Are WordPress Backups On Dropbox Safe?

Storing your WordPress Backups on Dropbox is a very good idea.

But how safe are they?

[gn_note color="#ffffff"]Note!

If you are not using Dropbox and BackWPup you might still be affected by the problem described in this article.

Please read the section at the end of the article for more information.[/gn_note]

It is absolutely essential that you store a copy of your WordPress Backup archives outside of your hosting account, i.e. on Dropbox, Amazon S3, Google Drive etc.

An Australian hosting company completely lost 4800 website sites after a hack. Everything gone!

We recommend that you use BackWPup to make scheduled backups of your WordPress site.

And we recommend that you store a copy of your WordPress Backup archives on Dropbox. Read this article for instructions on how to set it up.

But what happens if a hacker gains access to your WordPress site as an administrator?

The hacker will actually be able to delete all your backup archives via WordPress – including the backup archives stored on Dropbox!

delete wordpress backup from dropbox

Oh, dear!

[gn_note color="#ffffff"]Update!

The author of BackWPup has told us that the delete function most likely will be removed from the product.[/gn_note]

Fortunately it is very easy to restore the deleted backup files on your Dropbox account. This is one of the excellent features of Dropbox.

  • Log into your Dropbox account from a web browser.
  • Navigate to the folder with your backup files.
    dropbox backup folder
  • Click on the trash can to show deleted files.
    show deleted files
  • Right click on the deleted archive and click Restore to bring your backup archive back to life!
    restore wordpress backup archive
  • Restoring the file will not make it re-appear in the list of backups on the BackWPup panel in WordPress. However you can access the file from Dropbox.

Now you can go on to restore your WordPress site.

Bonus Tip

The team behind The WordPress Security Checklist has chosen to add another layer of separation – just to be extra safe.

Each of our websites has a designated, free Dropbox account to store backups on.

We also have a paid Dropbox account which we use to store our company files.

We then share the backup Dropbox folder for each website with our main Dropbox account.

share dropbox folder

Even if a hacker were somehow able to wipe out the entire Dropbox account from within WordPress, your main account would not be affected. You would have all your backup archives too since they would also be stored in your main Dropbox account.

[gn_note color="#ffffff"]Let’s just be absolutely clear!

As far as we know it is not possible for a hacker to gain access to your Dropbox account via an authenticated WordPress site!

However having an extra layer of separation makes you sleep better at night.

And we like sleeping well.[/gn_note]

Amazon S3, Google Drive etc Are Also Affected

If you are not using Dropbox this problem could still apply to you.

In fact for Amazon S3 you do not have an undelete function, so if a hacker deletes your backup archives they are gone!

If you are using another storage type please test this and leave a comment to let us know how the different types of storage are affected.

Other Backup Plugins Might Also Be Affected

We have been told that Backup Buddy also allows you to delete backup archives from the WordPress Administrative interface (but we can’t test and confirm this at the moment).

If you do not use BackWPup please test if you can manually delete backup archives on remote storage from within WordPress Admin… if you can you should contact the author of the plugin and request that they remove this functionality.

Please let us know in the comments which type of backup plugin you use and if it is affected by this problem.


Backups stored on Dropbox are safe!

If you use BackWPup and Dropbox you are fine.

If you use another plugin or storage facility:

  • Test if you can delete remote backup archives from the WordPress Administrative interface
  • If you can’t then you are safe
  • If you can then
    • Ensure you use a storage facility which has an undelete function
      If you are not then consider changing to one that does
    • Contact the plugin developer and ask them to remove that function


About Anders Vinther

Anders is on a mission to make it easy for you to secure your WordPress.

Let's make it harder for the bad guys!

Want More?

Sign up for our newsletter and we'll let you know when we have got new stuff about WordPress Security for you. See past emails.

Most Popular Articles – All Time

Most Popular Articles – This Week


  1. I use – and recommend – WPB2D (WordPress Backup to Drop Box Plugin) and it does not allow a user to delete the files, so it’s secure about this issue.

  2. Dropbox was compromised twice: (though the title is misleading). I do use (very) strong passwords, but they are no good when the server itself is breached…
    I now use (on a secured domain) for automated backups to Amazon S3 – yet, from the IWP-dashboard all my backups can be wiped out. I also use a plugin that emails the WP-database to different Gmail-accounts – unencrypted, so that is not secure either. And, some files/sites seem to become too large to be mailed…
    Also, with any back-up account being synchronized automatically: if the original files are deleted, then that removal is replicated – most likely before you notice. So, you need to copy the files, but manually remove older backups every now & then.
    Right now I rely on several backup-methods/plugins – there is just not one 100% secure/fail-safe method, it seems.

  3. Thanks for the tips Anders. I cetainly have ftp and database backups of my blog, but not stored in dropbox. Something to do in the quiet after-Christmas perioid I think :)

  4. Great post. The community needs to keep getting this message out there and this does in a real world way.

    A couple of other points I always advise are:

    1) Go through the exercise of taking a BackWPUp backup and restore it somewhere else to make sure you understand the recovery process. You can use your local host file to point to it for testing.

    2) For larger sites, consider a yearly backup of everything and limiting your daily backup to this year’s /uploads/ (e.g. 2012) . Smaller backups have less of a chance of failure.

    3) Keep a local copy of small, but critical files (e.g. most recent theme rendition and css ). No sense in going through a full site restore transfering a huge backup file for a tiny little css file that you botched up. It’s the difference between a 2 minute fix and a 2 hour exercise.

    Again, great post. Thanks for sharing.

  5. Anders

    Interesting Post.

    I’m curious, have you tried using the backups in conjunction with TrueCrypt? In essence you’d be creating an encrypted container within Dropbox. This container would only work when you’ve loaded it as a volume on your drive. Actually, the more I think about it, it probably wouldn’t work if the plugins are set up to automatically update.

    Going to have to download and play with it a bit.

    • Hi Tony,

      Thanks for stopping by (and tweeting too).

      I’m not too worried about the integrity of the backup archives when they are on Dropbox (although that is another valid point). I doubt Truecrypt in connection with backup plugins would work, but let me know how you go.

      I’m thinking that a grand survey of the available backup plugins to see which ones are susceptible to this problem might be in order… watch this space :-)

  6. Hi,

    Thanks for this excellent article. It’s very helpful and informative. I use dropbox for backup but in addition to dropbox, I suggest ftp backup also for safety purpose.


Speak Your Mind

   Login Using:


To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    Markdown is turned off in code blocks:
     [This is not a link](

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see