In 2014, a web hosting company called Code Spaces was attacked. Hackers gained access to their Amazon Web Services control panel and, when ransom negotiations failed, systematically deleted all data - including all customer backups stored on the same infrastructure. The company closed within 12 hours.
This isn't scare-mongering. It's a reminder that your website - possibly years of work, customer data, and your online presence - can disappear in minutes. The only question is whether you can get it back.
The Horror Stories Are Real
Every web developer has stories. Here are a few that illustrate why backups matter:
The accidental deletion: A business owner logged into WordPress to "tidy up" and accidentally deleted several years of blog posts - content that drove significant organic traffic. No backup existed. The posts were gone forever.
The plugin conflict: A routine plugin update crashed an e-commerce site on Black Friday. Without a recent backup, the owner couldn't roll back. They lost an estimated ยฃ15,000 in sales during the eight hours it took to fix manually.
The disgruntled developer: A small business had a falling out with their web developer, who still had admin access. The site was deleted, and the hosting backup had been disabled months earlier.
The ransomware attack: A WordPress site was infected with malware that encrypted the database. The attackers demanded payment. The site owner refused, restored from a backup, and was back online within two hours.
The difference between these outcomes? Backups.
What Actually Needs to Be Backed Up
A website isn't just files on a server. It's multiple components that all need preserving.
1. Website Files
This includes:
- Core system files - WordPress core, your CMS platform, etc.
- Theme files - the design and layout of your site
- Plugin/extension files - all the added functionality
- Uploaded content - images, PDFs, videos you've uploaded
- Custom code - any bespoke development work
Without the files, you have no website structure.
2. Database
For WordPress and most content management systems, the database contains:
- All your pages and posts
- User accounts
- Settings and configuration
- Product information (for e-commerce)
- Customer orders and data
- Comments and form submissions
Without the database, you have an empty shell.
3. Configuration Files
Often overlooked, these include:
- wp-config.php (WordPress) - contains database connection details
- .htaccess - server configuration rules
- Environment variables - API keys, connection strings
- Cron jobs - scheduled tasks
Without these, even if you have files and database, the site may not function.
4. Email
If you use email on your domain:
- Mailbox contents
- Email settings and forwarding rules
- Contact lists
5. DNS Records
Not stored on your server but critical:
- Your DNS settings that point your domain to your hosting
- Email routing records (MX records)
- Security records (SPF, DKIM, DMARC)
Keep a documented copy of these. If your domain settings are lost, you'll need to recreate them.
How Often Should You Back Up?
There's no universal answer. It depends on your site.
Daily Backups
Essential for:
- E-commerce sites processing orders
- Sites with user-generated content
- Blogs updated frequently
- Any site where daily changes have business value
Weekly Backups
Suitable for:
- Brochure sites with occasional updates
- Portfolio sites
- Small business sites with static content
Before Any Change
Always back up before:
- Updating WordPress core
- Updating plugins or themes
- Making design changes
- Adding new functionality
- Changing hosting or domain settings
- Letting anyone new access the admin
This is non-negotiable. "I'll just make this quick change" has preceded countless disasters.
The 3-2-1 Backup Rule
This principle comes from data recovery professionals and is considered best practice:
3 - Keep at least three copies of your data 2 - Store them on at least two different media types 1 - Keep at least one copy off-site
For a website, this might look like:
- Live site - your actual website on the server
- Hosting backup - automatic backup from your host
- Independent backup - stored in cloud storage (Dropbox, Google Drive, AWS) or downloaded to your computer
The point is redundancy. If one backup fails, you have another. If your hosting company has a catastrophic failure, you have a copy elsewhere.
Hosting Backups vs Independent Backups
What Your Host Provides
Most quality hosts offer automatic backups. But they have limitations:
Typical hosting backup limitations:
- May only keep 7-14 days of history
- Often stored on the same server infrastructure
- You may not be able to access them directly
- Restoration might require contacting support
- If your account is suspended, backups may be inaccessible
- Not always tested or guaranteed
Always ask your host:
- How often are backups made?
- How long are they retained?
- Where are they stored?
- Can you restore yourself or do you need support?
- Are they guaranteed or "best effort"?
Why You Need Independent Backups
Hosting backups are your first line of defence, but you need backups you control because:
- Account issues - If your hosting account is suspended (payment failure, ToS violation, security incident), you might lose access to host-provided backups
- Company problems - Hosting companies occasionally go bust. Your backups shouldn't depend on their survival
- Insufficient retention - Seven days isn't enough if malware was installed two weeks ago
- Single point of failure - If the host's infrastructure is compromised, backups may be too
The Solution: Defence in Depth
Use both:
- Enable and verify your hosting backups (free/included)
- Set up independent backups to storage you control (small ongoing cost)
The cost of independent backup (often ยฃ3-10/month for small sites) is trivial compared to rebuilding your entire website.
