A couple weeks ago, the brute force WordPress attacks started. Last Thursday, Sucuri sent out a high priority alert that the popular plugins, WP Super Cache and W3 Total Cache, had a very nasty PHP execution security hole. Potentially a showstopper – and a server wrecker type of loophole. Immediate action was definitely indicated. There are some things that you can do at your convenience, and then there are others – like this one. And that’s when you realize that you have to be able to scale.
Been There, Done That
Two weeks ago, I went through every individual WordPress site that I had and modified the .htaccess file to stop the 90K bots from hitting my wp-login.php page and swamping my server3. Did get 3 of my sites on shared hosting resources (throwaway sites so to speak, thankfully) taken offline by the host for excessive CPU usage before I got in to do all of this. It was causing huge issues on one of my VPS servers sucking up CPU cycles and bringing legitimate web requests to a crawl just to respond to the bogus login requests. Every. Single. Site. OMG.
Now, this security issue the next week. OMFG.
Manually Updating over 100 WordPress Websites
This is NO small task. And while I have a solid Excel spreadsheet with a lot of data available on each of these sites, it’s just over the top to start tracking which site uses which plugins. Thus I was going to have to visit every. Single. Website. All over again. Grimly determined to yet again do battle with the effing hackers that I knew would soon be scanning for specific footprints across all of my websites and likely exploiting them if I left them unprotected (and it only takes ONE), I started through my spreadsheet again for the second time in as many weeks. At least a day will be wasted on this. Maybe two. This was on Saturday morning. 4 am. Good times.
There has GOT to be a better way.
About 30 or so sites into this mind-numbing process, it occurred to me that there HAD to be a better way. Much as I wanted to continue through to patch up the security hole, it also struck home that if there WAS something that I could do to perhaps manage ALL the blogs from a central point, I was going to have to visit all of these sites all over again. Let’s do it now and keep fingers crossed that no one has been running GScraper yet looking for the tell-tale SuperCache or W3TC footprints.
And, yes, there is a better way. Several in fact, though not to the point where people are naming them “Yet Another…” The choices I found were InfiniteWP, ManageWP and Worpit. There were some others that I ran across but for various reasons, narrowed it down to these for a short list. Number 1, I have over 100 sites. Gotta be able to handle that many without being too costly – and free would be even better. All of them had good reviews, but of the 3, only one was completely free on more than a trial basis.
InfiniteWP on test
InfiniteWP is a free model with paid addons. I didn’t need any of the addons just to handle my immediate needs – update plugins (specifically SuperCache), so the choice was made. InfiniteWP would be our platform. InfiniteWP is a standalone application, so you will need a site to install it on. Should be running on Apache with access to MySQL. The install process was NOT a point and click, but if you know your way around cPanel, you should be fine. Took me about 20 minutes to get it up and running.
Now back to going through every. single. site. again. Would be really nice if there was a way to do this from the control panel by providing an admin login and url to do this, but there isn’t. Gave me a fine opportunity to verify all my .htaccess files again too since I was going to be going through each site again – ostensibly for the LAST time. Total time for me to input all of my sites, verify my .htaccess files, misc code wrangling, and do spot updates of the SuperCache plugin (can’t stand the W3TC plugin so I knew that one wasn’t an issue): 14 hours.
If you were going to be less fastidious on the install of the InfiniteWP plugin on each site and just slam it in place, you could probably average 1 every minute or two. In my case though, I wanted to verify my documentation, IPs, logins, .htaccess files, etc – so it took me a while to get all these sites in and be able to finish feeling GOOD about ALL those sites for the first time in probably over a year.
When I finally finished yesterday afternoon around 1 pm, I was able to see all my sites, view any remaining instances of good ol’ SuperCache that I might have missed, and all the OTHER plugins, themes and WP updates that needed to be handled. What a joy. No more Excel spreadsheets “Last Updated” entries, no more “Oh yeah, I did update that one…” and even better, no more, “Uh oh… which blogs do I need to update based on the NEWEST security hole?”
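When several sites share one server, the "which blogs do I need to update" question can also be answered straight from the filesystem. The script below is an added example, not code from the original post or from InfiniteWP; it assumes one directory per site under a common hosting root, and the minimum versions and the sample tree are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Plugin slugs named in the alert. The versions are constructed placeholders,
# not the real fixed releases: take those from the vendor advisory.
MINIMUM = {"wp-super-cache": "2.0", "w3-total-cache": "2.0"}
HEADER = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)
NAME = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)

def vtuple(version):
    """'1.3.1' -> (1, 3, 1) so versions compare numerically, not as text."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def plugin_version(plugin_dir):
    """Read Version: from whichever top-level PHP file carries the plugin header."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # header sits at the top of the file
        if NAME.search(head):
            m = HEADER.search(head)
            return m.group(1) if m else None
    return None

def inventory(hosting_root, minimum):
    """Return (site, slug, version, needs_update) for every watched plugin found."""
    rows = []
    for plugins in sorted(Path(hosting_root).glob("*/wp-content/plugins")):
        site = plugins.parent.parent.name
        for slug in minimum:
            if (plugins / slug).is_dir():
                ver = plugin_version(plugins / slug)
                # A plugin with no readable version is flagged for a manual look.
                stale = ver is None or vtuple(ver) < vtuple(minimum[slug])
                rows.append((site, slug, ver, stale))
    return rows

def build_sample(root):
    """Constructed demo tree: three sites, two of them with WP Super Cache."""
    for site, slug, ver in [("alpha.example", "wp-super-cache", "1.0"),
                            ("beta.example", "wp-super-cache", "2.1"),
                            ("gamma.example", "akismet", "1.0")]:
        d = Path(root) / site / "wp-content" / "plugins" / slug
        d.mkdir(parents=True)
        (d / "main.php").write_text(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in inventory(tmp, MINIMUM):
            print(*row)
```

Run it once per server against the real hosting root; sites on other hosts still need their own pass or a central dashboard.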
So how DOES InfiniteWP work in practice?
Pretty darned good – particularly for a freebie product. Nice interface. Could use a few improvements IMHO, but until I buy a plugin or more to give them a little cash flow to keep updating their product, I’m not sure I have too much right to beeeyatch. A nice alphabetical listing of all sites on the left with quick access to each admin panel in window, admin panel in a new tab, write a post, backups, view backups. It’s basic, but seriously, how many features *DO* I need to handle these 100+ blogs? About this number. Not too much, not too little.
So I don’t think I have too much room to complain, but here are the issues I found – but I can work around them.
- Hiding an update – for example, a particular theme that I have heavily customized in one customer website… I can hide the update under “Websites” and the entry for that particular website, but then it still appears under “Themes” and the drop down for that site. So it’s Ajax hiding in one panel, but not until you do a refresh of the whole screen, will you make it disappear under the other.
- Not able to update my (relatively slow) Rackspace Cloud files at times. I think this is more a result of the relatively weak Rackspace Cloud site hosting. Operation times out, throws a 500 error, occasionally have gotten a “Need to reinstall the plugin” error. Don’t think it’s actually a flaw in the IWP, but again, more a problem with Rackspace Cloudsites hosting. Might be a way around that though IN the IWP plugin to at least let it NOT completely bomb out. Secondary status check routine or something that is initiated.
- Backups work great from the individual site flyout, but the Restore function doesn’t seem to work right when accessed via that method. Probably just a small glitch – val not being passed properly through that bit of the interface. However, clicking on “Protect”, viewing the backups and restoring from THERE works lickety split.
- Would be nice to sort the central window alphabetically
Right out of the box, with 20 minutes setup, and the hours to install the plugin to each site, I am now sitting able to look over each of these sites with a number of updates right there in one simple to review panel. I have access to do my updates en masse directly from the primary screen, or can quickly and easily click open the admin panel and be right there to manually do updates, add entries, etc in the admin panel on the target website. I can quickly scan for particular plugins that may need updating as well as update them fast. The URGENT crisis mode Sucuri email about WP SuperCache and W3TC would have been a 30 second point and click fix across all sites if I had InfiniteWP in place last week.
One thing to keep in mind – when updating a number of sites, it still is a good idea to go back and manually CHECK those sites. After updating a few site themes/WP versions, there have been a couple of sites that needed revisiting after updates to re-modify theme look. Like any update, there is always a chance that something may break. While the update may complete successfully, the final result may NOT be exactly what you think.
There are several workable ways to manage 100+ blogs. Manually is NOT one of them. InfiniteWP, however, IS one of them. And it does it pretty well. I think it could use a little more polish, but the pricing model is great. The install will be mine, there’s no monthly, “Oh, you’ve added on 3 more sites, we need to bill you more” issues. They have additional plugins / addons that should be able to provide advanced functionality such as backing up to S3 and a variety of other things.
If you’re on a budget (or just want to keep costs down), InfiniteWP is a keeper!