The word "disaster" is one you never want to hear in business. Even if it's a seemingly minor disaster, it usually means taking time away from business to investigate the root cause, clean up the mess, update processes, and sometimes even apologize to clients or employees who were harmed in the wake of it.\r\n\r\nBut it's not just business operations or physical workspaces affected by disaster. WordPress websites can face their own kinds of disasters.\r\n\r\n<a href="https:\/\/pagely.com\/blog\/wordpress-security-action-plan\/" target="_blank" rel="noopener noreferrer">WordPress security<\/a> breaches are definitely the most common.\r\n\r\nUser error can also play a role in the (unintentional) harm of a WordPress site.\r\n\r\nNatural disasters can contribute their own kind of destruction if they reach the main location of your web server.\r\n\r\nEven WordPress itself can lead to disaster if your website isn't<a href="https:\/\/pagely.com\/solutions\/secure-wordpress-hosting\/"> managed properly and securely<\/a>. This is most commonly seen with cowboy coding or the issuing of plugin or theme updates on a live site without first testing them in a safe staging environment.\r\n\r\nNot to sound completely pessimistic, but disaster is all around us. And, even though we can mitigate for known risks, something bad could still happen down the road. It might be an easy enough issue to fix, but any downtime, defacement, or broken functionality on the frontend of your website is bad.\r\n\r\nA disaster recovery plan will help you prepare, prevent, and handle one if and when it does happen.\r\n<h2>The Costs of a Disaster in WordPress<\/h2>\r\nAn IBM-sponsored report, the <a href="https:\/\/www.ibm.com\/security\/data-breach" target="_blank" rel="noopener noreferrer">2017 Cost of Data Breach Study<\/a>, provided some revealing facts about the state of <a href="https:\/\/pagely.com\/blog\/wordpress-security-action-plan\/">web security<\/a> and how expensive cleanup can be in the face of a breach. Although this report focuses mostly on data breaches, I want to remind you that anything that affects the "face" of your online brand can be harmful and costly to your business.\r\n\r\nSo, let's focus on the overall message of this report \u2014 that disaster can affect any website and will lead to serious consequences if left unchecked-\u2014 and make our way from there. Here are the key takeaways:\r\n<h3>Cost of Data Breaches and Other Disasters<\/h3>\r\nAs you can see from this chart, North American countries are the ones currently faced with the most expensive data breaches.\r\n\r\n<img class="aligncenter size-full wp-image-14959" src="https:\/\/pagely.com\/wp-content\/uploads\/2018\/06\/Disaster-Recovery-Plan-Total-Cost-of-Breach-per-Country.png" alt="Disaster Recovery Plan - Total Cost of Breach per Country" width="900" height="693" \/>\r\n\r\nOn average, the cost of a data breach amounts to $3.62 million.\r\n\r\nNow, if we want to break that down by person (and corresponding records stolen), it's best if we look at the industry distribution of costs per capita:\r\n\r\n<img class="aligncenter size-full wp-image-14960" src="https:\/\/pagely.com\/wp-content\/uploads\/2018\/06\/Disaster-Recovery-Plan-Cost-by-Industry.png" alt="Disaster Recovery Plan - Cost by Industry" width="900" height="682" \/>\r\n\r\nFor those of you working in the health, financial, and <a href="https:\/\/pagely.com\/solutions\/universities\/">education<\/a> sectors, you can see how expensive every stolen record can be. That's, of course, not to discount the costs to other industries as the average cost per stolen or lost record is $141. Multiply that by however many records your website holds and you can imagine what that sort of hit your profit would take as a result.\r\n\r\nThe same sort of logic applies to anything that forces your WordPress site to stop working or to go offline altogether. The cost of <a href="https:\/\/pagely.com\/blog\/configuring-site-zero-downtime\/">downtime<\/a> can be calculated by:\r\n<ul>\r\n \t<li>Starting with the amount of revenue your site earns in an hour.