Annoyed by tedious application deployment? Can’t remember the steps? Previous web developer did not leave notes on how he deployed stuff to production? Have no fear, here’s your detailed instructions.

Web application deployment is one of those tasks that are complex enough to take you half a day to do properly, and at the same time they are simple enough that when you finally figure out how to do it, you say, “Aha, so that’s how it’s done! I’m glad I know now!” And you happily forget about it, until some weeks or maybe months later you need to deploy another one, and you scratch the back of your head, and for the love of everything good, can’t remember why WSGI can’t import that %*!$^& module or something like that.

Well, no more. Here’s the latest, freshest guide to deploying your app to Ubuntu 10.04 LTS, Apache2, mod_wsgi, Python 2.6 or 2.7, MySQL, and Django 1.4, which hopefully will still work in at least one or two future versions.

Assumptions / Prerequisites

We’ll assume that you have an Ubuntu server with Apache2 installed. And MySQL (or PostgreSQL, but we won’t go into details on Postgres here – configuration is similar enough, no need to repeat what’s easy to google). We’ll assume that Apache2 is running under www-data user, and that you have your root password to MySQL.

We’ll assume that you have a way to access the server via SSH and that you can sudo.

And you have Python installed. Ubuntu 10.04 comes with Python 2.6 and does not intend to upgrade to 2.7, so if you want to upgrade, you’ll need to build Python 2.7 and mod_wsgi from sources.

We’ll assume that you’ve got all that, and also the sources of the app to a server directory.

Let’s verify our assumptions.

• Check that you have Python (and learn what version you have):

  $ python -V
  Python 2.6.5

  or (if you compiled and installed Python 2.7 by hand)

  $ python2.7 -V
  Python 2.7

• Check that you have MySQL:

  $ mysql -V
  mysql  Ver 14.14 Distrib 5.1.63, for debian-linux-gnu (i486) using readline 6.1

• See if you have Apache2 and who’s running it:

  $ ps -ef|grep apache
  root     30596     1  0 02:29 ?        00:00:01 /usr/sbin/apache2 -k restart
  www-data 32034 30596  0 03:45 ?        00:00:01 /usr/sbin/apache2 -k restart
  www-data 32035 30596  0 03:45 ?        00:00:01 /usr/sbin/apache2 -k restart
  www-data 32036 30596  0 03:45 ?        00:00:00 /usr/sbin/apache2 -k restart
  ...

• Finally, see that you can log in to MySQL as root:

  $ mysql -u root --password=<your password>

If there are no errors so far, we’re ready to start.

Set Up Database

During development, it is ok to use sqlite3 for your Django app. But in production, we’ll need something more serious. Let’s say you already have a database name, a user name, and a password in settings.py file. Do you remember if you’ve already set up the DB in the past, or was it still on TODO list? Let’s check:

$ mysql --batch --skip-column-names -u <username> --password=<userpass> -e "SHOW DATABASES LIKE '<dbname>'"

If it spits out the name of your database, you’ve already set it up. Otherwise, follow these three steps:

mysql -u root --password=<rootpass> -e "CREATE DATABASE <dbname>"
mysql -u root --password=<rootpass> -e "GRANT USAGE ON *.* TO <username>@localhost IDENTIFIED BY '<userpass>'"
mysql -u root --password=<rootpass> -e "GRANT ALL PRIVILEGES ON <dbname>.* TO <username>@localhost"',

Of course, if you plan to do everything by hand, it’s more convenient to log in to MySQL as root and do everything in its shell. But consider scripting this task, so that you don’t have to remember how to do it, ever again:

def check_mysql(dbname, username, userpass, rootpass):
    log.debug('Checking database %s...' % dbname)
    db_match = None
    try:
        db_match = subprocess.check_output('mysql --batch --skip-column-names '
                                           '-u %(username)s --password=%(userpass)s '
                                           '-e "SHOW DATABASES LIKE \'%(dbname)s\'"'
                                           % locals(), shell=True)
        log.debug('SHOW DATABASES said: %r' % db_match)
    except subprocess.CalledProcessError, e:
        log.debug('show databases returned %s' % e.returncode)
    if not db_match:
        commands = [
            'mysql -u root --password=%(rootpass)s -e "CREATE DATABASE %(dbname)s"',
            'mysql -u root --password=%(rootpass)s -e "GRANT USAGE ON *.* TO %(username)s@localhost IDENTIFIED BY \'%(userpass)s\'"',
            'mysql -u root --password=%(rootpass)s -e "GRANT ALL PRIVILEGES ON %(dbname)s.* TO %(username)s@localhost"',
        ]
        for cmd in commands:
            thecmd = cmd % locals()
            log.debug('Running command: %s' % thecmd)
            error = subprocess.call(thecmd, shell=True)
            if error:
                raise RuntimeError('Failed to set up database. Last command: %(thecmd)s. Error: %(error)s' % locals())

