’ve lost as a result in that gap. Second aspect is simply, you bring your site back online, but it doesn’t actually fix the problem. It doesn’t keep the hackers from, maybe, identifying your website again and then going right back in to exploit whatever existing vulnerability was there in the first place. The site will still be bare, and we’re always going to recommend, of course, some kind of proactive layer or defensive strategy, like a web application firewall to ensure the site remains safe.
But in the moment, if you don’t have some kind of [inaudible 00:04:51] like that in place as it is, backups can help bring a site back online, but we’ve seen reinfections happen with ours. And of course, the last aspect of this is simply that sometimes backups may not work as intended. We had a case where a client came to us, and we had to help them remediate a lot of malware, but the main issues they were having is that they had originally a dedicated server that was commissioned by an older developer and the server that the developer had set up for them had pretty big stability issues. So the developer moved on [inaudible 00:05:31] had the different opportunity for them and the client was left trying to figure out what to do next.
Now part of the problems they were also facing: email wasn’t functioning properly. So the host wasn’t actually alerting them properly to some of the issues they were facing, and by the time that the client had been made aware of the issue, the hard drive failed. The server wasn’t responding at all. Now while they had some backups in place, set up in a certain way. Not all of the content from the website was there and, in fact, what was there, good percentage of it, also was corrupted.
Meaning that backups that were set up weren’t functioning and essentially, they lost everything because on top of everything else, the fact that they were set up on that same hard drive. So imagine you think you have a backup strategy in place, and it may be a band-aid while you look for a security solution, but then the backups fail, and you’ve lost all your content anyway.
Now with that, you also want to keep in mind that an example like this, where you may be in the process of, maybe, handing the reigns off to someone else or, maybe, managing the security or the management of your website as well, knowing what previous administrators or developers had in place. [inaudible 00:06:54] an example like the previous one, knowing what kind of issues the server was facing will be really important for you.
Another common issue that we’ve seen in the past, and was relayed to us from another website order was that another developer with a different client, also moving on, handed the complete reigns of their hosting account to the website owner. Now, the owner wasn’t necessarily very proficient or didn’t exactly know how to navigate their seed panel, and like that. But the fact was the responsibility was on them, but the website owner didn’t ask enough questions of the developer about what was already in place. They knew on their bill they were paying for backups through their host, so they assumed the backups were set up. And they faced a hack, and they were facing all kinds of issues, and the website owner thought, “Well, let me go fetch my previous backup while I figure out something else.” So they went to the host, but the host notified them, “Well, yeah, you have backups available, but they were never set up.” So the client gets upset, goes to the developer, and says, “Well, hey, what happened? I thought we had backups on our website?” And the developer them, “Well, yeah, you had it available, but never set up and I told you to go through your account.” And as a result, a lot of the content updates, a lot of configurations settings they had made over a course of about four to five months if I remember correctly, were lost, just gone.
So biggest thing here, especially, is don’t want you guys to feel like you’re left hanging. If you do end up in a situation like this, where an administrator or developer is moving on, and you need a transition when it comes to backups, and really, just about most things in general, know what they have in place, so you’re not caught off guard in a situation like this.
Now that we understand why backups won’t necessarily be a good replacement for security, or how to address incidents, how do you properly deploy backups? We’re going to go over a number of topics, and we’ll go a little bit more in-depth in each. Basically, these are going to be the things you’ll want to consider when you’re trying to identify a proper backup strategy for you. A: the frequency, how often those backups are running. The types of backups that you’ll have. There are different types of backups. It’s not a universal thing. Which files should you back up? Where will those backups be located, and along with that as well, the data that’s included in the file structure? And the last part, and it kind of goes back to the start of what we were just saying, making sure you consider talking to your host and provider about, A: their existing policies on backups and potential options that they may have of you.
So let’s touch on the frequency. First things first, is understanding the content you have driven on your website. If you generate a lot of content, then it’s really important to consider a backup solution that will update very frequently. You might have a daily set up, maybe every two days, every week. How often are you posting? The last thing you don’t want is that gap in between where you lose content unnecessarily because the frequency just wasn’t adjusted your needs.
