No matter what you do, at some point in time your website will go down. It’s inevitable. Perhaps your server will crash. Maybe your website will get hacked. Perhaps your database will get corrupted. Whatever it is, it is crucial that you be able to recover from these calamities as quickly as possible.
Our online store was recently hacked. While I’m still not 100% sure how they got in, I was able to recover from the attack in a very short period of time. Why? Because I was prepared.
Don’t kid yourself. Even if you are up to date with all of the security patches and you think your
code is robust, someone someday will break into your website if they want to. There are far too many exploits and patches to keep track of that any experienced hacker can and will take advantage of.
Adjust Your Attitude
The first thing you need to accept is that your website is not invulnerable to attack. By taking on the attitude that your website will get attacked at some point, 3 things immediately become obvious.
- You need to be able to detect that your website is down as soon as possible
- You need to be able to detect whether your website has been hacked
- You need to be able to diagnose and repair the problem quickly and efficiently to avoid downtime
Two things happened relatively recently that caused me to beef up my website recovery protocols. In one case, my database got corrupted because one of my machines went down. In another case, my online store got hacked. The hackers were pretty clever. They inserted hidden links in my php code that I would never have noticed unless I was paying attention.
After these events occurred, I immediately made several changes to combat these issues. Here’s what I did.
I Signed Up For A Site Monitor
You can’t always be around to tell if your website is running or not. For me, I would say that I’m in front of the computer monitoring my websites less than 10% of the day. The other 90% of the time, my sites could be down without my knowledge.
Fortunately, there are many services available that you can sign up for to monitor your website uptime. These services will ping your website at select intervals and then email you if your website is down. The service I use is called SiteUptime.com, but there are many other ones out there that I’m sure are equally as good.
The good news is that most of these services are free. If you require a more complicated uptime test protocol, you can usually pay a small monthly fee to gain the ability to perform more intricate monitoring tasks. For most people though, the free service is usually more than adequate.
I Set Up A CheckSum
Monitoring your site for downtime is all fine and dandy, but it will not be able to detect when you are hacked. These days, most websites are broken into through the use of php exploits or SQL injection vulnerabilities. Sometimes, hackers will gain access to your site because of weak ftp passwords as well. Whatever methods they use, your files will get altered or defaced in a non desirable fashion.
To help detect hacks, I’ve setup an hourly cron job that generates a checksum of my entire website. This checksum is a unique number that represents the contents of all of my web files. If any of the files are altered in any way shape or form, the checksum will no longer match. If the checksum does not match, I know that I’ve been hacked or someone has tried to alter my files.
Setting something up like this is extremely easy to do. All you need to do is to run the following unix command to generate your checksum
tar cf – /dir | md5sum
Once this initial checksum has been calculated, you then need to set up a script to run this command once per hour (or whatever interval is desired). This script calculates the checksum and then compares it to the known good generated checksum. If the checksums are different, then have the script email you letting you know that you’ve been hacked.
Setting all of this up takes just 20 minutes and could save you a ton of heartache if you are ever hacked. The absolute worst thing about getting hacked is that Google could flag your site as a malicious website which would flush your page and search rankings right down the drain.
I Set Up Automated Regular Backups
Discovering that you’ve been hacked is no good unless you can recover. That is why it is crucial to have a good backup handy to restore your website. Most websites these days are composed of both a website and a database backend. Both parts of the website need to be backed up regularly. For our online store, regularly means at least once a day and sometimes once every several hours.
You don’t have to store each and every backup permanently. You can create a circular buffer of backups such that you only keep the last 30 days worth in order to preserve disk space. Being the paranoid person that I am, I backup my stuff on the server itself, at home and at a remote location in case of a fire.
If I get hacked or my database gets corrupted, I’m usually alerted by email fairly quickly and I can usually have my website back up and running in a reasonable amount of time.
No matter what you do, any determined hacker can break into your server or website given enough time. Your web server hardware could also fail at any time and corrupt your database.
Especially if your website is mission critical to your business, you absolutely need to be able to recover quickly from any sort of downtime. At a bare minimum, you should implement the simple protocols described in this article. I’ve been caught off guard and with my pants down in the past. Learn from my mistakes!
- How To Automate Backups For Your Online Store And Why I’m An Idiot
- The Easiest Way To Start A Fully Featured Online Store Without The Headaches
- When To Upgrade From Shared Hosting And Why Unlimited Bandwidth Is A Lie
- The Best Way To Setup A Home Office Filesystem On The Cheap
- Why A Lack Of Server Diversification Cost My Business Thousands Of Dollars