A word of caution: using “shell=True” with subprocess.call is not safe if your input comes from outside your script. I am using it in mine, because I am in total control of the input data, and if I go mad and start feeding my own script destructive input, I’ve clearly got bigger problems than server security.

Check Django Project Settings

Now that your database exists and is accessible to the Django app, let’s have a look at the app settings to make sure it is configured correctly.

A common practice for developing Django apps is to have a set of debug-only settings for development, and a set of production-only settings for deployed app. A convenient way to do that is to add something like this at the end of your settings.py file:

try:
    from localsettings import *
except:
    pass

Create a file localsettings.py in the same directory, but do not include it into source control and do not deploy it to the server. Instead, on the server, create a server-specific localsettings.py file. This way, you can use sqlite3 on dev machine, and a real database in production.

Your settings or localsettings now must contain correct DB connection info:

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'your-db',
        'USER': 'your-db-user',
        'PASSWORD': 'your-db-pass',
        'HOST': '',
        'PORT': '',
    }
}
    

Since we are using a script to verify our database, why not also script this part? It will look something like this:

def check_djangosettings(settings_dir, dbname, username, userpass):
    settings_fname = p(j(settings_dir, 'settings.py'))
    settings = open(settings_fname)
    settings_text = settings.read()
    settings.close()
    if not ('from localsettings import *' in settings_text):
        # Need to fix settings module to import localsettings
        log.debug('Adding import localsettings to settings module: %s' % settings_fname)
        settings_text += ('\n'
                          'try:\n'
                          '    from localsettings import *\n'
                          'except:\n'
                          '    pass\n')
        f = open(settings_fname, 'w')
        f.write(settings_text)
        f.close()
    fname = p(j(settings_dir, 'localsettings.py'))
    if os.path.exists(fname):
        log.debug('Localsettings module already exists: %s' % fname)
        return
    log.debug('Creating localsettings module: %s' % fname)
    f = open(fname, 'w')
    f.write('''
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': '%(dbname)s',
        'USER': '%(username)s',
        'PASSWORD': '%(userpass)s',
        'HOST': '',
        'PORT': '',
    }
}
    ''' % locals())
    f.close()

In this function, we use the localsettings trick to create a server-specific config.

WSGI File

Starting with Django 1.4, “django-admin startproject” gives you a nice starting point for WSGI config file. However, it needs to augmented if we want it to be useful.

But first, mod_wsgi needs to know where to load your Python from, in case you are using virtualenv. Simply open /etc/apache2/mods-enabled/wsgi.conf and add a line that looks like this:

 WSGIPythonHome /path/to/my/virtualenv

Now, for the WSGI script. All you really need to do is add your project’s directory to sys.path:

import os, sys

CWD = os.path.abspath(os.path.normpath(os.path.dirname(__file__)))
PROJECT_DIR = os.path.dirname(CWD)

sys.path.append(PROJECT_DIR)

Of course, this should also be scripted:

def check_wsgi(project_dir, settings_dir):
    fname = p(j(settings_dir, 'wsgi.py'))
    if os.path.isfile(fname):
        return
    if project_dir == settings_dir:
        settings_module = 'settings'
    else:
        settings_module = '%s.settings' % os.path.basename(project_dir)
    site_packages = p(j(os.path.dirname(sys.executable),
                        '..',
                        'lib',
                        ('python%s.%s' % (sys.version_info.major, sys.version_info.minor)),
                        'site-packages'))
    f = open(fname, 'w')
    f.write('''
import os, sys
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "%(settings_module)s")

CWD = os.path.abspath(os.path.normpath(os.path.dirname(__file__)))
PROJECT_DIR = os.path.dirname(CWD)

sys.path.append('%(site_packages)s')
sys.path.append(PROJECT_DIR)

from django.core.wsgi import get_wsgi_application
application = get_wsgi_application()
    ''' % locals())
    f.close()

