This guest post is by Anders Vinther of The WordPress Security Checklist.
Do you have insurance on your car? And on your house? Of course you do.
Do you have insurance on your WordPress site?
A good backup plan is your insurance policy on your WordPress site!
You might be a serious blogger who is already aware of the value represented by your WordPress site. The time and money you have invested in building it. The income stream it provides. The audience you have attracted. The traffic you get.
Or maybe you are a hobby blogger, and over time you have, little by little, built significant value on your site, be that emotional or monetary value.
Your web presence is like your real life presence. You buy your first house, move in, and get your first home and contents insurance based on the value of your possessions at the time. And ten years later you are still only insured for that initial value.
As with your real house, your WordPress site could disappear in an instant.
It does not matter if the reason is criminal intent, a natural catastrophe, or an accident. If you do not have good insurance, you have to start again from scratch.
So just how good is your WordPress insurance?
Here I’ve compiled a list of the most common WordPress backup mistakes, and added a few tips on how to avoid them.
In no particular order, these are the mistakes:
- not making a backup at all
- not making a complete backup
- relying on manual backups
- not getting the backup frequency right
- relying on your hosting company’s backup
- only storing your backup on your hosting account
- not storing your backups securely
- not testing your backup
- not storing your backups long enough.
Not making a backup at all
Yes, it’s sad, but it happens more often than you would think! Some people don’t take out insurance either. Don’t be one of them.
Tip: Do make backups!
Not making a complete backup
Some WordPress plugins only back up your WordPress database. WordPress consists of a database and a number of files. Unless you have a good backup of everything you probably don’t have anything!
A backup of your database will take you some of the way to a working site, but without images, plugins and themes (some of which might have been customized), you are a long way away from a fully functional site. And if you only have a backup of your files you have lost all your settings, posts and comments.
Tip: Make sure you back everything up!
Relying on manual backups
When the topic of WordPress backups comes up on discussion forums, there is almost always someone who swears by manual backups.
Why is that a problem?
Computers are excellent at performing routine tasks at scheduled intervals. Human beings, not so much. We tend to forget. And go on holidays. Before we know it, it’s been six months since we last made a backup. All of a sudden we desperately need that backup. That’s when grown men start crying.
Tip: Let the computers do what they do best: automate your backups!
Not getting the backup frequency right
If your WordPress site changes daily, a monthly backup schedule could cost you up to a month’s work.
If your site changes monthly and you make daily backups, storing only 30 backup archives, you could be left without a usable backup archive. This could happen if you discover that you were infected with malware three months ago, for instance.
Different parts of your WordPress site change at different frequencies.
If you have a large site, you might want to split up your backup based on the update frequency:
- Themes and plugins rarely change.
- Backups of the uploads directory can be split by year, or even by month if necessary. Under normal circumstances, only the directory for the current month changes.
- The database might change daily if you get many comments or release new posts.
Tip: Understand your site and adopt a backup schedule that fits!
Relying on your hosting company’s backup
Many hosting companies back up their customers’ accounts on their behalf.
While this is a very good service, you need to ask yourself some questions about it:
- What will you do if your hosting company cannot give you your backup archives?
  - If they go bankrupt and everything is shut down from one day to another.
  - If they are hacked and all their data disappears (see 4800 Aussie Sites Evaporate After Hack).
  - If they can only go back one month and you need to go further back.
  - If the backup you need did not complete successfully for whatever reason.
- What do they back up?
- How often do they back up?
- For how long do they keep the backup files?
- Can they restore single files or tables in the database selectively?
- Have you tested that they can restore your data?
While relying on your hosting provider to back up your data can be a very convenient solution to an unwanted technical challenge, it is most likely not the right solution for you.
You need control.
Consider that it is quite simple to implement a good backup strategy of your own. If you use the right WordPress plugin, you can customize your backup jobs to match the needs of your WordPress site. And your backup archives can be stored in an offsite location that’s completely under your control.
Best of all, the solution does not have to cost you a thing if you know how to do it right.
Fortunately the strategy is laid out in my article WordPress Backup – The Plugin and The Plan, which has easy-to-follow instructions.
Tip: While your hosting company’s backups can be a good complement to your own, don’t let them be the only backups you have!
Only storing your backup on your hosting account
Your hosting provider might offer you daily backups of your account. And most WordPress backup plugins allow you to store backups on your hosting account.
But your hosting account might be compromised and all data erased, or the server might crash, losing all your data. You get the picture.
That is why we recommend that you have at least two separate backup locations: your hosting account could be one, but make sure at least one of them is off site. Even if you lose one backup location, you’ll still have your backup archives.
If you’re paranoid, you can also store a backup on a USB drive in your bank vault. You need to ask yourself: how much is your business (web site) worth?
Tip: Make sure you have complete control over at least one copy of your backup archive and store it outside of your hosting account.
Not storing your backups securely
Your backups contain sensitive data. For example, your database userid and password, and the names of your administrative users are stored in your backup archives. If your backup falls into the wrong hands, this makes it too easy for malicious parties to break into your site.
Some backup plugins allow you to email a backup to yourself. Email is inherently insecure. You have no control over the path an email follows on the way to your inbox, for example. And it gets even worse if you create a webmail account with an easy to remember (and to guess) password.
Imagine what happens if a hacker takes over control of your webmail account: you have not only left the doors to your WordPress site wide open, but also lost your offsite backup! Ouch!
It is much safer to upload your backup archives via Secure FTP to an offsite location, or store them on a Dropbox, Amazon S3, or Google Drive account which only you have access to.
Tip: Make sure you store your backups in a safe location.
For more information on this topic see the post Are WordPress Backups On Dropbox Safe?
Not testing your backup
An essential part of backing up your WordPress site is to test that the backup can be restored. This is a step that many people miss. But it is a crucial step.
Testing that you can restore your backup serves two purposes:
- It ensures that your backup software has created a useful backup archive.
- It forces you to learn and practice the procedure for restoring your WordPress site.
Would you rather discover that the restore process is broken or the backup archive is unusable while you are testing, or while you are trying to restore your live site after a breakdown?
Ideally you need to test your backup every time the backup software is updated. But at a minimum you should do this once per year. At the same time, you can review your backup plan to determine if you need to change the frequency of your backups.
Tip: Make sure you can successfully restore your WordPress site from your backup!
For more information, see How To Test Your WordPress Backup and Have You Tested Your Backup Solution Lately?
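An added example (not from the original post or from any backup plugin) that covers both the "complete backup" and "test your backup" points: a check, run before a test restore, that an archive opens and holds the site files as well as the database. It assumes a tar archive with the usual WordPress paths, exactly one mysqldump-style `.sql` file and the default `wp_` table prefix; `check_backup` and `make_sample` are names invented here.

```python
import io
import tarfile

# Assumptions: a tar archive holding the site files under the usual WordPress
# paths plus one mysqldump-style .sql file, with the default "wp_" prefix.
REQUIRED_PATHS = ("wp-config.php", "wp-content/themes/",
                  "wp-content/plugins/", "wp-content/uploads/")
REQUIRED_TABLES = ("wp_posts", "wp_comments", "wp_options", "wp_users")


def check_backup(fileobj):
    """Return the problems found in a backup archive (empty list = passed)."""
    try:
        archive = tarfile.open(fileobj=fileobj, mode="r:*")
    except tarfile.TarError as exc:
        return ["archive cannot be opened: %s" % exc]
    problems = []
    with archive:
        files = [m for m in archive.getmembers() if m.isfile()]
        names = [m.name[2:] if m.name.startswith("./") else m.name for m in files]
        for path in REQUIRED_PATHS:
            is_dir = path.endswith("/")
            if not any(n.startswith(path) if is_dir else n == path for n in names):
                problems.append("missing " + path)
        dumps = [m for m in files if m.name.endswith(".sql")]
        if not dumps:
            problems.append("no database dump (.sql) in archive")
        for dump in dumps:
            found = set()
            for line in archive.extractfile(dump):  # stream: dumps can be large
                found.update(t for t in REQUIRED_TABLES
                             if b"CREATE TABLE `%s`" % t.encode() in line)
            problems += ["%s lacks table %s" % (dump.name, t)
                         for t in REQUIRED_TABLES if t not in found]
    return problems


def make_sample(members):
    """Build a constructed in-memory .tar.gz from {name: bytes} for a demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

An empty result only says the archive is worth restoring to a scratch site; the restore itself is still the test the section describes.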
Not storing your backups long enough
One of the great reasons why you need a good backup is to make your blog easier to recover if someone breaks into your site.
Cyber criminals who compromise WordPress sites for financial gain (stealing traffic, boosting their own SEO rankings, posting ads etc.) do not want you to find out that your site has been compromised.
This means it could be months before you realize that you have been hacked.
If you do daily backups and only store them for 30 days, you could easily be out of luck when it comes to restoring your site.
I recommend that you use a mix of different backup types:
- a daily backup that you store for two weeks
- a weekly backup that you store for three months
- a monthly backup that you store for two years.
This allows you to go up to two years back in time if needed.
Of course, you can adjust the retention period of each type of backup to suit your needs.
With the right choice of backup software this can all be run on auto-pilot with automatic purging of old backup archives to manage your space requirements.
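The mixed retention scheme above, worked through as an added example (not from the original post or any backup plugin): it decides which archives to keep and which to purge, and lets you check that a copy from before a months-old compromise still exists. It assumes Sunday's archive serves as the weekly backup and the archive from the 1st as the monthly one, and approximates three months and two years as 92 and 730 days.

```python
from datetime import date, timedelta

# Retention windows from the article. The day counts for "three months" and
# "two years" are approximations chosen for this example.
KEEP_FOR = {
    "daily": timedelta(days=14),
    "weekly": timedelta(days=92),
    "monthly": timedelta(days=730),
}


def backup_tiers(day):
    """Tiers an archive taken on `day` belongs to.

    Assumption: Sunday's archive doubles as the weekly backup and the
    archive from the 1st of the month doubles as the monthly backup.
    """
    tiers = {"daily"}
    if day.weekday() == 6:  # Sunday
        tiers.add("weekly")
    if day.day == 1:
        tiers.add("monthly")
    return tiers


def should_keep(day, today):
    """Keep an archive while any tier it belongs to is still in its window."""
    age = today - day
    return any(age <= KEEP_FOR[tier] for tier in backup_tiers(day))


def plan_purge(backup_days, today):
    """Split archive dates into (keep, purge), each sorted oldest first."""
    keep = sorted(d for d in backup_days if should_keep(d, today))
    purge = sorted(d for d in backup_days if not should_keep(d, today))
    return keep, purge


def newest_before(archive_days, cutoff):
    """Newest archive taken strictly before `cutoff`, or None if none is left."""
    older = [d for d in archive_days if d < cutoff]
    return max(older) if older else None


# Constructed sample: one archive per day for the two years up to 2013-01-15.
TODAY = date(2013, 1, 15)
ALL_DAYS = [TODAY - timedelta(days=n) for n in range(731)]
KEEP, PURGE = plan_purge(ALL_DAYS, TODAY)
```

With this sample, 49 of the 731 archives are retained, and `newest_before(KEEP, date(2012, 10, 15))` still finds the 1 October archive, whereas a flat 30-day window has nothing from before that date.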
Tip: Make sure your backup strategy allows you to go far enough back in time!
Don’t get caught out!
As the old saying goes, “Real men don’t make backups, but they cry a lot”.
With these tips, you can avoid the common pitfalls and sleep well at night knowing that no matter what happens, you’ll be able to recover your blog.
It doesn’t have to cost you anything to have a good backup plan, but it could cost you the world if you don’t!
Check out Anders Vinther’s free WordPress Security Checklist, which is all about protecting your WordPress assets properly and sleeping well at night.
All of those were pretty much common sense but sometimes they need to be stated out loud.
Job well done.
Important topic with solid advice. Anyone that has ever had their WordPress site hacked understands the need and importance of having a WordPress backup (xml export, files from files system and dump of the MySQL database). Sometimes only the xml export is required, but for more severe hacks, you may need all three.
Like insurance, the issue is sometimes that a loss has to occur before the site owner will take action. Many Internet marketers develop and sell WordPress sites without hardening the installation and not educating the new site owner of the need to maintain WordPress and Plugins at current release levels as well as periodic backups to minimize risk of loss.
Thanks for sharing.
No, I don’t think they are common, they are common because you knew it. Many new bloggers don’t, or even some advanced ones don’t, have the time for backing up.
Nice job Anders, you remind me of something.
Common sense is not so common. I worked with ERP software for years and you’d be horrified how many businesses do not regularly backup or do not backup to an offsite location. When it all falls over, everyone else is responsible!
Loving this post! Especially since I see that I am guilty of mistake #5 Relying on your hosting company’s backup. Luckily I’ve never had any issues but my blog is fairly new, so you never know :)
Thanks for the great advice, will need to look into better “insurance” options for my blog.
Blogging is a versatile tool wherein you can express your very self and your business freely and creatively. Of course, you need some backups to make in order for you to avoid unfortunate events in the future. The guidelines are here. You just have to read them.
I didn’t brainstorm so many questions about hosting company backup before. You are right that any uncertainty can happen with them. Moreover your complete backup option has a logic which many bloggers do not concentrate always.
I am using a premium plugin that backs up all the database, themes and plugins. But I haven’t tested its restore capability still. Useful sharing.
I love the point “your web presence is like your real life presence”. It is as important as life to me because I have spent many nights and days in building it up. The person who sees day by day growth of his/her blog cannot avoid this post. Thanks for a wonderful post
I wrote a similar post back in 2011.
Add to why not to rely on Hosting backup
- What if their backup was done after you were hacked? Them restoring what they have does not really solve the issue/problem.
Also as an added precaution I save the WordPress page for the posts, pages and setting pages on my computer. This way if for some reason the other method of manual backup is hooped I have another backup plan that might take a bit longer to restore the blog the way it was (complete with the right day and time of original post) but I can do it.
A lot of people live edit their themes and CSS. Dangerous situation. If you don’t have a backup before playing you have nothing to instantly restore the tampered with files with.
Backing up system might be common but sometimes we forget the common issues. Thanks from me also for reminding these issues.
Excellent point excellent timing Anders,
Even though the world didn’t end today it’s still a good excuse to BACK IT UP. DO IT NOW.
Don’t forget to back up the backups this is one common mistake that leaves most people burned.
Back up your back ups off site. Better to be safe than sorry.
I agree with you, you have shared such a good post. Thanks a lot for sharing this great post.
Very good tips making some common mistakes on backing up WordPress sites. There are so many mistakes one can do on backups. We rely too much on hosting and we think that it’s all being taken care of but you will be surprised that it’s not.
I really like your tip about not relying on your host’s backup. Your host is definitely a viable option for getting a backup of your WordPress site but it shouldn’t be your sole source.
I have done 1 mistake and that is I have not checked my backup. Going to check it out now?
BTW The post is awesome and old saying is really good.
Thanks for the post.
Excellent post. I think that if you are not making back up of your WordPress website then you are doing one of the biggest mistakes in blogging!
If you have a good blog then hackers are always there to hack your blog and they find methods to hack it, I have been using Backup buddy to make a back up of my blog.
It would be better to make your backup whenever you do a new post!
I used to rely completely on my hosting company’s backups. I’ve since automated my own backup process, however I haven’t ever tried testing it. Don’t even remember how to upload it. Add that to the to do list…
Thanks for this helpful post. Are there any new plugins for backing up the database that you can offer? Especially in 2013.