12 simple steps to bulletproof wordpress backups

Safety Nets: Crafting the Ultimate WordPress Backup Strategy

Blog Audio: Read/listen time: 22 minutes

I think you’ll agree with me when I say:

It’s very hard to have 100% confidence in your wordpress backups. To know absolutely that if anything goes wrong, at any time, that your safe.

But it doesn’t have to be that way.

This guide gives you 12 simple steps that you can complete today, to ensure that your website is safe should something go wrong. We are going to show you an easy process to avoid ever losing information again.

We promise to include links to any plugins you might need and any advice we think you can’t do without and, if for some reason you would like me to take care of your WordPress website maintenance for you thats fine too! Let’s get started!

1. STOP. Run a website backup. Then,  run another

If your thinking:

but I don’t know how to backup my website

Don’t worry.

Read this guide before doing anything else to your website and you will have a bulletproof system for keeping your website safe.

If you are a reader who already has some kind of backup system in place for their website but wants to learn a bit more, then great. Please go to your website now and ensure you run a full backup of your site, then, run another one. Keep one on your server and download one of them to your computer or a third party location like Dropbox.

Done? Great, let’s get to it

We have just learned the key and probably the most single important rule of backing up a website.

If you are altering any critical files, changing structure or doing anything time intensive or with far reaching repercussions if something goes wrong, run a backup first.

The rules change a little between when you are working on your own site and when you are working on a client’s site. Although it is good practice to backup any site before working on it, the repercussions are different when working on a client site. When I log into a client website before I literally do anything at all I run a backup, not only does this give me a savepoint it is also proof of the condition of the site when I first logged into it.

We are only human

Sometimes the best of us press the wrong key, clicks on the wrong button or simply has a moment of questionable sanity. The peace of mind that comes from having a backup you made 2 minutes before you accidentally deleted every post on a website is invaluable. Frequent backups will prevent loss of time, money and prevent getting shouted at by your client or colleagues. If in doubt back it up!

Recommended WordPress backup plugins:

Backup plugins provide an easy to use interface for those who are less ‘techy’ and don’t understand working server side. For those of us that are techy and do understand working on a server, backup plugins provide valuable insurance in terms of having scheduled multiple backups. Either way, having a reliable backup plugin on your WordPress website is a no-brainer.

Not sure what plugin to use?

There are loads of plugins out there and it can often be difficult to work out which one is reputable, reliable and provides the functions that you may want and need. Largely finding the right plugin is trial and error but there are some shortcuts you can use to find the right one.

Use these shortcuts to find a reputable WordPress backup plugin

Step 1

From your dashboard (when logged in) click on Plugins>Add New.

Screenshot of WordPress dashboard showing selected menu item to 'Add New' plugin.

Step 2

Type ‘Backup’ into the search bar and press return.

Screenshot of 'Add Plugins' screen in WordPress dashboard. The screenshot shows where to add search terms to find a plugin in the WordPress repository.

Step 3

Look at the search results and use the statistics shown to weigh up whether you should try a plugin.

Screenshot of WordPress dashboard where you add plugins. The screenshot draws attention to how many installs a plugin has and when it was last updated.

Always look at the ‘number of installs’. A larger number is generally better. Look at when the plugin was last updated. More recent is better. Lastly look at if the plugin is reviewed highly and by a large number of people.

Use your intuition

Find what you think is a good balance between these statistics and that will be your plugin of choice. Click on ‘install now’, activate it and run a backup. The instructions for doing this will vary based on your chosen plugin and information will be available from that plugin provider by clicking on ‘more details’.

We use WP All in one migration on most of our client sites and have found it really useful for not only backing up to file and Dropbox ( a cloud storage service ) but also for scheduling and restoring backups as and when needed. Updraft plus is also really popular.

2. Keep your website software, plugins or modules updated

Modern websites often run on very sophisticated bundles of software. Software, being written by humans often contains errors, security vulnerabilities and more.

Don’t advertise your weak spot

When these vulnerabilities are discovered they are often published online for anyone to read and as such, it is of paramount importance that your website is updated to remove those vulnerabilities before hackers attempt to exploit them.

But that’s not all…

Failure to keep your site updated may result in loss or theft of data, loss of income, defacement or even deletion of your site.

This will only happen to you once before you realise that it is way cheaper to keep your site updated with a website care plan than to try and repair or rebuild it after something has gone wrong.

dashboard for wordpress updates

So, what can you do?

Quite simply you can either manually or automatically keep your WordPress core and your WordPress plugins updated. You can do this yourself or you can employ a third party to do this on your behalf.

