This guest post is by Anders Vinther of The WordPress Security Checklist.
Do you have insurance on your car? And on your house? Of course you do.
Do you have insurance on your WordPress site?
A good backup plan is your insurance policy on your WordPress site!
You might be a serious blogger who is already aware of the value represented by your WordPress site. The time and money you have invested in building it. The income stream it provides. The audience you have attracted. The traffic you get.
Or maybe you are a hobby blogger, and over time you have, little by little, built significant value on your site, be that emotional or monetary value.
Your web presence is like your real life presence. You buy your first house, move in, and get your first home and contents insurance based on the value of your possessions at the time. And ten years later you are still only insured for that initial value.
As with your real house, your WordPress site could disappear in an instant.
It does not matter if the reason is criminal intent, a natural catastrophe, or an accident. If you do not have good insurance, you have to start again from scratch.
So just how good is your WordPress insurance?
Here I’ve compiled a list of the most common WordPress backup mistakes, and added a few tips on how to avoid them.
In no particular order, these are the mistakes:
- not making a backup at all
- not making a complete backup
- relying on manual backups
- not getting the backup frequency right
- relying on your hosting company’s backup
- only storing your backup on your hosting account
- not storing your backups securely
- not testing your backup
- not storing your backups long enough.
Not making a backup at all
Yes, it’s sad, but it happens more often than you would think! Some people don’t take out insurance either. Don’t be one of them.
Tip: Do make backups!
Not making a complete backup
Some WordPress plugins only back up your WordPress database. WordPress consists of a database and a number of files. Unless you have a good backup of everything you probably don’t have anything!
A backup of your database will take you some of the way to a working site, but without images, plugins and themes (some of which might have been customized), you are a long way away from a fully functional site. And if you only have a backup of your files you have lost all your settings, posts and comments.
Tip: Make sure you back everything up!
Relying on manual backups
When the topic of WordPress backups comes up on discussion forums, there is almost always someone who swears by manual backups.
Why is that a problem?
Computers are excellent at performing routine tasks at scheduled intervals. Human beings, not so much. We tend to forget. And go on holidays. Before we know it, it’s been six months since we last made a backup. All of a sudden we desperately need that backup. That’s when grown men start crying.
Tip: Let the computers do what they do best: automate your backups!
Not getting the backup frequency right
If your WordPress site changes daily, a monthly backup schedule could cost you up to a month’s work.
If your site changes monthly and you make daily backups, storing only 30 backup archives, you could be left without a usable backup archive. This could happen if you discover that you were infected with malware three months ago, for instance.
Different parts of your WordPress site change at different frequencies.
If you have a large site, you might want to split up your backup based on the update frequency:
- Themes and plugins rarely change.
- Backups of the uploads directory can be split by year, or even by month if necessary. Under normal circumstances, only the directory for the current month changes.
- The database might change daily if you get many comments or release new posts.
Tip: Understand your site and adopt a backup schedule that fits!
Relying on your hosting company’s backup
Many hosting companies back up their customers’ accounts on their behalf.
While this is a very good service, you need to ask yourself some questions about it:
- What will you do if your hosting company cannot give you your backup archives?
  - If they go bankrupt and everything is shut down from one day to another.
  - If they are hacked and all their data disappears (see 4800 Aussie Sites Evaporate After Hack).
  - If they can only go back one month and you need to go further back.
  - If the backup you need did not complete successfully for whatever reason.
- What do they back up?
- How often do they back up?
- For how long do they keep the backup files?
- Can they restore single files or tables in the database selectively?
- Have you tested that they can restore your data?
While relying on your hosting provider to back up your data can be a very convenient solution to an unwanted technical challenge, it is most likely not the right solution for you.
You need control.
Consider that it is quite simple to implement a good backup strategy of your own. If you use the right WordPress plugin, you can customize your backup jobs to match the needs of your WordPress site. And your backup archives can be stored in an offsite location that’s completely under your control.
Best of all, the solution does not have to cost you a thing if you know how to do it right.
Fortunately the strategy is laid out in my article WordPress Backup – The Plugin and The Plan, which has easy-to-follow instructions.
Tip: While your hosting company’s backups can be a good complement to your own, don’t let them be the only backups you have!
Only storing your backup on your hosting account
Your hosting provider might offer you daily backups of your account. And most WordPress backup plugins allow you to store backups on your hosting account.
But your hosting account might be compromised and all data erased, or the server might crash, losing all your data. You get the picture.
That is why we recommend that you have at least two separate backup locations: your hosting account could be one, but make sure at least one of them is off site. Even if you lose one backup location, you’ll still have your backup archives.
If you’re paranoid, you can also store a backup on a USB drive in your bank vault. You need to ask yourself: how much is your business (web site) worth?
Tip: Make sure you have complete control over at least one copy of your backup archive and store it outside of your hosting account.
Not storing your backups securely
Your backups contain sensitive data. For example, your database userid and password, and the names of your administrative users are stored in your backup archives. If your backup falls into the wrong hands, this makes it too easy for malicious parties to break into your site.
Some backup plugins allow you to email a backup to yourself. Email is inherently insecure. You have no control over the path an email follows on the way to your inbox, for example. And it gets even worse if you create a webmail account with an easy-to-remember (and easy-to-guess) password.
Imagine what happens if a hacker takes over control of your webmail account: you have not only left the doors to your WordPress site wide open, but also lost your offsite backup! Ouch!
It is much safer to upload your backup archives via Secure FTP to an offsite location, or store them on a Dropbox, Amazon S3, or Google Drive account which only you have access to.
Tip: Make sure you store your backups in a safe location.
For more information on this topic see the post Are WordPress Backups On Dropbox Safe?
Not testing your backup
An essential part of backing up your WordPress site is to test that the backup can be restored. This is a step that many people miss. But it is a crucial step.
Testing that you can restore your backup serves two purposes:
- It ensures that your backup software has created a useful backup archive.
- It forces you to learn and practice the procedure for restoring your WordPress site.
Would you rather discover that the restore process is broken or the backup archive is unusable while you are testing, or while you are trying to restore your live site after a breakdown?
Ideally you need to test your backup every time the backup software is updated. But at a minimum you should do this once per year. At the same time, you can review your backup plan to determine if you need to change the frequency of your backups.
Tip: Make sure you can successfully restore your WordPress site from your backup!
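A first-pass check that a backup archive holds both the files and the database (the "complete backup" point above) and can be read to the end, written here as an added example rather than taken from any backup plugin. It assumes a single .tar.gz archive with the database dump stored as a .sql file; the function names and sample paths are hypothetical. Passing this check is not a restore test, it only catches archives that could never be restored.

```python
import io
import tarfile

# Assumed layout (hypothetical): one .tar.gz holding the WordPress files
# plus a database dump whose name ends in .sql.
REQUIRED = {
    "wp-config.php": lambda n: n.endswith("wp-config.php"),
    "themes": lambda n: "wp-content/themes/" in n,
    "plugins": lambda n: "wp-content/plugins/" in n,
    "uploads": lambda n: "wp-content/uploads/" in n,
    "database dump": lambda n: n.endswith(".sql"),
}


def missing_parts(archive_bytes):
    """Return the sorted list of required parts absent from a backup archive.

    Every member is read to the end, so a truncated or corrupt archive
    raises an exception (EOFError or tarfile.ReadError) instead of passing.
    """
    found = set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if not data:
                continue  # an empty dump or file does not count as present
            for part, matches in REQUIRED.items():
                if matches(member.name):
                    found.add(part)
    return sorted(set(REQUIRED) - found)


def build_sample(paths):
    """Build a constructed in-memory .tar.gz with the given member names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path in paths:
            payload = b"constructed sample data\n"
            info = tarfile.TarInfo(path)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```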
Not storing your backups long enough
One of the great reasons why you need a good backup is to make your blog easier to recover if someone breaks into your site.
Cyber criminals who compromise WordPress sites for financial gain (stealing traffic, boosting their own SEO rankings, posting ads etc.) do not want you to find out that your site has been compromised.
This means it could be months before you realize that you have been hacked.
If you do daily backups and only store them for 30 days, you could easily be out of luck when it comes to restoring your site.
I recommend that you use a mix of different backup types:
- a daily backup that you store for two weeks
- a weekly backup that you store for three months
- a monthly backup that you store for two years.
This allows you to go up to two years back in time if needed.
Of course, you can adjust the retention period of each type of backup to suit your needs.
With the right choice of backup software this can all be run on auto-pilot with automatic purging of old backup archives to manage your space requirements.
Tip: Make sure your backup strategy allows you to go far enough back in time!
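The purge decision behind the daily, weekly and monthly mix recommended above, as an added example that is not code from any particular backup plugin. It assumes "three months" means 92 days and "two years" means 730 days, and that the oldest archive in each calendar month counts as the monthly backup and the oldest in each ISO week as the weekly one; all function names are hypothetical.

```python
from datetime import date, timedelta

# Retention periods from the article; the day counts chosen for
# "three months" and "two years" are assumptions.
DAILY_KEEP = timedelta(days=14)
WEEKLY_KEEP = timedelta(days=92)
MONTHLY_KEEP = timedelta(days=730)


def classify(backup_dates):
    """Label each backup date 'monthly', 'weekly' or 'daily'.

    Assumption: the oldest archive in a calendar month is the monthly
    backup, the oldest in an ISO week is the weekly one, and every other
    archive is a daily one.
    """
    labels, seen_months, seen_weeks = {}, set(), set()
    for d in sorted(set(backup_dates)):
        month = (d.year, d.month)
        week = tuple(d.isocalendar()[:2])
        if month not in seen_months:
            labels[d] = "monthly"
        elif week not in seen_weeks:
            labels[d] = "weekly"
        else:
            labels[d] = "daily"
        seen_months.add(month)
        seen_weeks.add(week)
    return labels


def plan_purge(backup_dates, today):
    """Return (keep, purge) lists of dates under the three-tier policy."""
    limits = {"daily": DAILY_KEEP, "weekly": WEEKLY_KEEP, "monthly": MONTHLY_KEEP}
    keep, purge = [], []
    for d, kind in classify(backup_dates).items():
        (keep if today - d <= limits[kind] else purge).append(d)
    return keep, purge


def latest_clean_restore_point(keep, compromised_on):
    """Newest kept backup taken before the site was compromised, or None."""
    clean = [d for d in keep if d < compromised_on]
    return max(clean) if clean else None
```

Run `plan_purge` against the dates of the archives you actually hold and delete only what lands in the purge list; `latest_clean_restore_point` then shows how far back you can go once you know when a compromise began.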
Don’t get caught out!
As the old saying goes, “Real men don’t make backups, but they cry a lot”.
With these tips, you can avoid the common pitfalls and sleep well at night knowing that no matter what happens, you’ll be able to recover your blog.
It doesn’t have to cost you anything to have a good backup plan, but it could cost you the world if you don’t!