When using WordPress, a website backup is your best protection against accidental and malicious changes. Whether it is something simple, like making changes you later decide aren’t suitable (but you forgot how you made them – yes, I’ve done that too so don’t worry) or installing a new theme that just doesn’t work out (yep, done that), or something serious, like having your site hacked or needing to suddenly move your site to new hosting, you need to have a backup.
What to backup
Your web site is made up of a number of components. There is the WordPress software itself that you or your hosting provider installed. There is your content and images. There are the themes and plugins you have installed and configured. There is also your site customisation which could take hours or days to recreate.
The WordPress software can always be installed fresh if needed so doesn’t need to be backed up in most cases.
The content and configuration of your WordPress site is managed by a database. Functionality beyond the core WordPress is achieved through the plugins you have installed. Plugins are computer code that exists in files in a directory on your site. The visual aspects of your site are controlled through themes and child themes. These also exist in files on your site. The media (images and video) that you uploaded are also stored as files on your site.
Your backup must include all of your content, themes, plugins, and media, plus the database so that you can recreate your site exactly as it was when the backup was taken.
How To Backup Your WordPress Site
Before we start to talk about backups, let’s be clear: Don’t rely on a manual approach and don’t try to cobble together something yourself. Use one of the free or paid-for WordPress plugins that will meet your specific website backup needs.
To answer how to back up your site you need to ask what a good backup looks like. In the previous section we identified what to back up, but there are more questions, such as when and where, and how long to retain a backup.
A good backup will be
- automated and regular
- stored on a different server to your web site
- secure from tampering
- auditable
- tested
One additional characteristic that would be nice to have is that it should be easy to manually run at any time. If you can easily run a backup at any time then you can make multiple backups as you modify your site. Most backups will only take a minute or two.
The solution that I use is a free plugin, UpDraftPlus, and Amazon S3 storage. UpDraftPlus backs up everything you need to restore your site or migrate it to another hosting service.
UpDraftPlus can be scheduled so backups happen regularly and automatically.
UpDraftPlus can be configured to email you a report every time it runs. I have an email filter set up that looks for the message in the email body that says the backup ran successfully. These emails are marked as read and moved to my UpDraftPlus folder. If an email comes through that doesn’t contain the success report it stays in my inbox and I’ll know to investigate.
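The filter described above only notices a report that arrives without the success message; it stays silent if no report arrives at all. The following Python is an added example, not part of the original article or of UpDraftPlus, that goes one step further and checks both cases. The success text (`SUCCESS_MARKER`), the sender address, and the sample messages are constructed placeholders, and a daily schedule is assumed.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Assumption: placeholder for the success sentence your own reports contain.
SUCCESS_MARKER = "BACKUP-SUCCESS-PLACEHOLDER"

def make_report(date, body):
    """Build a constructed report email (not real plugin output)."""
    return (f"From: wordpress@example.com\nSubject: Backup report\n"
            f"Date: {date}\n\n{body}\n")

# Constructed sample: one good report, one failure, then two silent days.
SAMPLE_REPORTS = [
    make_report("Wed, 01 May 2024 02:05:00 +0000", f"{SUCCESS_MARKER}"),
    make_report("Thu, 02 May 2024 02:06:00 +0000", "Errors encountered"),
    make_report("Sun, 05 May 2024 02:04:00 +0000", f"{SUCCESS_MARKER}"),
]

def review_reports(raw_messages, now, interval=timedelta(days=1),
                   slack=timedelta(hours=6)):
    """Return (failed, gaps): reports lacking the marker, and silent periods."""
    reports = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sent = parsedate_to_datetime(msg["Date"])
        reports.append((sent, SUCCESS_MARKER in msg.get_payload()))
    reports.sort()
    failed = [sent for sent, ok in reports if not ok]
    # Treat "now" as the final checkpoint so a backup that has stopped
    # reporting altogether is caught, not just gaps between old reports.
    checkpoints = [sent for sent, _ in reports] + [now]
    gaps = [(earlier, later)
            for earlier, later in zip(checkpoints, checkpoints[1:])
            if later - earlier > interval + slack]
    return failed, gaps
```
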
Where To Keep Your Backups
Choosing a place to store your backup is important. Your website backup should never be stored with your hosting provider. It must be stored somewhere else. The reason is that your hosting may become unavailable due to hacking, denial of service attacks, or sudden business closure. If your hosting provider is down for any of these reasons, you won’t be able to access your site backup. In the case of business closure you’ll need to migrate to a new hosting provider anyway.
I use and recommend Amazon S3 storage to store the backup away from your site. Amazon S3 requires a bit more configuration than some of the other alternatives but it is one of the few that provides versioned storage and granular access controls to prevent previous backups from being tampered with or overwritten.
Here is how it works. When you create your Amazon S3 account, your initial account credentials can do anything to any of the data you have stored there. When you create a storage location, what Amazon calls a “bucket”, for your web site backups you create a new set of credentials that can write and read but not delete in just that one bucket. The Amazon S3 credentials you provide to UpDraftPlus can’t access anything else that you’ve stored on your account.
This restriction matters because, if your site is hacked, the hacker can find your Amazon S3 credentials from the UpDraftPlus configuration. They can read your files, stealing your site information, which is public anyway, and they can create zero-length backups with the same name as your existing ones in an attempt to overwrite those files. This is where Amazon S3 shines. When you create your S3 storage bucket, you enable versioning, so even if a hacker gets your credentials, they can’t overwrite prior backups even if they use the same file names. The original version of your file will still be there. Really, the worst that can happen is that you get hit with a huge bill for storage from Amazon if your hacker starts writing garbage to your S3 bucket. At the moment Amazon doesn’t limit the size of S3 buckets.
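The overwrite attempt described above leaves a trail in the bucket's version history. The following Python is an added example, not part of the original article, that reads a version listing, flags any backup file written more than once, and names the original version to restore. The listing is constructed and shaped like the `Versions` entries of an S3 ListObjectVersions response; the example assumes each backup run writes uniquely named files, so a second version of any key is unexpected.

```python
from datetime import datetime, timezone

# Constructed sample, shaped like the "Versions" entries of an S3
# ListObjectVersions response. Keys, version ids and sizes are invented.
SAMPLE_VERSIONS = [
    {"Key": "backup_2024-05-01_db.gz", "VersionId": "v2-constructed",
     "LastModified": datetime(2024, 5, 9, 3, 14, tzinfo=timezone.utc),
     "Size": 0},
    {"Key": "backup_2024-05-01_db.gz", "VersionId": "v1-constructed",
     "LastModified": datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc),
     "Size": 48231904},
    {"Key": "backup_2024-05-08_db.gz", "VersionId": "v1-constructed",
     "LastModified": datetime(2024, 5, 8, 2, 0, tzinfo=timezone.utc),
     "Size": 48990112},
]

def find_overwritten_backups(versions):
    """Flag keys written more than once and name the version to restore."""
    by_key = {}
    for v in versions:
        by_key.setdefault(v["Key"], []).append(v)
    findings = []
    for key in sorted(by_key):
        history = sorted(by_key[key], key=lambda v: v["LastModified"])
        if len(history) < 2:
            continue  # written once and never touched again
        original, latest = history[0], history[-1]
        # A zero-length or much smaller latest version is the pattern the
        # article describes; a same-size rewrite is marked for review only.
        shrunk = latest["Size"] < original["Size"] // 2
        findings.append({
            "key": key,
            "restore_version": original["VersionId"],
            "overwritten_at": latest["LastModified"].isoformat(),
            "severity": "high" if shrunk else "review",
        })
    return findings
```

To audit a real bucket, pass in the `Versions` list returned by boto3's `list_object_versions`, called with credentials other than the ones stored on the site.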
It is important that you only ever use your restricted Amazon S3 credentials on your web site, never your Amazon account credentials. Your Amazon credentials should be kept securely.
Quick tip: If you have multiple WordPress sites to backup, create a different Amazon S3 bucket and credentials for each site. If one site is hacked then the other backups are not exposed.
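The per-site, write-and-read-but-not-delete credentials described in this section can be checked mechanically. The following Python is an added example, not part of the original article or of UpDraftPlus, that builds a policy for one site's bucket and audits any policy for permissions that would let stolen site credentials destroy old backups, including suspending versioning or changing lifecycle rules. The bucket names are hypothetical, and the exact list of actions the plugin needs is an assumption to confirm against its documentation.

```python
import fnmatch

# Actions that let stolen site credentials destroy or expire old backups.
DESTRUCTIVE = [
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
    "s3:PutBucketPolicy",
]

def backup_policy(bucket):
    """Policy for one site's backup bucket: list, read and write only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }

def _as_list(value):
    # IAM allows a single string or object where a list is expected.
    return value if isinstance(value, list) else [value]

def audit(policy, bucket):
    """Return problems that break the write-and-read-but-not-delete model."""
    problems = []
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append("NotAction/NotResource allows everything unlisted")
        # Action names are case-insensitive and may contain * wildcards.
        for pattern in _as_list(stmt.get("Action", [])):
            for action in DESTRUCTIVE:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    problems.append(f"{pattern} grants {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in allowed:
                problems.append(f"resource {resource} is outside {bucket}")
    return problems
```
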
How often to backup
So we’ve determined what to backup, where to backup to, how to make the backups tamper resistant, we have automation, and we have reporting. We still need to answer the question, how often to backup?
The answer to this question is: “it depends”. If you are an avid content creator then daily might be appropriate. If you post a new blog weekly then weekly backups would be appropriate. If you upload a month of blog posts and schedule their publication time, then you might only need to back up just after you upload. As a general rule, you can’t have too many backups so err on the side of too frequently rather than less frequently. Really, Amazon S3 storage is very economical so that shouldn’t be a deterrent from creating as many backups as you need.
How long to keep backups
With backups tucked away safely on a remote server, the next question is: “how long do we keep them?” Again, it depends. Amazon S3 allows lifecycle rules to be created on each bucket so, once configured, you don’t even need to worry about it. Unless you have a reason for a shorter or longer retention period, you can start out with three to six months. With a typical WordPress site you are unlikely to need to go back more than six months. If you are a corporate in a regulated industry, you may need to be able to recover information from backups going back five years or more if you find the information you may have published is in breach of some regulation. For the majority of us though, that scenario doesn’t apply.
Testing your backup
We’ve now met all the above requirements except testing… OK, hands up. Who tests their backups? Be honest. When was the last time you did a test restore? Where did you restore to? How did you know your restore was a success?
Testing your backups is an important step. Firstly it proves that your backups are valid, and secondly it gives you practice that will be valuable if you ever find yourself needing to restore your web site.
I recommend using a pre-built WordPress virtual machine to restore your site to. There are a number of advantages.
- Speed – once you’ve downloaded your backup files everything runs locally so is likely to be much faster
- No data costs as you won’t need to be online to test the restore
- Iterable – by taking snapshots of the state of the virtual machine you can quickly restore to a point in time and try again if something goes wrong
- Further testing – once the backup is restored you can take a virtual machine snapshot and use it as a test bed for any major changes you want to try out before updating your main site.
You will need software that runs the virtual machine. On Windows, Linux, and MacOS you can download and run VirtualBox. There are other virtual machine platforms that you may already be familiar with, depending on your operating system.
The one caveat is that, to run a virtual machine, you will need a modern PC or laptop with at least 4GB of memory and about 20GB of free disk space. You may also need to enable a setting in the computer’s BIOS. All of this information is covered in the VirtualBox installation instructions.
Virtual machine images and instructions are available at a number of sites including:
The virtual machine images are around 500MB so you’ll need patience or a high speed Internet connection. Some sites will send you physical media for a moderate cost.
Oracle VirtualBox is entirely free to download and weighs in at around 70 – 80MB. VirtualBox is available from Oracle Corporation and the VirtualBox community site.
You only need to install VirtualBox and the virtual machine image once.
How to restore your UpDraftPlus backup
The UpdraftPlus site has detailed instructions on how to restore your backup. You should refer to the UpDraftPlus documentation for the latest information.