Stick with us and we will show you exactly how to backup your site and what resources you may need.

Want some extra reading?

It is always useful to stay up to date with security practices and other relevant information. You can do that by keeping an eye on the WordPress news blog and also by looking at a leading company who operate WordPress security plugins, like the Wordfence blog.

3. Maintain backups of both the WordPress files and WordPress database

If you’re thinking…

This is going to be difficult, here comes the jargon. I won’t be able to do this…

You can do this!

We will walk through some really simple steps with pictures and notes so that in about ten minutes time you will know exactly how to do these things for yourself.

Some WordPress plugins such as WP All in one migration, for example, may run a complete all in one backup which includes both a copy of your website files and also a copy of the WordPress database. These backups are normally intended to be imported by the same plugin if everything goes wrong or if you simply want to roll back to a point before you made a mistake or deleted some content you wanted to keep.

What’s the catch?

Plugins do occasionally experience problems, errors, vulnerabilities etc. That is one of the reasons why I advise that you not only use a plugin to run a backup on some kind of schedule but that you also run server-side backups of both your files and your database manually.

If for some reason your plugin created backup fails or becomes corrupted you have an alternative method of recovery to attempt. It may just prevent you pulling all your hair out or throwing the computer out the window.

Let’s do this together

Firstly let’s take a backup of your database. My assumption here is that you are using the industry standard software on your server which is CPanel. CPanel, simply put is the web hosting industry’s most reliable, intuitive control panel and has been in use since the late 1990’s. It is the most likely bit of software you will find that gives you access to managing your server.

Step 1 – Log into your Cpanel/server

When you set up your hosting account or even if it was done for you by a web designer you should have a login and password for your server. This is not the password and login you use for WordPress or your content management system but the details given for accessing your server.

If you don’t have the login details you should be able to get these from your web designer. You will need:

  • The URL that you log in to. This is a web address for your server login
  • Login name
  • Password

Use your login details to log into your CPanel account.

Screenshot of cPanel login screen. No credentials have been added to the form fields. Orange cPanel logo on light grey background, white fields with blue login button below them.

Step 2 – Open PHPMyAdmin

When you are logged in to CPanel you will see a screen full of icons. Look for the one called phpMyAdmin and double-click on it.

Look at the green arrow in the image to see what the icon looks like.

Screenshot of a Cpanel dashboard with attention drawn to an icon that leads to a program called phpMyAdmin.

Step 3 – Find your database

Select the database being used by your WordPress installation. Most people only have one website on their hosting package and if that is the case for you, you will only see one database listed. Click on it once.

Screenshot of phpMyAdmin dashboard showing the process for exporting a database.

Step 4 – Run backup

Now you have clicked on your database and it is selected (you will see all the table names listed below the database name) click on the ‘Export’ tab at the top of the window.

Look at the image here and the export tab should be where the green arrow is pointing.

Screenshot of phpMyAdmin showing a highlighted tab called 'Export'

Step 5 – Press go

Leave the default options alone unless you know what you are doing. Click on ‘Go’ and your database will be exported to a file.

Screenshot of phpMyAdmin export process and a button marked 'Go'

Step 6 – Save it

When the save dialogue box appears click on ‘save file’ and then ‘OK’ and your file will be saved to your computer.

We recommend running at least two exports and then saving them in two separate locations. Preferably at least one physical and one cloud location.

Screenshot of Microsoft Windows dialogue window for opening or saving a file to your computer.


We are nearly done.

Next, we need to download a copy of the physical files on your server. Both the database backup you made a moment ago and the files are needed to be able to restore your site if something goes wrong.

Step 1 – Go to File Manager

Logged in to CPanel, click on the ‘File Manager’ icon. The green arrow shows you what the icon looks like. Its position in your CPanel may be different but the icon should look the same.

Screenshot of phpMyAdmin dashboard with attention drawn to an icon called 'file manager'

Step 2 – Select your website files

Click on ‘public_html’ on the left side of the window. All the fils listed in that directory should now be listed to the right.

Screenshot of website directory structure with attention drawn to 'public_html'

Step 3 – Highlight your website files

Highlight all the files on the right-hand side by clicking on ‘Select All’. The green arrow in this image shows you where that is.

Screenshot of website directory structure with all files in a folder selected.

Step 4 – Compress the files for download

Click on ‘Compress’. This will combine all the files into one big zip file (compressed archive of multiple files) which you can then download.

Screenshot of website folder structure with selected files and attention drawn to a button called 'compress'

Step 5 – Download the files

Download the file by clicking on ‘Download’. See the green arrow for the location of that option.

