WordPress Backup – The Plugin and The Plan

You need to back up the complete WordPress site on a regular basis.

You also need to store the WordPress backup safely outside of your hosting account.

Why WordPress Backup Is Important

No site will ever be 100% secure.

If your site is compromised you need to be able to restore it quickly. The quickest and safest way to recover after your site has been compromised is by restoring a good WordPress backup.

You need to keep a number of backups in case the attack on your site is discovered after some time.

How You Complete This Security Checkpoint

It is important that your backup:

  • Includes both your WordPress files and database.
  • Is scheduled to run automatically.
  • Stores backup files outside the public_html folder so they are not accessible from the Internet.
  • Has a copy stored safely outside your hosting account in case everything in your hosting account is erased.

Daniel Hüsken has created a fantastic plugin – BackWPup – that does all this for you.

BackWPup can store your backup files in many different places: Folder, FTP Server, Amazon S3, Google Storage, Microsoft Azure (Blob), RackSpaceCloud, DropBox and SugarSync. It can also send the backup by email.

You can use any of these places to store your backups, but at least one place has to be outside your hosting account. We do not recommend that you email the backup. Email is not secure and your backup includes sensitive information about your WordPress site.

If you have no preference we recommend that you use Dropbox.

Don’t have Dropbox?

Sign up for a free account here.

(Affiliate link – you and we both get a little extra space)


How Often Should You Backup WordPress?

This is a very good question. It really depends on how often your WordPress site is updated.

If your site is updated daily we recommend the following backup schedule:

  • A daily backup job, where you keep the last 14 backup files.
    This will allow you to go back two weeks with daily changes.
  • A weekly backup job, where you keep the last 12 backup files.
    This will allow you to go back three months with weekly changes.
  • A monthly backup job, where you keep the last 24 backup files.
    This will allow you to go back two years with monthly changes.

If your WordPress site only changes weekly you can consider not scheduling the daily backup job.

What Should You Backup?

If your WordPress site contains a lot of media files that rarely change you can consider backing up those files manually or only in the monthly backup job to save space.

Datafeedr Tip!

(What is Datafeedr?)

If you are using Datafeedr you should be storing your product image files locally (for performance reasons).

If you have many products in your store consider leaving out the store folder from your backup.

All files in this folder can be re-downloaded with very little effort.

Remember to back up your merchant logos if you have created any yourself!


How Do You Setup Your Backups?

Follow these steps to set up your backup correctly:

  • The default setup for BackWPup is to store the backups in your wp-content folder.
    The backup files contain sensitive information about your site, so you want to store the backups outside the public_html folder.
    This way the backup files will not be accessible from the internet.
    In your hosting account create a folder at the same level as the public_html folder to hold your backup files.
    Then create a folder for each type of backup job you wish to create: daily, weekly and monthly.
  • Install and activate the BackWPup plugin.
  • Go to Settings.
    Enter the path to your log files. Note that the log files from all three types of jobs will be stored in the same folder – the backups folder.
  • Delete the folder(s) BackWPup automatically created in wp-content.
    Note that part of the name is random, so yours will be different.
    If you have two folders with similar names, delete both.
  • Add a new job.
  • Give the backup a name.
  • For Job Type we recommend you only select Optimize Database Tables and Check Database Tables for the monthly job.
  • Activate scheduling and select the time interval you require.
  • Optionally exclude selected folders.
    Tip! If you use a caching plugin, exclude the folder for the cached files. They will typically be in the Content section.
    Datafeedr! Exclude the store folder.
  • Enter the location to store the backup files in. This is for the copy of the backup file stored in your hosting account.
    Select the number of backup files to keep.
  • Click Authenticate in the Dropbox section and follow any prompts to log in to Dropbox.
    Enter the path you wish to store the backups in and the number of files to keep.
  • Click Save Changes.
  • Create jobs for the Weekly and Monthly backups. Keep 12 backup files for the weekly backup and 24 backup files for the monthly backup.
    Remember to select Optimize Database Tables and Check Database Tables for the monthly job.
  • Run each job once manually.
  • Verify that the backup files are created successfully – both the file in the hosting account and in the Dropbox account.
    Also check that the file sizes are not 0.
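
The verification in the last step, together with the checklist earlier in the article (backups outside public_html, files and database both included, file size not 0), can be scripted and run on a schedule. The Python script below is an added example, not part of BackWPup or of the original article; the zip archive format, the `.sql` dump name, the `wp-config.php` marker and the age limits are assumptions to adjust to your own jobs.

```python
import time, zipfile
from pathlib import Path

# Assumptions (not from the article): archives are .zip, the database dump is a
# .sql file and wp-config.php marks the WordPress files. Each job is
# (files to keep, maximum age of the newest file in days, with a day of slack).
JOBS = {"daily": (14, 2), "weekly": (12, 8), "monthly": (24, 32)}

def inside(path, parent):
    """True if path resolves (symlinks followed) to parent or below it."""
    path, parent = Path(path).resolve(), Path(parent).resolve()
    return path == parent or parent in path.parents

def check_archive(archive):
    """Return a list of problems found in one backup archive."""
    if archive.stat().st_size == 0:
        return [f"{archive}: file size is 0"]
    try:
        with zipfile.ZipFile(archive) as zf:
            if zf.testzip() is not None:
                return [f"{archive}: corrupt member in archive"]
            names = zf.namelist()
    except zipfile.BadZipFile:
        return [f"{archive}: not a readable zip file"]
    problems = []
    if not any(n.endswith(".sql") for n in names):
        problems.append(f"{archive}: no database dump (.sql) inside")
    if not any(n.endswith("wp-config.php") for n in names):
        problems.append(f"{archive}: no WordPress files (wp-config.php) inside")
    return problems

def audit(backup_root, web_root, now=None):
    """Check the backup folders against the checklist; [] means all good."""
    now = time.time() if now is None else now
    if inside(backup_root, web_root):
        return [f"{backup_root} is inside the web root {web_root}"]
    problems = []
    for job, (keep, max_age_days) in JOBS.items():
        files = sorted(Path(backup_root, job).glob("*.zip"),
                       key=lambda p: p.stat().st_mtime)
        if not files:
            problems.append(f"{job}: no backup files found")
            continue
        if len(files) > keep:
            problems.append(f"{job}: {len(files)} files, expected at most {keep}")
        if now - files[-1].stat().st_mtime > max_age_days * 86400:
            problems.append(f"{job}: newest backup is over {max_age_days} days old")
        problems += check_archive(files[-1])
    return problems
```

Call `audit()` with the path of your backups folder and the path of your public_html folder; an empty list means every job folder passed, otherwise each string names the job or file that needs attention.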

Rescue Plan

If your site is ever compromised you need to determine which backup is the most recent and safe to restore.

Please read The WordPress Rescue Plan - it will help you make the right decision.

And read How To Restore A WordPress Site.

If you have not done so already: Download the WordPress Security Checklist now. It’s free!

Bonus Tips

Derick Schaefer from Copyblogger / Synthesis gave these brilliant tips as a comment on another post:

A couple of other points I always advise are:

1) Go through the exercise of taking a BackWPUp backup and restore it somewhere else to make sure you understand the recovery process. You can use your local host file to point to it for testing.

2) For larger sites, consider a yearly backup of everything and limiting your daily backup to this year’s /uploads/ (e.g. 2012). Smaller backups have less of a chance of failure.

3) Keep a local copy of small, but critical files (e.g. most recent theme rendition and css). No sense in going through a full site restore transferring a huge backup file for a tiny little css file that you botched up. It’s the difference between a 2 minute fix and a 2 hour exercise.

Questions Or Comments?

Please leave them below. Thanks!

About Anders Vinther

Anders is on a mission to make it easy for you to secure your WordPress.

Let's make it harder for the bad guys!


  1. I moved the backup folder just like you said to the same level as the public_html and everything was fine, till I had to move my site to a new host.

    Now it is looking for a folder at the old path, which was on the old host, and can not be created at the same path on the new host. Nothing I seem to do will allow me to change it to work with the new host. It keeps looking for that old path that doesn’t exist any more. I don’t even see the old path in the settings anywhere. I have changed them all and nothing makes the error go away and the backup always fails with this error:

    Backups folder /home/app/backwpup-xxxxx-backups/ does not exist and cannot be created. Please create it and set proper write permissions.

    I can not put a folder at the same level as the public_html folder on this host. And even if I could, it still wouldn’t be at the same path as the old host, How do I edit this path to fix it? Where is this stored? What file name is this setting in?

    In other words, how do I undo what I have done, to fix it to work on this new host?

    • You can change the destination folder for the backup in the definition of the backup job.

      Cheers, Anders

      • I did mention that I changed them all? There is nothing left to change in the UI. I am now looking for another solution, perhaps a file I can open in a text editor to change and correct this path error?

        • You have to go to Backup Jobs, then edit the definition of the job. There is a Folder tab, which is where you specify the target folder for the backup file.

          As I understand your comments your problem is that the backup job tries to create the backup file in a folder that no longer exists.

          Either I have misunderstood the problem or you are not looking in the right place.


          • Nope, sorry, I changed that and it didn’t work. It’s still looking for the path on the old server. There is no box anywhere within the WordPress Admin UI that mentions the path on the old server. I have changed everything and this plugin is still looking for that old path. I have gone over it very carefully and thoroughly, and there is nothing left to try changing in the UI. I even tried to use the “Reset all settings to default” button but that had no effect, either.

          • What happens if you create a new backup job? Does that work?

            Otherwise you can try to uninstall the backup plugin and then install it again.

  2. Hi there superb website! Does running a blog like this take a large amount of work?
    I have virtually no knowledge of computer programming however
    I had been hoping to start my own blog soon. Anyhow, if you have any recommendations or techniques
    for new blog owners please share. I understand
    this is off topic but I simply needed to ask. Thank you!

  3. What do you think of Vault Press backup and restore? Is it worth the cost?

  4. What do you think about the VaultPress Realtime backup system?

  5. Thanks to your thorough instructions I think I’ll be able to set up this plugin by myself. But of course I got hung up on the very first step. Please advise: What and where is the “hosting account”?

    • The hosting account is the account you have with your hosting provider (e.g. GoDaddy, Bluehost, Hostgator etc), and is where your WordPress site is physically located. The example shown in step 1 is what you would see if you connect to your hosting account using FTP. In case you need help doing that please ask your host how you should connect via FTP.

  6. Thanks Anders – you made this simple (I installed the plugin and didn’t know where to start really!)

    Good suggestion to test all backups are working, too – not all of mine did work first time so it’s better I know now rather than later!

  7. I’m using BackWPup since 2 years now and had to restore 3 Sites in the beginning – which was easy doing.
    An Idea to enhance security a little is to name the ‘Backup’ directory different than Just Backup which could be a nice target to add some malicious files, as everybody uses this name.
    My schedule is weekly to Dropbox x 12 (I’m a lazy writer) and then download a copy to my Notebook.

  8. Thank you for this very detailed tutorial!
    I tried to follow, but had 2 problems:
    1. I couldn’t delete the default backup folder (in my bluehost “file manager”)
    2. My default file directory seems to be: /home5/chicnche and I set up the “backups” folder under this. Is this right?

    • 1 Do you get an error message?
      2 Yes, this is correct. Your backups folder should be at the same folder level as your public_html folder… NOT inside the public_html folder…

      Thanks for the kind words :-)

      • Hi Nathan,
        Thanks for the quick response!
        For 1/Deleting a folder – I get no error, the default Backup folder in Bluehost is simply grayed out with no ability to delete it.
        For 2/New Backups folder set up – Yes I created it right under the “Home” folder so it is outside the public/html folder. I get this error in WordPress:
        - Log folder ‘/home5/ChicnChe/Backups/’ does not exists!
        - Log folder ‘/home5/ChicnChe/Backups/’ is not writeable!

        • That sounds like you have permissions issues. Perhaps you are logging in to the file manager with a different userid than WordPress is running under.

          I suggest you open a support ticket with Bluehost and ask them about this.

  9. I just wanted to thank you so much! I was reading on the Warrior Forum how important it is to backup my blog and since I’m so new to this, I thought it would be hard for me. I followed your steps and tested and it all worked. I wish other instructions I had looked for online were this simple to follow. You made my life a little easier tonight so thanks again! =)

    • I second this is great. Buying beer when I get home.

      One thing is puzzling me though. After setting up a daily backup as described above for a folder and dropbox, I get 2 copies of the backup. One ends up in the home/backups folder and another identical one ends up in the ‘home/backups/daily’ folder.

      Dropbox it is only creating the one copy it should. Any idea why that happens?

  10. Remember that there are a lot of hackers-vulnerable WordPress plugin, here there’s the list of them!

  11. Nice and constructively well written piece. you made it seem so simple. I like your angle to it. You’ve just won a new reader.