Database Schema

Time to update your DB structure! If it’s the first time, you’ll need to do:

python manage.py syncdb

And on every update to the schema, don’t forget to migrate (assuming you are using South, which you should):

python manage.py migrate --all

Let’s script it, too:

def check_db_schema(project_dir):
    '''SyncDB and migrations
    '''
    log.debug('Updating database schema from %s' % project_dir)
    cwd = os.getcwd()
    os.chdir(project_dir)
    for cmd in ('syncdb', 'migrate -all'):
        full_cmd = '%s manage.py %s' % (sys.executable, cmd)
        result = subprocess.call(full_cmd, shell=True)
        log.debug('%s returned: %s' % (full_cmd, result))
    os.chdir(cwd)

We’re getting close! So, at this point our database is in the correct shape, our web sever is good, and WSGI stuff is ready. Let’s start moving files to the right places.

Copying Application Files

On a server running multiple applications, a good practice is to have a directory somewhere outside /var/www to keep all of your Django applications. For each application we deploy, we’ll create a subdirectory, and put all its code, uploads, static data in there. (There are other sensible approaches – e.g. have a dedicated place for all media files and uploads for all apps, separate from sources, so YMMV).

Let’s name the subdirectories according to domain names of the applications – so, the app for my.domain.com will live under /path/to/apps/my_domain_com/. Copy the entire contents of your Django project, starting with the level where manage.py lives, into your my_domain_com directory and set ownership to www-data:www-data.

Python’s distutils has a handy function for “soft-copying” a directory tree, aptly named “copy_tree” – so,

from distutils.dir_util import copy_tree

copy_tree(source, destination)

To change ownership of a tree in Python, we do this:

pw_uid = pwd.getpwnam('www-data')
os.chown(dirname, pw_uid.pw_uid, pw_uid.pw_gid)

After you’ve set up the directory and copied the app code, you also want to create two more things within the deployed app’s filesytem: logs and (optionally) uploads. This way, you’ll always find the logs of your application easily, and you’ll have everything sitting in one neat place.

Now, all that’s left to do is to add a site configuration in Apache, and we’re done.

Apache2 Site Configuration

Create a file under /etc/apache2/sites-available/, named just like your app directory. The contents of the file should look a bit like this:

<VirtualHost *:80>
    ServerAdmin you@yoursite.com
    ServerName www.domain.com
    ServerAlias domain.com

    Alias /static/ /path/to/your/app/static/

    <Directory /path/to/your/app/static>
        Order deny,allow
        Allow from all
    </Directory>

    Alias /uploads/ /path/to/your/app/uploads/

    <Directory /path/to/your/app/uploads>
        Order deny,allow
        Allow from all
    </Directory>

    LogLevel warn
    ErrorLog  /path/to/your/app/logs/apache_error.log
    CustomLog /path/to/your/app/logs/apache_access.log combined

    WSGIDaemonProcess %(app_name)s user=www-data group=www-data threads=20 processes=2
    WSGIProcessGroup your-app-name

    WSGIScriptAlias / path-to-your-app-wsgi-script
</VirtualHost>

Of course, this step is also included in the full version of the script.

On to the final step!

Restart Apache

sudo apache2ctl restart

…and you are done!

The full script automating this process can be found here. It’s open-source, use and modify it to your delight!

Drupal can be described as a hybrid between a CMS and a web framework, and in this sense it gets close to our favourite web development platform of all times – Django. We won’t get into holy war of languages and web development tools here. Besides the fact that every CMS and framework has its unique merits, often customers have their own reasons to prefer a certain set of technologies for their web applications.

Recently we completed two Drupal-based projects, bespoke-online.com and kazookyloyalty.com.

A few notable things about Drupal:

First of all, of course, it’s open source. So is every module and plugin that we use with it. We have full access to the inner mechanics of the framework and all its extra parts.

Drupal has a mature system of modules/plugins, and a great selection of them for every kind of need – from WYSIWYG editing to email connectors and flexible web forms.

Drupal’s template system is well thought-out and extremely flexible. It allows theme author to fully control all parts of every page, distinguish between kinds of content, and override defaults for specific pages, if needed.