Screenshot of a website directory structure including a selected zip file and attention drawn to a button called 'download'

Step 6 – Save the files to your computer

Click ‘Save As’ and ‘OK’ to save the backup of the files to your computer or a location of your choice.

Screenshot of windows dialogue allowing user to set save location of a downloaded file.

Well done!

If you have followed the steps above you now have a backup of your WordPress database and you have a backup of your website files. Already you are in a much better situation than you were when you started following this guide.

Whatever happens now, you have a way to restore your website.

Not only that

You have done the hardest part of backing up a website. From here on in everything gets much easier!

4. Maintain website backups at a frequency which reflects the value of your site

You’ve got a plugin and some backups. What now?

Set a backup schedule that is proportionate to the importance of either the data, or the function of your site. The higher the level of importance and or value, the more frequent your backups should be.

So, what does this mean for you?

This is quite subjective and your chosen backup frequency may be monthly, weekly, daily or even hourly. This is down to you and how much time/data you are willing to lose if everything goes badly wrong and your website blinks out of existence.

Backup frequency is set by how much data, reputation or income you are willing to lose

It isn’t a frequent occurrence for a website to just disappear but it can and does happen and you can rest assured that it will be when you least want it to happen.

Sometimes, despite the best care plan being in place if an individual is intent on breaking into your site and damaging it then they will achieve it.  Pretty much like house security, we can reduce the risks of burglary but if someone really wants to get in they are going to. The same goes for websites.

How can you actually use this?

To get a quick answer to how often you should backup and maintain your site you can use this useful infographic:

Flowchart allowing user to determine how often they should update their website.

5. Maintain as many backups as you can. Going as far back as you can

Why does this matter?

  • What happens if you find out that your website has been hacked because of a weakness that was exploited 6 months ago?
  • What if you only keep 30 days of backups?

A lot of hosting companies offer backup systems and lots of companies and freelancers will happily keep backups for you. BUT, and it is important but. How many backups do they keep? How far back do the backups stretch?

Many websites for small businesses run on shared hosting accounts which often have a limited amount of storage space meaning that it is unlikely going to be enough storage space to keep a year of backups.

How can you get around this limitation?

You may not have the chance to keep many backups so use an off-site or cloud service like Dropbox to store your backups. If you have a business Dropbox account you will likely have enough storage space to mean that you almost never will have to remove a backup. We recommend no less than 6 months of backups. Preferably a year.

Dialogue for creating wordpress backups using the WP All in one migration plugin

What’s the real story?

It is not unheard of for a website to become defaced, deleted or damaged from a vulnerability that was present 6 months before. The hacker may have left malicious code sitting in your database for many months before exploiting it. There is no point restoring a backup that has this vulnerability or malicious code in it and as such you need to roll back to a date that predates that vulnerability.

You did keep those backups, right?

When backing up our client sites we keep multiple copies in multiple unconnected locations which stretch back between 6 months and a year. More in some cases depending upon what was agreed with that particular client and in line with the profile and value of that site.

6. Keep your backups in multiple physical and cloud locations

You might be wondering:

How do I keep my website backups safe from accident, disaster and failure?

If you are a business with buildings in multiple locations this is as straightforward as mirroring your data to multiple locations over the web and by supplementing with professional backup services/cloud services.

But what about an SME or home business?

You may be able to keep backups at family members houses and you can certainly keep your backups in the cloud using Dropbox or similar. If you absolutely cant keep backups in a building far away from your own then it is prudent to get yourself a firesafe.

It sounds quite grand but a firesafe can be as small as a briefcase and cost as little as £30. Such a device will allow you to keep backups safe from fire for approximately 30 minutes. Not the ideal solution but certainly better than nothing. If you really cant keep your backups in multiple locations then your only real option is to use professional backup services and cloud services such as Dropbox, Google Drive etc.

Sentrysafe lockable portable firesafe about the size of a sheet of A4 paper. Beige colour with black lock and silver keys in lock.

Here’s what we do:

When we back up our files or those of clients we ensure we keep multiple copies of those files.

Technology is flawed because it is built by humans. Sometimes a hard drive will fail. It may be a raid array with mirroring and both volumes may corrupt or fail at the same time. Often drives in raid arrays are purchased out of the same batch and bought and fitted at the same time. As the drives experience the same environment and stress it is not unknown for those drives to fail simultaneously.

Avoiding disaster

To avoid a disaster such as fire, flood and theft. We keep physical copies of backups in two locations which are not in the same building. This means that if there is fire, flood or theft we have a copy of our data intact.

Just in case it is a really big flood or fire and in the unlikely event that both locations are hit we also keep duplicate backups in the cloud using a professional system with redundancy and backup systems of its own.

