Category: Security

Security is infrastructure, not plugins. We reject heavy bloatware and rely on server-level WAFs and the 3-2-1 Backup Protocol. Protect your business assets without killing performance.

  • The Parachute Protocol: Why Your Hosting Backup Is Not Enough

    In March 2021, the OVH datacenter in Strasbourg caught fire. In a matter of hours, thousands of websites were physically destroyed. When panic-stricken clients contacted support asking for their backups, many received a chilling response: “Your website was on Server 1. Your backup was on Server 2. Both servers were in the same room. They are both ash.”

    This tragedy taught us a brutal lesson: If your backup lives in the same building as your website, you do not have a backup.

    At AgilePress, we follow a strict protocol to ensure that if the entire internet breaks, our clients’ businesses survive.

    The Golden Rule: 3-2-1

    In cybersecurity, there is a universal standard. We apply it to every WordPress site we manage:

    • 3 copies of your data (Production, Backup A, Backup B).
    • Stored on 2 different types of media (Server disk and Cloud storage).
    • 1 copy must be Off-Site (physically in a different location).

    Most website owners fail at the “Off-Site” part.

    Level 1: Hosting Backups (Convenience, Not Safety)

    SiteGround, Cloudways, Kinsta, and most premium hosts offer “Daily Backups.”

    • The Good: They are incredibly fast to restore. If you accidentally delete a page, you can bring it back in 1 click.
    • The Bad: They violate the 3-2-1 rule. If your hosting account is suspended (billing error), hacked, or the datacenter burns down, you lose the website and the backups simultaneously.
    • Verdict: Essential for daily mistakes, but insufficient for disaster recovery.

    The Tool Selection: UpdraftPlus vs. Duplicator

    This is a common debate. Both are giants in the WordPress ecosystem. Duplicator is arguably the most powerful migration tool on the market, and its Pro version offers excellent encrypted backups. However, for the AgilePress Standard Stack (where we seek maximum efficiency with zero recurring costs), we choose UpdraftPlus.

    Here is why:

    The “Free Tier” Difference

    • Duplicator (Lite): Fantastic for manually cloning a site or moving it to a new domain. However, features like Automated Schedules and direct Cloud Storage (Google Drive/Dropbox) are typically locked behind the Pro paywall.
    • UpdraftPlus (Free): It allows us to schedule automatic backups AND send them to remote cloud storage (Google Drive, S3, Dropbox) for free.

    The “Atomic” Restore

    • Duplicator typically restores the “Whole Package” (Site + DB). It’s a “Nuke and Pave” approach, great for total disaster recovery.
    • UpdraftPlus splits the backup into separate entities: Database, Plugins, Themes, and Uploads. If a plugin update breaks your site, you can restore just the plugins in 2 minutes without rolling back the database (and losing orders/comments).

    Verdict: If you already pay for Duplicator Pro, keep it; it’s excellent. But for a universal, cost-effective safety net, UpdraftPlus Free is the winner.

    Level 2: The “Local Storage” Bloat

    Some users install a backup plugin and leave the default settings. The plugin creates a .zip file every day and saves it inside your /wp-content/uploads folder.

    This is a critical error.

    1. Bloat: If your site is 1GB, after 10 days of backups, your server usage is 11GB. You will run out of disk space and crash the server.
    2. Security: Hackers scan specifically for these zip files. If they find them, they can download your entire customer database without logging in.
    3. Redundancy: If the server crashes, you cannot access the WordPress dashboard to download the backup file. It is locked inside the burning house.

    Level 3: The AgilePress Solution (Automated Off-Site)

    We need a tool that:

    1. Runs automatically.
    2. Sends the file to a remote cloud.
    3. Deletes the local file from the server after sending it (to save space).

    The Setup (UpdraftPlus Free):

    • Service: Connect it to a generic Google Drive account (or Amazon S3 for pros).
    • Schedule: Weekly (for brochures) or Daily (for active blogs).
    • Retention: Keep the last 4 backups.

    The Alternative (WPVivid): If UpdraftPlus fails or conflicts with your server, WPVivid is our backup choice. It has a modern interface and also supports free cloud transfers, making it a worthy rival.

    Level 4: The Enterprise Solution (Incremental SaaS)

    If you have a massive WooCommerce store (20GB+), running a standard plugin might crash your server because creating such a huge zip file consumes 100% of the CPU.

    The Tool: BlogVault (or ManageWP)

    • How it works: It is a SaaS. The backup logic happens on their servers, not yours.
    • Incremental: It only copies the files that changed since yesterday. It doesn’t copy the whole 20GB every night.
    • Real-Time: For high-volume stores, it can back up every time an order is placed.

    Schrödinger’s Backup

    A backup file does not exist until you have tested it. We have seen clients with gigabytes of .zip files that were corrupted and empty (0 KB) when they tried to unzip them.

    The Protocol: Once a quarter, try to restore your backup to a Local environment (LocalWP). If it opens, you have a backup. If it doesn’t, you have nothing.
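    The cycle described under Level 3 and the quarterly check above, as an added example that is not AgilePress's tooling or UpdraftPlus code: one nightly run archives the site, copies it off-site, confirms the hash at the destination, deletes the local copy, and prunes to the last 4; `verify_backup` is the Schrödinger test, catching a 0 KB file, a truncated upload, a CRC failure, or a missing database dump. The site tree, the SQL dump, the `REQUIRED_ENTRIES` layout and the directory standing in for Google Drive or S3 are all constructed assumptions.

```python
"""Added example, not AgilePress's tooling: one 3-2-1 cycle (archive, ship
off-site, delete the local copy, keep the last 4) and the restore-style check.
Site tree and DB dump are constructed; a directory stands in for the cloud."""
import hashlib
import tempfile
import zipfile
from datetime import datetime, timedelta
from pathlib import Path

RETENTION = 4                                         # "Keep the last 4 backups"
REQUIRED_ENTRIES = ("database.sql", "wp-config.php")  # assumed archive layout


def make_site(root: Path) -> None:
    """Constructed stand-in for a WordPress install plus its SQL dump."""
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // constructed\n")
    (root / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")
    (root / "database.sql").write_text("-- constructed dump\nCREATE TABLE wp_posts (id INT);\n")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def create_archive(site: Path, local_dir: Path, stamp: datetime) -> Path:
    """Zip the whole site tree (SQL dump included) into local_dir."""
    archive = local_dir / f"backup-{stamp:%Y%m%d}.zip"
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(site.rglob("*")):
            if p.is_file():
                zf.write(p, p.relative_to(site).as_posix())
    return archive


def ship_offsite(archive: Path, remote_dir: Path) -> str:
    """Copy off-site, confirm the hash there, then free the server disk."""
    digest = sha256_of(archive)
    remote = remote_dir / archive.name
    remote.write_bytes(archive.read_bytes())
    if sha256_of(remote) != digest:
        raise RuntimeError("off-site copy does not match the local archive")
    (remote_dir / (archive.name + ".sha256")).write_text(digest + "\n")
    archive.unlink()                    # Level 3, step 3: nothing left on the server
    return digest


def prune(remote_dir: Path, keep: int = RETENTION) -> None:
    """Delete all but the newest `keep` archives (names sort by date)."""
    for old in sorted(remote_dir.glob("backup-*.zip"))[:-keep]:
        old.unlink()
        (remote_dir / (old.name + ".sha256")).unlink(missing_ok=True)


def verify_backup(archive: Path) -> list:
    """Schrödinger check: list of problems; an empty list means restorable."""
    if not archive.exists() or archive.stat().st_size == 0:
        return ["archive is missing or 0 KB"]
    problems = []
    sidecar = archive.with_name(archive.name + ".sha256")
    if sidecar.exists() and sidecar.read_text().strip() != sha256_of(archive):
        problems.append("sha256 mismatch: archive altered or truncated")
    if not zipfile.is_zipfile(archive):
        return problems + ["not a valid zip file"]
    with zipfile.ZipFile(archive) as zf:
        bad = zf.testzip()              # CRC-checks every member, as unzip would
        if bad:
            problems.append(f"corrupt member: {bad}")
        names = set(zf.namelist())
        problems += [f"missing {r}" for r in REQUIRED_ENTRIES if r not in names]
    return problems


def run_cycle(days: int = 6) -> dict:
    """Simulate `days` nightly runs and report what a monitoring job would see."""
    with tempfile.TemporaryDirectory() as tmp:
        site, local, remote = (Path(tmp) / d for d in ("site", "local", "remote"))
        make_site(site)
        local.mkdir()
        remote.mkdir()
        for i in range(days):
            ship_offsite(create_archive(site, local, datetime(2024, 1, 1) + timedelta(days=i)), remote)
            prune(remote)
        kept = sorted(p.name for p in remote.glob("backup-*.zip"))
        latest = remote / kept[-1]
        empty = remote / "empty.zip"                   # constructed failure: 0 KB file
        empty.touch()
        truncated = remote / "truncated.zip"           # constructed failure: half upload
        truncated.write_bytes(latest.read_bytes()[: latest.stat().st_size // 2])
        truncated.with_name("truncated.zip.sha256").write_text(sha256_of(latest) + "\n")
        return {
            "local_leftovers": sum(1 for _ in local.iterdir()),
            "kept": kept,
            "latest_problems": verify_backup(latest),
            "empty_problems": verify_backup(empty),
            "truncated_problems": verify_backup(truncated),
        }


if __name__ == "__main__":
    print(run_cycle())
```

    Running it shows six archives created, none left in the local directory, exactly four retained off-site, the newest passing every check, and the two constructed failures reported by name. The hash is recomputed at the destination before the local copy is deleted, so a failed or partial upload can never silently become the only copy.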

    Conclusion: Sleep Well

    The cost of losing your digital business is infinite. The cost of configuring UpdraftPlus to Google Drive is zero.

    Don’t trust your hosting provider blindly. Automate the parachute.

  • The Security Illusion: Why We Banned Wordfence and AIOS

    When a site owner fears getting hacked, their knee-jerk reaction is usually to install the “biggest” security plugin they can find.

    Names like Wordfence, All In One Security (AIOS), or Solid Security dominate the market. They are the “Norton Antivirus” of WordPress.

    At AgilePress, we do not use them.

    In fact, we often remove them to instantly improve a client’s server response time.

    Security is not measured by how many settings your plugin has. It is measured by where you stop the attack. Here is why we shift the weight to the server and use minimalist tools inside WordPress.

    The Problem with “The Giants” (Wordfence, AIOS, Sucuri)

    These popular plugins operate on a flawed premise: Application-Level Security.

    They run inside WordPress. This means that for the plugin to block a malicious bot, WordPress has to load first. The PHP engine has to spin up, connect to the database, and execute the plugin’s code.

    The “PHP Trap”: Imagine 1,000 bots attack your login page simultaneously.

    • With Wordfence: Your server has to execute WordPress 1,000 times just to say “Access Denied.” This consumes CPU and RAM, often crashing the server (a self-inflicted DDoS) even if the hackers don’t get in.
    • Database Bloat: These plugins log every failed attempt in your database. We have seen wp_options tables bloated by gigabytes of security logs, slowing down the entire site.
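    The two attack patterns named so far, bots hunting for backup .zip files under /wp-content (Level 2 above) and a login flood that forces PHP to start a thousand times, both leave traces in the web server's own access log, which is written regardless of whether WordPress ever loads. The following added example (not from the article or any plugin) runs over constructed log lines in Apache/nginx combined format and reports the addresses a server- or edge-level block list would want to know about. The threshold, window, and the sample entries are constructed assumptions.

```python
"""Added example, not from the article: scan the web server's access log,
which is written whether or not PHP ever runs, for login floods and for
requests that hunt backup archives under /wp-content. Log lines are
constructed in Apache/nginx 'combined' format; IPs are documentation ranges."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
# Archive and dump extensions that should never be reachable under wp-content.
ARCHIVE_RE = re.compile(r"^/wp-content/.*\.(zip|tar\.gz|tgz|sql|sql\.gz)$", re.IGNORECASE)
FAILED_LOGIN_THRESHOLD = 5          # failed POSTs within WINDOW before flagging (assumed)
WINDOW = timedelta(minutes=5)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:02:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:08:15:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "https://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:08:15:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:09:40:00 +0000] "GET /wp-content/uploads/backup-2024-03-09.zip HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.55 - - [10/Mar/2024:09:40:01 +0000] "GET /wp-content/backups/site.sql HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.55 - - [10/Mar/2024:09:40:02 +0000] "GET / HTTP/1.1" 200 15230 "-" "curl/8.4.0"
this line is not in combined format
"""


def parse(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]     # drop any query string
    return ev


def max_in_window(times, window: timedelta) -> int:
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyse(log_text: str) -> dict:
    failed = defaultdict(list)      # ip -> timestamps of failed login POSTs
    probes = defaultdict(set)       # ip -> archive paths requested
    unparsed = 0
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            unparsed += 1
            continue
        # WordPress answers a failed wp-login.php POST with 200 (form re-rendered)
        # and a successful one with a 302 redirect; XML-RPC auth failures are 200 too.
        if ev["method"] == "POST" and ev["path"] in LOGIN_PATHS and ev["status"] == 200:
            failed[ev["ip"]].append(ev["ts"])
        elif ev["method"] in ("GET", "HEAD") and ARCHIVE_RE.match(ev["path"]):
            probes[ev["ip"]].add(ev["path"])
    brute_force = {}
    for ip, times in failed.items():
        peak = max_in_window(times, WINDOW)
        if peak >= FAILED_LOGIN_THRESHOLD:
            brute_force[ip] = peak          # candidates for an edge/server block
    return {
        "brute_force": brute_force,
        "archive_probes": {ip: sorted(p) for ip, p in probes.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

    On the sample, only 203.0.113.7 is flagged (six failures in nine seconds); the address with five failures spread over two hours is not, which is the point of a sliding window rather than a plain count, and the admin who fails once and then receives a 302 is left alone. One caveat: behind Cloudflare or any other proxy the logged address is the proxy's unless the server restores the client IP (the nginx realip module or Apache mod_remoteip), otherwise a block list built from this output would hit the CDN itself.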

    The AgilePress Strategy: Defense in Depth

    We believe that malicious traffic should be stopped as far away from your WordPress installation as possible.

    Layer 1: The Edge (CDN & Cloudflare)

    The best request is the one that never hits your server. We use Cloudflare (or your hosting’s edge firewall) to block geographical threats and known botnets.

    • Cost to your server: Zero.
    • Speed impact: Positive.

    Layer 2: The Server (Hardening & Imunify)

    This is where most people undervalue their hosting. If you use a quality provider with cPanel or Plesk, you already have enterprise-grade tools that operate at the root level, far more efficiently than any plugin.

    • Native Hardening: We configure the server to apply strict rules (like disabling PHP execution in upload folders) directly from the control panel.
    • Imunify360 / ImunifyAV: Many modern servers come with Imunify built-in. This tool scans files and blocks malware at the Linux OS level. It runs in the background without slowing down your WordPress and without writing junk logs to your database.
    • The Reality: If your server has Imunify, installing Wordfence is redundant and harmful to performance.

    Layer 3: The Application (The AgilePress Stack)

    Once traffic passes the Edge and the Server, it reaches WordPress. Here, we need a lightweight goalkeeper, not an army.

    1. The Firewall: NinjaFirewall (The “True” WAF)

    Unlike Wordfence, NinjaFirewall is a stand-alone Web Application Firewall.

    Why we choose it: It hooks into PHP (via php.ini or .user.ini) before WordPress loads.

    • It filters requests before the WordPress database connection is established.
    • If a request is malicious, it is killed instantly. WordPress never wakes up.
    • It saves massive amounts of CPU compared to standard plugins.

    2. The Identity Guard: WP 2FA (by Melapress)

    A firewall protects the perimeter; 2FA protects the user. We use WP 2FA because it adheres to the Unix philosophy: “Do one thing and do it well.” It doesn’t scan files, it doesn’t check IPs. It just provides a rock-solid, lightweight Two-Factor Authentication.

    3. The Anti-Bot Shield: Cloudflare Turnstile (Goodbye reCAPTCHA)

    Spam and brute-force attacks are usually automated. Traditionally, developers stopped this with Google reCAPTCHA, which forces users to “click on traffic lights” and loads heavy scripts that spy on your visitors.

    At AgilePress, we use Cloudflare Turnstile.

    • Invisible: It verifies whether the visitor is human without forcing them to solve puzzles (Zero Friction).
    • Lightweight: It is far more privacy-respecting and lighter than Google’s solution.
    • Effective: It stops bots at your login and contact forms without punishing your real customers.

    Conclusion: Engineering vs. Fear

    The “Big Security Plugins” sell peace of mind through complexity. They want you to see a dashboard with 50 checkboxes and a map of blocked attacks so you feel like the plugin is “working.”

    In reality, that dashboard is slowing you down.

    At AgilePress, we build secure sites by design. We block at the Edge, harden the Server with Imunify, filter with NinjaFirewall, and verify with Turnstile.

    Maximum Security. Minimal Footprint.