Drupal is production-ready and has better reputation with regards to security than its PHP relatives, like WordPress.

In short, we love Drupal almost as much as we love Python and Django. Design Practica makes custom web applications in Django, Google AppEngine, WordPress, Drupal and a bunch of other technologies. You can contact us to get a brand new website or to update and existing one.

Niche wanted a website that would sell their shampoos, conditioners and other products to consumers and inform potential business partners about options to buy bulk, get samples, and set up long-term relationships. The store site had to be scalabe, easy to maintain, and convenient to tune for SEO – you’ve got to be liked by Google if you want to be noticed on the web.

We built a flexible, SEO-optimizable, modern online store for our customer based on Django and Satchmo. Satchmo is one of the most popular Python-based ecommerce frameworks. Built on top of Django, arguably the most elegant web application engine, it provides web developers with a way to quickly create scalable, flexible eCommerce systems. For dynamic features on the browser side, we used jQuery, of course.

Here’s how Satchmo, Django, jQuery and other tools have enabled us to quickly create a functional, dynamic website that acts both as a CMS and an eCommerce system, and is easy to manage by its owners.

Security

For an online store, this is the most important factor. If you do everything else on your eCommerce website right, but ignore security, you will end up harming your customers, hurting your reputation, losing money, potentially destroying your business beyond repair. So we’ve got to think about security first. Because of the way Django application model is designed, it facilitates creation of secure websites more than many other popular web technologies. Built-in features such as cross-site forgery protection help save development time and allow everyone involved to focus on the real business goals of the project, instead of worrying about every detail. Satchmo allows to integrate the online store with a variety of payment gateways, and encourages a well-though-through, safe approach to handling payments and customer information.

Flexibility

To successfully sell products from your website, you need complete control over all the aspects of the site. With Django, we can tune everything: the way URLs of the website are organized, the appearance of the pages (Django has a powerful templating system), the database, caching system, admin features, and so on. Satchmo gave us great flexibility in choosing payment methods, automating shipping cost calculations,
generating PDF documents (invoices, shipping labels), and managing custom discounts.

Unique Design

I’ve already mentioned the powerful support for page templates that comes with Django. Django templates allow designers and programmers to collaborate in a productive fashion, without worrying about each other’s parts in the process. Unlike older web programming technologies, such as ASP or PHP, Django templates enable us to work on the visual aspects of a site independent from the server-side data management. Likewise, changes to business rules or logic on the server can happen without wreaking havoc on the visual side of things. This separation of concerns allows our graphic design team to focus on the presentation aspects of the site and create unique, usable pages, while the programmers implement the logic of the application.

Updates

How easy or difficult it is to update your site’s content and design can define your site’s success or failure in the long run. New products, new information, new ways to present it – all this must be easy to do on your site if you want it to perform well. With Django and its templating system, your website’s design is organized in a hierarchy. This makes it very convenient to update overall design and layout of the site. Changing things like header or footer on all pages uniformly, adding a sidebar, or popping a message about special offer – with well-organized page templates, these things do not cause trouble. In fact, with this online store project, we went though several revisions of overall design and layout, without interrupting the functionality of live website.

Payment System

Satchmo has built-in support for major payment gateways, such as Authorize.net, PayPal, and a handful of others. It also provides a straightforward way to add new payment plugins. So, when we found we needed to add support for MiraPay, a Canadian merchant service, we simply added a plugin that implemented MiraPay’s API. Satchmo allows site creators to have multiple payment methods, which is a great thing – many customers are expecting to be able to pay through their PayPal account, while others prefer to use direct credit card payment.

Shipping Cost Calculation

Evaluating the cost of shipment is not a trivial task. Satchmo has great plugins for this, able to communicate directly with carrier companies to get a precise price for each shipment. As with other aspects of commerce, shipping with Satchmo can be easily customized to implement any specific rules that apply to a given business. Out of the box, it supports integration with the following carriers:

• UPS
• Fedex
• USPS
• Canada Post
• Flat rate shipping
• Multi-tiered shipping based on quantity or price
• Per item shipping cost

Discounts, Special Offers, Coupons

Satchmo comes pre-packaged with support for discounts and coupons. Default templates provide a nice starting point for showing discount information, giving the customer information about special offers, handling the whole process gracefully and correctly (the most important part). Customizing Satchmo templates proved to be a pretty straightforward process, and we were able to take full advantage of its support for coupon codes and specials. Again, this area is extensible, and if your website, like our case here, needs special custom rules for discounts, it’s convenient to implement them using Satchmo.

