Website Security: Disaster Preparation Checklist [PDF]

Here's hoping you will never need this checklist. But the truth is, sites get hacked, hardware fails, and disgruntled employees can be nasty. I've been called in to help with dozens of disasters, and every time the availability of this info is what determined how successful we could be. Don't wait on this.
Jessica Hartman
SEO Analyst
Jessie has been serving the online marketing industry since 1998. Her passion for data, metrics, and creating actionable reports is a little weird to the rest of the team, but also provides the insights we need to drive meaningful SEO results for our clients. She and her family live in Madison, Wisconsin.
June 20, 2017

In 1996, Tim Lloyd—a disgruntled network administrator for Omega Engineering—deployed six lines of software that erased all of the company’s manufacturing plans. The result: Omega lost more than $10 million in revenue, was forced to lay off 80 workers, and nearly went out of business altogether.

It may be an extreme example, but Omega’s story highlights the problem of having a single individual in charge of company technology.

While your network administrator or webmaster may not have plans to destroy your company, there’s no guarantee he/she will always be available for emergencies—or will know how to fix the problem when something goes wrong. People take vacations, fall ill, and move on to new positions. If your website goes down and the single source of knowledge for site information is either unreachable or unable to help, outside help may not be able to bring it back online.

For this reason, it’s crucial to have a website disaster preparation plan in place. Document some basic information and establish backup processes. This allows you to save the day when disaster strikes, bringing your site back online with minimal downtime, and preventing significant revenue loss.

Don’t wait until it’s too late. Scroll to the bottom of this post to download our exclusive Website Disaster Preparation Checklist. It will help you record all the details you need to get your site back up and running as fast as possible in case of an emergency.

Start by Documenting Basic Website Information

If you only do one thing to protect your website, it should be documenting the basic information an outside support tech will need to troubleshoot problems. Ask your webmaster to document the following information, and save it to a shared location:

  • Website Host Details – Every website has a hosting company, and the hosting company is the starting point for troubleshooting issues. Document the name of the hosting company, the name of your company’s personal representative (if applicable), a phone number either for that representative or general customer service, and any secret code needed to validate identity.
  • Hosting Panel Login Credentials – Outside support may be able to restore the site by accessing files and backups in your hosting panel. Document the login URL for the hosting panel, an admin username and password, and the answers to any possible secret questions.
  • Instructions for Reverting Site to a Backup – Document the specific steps that should be taken to restore a website to a previous version, along with any URLs or credentials needed to perform each step.
  • Domain Registrar Contact Information – If your domain name is registered with a different company than the hosting provider, document the name, contact information, login URL, admin username and password, and any secret code or secret question answers for the domain registrar.
  • Domain Renewal Instructions – Document the steps required to renew an expired domain name. You may also need your tech to provide written permission for you to renew an expired domain. Have him/her submit the permission letter to the registrar, and keep a backup copy with your website emergency documentation.
  • FTP Information – Document details related to accessing your site via FTP: server address, username, password, and port numbers.
  • Password Reset Email Access – While documenting FTP login credentials is a good starting point, it doesn’t guarantee the password won’t be changed before issues arise. Have your webmaster create an email distribution list that allows for passwords to be reset by designated individuals via email.

Keep in mind that this information is highly sensitive and contains all of the details needed to hack, change, or delete your entire website. Save the information to a place where it can be accessed during emergencies, but take steps to ensure it’s very secure. Save it to a folder or drive that requires permission to view, and consider adding password protection.

My Website Is Down: Now What?

With website information documented, you can effectively lead the troubleshooting conversation to expedite resolution.

Before calling for help, validate that the problem is truly with the website and not just your individual network. Enter the website address on DownForEveryoneOrJustMe.com to find out.

It’s also good to determine if company email is working properly by sending two test emails. Send one email from a work email account to a third-party (e.g., Gmail) account, and one email from the third-party account to a work email address. If delivery fails to or from a work account, there’s a problem. (Note that this only really works if your email system is on the same server. It usually is, but some larger companies have separate email servers, which makes this little trick obsolete.)

Next, take note of the error the site is throwing. Some common errors include:

  • 404: Not Found – A 404 error means that the page you’re trying to visit doesn’t exist. It may have been deleted, or a preexisting redirect may have been removed. Test the problem by typing in URLs for other pages on the site to see if the 404 applies to the entire site or just a single page.
  • 500: Internal Server Error – A 500 code represents a generic error that’s thrown when the specific problem cannot be identified. It can be caused by a corrupt file, a plugin conflict, or a permission error. Before calling for help, try clearing your cache and closing the browser. Then, revisit the page and see if the error persists.
  • 503: Service Unavailable – A 503 code means a server is unavailable. This could be caused by scheduled maintenance, but it may be the result of a more serious issue like a DDoS attack or server overload. If site maintenance wasn’t scheduled, there may be a significant problem that needs to be investigated.
  • 509: Bandwidth Exceeded – A 509 error is usually the result of exceeding the amount of traffic allowed in a limited hosting plan. Resolution consists of contacting the site hosting provider and upgrading to a plan with more—or unlimited—bandwidth.
  • 504: Gateway Timeout – A 504 error signifies that two backend servers are unable to communicate. Contact your hosting provider to find out if the problem is on their end. If not, get a network or systems admin to troubleshoot data center server problems.
  • Redirect to Domain Registrar – If the site URL redirects to a domain seller’s landing page or throws an error stating that the server DNS address couldn’t be found, it’s likely that the domain name expired. Contact your domain registrar to renew the domain name.

Use this information to validate that there’s an issue, and then contact a backup webmaster or outside support provider. Provide information on the error being thrown, and use emergency plan documentation to expedite the resolution and get the site back online quickly.

Preventing Site Emergencies

While it’s good to have a website emergency plan, it’s better if you never have to use it. Take a few measures to protect your website and keep it up to date to significantly reduce the likelihood of encountering issues.

  • Create daily backups. All website files should be backed up every day. This ensures that if your site goes down, there’s always a full backup that’s less than 24 hours old to revert to. Check with your hosting provider to find out if automatic daily backups are available and turned on, or purchase a third-party product—UpdraftPlus is a personal favorite—that conducts automated daily backups.
  • Install system and plugin updates regularly. Hackers often use vulnerabilities in outdated versions of WordPress systems, themes, and plugins to access websites. When using the WordPress CMS, log in once per week and install any recommended updates.
  • Remove and avoid vulnerable/targeted plugins. WordPress users need to keep an ear to the ground regarding plugins that are more susceptible to attack. This requires some regular, active maintenance. The alternative is to migrate the site to WP Engine. WP Engine bans questionable or conflicting plugins, and will automatically warn you and disable/delete one that is on their blacklist if you happen to install it by mistake.
  • Add firewall protection. Security monitoring with a firewall is the best way to protect a site against threats and hackers. If using WordPress, two of the best solutions are WP Engine or Sucuri. (I checked with Josh, our lead Development Manager, and those are his favorite options!) If both website and network protection are needed, there are dozens of providers to consider.

If you only do one thing to protect your site, it should be daily backups. Backups ensure that there’s always a recent version to revert to, protecting against data loss caused by corrupted files, coding mistakes, and compromised site security.
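One way to confirm that the "less than 24 hours old" guarantee actually holds, as an added example that is not from the original post or from any backup product. It assumes backups land as `.zip` files in a single directory; the function names and file names are hypothetical, and the sample archives are constructed.

```python
import os
import tempfile
import time
import zipfile
from pathlib import Path


def check_backups(backup_dir, max_age_hours=24):
    """Return (ok, reason) for the newest *.zip archive in backup_dir."""
    archives = sorted(Path(backup_dir).glob("*.zip"), key=lambda p: p.stat().st_mtime)
    if not archives:
        return False, "no backup archives found"
    newest = archives[-1]
    age_hours = (time.time() - newest.stat().st_mtime) / 3600
    if age_hours > max_age_hours:
        return False, f"{newest.name} is {age_hours:.1f} hours old"
    # A recent timestamp is not enough: a truncated or corrupt archive
    # cannot be restored, so open it and CRC-check every member.
    try:
        with zipfile.ZipFile(newest) as zf:
            bad = zf.testzip()  # name of the first corrupt member, or None
            if bad is not None:
                return False, f"{newest.name} has a corrupt member: {bad}"
    except zipfile.BadZipFile:
        return False, f"{newest.name} is not a readable zip file"
    return True, f"{newest.name} is {age_hours:.1f} hours old and intact"


def demo():
    """Run the check against constructed sample archives in a temp directory."""
    outcomes = []
    with tempfile.TemporaryDirectory() as d:
        stale = Path(d, "site-old.zip")
        with zipfile.ZipFile(stale, "w") as zf:
            zf.writestr("index.php", "<?php // constructed sample file")
        two_days_ago = time.time() - 48 * 3600
        os.utime(stale, (two_days_ago, two_days_ago))
        outcomes.append(check_backups(d)[0])        # only a 48-hour-old backup
        fresh = Path(d, "site-new.zip")
        with zipfile.ZipFile(fresh, "w") as zf:
            zf.writestr("index.php", "<?php // constructed sample file")
        outcomes.append(check_backups(d)[0])        # fresh, valid backup
        fresh.write_bytes(fresh.read_bytes()[:20])  # simulate a cut-off upload
        outcomes.append(check_backups(d)[0])        # fresh but unreadable
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Run on a schedule against the real backup directory, a `False` result is the signal to alert someone before the backup is needed rather than after.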

And Josh wants you to know that when you’re ready for a full security package, our preferred solution is to host the site on WP Engine. Firewall protection, daily backups, 24/7 plugin monitoring, and more, is all rolled into WP Engine.

Transforming Website Disasters into Minor Inconveniences

Website disasters can have a variety of causes. It could be the result of an internal threat—as was the case with Omega Manufacturing—or an external threat. From 2015 to 2016, the number of hacked sites increased by 32%. Then there’s oversight in terms of renewing domain names, server issues or limitations, and simple coding or file upload mistakes.

A website disaster recovery plan is akin to keeping personal valuables in a safe and locking important documents in a fireproof box. It’s the responsible thing to do, and it will make life much easier if disaster strikes.

Start by working with your network administrator and/or webmaster to document basic troubleshooting information, and make sure to establish a system of conducting daily site backups. With a plan to prevent and recover from website disasters, you can preserve web-driven revenue and expedite service restoration.
