You need to back up the complete WordPress site on a regular basis.
You also need to store the WordPress backup safely outside of your hosting account.
Why WordPress Backup Is Important
No site will ever be 100% secure.
If your site is compromised you need to be able to restore it quickly. The quickest and safest way to recover after your site has been compromised is by restoring a good WordPress backup.
You need to keep a number of backups in case the attack on your site is discovered after some time.
You Might Also Want To Read
These are related articles that you might also want to read (all open in new tabs):
- How To Test Your WordPress Backup
- How To Restore A WordPress Site
- Are WordPress Backups On Dropbox Safe?
And if you have not done so already: Download the WordPress Security Checklist now. It’s free!
How You Complete This Security Checkpoint
It is important that your backup:
- Includes both your WordPress files and database.
- Is scheduled to run automatically.
- Stores backup files outside the public_html folder so they are not accessible from the Internet.
- Has a copy stored safely outside your hosting account in case everything in your hosting account is erased.
Daniel Hüsken has created a fantastic plugin – BackWPup – that does all this for you.
BackWPup can store your backup files in many different places: Folder, FTP Server, Amazon S3, Google Storage, Microsoft Azure (Blob), RackSpaceCloud, Dropbox and SugarSync. It can also send the backup by email.
You can use any of these places to store your backups, but at least one of them has to be outside your hosting account. We do not recommend that you email the backup. Email is not secure and your backup includes sensitive information about your WordPress site.
If you have no preference we recommend that you use Dropbox.
How Often Should You Back Up WordPress?
This is a very good question. It really depends on how often your WordPress site is updated.
If your site is updated daily we recommend the following backup schedule:
- A daily backup job, where you keep the last 14 backup files.
This will allow you to go back two weeks with daily changes.
- A weekly backup job, where you keep the last 12 backup files.
This will allow you to go back three months with weekly changes.
- A monthly backup job, where you keep the last 24 backup files.
This will allow you to go back two years with monthly changes.
If your WordPress site only changes weekly you can consider not scheduling the daily backup job.
What Should You Back Up?
If your WordPress site contains a lot of media files that rarely change you can consider backing up those files manually or only in the monthly backup job to save space.
Datafeedr Tip!
If you have many products in your store consider leaving out the store folder from your backup. All files in this folder can be re-downloaded with very little effort. Remember to back up your merchant logos if you have created any yourself!
How Do You Set Up Your Backups?
Follow these steps to set up your backup correctly:
- The default setup for BackWPup is to store the backups in your wp-content folder.
The backup files contain sensitive information about your site, so you want to store the backups outside the public_html folder.
This way the backup files will not be accessible from the internet.
In your hosting account create a folder at the same level as the public_html folder to hold your backup files.
Then create a folder for each type of backup job you wish to create: daily, weekly and monthly.
- Install and activate the BackWPup plugin.
- Go to Settings.
Enter the path to your log files. Note that the log files from all three types of jobs will be stored in the same folder – the backups folder.
- Delete the folder(s) BackWPup automatically created in wp-content.
Note that part of the name is random, so yours will be different.
If you have two folders with similar names delete both.
- Add a new job.

- Give the backup a name.

- For Job Type we recommend you only select Optimize Database Tables and Check Database Tables for the monthly job.

- Activate scheduling and select the time interval you require.

- Optionally exclude selected folders.
Tip! If you use a caching plugin exclude the folder for the cached files. They will typically be in the Content section.
Datafeedr! Exclude the store folder.
- Enter the location to store the backup files in. This is for the copy of the backup file stored in your hosting account.
Select the number of backup files to keep.
- Click Authenticate in the Dropbox section and follow any prompts to log in to Dropbox.
Enter the path you wish to store the backups in and the number of files to keep.
- Click Save Changes.
- Create jobs for the Weekly and Monthly backups. Keep 12 backup files for the weekly backup and 24 backup files for the monthly backup.
Remember to select Optimize Database Tables and Check Database Tables for the monthly job.
- Run each job once manually.

- Verify that the backup files are created successfully – both the file in the hosting account and in the Dropbox account.
Also check that the file sizes are not 0.
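The checks this checkpoint asks for (backup folder outside public_html, retention of 14/12/24 files, no 0-byte archives) can be scripted and run from your hosting account. This is an added example, not part of the original article or of BackWPup; the function names and the archive extensions matched are assumptions.

```shell
#!/bin/sh
# Added example: audit backup folders laid out as in step 1
# (backups/daily, backups/weekly, backups/monthly next to public_html).

# Succeeds only if $1 (backup dir) resolves to a path outside $2 (web root).
# Symlinks are resolved first, so a link placed inside public_html is caught.
outside_webroot() {
    b=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    w=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$b/" in
        "$w/"*) return 1 ;;   # inside the web root: reachable from the internet
        *)      return 0 ;;
    esac
}

# Succeeds if $1 holds at least one archive, none is 0 bytes,
# and no more than $2 archives are kept.
# Assumption: archives end in .zip, .tar, .tar.gz or .tar.bz2.
check_job() {
    dir=$1; keep=$2; count=0; bad=0
    for f in "$dir"/*.zip "$dir"/*.tar "$dir"/*.tar.gz "$dir"/*.tar.bz2; do
        [ -f "$f" ] || continue          # unmatched glob or not a file
        count=$((count + 1))
        [ -s "$f" ] || { echo "EMPTY: $f"; bad=1; }
    done
    [ "$count" -gt 0 ] || { echo "NO BACKUPS: $dir"; bad=1; }
    [ "$count" -le "$keep" ] || { echo "OVER RETENTION ($count > $keep): $dir"; bad=1; }
    return "$bad"
}

# Audit all three jobs under $1 against web root $2,
# using the retention counts recommended in this article.
audit() {
    root=$1; web=$2; rc=0
    outside_webroot "$root" "$web" || { echo "EXPOSED: $root is inside $web"; rc=1; }
    check_job "$root/daily" 14   || rc=1
    check_job "$root/weekly" 12  || rc=1
    check_job "$root/monthly" 24 || rc=1
    return "$rc"
}

# Usage: sh audit.sh /path/to/backups /path/to/public_html
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

A non-zero exit status means at least one check failed; the copy in Dropbox still has to be checked there.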
Rescue Plan
If your site is ever compromised you need to determine which backup is the most recent and safe to restore.
Please read The WordPress Rescue Plan - it will help you make the right decision.
And read How To Restore A WordPress Site.
Bonus Tips
Derick Schaefer from Copyblogger / Synthesis gave these brilliant tips as a comment on another post:
A couple of other points I always advise are:
1) Go through the exercise of taking a BackWPUp backup and restore it somewhere else to make sure you understand the recovery process. You can use your local host file to point to it for testing.
2) For larger sites, consider a yearly backup of everything and limiting your daily backup to this year’s /uploads/ (e.g. 2012) . Smaller backups have less of a chance of failure.
3) Keep a local copy of small, but critical files (e.g. most recent theme rendition and css ). No sense in going through a full site restore transferring a huge backup file for a tiny little css file that you botched up. It’s the difference between a 2 minute fix and a 2 hour exercise.
Further Resources
- 4800 Aussie sites evaporate after hack (or “why you should always store a copy of your backups outside your hosting account”)
- Tale of a Hacked Website
Questions Or Comments?
Please leave them below. Thanks!
If you are using Datafeedr you should be storing your product image files locally (for performance reasons).



Hi there superb website! Does running a blog like this take a large amount of work? I have virtually no knowledge of computer programming however I had been hoping to start my own blog soon. Anyhow, if you have any recommendations or techniques for new blog owners please share. I understand this is off topic but I simply needed to ask. Thank you!
Hi Rachel,
Problogger.net has some good articles on how to get started…
You do not need programming skills although it helps…
Have fun!
Anders
What do you think of Vault Press backup and restore? Is it worth the cost?
What do you think about the VaultPress Realtime backup system?
Unfortunately I have not had the chance to work with their system.
I wrote an article on Problogger about the mistakes to avoid when you plan your Backup strategy.
You can find the article here: http://www.problogger.net/archives/2012/12/21/backing-up-wordpress-dont-make-these-9-mistakes/
If VaultPress passes that ‘test’ you should be fine.
Thanks to your thorough instructions I think I’ll be able to set up this plugin by myself. But of course I got hung up on the very first step. Please advise: What and where is the “hosting account”?
The hosting account is the account you have with your hosting provider (e.g. GoDaddy, Bluehost, Hostgator etc), and is where your WordPress site is physically located. The example shown in step 1 is what you would see if you connect to your hosting account using FTP. In case you need help doing that please ask your host how you should connect via FTP.
Thanks Anders – you made this simple (I installed the plugin and didn’t know where to start really!)
Good suggestion to test all backups are working, too – not all of mine did work first time so it’s better I know now rather than later!
I’ve been using BackWPup for 2 years now and had to restore 3 sites in the beginning – which was easy to do.
An Idea to enhance security a little is to name the ‘Backup’ directory different than Just Backup which could be a nice target to add some malicious files, as everybody uses this name.
My schedule is weekly to Dropbox x 12 (I’m a lazy writer) and then download a copy to my Notebook.
Thank you for this very detailed tutorial!
I tried to follow, but had 2 problems:
1. I couldn’t delete the default backup folder (in my bluehost “file manager”)
2. My default file directory seems to be: /home5/chicnche and I set up the “backups” folder under this. Is this right?
1 Do you get an error message?
2 Yes, this is correct. Your backups folder should be at the same folder level as your public_html folder… NOT inside the public_html folder…
Thanks for the kind words
Hi Nathan,
Thanks for the quick response!
For 1/Deleting a folder – I get no error, the default Backup folder in Bluehost is simply grayed out with no ability to delete it.
For 2/New Backups folder set up – Yes I created it right under the “Home” folder so it is outside the public/html folder. I get this error in WordPress:
BackWPup:
- Log folder ‘/home5/ChicnChe/Backups/’ does not exists!
- Log folder ‘/home5/ChicnChe/Backups/’ is not writeable!
That sounds like you have permissions issues. Perhaps you are logging in to the file manager with a different userid than WordPress is running under.
I suggest you open a support ticket with Bluehost and ask them about this.
I just wanted to thank you so much! I was reading on the Warrior Forum how important it is to backup my blog and since I’m so new to this, I thought it would be hard for me. I followed your steps and tested and it all worked. I wish other instructions I had looked for online were this simple to follow. You made my life a little easier tonight so thanks again! =)
I second this is great. Buying beer when I get home.
One thing is puzzling me though. After setting up a daily backup as described above for a folder and dropbox, I get 2 copies of the backup. One ends up in the home/backups folder and another identical one ends up in the ‘home/backups/daily’ folder.
Dropbox it is only creating the one copy it should. Any idea why that happens?
Thanks
Please check the file extension on the file created in home/backups… I believe this file would be the log file from the backup…
Looking forward to the beer
Remember that there are a lot of hacker-vulnerable WordPress plugins; here is the list of them!
http://webdevelopblog.com/wordpress/security/50-wordpress-plugins-vunlerable-to-arbitrary-file-upload.html
Nice and constructively well written piece. you made it seem so simple. I like your angle to it. You’ve just won a new reader.