You cant be too careful. You know that someone is going to pour coffee into your office NAS or the cat is going to knock your home backup drive off the desk. Ensure you have a copy elsewhere to guard against disaster.

  1. Computer
  2. Local Network drive (RAID Array with redundancy)
  3. Cloud backup (Synced with redundancy)
  4. Remote Network Drive (RAID Array with redundancy)
  5. Fire Safe (Physical non-network connected manual backup)

Diagramme showing 5 locations of data. 1. PC 2. External drive 3. Cloud 4 NAS drive 5. Firesafe.

7. Keep any backup drives physically secured

Local security doesn’t have to be difficult or expensive. Almost all computers and peripherals these days will come with a Kensington Lock ‘hole’. All you do is connect a Kensington Lock or third party security cable to your device and then attach the other end to the nearest heavy immovable object.

It isn’t foolproof security but it is one more layer of inconvenience which may result in the thieves picking up a different item which isn’t tethered. Your office is lockable too right? I don’t want to reveal our security precautions in too much depth but there are definitely heavy chains and dogs and zombies…..and lava. You just can’t be too careful.

If you store backups at another location (you should be) then you also need to ensure that their security is also up to scratch. You likely have a data protection policy? Does it include physical security? Probably worth having a look at that.

Look after your data.

Kensington lock security cable used for backup security

8. Keep data encrypted

If someone does steal your data what will they have access to? Your client data, accounts, security information? Make sure your backups are encrypted to a recognised standard. Many computers and network drives support this with built in software these days and it may be as simple as putting a tick in a box.

Don’t let anyone access your clients/customers data if they steal your drives. That goes for laptops and thumb drives etc. too.

9. Ensure your backups are secure physically and are scanned frequently

Not only do you need to keep things chained down, you need to scan them frequently for viruses, Trojans or to check the drives for errors and signs of imminent failure.

Most NAS drives will allow you to monitor drive health and to run scheduled virus scans. I recommend that you do this but also be very wary of overreacting to issues raised by a potentially over sensitive virus scanner.  You wouldn’t be the first or the last person to delete perfectly good files without reason because a virus scanner has labelled it a threat.

Be aware too that many virus programmes won’t scan zip or archive files over a certain size. Backups can often run into hundreds or thousands of megabytes and if your scanner ignores any archives over 50mb then you have a problem.

nas drive virus scan dialogue

10. Keep at least one backup which is not network connected or mapped to any computers

In these days of ransomware, it is also advisable that you have a backup which is not mapped to any of your computers. When you map a network drive to a computer you put a log in and password into your computer that gives it access to that drive. Should you fall foul of ransomware that login and password can then be used by the ransomware to encrypt your mapped drives.

We have backup volumes which are on the network but not mapped to any computers for access. This helps give you some degree of protection if one of your PC’s is compromised and has logins and passwords for all the drives mapped to it. We also have backups which aren’t connected to our network at all and this kind of isolation is the holy grail of guarding against volume encryption by ransomware.

If the worst happens and your computers are attacked and encrypted you could in theory junk all those hard drives and restore all your information from your non-network connected backups.

11. Have a plan in place (which you have rehearsed) to recover your website

Literally, mirror your site to a subdomain or run a copy locally on your computer using WAMP (Windows) or MAMP (mac) and practice restoring a backup. See what works, what doesn’t and it will give you a good learning experience.

It is a good idea to document the process and produce a flowchart of tick list of items specific to that particular website just in case there are any unique issues or considerations to take into account that you may not worry about on other sites. If you’re ill then one of your colleagues can carry out the same process with the benefit of your learning.

12. Don’t ignore your systems

Put all these systems in place and periodically (as in putting it in your calendar as a recurring event) check that your backups are actually being saved, that they are actually being backed up to your alternate locations and that your backups actually work and are not corrupted. Try restoring one to a local copy of your website to ensure your backups are effective.

Many years ago before I maintained websites on behalf of other people I found out by pure chance that my backup NAS had turned off 6 months beforehand. It made me feel nauseous and as a result, I set up all manner or checks and notifications to ensure it never happened again. Always a good idea to have your NAS send you an email after a successful backup routine has run or on any errors or problems. You can get your website or server to do this for you using a plugin or a cron job on your server. You won’t regret it.

Thanks for reading this blog post about WordPress Backups. The above steps are easy to follow but if you don’t have the time, or you would rather someone else do this work for you then please give Paul a call on 01903 527927 and we can get your site backed up right now and keep your site updated and cared for moving forwards.

Thanks for your time.