If you’re asking what is the best way to back up a WordPress website, then you’ve made a good start. That means you know backing up your WordPress website or blog is necessary. You just want to know which option works best for you. We’re here to help you answer the question.
In this blog post, we explain why backups are a neglected but vital aspect of your WordPress website security and maintenance routine. First, we outline the detrimental effects of neglecting to establish a secure backup system and what you stand to lose. But before you rush to solve this problem, you need to know what backups are and exactly what to back up. We also suggest some basic strategies to help you select the best solution for your WordPress website from the various backup methods. Finally, we help you reflect on the bigger picture of what you need beyond backups to reinforce your website security strategy.
Why bother with WordPress backup?
Backups are an absolute necessity for your WordPress websites and blogs because of the sheer volume of potential scenarios that could put your WordPress online content in jeopardy. Server crashes. Hosting and hard disk failures. Malicious hackers. Malware infections. Developer mistakes and accidental deletions. Corrupted or erased databases. Faulty plugins. Even data centre power failures. The list is endless.
The worst case scenario is that you lose all the content on your WordPress websites, such as web pages, blog posts, images, comments, and links. You lose your customized theme designs. But these are only the internal issues. Depending on your industry and sector, you may have payment and customer records, shipping addresses, the setup of e-commerce solutions, and other kinds of valuable data that could disappear forever. And, when it comes to customer data, along with loss of reputation and brand damage, heavy fines and other devastating sanctions could follow.
Maybe you’ve not yet encountered any content or data losses from your website. That’s great! Now is the time to choose and activate a WordPress backup strategy that puts you in charge. Do not rely solely on the backup on your own website or even on your website hosting company to make regular backups. Increase your control to decrease your risk from today. This is what you need to consider.
What exactly is a backup?
A backup is a saved copy or duplicate version of your website and its content. It acts as a failsafe mechanism and a precautionary measure that enables you to restore your WP site from a backup if something goes wrong, and you suffer a loss of content.
And what exactly needs to be backed up? In a word, everything! This most obviously includes the databases that store your WordPress content, usually in MySQL. This covers not only posts, users, comments, categories, tags, admin options and the rest. If you’re a health organization, for example, it can also include patient records. If you’re a university, then research, student lists and scores are at stake. Then, think of all the data that an e-commerce solution holds!
Individual website files also require backup. They provide your WordPress website with its structure and functionality. Examples include installation, themes, plugins, and code files. It is as vital to back up these files as it is your databases. One without the other will not allow you to restore your complete site. And a full backup makes restoration easier, whichever backup method you select.
The best backup approach for you?
Before we examine different backup methods, it’s important to look at the larger strategies behind them. For instance, backups provide a cure when something goes wrong. But there are additional, preventative security measures you can put in place to support your backup solution. This includes updating your plugins, using strong WordPress passwords, and changing the database prefix.
You need to consider issues of backup volume and frequency. How much data do you have? High volumes of data – due to images, videos or millions of customer payment records – require a strategy that combines different types of backup. This may involve a full backup of everything periodically (weekly, bi-weekly or monthly) plus incremental backups following a change to website files or databases. One strategy to reduce the backup size is to back up the current month’s uploads directory and keep an offline copy of all the previous ones. Certainly, we recommend you perform a backup before installing any new WordPress theme, upgrade or plugin in case a problem occurs.
It’s useful to reflect on how often changes occur on your websites. This will help determine how often you will need to back them up. How regularly do you blog? What’s the frequency of other site activity? How often are you prepared to perform updates? The answer to these questions depends on the nature of the websites themselves, the frequency of website updates (content and design/functionality), and the importance of the website to your organisation. The safest option is to back up each website every time you publish or update a post or page.
Finally, it is important to realize that your individual or organisational situation plays a part in backup method choice. What are your specific requirements? How much time do you have to invest in backup operations? What is your business size? What is your online security budget? How many websites do you have live and what is their priority and value? What stage are you at in your business growth? What is your level of technical expertise? These personal and circumstantial issues will help determine what method best suits you.
What are the different WordPress backup methods?
Now that you’ve reflected on the big backup questions, you can evaluate what is the best way to back up a WordPress website for your particular situation.
Manual backups
A manual backup of WordPress directory sub-folders can be carried out using cPanel, MySQL command line or phpMyAdmin. If you select this option, it is important to understand the basics of WordPress installation in order to complete a manual backup successfully. For more information on this, see WordPress backup blueprints to backup your WordPress manually.
Plugins
Plugins are software components that add functionality to your website. They are installed on your website and require third party storage. You need to monitor them yourself, conduct regular updates and stay alert for any problems updates cause. Since you may not be alerted if a plugin fails, the use of plugins can bring reliability problems. See How to choose the best WordPress plugins for your website for advice on how to search for and select the best plugin for your needs.
The hosting provider
Many WordPress web hosts are starting to offer automatic backups as a service. These are often sufficient for security purposes. While some WordPress-friendly hosting companies offer this service for free as part of the package, some charge an additional fee. Web hosts no longer store backups on the site by default. However, backups are accessed from the web host account, which means if that is maliciously hacked, the attacker has access to everything about the site, including the backups.
The backup provided will differ in quality and features depending on the host. Ideally, this backup should be conducted regularly (daily), fully (databases and files), on a separate server to your websites, and with other security measures in place. If all this is in place, using the host provider for your WordPress backup is a strong option. If you experience problems with your hosting provider, you can move to another within minutes, providing you possess a backup.
However, we still recommend that you use an additional third party service. The reason is that with some website hosting providers, generic technical problems may mean you cannot easily retrieve your website from their backup. They may have only backed up the database, not the files. They may be difficult to reach. Or, the issues may be from your side, so that your website host can’t access your account. These are unfortunate events for which you must prepare now.
An online service
This option has several advantages. It is an all-inclusive package. For example, security and related matters are all taken care of for you. Backups are stored remotely. Their reliability is always superior to plugins or web hosts because it is a specialist service. And you are advised immediately if something goes wrong.
WP White Security rate online WordPress backup services as the ultimate WordPress backup solution and recommend BlogVault. However, backups as an online service can prove more expensive than other methods, depending on the option you select. For example, BlogVault has packages that can cost from $7.40 per month (for website backup) up to $20.75 per month (for real-time backup and security).
Where should you store your WordPress backup?
Where your backup files are stored is of critical importance due to the security risks of storing your WordPress backup files on-site, that is, on your own website. This makes them susceptible to malicious hackers or anyone who wants to download your files. While most plugins suggest that you store the backups in a third party location, users are unaware of the dangers and tend to take the easiest option of storing the backup on the website.
Backup files and old revision files stored on site can be a source of many problems. Old revision files are typically created by developers when coding directly on live websites. For example, before making a change in the file index.php, developers make a copy of it named index.php.bak, so that if something goes wrong, they can easily restore the original file.
Both backup files and old revision backup files contain a wealth of information for hackers. The information in revision files depends on which file it is in, but it can include database connection details, WordPress authentication keys and salts, IPs allowed to access the dashboard, or a list of passwords for HTTP authentication. As already noted, WordPress backup files can contain all sorts of sensitive user information, such as passwords, account numbers, financial records and the website’s database.
One way malicious hackers work is to exploit the predictability of backup filenames on your WordPress site. They use a method called fuzzing – inputting massive amounts of data to a system – to automatically send thousands of HTTP requests to your WordPress site requesting probable file types. When the correct filename is sent, a download is initiated and the information stored in that file is captured.
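The probing described above leaves a recognisable trail in the web server access log. The following is an added example, not part of the original article: it flags clients that request several backup-style filenames and records any request that was actually served. The log lines are constructed, and the combined log format, suffix list and threshold are assumptions to adapt to your server.

```python
import re
from collections import defaultdict

# Combined log format: client, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# Assumed list of backup and revision-copy suffixes.
BACKUP_RE = re.compile(r"\.(bak|old|orig|sql|zip|tgz|gz)(\?|$)|~$", re.I)

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wordpress.sql HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /index.php.bak HTTP/1.1" 200 4096 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-config.php.old HTTP/1.1" 404 512 "-" "-"
198.51.100.20 - - [10/Mar/2024:10:05:00 +0000] "GET /downloads/brochure.zip HTTP/1.1" 200 90000 "-" "-"
198.51.100.20 - - [10/Mar/2024:10:05:03 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "-"
""".splitlines()


def find_backup_probing(lines, threshold=3):
    """Return {client: {"probes": n, "served": [paths]}} for clients at or above threshold."""
    stats = defaultdict(lambda: {"probes": 0, "served": []})
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a GET/HEAD line in the expected format
        client, path, status = match.group(1), match.group(2), int(match.group(3))
        if not BACKUP_RE.search(path):
            continue
        stats[client]["probes"] += 1
        if status == 200:
            # The file existed and was downloaded: treat its contents as exposed.
            stats[client]["served"].append(path)
    return {c: s for c, s in stats.items() if s["probes"] >= threshold}


if __name__ == "__main__":
    for client, info in find_backup_probing(SAMPLE_LOG).items():
        print(client, info["probes"], "probes; served:", info["served"])
```

A single legitimate download, such as the brochure in the sample, stays below the threshold and is not reported.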
It requires little technical ability and effort for malicious hackers to carry out this or similar attacks on your website. The best way to prevent such attacks is to save all your WordPress backups off-site and remove all old revision files. Always use a staging website. There are other reasons why backup copies should be stored remotely and never on your website. If your web server is down, then you cannot access the backups. Or, if there are technical problems, you lose your backups.
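To act on the advice to remove old revision files and keep backups off-site, you first need to find what is already sitting in the web root. The following is an added example, not part of the original article: it walks a directory tree and reports backup archives and revision copies, noting those that expose `wp-config.php` secrets. The suffix list and the sample tree are constructed assumptions.

```python
import os
import tempfile

# Assumed suffix list for backups and developer revision copies; extend to taste.
RISKY_SUFFIXES = (".bak", ".old", ".orig", ".save", "~", ".sql", ".zip", ".tar.gz", ".tgz")
ARCHIVE_SUFFIXES = (".zip", ".tar.gz", ".tgz")
# Constants from wp-config.php that the article says revision files can leak.
SECRET_MARKERS = (b"DB_PASSWORD", b"AUTH_KEY", b"SECURE_AUTH_SALT")


def audit_webroot(webroot):
    """Return sorted (relative_path, reason) pairs for files that should not be on-site."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            lower = name.lower()
            if not lower.endswith(RISKY_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            reason = "backup or revision copy in web root"
            if not lower.endswith(ARCHIVE_SUFFIXES):
                # Renamed PHP files are served as plain text, so check what they reveal.
                with open(full, "rb") as fh:
                    head = fh.read(65536)
                if any(marker in head for marker in SECRET_MARKERS):
                    reason = "revision copy exposing wp-config secrets"
            findings.append((os.path.relpath(full, webroot), reason))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample tree: two live files and three leftovers."""
    samples = {
        "index.php": "<?php // live file\n",
        "index.php.bak": "<?php // developer's copy before an edit\n",
        "wp-config.php": "<?php define('DB_PASSWORD', 'constructed-example');\n",
        "wp-config.php.old": "<?php define('DB_PASSWORD', 'constructed-example');\n",
        os.path.join("wp-content", "uploads", "site-backup.zip"): "PK constructed",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, reason in audit_webroot(site):
            print(f"{rel}: {reason}")
```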
You’ve backed up. Now what?
Whichever method of WordPress backup you select, you need to be able to test it regularly. This means testing that the backup is safe before restoring your website. It also means running regular test restores in an offline location to ensure everything included is properly backed up. If you frequently and properly back up your WordPress websites, you can restore them in an offline location and safely test your WordPress upgrades and customization there.
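A quick completeness check can run before every test restore to catch a backup that holds the database without the files, or the reverse. The following is an added example, not part of the original article: it inspects a `.tar.gz` backup for the site files and for a SQL dump that defines the core WordPress tables under any prefix. The archive layout (site files at the archive root plus a `*.sql` dump) and the sample content are assumptions.

```python
import io
import re
import tarfile

# Assumed layout: site files at the archive root plus one or more *.sql dumps.
REQUIRED_PATHS = ("wp-config.php", "wp-content/themes/", "wp-content/plugins/",
                  "wp-content/uploads/")
CORE_TABLES = ("posts", "users", "options", "comments")  # matched with any table prefix


def check_backup(archive_bytes):
    """Return a list of problems in a .tar.gz backup; an empty list means it looks complete."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        names = [m.name for m in members]
        for req in REQUIRED_PATHS:
            if not any(n.startswith(req) if req.endswith("/") else n == req for n in names):
                problems.append(f"missing files: {req}")
        dumps = [m for m in members if m.name.endswith(".sql")]
        if not dumps:
            problems.append("missing database dump (*.sql)")
        for dump in dumps:
            sql = tar.extractfile(dump).read().decode("utf-8", "replace")
            for table in CORE_TABLES:
                if not re.search(rf"CREATE TABLE `\w*{table}`", sql):
                    problems.append(f"{dump.name}: no CREATE TABLE for *{table}")
    return problems


def make_backup(files):
    """Build a constructed in-memory .tar.gz from a {path: text} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample content, not taken from a real site.
SITE_FILES = {"wp-config.php": "<?php", "wp-content/themes/t/style.css": "",
              "wp-content/plugins/p/p.php": "<?php", "wp-content/uploads/2024/03/a.jpg": "x"}
DUMP = {"db.sql": "".join(f"CREATE TABLE `wp_{t}` (id int);\n" for t in CORE_TABLES)}

if __name__ == "__main__":
    print(check_backup(make_backup({**SITE_FILES, **DUMP})))  # complete backup
    print(check_backup(make_backup(SITE_FILES)))              # files only, no database
```

This check complements a full test restore and does not replace it: it confirms the expected parts are present, not that the restored site works.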
It is also vital that you use multiple backup mediums. Use those listed here. If you don’t use an online service, use CD/DVDs, different hard drives, thumb drives, external drives, and your email account. Also, make multiple backup copies. WordPress recommends you use at least three. These three backups should be in three different places and formats, in case one of them is corrupted or damaged. And the backup process is best automated to reduce the amount of backup admin.
To conclude, on the topic of malicious hackers, backup protocols should form part of a larger website security programme. There are many tactics for making your WordPress website more secure or ‘hardened’, such as regularly updating and running less software. For example, remove or uninstall every file, plugin, theme or any other object that is not being used by the website. For details on these and other strategies, see The definitive guide to hardening WordPress.