
The case for backups
None of us know when disaster will strike. If we’re lucky, we’ll use a backup to restore our site when our WordPress host has a hardware problem. If we’re unlucky, it’ll be because hackers intruded on our site and covered it in malware.
Whatever the reason, having a backup of your WordPress website isn’t a “nice-to-have” – it’s an essential. If your business relies on WordPress, you need to have a backup – and a plan.
The truth is that most people don’t think about their backups until disaster strikes. Maybe they’re facing some kind of security vulnerability and a hacked WordPress instance. If you only think about your backups when your back is against the wall, it’s already too late.
These five tips will help you in developing a solid WordPress backup strategy. They’ll help you make sure your site is secure, safe and most importantly, available to your customers. And they’ll help prevent a disaster by providing you peace of mind and safety.
Tip 1: Take regular backups
It should go without saying that the first step in backing up a WordPress website is, well, to actually back it up. Unfortunately, many WordPress site owners don’t even do this basic first step.
If you don’t have any means of backing up your website, the first step is to start. Pick a backup plugin and start doing automatic backups. If you’re using a WordPress hosting company or managed WordPress service that provides backups, great. They’re probably already taking care of this for you. Make sure you ask them.
It’s highly recommended that you back up your site regularly. WPConcierge backs up sites daily for our clients. Ensure that your WordPress backup solution backs up your media files, plugins and themes, and your database. WordPress stores all its content data in a database, so failing to back this up will cost you.
Storing the backup securely is important as well. Storing a backup in a publicly accessible part of your site (like /wp-content) means anyone can steal your backup. This is a security issue. Make sure your backups are not accessible to the public, or visible to search engines.
Tip 2: Store your backups off site
Many people store their backups alongside their WordPress instance. This is a mistake. Backups are there to help you when something goes catastrophically wrong – like a hardware failure or site hack. Storing them on the same server as the site makes them vulnerable to alteration or loss.
Most managed WordPress hosts will store your backups in their own environment and make them available for you to download or restore. Ensure with your host that they store your backup off site or in a different region. WPConcierge stores all client backups in a different region from the client’s site. This ensures a regional failure does not cause a loss of data for our clients.
If you’re responsible for backing up your own site, make sure any plugins or processes you use can safely move the backup off site. This way, if your hardware fails, you have the backup to fall back on.
An easy way to store your backups offsite is to use Dropbox or even Amazon S3 and move the backup there. Doing so will protect you against data loss. Most WordPress backup plugins can move your backup to another location; some of them may charge for this feature.
If your hosting provider doesn’t offer a way to get your backups off site, and doesn’t offer automatic backups, that’s a red flag. Similarly, if your hosting provider can’t guarantee that your automatic backups are stored differently from your site, that’s a problem. Consider a different WordPress host.
Tip 3: Carefully select what you back up
Different WordPress backup plugins will back up in different ways. Some will back up just the /wp-content directory, while others will back up everything, including the WordPress core files and even your wp-config.php file. Most if not all will also dump the database for you.
WordPress core is easily available as an online download, so you’re simply wasting space and money by backing it up. And backing up your wp-config.php file, with all the credentials stored there, can be a security problem if your backup isn’t properly secured.
Instead, you want to focus on backing up the files in /wp-content and the database. These are the files that are custom to your WordPress website. Do not put sensitive information in your backup – like database credentials – unless your backup is somehow encrypted.
Note that when you do export your database, it will include a host of sensitive credentials, like hashed passwords for WordPress users. This makes it incredibly important to keep the backup out of public view, to protect your website.
It’s up to you if you back up your plugins and themes, especially if they’re available from other sources. For example, all plugins you install in WordPress are available from WordPress.org. If your theme is stored in something like Git (and it should be!) you can easily restore it. If you choose not to back up the plugins, make certain that you maintain a list or manifest of what you had installed to make it easy to restore your site later.
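The selection described in this tip, as an added shell example that is not the article's or WPConcierge's own tooling. The function names, the archive naming scheme and the paths passed in are assumptions; `dump_database` assumes `mysqldump` is installed and that a MySQL option file holds the credentials.

```shell
#!/bin/sh
# Added example: back up only site-specific data (wp-content, a plugin
# manifest and the database). Function names are hypothetical.

# backup_wp_content SITE_ROOT DEST_DIR -> prints the archive path
backup_wp_content() {
    site_root=$(cd "$1" && pwd) || return 2
    dest=$(cd "$2" && pwd) || return 2
    # Refuse to place a backup anywhere under the web root (e.g. /wp-content).
    case "$dest/" in
        "$site_root"/*)
            echo "refusing: $dest is inside the web root" >&2
            return 1 ;;
    esac
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dest/wp-content-$stamp.tar.gz"
    # umask 077: archive and manifest are readable by the backup user only.
    # The manifest lists installed plugins so they can be reinstalled later.
    # WordPress core and the top-level wp-config.php live outside wp-content;
    # --exclude also drops stray copies of wp-config.php inside it.
    (
        umask 077
        ls -1 "$site_root/wp-content/plugins" > "$dest/plugins-$stamp.txt" &&
            tar -czf "$out" --exclude='wp-config.php' -C "$site_root" wp-content
    ) || return 3
    echo "$out"
}

# dump_database OPTION_FILE DB_NAME DEST_DIR
# OPTION_FILE is a mode-600 MySQL option file with the credentials, so the
# password is neither on the command line nor stored in the backup.
dump_database() {
    (
        umask 077
        mysqldump --defaults-extra-file="$1" --single-transaction "$2" \
            > "$3/db-$(date +%Y%m%d-%H%M%S).sql"
    )
}

# Usage (paths are placeholders):
#   backup_wp_content /var/www/example /srv/backups/example
#   dump_database /root/.backup.cnf wordpress /srv/backups/example
```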
Tip 4: Secure your backup
Your backup contains incredibly sensitive information. It contains the hashed passwords for your WordPress users, as well as their email addresses. If you have external services attached, it may contain unencrypted API keys. And it may contain information about your users, especially if you permit registration on your website.
Because of the sensitivity of your backup data, it’s incredibly important to secure the backup so it cannot be accessed by people who don’t have permission to do so.
Some backup plugins will let you use a strong password to create your backup archive. While this provides some level of protection, you’re vulnerable to brute force attacks against the backup file. Best practices require that you not only encrypt the backup, but that you limit access to it.
WPConcierge stores our backups in secure file storage systems that encrypt the backup. We limit access to a select few people who need access. We transport the backup using HTTPS, meaning traffic is secured with an SSL certificate. We also ensure that the WordPress database is stored safely and encrypted, at rest and in transit.
Most managed WordPress providers will take care of this level of security for you. But it’s always good to ask. WordPress security is a matter of a multi-layered approach, and you want to make sure that your site is safe and secure.
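A quick audit for the two exposure problems raised in Tips 1 and 4 (backups left under the web root, and stored backups readable by more than their owner), as an added example that is not part of the original article. `audit_backups`, the file-name patterns and the finding labels are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: find backups that are exposed or too widely readable.
# audit_backups is a hypothetical name.

# audit_backups WEB_ROOT BACKUP_DIR
# Prints one finding per line and returns 1 if there is any finding.
audit_backups() {
    web_root=$1
    backup_dir=$2
    findings=$(
        # Archive or dump files under the web root can be fetched by URL.
        # The name patterns are a heuristic: review each hit by hand.
        find "$web_root" -type f \( -name '*.sql' -o -name '*.sql.gz' \
            -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*.zip' \
            -o -name '*.bak' \) | sed 's/^/WEBROOT /'
        # Stored backups (and their directory) should be readable by the
        # owner only: flag anything with group or other read permission.
        find "$backup_dir" \( -perm -040 -o -perm -004 \) | sed 's/^/READABLE /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Usage (paths are placeholders):
#   audit_backups /var/www/example /srv/backups/example
```

Run it on a schedule and alert on a non-zero exit status; a `WEBROOT` hit means the file should be moved out of the document root, a `READABLE` hit means its mode should be tightened to owner-only.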
Tip 5: Practice restoring your backup
Site backups that are never tested are worthless. If you think that your site is backed up, but you never test that backup, you’re never going to know if it works until an emergency strikes.
There are two reasons for testing the restore process of your backup.
The first is that you want to know that your backup is comprehensive and complete. If you restore your backup and go through the WordPress install process only to find missing files or an incomplete backup, you know something is wrong. And you have time to fix it – before emergency strikes.
The second reason is that you want to know how to restore your backup when you’re not under pressure. Imagine that your site has been hacked or is offline – do you want that to be the first time you restore your backup? I doubt it. You’ll want to have practiced the process and know exactly how to do it.
If you’re using a managed WordPress provider or host that maintains backups for you, they may have a support team that can help. Make sure you practice this with them and know what their response times and service levels look like. You never want to find out during an emergency that they take 36-48 hours to get back to you, or don’t offer that level of service.
Of course, it doesn’t make much sense to overwrite a perfectly functioning website with a copy just for practice. Instead, take an opportunity to set up what is called a “staging site” – a site that you can use for practice and testing. This site would have a different URL from your live site. It provides a playground for testing new things, like plugins, themes and content.
WPConcierge practices our backup restores regularly, to ensure we have the capability to do a restore in an emergency. We can set up staging sites for our customers. We also offer first-class service aimed at ensuring your site is always available. If disaster strikes, we’re positioned to restore your site and get you back online quickly.
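A restore drill for the completeness check described in this tip, as an added example that is not WPConcierge's process. It assumes a gzip-compressed tar archive of wp-content, a plain-text SQL dump written by mysqldump with its default comments enabled, and an empty staging directory; `verify_restore` is a hypothetical name.

```shell
#!/bin/sh
# Added example: unpack a backup into staging and check it is complete.
# verify_restore is a hypothetical name.

# verify_restore ARCHIVE SQL_DUMP STAGING_DIR
verify_restore() {
    archive=$1; dump=$2; staging=$3
    # Only ever restore into an empty staging directory, never the live site.
    if [ ! -d "$staging" ] || [ -n "$(ls -A "$staging")" ]; then
        echo "FAIL: staging directory missing or not empty"; return 1
    fi
    tar -xzf "$archive" -C "$staging" 2>/dev/null ||
        { echo "FAIL: archive is corrupt or unreadable"; return 1; }
    # The site-specific directories must all come back.
    for d in plugins themes uploads; do
        [ -d "$staging/wp-content/$d" ] ||
            { echo "FAIL: wp-content/$d missing from archive"; return 1; }
    done
    # Core tables must be in the dump; the table prefix is configurable,
    # so match any prefix in front of the table name.
    for tbl in options posts users; do
        grep -Eq "^CREATE TABLE \`[A-Za-z0-9_]*$tbl\`" "$dump" ||
            { echo "FAIL: no *_$tbl table in dump"; return 1; }
    done
    # With comments enabled, mysqldump ends a finished dump with this marker;
    # a dump cut short by a full disk or a timeout does not have it.
    tail -n 1 "$dump" | grep -q '^-- Dump completed' ||
        { echo "FAIL: dump is truncated"; return 1; }
    echo "OK: backup restores cleanly"
}

# Usage (paths are placeholders):
#   verify_restore /srv/backups/wp-content.tar.gz /srv/backups/db.sql /srv/staging
```

A passing run only shows the files and tables are present; loading the dump into the staging database and browsing the staging URL is still part of the practice.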
Don’t wait until something goes wrong to create a backup.
Too many WordPress website owners wait until they’re under attack or their website is offline to care about backups. This is a mistake. Backups are an essential part of being a responsible business owner and website maintainer. Not backing up your site can have catastrophic consequences, from loss of data to being offline for long periods of time.
WPConcierge builds backups into our offering from the absolute beginning. We use backups from our hosting partners, as well as manual backups that we store off-site. Just like WordPress security is a multi-layered process, we treat backups as a multi-layered process. This ensures that we have a backup at every step of the way to protect our customers.
Backups don’t protect you against everything
A backup is not a replacement for good security practices. It doesn’t replace a WordPress security plugin or prevent something like a distributed denial of service (DDoS) attack. It won’t prevent you from being hacked or having your server go down. But it can provide tremendous peace of mind.
A backup is a key component of your website strategy. It’s an essential part of your overall strategy, which should include regular updates, a solid security posture, and routine monitoring of your site for security flaws. But if you’re ever hacked or your website goes down, you’ll be glad you have a backup.
Recommended backup plugins
Ready to start capturing backups of your website? If your managed WordPress provider or hosting provider offers automated backups that are stored securely and offsite, there’s not usually a need for a plugin. But if you’re without backups and want to get started, here are some plugins recommended by the WordPress community.
WPConcierge doesn’t recommend a specific plugin, and we don’t use them either. We prefer a targeted, precise approach to backing up our clients’ websites. We take database snapshots, as well as backups of the /wp-content folder, and have an automated process for restoring backups. We take backups on a daily basis, and we rely on repeating tasks (not wp-cron) to ensure backups are taken routinely.
Protect your website with WPConcierge
WPConcierge offers a comprehensive solution for hosting, monitoring, backing up, securing and updating your WordPress website. We go above and beyond most managed hosts, providing a comprehensive solution to your website needs. Our clients love us because we solve not just their WordPress problems, but their web presence problems.
We offer daily backups in addition to much more. Check out our offerings or schedule a consultation today to see if WPConcierge is right for your website.