BitFire Security – All fired up?

BitFire! At the time of writing they are fairly new, but by their own account they have been securing large numbers of websites for 20 years. The number of downloads of the BitFire plugin on WordPress.org is still around 100 at the time of writing.

I am of course very curious what this “new player” in the WordPress world has to offer. What sets them apart from WordFence, SolidWP, or 10 other security plugins?

BitFire on their service/plugin on WordPress.org


BitFire’s statements, translated

  • They claim to be the only one that has protected against every 0-day vulnerability since 2022.
    Explanation of 0-day vulnerabilities: these are vulnerabilities that have been in plugins or themes since they first went live and are hugely popular on the internet, since they could work on virtually every release of a plugin or theme.
  • Bot recognition
    They state that they know the behavior/code of 3000 different bots. This lets them distinguish visitors from hack bots.
  • 0-day exploit protection through the firewall, extensively tested
    The protection against 0-day exploits appears not only to work in theory but also to have proven itself.
  • No unnecessary slowdown of the website
    They claim to be 20x faster than WordFence, and to cause no unnecessary slowdown with the security rules.
  • And more statements..

Okay, fine, so the plugin is great by their own account

I know how it goes: you have to let people know everything your plugin can do. But in this field it is very hard to convince anyone with statements about how good and fast a plugin is.

How will you find out whether a plugin is good?
Time will have to tell.

What we will do now is install the plugin and see what it looks like, what this free version can do, whether there are any freezes or false flags, how the malware scanner performs, and so on.

Installing BitFire on WordPress

We install and activate the BitFire plugin, and what strikes me is that nothing happens (yet). Now I can hear you thinking: that is not needed, because security should not get in the way and should simply work in the background.

But hey! I do want to know that the security is “on”. And a basic configuration, or at least an introduction, is what I am used to from the other big players in WordPress security.

Firewall configuration

Oh, there it is. You see the configuration when you open the settings and other menu items for the first time. It consists of 5 steps with which you set how strict the firewall is.

Nice, a few reasons are given for switching on 5 features. Few people will object to them (if you read them at all).

No overdose of pages and settings

Perhaps it is nice that there is no overdose of pages with options and settings? – Compared with various other security plugins..

The 5 menu items you can open require a course before you can do anything with them.
There is a lot of information, which is definitely intended for the seasoned security professional and not for a beginner or the average WordPress website owner.

Who did they build the plugin for?? That 3% of fanatical security people?

The malware scanner

No idea why.. but the malware scanner always makes me happy.
It gives a familiar feeling, just like all the antivirus scanners in Windows and the like.
You press a button and the plugin searches for malware for you.

Make sure you tick the standard scan, otherwise the malware scanner will not include everything.

The scanner’s result is not very magical: it scans for 5 to 100 seconds, an icon spins, and a bar appears with the message that the integrity of the website files is good.
The result is not entirely unexpected, since this is a test domain with a fresh WordPress installation.

What does stand out is that the message that everything is okay is rather inconspicuous. It turns green, and when you refresh the page it is blue again with different text. As far as I can tell, it does not store the scan results.

Final verdict on the free BitFire plugin

BitFire has clearly been developed by experienced programmers, by a team that knows what it is doing. You can see that in the information, in the specs they state, and in the problems with other security plugins that they say they tackle.

There is a lot behind it, but as far as I am concerned it does not come across yet.
With more introduction and guidance, the plugin might be more convincing.

Would I use BitFire?

No, not at the moment. They still have to prove themselves; at the moment they have 4 reviews on this free plugin with 100 downloads. There are already plenty of other seasoned competitors. Think of SolidWP & WordFence & Sucuri.

WordPress, a feast for owners and hackers alike

It is impressive to hear that you have been involved in developing websites since the early days of WordPress, when it was still just a blogging platform. WordPress has indeed come a long way and has grown into one of the most prominent content management systems (CMS) in the world.

As open-source software with a large community and thousands of free plugins available, WordPress is indeed an attractive proposition for users and developers. However, the success of WordPress has also attracted hackers, and the platform is known as one of the most hacked CMS platforms because of its many possible attack surfaces.

Hacking a website or plugin is not an easy task, but experienced programmers with knowledge of PHP, HTML and MySQL can, after a thorough search, find a vulnerability and discover ways to perform unwanted actions within WordPress. Many clever people worldwide, including unemployed IT professionals, write scripts to make money by spreading spam and other malicious activity.

As an expert in WordPress security, you make sure that potential vulnerabilities in plugins are tracked down and dealt with to safeguard the security of the websites. By taking specific measures, such as preventing injections into the database, protecting against file repetition, checking file access on the server, securing usernames and passwords, implementing backups, and limiting login attempts, you make sure that WordPress websites are well protected against attacks.

With the expertise of WPbeveiligen, website owners can put their minds at rest about their WordPress sites and make sure that their online presence stays safe and protected against malicious attacks. By continuously optimizing security and eliminating vulnerabilities, they can offer their users a reliable and stable website experience.

Is your new WordPress website also protected from hackers?

It can be really frustrating to find out that your newly created WordPress website may not be properly secured, despite having it developed by a professional web agency. However, it’s essential to understand that WordPress websites are one of the most targeted platforms for hacking due to their popularity and the use of third-party plugins with potential vulnerabilities.

The fact is, many programmers and website developers may lack the in-depth knowledge needed to secure WordPress correctly. Even after 10 years of developing WordPress websites, I continue to learn about the various hacking methods and scripts circulating from server to server.

The main reason WordPress is vulnerable is the large number of plugins and themes developed by individuals with less expertise in security. As an open-source platform, WordPress frequently releases security updates, but developers who are solely interested in making money and do not update their plugins after a hack contribute to WordPress’s instability.

To check if your WordPress website is secure, you can follow some basic steps:

  1. Check the link in the navigation bar of your admin panel. If it still shows www.yourwebsite.com/wp-admin, it’s a well-known address for hackers and poses a risk.
  2. Is your login username “admin”? This is another common default username used by hackers for their attempts.
  3. Are you running an outdated version of WordPress?
  4. Does your website have more than 10 plugins? Each additional plugin can potentially introduce a security vulnerability.
  5. Is there no security plugin installed? Lack of security plugins increases your risk.

However, this is just a simple way to assess your website’s security. There are more in-depth methods to ensure proper protection.

If your website gets hacked, even if it’s a simple non-commercial site, it can still be infected with scripts that spread to other websites, causing your hosting provider to take your website offline to prevent further contamination. Restoring your website and removing all the backdoors and hacked files can then be difficult and costly.

To secure your WordPress website effectively, you can read various articles on WordPress security, including those covering plugin vulnerabilities, avoiding illegal plugins and themes, and dealing with spam issues.

At WPbeveiligen, we provide security services for both new and existing websites, and we have extensive experience with themes and plugins. Our security packages offer a range of protections, including preventing injections, securing files, ensuring backups, updating plugins, and safeguarding against brute-force attacks and other malicious activities.

By securing your WordPress website, you can protect it from potential threats and maintain a safe online presence.

What is a backdoor in WordPress!

Backdoors are incredibly irritating!

Now, let’s get straight to the point 😉

But what is a backdoor exactly?

A backdoor is a piece of code that allows a hacker or script to gain access to your WordPress admin or server. This can be a file that sends your wp-config data or FTP credentials via email.

Information found in the wp-config file:

Your database information is stored here. If a hacker or script gains access to your database, it can create pages, posts, and even add a new administrator user!

What a hacker or script can do with FTP credentials on your website:

These credentials allow multiple files to be uploaded. These files can then forward login details via email or send spam.

Is there no Dutch equivalent for “backdoor”?

Yes, the Dutch term for it is “achterdeurtje” (backdoor). However, you can assume from statistics that there are more international programmers who develop backdoors than Dutch programmers.

How do you find a backdoor?

The most effective way to find a backdoor is to compare the WordPress core files and the server files. At a NERD level, I know by heart which files should be in WordPress (they often start with “wp-” in the core), so I can easily spot any new files. This is especially useful since hacks are international and tend to have strange filenames.
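
The comparison described above, as an added example that is not part of the original article: it hashes every file on the site and in a clean WordPress download of the same version, leaves out the site-specific wp-content, wp-config.php and .htaccess, and reports files that are unexpected, modified or missing. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Site-specific paths: a clean download cannot vouch for them, so they are
# left out of the comparison and have to be inspected separately.
SITE_SPECIFIC = {"wp-content", "wp-config.php", ".htaccess"}


def file_hashes(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            # Do not descend into site-specific directories at the top level.
            dirnames[:] = [d for d in dirnames if d not in SITE_SPECIFIC]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in SITE_SPECIFIC:
                continue
            with open(full, "rb") as handle:
                hashes[rel] = hashlib.sha256(handle.read()).hexdigest()
    return hashes


def compare_core(site_root, clean_root):
    """Return (unexpected, modified, missing) relative paths, each sorted."""
    site = file_hashes(site_root)
    clean = file_hashes(clean_root)
    unexpected = sorted(set(site) - set(clean))
    modified = sorted(p for p in set(site) & set(clean) if site[p] != clean[p])
    missing = sorted(set(clean) - set(site))
    return unexpected, modified, missing


def build_sample_trees(base):
    """Write a constructed 'clean' tree and a constructed 'site' tree under base."""
    clean_files = {
        "index.php": b"<?php // core index\n",
        "wp-login.php": b"<?php // core login\n",
        "wp-cron.php": b"<?php // core cron\n",
        "wp-includes/version.php": b"<?php // core version\n",
    }
    site_files = dict(clean_files)
    del site_files["wp-cron.php"]                       # a core file went missing
    site_files["wp-login.php"] += b"// line added after install\n"
    site_files.update({
        "wp-feed-cache.php": b"<?php // constructed placeholder\n",
        "wp-includes/x7f.php": b"<?php // constructed placeholder\n",
        "wp-config.php": b"<?php // site settings\n",     # ignored
        ".htaccess": b"# site rules\n",                   # ignored
        "wp-content/themes/mytheme/functions.php": b"<?php // theme\n",  # ignored
    })
    for tree, files in (("clean", clean_files), ("site", site_files)):
        for rel, data in files.items():
            path = os.path.join(base, tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
    return os.path.join(base, "site"), os.path.join(base, "clean")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        site_root, clean_root = build_sample_trees(base)
        unexpected, modified, missing = compare_core(site_root, clean_root)
        print("Not in a clean WordPress:", unexpected)
        print("Differs from the clean copy:", modified)
        print("Missing from the site:", missing)
```

The clean copy must be the same WordPress version as the site, otherwise legitimate version differences show up as modified files.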

Why do you keep mentioning a hacker OR script?

When you have an important website, a hacker may make the effort to personally hack your WordPress website and insert a backdoor. However, 95% of attacks on websites and the placement of scripts/backdoors are automated by scripts.

If you have invested a lot of effort into developing a website, maybe even had a beautiful design made by a Photoshop designer and implemented it, you may believe that it’s professionally done and your website won’t be easily hacked. Especially not by some silly robot! But unfortunately, reality is different. Even if the developers and programmers understand WordPress well, security is a whole different world! And I can tell you this from experience. I’ve been developing websites for over 10 years, but every year as I delve deeper into the world of hackers and code, I learn more, and most importantly, I’m amazed by their coding creativity.

I’ve removed the backdoor. Problem solved?

No!! (sorry)

A backdoor is placed through a vulnerability in the plugins, server, or WordPress itself, so it will come back just as quickly as you removed it. Long live the automated digital world…

Can’t WordPress be better secured?

Yes, for that, you need to check which plugins you are using and which ones have vulnerabilities. And if your WordPress is significantly outdated, it needs to be updated.

What do you at WPbeveiligen do against backdoors?

  1. Investigate
  2. Inspect file by file
  3. Reinstall WordPress
  4. Remove plugins and upload them again (just updating won’t remove hack files and backdoors)
  5. Install and configure security and monitoring plugins
  6. Correct file permissions
  7. Check usernames and their permissions
  8. And more, but a hacker doesn’t need to know everything!

What is XSS? All about Cross Site Scripting

Cross Site Scripting (XSS) becomes possible when forms are not properly closed or do not filter the information you can enter.

The term “XSS” stands for Cross Site Scripting, and it was adapted because “CSS” (Cascading Style Sheets) already existed.

How does Cross Site Scripting work?

When a form does not use “htmlspecialchars,” and all characters entered in an input field can be fully processed, it gives the opportunity to execute PHP on the website/server.

Through XSS, you can issue commands to the server. Consider what you can do with that capability—modifying, saving, executing files, and other tasks that are typically limited to website administrators.

What are the disadvantages if someone successfully executes Cross Site Scripting on your website?

  1. Your website’s appearance can be modified.
  2. Pages that were meant to be private or for paid users only may become visible.
  3. Information from you and your visitors can be stolen (e.g., information in cookies).
  4. Phishing code can be added to your site, resulting in a quick Google ban.
  5. Trojans can be offered to visitors’ computers without your knowledge.
  6. Keystrokes on the keyboard can be logged (e.g., what you type when logging into your bank’s website).
  7. Your browser can crash due to a forced error overload.
  8. And more…

Beyond website modifications, XSS also impacts your browser/computer

– Through the browser, the webcam can be activated, and a recording started.
– Listening through the microphone is possible.
– Files can be saved.
And so on…

I’ve never encountered XSS as a visitor to websites… have I?

Have you seen the popup: “Do you want to leave this page?” In many cases, you can click [x] to close it. However, if you cannot close it and you find yourself on a website that isn’t very trustworthy, assume that there are pieces of code under the “leave page” and “go back” buttons that you’d rather not execute on your PC.

In such cases, it’s best to close the browser completely! (Use Task Manager in Windows to end the browser process)

How do I prevent XSS issues on my WordPress website?

You can check the WPscan database to see if any of your plugins have vulnerabilities.
Keeping WordPress up-to-date is essential, especially if it’s not properly secured. WordPress sometimes updates twice a month when Cross Site Scripting vulnerabilities are found!

The best practice is to ensure that your WordPress website is secured. When your website is secure and a hacker or script cannot easily place or modify files, you prevent a significant portion of potential issues.

Improve your admin and site management with this plugin

Do you already know the Admin and Site Enhancements plugin?!
The plugin is full of improvements for your WordPress admin panel, but not only that: security and optimization are also addressed by this plugin. This is one of the most extensive plugins, with which you can replace so many other plugins. In one go!

Admin and Site Enhancements (ASE)

You can find the plugin in the WordPress Plugins database.
And of course via your admin > Plugins > New plugin > Admin and Site Enhancements

What can you do with this plugin?

A huge amount, but let’s name 5.

  1. Re-order your pages in the admin
    Know the feeling? You want to edit your homepage, but it sits somewhere among 40 other pages. With this feature you can arrange the page order in your admin and, for example, put the homepage you edit most often at the top.
  2. Clean up your admin bar
    There is so much in your admin bar that the items sometimes do not even fit; you can now remove some of them. Think of the WordPress logo, the New+ link, the updates bubble, the comments bubble. Away with them!
    (Tab: Admin Interface)
  3. Want to quickly replace an image on your website?
    Then you have to upload a new one in the media tab and place it in your post, page or header.
    This plugin now has a feature that lets you simply replace the image via the media tab!
    (Tab: Content Management)
  4. Want to protect the admin against bots?
    You can stop brute-force attacks on an IP basis.
    (Tab: Security)
  5. Turn off comments? Turn off the REST API?
    There are many features that are not used but do pose security risks or simply get in the way. You can now turn them off!
    (Tab: Disable Components)
  6. There really is a great deal in it, discover it yourself!

Ferdy Korpershoek has made a good video showing that the plugin tackles many frustrating points of WordPress that would otherwise require dozens of plugins.

There are another 25+ improvements in the plugin!!

There are so many improvements in this plugin, all neatly grouped by type of improvement.
You can choose for yourself which ones you want to use!

What does the plugin cost?

The plugin is free at the time of writing!

But there is also a PRO version for sale with EVEN MORE features!
You can find it at WPASE.com

Removing a WordPress virus yourself in 5 steps

Every day, hundreds of WordPress websites get infected with viruses. These viruses can include files or pieces of code that send SPAM or display unwanted ads to your visitors.

For a business website, I recommend having your WordPress restored and secured so that you can be sure your WordPress is virus-free and have the assurance of a guarantee to fall back on if the infection turns out to be more complicated and persistent than expected (which is often the case!).

However, for a hacked WordPress blog or hobby website, you may not want to spend too much money, and you can attempt to remove the virus yourself and revisit it later if you’ve missed anything.

We will guide you through the process of making your WordPress virus-free as effectively as possible!

There will be many links behind terms you might not be familiar with; visit those pages and educate yourself to ensure you remove the virus correctly.

First, make a backup of all files and the database!!

Step 1 – Removing the WordPress Virus

The virus may consist of just a few files or as many as 100 to 5000 files! For example, a virus may create pages on your server. To avoid having to check each WordPress file one by one, you can start by removing the standard WordPress files in the “root” of your website.

Keep the wp-content folder, the .htaccess file, and the wp-config.php file. These contain unique files you don’t want to overwrite with a new WordPress installation.

Download the latest version of WordPress.

Step 2 – Checking Files for Backdoors

A WordPress virus doesn’t just consist of files; there are often pieces of code (syntax) added to your theme or plugins, known as backdoors.

To find them, check the file modification dates. If all the files in your theme or plugin were placed on 3-05-2015, but one file has been edited or added on a different date, there’s a good chance it contains code that shouldn’t be there.
Inspect this file; you’ll likely find Base64 or eval code that is unreadable and differs from regular PHP formatting. Carefully remove these lines of code.

Some tricks to watch out for:

  1. Virus code is often written in Base64, but it can also be a single line of PHP that passes data or gives a write command.
  2. Virus code is often placed at the beginning or end of a file; automation takes care of this logic.
  3. Sometimes they leave a lot of white space at first, making the file appear empty, but the code is located to the right, requiring you to scroll to see it.
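
A small scanner for the signs listed in this step, added here as an example and not part of the original article: a modification date that differs from the rest of the theme or plugin, eval/Base64 code, and code pushed out of view behind whitespace. The thresholds, function names and sample theme are assumptions; a match is a reason to open the file, not proof of infection, since legitimate plugins also use these functions.

```python
import os
import re
import tempfile
from collections import Counter
from datetime import date, datetime

SCRIPT_EXT = (".php", ".phtml", ".inc", ".js")
# Calls the step points at; (?:...) keeps the match to whole function names.
SUSPICIOUS_CALL = re.compile(rb"\b(?:eval|base64_decode)\s*\(", re.IGNORECASE)
# 200+ unbroken Base64 characters (assumed threshold) look like an encoded blob.
LONG_BASE64 = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# 200+ spaces or tabs followed by more text: code pushed off-screen to the right.
PADDED_CODE = re.compile(rb"[ \t]{200,}\S")


def content_flags(data):
    """Return the list of content-based warning labels for one file's bytes."""
    checks = (
        (SUSPICIOUS_CALL, "eval/base64_decode call"),
        (LONG_BASE64, "long Base64-like string"),
        (PADDED_CODE, "code hidden behind whitespace"),
    )
    return [label for pattern, label in checks if pattern.search(data)]


def scan_component(root):
    """Scan one theme or plugin directory; return {relative path: [flags]}."""
    paths = [
        os.path.join(dirpath, name)
        for dirpath, _dirnames, filenames in os.walk(root)
        for name in filenames
    ]
    if not paths:
        return {}
    # The day most files share is taken as the install/update date.
    days = {p: date.fromtimestamp(os.path.getmtime(p)) for p in paths}
    usual_day = Counter(days.values()).most_common(1)[0][0]
    findings = {}
    for path in sorted(paths):
        flags = []
        if days[path] != usual_day:
            flags.append(f"modified {days[path]} (most files: {usual_day})")
        if path.lower().endswith(SCRIPT_EXT):
            with open(path, "rb") as handle:
                flags.extend(content_flags(handle.read()))
        if flags:
            findings[os.path.relpath(path, root).replace(os.sep, "/")] = flags
    return findings


def build_sample_theme(base):
    """Write a constructed theme directory (sample data, not real malware)."""
    installed = datetime(2015, 5, 3, 12, 0).timestamp()
    later = datetime(2016, 1, 10, 12, 0).timestamp()
    files = {
        "functions.php": (b"<?php add_theme_support('menus');\n", installed),
        "header.php": (b"<?php wp_head(); ?>\n", installed),
        "footer.php": (b"<?php wp_footer(); ?>" + b" " * 300
                       + b"<?php /* constructed */ ?>\n", installed),
        "inc/cache.php": (b'<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>\n',
                          later),
    }
    theme = os.path.join(base, "mytheme")
    for rel, (data, mtime) in files.items():
        path = os.path.join(theme, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)
        os.utime(path, (mtime, mtime))  # set access and modification time
    return theme


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for rel, flags in scan_component(build_sample_theme(base)).items():
            print(rel, "->", "; ".join(flags))
```

Modification dates can be reset by whoever wrote the file, so a file with a normal date is not cleared by this check alone.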

Step 3 – Adjust File Permissions

You don’t want files to be modified again within a day if a virus file is still present. You can set many directories so that they cannot be edited by WordPress, or by a virus that doesn’t have the username and password used for FTP access. (The downside is that updates will need to be done manually.)

For example, you can set theme files to 644 and directories to 555 (the crucial thing is to avoid setting them to 777!).
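
An added example (not from the original article) that lists world-writable entries in a theme directory and shows which modes would change to reach the 644/555 layout mentioned above, before anything is applied. The function names and the sample directory are constructed for illustration.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644  # owner may write, everyone else read-only
DIR_MODE = 0o555   # read and traverse only, no write bit for anyone


def iter_entries(root):
    """Yield (relative path, absolute path, is_dir) for root and all below it."""
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        yield rel_dir, dirpath, True
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # chmod would act on the link target, so skip links
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            yield rel, full, False


def current_mode(path):
    """Permission bits of path as an integer, e.g. 0o644."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def world_writable(root):
    """Relative paths that any account on the server can write to (777, 666...)."""
    return sorted(rel for rel, full, _is_dir in iter_entries(root)
                  if current_mode(full) & stat.S_IWOTH)


def plan_hardening(root):
    """Dry run: (relative path, current mode, target mode) for every mismatch."""
    plan = []
    for rel, full, is_dir in iter_entries(root):
        target = DIR_MODE if is_dir else FILE_MODE
        mode = current_mode(full)
        if mode != target:
            plan.append((rel, f"{mode:o}", f"{target:o}"))
    return sorted(plan)


def apply_plan(root, plan):
    """Apply a plan produced by plan_hardening()."""
    for rel, _old, new in plan:
        os.chmod(os.path.join(root, *rel.split("/")), int(new, 8))


def build_sample_permissions(base):
    """Create a constructed theme directory with deliberately loose modes."""
    theme = os.path.join(base, "mytheme")
    os.makedirs(os.path.join(theme, "inc"))
    modes = {"functions.php": 0o666, "style.css": 0o644, "inc/helper.php": 0o644}
    for rel, mode in modes.items():
        path = os.path.join(theme, *rel.split("/"))
        with open(path, "wb") as handle:
            handle.write(b"/* constructed sample */\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(theme, "inc"), 0o755)
    os.chmod(theme, 0o777)
    return theme


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        theme = build_sample_permissions(base)
        print("World-writable:", world_writable(theme))
        for rel, old, new in plan_hardening(theme):
            print(f"{rel}: {old} -> {new}")  # dry run only, nothing is changed
```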

Step 4 – Install a Security Plugin

Preventing a WordPress virus depends on many factors, but one important aspect is preventive security.

Install and configure a security plugin to prevent a virus file from easily returning through a vulnerability and to immediately detect file changes.

For choosing a security plugin, you can read this article.

Step 5 – Create a Backup

Make another backup? But I’m done now, right? I’ve removed the virus from the website.

Well, if you’ve overlooked a file, the virus may reinstall itself on the server and in the files. This could happen through an automated file that writes files to your server daily or weekly.

In case this happens, you can restore the backup from the time when your website was seemingly 97% clean, and you can fix the last few percent.

Securing WordPress from hackers

WordPress has become popular among entrepreneurs, design agencies, and even companies making millions.

Companies get a design created, set up a marketing team to fill the website, and then use WordPress to put everything online.

Due to its widespread use by large companies, WordPress has become an attractive target for hackers.

Hackers can download WordPress for free and test it for vulnerabilities, exploiting WordPress functions and using upload capabilities and posts to display their own information.

For this reason, it’s crucial to secure your WordPress website!

What can happen if a hacker hacks your website?

80% of hacks involve a spam script that causes your website to send emails using your domain name.

The script attempts to send as many emails as possible to offer their products to large groups of people.

10% of hackers aim to become known or just play a “cool” trick, and your website will display their logo and text.

The remaining 10% destroys your website and simply makes it non-functional.

Once your website is hacked..

Once your WordPress website is hacked, it’s unfortunately not so easy to get rid of it.

If a plugin, theme, or your WordPress is vulnerable, the hacker or a script often places a “backdoor” in one of the hundreds of files.

(A backdoor is essentially a loophole that opens WordPress through an admin user, by sending FTP credentials, or through a certain link that provides access to the database.)

What can I do to protect my WordPress website?

I have a few simple steps for you to take that can make your WordPress website safer. Keep in mind that there are many more vulnerabilities that need to be addressed, but these steps will put you on the right track.

  1. Change your admin username. “Admin” is very standard and known to every hacker and script.
  2. Update your WordPress, themes, and plugins.
  3. Do not download illegal premium plugins.
  4. Remove plugins that you don’t use.
  5. Use a security plugin like WordFence or iThemes Security.

I want a professional to secure my WordPress website!

I’m Mathieu from WPbeveiligen.nl.

I’ve been working with WordPress since 2007 and have been active as a programmer-designer for years.

Since 2010, I have been putting the experience I’ve gained over the years to use as a full-time WordPress security expert.

Do you want to secure your WordPress website?

Contact me directly! Even if your website is already hacked, I’ll make sure your website is restored to almost new and properly secured.

I also offer a guarantee for this!

My WordPress website has been hacked again! How can that be?

It happens a lot: you’ve just checked WordPress and removed the hacked files, yet after a few days, the website is back to sending spam.

As a WordPress website security expert, I know all the tricks that hackers use to deceive you.

When you hire me, I take the website cleanup and security to a higher level by addressing both the backdoors and the exploits.

You can’t expect this level of expertise from your current WordPress developer who designed or programmed your website.

Securing a website is a specialty that requires attention 7 days a week to stay updated with the latest tricks hackers use.

That being said, it’s interesting to look at the tricks hackers apply to hack your WordPress site repeatedly.

First basic fact: A hacker writes a script once and spends weeks coding it. A script that exploits a new vulnerability or a known WordPress function.

The script will copy itself to multiple files and leave the website open for reinfection after you’ve removed it.

Furthermore, the script will use the server it’s on to find other websites to repeat the same trick.

Ways a hack can keep coming back

  1. The file that sends spam is relatively easy to find, so the hacker writes a function to recreate the spam file periodically. For example, once every 7 days or sometimes every 24 hours. When you think you’ve solved this issue, you’ve only addressed the symptom but not the cause.
  2. The hacker has written a function that creates a new user with administrator rights. When you think you’ve solved the problem but have no idea that this user has been created in the database, an automated script from your server or another server uses the user’s login to place information on the server again.
  3. Every post and page is injected with a piece of code (inn-content) that you only see when you switch from the WYSIWYG editor to the text version. In other words, if you have 100-200 news articles and each contains a piece of code… even if you clean the file on the server, it’s still present on every page.
  4. The hack only appears once per browser session. Peekaboo! When you think you’ve solved the problem, it’s just that the effects of the hack file are no longer visible in your browser. But every new visitor will see it. This can be in the form of a link, a frame overlaying your current page, or an attempt to place a virus file on the visitor’s computer.

These are some reasons why your hack keeps coming back even after you (thought you) removed it.

These are just 4 ways, but hackers know many more tricks that I won’t explain here. However, now you understand why it’s best to have a specialist work on your website if you REALLY want a fully functional and clean website.

 

Making a backup of your WordPress website

This is the last thing you want to see when you open the website!

How can the website contain malware?

If your WordPress website has outdated plugins or themes, or if WordPress itself is not up-to-date, you run the risk of bots infecting your website. Even with new plugins, it can happen.

How do I get rid of this message?

Your website needs to be completely cleaned. This means removing all malware (hacker’s code) from your website.

Once you are 100% sure that the website is clean, you can request a reevaluation from Google.

How do I prevent it from happening again?

It is essential to not only clean your website but also secure it. There are several ways bots can gain access to your site, and those vulnerabilities need to be closed.

Let WPbeveiligen secure your website!

 

 

3 Ways: How to make a backup of your WordPress website

  1. The easiest method: via DirectAdmin
  2. Manually, via phpMyAdmin and FTP
  3. Via a WordPress plugin

Making a backup via DirectAdmin

DirectAdmin is one of the easiest ways to make a backup within 3 steps, but not every hosting provider offers DirectAdmin with your hosting package.
To check if you have DirectAdmin, add :2222 to your web address. If you have DirectAdmin, a login field will appear. You should have received the login credentials from your hosting provider when you purchased the package.

Step 1 – Login
Log in via yourwebaddress.nl:2222

Step 2 – Create
Click on create/restore backups

Step 3 – Options
Leave all options checked; it’s always good to save all data. But if you really only want to save the data and the MySQL database, check only those options.

Important: Click on Create backup. Don’t just click on any button! DO NOT click on restore, as it will overwrite the previous backup.

First, make sure you have enough space to make a backup; otherwise, your data space will fill up, and the website may not function properly.

Manually making a backup

If you don’t have enough space on the server for a full backup, you can use the previous method to back up only the database and manually back up the rest using an FTP program.

With a good FTP program like FileZilla, you can connect to the server and save all files to your computer.

Step 1 – Download an FTP program
Download FileZilla and start the software.

Step 2 – Connect to the server
First, you need to establish a connection to your server, where your website is hosted.

Fill in the Host, usually ftp.YOURDOMAIN.nl, then the username and password.

You received these details by email from your hosting provider when you purchased a hosting package.

Step 3 – Open the correct folder
After you’ve made the connection, you’ll see a standard set of folders, including www, httpdocs, or public_html. These contain the files that are live on your domain name.

Step 4 – Copy files to the computer
Copy the files to a folder on your computer. Give that folder a clear name, like your domain name with a date.

Note: This method does not back up the database. You can use the first method for that.

Using a WordPress plugin

We’ve tested several free plugins, and one of the best ones we found is UpdraftPlus (download the free version or the premium).

This plugin allows you to make a backup of all data, including the database.

Make a complete backup with just one click

The plugin is straightforward to use. After installing it, go to the UpdraftPlus page and click on “backup now.” You’ll see the progress of the backup. And you’re done!

Restoring a backup

Having a backup is important, but it gets better: UpdraftPlus also allows you to restore your website from the backup! You can restore your plugins, themes, and more using the plugin.

This is useful when your WordPress site gets hacked, or you accidentally delete a plugin, or when a plugin update causes your website to malfunction. It happens quite often!

More advantages of UpdraftPlus

UpdraftPlus has many features available in the free version:

  • Restoring only plugins, themes
  • Writing the backup to another server
  • Automating backups based on hours, days, or weeks
  • Translated into Dutch
  • Counting the size of plugins, themes, etc.

Cloud services

If you want to use Dropbox or another cloud service, they even offer premium add-ons to further extend the plugin.