Similarly, if you don’t update as often, make sure the backups match that. If you don’t want to have too much redundancy, then ratchet down the frequency on that as well. Consider the retention period. How far back do you need those backups? A lot of places do it for a month, 90 days, forever, but do you need that much history of your backup? Think about, even so, the history of your history. So do you need to establish baselines where you might have tested a different theme, or premium plug-in just to see how it functions? Maybe you want to, then set aside a backup right before you make that change so you can revert to something in the event that those changes go wrong.
And more importantly, how often are they checked? How often do you know that those backups actually succeeded? In some cases, backups can fail, so knowing how often you should be checking back wherever you have your backups set up, seeing the green check marks will be just as important.
Now we go into the types of backups. A lot of people, I think, have this understanding that when you backup your website, you’re backing up everything. Well, that is one way of doing it. That’s called a full backup. Your entire file structure, your entire database, and that gets backed up on top of each other, over and over. But we do two different types of backups as well, and different providers may implement a different way. For example, incremental backups. So incremental backups work this way: you set it up initially, and yes, it’s a full backup to start. But from there, incremental backups will then backup the files that have been changed or modified since that last backup. So then, after that, you’re backup interval then check for the next most recent changes and backup those specific files.
So it’ll do a couple things. Obviously, it’ll help save space. If you have 100 or 200 GB website, and if you’re going to set up daily backups, then backing up every day for 200 GB may not make sense if you don’t have that much space. Incremental backups might be something for you.
Differential backups work slightly differently. How that works, is that it’ll backup everything since the previous full backup. So let’s say in this case, maybe, you do a full backup every month. Differential backups will save everything from that date. Now from here, we have to understand, which files are worth backing up. Most people might consider, “Oh, well lets backup everything.” That seems like the most logical. But if you are running on a popular CMS platform like WordPress, Drupal, Magento, or the like, then really, you only need a copy of certain aspects of that file structure, that actually do change, like themes, and plug-ins, extensions, and the like. WordPress is a good example, popular. Really, all you’ll ever need to copy or backup of them is your WP content directory, your WP [inaudible 00:13:15] file, because, that’s really where the bulk of those changes are made. The rest of the files and folders that are part of the WordPress installation as a whole don’t typically need to be backed up because they’re readily available and don’t get touched.
Now be cautious, though. If you are one that’s making custom configurations or changes to that core, well then in those cases, backing up the entire installation would be absolutely pivotal. Of course, you see there at the bottom. It seems redundant, but backing up the backups as well will also be important. You just never really know when you may need them, and I’m going to go through on the next slide an example of where backing up those backups will also be important in certain situations.
So we know how often we should, maybe, backup, and, which files we should backup as well. Where does this happen? A lot of people have an understanding I’ve spoken to about backing up where your production environment sits. Backing up instead of a different directory or something. But realistically, you should isolate both things. Let’s consider the first story I mentioned where they had their backups set up on the production environment in their server, but that got completely corrupted, which then also completely squashed their existing backups that they had. So keeping them separate, whether it’s just different servers, or off-site through a cloud, or most storage may pale out at dividends when you face a crisis like that.
Using both physical and remote locations. So I just touched on using cloud storage. Some people might use DropBox. Some people might use a vendor that’d be utilizing their own cloud network, where the backups are stored. We do that, for example. But even understanding, having a physical copy of that on a external hard drive. Backing up your backups, both on cloud storage, and then backing that up on an external hard drive, may also be really fruitful for you.
Why would you do that? Well, suppose you’re somewhere where you just don’t have Internet access, and you need to access those files. If I have that hard drive, I can connect that into my desktop and then work within a [inaudible 00:15:29] or something, and then navigate my file structure from there. I at least have access to them from a physical mobile device that would allow me to get access to my files straight away.
Think about the data and where they can be accessed on these backups. A lot of times, people say, “Well, I work from my laptop. I’m the only person accessing my desktop, so I don’t have to worry about that.” But a lot of agencies might work out of an office. Might share access to cloud storage, like DropBox. Who has permission to access your directories if you have specific concerns about the data you’re backing up? GDPR is going to be something, as well, that you should consider with this. Where is that data being stored, so that you don’t run into fees or fines when you might break compliancy there.
So consider this, if you have personally identified information and data that gets backed up, make sure that’s somewhere where it’s going to be safe and secure. Don’t have that backed up, let’s say, on your home office where you might have kids going on to your computer, trying to play games, open up a file, open up a directory or something, and they have access to information they shouldn’t. That’s definitely something you don’t want to run into, as well.
