It seems like almost every other day I’m reminded why our tagline “web developers that don’t suck” came about in the first place.
Recently we took over a business’ website that had been hacked. Their business relied extremely heavily on AdWords (90%), and because of the malware, Google had suspended their ads. Overnight they went from phones ringing to not at all.
We didn’t have a clean backup, so it was a manual malware removal process. This freaking sucks, especially when we are talking around 400 hacked files.
As part of the process we had a look around to see how the site could have been hacked.
One of the most common reasons sites get hacked is because of plugins or WordPress itself being out of date. Many updates are created to patch security holes. This is why it is incredibly important to keep your sites up to date.
On first glance it looked like there were no updates available. Good sign right? Looking closer, the WordPress version was waaaaay old. But why wasn’t it saying there were updates?
Turns out someone had added a plugin called “Disable all updates”…
The name says it all really.
Why anyone would want to do this is beyond me.
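One way to catch this without trusting the dashboard, as an added example (not code from the site in this story): the Python script below reads the installed core version from disk and lists anything that hides or blocks updates. The constants and filter names are WordPress's own; the sample site tree, its version number and the plugin folder names are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Filters a plugin can hook to hide update notices or stop automatic updates.
UPDATE_HOOKS = (
    "pre_site_transient_update_core",
    "pre_site_transient_update_plugins",
    "pre_site_transient_update_themes",
    "automatic_updater_disabled",
    "auto_update_core",
)
DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*([^)]+?)\s*\)")
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
HOOK_RE = re.compile(r"add_filter\(\s*['\"](" + "|".join(UPDATE_HOOKS) + r")['\"]")


def installed_version(wp_root):
    """Read the core version from disk instead of trusting the dashboard."""
    text = (Path(wp_root) / "wp-includes" / "version.php").read_text(errors="replace")
    match = VERSION_RE.search(text)
    return match.group(1) if match else None


def find_update_suppression(wp_root):
    """Return (file, reason) pairs for anything that hides or blocks updates."""
    root = Path(wp_root)
    findings = []
    config = root / "wp-config.php"
    if config.is_file():
        for name, value in DEFINE_RE.findall(config.read_text(errors="replace")):
            value = value.strip("'\" ").lower()
            blocks = (name == "WP_AUTO_UPDATE_CORE" and value == "false") or (
                name in ("AUTOMATIC_UPDATER_DISABLED", "DISALLOW_FILE_MODS") and value == "true")
            if blocks:
                findings.append(("wp-config.php", f"{name} = {value}"))
    for folder in ("wp-content/plugins", "wp-content/mu-plugins"):
        if not (root / folder).is_dir():
            continue
        for php in sorted((root / folder).rglob("*.php")):
            for hook in sorted(set(HOOK_RE.findall(php.read_text(errors="replace")))):
                findings.append((php.relative_to(root).as_posix(), f"hooks {hook}"))
    return findings


def build_sample_site(root):
    """Constructed sample tree: old core, updates hidden by wp-config and a plugin."""
    root = Path(root)
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '4.0.1';\n",
        "wp-config.php": "<?php\ndefine( 'AUTOMATIC_UPDATER_DISABLED', true );\n"
                         "define('WP_DEBUG', false);\n",
        "wp-content/plugins/hide-updates-sample/plugin.php":
            "<?php\n/* Plugin Name: Hide Updates (constructed sample) */\n"
            "add_filter( 'pre_site_transient_update_core', '__return_null' );\n"
            "add_filter('auto_update_core', '__return_false');\n",
        "wp-content/plugins/contact-form-sample/form.php":
            "<?php\nadd_filter('the_content', 'sample_callback');\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        print("core version on disk:", installed_version(site))
        for where, why in find_update_suppression(site):
            print(f"{where}: {why}")
```

Compare the version it reports with the current WordPress release, and treat every finding as something to explain before you believe a "no updates available" screen.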
I remember talking to a fairly highly regarded local web developer once who said something like this:
“We found this awesome plugin which hides all the updates from the client so they don’t worry about updates!”
This was said like it was a great addition to their business.
I’m so sick of this kind of thing. It is 100% NOT ok for people who call themselves developers to operate like this.
This client went from a thriving business to going almost out of business overnight. All because of a dodgy web developer handling their business website.
(Relying on a single channel of traffic also isn’t great, but not the topic of this post)
And that ladies and gentlemen brings me to the end of this rant.
“Which hosting company should I use?”
“My website is super slow and I need a new host”
“Can I spend $4 a month and get a good host?”
Site speed is absolutely critical in attracting people to your site and more importantly – keeping them there.
It is no secret that Google favours faster websites. On average, for every extra second your website takes to load, you’ll lose 7% of your visitors: people who will go out in search of another company with a website that loads quickly.
Those two things should be enough to convince you.
The most important part of a fast website is choosing a good host. Even if you have the most optimised site on the planet, if it lives on a crappy server, it will take forever to load.
We’ve been through a ton of different hosting companies in our time building websites. We’ve seen hosts that are lightning fast through to some that are dog slow – with similar price points. Today I’m going to share which hosts we’ve settled on. Bear in mind there are plenty of good hosts out there, and just because I don’t mention one here, it doesn’t mean they aren’t good. These are just the ones we put all our clients on to.
Let’s get to it then.
What kind of host
If you haven’t already noticed, there are a lot of techie words thrown around in the hosting world. Shared hosting, VPS, managed hosting, WordPress hosting… blah blah blah.
Let’s start with a quick intro of the three most common.
Shared hosting means that your website will live on the same physical server (just a big computer) as a ton of other websites. It’s cheap, dirty and a great way to get started.
Some people will crap all over shared hosting and say if you are a serious business, you shouldn’t use shared hosting. Most of the time, that is total BS.
Unless you are expecting tens of thousands of views on your website per month, there are plenty of shared hosts that will work for you at a very affordable price point.
The downside is occasionally you might get lumped on a server with other crappy websites that ruin the party for everyone, and may impact your performance. This isn’t so common any more as hosts get better at managing this. But it still can be a worry.
VPS means Virtual Private Server. All you need to know is that it means you get dedicated processing power for your website. You get a lot more control over what you (or your tech guy) can do.
“VPS hosting” as a term is pretty broad. You can have very barebones hosts like Amazon Web Services (AWS) where you need a techie to do everything for you (cheap), fully managed hosts where they give you access to a support team to help you out (more expensive), and everything in between.
If you’re not a techie or don’t have someone dedicated to making things run smoothly, stay away from unmanaged VPS like AWS. It’s not worth the headache when something goes wrong.
In the last few years a whole new segment of hosting has popped up called Managed WordPress hosting. This generally means they’ll do things like automated backups, security, plugin updates and some other bells and whistles. It usually costs a little more to give you all of this.
We’re putting fewer and fewer clients on managed hosting – but that is mostly because we are now managing their sites for them so they don’t need the bells and whistles.
Like all hosting, there are a lot of crap managed hosts and lots of good ones. Don’t think just because they call it WordPress hosting that everything will be fine. There has been a big trend for everyone to start offering “WordPress hosting”, and some of them are really bad.
The hosts we use and recommend
Shared Hosting in Australia
Many of our clients are in Australia, so we’ve got this section just for the Aussies reading this.
These guys are a little different than the way most VPS hosts work. They technically aren’t a hosting company. They run some of their own software on top of a few other VPS hosts which makes them much easier to manage, without a full time tech team.
For as low as $15 USD per month, you can get set up on your own Digital Ocean server running Cloudways platform on the top.
They add two layers of cache which make your sites much, much faster right out of the box.
Right now, these guys are my favourite host out there. Just a few things to note:
They have their own control panel – so if you are used to cPanel you’ll need to re-adjust
You cannot send email from a VPS – you’ll need to set up SendGrid as well to do the emailing
You don’t get complete control of the server like you would with a barebones VPS
All in all, Cloudways are a great host to use. We’re moving all our company sites to them.
WordPress is amazing. Really. It shaves a huge amount of time (and money) from the web development process. This is of course no secret. WordPress is now used by 24.9% of the world’s websites.
This is also one of the downsides of WordPress. Its popularity makes it an obvious target for hackers. They can write a script which targets specific vulnerabilities and then set it loose.
The script goes from site to site, looking for whatever it can find that can be broken into. The script does not care if you are a multi-national corporation or a one-man-band who sells cheese.
Once it is in, it can do whatever it likes with your website.
I’ve seen clients’ (well, right before they became clients) sites get hacked in loads of different ways. The hacks range from subtle and unobtrusive through to very destructive. Some examples are:
Embedded links to dodgy websites. Google hates this
The website completely replaced with terrorist propaganda
Being overwritten by a hidden Russian shoe store, which only displays to people who aren’t from Australia
Over the last couple of months, the number of hack attempts has climbed exponentially.
This graph shows the number of failed login attempts to WordPress sites worldwide through one particular method. These hackers are just trying many different username and password combinations to find one that works.
If you are using a default username like “admin”, this is where you should worry a little bit. That should be one of the first things on your list to fix. Hackers love default usernames.
There are ways to protect against these threats. This is one of the many things we do for our WordPress care & support clients. This is an actual screenshot from my email.
See those numbers on the left – 59, 52, 98 etc? That is the number of user lockouts which have occurred on ONE site in ONE day. If I didn’t hide these emails, my inbox would be completely flooded.
These aren’t all massive companies. Many of them are local small businesses who by no means would be specifically targeted. The scripts simply attack everyone.
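To see where lockout numbers like those come from on your own site, here is an added example (not from the original post, and not any plugin's code) that replays a web server access log and counts lockouts per address per day. It assumes the combined log format and that a failed WordPress login shows up as a POST to wp-login.php answered with status 200 (a successful one redirects with 302); the limit of 5 failures in 5 minutes and the log lines themselves are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def failed_logins(lines):
    """Yield (ip, timestamp) for each POST to wp-login.php answered with 200."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def count_lockouts(events, max_attempts=5, window=timedelta(minutes=5)):
    """Replay failures in time order; return {date: Counter({ip: lockouts})}."""
    recent = defaultdict(list)   # ip -> failure times still inside the window
    per_day = defaultdict(Counter)
    for ip, ts in sorted(events, key=lambda e: e[1]):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_attempts:
            per_day[ts.date()][ip] += 1
            recent[ip].clear()   # a lockout resets the attempt counter
    return per_day


def sample_log():
    """Constructed sample: one scripted guesser and one person who mistyped once."""
    lines = [
        f'203.0.113.7 - - [12/Mar/2015:03:10:{i * 5:02d} +0000] '
        '"POST /wp-login.php HTTP/1.1" 200 3512'
        for i in range(12)   # 12 failures, 5 seconds apart
    ]
    lines += [
        '198.51.100.20 - - [12/Mar/2015:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512',
        '198.51.100.20 - - [12/Mar/2015:09:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
        '198.51.100.20 - - [12/Mar/2015:09:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3512',
    ]
    return lines


if __name__ == "__main__":
    for day, by_ip in count_lockouts(failed_logins(sample_log())).items():
        for ip, n in by_ip.most_common():
            print(f"{day} {ip}: {n} lockouts")
```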
How to protect yourself
It isn’t all doom and gloom. There are lots of different ways you can protect yourself. The most popular is to install one of the many WordPress security plugins like Wordfence, BulletProof, Sucuri, iThemes Security, Acunetix or All In One Security.
Each has its pros and cons. Generally we use the premium version of Wordfence with custom settings.
If everything does go wrong, you need to have backups in place. Most people use default settings and back their site up on the same server where their site is hosted.
That is the worst kind of backup.
Your backups need to be stored somewhere totally different like Amazon S3, Dropbox or one of the several “vaults” that some plugins provide.
Installing a plugin is only the most basic level of protection. Outside of this, it gets a bit nerdy and can be too much for a non-technical person to handle. Soon, we’ll release a guide on this for those who want to DIY their security. This of course will take some time learning and implementing.
For everyone else, if you value your time at $75 an hour, it isn’t worth you spending time on your website. There are way more important things to do in your business.
Imagine having a team of experts for just over an hour’s worth of your time, who will not only keep your site secure and backed up, but make changes to your site when you need it.
We’ve been looking after sites a long time, so we’ve been able to get our prices down to a point that makes it a no brainer. Start protecting your most important online asset today.
Web hosting is a hot topic among many business groups. Similar questions get asked on the daily, and the answers section instantly swells out to loads of answers of “This one is the best”, “This one is the cheapest” or “My hosting is the best. Pick me, pick me!”.
With so much info out there it is really hard for the non-techies (henceforth referred to as “you”) to understand what you are getting. What do all these terms like shared, managed, dedicated, VPS mean? How much should I be paying? What the hell is a web host, anyway? I’ll answer all this in a bit.
A Summary (tl;dr)
This next paragraph is for someone who knows a few of the industry terms and just wants to make a decision. If you are brand new, jump right over it.
For most small businesses, shared hosting is plenty, even if you have a few hundred visits a day
Managed WordPress hosting is also good, but costs a bit more. A truly managed WordPress host takes some burden off you
Don’t use a plain VPS unless you are very techy
For higher traffic sites or higher budgets use a Managed VPS or a dedicated plan on a Managed WordPress host
A web host is a computer, connected to the internet, which responds to requests from other computers.
When you type in “mysite.com”, this is what happens:
Your computer asks a DNS (not the topic of this post) where your site lives
The DNS tells your browser the internet address of the web host
Your browser asks the web host for the web site
The web host spits out a bunch of code and gives it to the browser
Your web browser builds the code into a web page
When you see the word “server” mentioned, it essentially just means a big beefy computer that can handle lots of things happening at the same time. For the purpose of this post, a server and web host mean the same thing.
A quick note on Australian Hosting
It is worth noting that everything is more expensive in Australia. Hosting companies have to pay more to house their servers in datacenters in Oz. They pay more for the data which is sent to and from the servers, and will pass this cost onto you.
Should you host in Oz? Ultimately it is up to you. It doesn’t make a huge difference in the load times for your website, but it does make a little difference. This site is hosted in Dallas, USA.
Also consider where you want to keep your data. If you are storing sensitive client data on your website, privacy laws may affect your decision. If it is just a few pages about your business, it really doesn’t make a difference.
The Types Of Hosting
Price range: $4-30 / month
What it is: It is essentially lots of websites living on one server. Servers generally have a lot of computing power, so a single server can handle a ton of requests. This means you can have a bunch of lower traffic websites on one server with little downside.
Just don’t expect to be able to send out lots of emails from the server. They will usually end up trapped in spam. For email you should be using something like Mailchimp or ActiveCampaign.
The potential downside of shared hosting is that one website on the server can be problematic and cause issues for everyone else on the same server. Most good hosts are onto this though, and shut down the offending websites. I’ve only had one issue like this in my years on the web.
Cheapest option (which doesn’t mean that it is bad)
Server updates and issues handled for you
Usually offer automatic backups
Can usually install WordPress in a couple of minutes with no tech knowledge
Limited control of the server. You only get a control panel. (not a problem unless you are trying to do something out of the ordinary)
Other websites on the same server can affect the performance of your site
Won’t support high traffic
Who we recommend: Site5. They offer free migrations if you have an existing website. They have a 24/7 live chat that has resolved any issues we’ve had within minutes. They are very well priced and have an Australian datacentre option.
Price Range: $10-100+ per month (for normal use – enterprise is different)
What it is: VPS stands for Virtual Private Server and is what most people refer to when they say “Cloud Hosting”. A “virtual machine” is a computer that lives on another, bigger computer. One large server may have several VPS’s on it, but each acts just like a private computer. A VPS usually has dedicated computing power so other sites can’t impact yours.
If you are reading this post, chances are you will not want a plain old VPS. These are for tech heads, or those with staff who are tech heads. A plain VPS means you have to manage EVERYTHING yourself, from core server updates and performance/uptime monitoring to security updates and web hosting software. This is stuff you just do not want to (and should not have to) deal with as a small business owner, and is likely a waste of your time. In the last few months there have been 3 MAJOR Linux security breaches that everyone with a plain VPS has to patch themselves. Granted, that is fairly rare.
Most power for the price
Dedicated computing power
Full control of the server
Have to manage everything yourself. If something goes wrong, you are often on your own.
Who we recommend
There are so many great VPS providers out there. My two favourite are Liquid Web and Digital Ocean. Digital Ocean is very very cheap. Liquid Web have great support.
Price Range: $60-400 per month (can range to thousands but I’m being practical here)
What it is: VPS and Managed VPS are VERY different as far as you the end user are concerned. We in the IT world like to create two things that sound the same just to confuse everyone else.
A managed VPS means that someone else handles all the tech stuff for you. Server updates, security patches, installing web host control panels (usually included in the price), and support are all handled. However, you pay for this service.
All the Pros from plain VPS apply here.
Dedicated computing power
All the techy IT stuff handled for you
Still have control if you want it
Generally backed up for you
The most expensive (excepting dedicated servers)
Who we recommend: Liquid Web
Price range: $250+ per month
What it is: A dedicated server is similar to a VPS in that you have full control over your server. The difference is that you are renting an entire computer in a datacenter somewhere. These are pretty much reserved for really big sites, and even then most people opt for larger VPS’s in this case.
If you are looking to host with someone, and they include “hosting on our dedicated servers”, generally they mean that they rent a dedicated server, and host lots of small sites on them. This is effectively the same as shared hosting, except the company maintains control of the websites on that server.
Same as VPS, but usually more computing power
More difficult to put backup plans in place. VPS providers usually have systems in place to easily backup a VPS, where dedicated servers usually don’t.
What is Caching?
Every time someone visits your site, your server runs a bunch of code to generate the web site, which gets sent to the user and displayed on their internet browser. This code takes time and computing power to run.
If 100 people visit your site, the server runs that code 100 times.
Caching means that after the server runs all that code, it stores the result into a little file somewhere. The next time someone visits that same page, it just sends them the information in that file, so all that code doesn’t have to run. “Cache expiry” defines how long the server will use that file before it decides to build a new one in case anything has changed.
What does this mean in practice? Your site speed should improve and the server can handle more volume without more power.
Managed WordPress Hosting
Price range: $30-150 per month
What it is: This is essentially shared or managed VPS hosting with a bunch of extra features and benefits. These may include caching (see “What is Caching?” above), automatic backups, easy restores, WordPress updates, guarantees to fix your site if it is hacked, options of CDN (hosting media files on computers around the world to make them load faster) and staging area (ability to make changes to your site in a testing area so only you can see it).
Managed WordPress Hosting is often the most worry-free hosting, as so much is taken care of. Thankfully, there are still low priced entry points.
The term “Managed Hosting” is thrown around a lot by different companies. Not all of them offer “true” managed WordPress hosting. Be careful with this one. Feel free to drop us a line if you are unsure on a company.
Not much to worry/think about, except WordPress plugin updates
Some companies will let you scale up your plan really easily as your traffic gets larger
Little to no control on the server. Generally the way the host says it goes, goes
Who we recommend: The biggest player in this space is WP Engine. This is who we use. So far the best player I have found to host in Australia is Kinsta. As yet, no others come close to the likes of WP Engine.
There’s a client of ours who hosts their WordPress based website on their own server which we do not have access to.
On Monday, their site was hacked and the home page was replaced with some Israeli propaganda. We advised them how to clean it up (since we had no access) and they got it sorted out. Then they were hacked again on Wednesday with a Russian front page. And again on Friday.
They only found out they were hacked when they had clients calling them up asking them what the deal was. To make things worse they were paying for Adwords. We stopped the campaign as soon as we found out, but can you imagine if they were paying to send potential new customers to a hacked site?
It’s one of the worst feelings when this happens.
There’s a lot of things that can make your site vulnerable to being hacked. Sometimes, there are exploits discovered which hackers can take advantage of before the rest of the world is able to create patches and fix those holes. They are called 0-day exploits, and are completely unavoidable.
Recently, there were security problems discovered in OpenSSL and Bash. These are two packages installed on a huge majority of servers worldwide, so the exploits were huge news. The IT world scrambled to patch their servers, but many were vulnerable for days, and many probably still are.
So can you protect yourself against these things? Absolutely.
By regularly backing up your site and having a recovery plan in place, you can be back up and running in minutes after your site gets hacked.
Backups are, in my opinion, completely necessary, yet not many sites are regularly backed up. That’s why we’ve tried to make it really affordable for small businesses to get their site backed up, and get the peace of mind that comes along with it.
Unfortunately, no one really worries about backups until everything comes crashing down overnight. It happens more regularly than you’d think…
If you would like to protect yourself against your site being hacked, as well as other disasters like web hosting failures, check out our WordPress backups and maintenance packages starting at $29 / month.
It can be a little confusing when techies start talking in languages you just don’t understand. With all these parts that make up your website – domains, web hosting, WordPress, databases, PHP – it’s really easy to get overwhelmed and just give up.
Recently I had a chat with a very avid blogger friend of mine – Jennie Gorman. After explaining WordPress backups and how databases work, she told me that she believes this is something that more business owners need to understand. Hopefully you get a little something out of this as well.
This post is part of a series of posts to help you better understand the workings of your website so you can make sense of all that tech talk. Today’s topic is databases. If this is still too techie for you, let me know and I’ll update the post.
A Content Management System
If you are able to log in and change parts of your website easily, chances are that you also have a database. WordPress gives you this ability, and falls under a category of software called a “Content Management System”. That means it gives you the ability to make changes to your website without having to change any actual files.
When someone visits your website, they are connecting to a computer (web server) somewhere which holds at least two things – a bunch of files and a database.
There are two types of files. There are “static” files, like pictures, PDF’s, documents and other normal files that you would find on your own computer. The rest are just lines of code. Lots of them. They contain instructions for the web server on what to do when it needs to display your website to your visitor. Together, these files contain the information for:
The layout of the website e.g. show your logo first, followed by a menu, followed by picture, etc
The style of the website e.g. colours, text sizes, borders, etc
Pictures, documents, downloads
Instructions on where to find the current page in the database
All these files together are what you would call your Content Management System, or in this case, WordPress. This is also where your theme and plugin files live.
Right now you have visited a specific web address to read this post. Based on that address, WordPress knew that it needed to go into the database to dig out these actual words you are reading.
So what is a database?
The easiest way to think of a database is a bunch of tables, just like Microsoft Excel.
All your WordPress posts are stored in a table. If you were to view it, it might look a little something like this:
Looking at the above table, WordPress would have seen that you are looking for the post with an id of 3. It grabs that row out of the database, displays the title at the top of the page, and all the words from the post column right here. Each row is just a new post.
Pretty simple when you look at it like that, huh?
The point of the id column is so that there is a unique way to identify each post. If you change the title, it won’t break anything because it will still be post number 3.
There will also be other columns that have other information. Things like:
The date it was posted
The user who created it
If it is public or private
That is about as simple an explanation of a database as you can get. Basically everything you see in your WordPress dashboard lives in tables like this. Some other examples are comments, settings, users etc. They all just get their own table.
In reality, all this information is stored in special data structures that would look like a giant mess to most people. Databases are full of enormous complexity that would require an entire blog to explain everything that goes on inside. Obviously, way beyond the scope of this post.
What you need to know is that at a simple level a database is a bunch of tables managed by some software on the web server, and that your database sits completely separate from the files that make up WordPress.
How it relates to WordPress backups
As we have seen, there are two parts to a WordPress site. The files that make up WordPress (including your themes and plugins) and the database that sits behind it. It’s also worth noting that themes and plugins may create their own tables inside the database to store information.
If you were to back up your website, it is not as simple as copying the WordPress files somewhere. You now know that you need the database as well. Unfortunately, you cannot back up a database just by copying some files. However, you can take the current state of the database and turn that into a normal file.
If you have ever backed up your WordPress site (if you haven’t, remind me to smack you later), you’ll notice options to do a “complete backup” or a “database backup”. If you request a complete backup, this is what happens:
A command is run to take a snapshot of the database and turn that into a file
Gather up all the WordPress files
Squash it all down into a compressed file (like a “.zip” file, but on most web servers they will be a “tar.gz” file)
If everything is set up correctly, once you download that single file, you have a copy of your entire website which you can restore on another web host. You can also use it to restore your site to a previous state in the event you get hacked or completely break your site.
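"If everything is set up correctly" is worth checking rather than assuming. The added example below (not part of the original post or of any backup plugin) opens a backup archive and confirms it holds both halves described above, the WordPress files and a database dump, then computes a SHA-256 you can compare against the copy stored off the server. The archive layout, file names and dump contents are constructed for the demo.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

REQUIRED_FILES = ("wp-config.php", "wp-includes/version.php")


def make_sample_backup(path, include_db=True):
    """Write a constructed tar.gz standing in for a 'complete backup'."""
    members = {
        "site/wp-config.php": b"<?php // constructed sample\n",
        "site/wp-includes/version.php": b"<?php $wp_version = '4.0.1';\n",
        "site/wp-content/themes/sample/style.css": b"/* constructed */\n",
    }
    if include_db:
        members["site/database.sql"] = (
            b"CREATE TABLE `wp_posts` (id INT);\nINSERT INTO `wp_posts` VALUES (3);\n")
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def check_backup(path):
    """Return a list of problems; an empty list means both halves are present."""
    problems = []
    with tarfile.open(path, "r:gz") as tar:
        files = [m for m in tar.getmembers() if m.isfile()]
        names = [m.name for m in files]
        for required in REQUIRED_FILES:
            if not any(n == required or n.endswith("/" + required) for n in names):
                problems.append(f"missing WordPress file: {required}")
        if not any("/wp-content/" in "/" + n for n in names):
            problems.append("missing wp-content (themes, plugins, uploads)")
        dumps = [m for m in files if m.name.endswith((".sql", ".sql.gz"))]
        if not dumps:
            problems.append("no database dump (.sql) in archive")
        for m in dumps:
            # Only plain-text dumps are inspected; a .sql.gz is accepted as present.
            head = tar.extractfile(m).read(1 << 20)
            if m.name.endswith(".sql") and b"CREATE TABLE" not in head:
                problems.append(f"{m.name}: no CREATE TABLE statement, dump looks empty")
    return problems


def sha256_of(path):
    """Digest to record at backup time and compare against the off-site copy."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        full = make_sample_backup(Path(tmp) / "full.tar.gz")
        files_only = make_sample_backup(Path(tmp) / "files-only.tar.gz", include_db=False)
        for archive in (full, files_only):
            print(archive.name, sha256_of(archive)[:16], check_backup(archive) or "OK")
```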
Backing up regularly can be a massive pain. Some people have the backups stored on their web host. This is fine when you need to recover from a broken site, but what if your whole web host went down?
Another option is to regularly log in, create and download the backup. But who has time for this?
These days, one of the best solutions is to set up automatic cloud backup of your website. This means that WordPress will regularly back up your site, and ship the files off to a server on the cloud somewhere which you can download when you need them. You can also restore your site directly from that cloud server, without having to download the backup and upload it to your site.
And finally, the easiest method of all is to have someone else handle it all for you. Recently, I became aware of how many business owners rely on WordPress for their day to day business, yet are not backing up their site. Earlier I mentioned a blogger friend of mine. Last week, she told me about how she lost FOUR entire websites due to a web host crash. Completely gone, overnight. How awful is that?
It doesn’t need to be like this, as having your backups and maintenance managed is such a simple and inexpensive process. We now offer WordPress backups and maintenance as a service to our clients, to give them peace of mind, knowing their entire site is safe at all times.
If you’re interested in not only ensuring that you won’t lose your entire website overnight, but having someone regularly service and maintain your website for speed, security and more, check out the plans at the WordPress Backups and Maintenance page.