Custom Products

Some of the products our client sells through the website are customizable – you can choose certain options before purchasing, and the price adjusts accordingly. This is where Satchmo proved most helpful. In fact, it supports several flavours of customizability – as long as you know what you need, you can get it with Satchmo.

Subscription-Based Products and Downloadable Producst

Although we did not use subscriptions in this project, and downloading a bottle of shampoo is not quite yet possible with today’s technology, it’s worth mentioning these Satchmo capabilities here. Satchmo can just as easily sell your ebooks or software, or a paid subscription to monthly market insider tips, as it sells conditioners.

In short, as a web development company, we are excited that such high-quality frameworks as Django and Satchmo exist in open-source world. This gives is the power to solve our customers’ problems elegantly, with confidence and speed.

Contact DesignPractica to discuss your eCommerce or custom web project. We give free estimates.

Vancouver, BC Nov 25, 2011 – DesignPractica, a company that specializes in web development and support, after its experience with recent WordPress attacks, shares the expertise through its new offer to restore and secure WordPress-based websites.

DesignPractica has been building and supporting websites and dynamic web applications since 2009. Its team of professionals is now providing additional support for owners of sites who suffered from hacker attacks against WordPress plugins.

According to internet security agencies, such as SpiderLabs, there are 1.2 million websites that were affected by the latest attack. “We’ve had our share of trouble with this vulnerability, and now we want to share what we learned so that other can benefit from our efforts”, says DesignPractica founder Vlad Orlenko.

For additional information about WordPress vulnerabilities, restoring your website and security help, contact Vlad Orlenko at vlad@designpractica.com or visit www.designpractica.com.

(as seen in all major online news outlets)

Vancouver, BC Nov 21, 2011 – DesignPractica has been creating and maintaining custom websites for small businesses in Greater Vancouver area for several years. Now, in addition to offering WordPress, Django and Google Application Engine websites, DesignPractica also provides support and development services with all top open-source and hosted eCommerce and CMS systems, such as Magento, Drupal, Volusion, Shopify, Satchmo and others, for small, medium and large businesses in the greater Vancouver region. Adding ecommerce for website has become a necessary feature of modern online presence, and DesignPractica is increasing its efforts to satisfy the demand.

DesignPractica has a successful history of helping local manufacturers, farmers, restaurants and entrepreneurs with web design and custom web application development. Over the years, it has accumulated expertise and gathered brilliant talent in its distributed team of designers, analysts, marketers, and programmers. Now it is stepping up its effort to deliver the best web products that can be created with today’s top technical tools to local Vancouver businesses. The solutions DesignPractica provides allow customers to add ecommerce for software products, traditional goods, subscription services and more.

“We feel that by providing best tools available on the market, such as Magento eCommerce framework, we can bring great value to local businesses looking to build new sales channels and to take advantage of online marketing”, says Vlad Orlenko, founder of DesignPractica. “But instead of pushing a single solution to every customer, we begin with analyzing the needs of every particular business that works with us — not everyone requires the same product, and personalized approach to eCommerce and CMS in today’s complex world is our great strength”.

Combining the advantages of global team and local business presence, DesignPractica sets an ambitious goal of building dozens of modern, efficient internet stores that will appeal to the public and provide strong sales for the business owners over the next months, starting this Christmas season. Introduction of ecommerce for websites that did not previously have it is a welcome news.

For additional information about eCommerce and CMS development services provided by DesignPractica, contact Vlad Orlenko at vlad@designpractica.com or visit www.designpractica.com.

(as seen in all major online news outlets)

The online store that we build for you serves one goal: bring you lots of sales. But to achieve this seemingly simple task, it takes a lot of knowledge, skills and experience.

The store has to automate all the parts of the process that can be automated, such as creating invoices and shipping labels, calculating shipping costs and taxes, offering the right discounts and encouraging customers to buy related products.

We always build our sites with search engine optimization (SEO) in mind. Things like standards-based layout and styling, customizable titles and headers, easily-editable content are absolutely necessary for promoting your site with Google, Bing and Yahoo, and we make sure your online store gives you all that today’s web is capable of.