<\/li>\r\n \t<li>Multiplying it by the amount of hours your site was offline.<\/li>\r\n \t<li>Adding the costs of running a website per hour.<\/li>\r\n \t<li>Adding the costs of website recovery activities, including the time you or your development team spend to rectify the issue.<\/li>\r\n<\/ul>\r\nThat total is the cost of downtime. It might not be as expensive as lost records, but it's not going to do your business's bottom line any favors either.\r\n<h3>Cause of Data Breaches<\/h3>\r\nUnsurprisingly, the majority of data breaches (47%) are caused by malicious entities.\r\n\r\n<img class="aligncenter size-full wp-image-14961" src="https:\/\/pagely.com\/wp-content\/uploads\/2018\/06\/Disaster-Recovery-Plan-Cause-of-Breach.png" alt="Disaster Recovery Plan - Cause of Breach" width="900" height="414" \/>\r\n\r\nThe other two causes of data breaches come from human error (28%) and system glitches (25%).\r\n\r\nYou can also see how much malicious attacks cost per capita when compared to system glitches and human error. The difference isn't too significant, but it's enough to make you want to fend off hackers as much as possible.\r\n\r\n<img class="aligncenter size-full wp-image-14962" src="https:\/\/pagely.com\/wp-content\/uploads\/2018\/06\/Disaster-Recovery-Plan-Cost-per-Breach-Cause.png" alt="Disaster Recovery Plan - Cost per Breach Cause" width="900" height="417" \/>\r\n\r\nSo, again, it's important to be mindful of security risks that exist outside your WordPress site, but to also understand the dangers that exist within your own systems and teams. Disaster really can come from anywhere.\r\n<h3>Other Factors that Contribute to Disaster-Related Costs<\/h3>\r\nThe total average cost of a data breach is quite frightening, isn't it? But where exactly do those numbers come from? Is it how much money a company pays to customers to compensate for damages? Is it how much is spent on damage control for the brand? Actually, you might be surprised to learn where these costs come from.\r\n\r\n<b>1. Loss of Customers<\/b>\r\nThis is what's known as churn \u2014 the loss of customers and revenue.\r\n\r\n<img class="aligncenter size-full wp-image-14963" src="https:\/\/pagely.com\/wp-content\/uploads\/2018\/06\/Disaster-Recovery-Plan-Lost-Business-Costs.png" alt="Disaster Recovery Plan - Lost Business Costs" width="900" height="466" \/>\r\n\r\nAs you can imagine, customers aren't going to react well after they discover that any sort of disaster put their data at risk. The same goes for visitors who encounter a broken website, a hacked website, or one that's down altogether. Disrupt their experience or put them in harm's way and it could cost you a lot of customers that you're now forced to spend money recouping in the following year.\r\n\r\n<b>2. Time to Identify and Contain the Problem<\/b>\r\nOn average, it takes businesses 191 days to <em>identify<\/em> a security breach and an additional 66 days to <em>contain<\/em> it.\r\n\r\n<img class="aligncenter size-full wp-image-14964" src="https:\/\/pagely.com\/wp-content\/uploads\/2018\/06\/Disaster-Recovery-Plan-Detection-and-Escalation-Costs.png" alt="Disaster Recovery Plan - Detection and Escalation Costs" width="900" height="450" \/>\r\n\r\nAs you might imagine, when it takes nearly two-thirds of a year to do something about a breach of your records, the severity and depth of the problem is only going to worsen. The costs above reflect how expensive detection and escalation of breaches are to organizations every year.\r\n\r\n<b>3. Notifications to the Public<\/b>\r\nNot only will a breach hurt your company's reputation, but it's going to cost you to handle the notifications and <a href="https:\/\/pagely.com\/blog\/marathon-sprint-winning-customer-service\/">customer support<\/a> surrounding it.