Your backups are worthless

Last week, we discussed that business owners do a good job of protecting their business assets – except for work-in-process and data. While I could one-off any number of work-in-process situations, doing that in a vacuum isn’t particularly effective. I can, however, cover some common steps for making backups of your data that anyone can work from.

Backups don’t matter if…

Backups don’t matter if you can’t restore from them. That’s what makes them worthless. I once encountered a financial services client whose backup tape had not been written to for over five months. Meaning: They couldn’t have recovered any of the contracts, loan documents and other paperwork that had been processed for at least five months. Even worse, the tape was bad, so even the five-month-old backups were unusable. Their financial / account data was housed off-site, so it was not at risk. Even so, having no backups of those files could have put them at serious risk if a hardware failure occurred.

The take home: It’s important to check your backups to make sure they succeeded and to attempt a practice recovery on those files on a regular basis. If you can’t restore a backup, the time taken to make the backup is wasted and your business data is unprotected.

Don’t forget your website

While the next portion of this pertains specifically to WordPress, the steps and justification for the steps I’m about to recommend also apply to other web-based content systems – such as Drupal, Wix, Joomla, etc. These systems are popular because they allow you to build and maintain a nice site without an expensive custom programming job. According to research done by non-WordPress researchers, WordPress is used on 27% of web sites.

In February 2017, a WordPress bug related to its new REST API was fixed and the fix was rolled out. While WordPress fixed the bug quickly, it waited only a week after the fix was available before publicly revealing the details of the most severe part of the bug. Whether the reason for it was legitimate or not, any delay in updating WordPress left a site that uses it exposed to this hack. Within hours of that disclosure, the volume of hack attempts using this bug escalated into the millions over a few days. From Feb 6th through Feb 10th, over a million WordPress sites were defaced. Fortunately, the defacing was easy to reverse.

While the flaw was in WordPress itself, it’s a painful reminder to keep your WordPress-based site updated. You can tell WordPress to auto-update itself, as well as themes and plugins. Despite the availability of auto-update functionality, only 37% of the many millions of WordPress sites are up to date, according to data published by WordPress.org.

In addition, replace or remove plugins that aren’t updated and tested regularly. Many once-popular plugins are no longer maintained. They may continue to work, but any security vulnerabilities in the plugin(s) won’t get fixed. Any security problems will be there until you stop using the plugin. Bottom line – Not worth the risk.

Finally, protect yourself against the cretins who do this kind of stuff. I recommend a combination of the free Sucuri security plugin and the paid Wordfence plugin. The latter provides a flexible set of tools to block people from your site – including the ability to block users by country. If your business has no need to interact with folks from countries known to harbor hackers, then you can prevent most access by people in those countries. “Most” because IP-based geolocation technology is dependable, but not 100% perfect.

Automated and off-site

As with most things of this nature, I suggest automation. There are a number of tools you can use to automate backups for your website, whether or not the site uses a content management system like WordPress. There’s no reason to make this yet another manual task you have to do each day. As I noted above, backups are worthless if you can’t restore from them. Be sure to test your ability to restore from the backups you’re taking.
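One way to automate that restore test, as an added example that is not from the original post: it flags a backup that has stopped being written (the five-month-old tape), one that cannot be read (the bad tape), and restored files that differ from what was backed up. The function names, the `.tar.gz` format and the one-day age limit are assumptions made for illustration.

```python
import hashlib, os, tarfile, tempfile, time, zlib

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, archive_path):
    """Archive src_dir; return {relative path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest

def verify_backup(archive_path, manifest, max_age_days=1, now=None):
    """Trial restore into a scratch directory; an empty list means it passed."""
    problems = []
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(archive_path)) / 86400
    if age_days > max_age_days:  # the backup job has silently stopped running
        problems.append(f"stale: last written {age_days:.0f} days ago")
    # Use the safe extraction filter on Python versions that provide it.
    extract_args = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(restore_dir, **extract_args)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return problems + [f"unreadable: {exc}"]  # bad media or damaged file
        for rel, digest in manifest.items():
            restored = os.path.join(restore_dir, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"changed: {rel}")
    return problems

if __name__ == "__main__":  # constructed sample data
    with tempfile.TemporaryDirectory() as d:
        src, archive = os.path.join(d, "site"), os.path.join(d, "site.tar.gz")
        os.mkdir(src)
        with open(os.path.join(src, "contract.txt"), "w") as f:
            f.write("constructed sample document\n")
        print(verify_backup(archive, make_backup(src, archive)) or "restore OK")
```

Run the check on a schedule against the copy you would actually restore from, and have it alert someone whenever the returned list is not empty.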

Last but not least, take a copy of the data off-site or use an online service. If your building burns, backup media that was sitting on the computer won’t help you recover. Dealing with fire or theft is tough. Losing your business data only makes it worse.