Backup For Your WordPress Site

WordPresslogoOne of the most important and easily implemented security protections is data backup.  That’s right, backup is a part of a well crafted security program.  Because whatever the disaster, whether cyber-attack, theft, data corruption, hardware failure, fire, flood, or bad weather, having a good backup program means that you can recover from disaster and continue operations.

And one of the most important things to backup is often the most overlooked – your website!  With websites constantly in the sights of cyber-criminals your website could be the victim of defacement, rogue malware distribution, database exfiltration, or be used in a phishing scam or the distribution of illegal music, video, or pornographic files.  Recovering your website under these circumstances is most easily accomplished from a good backup of your website files and associated databases.

All websites can be backed up, and there are companies such as CodeGuard , DropMySite, SiteVault and that can back up any website from straight HTML sites to Joomla, Drupal, and even WordPress sites.

But for WordPress site owners, there is the additional options of adding this functionality through a WordPress plug-in.  All of these plug-ins will make a copy of your website and save the backup to the web server.  This is not optimal, as we will discuss in a minute.  Two of my favorite WordPress backup plugins are BackupWordPress, and UpdraftPlus.  Either of these programs will send you a copy of your backup to you by email, but Updraft will allow you to set up backup to cloud services such as DropBox, Google Drive, and Rackspace.

When setting up your backup, here are some important principles to follow:

  • Automate it.  If your backup solution requires a human to remember to do it manually, this is a recipe for disaster.  Humans are bad at automatic.  Machines are great at automatic.  Your backup plugin needs to automatically backup your site files and database on a schedule that you determine.
  • Double up.   Jack Schofield’s second law of computing says that “data doesn’t exist unless there are two copies of it.”  I have been recommending to my clients for years that there needs to be three copies of data:  the original, a local backup copy for quick restoration, and an online backup copy in the event of a disaster that would take out both the original and local copy, such as a fire, or burglary.  You should plan for this with your website backups too.
  • Location.  Many web site backups, such as the cPanel backup available from most hosts, and many FTP backup programs, and even some WordPress plug-ins, create a backup on the same directory as the site itself.  This is poor practice because if the hard drive fails or server crashes your backups are gone with the original.  And if your website is compromised by an attacker, your backups can be deleted or altered along with the main website files, and become unusable.  Your backup strategy should have your site files in three locations, the web server, on your personal computer (via email), and on a cloud storage service.
  • Verify.  This is the hard part.  You really need to restore your site to see if the backup is working.  This involves creating a test site location, restoring your site, and checking for full functionality.  How often this happens should depend on how much revenue your site is generating, or put another way, how much revenue you would lose if your site had to be built from scratch?

So that’s the scoop on backup for WordPress sites.  And believe it or not, it won’t take a lot longer for you to set up than it took to read this article.  But if you don’t feel confident doing this yourself, there are plenty of WordPress experts available to do it for you.  We certainly take care of this for our own WordPress clients, and could assist you, too.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at


Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.