Depending on the business you’re in, we’ll suggest a suitable set of options for online sales.

For example, if you already have a working website with a healthy amount of traffic to it, you do not want to lose all the work that went into it and start from scratch. Fortunately, the powerful tools we use allow us to add e-commerce features to an existing website without interrupting the service or interfering with the relationships you already have with your customers.

If you are planning to build a new online store, we’ll help you choose from the multitude of available technologies and tools (which can be quite overwhelming) the right ones for the job, ensuring fast delivery and cost-effectiveness and easy maintenance in the future. Our goal is to design an approach that will work best while adding the benefits of ecommerce for website that you are either building from scratch or updating.

The main benefit of creating a customized online store is that you have full control over the behavior and appearance of your virtual storefront. You can manage the discounts and shipping the way you like it, customize product information in precisely the manner that maximizes your conversion rate, and optimize your site for search engines so that you know you are getting the maximum benefit out of your “automated sales engine”.

We work with a wide variety of popular e-commerce systems:

• Magento
• Satchmo
• Shopify
• OpenCart
• WP e-Commerce
• Volusion
• osCommerce
• UberCart
• ZenCart
• and many more…

In any web-related project, but especially in online sales, tracking statistics about your visitors is absolutely necessary. That’s why we always include Google Analytics with all the sites that we build. Additional reporting is available depending on the e-commerce framework that is chosen for a particular project, and we help you take full advantage of that.

We also integrate your site with social networks — Facebook, Twitter, FourSquare, Google Plus, etc., and help you make first steps in SEO for your online store — from optimizing the content and format of the site to registering in directories and building links.

In addition to the technical aspects of building the system for you, we take training and education very seriously. We provide instructional videos for our clients, showing how to manage their website by example, which is the best way to learn.

So, in short, here’s our secret sauce: we combine the power of industry-standard CMS frameworks and proven e-commerce solutions with custom design and programming, add generous amounts of uncompromising focus on your business and your clients, and produce great value for you and your company.

To get a free estimate for your e-commerce project, please leave a reply below, or drop us a call at 604-200-3537.

We are doing our best creating Django applications in Coquitlam, Burnaby, Port Moody, and the whole Greater Vancouver.

• First, we listen to you to understand what exactly you need to build. We ask lots of questions about your purposes for the project, the way different people will be using it, the other systems it will interact with. We can meet in person, if you are located in Vancouver area, or talk by phone, Skype, IM – whatever works best for you. (Just drop us a message about the project, and we’ll get back to you on the same day.)
• We make an estimate of the project, for free. You get a detailed list of steps covering the entire project, from analysis and design to implementation details, sketches or examples of design, and an approximate evaluation of the cost. We strive to use fixed estimates and stick to them wherever possible, because this is the most comfortable way for you, our customer. However, if there’s a significant change of plans during the course of the project, we’ll re-estimate as we go.
• Once we’ve agreed on the plan of action, we take a deposit and begin to implement your web application. We focus on early visibility and constant interaction with the customer, so that you can see what is being built, you can test-drive it, and get all the important details and clarifications to us.

Different projects require different sets of instruments. In our custom development work, we use a very wide variety of tools and technologies. We love open-source tools such as Django web application framework, Satchmo online store engine, CMS frameworks — from WordPress and Drupal to Magento and Django-CMS, Ruby/Rails, JQuery, Sencha, etc. We also use .NET, mobile frameworks, and desktop and mobile development tools for Linux, Windows and Mac.

Contact us to discuss your custom project. You’ll be glad you did.

So, my site got hacked. No, scratch that. All of my WordPress sites got hacked. No, that’s not right either. All of my WordPress sites got hacked twice. I’ve repaired it all, prepared the sites for the next vulnerability, and now I’m ready to share my regrets and shame, but mostly experience and tools.

While nobody can guarantee that a WordPress site is not going to be hacked again, there are a few things we can do to lower the risk and make it much easier to bounce back when this happens.

Backups, man! Do you have a recent backup of your site? How long will it take you to get back in the game if you start seeing, all of a sudden, pop-up ads for penis enlargement on your blog? Backups, man, backups. Back up your data, your plugins, your custom styles, everything. Store your backups off-site. All of this is common sense, but most of us start taking this stuff seriously only after a disaster.

