Our aim is to bring to bear our decades of e-business operations experience in helping you learn how to maintain a WordPress website.
Maintenance – Concept
In simple terms, maintenance is the activity needed after the project design, build and commissioning stages to keep things in an optimal state. Examples of maintenance are changing the car engine oil and checking brake pad wear, cleaning pool filters and checking the chlorine level, and descaling the coffee machine.
Maintenance – Requirements
In the examples above the absence of maintenance will cause mechanical failure through wear and degradation, with potentially catastrophic impact. Moving parts, bearings, things which heat up and cool down, and the reasonably foreseeable impacts of workload and abuse all need to be considered when maintaining even the most basic machinery and systems.
Your WordPress website is no different: the server it runs on will have moving parts in its cooling systems and power supplies and, god forbid in today's SSD world, possibly even hard drives. However, this should be taken care of by your web host, who should not only do the maintenance but also provide redundant systems with guaranteed availability.
However, we will pause for thought on workload and abuse. Putting aside the upstream hardware, one of the easiest workload impacts to understand, and also one of the most overlooked, is file growth. On a very busy site with user-generated content, i.e. blogs and forums, files and databases can grow to an astronomical size very quickly, and on a shared server this will become a problem if not checked. System log files should automatically be compressed and routinely deleted at a pre-defined point. This is an example of a solution being implemented pro-actively to solve a problem before the catastrophic impact of the drive partition running out of space. Even in today's world of cloud-based, global content delivery networks (CDN), the end points are still virtual private servers (VPS) running web-hosting control systems within disk-quota-based drive partitions.
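As an added example of the compress-and-delete routine described above (not the article's own tooling; on a real host logrotate does this job), a size-based rotation that gzips an oversized log, ages out old archives and leaves the live file open for the web server; the size limit and the number of archives kept are assumptions.

```python
"""Size-based rotation for a web-server or WordPress log: an oversized log is
gzipped, older archives shift up, archives beyond `keep` are deleted.
Added example, not the article's code; the limit and keep count are assumptions."""
import gzip
import os
import shutil
import tempfile

def rotate_if_large(path, max_bytes, keep=5):
    """Return True if `path` was rotated. The live file is truncated in place
    (copytruncate style) rather than unlinked: a web server still holding it open
    would otherwise keep writing to an unlinked inode whose space is never freed."""
    if not os.path.isfile(path) or os.path.getsize(path) < max_bytes:
        return False
    # shift existing archives: .keep.gz is dropped, .N.gz becomes .N+1.gz
    for n in range(keep, 0, -1):
        src = f"{path}.{n}.gz"
        if not os.path.exists(src):
            continue
        if n == keep:
            os.remove(src)
        else:
            os.replace(src, f"{path}.{n + 1}.gz")
    with open(path, "rb") as live, gzip.open(f"{path}.1.gz", "wb") as archive:
        shutil.copyfileobj(live, archive)
    os.truncate(path, 0)
    return True

def archives(path):
    """Sorted names of the gzip archives that exist for `path`."""
    d, base = os.path.split(path)
    return sorted(n for n in os.listdir(d) if n.startswith(base + ".") and n.endswith(".gz"))

def demo():
    """Constructed run in a temp dir: one small write is left alone, then four
    oversized writes each trigger a rotation; returns (results, archives, live size)."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "access.log")
        results = []
        for lines in (10, 100, 100, 100, 100):
            with open(log, "ab") as f:
                f.write(b'203.0.113.7 - - "POST /wp-login.php HTTP/1.1" 200\n' * lines)
            results.append(rotate_if_large(log, max_bytes=1024, keep=2))
        return results, archives(log), os.path.getsize(log)

if __name__ == "__main__":
    print(demo())  # ([False, True, True, True, True], ['access.log.1.gz', 'access.log.2.gz'], 0)
```

As with logrotate's copytruncate, lines written between the copy and the truncate are lost; on a real host let logrotate do this and tell the web server to reopen its logs.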
Foreseeable Abuse and Misuse
In a modern world the concept of abuse and misuse is firmly focussed on hackers and spammers. These are individuals whose aim is to obtain various types of resources from your website and deploy them to their own advantage. This can range from gaining access to your email server to send unsolicited email, to adding your server to a network of zombie machines to participate in denial of service attacks and, of course, stealing all manner of sensitive information such as credit card details and personal data.
WordPress is based on a structure which is well understood, enabling maximum compatibility for template and plugin authors to create stunning, feature-rich websites. Unfortunately, this structure also enables hackers to understand where they need to check for potential exploit opportunities.
There are many ways this can be done, and the pooled knowledge and devastating capability of the hacker community is vast. However, the risk of being hacked can be mitigated with simple, regular maintenance.
Brute Force – Access attacks
If hackers gain access to your website file system or your WordPress admin panel they can do serious damage. Unfortunately, if we are not pro-active it is just a matter of time. Bots will find websites with the resources they need and fire usernames and passwords at the login scripts in very quick succession; this is known as a brute force attack.
To protect our site we need to do two things. We need to put what services we can out of reach or behind a firewall, and we need to routinely change passwords. We also need to give some thought to the next level of protection if a password is breached: limiting the number of sites which can be accessed via the same username and password.
Spam – posting attacks
Labelling the posting of spam as an attack may seem a bit extreme. After all, we can set our WordPress preferences to ensure posts and comments are queued for moderation and manually approved before becoming visible. However, putting aside reputation risks, when you break it down spam will cause catastrophic failure.
The aim of the spammer is generally to promote their own products and services. This can take the form of affiliate links where commission is paid if a customer buys, but it can also be links to sites with unscrupulous owners selling controlled or prescription drugs and stolen electronic/downloadable products.
Your WordPress comment system is a good place to do this, as there is a large text field to fill with information and even a website URL field to point prospective customers to their product pages. Due to the predictability of the WordPress system structure, spammers will just fire structured HTTP POSTs at your site in the form of simple text strings, effectively mimicking the action of the comment form's submit button. This means comment posting can be automated and potentially very fast indeed, so logging in to find several thousand comments queued for moderation is to be expected. Mass deletion risks loss of real comments, it can take an inordinate amount of time to manage, and the system resources consumed by the act of posting them, in terms of network bandwidth and storage, can be damaging.
To protect our site we need to stop the comments from being posted and, ideally, identify spammers and stop them in their tracks before they can do any damage.
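The brute force bursts against the login script described in the previous section and the automated comment POSTs described here leave the same fingerprint in the web server access log: many POSTs to one endpoint from one address in a short time. As an added example (not code from the original article), a script that flags both; the log lines are constructed, the thresholds and window are assumptions, and the endpoint paths wp-login.php and wp-comments-post.php are WordPress's standard ones.

```python
"""Flag bursts of automated POSTs to the WordPress login and comment endpoints
in an access log. Added example: constructed log lines, assumed thresholds."""
import re
from datetime import datetime, timedelta
# endpoint -> (label, POSTs from one IP inside WINDOW that count as a burst)
WATCHED = {"/wp-login.php": ("brute-force", 4),
           "/wp-comments-post.php": ("comment-spam", 3)}
WINDOW = timedelta(minutes=1)
# Apache/nginx "combined" format: client IP, timestamp, request line, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+?)(?:\?\S*)? HTTP/[\d.]+" (\d{3})')

def parse_line(line):
    """Return (ip, datetime, method, path) or None; the query string is dropped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path

def find_bursts(lines):
    """Return {(ip, label): peak count} for IPs whose POSTs to a watched endpoint
    reach its threshold inside any WINDOW-long interval (sliding window)."""
    events = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in WATCHED:
            events.setdefault((rec[0], rec[3]), []).append(rec[1])
    flagged = {}
    for (ip, path), times in events.items():
        label, threshold = WATCHED[path]
        times.sort()
        start = peak = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[(ip, label)] = peak
    return flagged
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
203.0.113.7 - - [12/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2048
198.51.100.4 - - [12/Mar/2024:10:01:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
198.51.100.4 - - [12/Mar/2024:10:01:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
198.51.100.4 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-comments-post.php?x=1 HTTP/1.1" 302 0
192.0.2.10 - - [12/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096
"""
```

Flagged addresses are candidates for a firewall or login-limiting rule, not proof on their own; a shared NAT address can look like a burst.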
Compromised – WordPress Plugins
The way plugins work within the WordPress structure is also well known, and hackers obviously have the opportunity to build a site and install plugins with a view to identifying potential exploits. Plugin authors are usually on the look-out for exploits, and if any are reported they usually respond by publishing an update which includes a patch or fix. Plugin authors are also continuously updating their code with a view to capitalising on new PHP or MySQL features, aiming to improve performance and security. To protect our site we need to ensure the latest version of the plugin is installed and kept up to date at all times.