The Complete WordPress Backup Strategy Guide

12 min read·29 January 2026

TL;DR -- I've seen too many sites lose everything because they had only one backup in the same location as the live site. Follow the 3-2-1 rule: three copies of your data, two different storage types, one off-site. Then test a restore quarterly — a backup you've never tested is a backup you can't trust.

Why Backups Are Non-Negotiable

I've had clients come to me after losing months of content because their only backup was on the same server that crashed. I've seen sites wiped by malware with no way to recover except rebuilding from scratch. And I've watched business owners discover that their "automatic backups" hadn't actually run in six months.

Backups are the single most important safety net for any WordPress site. Not security plugins, not firewalls, not monitoring — backups. Because no matter how many layers of protection you put in place, things will eventually go wrong. A plugin update breaks your site. A hosting provider has a hardware failure. Someone accidentally deletes the wrong database table. Malware encrypts your files.

The question isn't whether you'll need your backups. It's when.

The 3-2-1 Backup Rule

The 3-2-1 rule is a time-tested framework used across the entire IT industry, and it applies perfectly to WordPress:

  • 3 copies of your data (your live site + 2 backups)
  • 2 different storage types (e.g., server backup + cloud storage)
  • 1 copy off-site (geographically separate from your server)

Why Three Copies

Two copies aren't enough because a single point of correlation can take out both. If your backups live on the same server as your site, a server failure or ransomware attack eliminates both. If your backups and site are with the same hosting provider, an account-level issue could lock you out of everything.

Three copies with two different storage types and one off-site location means you'd need three simultaneous, independent failures to lose your data. That's statistically near-impossible.

Practical Implementation

Here's how I implement 3-2-1 for the sites I manage:

  1. Live site: The live site itself (on the hosting server)
  2. Host backup: Automated daily backup stored on the host's backup system (different disk/server)
  3. Off-site copy: Weekly backup synced to a separate cloud provider (Amazon S3, Google Cloud Storage, or Backblaze B2)

"Data that exists in only one location doesn't really exist at all. It's one hardware failure away from being a memory." — Peter Krogh, digital asset management pioneer

Key Takeaway: The 3-2-1 rule isn't paranoia — it's the minimum viable backup strategy. I've seen too many sites lose everything because they had only one backup copy in the same location as the live site. Three copies with geographic separation means you'd need three simultaneous failures to lose your data.

What To Back Up

A complete WordPress backup includes two distinct components, and you need both:

Database

The MySQL/MariaDB database (the database system WordPress uses to store content, settings, and user data) contains all of your dynamic content:

  • Content: Posts, pages, and custom post types
  • Users & engagement: Comments and user accounts
  • Configuration: Plugin and theme settings
  • Layout: Widget configurations and menu structures
  • E-commerce: WooCommerce orders and products (if applicable)

Files

The WordPress file system contains:

  • Media library: wp-content/uploads/ — All media files (images, PDFs, videos)
  • Themes: wp-content/themes/ — Your active theme and child theme
  • Plugins: wp-content/plugins/ — All installed plugins
  • Configuration: wp-config.php — Your site configuration
  • Server rules: .htaccess or server configuration files
  • Custom code: Any custom files outside the standard WordPress structure

Plugins and themes can be reinstalled from their source, but your uploads directory and database are irreplaceable. These are the priority.

Key Takeaway: Your database and wp-content/uploads directory are irreplaceable — everything else can be reinstalled. I prioritize database backups first, then the uploads folder. Themes and plugins are secondary since they can be downloaded again from WordPress.org or your purchase account.

How Often to Back Up

Backup frequency should match how often your content changes:

Daily Backups

Suitable for most WordPress sites. You lose at most 24 hours of changes in a worst-case scenario. Daily backups should include both the database and the full file system.

Real-Time or Hourly Backups

Essential for e-commerce sites (WooCommerce), membership sites, or any site where data changes frequently throughout the day. Losing a day of orders or user registrations is unacceptable. Services like BlogVault and Jetpack VaultPress offer real-time backup for these use cases.

Weekly Full + Daily Incremental

A more storage-efficient approach: take a full backup weekly and incremental backups (only changed files) daily. This reduces storage costs while maintaining good recovery points.

Backup Retention

Don't just keep the latest backup. Maintain a rolling retention policy:

  • Daily backups: Keep the last 30 days
  • Weekly backups: Keep the last 12 weeks
  • Monthly backups: Keep the last 12 months

This allows you to recover from issues that weren't discovered immediately — like malware that was injected weeks ago, or a database corruption that happened gradually.
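One way to apply this retention policy as a dry run. This is an added example, not code from the original article. It assumes the wordpress-backup-YYYYMMDD.sql.gz naming this guide uses for manual dumps, and it reads "weekly" and "monthly" as the newest backup of each calendar week and month; the function names are illustrative.

```sh
# Constructed file names following the guide's naming scheme (sample data).
sample_backups() {
  printf 'wordpress-backup-%s.sql.gz\n' 20260129 20260105 20251228 20251226 \
    20251130 20251015 20251002 20250228 20250131
}

# prune_candidates TODAY: reads backup file names on stdin (one per line) and
# prints those that no rule keeps. TODAY is YYYYMMDD, passed in so runs are
# reproducible. Rules: every backup younger than 30 days, the newest backup of
# each week for 12 weeks, the newest backup of each month for 12 months.
prune_candidates() {
  sort -r | awk -v today="$1" '
    # Days since 1970-01-01 for a YYYYMMDD string (proleptic Gregorian).
    function days(d,   y, m, dd, era, yoe, doy) {
      y = substr(d, 1, 4) + 0; m = substr(d, 5, 2) + 0; dd = substr(d, 7, 2) + 0
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + dd - 1
      return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    function months(d) { return substr(d, 1, 4) * 12 + substr(d, 5, 2) }
    {
      split($0, part, /[-.]/); d = part[3]
      # Never list a name whose date cannot be parsed.
      if (length(d) != 8 || d !~ /^[0-9]+$/) next
      age  = days(today) - days(d)
      week = int((days(d) + 3) / 7)          # weeks run Monday to Sunday
      mon  = months(d)
      # Input is newest first, so the first name seen in a bucket is its newest.
      newest_in_week  = !(week in seen_week);  seen_week[week] = 1
      newest_in_month = !(mon in seen_month);  seen_month[mon] = 1
      if (age < 30) next                                        # daily
      if (age < 84 && newest_in_week) next                      # weekly
      if (months(today) - mon < 12 && newest_in_month) next     # monthly
      print
    }'
}

# Dry run: show what would be deleted, delete nothing.
sample_backups | prune_candidates 20260129
```

Review the printed list before piping it to a delete command, and run the same policy against the off-site copy separately so one mistake cannot prune both.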

Key Takeaway: Backup frequency should match your content velocity. E-commerce sites need real-time or hourly backups — losing a day of orders is unacceptable. Most other WordPress sites are fine with daily backups and a 30-day retention policy.

Manual Database Backup via Command Line

Every WordPress administrator should know how to take a manual database backup. When plugins fail or your admin dashboard is inaccessible, the command line is your fallback.

# Export the full WordPress database
# Replace the placeholders with your actual credentials from wp-config.php
# Run this from a directory outside the web root so the dump can't be downloaded over HTTP
BACKUP_FILE="wordpress-backup-$(date +%Y%m%d).sql"
mysqldump -u DB_USER -p DB_NAME > "$BACKUP_FILE"

# Compress the backup to save space (the name is reused, so a run across midnight still works)
gzip "$BACKUP_FILE"

# Verify the backup file was created and has content
ls -lh wordpress-backup-*.sql.gz

# To restore from a backup:
gunzip wordpress-backup-20260129.sql.gz
mysql -u DB_USER -p DB_NAME < wordpress-backup-20260129.sql

If you're using WP-CLI (WordPress Command Line Interface — a command-line tool for managing WordPress installations without using the admin dashboard, which I strongly recommend), the process is even simpler:

# Export database using WP-CLI
wp db export backup-$(date +%Y%m%d).sql
 
# Import a backup
wp db import backup-20260129.sql

Keep a copy of your wp-config.php database credentials somewhere secure and accessible — you'll need them if your site goes down and you can only access the server via SSH.

Key Takeaway: Every WordPress administrator should know how to take a manual database backup via command line. When plugins fail or your dashboard is inaccessible, mysqldump or WP-CLI is your fallback. I keep wp-config.php credentials in a secure password manager so I can SSH in and export the database in an emergency.

Choosing a Backup Solution

Plugin-Based Backups

For most site owners, a backup plugin is the easiest approach:

  • UpdraftPlus — The most popular free backup plugin. Supports scheduling and remote storage (S3, Google Drive, Dropbox). The free version covers most needs.
  • BlogVault — Premium service with real-time backups, built-in staging, and a dedicated backup server (doesn't use your hosting resources).
  • Jetpack VaultPress — Part of the Jetpack suite. Real-time backups with one-click restore. Good for sites already using Jetpack.
  • BackWPup — Free option with good scheduling and storage options. Less user-friendly than UpdraftPlus but very capable.

Host-Level Backups

Most managed WordPress hosts include automatic backups:

  • Kinsta: Daily automatic backups with 14-30 day retention (depending on plan), plus manual backup snapshots
  • WP Engine: Daily backups with one-click restore and a staging environment
  • Cloudways: Automated backups with configurable frequency and off-server storage

Host-level backups are convenient but should not be your only backup. They're typically stored within the same hosting infrastructure. If there's an account-level issue (billing dispute, provider outage, data center incident), you could lose access to both your site and your backups simultaneously.

Testing Your Restores

A backup you've never tested is a backup you can't trust. I've seen "successful" backup files that turned out to be corrupted, incomplete, or missing critical database tables. The only way to know your backups work is to actually restore from them.

Quarterly Restore Test Process

  1. Download backups: Download your latest backup files (database + file system)
  2. Setup local environment: Set up a local development environment (Local by Flywheel, DDEV, or Docker)
  3. Import files: Import the database and files into the local environment
  4. Verify site loads: Verify the site loads correctly — check the homepage, key pages, media files
  5. Test functionality: Test functionality: forms, search, user login, any custom features
  6. Document time: Document the restore time — know how long recovery will take in an emergency

What to Check After a Test Restore

  • Frontend: Homepage loads without errors
  • Media: All images and media display correctly
  • Navigation: Navigation menus are intact
  • Configuration: Plugin settings are preserved
  • Authentication: User accounts can log in
  • Forms: Forms submit correctly
  • Content types: Custom post types and taxonomies are present
  • E-commerce: WooCommerce products and orders (if applicable)

If any of these fail, your backup process has a gap that needs to be addressed before you need it in a real emergency.

Key Takeaway: A backup you've never tested is a backup you can't trust. I've seen corrupted backup files, incomplete database dumps, and missing uploads directories discovered only when someone tried to restore. Test your restores quarterly — it's the only way to know they'll work when you actually need them.
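A quick pre-restore check for the three failures described above (corrupted, incomplete, or missing tables). This is an added example, not code from the original article. It assumes a gzip-compressed dump taken with mysqldump's default comment output, a single-site install, and a subset of the WordPress core tables; the function names are illustrative.

```sh
# Constructed miniature dump in mysqldump layout (sample data, not a real site).
sample_dump() {
  for t in posts postmeta options users usermeta; do
    printf 'CREATE TABLE `wp_%s` (\n  `id` bigint NOT NULL\n);\n' "$t"
  done
  echo '-- Dump completed on 2026-01-29 02:00:00'
}

# verify_dump FILE [PREFIX]: pre-restore check of a gzip-compressed dump.
# Returns 0 if sound, 1 corrupt archive, 2 no completion trailer, 3 table missing.
# PREFIX is the table prefix from wp-config.php (default wp_).
verify_dump() {
  f=$1; prefix=${2:-wp_}
  gzip -t "$f" 2>/dev/null || { echo "corrupt archive: $f"; return 1; }
  # mysqldump writes this comment last, so a dump that was cut short lacks it.
  gzip -dc "$f" | tail -n 5 | grep -q '^-- Dump completed' ||
    { echo "incomplete dump, no trailer: $f"; return 2; }
  for t in posts postmeta options users usermeta; do
    gzip -dc "$f" | grep -q "^CREATE TABLE \`$prefix$t\`" ||
      { echo "missing table: $prefix$t"; return 3; }
  done
  echo "ok: $f"
}

# Usage: verify_dump wordpress-backup-20260129.sql.gz
```

Passing this check only shows the file is worth restoring; the quarterly restore into a local environment is still the real test.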

Off-Site Storage Options

Your off-site backup copy should be on a completely separate platform from your hosting:

  • Amazon S3 — Extremely reliable, pay-per-use pricing. Use S3 Glacier for long-term retention at minimal cost.
  • Google Cloud Storage — Similar to S3, good if you're already in the Google ecosystem.
  • Backblaze B2 — The most affordable option at $0.005/GB/month. Works with most backup plugins.
  • Google Drive / Dropbox — Convenient for smaller sites. Not ideal for large sites due to storage limits and sync reliability.

Choose a provider in a different geographic region from your hosting server. If your site is hosted in Sydney, store your off-site backups in a US or European data center.

Frequently Asked Questions

How often should I back up my WordPress site?

Daily backups are the recommended minimum for most WordPress sites. E-commerce sites running WooCommerce, membership sites, or any site with frequent transactions need real-time or hourly backups — losing a day of orders or user registrations is unacceptable. For lower-activity brochure sites, weekly full backups with daily incrementals work fine.

Can I rely only on my hosting provider's backups?

No. Host-level backups are convenient but shouldn't be your only backup. They're typically stored within the same hosting infrastructure. If there's an account-level issue — billing dispute, provider outage, data center incident — you could lose access to both your site and your backups simultaneously. Always maintain an independent off-site backup copy.

What's the difference between full and incremental backups?

A full backup captures your entire site — database, files, uploads, themes, plugins, and configuration. An incremental backup only captures files that have changed since the last backup. I use a weekly full backup plus daily incrementals for storage efficiency while maintaining good recovery points.

How do I know if my WordPress backups are actually working?

Test them. Download your latest backup, set up a local development environment using Local by Flywheel or DDEV, and restore from the backup. Verify the site loads, media displays, forms work, and users can log in. I test restores quarterly for every site I manage. A backup you've never tested is a backup you can't trust.

Disaster Recovery Planning

Backups are only half the equation. You also need a plan for how to use them when disaster strikes.

Document Your Recovery Process

Create a written disaster recovery document that includes:

  • Where each backup copy is stored and how to access it
  • Login credentials for your hosting control panel, database, and cloud storage
  • Step-by-step restore instructions specific to your hosting environment
  • Contact information for your hosting provider's emergency support
  • Expected recovery time for each type of failure scenario

Recovery Time Objectives

Know how long each scenario takes to recover from:

  • Plugin/theme conflict: 15-30 minutes (restore from host backup)
  • Malware infection: 1-3 hours (clean restore + security audit)
  • Server failure: 2-6 hours (migrate to new server from off-site backup)
  • Complete account loss: 4-12 hours (rebuild hosting + restore from off-site)

Building Your Backup Strategy

If you take away one thing from this article, let it be this: set up automated backups today, with off-site storage, and test a restore within the next 30 days. The effort is minimal — most backup plugins can be configured in under 15 minutes — but the protection is priceless.

If you'd rather not think about backup schedules, retention policies, and quarterly restore tests, a managed WordPress maintenance service handles all of it. Every site I manage has automated daily backups, off-site storage, and tested restore procedures — because when something goes wrong at 2am, there's no time to figure out your backup strategy from scratch.