At the end of this post, there’s a script that makes backing or restoring a WordPress site a one-step process. But if your site is hacked and you need to go through all the steps before creating the first clean backup, read on.

Step 1: Scan your PC

Often malware is introduced to a website through an infected Windows machine that you use to manage the site. Update your antivirus software and do a full scan of your computer. You want to be sure that your local computer is clean before you start repairing your website from it.

If you do not have an antivirus, AVG is good choice. They have a free version, and the prices for the paid license are very reasonable.

Some malware is very good at hiding from certain types of antivirus software. If you already have an antivirus, it may be a good idea to double-check and scan your PC with another type of antivirus.

Step 2: Verify that your site is infected

How can you be sure that your site has been hacked and has malware? How can you check which of your sites are clean and which are infected? Use an online site scanner. Scan every one of your websites before you start cleaning them up, and repeat the scan as you progress through the steps to restore sanity. Make it a habit to re-scan your sites regularly, or subscribe to Sucuri Monitor or a similar service.

Step 3: Back up your website

Although your site is infected, you still want to keep a copy of all its data and files for reference, at least until you make sure that all is back to normal.

Make a backup copy of your website’s files. If you have SSH access to your hosting provider, copy the entire directory containing your site into a backup location. If you use another way to access your files (such as SFTP, FTP, or web-based file manager), download the whole directory of the site.

Back up the database your site uses. In WordPress, you can download the content through “Tools > Export > All content” in the admin dashboard. Or, preferably, use a command line to export the whole database.

I’ve created a useful script that does both of these steps for a WordPress site automatically (it’s at the end of this article).

Step 4: Talk to your hosting provider

Most likely, the issue affects more than just your website, and your hosting provider is already aware of the problem. Most hosting companies back up their customers’ data regularly, and if your site was infected recently, they can simply restore it to a previous point, when it was not yet infected. They can also help you identify and fix the vulnerability that led to the problem in the first place. If you are lucky and your hosting support rocks, things will be back to normal before you know it. For the rest of us, there are next steps.

Step 5: Try Surgical Repair

This does not always work, but it’s worth a try. If you know the kind of attack that led to the site’s infection with malware (e.g. the infamous TimThumb vulnerability), and you can find good documentation on how the attack works, you can try to clean up the affected PHP files. There are a few WordPress plugins that can help. After every change you make, verify whether the site is infected (use Sucuri Scanner) and if it’s clean, verify that it works. It did? Congratulations! You’re done.

However, this method does not always work (as malware writers are coming up with new ways to hide malicious code), and sometimes you’ll have to scrap all code and install a clean copy.

Step 6: Disable the infected site

Sigh, so you’ve tried to remove the bad code from PHP source, and the site is still broken. You’ll need to set up the WordPress, the theme and plugins from clean slate, re-import the data, and monitor the whole process so that you know at the end of the process your site is clean and fully-functional.

To begin, let’s completely isolate the site from the outside world. The malware that got injected into your site could be acting as a backdoor, bringing more malware in. To prevent the malicious code from re-infecting the site while you’re cleaning it up, temporarily close it down.

A simple way to disable a site that runs under Apache (which WordPress does) is to add a rewrite rule into .htaccess file in the site’s directory, redirecting all requests to a temporary “your site is undergoing maintenance” page.

RewriteEngine on
rewriterule ^(.*)$ http://example.com/maintenance.html [r=301,nc]

(You’ll need to set up the maintenance page somewhere outside of your site, of course).

Now open your website in browser — you should see the maintenance message instead of the site itself.

What have you achieved so far? Your data is backed up, you’re sure that your local machine will not infect the website and you’ve isolated the site from the outside world. Now you’re ready to begin the cleanup.

Step 7: Change Passwords

Change all the passwords. Don’t leave the bastards a chance.

Don’t forget to go through all of the passwords that may have leaked:

• SSH password
• Hosting Control Panel password
• FTP password
• Database password for every database accessible to your account

Step 8: Complete Clean Up

This part will have to be repeated for every website you are repairing. With the right tools (such as the backup/restore script below), it takes about an hour or two per site. Not too terrible.