Backup Solutions by Platform
WordPress
UpdraftPlus (Most Popular)
- Free version covers most needs
- Backs up to cloud storage (Dropbox, Google Drive, S3)
- Scheduled automatic backups
- Easy restoration
- Premium version adds more destinations and features
BlogVault
- Real-time backups for high-traffic sites
- Staging sites included
- Managed restore process
- Premium service (from ยฃ60/year)
Jetpack Backup (VaultPress)
- Daily or real-time options
- Integrated with Jetpack suite
- One-click restore
- From ยฃ35/year (daily) to ยฃ135/year (real-time)
All-in-One WP Migration
- Great for manual backups and site migration
- Free version has size limits
- Simple interface
Wix, Squarespace, Shopify (Hosted Platforms)
These platforms handle infrastructure backups, but they're not comprehensive:
Wix:
- Site History feature saves versions
- Can duplicate entire site
- No native backup export for database
- Third-party tools like Rewind offer additional backup
Squarespace:
- Export content as XML
- Export products as CSV
- No complete site backup
- Keep manual exports regularly
Shopify:
- Export products, customers, orders
- Theme files can be downloaded
- No one-click full backup
- Third-party apps like Rewind Backups recommended
Custom/Static Sites
- Git version control - every change is backed up
- Export databases regularly via phpMyAdmin or command line
- Download files via FTP/SFTP
- Automate with scripts if you're technical
Testing Your Backups (The Step Everyone Skips)
Here's an uncomfortable truth: most people never test their backups until they need them.
And that's when they discover the backup is incomplete, corrupted, or they have no idea how to use it.
How to Test WordPress Backups
- Set up a test environment - A subdomain (test.yoursite.com) or local development environment
- Restore the backup - Follow the exact process you'd use in an emergency
- Verify everything works - Check pages, images, forms, e-commerce functionality
- Document the process - Write down the steps while they're fresh
- Time it - Know how long restoration actually takes
What to Look For
- All pages and posts present and correct
- Images displaying properly
- Forms submitting successfully
- E-commerce products and checkout working
- User accounts functioning
- No error messages
How Often to Test
- Full test: At least quarterly
- Quick verification: Monthly (download a backup, check the file sizes look right, open and inspect a few files)
If testing reveals problems, fix them now - not during an emergency.
How to Restore From a Backup
When disaster strikes, you need to act quickly but carefully. Here's the general process:
Before Restoring
- Assess the situation - What exactly has happened? Do you need a full restore or can you fix the issue?
- Don't make it worse - Avoid making additional changes that might complicate recovery
- Choose the right backup - Pick the most recent clean backup (if hacked, this might not be the most recent)
- Document current state - Screenshot error messages, note what's broken
WordPress Restoration (UpdraftPlus Example)
- Access WordPress admin (if possible) or fresh WordPress install
- Install UpdraftPlus if not already present
- Go to Settings > UpdraftPlus Backups
- Click "Restore" next to the desired backup
- Select components to restore (files, database, or both)
- Wait for restoration to complete
- Verify site is working
- Update admin passwords and check for vulnerabilities
If You Can't Access WordPress Admin
- Access hosting control panel (cPanel or similar)
- Restore files via File Manager or FTP
- Restore database via phpMyAdmin
- Update wp-config.php if database credentials changed
- Access site and verify
After Restoration
- Change all passwords - Admin, FTP, database, hosting
- Update everything - WordPress, plugins, themes
- Scan for malware - Ensure no infection remains
- Investigate cause - Understand what happened to prevent recurrence
- Review backup system - Make sure backups are current and tested
What You Can Do This Week
Don't let this article become another "I should get around to that" item. Here's a practical checklist to act on now:
Day 1: Audit Your Current Situation
- Log into your hosting and find where backups are stored
- Check when the last backup was made
- Confirm what's included (files, database, both?)
- Note how long backups are retained
Day 2: Set Up Independent Backup
- Choose a backup solution (UpdraftPlus is free and effective for WordPress)
- Install and configure it
- Set up automatic schedule (daily for active sites, weekly minimum)
- Configure off-site storage (Google Drive, Dropbox, etc.)
Day 3: Create and Test
- Run a manual backup now
- Download a copy to your computer
- Document where backups are stored
- Write down the restoration steps
Day 4: Document Everything
- Create a "disaster recovery" document with:
- Hosting login details (securely stored)
- Backup access instructions
- Restoration steps
- Emergency contacts (host support, web developer)
- Store this document somewhere accessible even if your site is down
Day 5: Set a Calendar Reminder
- Monthly: Verify backups are running
- Quarterly: Test restoration process
- Before any updates: Run manual backup first
The Bottom Line
Website backups aren't exciting. They're not visible to your customers. They don't directly make you money.
But when something goes wrong - and eventually, something will - backups are the difference between a minor inconvenience and a business-ending disaster.
The cost of proper backups:
- 30 minutes to set up
- A few pounds per month for cloud storage
- A few minutes monthly to verify
The cost of not having backups:
- Days or weeks of rebuilding
- Lost customer data and trust
- Potential legal liability
- Revenue lost during downtime
- Possibly everything
Don't learn this lesson the hard way. Set up proper backups today, test them regularly, and sleep better knowing your business website can survive whatever happens.