Now as we wrap up, I also want to also talk about your host. Obviously, most people may consider the idea of, “Well, I can just go to my host. My host should take care of that.” Well, talk to them first. A lot of times, hosts do have backups available, but really it’s backups that suite their needs, and sometimes the backups that they may be able to offer you may take a few days, may take a while, they may not even be accessible to you. So first ask, are they available? Are they included within my fees? If not, how much are they? And then go through the list of questions that we’ve come to this point with your host about, well, okay, if it’s going to be a few dollars per site every month, then how often are they going to run? Where are they going to be stored? How am I going to access them? Is it going to be readily available within my dashboard? Or will I have to submit an inquiry with support and wait for office hours to get my backup back online?
Are there limitations for storage space? If you intend to use a backup solution, for example, that’ll be a full backup. Will I have enough space for those backups to live? Or do I need to consider something different? So you see all these questions keep circling back to the same point, which is having a full understanding of how often your backups need to run, and ultimately what your website needs in terms of what kind of content you have out there.
Now the only other thing I want to leave you with, in terms of, before we touch all of these points is also the ability for you to do that either automatically. So we talked about the frequency here, we touched on how often your content gets changed, the types of backups, whether it’s full or incremental, which is popular. Which files, if you’re using something like WordPress, there’s only going to be so many files you should back up. The location of them, which is whether you lean on a cloud storage or whether you decide to manually do it yourself. And talking to your host, do you have an option as well, to auto-restore? If you are going through your host, will they be able to simply click one button and then you’d be able to restore that right back into your hosting environment? Or will you need to download them locally and then upload them manually as well?
I think the only other point left when it comes to backups, and I know we’ve talked a bit about it to this point, is testing your backups. Knowing that they work is absolutely key, just simply because you know that they run at the frequency you need, they’re set up in a storage area that you feel confident in, does not necessarily mean that the backups work. Design a time and a plan to try and test a few files on a different computer, or from a different location, so you can test this plan before you actually need it, and then you’re not caught off guard when you face a moment that you thought everything was fine, but then the backups fail.
With that, hopefully, took away something from this webinar today, in terms of, at least, having a better understanding of the specific needs of your website and how backups may play a role. I’ll shoot this back to Val, and if you guys have any questions, I’d be happy to answer them.
See Full Transcript
ExpandIn the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.
Join us on April 5th as we cover the latest findings from our 2022 Hacked Website Threat Report. We’ll shed light on some of the most common tactics and techniques we saw within compromised website environments.
All software has bugs – but some bugs can lead to serious security vulnerabilities that can impact your website and traffic. In this webinar, we dive into the steps you can take to migrate risk from infection and virtually patch known vulnerabilities in your website’s environment.
The threat landscape is constantly shifting. As attackers continue to hone their tools and exploit new vulnerabilities, our team works diligently to identify and analyze threats posed to webmasters. Join us on July 6th as we cover the latest findings from our Hacked Website Threat Report for 2021.
In this webinar we will highlight the various activity, access, and error logs WordPress site administrators have at their fingertips. Plus, learn how logs can best be used to manage, troubleshoot, and most importantly, secure your sites.
In our latest webinar, we'll describe action items that can improve the security state of internet-connected devices we all use every day. These devices will include common household staples such as: WiFi Routers, iOS/Android devices, and personal computers.
Join us as we delve into the minds of hackers to explain targeted attacks, random attack, and SEO attacks. Find out why bad actors target websites.
A feature benefit guide for our agencies and end users. Why use our firewall? What kind of protection does it offer? How does it affect the efficiency and speed of my site? Will it affect my server's resources? Find out the answers to these questions and more in our webinar…..
Cross-site contamination happens when one hacked site infects other sites on a shared server. This webinar is for beginners and web professionals to understand cross-site contamination and how to prevent it…..
If you're considering security for your site or are new to our services, this webinar will guide you through Sucuri's simple setup processes. Potential notifications, support options for various scenarios, and ways that you can also work to keep your site malware-free will be discussed…..
Learn how you or your agency can account for security with your client projects. Presented by Sucuri Co-Founder, Dre Armeda, this webinar shows how you can get involved and help clients who are not aware of some of the security risks involved with managing a website…..