This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
In this screencast, we're going to restore a WordPress site that, for whatever reason, has crashed and lost a bunch of data. The only solution is performing a full site restoration, which includes both the database and the physical files. The restoration process takes some time, but conceptually is very straightforward. Here are the basic steps. First, obtain the most current version of your backup files. Second, set up a temporary maintenance page telling visitors that you'll be back soon.
Third, upload the new files. Fourth, restore the database. And lastly, remove the temporary maintenance page. To do this, we will need an FTP connection for the file upload and an app to work with the database. A very popular, well-documented, and open-source app is phpMyAdmin. If it's not, ask your host for help finding an alternative. In any case here is what our WordPress database looks like using phpMyAdmin. All of our tables are listed here on the left, and we have options to do just about anything we need to do with the database.
So with this open and ready to go, let's return to our FTP editor and set up the temporary maintenance page. First, grab a copy of the maintenance.html file that's included with the exercise files and upload it to your server. If you don't have the exercise files, copy this code the best you can, and that should work just fine. You want to save the file and upload it to the server, like so. Next, place a copy of the blank htaccess file, also included in the exercise files, in the root directory of your site, open it, and then paste in the htaccess code that's also included with the exercise files.
Save the file and upload it to the server. We do need to make sure that the IP address matches your own. Return to the browser and type in 'what is my IP?' in Google. That will take you to a page such as this where it lists your IP address right upfront. Grab a copy, return to the editor, and replace the IP address with your own, and save the file and upload it to the server.
This will ensure that you have access to your site while everyone else is redirected to the maintenance page. To see this in action, let's go to a proxy server, such as the one at proxy.org, and we'll try visiting our site using a different IP address other than our own. We enter the URL, click on the Go button, and we see our maintenance file in effect. The redirect is working and everyone except for us will see this message. This means that we can work on the server in a relaxed fashion, without worry that visits might be interrupted.
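The exercise file's htaccess code is not reproduced in this transcript. As an added example (not the course's own file), the script below generates rules of the kind described above using standard Apache mod_rewrite directives; the function name `maintenance_rules` and the address 203.0.113.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the course's exercise file). Emits mod_rewrite rules that
# redirect every client except one IPv4 address to /maintenance.html.
# maintenance_rules and 203.0.113.10 (documentation range) are assumptions.

maintenance_rules() {
    ip="$1"
    # Only digits and single dots, with no leading or trailing dot.
    case "$ip" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        # No leading zeros, at most three digits, value 0..255.
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    # Escape the dots so the pattern matches them literally.
    escaped=$(printf '%s' "$ip" | sed 's/\./\\./g')
    cat <<EOF
<IfModule mod_rewrite.c>
RewriteEngine On
# Skip the redirect for the administrator's own address. The ^ and \$ anchors
# matter: an unanchored 203.0.113.1 would also match 203.0.113.10 to .19.
RewriteCond %{REMOTE_ADDR} !^${escaped}\$
# Do not redirect the maintenance page to itself.
RewriteCond %{REQUEST_URI} !^/maintenance\.html\$
# 302 (temporary) so browsers do not keep redirecting after the rules are removed.
RewriteRule ^ /maintenance.html [R=302,L]
</IfModule>
EOF
}

# Print the rules for the address given as \$1 (constructed default shown).
maintenance_rules "${1:-203.0.113.10}"
```

If the site sits behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy's address rather than the visitor's, so the exception has to be checked against what the server actually logs.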
So with the maintenance page in place, we're now ready to begin the site restoration process. Because file uploading takes the most time, we'll get that started first. Return to the FTP file editor and we are connected to the server. As you can see, besides the maintenance.html file and htaccess files, all files have been removed, leaving us a clean slate to work with. Note that if you have large collections of non-WordPress files on the server, such as image files or video uploads, you'll save time by not deleting them; however, part of the restoration process is to start completely fresh and eliminate any hacked files. So it's your call.
If you do decide to leave the files on the server, just make sure to check them thoroughly for anything unexpected or unusual. That said, let's begin the restoration process by uploading our backup files to the server. We select all of our files and click the Upload button to go. It is totally okay to replace the existing htaccess and maintenance.html files. Let's click Replace, and while that's happening, let's go back to phpMyAdmin to restore the database.
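One way to check files that were left on the server, as an added example that is not part of the course: the script compares a retained directory with the same directory in the backup and lists files that are new, changed, or of a script type. The function name `unexpected_files`, the status labels and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the course). Compares a directory that was left on
# the server with the same directory in the backup and reports what to review.
# unexpected_files, the labels and the sample tree are assumptions.

unexpected_files() {
    live="$1"; backup="$2"
    [ -d "$live" ] && [ -d "$backup" ] || return 2
    ( cd "$live" && find . -type f | sort ) | while IFS= read -r rel; do
        rel=${rel#./}
        case "$rel" in
            # Server-side scripts and per-directory config inside a media
            # folder deserve a manual look even if the backup has them too.
            *.[pP][hH][pP]*|*.[pP][hH][tT][mM][lL]|.htaccess|*/.htaccess)
                printf 'SCRIPT   %s\n' "$rel"; continue ;;
        esac
        if [ ! -f "$backup/$rel" ]; then
            printf 'NEW      %s\n' "$rel"    # not present in the backup
        elif ! cmp -s "$live/$rel" "$backup/$rel"; then
            printf 'CHANGED  %s\n' "$rel"    # content differs from the backup
        fi
    done
}

# Constructed sample tree so the example runs offline.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/live/2012/05" "$t/backup/2012/05"
    printf 'jpeg-bytes' > "$t/live/2012/05/photo.jpg"
    cp "$t/live/2012/05/photo.jpg" "$t/backup/2012/05/photo.jpg"
    printf 'edited' > "$t/live/2012/05/logo.png"
    printf 'original' > "$t/backup/2012/05/logo.png"
    printf 'text' > "$t/live/2012/05/readme.txt"
    printf '<?php ?>' > "$t/live/2012/05/thumb.php"
    unexpected_files "$t/live" "$t/backup"
    rm -rf "$t"
}

# With two arguments compare real directories, otherwise run the sample.
if [ "$#" -eq 2 ]; then unexpected_files "$1" "$2"; else demo; fi
```

A file listed as NEW may simply be newer than the backup, so the list is a review queue and not a verdict.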
Here in the phpMyAdmin app, we are looking at the WordPress database, and the first thing we want to do is delete all traces of the previous database by clicking Check All and then selecting Drop from the dropdown menu. It will ask you if you really want to do this. It's a big move, and you do. We have a backup of the database, so we want to delete everything in this database. Here we see that the tables have been dropped. Everything is ready to go for a fresh import of your backup database.
So to do this, click on the Import tab at the top of the page. Then browse to the location of your most current backup and leave everything else set at the default settings. Finally, select Go to upload the database. It can take some time for large files, but a default WordPress database should go pretty quick. And as seen here, our database is now restored to the most recent backup. Let's return to the FTP/file editor and check on those files. And we're all set.
At this point, all files have been uploaded to the server, as you can see here, and the database has been completely restored as well. So let's return now to the site and see if it works. Refreshing the page. Yes, it's working great. From here, it's just a matter of going through and making sure that everything is working. Check as much as you need to be convinced that the site has been fully restored. Maybe you want to log in to the admin area and take a look around, check posts and pages, and so on.
Once everything is running smooth, let's go ahead and delete the maintenance.html file and remove the htaccess code that we added to redirect site visitors. We now want them to enjoy full access to our restored site, so we can just delete this and upload the file, and for the maintenance page we need to go to the server and just delete that from the server like so. And with that, normal traffic should be flowing once again through our site.
We can hit Refresh and then visit the proxy site again one more time to see what happens when someone from a different IP address tries to request the site. There it is, and I have the WordPress directory right here, and it looks like it's just fine. In the screencast, we've completely restored our WordPress site, using our most current set of backup files. We covered an excellent method of keeping good backups in the previous screencast, so be sure to check that out too.
There are currently no FAQs about WordPress 3: Developing Secure Sites.