Am I secure enough from a hack?

Hi guys, I'm just about to launch on Monday and this is my number 1 concern! I would hate to get hacked. I use a private server so I'm not on shared hosting, I have pretty good passwords I think and I have WP secure installed with all of the default settings including login lockdown after 5 false password attempts.

I back up using the S3 backup plugin. This backs up:

- Config file
- Database dump
- Themes folder
- Plugins folder
- Uploaded content

Do I need to back anything else up, and could my host back up from these files that S3 backup takes, or do I need to do a full backup through cPanel?

Any ideas, as I want to be as safe as I can be. My one concern was the 'group docs' plugin I use. I have it set to only enable PDF, TXT and Word docs. Could anything malicious be uploaded and executed this way?

Thanks so much,
Ross :slight_smile:

  • drmike

    Gotta agree with Aaron. No backup should be done via PHP. PHP almost always has low limits on the size of files it can use.

    The 5 password attempts is a good safety value. Just make sure that 1) you leave folks a way to contact you if they have a problem logging in and 2) after the first attempt, you run down a laundry list of common reasons why they may be logging in incorrectly. This includes:

    - Instead of using their username, they're trying to log in with their email address, full name, first and/or last name, etc.

    - The Caps Lock is turned on. That's usually the cause, especially since you can't see what you're trying for a password.

    - They didn't complete their signup process and verify their email address.

    - They're at the wrong site. You have no idea how many times we had folks trying to log into wp.com thinking they were trying to log into their site hosted elsewhere. :slight_smile:

    Oh, and using the word "should" when talking about backups shouldn't be. When was the last time you grabbed a backup, uncompressed it and checked to see if the files are valid and complete? I pay for my backups as well (well, service contract; I own the hardware though) and I'm still checking randomly every day. And yes, I've caught empty and corrupt files in there. (One of the reasons why we do server backups as well as account ones.)

    As to permissions, the number is only about a third of the question. What specific OS and server software are you running? Without knowing that, there's really no way to answer that question.

  • rossagrant

    Cheers Mike, I'll look into my server for version and software.
    Just been looking at backup options in cpanel and in backup I noticed this message:

    'A Full Backup will allow you to create an archive of all the files and configurations on your website. You can only use this to move your account to another server, or to keep a local copy of your files. You cannot restore Full Backups through your cPanel interface.'

    So I take it that this is no good if, say, I got hacked and wanted to restore.
    It gives me an option for partial backups, such as just the DB, too.

    So what should I back up and how is best? A cron job etc?

  • Barry

    @rossagrant - I have a cron set up to back up my databases to S3 and tend to keep 3 months' worth of them there (it still only costs me less than $5 a month for that). There are a few Ruby-based S3 sync scripts available that could probably handle images / files as well, but I prefer just to snapshot the lot.

    I always point people to this, now quite old, post - but it's the base setup I used for over a year:
    http://paulstamatiou.com/how-to-bulletproof-server-backups-with-amazon-s3
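A cron-driven database backup to S3 of the kind Barry describes, with the "uncompress it and check it" step drmike asks for done before anything is uploaded. This is an added example, not a script from either poster or from the linked post; the database name, bucket, key prefix, working directory and the use of ~/.my.cnf for credentials are assumptions.

```shell
#!/usr/bin/env bash
# Nightly WordPress database backup to S3, verified before upload.
# Assumed cron entry:  30 3 * * * /usr/local/bin/wp-db-to-s3.sh run
# DB credentials are read by mysqldump from ~/.my.cnf (assumed), so they
# never appear on the command line, in `ps` output or in cron mail.
set -eu

DB_NAME="${DB_NAME:-wordpress}"             # assumed database name
S3_BUCKET="${S3_BUCKET:-example-backups}"   # placeholder bucket name
S3_PREFIX="${S3_PREFIX:-wp/db}"             # assumed key prefix
WORK_DIR="${WORK_DIR:-/var/backups/wp}"     # assumed local scratch dir

# One object per day, e.g. wp/db/2024-01-31/wordpress-2024-01-31.sql.gz
s3_key() {  # $1=db name, $2=date (YYYY-MM-DD)
    printf '%s/%s/%s-%s.sql.gz' "$S3_PREFIX" "$2" "$1" "$2"
}

# The "open it and check" step: refuse to ship a dump that is empty,
# corrupt, or contains no table definitions. Returns 0 only if it passes.
verify_dump() {  # $1=path to .sql.gz
    local f="$1"
    [ -s "$f" ] || return 1                               # zero-byte file
    gzip -t "$f" 2>/dev/null || return 1                  # not a valid gzip
    gzip -dc "$f" | grep -q 'CREATE TABLE' || return 1    # no schema inside
    return 0
}

main() {
    local day sql gz key
    day=$(date +%F)
    umask 077                       # dump readable by this user only
    mkdir -p "$WORK_DIR"
    sql="$WORK_DIR/$DB_NAME-$day.sql"
    gz="$sql.gz"
    # Dump to a file first: if mysqldump fails, set -e stops the script
    # instead of a pipe quietly producing a truncated but valid gzip.
    mysqldump --single-transaction --routines --triggers "$DB_NAME" > "$sql"
    gzip -f "$sql"
    verify_dump "$gz" || { echo "backup verification failed: $gz" >&2; exit 1; }
    key=$(s3_key "$DB_NAME" "$day")
    # Encrypt at rest server-side; keep 3 months by a bucket lifecycle rule
    # (expire objects under the prefix after 90 days) rather than in this script.
    aws s3 cp --only-show-errors --sse AES256 "$gz" "s3://$S3_BUCKET/$key"
    rm -f "$gz"
    echo "uploaded s3://$S3_BUCKET/$key"
}

# Cron calls the script with "run"; sourcing it without arguments does nothing.
if [ "${1:-}" = "run" ]; then main; fi
```

Restore-testing the uploaded object into a scratch database on a schedule is the remaining check; a dump that passes verify_dump is restorable in form, not proven complete.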