\r\n\r\n<img class="aligncenter size-full wp-image-14965" src="https:\/\/pagely.com\/wp-content\/uploads\/2018\/06\/Disaster-Recovery-Plan-Notification-Costs.png" alt="Disaster Recovery Plan - Notification Costs" width="900" height="461" \/>\r\n\r\n<b>4. Post-Breach Activities<\/b>\r\nThese are the activities you do after a breach has been detected and you've notified customers.\r\n\r\n<img class="aligncenter size-full wp-image-14966" src="https:\/\/pagely.com\/wp-content\/uploads\/2018\/06\/Disaster-Recovery-Plan-Ex-Post-Response-Costs.png" alt="Disaster Recovery Plan - Ex Post Response Costs" width="900" height="447" \/>\r\n\r\nThis includes things like:\r\n<ul>\r\n \t<li>Help desk<\/li>\r\n \t<li>Inbound customer support communications<\/li>\r\n \t<li>Investigation into the cause of a breach<\/li>\r\n \t<li>Remediation work<\/li>\r\n \t<li>Hiring legal representation<\/li>\r\n \t<li>Offering product discounts and refunds<\/li>\r\n<\/ul>\r\nBasically, anything you do to clean up after the fact--including trying to salvage your customer relationships--falls into this category.\r\n\r\n<b>5. Other Factors That Influence Cost<\/b>\r\nThe chart below breaks down some other factors that could positively or negatively affect the total costs of a breach.\r\n\r\n<img class="aligncenter size-full wp-image-14967" src="https:\/\/pagely.com\/wp-content\/uploads\/2018\/06\/Disaster-Recovery-Plan-Financial-Factors-of-Breach.png" alt="Disaster Recovery Plan - Financial Factors of Breach" width="900" height="633" \/>\r\n\r\nThe things that could increase costs:\r\n<ul>\r\n \t<li>Identity protection services<\/li>\r\n \t<li>Hiring of a consultant<\/li>\r\n \t<li>Mismanagement of notifications<\/li>\r\n \t<li>Extensive use of mobile systems to manage data<\/li>\r\n \t<li>Failure to follow compliance regulations (like <a href="https:\/\/pagely.com\/blog\/gdpr-wordpress-2018-resources\/" target="_blank" rel="noopener noreferrer">GDPR<\/a>)<\/li>\r\n \t<li>Third-party involvement<\/li>\r\n<\/ul>\r\nThe things that could decrease costs (that have to be done before a disaster arises):\r\n<ul>\r\n \t<li>Employing an incident response team<\/li>\r\n \t<li>Utilizing extensive <a href="https:\/\/pagely.com\/blog\/http-vs-https\/">encryption<\/a> in your systems<\/li>\r\n \t<li>Implementation of an employee security training program<\/li>\r\n \t<li>Installing and monitoring security analytics<\/li>\r\n \t<li>Protecting your business assets with insurance<\/li>\r\n<\/ul>\r\nAs you can see, a lot of this goes beyond the basics of what you think about when it comes to securing a WordPress website. That's not to say that what you've been doing up until now isn't right. It's more that, if your company stands to lose a lot from a data security breach or any serious amount of downtime, there's much more you should do to prevent, detect, and remedy the situation.\r\n<h2>Your WordPress Disaster Recovery Plan: A Checklist<\/h2>\r\nNo matter how serious of a disaster your business is faced with, it can't afford the consequences. Even if no sensitive information is compromised or leaked, there are other costs to contend with that add up.\r\n\r\nHere's what you can do about it:\r\n\r\nDon't panic. Disaster will happen at some point, so there's no sense in worrying endlessly about the risk. But don't completely ignore the possibility either. Instead, turn to your disaster recovery plan. This checklist includes all the steps you should take before, during, and after a disaster as you aim to recover from it.\r\n<h3>Conduct a risk assessment.<\/h3>\r\nAre there any gaps in security? Has your site been attacked within the last two years (which increases the chances of recurring attacks)? Is your industry at high-risk for attack? These kinds of questions will help you determine the likelihood of an attack and, consequently, focus on your weak spots.\r\n<h3>Conduct a business impact analysis.<\/h3>\r\nIf your site were to go down, how much would it reasonably cost your business to bring it back up? If data were to be compromised, do you know how much would it cost to not only recover the website, but to pay for damages caused by the lost data? Can your business handle these costs? And how much time could your business stand to be without a website before you're forced to close up shop permanently?