1. Create a fresh WordPress application instead of the temporarily-disabled site. Use the newest version of WordPress and a new database.
   • At this point, your WordPress should be working and free of malware. Check for malware — if it’s there, you’ve got a problem. Either your PC is infected, or you have a more serious issue on the server. Stop here, call support, run a virus scan on your PC.
   • If the site is clean like it should be, proceed.
2. Create a backup copy of site directory and database. This is your new clean copy – not very useful yet, but at least it will let you come back to this point if you make a mistake at a later step.
3. Install the most recent version of the theme you want to use (make sure the theme does not use modules with known vulnerabilities — such as certain versions of TimThumb).
4. Check for malware again. If the site got infected, it’s likely the theme. Roll back to the backup you created two steps back (good thinking!), and use another theme. If it’s clean, make anoter backup copy and proceed.
5. For every plugin you need to use:
   • Install latest version of plugin
   • Check site for malware
   • Roll back or create new backups as necessary

Step 9: Restore the data

Now that your site looks and behaves close to what it should, time to import old data. We’ll assume that there are no viruses or malware in the database. That’s a reasonable assumption, but before you act on it, please make sure you’ve backed up all your work prior to this point. Ready?

Export the database your site used to use. You can do it through phpMyAdmin or from command line.. The command will look something like this (all in one line):

mysqldump --user=<old_db_user> --password=<old_db_password>
        --databases <old_db_name> --opt --quote-names --allow-keywords
        --complete-insert -c > <archive_filename>.sql

And to load it all into the new database, you’ll import it — either through phpMyAdmin or through a command line like this one:

mysql --user=<new_db_username> --password=<new_db_password> <new_db_name> < <sql_file>

Now, for the last time (hopefully) check that your site does not have any malware, and you’re done!

Except that you are not really done. Time to make sure that an ordeal like this never happens again to you and your websites.

Step 10: An ounce of prevention is worth a pound of cure

Or, in metric system, “twenty-eight grams of prevention is about half-a-kilogram of cure”, which sounds admittedly much less elegant.

Here’s what you can and should do to protect yourself against future attacks.

• Follow the advice in the official guide on hardening WordPress.
• Before installing a new WordPress plugin or theme, at least Google for vulnerabilities related to it.
• Monitor your site — use Sucuri or a similar tool.
• Keep your PC clean and secure. Don’t neglect your Windows antivirus.
• Make automatic backups that let you easily restore your site.
• Consider not using WordPress for serious sites. Use Django, Rails, heck, even .NET. Some platforms just take security more seriously than others.
• If your hosting provider is not helping you in terms of backups and recovery, move to one that does. Webfaction (where this site is hosted) is probably the best shared hosting option available.

Bonus: Backup/restore script for WordPress

Here’s the script that runs backups for DesignPractica and can restore a wordpress site in a single command: [dowload]. This is written in Python, simply because it’s the best language ever. You run these scripts like this.

Backup:

python backup.py <path-to-wordpress-application-directory>

This will create a time-stamped backup directory inside ./wordpress-backup// and put a compressed copy of the application directory and of the database in it.

Restore:

python restore.py <path-to-wordpress-application-directory> <path-to-backup-directory>

If you found this stuff useful and saved some time thanks to my article or code – you can buy me a beer! Thanks!

Note: If your WordPress site was hacked, this means there’s a vulnerability either in WordPress itself or in one of the plugins you are using. Upon restoring from backup, upgrade to all latest versions, and re-scan the site to make sure it did not get infected again. It’s generally a good idea to google for known recent vulnerabilities in WordPress plugins, and take appropriate steps — e.g. avoid affected plugins altogether, use safer alternatives, etc.

Also, if you are hosting your customers’ WordPress sites, make sure your users do not have admin rights. This may sound harsh, but seriously, “editor” role is quite sufficient for day-to-day use. There are good reasons why public hosting companies who support WordPress limit what plugins you may or may not install. There are good reasons not to trust users with this. If all you have is a few simple blogs and “business card” type of sites, sure — install all the experimental stuff you wish. The worst that can happen if they are hacked — you’ll lose your latest blog post or comments. But for large online stores keeping track of their customers, a hacked site may mean serious damage to credibility. If all your customers suddenly start getting spam, if their personal information is compromised, your business is be in serious trouble. If all of your customers’ customers are exposed in this way, you’re dead, as long as your business is concerned.

Well, thanks for reading this long post-mortem. Here are a few affiliate links to the great tools I mentioned in this post. If you decide to purchase their products, do me a favour, go through these links.

• AVG antivirus
• Sucuri Site Scanner