Backing up your site can be an effective way to keep your content safe. But unless you remember to take manual backups consistently and store copies in a secure environment, you may be lulled into a false sense of security.
The good news is that you can use a powerful tool, Jetpack VaultPress Backup, to easily set up automated backups and store a copy of your WordPress site on a secure cloud platform.
In this post, we’ll discuss the importance of making off-site WordPress backups. We’ll also look at some cloud-based backup solutions for WordPress. Finally, we’ll show you how to automate things with one of the best WordPress backup plugins.
The importance of off-site WordPress backups
You’re probably already familiar with backups. These are copies of your site that are stored online or on a local device.
For example, you might use a WordPress backup plugin to download your content to your computer. Some hosting providers may also perform backups of your WordPress site and store them on their servers.
There’s just one big problem with these solutions: if the server or computer gets hacked, you could lose your backups.
Additionally, if your server malfunctions due to a host-based or user error, you may be unable to access your content. For instance, your host’s site might be down due to a problem with its server, and you won’t be able to log into your hosting account to restore a backup until the issue is resolved.
A cloud WordPress backup can offer more reassurance. That’s because you’ll be storing your content off-site, typically on a secure platform that’s independent of your host’s servers.
This means you’ll be able to access your backups even if your site or server is down. Plus, if the server gets hacked or a user makes an unauthorized change, your content won’t be impacted.
A closer look at cloud-based backup solutions for WordPress
Looking for the best WordPress backup plugin? There are several tools that you can use to create WordPress backups on the cloud. For example, UpdraftPlus enables you to store copies of your site on Dropbox, Google Drive, Amazon S3, and other platforms.
Another option is Duplicator, which lets you migrate, copy, or move a site from one location to another. Like UpdraftPlus, it offers cloud storage on Dropbox, Google Drive, and Amazon S3. But you’d need to purchase the premium version to access this feature.
However, site owners looking for the easiest, most reliable solution for WordPress can’t help but consider Jetpack VaultPress Backup. In fact, Jetpack is made by the expert team behind WordPress.com, and millions of sites already have Jetpack tools installed.
With this plugin, you’ll be able to save every change you make in real-time and store copies of your site on a highly secure cloud. This also means that you’ll be able to restore your WordPress site without any issues, even if your host server is down.
Plus, copies of your site are saved on multiple servers across the world for added reliability. The backups are also encrypted to keep your content secure.
And the best part is, the process is completely automated. Once installed, the plugin will create an automatic backup every time you make a new change on your site.
How to automate your cloud-based WordPress backups
Now, let’s look at how to automate your cloud-based WordPress backups with VaultPress Backup. To get started, you’ll need to purchase a Jetpack plan that includes the backup tool.
Or if you have the free Jetpack plugin installed on your site for its many other security and performance tools, you can upgrade to a premium plan, which starts with 1GB of storage.
If you have a large site, you may want to subscribe to Jetpack Security, which gives you 10GB of storage space in addition to other premium security features.
How to install and activate the Jetpack VaultPress Backup plugin
Once you’ve purchased a plan, you can install and activate VaultPress Backup through your WordPress dashboard.
Click on Install Now followed by Activate. You’ll then be prompted to purchase the plugin or sign in with an existing plan.
Next, you’ll need to enter your license key to activate the plugin. If you’ve purchased a subscription, this will be sent to your inbox.
You may also need to connect VaultPress Backup to your WordPress.com account. Simply follow the prompts to complete the process.
If you don’t already have a WordPress.com account, you can create one for free.
Once you’ve set up the plugin, you can access it by navigating to Jetpack → VaultPress Backup in your dashboard. As you can see, the plugin will automatically perform the first backup of your site.
You won’t need to configure any settings or enable automated backups. Jetpack will automatically create a restore point with every edit you make.
You can view the latest backup within your WordPress dashboard.
To access your site copies, simply click on See backups in the cloud. You’ll get an activity log that lets you see every change made to your site. This can be particularly useful if you have multiple users contributing to your blog.
Frequently asked questions
As we have seen, VaultPress Backup makes it super easy to make complete WordPress backups on the cloud, but you may still be wondering how it works. In this section, we’ll try to answer some of the most common questions about the best WordPress backup plugin.
Is Jetpack VaultPress Backup easy to install and configure?
Yes, VaultPress Backup is very easy to set up. The only thing you’ll need to do is purchase a Jetpack plan that includes the tool.
Once that’s sorted, you can simply install and activate the plugin on your site, and it will generate the first backup for you. From then onwards, VaultPress Backup will automatically create a backup every time you update your site. This includes backups of your files as well as your databases.
At what intervals are backups performed?
With VaultPress Backup, copies of your site are made in real-time every time you work on it — a much better solution than scheduled backups. For instance, if you create a new post today or customize your theme, the plugin will instantly make a backup to save those changes.
This system is a lot more effective than weekly or monthly backups, as you don’t need to worry about potentially losing a day’s worth of work if something goes wrong within that time frame.
Thanks to the real-time backup method, you can rest assured that every change you make on your site is stored in a secure location.
Does VaultPress Backup offer secure backup storage?
VaultPress Backup makes redundant copies of your WordPress site on multiple servers across the globe. This way, should one server fail, you’ll still have access to your backups.
Plus, it creates off-site backups, independent of your hosting server. That means there’s no load on your server, and you can still access your content if your site is down.
It’s also worth noting that your backups are encrypted. This makes it even more difficult for malicious third parties to intercept your site and manipulate your content.
How can I restore a backup? Is it easy to do so?
Yes, when you use VaultPress Backup, you can restore a copy of your site in just a few clicks.
First, you’ll want to log into your Jetpack account and click on Activity Log. Here, you can use the filters to search for the backup by Date range or Activity type.
Then, select the Actions button and click on Restore to this point to open the Restore Site dialog box.
Next, you can use the provided list to deselect any items that you don’t want to restore, like plugins and themes. If you want to restore everything, leave all boxes checked and click on Confirm Restore.
Jetpack will then restore your site according to your selections. Once the process is complete, you’ll see a success message. That’s it!
If you have a WooCommerce site, VaultPress Backup enables you to restore your WordPress site to any previous state without losing your most recent orders and products. You’ll also be able to create custom WooCommerce table backups.
Note that you also have the option to download backups to your computer. You can then upload them to another storage device of your choice, like Google Drive.
Make WordPress backups a breeze with VaultPress Backup
Performing backups can help ensure that you always have a copy of your site to restore should anything go wrong. But, if you’re storing these copies on your server or local device, you risk losing your content in the event of a cyberattack or hardware malfunction.
For extra peace of mind, you’ll want to save your backups off-site. With VaultPress Backup, you can make cloud backups in real time. The plugin will automatically generate a copy of your site every time you modify your content, and store it in a highly secure location.
Are you ready to automate the backup process? Get started with VaultPress Backup today!
We are thrilled to introduce the latest addition to Jetpack VaultPress Backup – the backup file browser! Say goodbye to full backup downloads and welcome a seamless way to access and manage your backup files.
It’s not just about accessing backups—it’s about exploring them. The backup file browser transforms backups from mere archives to detailed landscapes, allowing you to dive deep into the specifics of your stored data.
Seamless Access
Effortlessly navigate through your backups using an intuitive interface. No more waiting for full backups to download – instantly find and access the files you need.
You can access the files of any backups in Jetpack Cloud by clicking on the `Actions` menu and then on `View files`.
Files Preview
Curious about the content of a specific file? With the backup file browser, you can preview images, videos, audio, texts, and other supported file types before downloading them, ensuring you get the right files every time.
Download Individual Files
No more downloading entire backups just to retrieve a single file. Choose individual files, plugins, themes, or database tables, and download them directly to your local storage.
Dive into the New Landscape of Your Backups!
Already with us? Experience the power of the backup file browser today! Navigate through your backups, preview files, and download what you need with ease. Take control of your backups and get started now.
In the world of business, particularly in the digital realm, we’re not just storing office supplies and paper files. We’re guarding treasure chests full of digital data, sensitive information that forms the bedrock of our enterprise.
But, just as you wouldn’t bury treasure in your backyard, you shouldn’t store critical data only on your primary server. This is where the principle of offsite backups comes in.
What is an offsite backup?
In a world that’s rapidly going digital, data is the new gold. An offsite backup, then, is essentially a safe deposit box. It’s a copy of your data stored at a different location from your primary server. It could be another physical location, or, increasingly, it’s in the cloud.
Unlike the more traditional onsite backup, which replicates your data on a local server or device, an offsite backup ensures that a version of your data is stored at a different geographical location, safe from any calamities or security breaches that could affect your primary server.
Your WordPress site has a hosting provider that may offer backups. However, these are considered on-site since they’re hosted at the same place as your regular website files. If something happens, all of your data may be irrecoverable — your fortune gone.
Why offsite backups are essential
Now you might wonder why you should even bother with offsite backups. You’ve got a reliable host and a strong password. Isn’t your data safe enough?
Well, as we’re about to delve into, there are numerous reasons why this belief is not only flawed but potentially dangerous.
The digital landscape is fraught with risks, from natural disasters that can wipe out physical servers to cyber-attacks that can compromise your data integrity. These dangers pose a significant threat to your business continuity, especially if your primary server is your only line of defense.
Think you’re not a target? Cybercriminals often aren’t individually selecting which sites to attack. Instead, they use automated programs that look to exploit any weak site, relying on economies of scale: succeeding in just a few of thousands of attempts is enough to make massive gains.
The role of offsite backups in a disaster recovery plan
A sound disaster recovery plan is like a well-rehearsed fire drill. You hope you’ll never need it, but when disaster strikes, you’ll be glad you took the time to prepare. For websites, one of the central tenets of a good disaster recovery plan is offsite backups.
If your primary server is compromised, you can lean on your offsite backups to restore your website and ensure that your operations continue as smoothly as possible. It’s the digital equivalent of having a fireproof safe to protect your most important documents from a blaze.
The risks associated with a lack of offsite backups
Imagine you’re a skilled acrobat, performing breathtaking stunts high above the ground. Now imagine doing so without a safety net. Sounds terrifying, right? That’s what running a business without offsite backups is like.
The consequences could range from the inconvenient, such as delays in accessing your website, to the catastrophic, such as halted operations or a significant loss in revenue.
What does the ideal offsite backup solution look like?
We’ve established that offsite backups are crucial. But how do you choose an ideal solution for your business? The best offsite backup solution should offer you secure and robust storage, easy retrieval of your data, real-time updates, and scalability. Additionally, it should also offer remote management of your backups and a simplified process of restoring your data. Sound like a tall order?
Let’s make it easier. Introducing Jetpack VaultPress Backup — a premier backup solution designed for WordPress sites. With VaultPress Backup, not only are you getting the peace of mind that comes with knowing your data is safe and secure, you’re also getting a solution that’s specifically designed to meet the unique needs of your WordPress site.
12 key advantages of using offsite backups
1. Peace of mind — Your data is safe in case of an onsite disaster
You’ve heard the stories. A server crash that wipes out months of hard work. A devastating natural disaster that destroys local data storage. Cybercriminals breaching defenses and holding valuable data for ransom. This stuff of nightmares is, unfortunately, a very possible reality in the digital world today.
But with offsite backups, you don’t have to worry. It’s a safety net that stands ready, offering assurance that should the worst happen, your data will be safe. With tools like VaultPress Backup, every change you make is stored in a safe location, ready to step in if disaster strikes.
2. Security — Keep your backups away from potential breaches
Cybersecurity threats are a significant concern in today’s digital landscape. The security of your data shouldn’t be something that keeps you awake at night. Offsite backups provide an extra layer of protection, ensuring that even if your primary systems are compromised, your data remains secure. VaultPress Backup, for instance, encrypts your data during transmission and stores it in secure offsite locations, far from the prying eyes of cybercriminals.
3. Safeguard your data — Protect against accidental deletions
Ever deleted a file accidentally and wished you had a time machine? We’ve all been there. Accidental deletions are more common than you might think, and they can have catastrophic consequences. Offsite backups are like a digital time machine, enabling you to recover accidentally deleted data and get back on track. VaultPress Backup provides real-time backups, meaning every change is recorded — even those accidental deletions.
4. Easy retrieval — Access and restore backups from anywhere
You’re on vacation, and you get an urgent call — the website’s down, and they need it restored immediately. Is your day away ruined? Not if you have offsite backups. They can be accessed from anywhere, allowing you to retrieve and restore data whenever you need to.
5. Accessibility — Retrieve data even if the primary server is down
Imagine your primary server is down, and nobody can access your WordPress site. What do you do? With offsite backups, you’re covered. Even if your primary server faces downtime, you can access your offsite backups and retrieve the necessary data. A plugin service like VaultPress Backup ensures that your data is always available when you need it, irrespective of what happens to your primary server.
6. Time efficiency — Offsite backups can be performed automatically
Running a business is a juggling act, and time is one of the most valuable resources you have. Offsite backups can be set to run automatically, eliminating the need for manual backups that take up precious time. VaultPress Backup, for example, provides real-time automated backups. You set it up once, and it takes care of the rest, leaving you free to focus on growing your business.
7. Peaceful updating/testing — Confidently experiment with changes
Innovation is key to success in today’s fast-paced business world, but making changes to your website or testing new features can be risky without a safety net. Offsite backups allow you to confidently experiment and innovate, knowing you can restore your site to its previous state if necessary. VaultPress Backup keeps a detailed log of all changes, making it easy for you to undo any that don’t work out as planned.
8. Scalability — Expand storage without affecting the primary server
As your business grows, so does your data. Offsite backups are an efficient way to manage this growth. They allow you to quickly and easily scale your storage capacity.
9. Regulatory compliance — Meet data protection requirements
Many industries are required by law to have a certain level of data protection in place, which often includes offsite backups. By ensuring your data is securely backed up offsite, you can work towards maintaining compliance with these regulations.
10. Customer trust — Demonstrate reliability and show your clients their data is safe
A slow website annoys visitors and potential customers. A site that’s completely down? It reeks of incompetence, and not much sends them to a competitor faster. Be there when customers are looking for you with a continuity plan that includes easily-recoverable offsite backups.
Plus, having robust offsite backups in place shows customers that you take their data security seriously, which builds trust in your business.
11. Business continuity — Keep your business running smoothly
In the event of a disaster, having offsite backups ensures that your business can continue to function. You can minimize downtime and disruption to your business operations. VaultPress Backup makes WordPress site recovery simple, fast, and efficient.
12. Easy migration — Simplify website transfers to new environments
Picture this scenario. You’re poised to make a leap, set to transfer your website to a new hosting provider or perhaps a new domain. But the thought of the potential headaches involved makes you hesitate. We’ve been there. The truth is, migrating a website can be a daunting task, filled with uncertainties.
But with offsite backups, this process becomes a walk in the park. Your website’s data, safely stored in an offsite location, can be easily moved and re-deployed in a new environment, significantly simplifying the process. It’s like packing up your belongings from your old house (your existing server) that have been carefully cataloged and stored away, ready to be set up in your new home (the new server) — except all the heavy lifting has been taken care of for you.
A deeper dive into VaultPress Backup
As a part of the Jetpack suite of plugins for WordPress sites, VaultPress Backup fills the universal need for a robust, easy-to-use offsite backup solution.
Features and benefits of VaultPress Backup
VaultPress Backup is more than just an offsite backup solution. It’s a comprehensive WordPress site recovery tool that offers:
Real-time and automated backups.
Easy restoration of your site — even if you can’t access your dashboard.
A centralized place to manage backups.
Premium support from a team of WordPress experts.
High-grade security to protect your backups from threats.
How to configure VaultPress Backup on your WordPress site
Setting up VaultPress Backup on your WordPress site takes just a few simple steps:
In your WordPress dashboard, go to Plugins → Add New. Search for “Jetpack VaultPress Backup” and click Install now → Activate.
In the new window that pops up, click Set up Jetpack.
You’ll be prompted to connect to a WordPress.com account. You can either create a new one, or log into an existing profile.
Then, choose a VaultPress Backup plan based on your needs and set up your payment information.
And that’s it! Once VaultPress Backup is set up, you don’t need to worry about anything. Everything happens automatically, in real-time, and your backups are stored off-site in an ultra-secure cloud. And the Jetpack support team is always on standby to help you out.
Onsite vs offsite backups — what’s the difference?
Onsite backups involve storing copies of your data on your local devices or server, while offsite backups store copies of your data at a different location from your primary server. In other words, offsite backups shield your data even if something happens to your primary server, giving you an additional layer of protection.
Why are offsite backups important for my website?
Offsite backups are vital for your website because they protect your data and content from a multitude of risks, from physical damage to cyber threats. Having a copy of your website stored off site ensures that you can get it back up and running quickly if your server is ever compromised.
How do offsite backups help in a disaster recovery scenario?
In a disaster recovery scenario, offsite backups act as your fail-safe. They allow you to restore your website quickly and continue operations, minimizing downtime and data loss.
What key advantages do offsite backups offer compared to onsite backups?
Offsite backups offer several advantages over onsite backups, including added security, accessibility, scalability, and help to comply with regulatory standards. They also provide a safety net in case of damage or security breaches to your primary server or local device.
What differentiates VaultPress Backup from other offsite backup solutions?
VaultPress Backup stands out from other solutions due to its seamless integration with WordPress, user-friendly management dashboard, high-grade security, and exceptional support.
One of the key highlights is that all backups are taken in real time, so every single change that happens on your website — from updated pages to published posts and customer orders — is always available in case of emergency.
How secure are my backups with VaultPress Backup?
VaultPress Backup uses state-of-the-art security measures to protect your backups. From encrypted transmission to secure storage, Jetpack goes the extra mile to ensure your backups are secured from threats. Your WordPress backups are safe with Jetpack VaultPress Backup.
How frequently should I schedule offsite backups?
For maximum data protection, you should create offsite backups in real-time. VaultPress Backup makes this possible, ensuring that every change you make to your site is immediately backed up.
Where can I find more resources or support for using VaultPress Backup?
Jetpack VaultPress Backup: Real-time, offsite backups for WordPress
In an ideal world, you’d never need to restore a backup. But the reality is that there are a variety of reasons you might have to, from a hacked website to a coding mistake.
Jetpack VaultPress Backup was designed to offer real-time, offsite backups for WordPress sites. So, whether you own a small business, an ecommerce store, a blog, or an enterprise company, VaultPress Backup provides a secure, easy-to-use, and robust offsite backup solution that gives you peace of mind.
From disaster recovery to easy data retrieval and beyond, offsite backups are not just a good-to-have feature for businesses; they’re an absolute necessity. It’s the digital safety net that keeps your business running smoothly, safeguards your website content and data, and keeps you sleeping well at night.
So, take the leap towards securing your website’s future with offsite backups.
a broken access control on form submissions export feature that allows Subscriber and Contributor role users to export all of the Ninja Forms submissions on a WordPress site (7.6 CVSS 3.1 score)
Patchstack researchers discovered the vulnerabilities on June 22, 2023, and Ninja Forms patched them on July 4, 2023. The security advisory was publicly released on July 27, 2023.
The plugin’s changelog for version 3.6.26 transparently identifies the security fixes included in the release:
Security Enhancements:
* Prevent unauthorized download of submission
* Prevent scripts in dashboard field labels; responsibly reported by Sayandeep Dutta
* Prevent front-facing label scripts; responsibly reported by Jonathon Zamora & WordPress.org
* Prevent excess extra data through automated form submission
* Prevent override access where not permitted
Ninja Forms is used on more than 800,000 WordPress sites. The majority of the plugin’s users are on version 3.6.x (73.6%) but WordPress.org doesn’t offer a more detailed breakdown of minor versions, so it’s not clear how many are still vulnerable. Ninja Forms users are recommended to patch their sites immediately. At this time, the vulnerabilities are not known to have been exploited.
All-In-One Security (AIOS), a plugin active on more than a million WordPress sites, was found to be logging plaintext passwords from login attempts in the database and has patched the security issue in version 5.2.0.
I was absolutely shocked that a security plugin is making such a basic security 101 error (not to mention being out of compliance with NIST 800-63-3, ISO27000, CIS, HIPAA, GDPR, ….)
How can I stop the logging of clear text passwords?
How can this be fixed so we don’t fail the upcoming security review and audit by our third-party compliance auditors?
A support representative from AIOS confirmed that it was a known bug in the last release and offered a development copy of a zip file with a fix. It took more than two weeks for the patch to be published.
In version 5.2.0, released on July 10, 2023, AIOS included the following security updates in the plugin’s changelog:
SECURITY: Remove authentication data from the stacktrace before saving to the database
SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
Users are advised to update to version 5.2.0+ immediately in order to secure their sites. At the time of publishing, almost no users have updated to 5.2.0+, leaving hundreds of thousands of users who are running 5.1.9 still vulnerable.
“So far the developer haven’t even told the users to change all passwords,” Patchstack CEO Oliver Sild said in response to the issue on Twitter. “Due to the scale, we will 100% see hackers harvest the credentials from the logs of compromised sites that run (or has run) this plugin.
“We have also sent out vulnerability alert to all Patchstack users. Hopefully the Updraft team will do the same and will tell their security plugin users to clean those logs ASAP and ask all the site users to change the passwords where ever they used the same combinations.”
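The 5.2.0 changelog entry about removing authentication data from the stack trace, and the advice to clean existing logs, can be illustrated as follows. This is an added example, not AIOS code: the frame layout is modelled on PHP's `debug_backtrace()` output, the function names are WordPress core functions, and the JSON storage format, field names and sample rows are assumptions constructed for the example.

```python
import json

# WordPress core functions whose arguments carry credentials. Which frames AIOS
# actually recorded is not stated on the page; this set is an assumption.
SENSITIVE_FUNCTIONS = {"wp_authenticate", "wp_signon", "wp_check_password"}
# Argument keys treated as credentials wherever they appear (assumed names).
SENSITIVE_FIELDS = {"pwd", "pass", "password", "user_pass", "user_password"}
REDACTED = "[REDACTED]"


def scrub(value):
    """Recursively redact values stored under credential-like keys."""
    if isinstance(value, dict):
        return {
            key: REDACTED if str(key).lower() in SENSITIVE_FIELDS else scrub(item)
            for key, item in value.items()
        }
    if isinstance(value, list):
        return [scrub(item) for item in value]
    return value


def sanitize_trace(frames):
    """Return a copy of the trace that is safe to persist."""
    clean = []
    for frame in frames:
        args = frame.get("args", [])
        if frame.get("function") in SENSITIVE_FUNCTIONS:
            # Drop every argument of an authentication call, not just the password.
            safe_args = [REDACTED] * len(args)
        else:
            safe_args = scrub(args)
        clean.append({**frame, "args": safe_args})
    return clean


def serialize_for_storage(frames):
    """Sanitize first, serialize second, so raw credentials never reach the database."""
    return json.dumps(sanitize_trace(frames), sort_keys=True)


def rows_needing_purge(stored_rows):
    """Flag rows written before the fix: authentication frames with unredacted args."""
    flagged = []
    for row_id, payload in stored_rows:
        for frame in json.loads(payload):
            leaked = any(arg != REDACTED for arg in frame.get("args", []))
            if frame.get("function") in SENSITIVE_FUNCTIONS and leaked:
                flagged.append(row_id)
                break
    return flagged


# Constructed sample trace of a failed login; the credential is a dummy value.
TRACE = [
    {"function": "wp_authenticate", "args": ["alice", "example-password-1"]},
    {"function": "wp_signon",
     "args": [{"user_login": "alice", "user_password": "example-password-1"}]},
    {"function": "do_action", "args": ["wp_login_failed", "alice"]},
]

# Constructed log table: row 101 was stored unsanitized, row 102 after the fix.
STORED_ROWS = [
    (101, json.dumps(TRACE)),
    (102, serialize_for_storage(TRACE)),
]

if __name__ == "__main__":
    print(serialize_for_storage(TRACE))
    print("rows to purge:", rows_needing_purge(STORED_ROWS))
```

Rows flagged by the second function are the ones to delete, and the accounts that appear in them are the ones whose passwords should be reset.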
Snicco, a WordPress security services provider, has published an advisory on a vulnerability in the MalCare plugin, which is active on more than 300,000 sites.
“MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites,” WordPress security researcher Calvin Alkan said.
“Requests are authenticated by comparing a shared secret stored as plaintext in the WordPress database to the one provided by MalCare’s remote application.
“This can allow attackers to completely take over the site because they can impersonate MalCare’s remote application and perform any implemented action.”
These potential malicious actions include creating rogue admin users, uploading random files to the site, and installing and removing plugins.
Exploitation requires a pre-condition to be met, such as a site with a SQL injection vulnerability in a plugin, theme, or WordPress core, or a database compromised at the hosting level, or subject to another vulnerability that allows the attacker to read or update WordPress options.
“MalCare has received the full details of this vulnerability three months before this public release, and despite us offering (free) help, they subtly dismissed it because ‘supposedly’ this is the industry standard for API authentication,” Alkan said.
“Furthermore, concerns were raised, because the vulnerability requires a pre-condition that on its own, would be a vulnerability.”
Two days after Snicco published the security advisory with the proof of concept, MalCare pushed a patch in version 5.16 on July 8, 2023, along with a notice on the plugin’s blog:
In the rare situation, where a site has a pre-existing, high severity SQL injection vulnerability, an attacker might be able to read the MalCare key. To address such issues, we are further strengthening our authentication systems.
Authentication is a critical system and any improvements must be done in a careful manner. We have reviewed various plugins and best practices in our ecosystem to come up with our solution.
In light of the current public discourse, we are expediting the update of our plugin. We will initiate a rollout by EOD.
MalCare reports that its users have seen no evidence of the vulnerability being exploited.
Snicco noted that the same vulnerability also exists in WPRemote (20k installs) and Blogvault (100k installs) plugins, as they share the same code. Users of either of these plugins or the MalCare plugin should update to the latest versions as soon as possible now that the vulnerability advisory and proof of concept have been published.
Working through the complexities of this security issue, WPScan researcher Marc Montpas opened a ticket on WordPress trac, identifying an issue with the meta key field in the usermeta table using accent insensitive collations:
Looking at the latest string of vulnerability issues that came up related to the Ultimate Member plugin I discovered that the usermeta table has an accent insensitive collation for the meta_key field. This results in queries for wp_cãpăbilitiës to return the actual wp_capabilities row! See update_metadata() function in wp-includes/meta.php
Imagine the attack surface this brings. In fact, don’t imagine, just look at the recent attacks in the wild.
This particular issue made it more difficult to fully patch the vulnerability in question. Ultimate Member released version 2.6.7 on July 1, 2023, which whitelists the meta keys the plugin stores when sending forms. The plugin’s security advisory details a few other changes that may affect third-party developers:
2.6.7 also separates form settings data and submitted data and operates them in 2 different variables.
[It] includes some significant changes to how forms submissions are handled. This may cause 3rd-party modifications to stop working. For Third-party developers, please update your customizations to support the new changes in the latest version
Ultimate Member recommends users review and delete any unknown administrator accounts, reset all user passwords including the admin, enable SSL and backups, and send any advisories to site members and/or customers about the incident. The plugin’s developers are working on releasing a feature inside the plugin that will enable the website admin to reset passwords for all users, but it is still being finalized:
“The reason for this is a site using our plugin may have been hacked or injected with malware that sniffs login inputs, because this vulnerability issue is prone to these attacks, we recommend to reset passwords after updating with a security patch. This is to ensure the best protection for your website user’s passwords.”
All Ultimate Member users should update to the latest available version, 2.6.7, which has the patch for the vulnerability. The plugin’s developers are awaiting more feedback from WPScan and are evaluating all their extensions to ensure they are secure.
WPScan is reporting a hacking campaign actively exploiting an unpatched vulnerability in the Ultimate Member plugin, which allows unauthenticated attackers to create new user accounts with administrative privileges and take over the site. The vulnerability has been assigned a CVSSv3.1 (Common Vulnerability Scoring System) score of 9.8 (Critical).
Automattic’s WP.cloud and Pressable.com hosting platforms picked up on a trend in compromised sites where each had rogue new administrators popping up. After further investigation they found a discussion on the WordPress.org support forums about a potential Privilege Escalation vulnerability in the plugin, as well as indications that it was already being actively exploited.
Ultimate Member, which is active on more than 200,000 WordPress sites, patched the plugin, but WPScan reports that it wasn’t sufficient.
“In response to the vulnerability report, the creators of the plugin promptly released a new version, 2.6.4, intending to fix the problem,” WPScan security researcher Marc Montpas said. “However, upon investigating this update, we found numerous methods to circumvent the proposed patch, implying the issue is still fully exploitable.
“Adding to the urgency of the situation, a look at our monitoring systems also confirmed attacks using this vulnerability were indeed happening in the wild.”
WPScan has identified more than a dozen IP addresses from which exploits are originating, common usernames for malicious accounts, and other indicators of compromise, such as malicious plugins, themes, and code. Check the security advisory if you believe you have been compromised.
Version 2.6.6 is the latest release from the Ultimate Member plugin but it is still believed to be vulnerable. WPScan recommends users disable the plugin until it has been adequately patched.
A website is like your physical storefront — it’s your virtual chance to showcase your business, welcome customers, and close deals. But just as the foundation of a building must be strong and secure, the hosting of your WordPress website must be, too.
Whether you’re a one-person business or a rapidly-expanding startup, choosing a hosting solution is a vital decision that can significantly impact your website’s performance, security, and overall success. In this comprehensive guide, we’ll walk you through the essential considerations and factors to help you navigate the maze of options and find the perfect match for your business.
Finding the perfect host for your WordPress website requires an understanding of each type of hosting solution. In this section, we’ll demystify the options, so you can make a solid choice.
Shared hosting
Shared hosting is the equivalent of renting a room in a house full of tenants. You share the server’s resources with other websites. It’s an economical option for startups and small businesses. However, if one website on the server experiences a surge in traffic or a security breach, it could affect the performance and security of your website. You also tend to have fewer resources allocated to your site, since you’re sharing a finite number with everyone else.
Virtual private server (VPS) hosting
VPS hosting is like upgrading to a townhouse from a cramped apartment. You still share the server, but resources are divided into separate virtual environments. This provides better performance and more control over your website. VPS is ideal for businesses that have outgrown shared hosting but aren’t quite ready for dedicated server hosting.
Managed WordPress hosting
Managed WordPress hosting is like having a personal butler for your website. The hosting provider takes care of technical aspects like updates, backups, and security. This allows you to focus on growing your business. Managed hosting is best for those who want a hands-off approach to website maintenance.
Dedicated server hosting
Dedicated server hosting is the equivalent of owning a single-family home. You have an entire server to yourself, with unparalleled control, performance, and security. However, it comes with a hefty price tag and is best suited for large businesses or high-traffic websites. And it typically requires more maintenance, so you’ll either need to have some server management experience or hire someone who does.
Cloud hosting
Cloud hosting is like having an ever-expanding floor plan. Your website is hosted on a network of servers, allowing you to scale resources as needed. This offers flexibility and performance without the need for a dedicated server. Cloud hosting is ideal for businesses with fluctuating traffic or those anticipating rapid growth.
2. Determine your WordPress hosting needs and budget
Before diving into the sea of hosting providers, it’s essential to assess your needs and budget. This will help you narrow down your options and find the best fit for your business.
Traffic and bandwidth requirements
Estimate your website’s traffic to determine the amount of bandwidth needed. High-traffic websites require more resources, so look for hosting plans that offer generous bandwidth allowances or even unmetered bandwidth.
If you’re just starting, it’s unlikely that you’ll need to account for massive amounts of traffic. However, if you have an aggressive marketing plan or expect national exposure, you may want to plan accordingly. It’s somewhat common for unprepared sites to crash when they get sudden, unexpected exposure from major influencers or national press.
If you’re moving your site from another platform or buying an existing property, you can reference Google Analytics or Jetpack Stats data to help you make a more informed decision.
Storage space requirements
Consider the amount of storage needed for your website’s files, databases, and emails. Websites with large media files or extensive databases may require more storage space than others. Ensure the hosting plan you choose offers enough to accommodate your needs, and allows you to easily scale as you grow.
Memory is different from storage in the sense that it’s space used temporarily to process data. Once that’s complete, the data no longer takes up space unless it’s moved to storage.
WooCommerce, for example, recommends a minimum WordPress memory limit of 256MB, though it’s possible to run with less if you’re willing to sacrifice performance (you shouldn’t be).
Popular sites can receive numerous requests simultaneously, and a lack of memory can overwhelm a site’s ability to process data. This can crash the site or, at the very least, make it run very slowly.
Ensuring your host allocates enough memory to process all the plugins and features on your website is just as important as having enough storage.
Website security requirements
Security should be a top priority for every business. Assess the level of security your website needs, including protection against hackers, malware, and DDoS attacks. Some hosting providers offer built-in security plugins such as Jetpack Security, while others may let you figure out security on your own.
Technical expertise and control requirements
Determine how much control you want over your server environment. If you have the technical expertise, you may prefer a hosting solution that allows for more customization. On the other hand, if you prefer a hands-off approach, managed hosting may be a better fit.
Budget constraints
Evaluate your budget to ensure that you choose a hosting plan that offers the features you need at a price you can afford. Keep in mind that some providers offer promotional pricing for the first term, which may increase dramatically upon renewal.
3. Look for reliability and uptime guarantees
A website that’s constantly down is like a store with its doors locked — customers can’t access it, and you lose potential sales. Reliability and uptime are crucial factors when choosing a hosting provider.
Service Level Agreements (SLAs)
Examine the hosting provider’s Service Level Agreement (SLA) to understand their uptime guarantees and the compensation offered for any downtime. A good SLA should guarantee at least 99.9% uptime, ensuring your website is accessible the vast majority of the time.
Historical uptime performance
Review the provider’s historical uptime performance to determine if they consistently meet their SLA guarantees. Look for third-party downtime monitoring services or independent reviews that track uptime data for a less biased view.
Redundancy and backup measures
Inquire about the hosting provider’s redundancy and backup measures to ensure your website’s data is safe and recoverable in the event of a disaster. A robust backup solution should include daily or weekly backups, offsite storage, and easy restoration options.
You’ll also want an independent, real-time WordPress backup solution from a third party. This way, your investment is protected in case your host is compromised.
4. Consider server performance and speed
People won’t stick around for a slow-loading site. In addition to strong WordPress performance optimization for your site, ensuring your hosting provider offers excellent server performance and speed is vital for a positive user experience and improved search engine rankings.
Server hardware and infrastructure
Investigate the hosting provider’s server hardware and infrastructure to ensure that they use up-to-date, high-quality components. Look for providers that use solid-state drives (SSDs), as they offer faster data retrieval compared to traditional hard drives.
Content delivery networks (CDNs)
Instead of serving your website to everyone around the world from a single location, a content delivery network (CDN) stores your website’s content in locations around the world and serves it to visitors from the location nearest to them. CDNs help reduce latency and improve page load times. Check if the hosting provider offers CDN integration or if you can easily set up a free third-party CDN such as Jetpack CDN.
Caching technologies
Caching technologies store and serve frequently-accessed data, reducing server load and improving website performance. Look for hosting providers that offer built-in caching solutions or support popular caching plugins.
Server location and latency
Choose a hosting provider with data centers located near your target audience to reduce latency and improve page load times. If your audience is spread across multiple regions, consider using a CDN to further enhance performance.
5. Check the hosting provider’s security measures
Your site and host should be like a fortress, keeping unwanted visitors out to protect valuable contents inside. Evaluating the hosting provider’s security measures is essential for safeguarding your website and customer data.
Firewalls and intrusion detection systems
Ensure the hosting provider uses firewalls and intrusion detection systems to protect your website from hackers and other security threats. These security measures act as a barrier, preventing unauthorized access to your server environment.
Secure Socket Layer (SSL) certificates
SSL certificates encrypt data exchanged between your site and visitors. They’re essential for protecting sensitive customer data. In fact, they’re so important that Google includes SSL certificates in its ranking factors, and some browsers will display bright red warning labels on sites that don’t have them. Look for hosting providers that offer free SSL certificates or support third-party SSL installation.
Check if the hosting provider performs regular malware and virus scanning to protect your website from threats. Some providers offer built-in scanning tools, while others may require additional plugins or services.
Data encryption and backup
Data encryption and backup are crucial for protecting your website’s data from unauthorized access or loss. Look for hosting providers that offer encryption options and robust backup solutions. Ideally, you’ll also install a WordPress backup plugin that provides more control and keeps your backups safe if your server is compromised.
6. Evaluate technical support and customer service
Choosing a hosting provider with exceptional support and customer service is essential for resolving issues quickly and efficiently.
If you’re not an experienced developer — and aren’t working with someone who is — this becomes even more important. Without good support, your site could go down for long periods of time during an emergency.
Available support channels
Evaluate the hosting provider’s support channels, such as live chat, email, phone, or ticket systems. Multiple support options ensure you can reach out for help in a way that’s convenient for you.
Response times and availability
Inquire about the hosting provider’s response times and availability. Look for providers that offer 24/7 support and quick response times to minimize downtime and frustration.
Technical expertise and knowledge base
Assess the technical expertise of the hosting provider’s support team to ensure they can effectively assist you with any issues. Additionally, a comprehensive knowledge base with tutorials, guides, and FAQs is invaluable for self-help and troubleshooting.
Customer reviews and satisfaction
Read customer reviews and testimonials to gauge overall satisfaction with the hosting provider’s support and customer service. Look for patterns in feedback, such as consistently slow response times or unresolved issues.
7. Review pricing plans and add-ons
Carefully review each hosting provider’s pricing options to ensure you’re getting the best value for your money. Remember to account for introductory offers that may expire after your initial commitment period.
Plan features and limitations
Examine the features and limitations of each hosting plan to ensure it meets your needs. Look for any restrictions on bandwidth, storage, or the number of websites you can host.
Payment terms and renewal rates
Review the hosting provider’s payment terms and renewal rates. Some providers offer discounted pricing for the first term, which may increase significantly upon renewal. Understand these pricing changes to avoid unpleasant surprises.
Additional services and features
Investigate the hosting provider’s additional services and features, such as website migration, domain registration, or email hosting. These extras may be included in your hosting plan or available as paid add-ons.
8. Check for user-friendly interfaces and control panels
Choose a hosting provider that offers an intuitive control panel and website management tools.
Control panel features and customization
Evaluate the hosting provider’s control panel features and customization options. Popular control panels like cPanel or Plesk offer extensive functionality and are widely supported.
Access and permissions management
Examine the hosting provider’s access and permissions management options. This is especially important if you have a team working on your website and need to grant varying levels of access to different users.
Website management tools and applications
Explore the website management tools and applications offered by the hosting provider. Look for an automated installation for WordPress, as well as tools for managing databases, email accounts, and domains.
9. Look for WordPress-specific features and compatibility
Since WordPress powers your website, it’s crucial to choose a hosting provider that offers features and compatibility tailored to the platform.
WordPress installation and configuration
Ensure the hosting provider offers a one-click WordPress installation or streamlined setup process to simplify the installation and configuration of your WordPress site.
WordPress security
Implementing strong security measures is paramount for protecting your website from threats. Consider hosting providers that offer built-in security features or include popular security plugins.
Jetpack, for example, is considered to be the best all-around WordPress security plugin. Jetpack’s Security plan includes a comprehensive array of prevention, detection, and recovery options for a wide variety of threats. From brute force attack prevention and malware scanning with one-click fixes to downtime monitoring and real-time backups with quick restore options, it provides unparalleled peace of mind.
WordPress backups
Regular backups are essential for safeguarding your website’s data and ensuring quick recovery in case of data loss or corruption. Consider hosting providers that offer automatic backups.
However, you shouldn’t solely rely on your host’s backups as an issue that takes down your site may have also compromised your servers, rendering those backups useless.
Jetpack VaultPress Backup is a reliable plugin, providing real-time backup and easy restoration features. It’s also included as part of the comprehensive Security plan for Jetpack.
WordPress performance optimization
Optimizing your WordPress site’s performance can improve user experience and search engine rankings. Look for hosting providers that offer built-in performance optimization features or support plugins that help enhance your site’s speed.
Jetpack Boost is one such solution, offering features such as critical CSS generation, deferring of non-essential JavaScript, and lazy image loading. Discover more about Jetpack Boost here: https://jetpack.com/boost/
10. Read reviews and compare hosting providers
Before making a decision, it’s essential to gather as much information as possible about your top hosting provider candidates. Reading reviews and comparing providers can help you make an informed choice.
Independent reviews and ratings
Examine independent reviews and ratings of the hosting providers you’re considering. Look for unbiased opinions from reputable sources, such as industry experts, bloggers, or publications.
Social media feedback and recommendations
Social media can be a treasure trove of customer feedback and recommendations. Browse the hosting providers’ social media pages and search for mentions of their services to gain insight into customer satisfaction and common issues.
Direct comparison of features and pricing
Create a side-by-side comparison of the features and pricing offered by each hosting provider. This will help you visualize the differences and make a more informed decision based on your needs and budget.
Word-of-mouth recommendations and referrals
Don’t underestimate the power of word-of-mouth recommendations and referrals. Consult your professional network, friends, or online communities to gather personal experiences and opinions about the hosting providers you’re considering.
Make an informed decision
Finding the best hosting for your WordPress website is a critical decision that can impact your business’s online presence and growth. By understanding the different types of hosting, assessing your needs and budget, and carefully researching and comparing hosting providers, you can find a solution that serves your needs and protects your investment for years to come.
Frequently asked questions about WordPress hosting
Where can I find recommended WordPress hosting providers?
There are several sources to find recommended WordPress hosting providers, such as independent reviews, community forums, and industry experts’ opinions.
Additionally, you can explore the hosting providers recommended by trusted WordPress partners, such as Jetpack. Jetpack’s recommended hosting providers have been vetted for their compatibility, performance, and reliability.
To be safe, you should always have an off-site, real-time WordPress backup solution in place. This way, every time you make a change on your site, it will be safely stored, and you’ll never lose your work again.
Should I back up my site with my hosting provider or a third-party service?
For maximum safety, you should have backups from both your hosting provider and a third-party backup plugin. Many hosting providers include automated backups as part of their hosting plans, while others may charge extra for this service. The frequency of backups, how securely they’re stored, and what they include can vary.
Third-party backup services, such as Jetpack VaultPress Backup, provide specialized features and options tailored for WordPress sites. Consider factors such as cost, ease of use, and restoration options when selecting a backup solution.
It’s also important to understand that if your server is compromised in any way, such as an error from your provider or a hack, you may also lose your backups. That’s just one reason that also using a third-party plugin is critical.
How important is website security for a WordPress site?
Website security is crucial for any WordPress site, as it helps protect your site from hackers, malware, and other potential threats. This allows you to safeguard your customers’ data, maintain your online reputation, and prevent downtime or data loss. Learn more about WordPress security.
What security features should I look for in a hosting provider?
When evaluating a hosting provider’s security features, look for the following:
Firewalls and intrusion detection systems to prevent unauthorized access.
Regular malware and virus scanning.
SSL certificate support to encrypt data exchanged between your site and its visitors.
Secure data encryption and backup solutions.
Support for security plugins, such as Jetpack Protect, to enhance your site’s security.
High-quality customer support services.
How can I protect my WordPress site from malware and viruses?
To protect your WordPress site from malware and viruses, follow these best practices:
Keep your WordPress core, themes, and plugins up to date.
Only download plugins and themes from trusted sources.
What are uptime guarantees, and why are they important?
Uptime guarantees refer to the percentage of time a hosting provider promises to keep your website accessible and online. These guarantees are essential, as they indicate the hosting provider’s commitment to maintaining the availability and reliability of your site. A higher uptime guarantee, such as 99.9%, minimizes the chances of your website experiencing downtime, ensuring a positive user experience and protecting your online reputation.
How can I monitor my WordPress site for uptime and performance?
Monitoring your WordPress site for uptime and performance can be done through various methods, including:
Using website monitoring tools and services, such as Jetpack, which check your site at regular intervals and notify you in case of downtime or performance issues.
Installing performance monitoring plugins, like Jetpack Boost, which provide features such as site performance metrics and one-click enhancements.
Regularly monitoring your site’s uptime and performance helps you identify and address issues promptly, ensuring a smooth and satisfying user experience for your visitors.
Jetpack: Enterprise-grade security and backups for all WordPress sites
It’s essential to emphasize the critical role that security and backups play in the success and safety of your website. Jetpack offers powerful, enterprise-grade solutions accessible to all WordPress websites.
Jetpack Protect offers features such as malware scanning with one-click fixes, instant threat notifications, and a robust web application firewall (WAF), ensuring your website remains safe from cyber threats. By choosing Jetpack Protect, you can confidently secure your site without breaking the bank. Learn more about Jetpack Protect here: https://jetpack.com/protect/
Jetpack VaultPress Backup is a robust backup solution that safeguards your site’s data and offers seamless restoration in case of data loss or corruption. With real-time backups and easy-to-use restoration features, VaultPress Backup ensures that your website’s precious data is always protected and recoverable. Discover more about VaultPress Backup here: https://jetpack.com/upgrade/backup/
For those seeking a comprehensive solution that combines the best of both worlds, Jetpack Security is the answer. This all-in-one option bundles Jetpack Protect, VaultPress Backup, and additional features to provide a complete security suite for your WordPress site. By choosing Jetpack Security, you can rest assured that your website is protected by a powerful and reliable solution that offers enterprise-grade security and backups tailored for WordPress. Explore Jetpack Security here: https://jetpack.com/features/security/
Choosing the best WordPress hosting is just the beginning of your journey to building a secure, high-performing, and reliable website. By complementing your hosting solution with Jetpack’s suite of plugins, you can elevate your site’s security and backup capabilities, giving you the peace of mind to focus on what truly matters: growing your business and providing an exceptional online experience for your visitors.
Really Simple SSL, a popular plugin used on more than five million sites for installing SSL certificates, handling website migrations, mixed content, redirects, and security headers, has added a new feature in its most recent major update.
Version 7.0.0 introduces vulnerability detection as part of a partnership with WP Vulnerability, an open source, free API created by Javier Casares with contributions from other open source, freely available databases. Once enabled, it notifies users if a vulnerability is found and suggests actions.
“Really Simple SSL mirrors the free database with its own instance to secure stability and deliverability, but of course provides the origin database with an API to enrich, or improve its current data,” Really Simple Plugins developer Aert Hulsebos said.
The new vulnerability detection feature is not enabled by default, so users will need to enable it in the settings. A modal will pop up where users can configure their notifications and run the first scan.
When emailed about a vulnerability users can manually respond with an action or set the plugin to automatically force an update (when available) after 24 hours of no response. There are other automated actions the plugin can take based on how users configure the Measures section of the settings.
For the past several years Really Simple SSL has been providing SSL certificate configuration and installation via Let’s Encrypt as a first pass at securing WordPress sites. To finance this for the free users, the plugin also has a Pro version that handles Security Headers, such as Content Security Policies, which are highly complex for most and not easily configured.
“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next.
“The nature of our partnership with Javier and WP Vulnerability is sponsoring the efforts of WP Vulnerability and appointing a security consultant ourselves to this open-source effort to improve, and moderate the open-source database daily. WP Vulnerability does not compensate us, nor does it have a stake in Really Simple SSL. Vulnerability detection is available for everyone and always will be.”
Because Really Simple SSL started as a lightweight SSL plugin, Hulsebos said they have taken a modular approach to minimize impact on users who only want or need certain features. Following the launch of the new vulnerability detection feature, the plugin’s authors plan to add login security with 2FA to better secure authentication on WordPress sites.