\r\n\r\nFigure out this threshold and plan the rest accordingly.\r\n<h3>Define possible disasters.<\/h3>\r\nBusiness disasters, in general, come in a broad list of forms. Website disasters, however, typically fall into one of a small handful of categories:\r\n<ul>\r\n \t<li>Coding error<\/li>\r\n \t<li>Software conflict<\/li>\r\n \t<li>Malicious coding<\/li>\r\n \t<li>Malware, ransomware, spam, or other content infection<\/li>\r\n \t<li>DDoS attack<\/li>\r\n \t<li>Organic surge in traffic<\/li>\r\n \t<li>Natural disaster (server-side)<\/li>\r\n<\/ul>\r\n<h3>Lay down a strict security protocol.<\/h3>\r\nA lapse in security is just one reason for disasters, but it's a big one, so it deserves its own category. If you haven't done so already, <a href="https:\/\/pagely.com\/blog\/3-simple-wordpress-security-tips\/" target="_blank" rel="noopener noreferrer">lay down a strict security protocol<\/a> both inside and outside your WordPress site.\r\n<h3>Create stricter access rules.<\/h3>\r\nIf you aren't already, be very careful in <a href="https:\/\/pagely.com\/blog\/wordpress-roles-capabilities\/">choosing who receives full access to your WordPress site<\/a>. By establishing more granular levels of access that keep users relegated to only the most relevant parts of WordPress, you can prevent the chance of user error from affecting your site.\r\n<h3>Schedule backups.<\/h3>\r\nOne of the key elements in quickly restoring a damaged WordPress website is the backup. By creating and storing backups of your website on a separate cloud-based platform, you can effectively recover your online business in minutes. Not hours or even days. Make sure you have these scheduled to occur frequently (at least once a week).\r\n<h3>Select monitoring methods.<\/h3>\r\nIt's not sufficient to install a security plugin and call it a day. You need to monitor your website for all kinds of disasters, which means employing tools like uptime monitoring, malicious threat detection, security analytics, database change alerts, and so on. Automate these monitoring methods and set your tools to notify you on a daily basis of any issues. Serious issues detected should be delivered to your inbox in real time.\r\n<h3>Define the recovery process.<\/h3>\r\nThe steps you take during a website recovery will, of course, be dependent on what sort of disaster you face. Cover all your bases and create robust documentation that lists out every step that needs to be taken, and by whom, in order to restore your website from a server outage, an injection of malware, a total site takedown, etc. You must be prepared for every scenario imaginable.\r\n\r\nStart with your list of possible disasters and develop a custom response for each.\r\n<h3>Designate a disaster response team.<\/h3>\r\nYou can't just leave it up to machines to monitor and manage disaster threats. If your organization is large enough where the loss of data or a serious bout of downtime could cost you tens or hundreds of thousands of dollars (or, gulp, millions), you can't afford to be without a disaster response team. They will be responsible for watching over your website and responding immediately after a threat is detected.\r\n<h3>Train everyone else.<\/h3>\r\nEmployees as well as any third-party contributors or partners should be well-trained in disaster recovery and preparedness. This means educating them on security best practices as well as teaching them to spot the signs that something is wrong.\r\n<h3>Create a list of contacts to repair the damage.<\/h3>\r\nThis is something that comes in handy for a traditional disaster recovery plan as the loss of equipment or workspace can disrupt one's ability to communicate. That said, having a list of contacts for your WordPress site is important as well. In this case, your list will include individuals like:\r\n<ul>\r\n \t<li>Your <a href="https:\/\/pagely.com\/">web hosting<\/a> company's support number or live chat link.<\/li>\r\n \t<li>Your incident response team.<\/li>\r\n \t<li>All the administrators of your website.<\/li>\r\n \t<li>The owner of the website (if it's not your own).<\/li>\r\n \t<li>Employees who may have to deal with the cleanup or response.<\/li>\r\n \t<li>Your company's legal team and other disaster recovery advisors.<\/li>\r\n<\/ul>\r\nThey should be informed immediately so as to reduce the amount of time a disaster remains unchecked.\r\n\r\nYou should also have your business's financial institution and credit reporting bureau on speed-dial. If your business's financial data should get hacked, you're going to want to save your assets as soon as possible.\r\n<h3>Create a list of contacts to notify about the damage.<\/h3>\r\nYou should have your contact lists stored somewhere outside of WordPress:\r\n<ul>\r\n \t<li>Clients<\/li>\r\n \t<li>Prospects<\/li>\r\n \t<li>Newsletter contacts<\/li>\r\n \t<li>Warm leads<\/li>\r\n \t<li>Cold leads<\/li>\r\n \t<li>Business partners<\/li>\r\n \t<li>Employees<\/li>\r\n<\/ul>\r\nAnyone who could potentially be affected by a data breach from the website should be notified. However, keep in mind that you shouldn't respond in haste. Get all the details, assess how widespread the damage is, and take time to craft the appropriate response. You should have a support team immediately ready to step in and handle any backlash, too.\r\n<h3>Test your preparedness.<\/h3>\r\nAt least once a year, schedule a preparedness test for your WordPress website. This should help you determine how prepared your site is to handle a disaster. You can do this by:\r\n<ul>\r\n \t<li>Stress-testing your server.<\/li>\r\n \t<li>Attempting to log into the admin with the wrong credentials repeatedly.<\/li>\r\n \t<li>Digging into the backend of the site for revealing details that help others gain access.<\/li>\r\n \t<li>Incorrectly editing the code in the database.<\/li>\r\n \t<li>Submitting a spam comment to a blog post.<\/li>\r\n<\/ul>\r\nThink about where the most common threats come from and find a way to replicate them on your site. Of course, to keep your site safe from any damage you could do during the test, create a duplicate of it in a staging or local testing environment. Then, test your preparedness from there.\r\n<h3>Switch hosts.<\/h3>\r\nThis step is optional, but it's one I'm going to suggest you strongly consider now as it could improve your chances to prevent and be prepared for disaster in the future.\r\n\r\nTake, for instance, how <a href="https:\/\/pagely.com\/blog\/pagely-customers-spared-effects-of-latest-wp-vulnerability\/" target="_blank" rel="noopener noreferrer"> Pagely's customers avoided disaster in early 2017<\/a>. There was a vulnerability introduced to all WordPress sites by the REST API. However, Pagely took measures to patch its own servers with a Web Application Firewall in order to keep its customers safe.\r\n\r\nIf your web hosting company doesn't prioritize security or provide assistance in the case of a disaster, then it's time to look elsewhere. You need a partner who wants to see your website and its customers kept safe.\r\n<h2>Wrap-Up<\/h2>\r\nPreparing for disaster requires a lot of foresight and planning. If you want to decrease the likelihood of a disaster reaching your WordPress website, or, at the very least, reduce the costs to you and your business as a result of one, you must be prepared with a disaster recovery plan.\r\n\r\nRemember: don't just focus on the post-disaster recovery piece of it. The more you can prepare ahead of time, the more you can do to actively prevent disaster, and the closer of an eye you can keep on everything, the more quickly and positively you can resurface after it.\r\n\r\nOf course, all of this requires a lot of time and resources to do it right. If you're looking for assistance, <a href="https:\/\/pagely.com\/" target="_blank" rel="noopener noreferrer">Pagely's managed WordPress hosting<\/a> is a valuable resource for security, monitoring, and support.