Chapter 7. Backing up Your Entire WordPress Website

This is a chapter from my book “A Practical Handbook for WordPress Themes”. Keep reading here, or download the full Amazon Kindle version.

While this chapter isn’t specific to themes, working with themes means we will be adding, modifying and deleting parts of our website, including the database. Backing up your entire website—database included—will give you peace of mind, and ensure you can take a step or two back if things go badly.

What Does Backing Up Mean?

To back up your website means to make a copy of every file (WordPress Core, themes, images, and other content) and store it in a safe place for later. To back up your database means to export it as a .sql file (pronounced “sequel”) and store it in a safe place. Together they are your entire website/blog, and can be used to reinstall a part or all of your website.

Sounds tedious, but the beauty of WordPress is that the WordPress community has made numerous plugins and online services that can do this for you automatically and automagically. Depending on the backup option you choose, you can also use your backup file to:

  • clone your site and create a development site/URL (such as
  • migrate your website to a new web host (moving from GoDaddy to HostGator)
  • move to a subfolder (from to or subdomain (from to

What Are We Looking for in a Backup?

Your specific needs and requirements may vary and expand beyond this, but I recommend three basic things in a good backup plugin or service: it should be scheduled or automatic, it should be secure, and it should copy everything.

Scheduled Backup

I highly recommend scheduled backups since it is not always possible to remember to initiate a backup, or even to be able to. Depending on the plugin or service you choose, these can be hourly, daily, weekly, or at other designated intervals. At the end of this chapter I tackle the age-old question, “How often should I back up my site?” This is where scheduled backups will come in handy.

Automatic Backup

This is similar to scheduled backups, but is usually set up to happen only when there has been a change made to your site. If you add an image, change a Post, update a theme, then the backup will initiate and save all the additional and changed files.

Secure Backup

It is imperative that you keep your backup files safe. Your WordPress site contains a couple of very important files that you need to back up, but that can also be used to gain access to your website, server, and database. One of them is the wp-config.php file in the root of the WordPress Core. It has the login info for the database. The database is the other file that contains your information and content. While a seasoned hacker or bot can use a vulnerability to inject code into your site’s files without these two, gaining access to these makes it infinitely easier.

We’ll go over more security considerations in the following sections of this chapter.

Copy it all

You save little and take a big risk by being frugal with what you back up. I’ve seen some backup plans only saving the themes folder and nothing else. Another was only backing up the WordPress Core (which includes the themes). In both cases, the database was being forgotten.

Keep in mind that your database is where the bulk of your content (Pages, Posts, theme settings, comments, users, and more) is stored. Losing that is far more detrimental than losing your theme or WordPress Core.

The last reason you should copy it all was mentioned above in that you can now easily clone, migrate, or move your site as you see fit. (Some backup plans/services have push-button functionality in that you can clone, migrate, or move your site in a matter of minutes from their control panel.)

Caution: Be careful where you store the backup and how you handle it, as everything a hacker needs to gain access to your website and database can be found in this backup.

How Do We Set This Up?

There are numerous options when it comes to backing up your site, but it usually boils down to four types:

  • your web host’s backup service,
  • a WordPress plugin,
  • a third-party service,
  • the manual method

You can use one, some, or all of these. Let’s go over each of these options.

Web host plan

Virtually all major web hosting companies have a backup plan. Some offer it for free. Some do it whether you want it or not. And some sell it as an add-on service. Either way, backing up your website using your web host is typically one of the easiest ways to go because there is often nothing to install or maintain. In some cases, you can use your cPanel (control panel) to schedule a periodic backup service or you can initiate one immediately.

Depending on the web host company and the web hosting plan you signed up for, you may even be able to install a backup with a simple click in the cPanel. Others may require you to call their customer service to install a backup. Check with your web host for details about its backup plans.

The backup file may be stored separate from the other files on the website, or in a folder that is not publicly accessible. This can be a bit of a drawback in that the backup may not be accessible to you via the cPanel file manager or even FTP. You may need to ask your web host’s customer service for access. It’s an added layer of security, but (depending on the web host) can be hard to access if you need to.

Managed hosting

The ‘other’ web hosting option is a managed web host. The vast majority of the managed hosting plans I have seen come with a backup plan as a standard—even mandatory—feature for all sites. Some even scan your backup files for malware, as well as a bevy of other great features. In some cases, managed hosting is less expensive and easier than a handful of other added services you may be paying for already.

WordPress plugin

One of my favorite things about WordPress is the sheer multitude of plugins available. This can also be a problem when you are looking for a backup plugin and there are dozens of them: which do you choose? (I’ll help you with that in a minute.)

With a WordPress plugin, you have full control over your backups. Some plugins have a scheduler and the ability to back up only parts of your site or the entire thing, as well as reinstall a backup when you need to. In virtually all cases, you have access to your backup files.

There are so many backup plugins today that it can take a good block of time to decide on one. So, after trying a dozen of them, and listening to others’ experiences, I feel confident in suggesting the following backup plugins. Obviously you should do your own extensive research into each of these before choosing one—these are only suggestions. (And no, I do not have any affiliation with these plugins.)

BackUpWordPress by Human Made Limited — This really is a simple, free plugin to set up and use. It has a scheduler, the ability to ignore certain folders, and even gives you the choice to back up only the database, only the site files, or both. The backups are stored in a folder inside your WordPress Core, but it uses a unique naming convention for the backup storage folder to keep bots from guessing it. The drawback for some is that reinstalling the backup is a manual process. Another drawback to storing your own files on your own server is that if your server goes down you will lose access to your backups while it is down.

VaultPress by Automattic — Being that this is developed by the very people that operate WordPress, I feel very confident it will be supported longer than any free plugin. And that’s the catch: there is a monthly fee to use it. But, seriously, with three tiered plans to choose from, and the fact that they scan your files for security threats as well as help you clean up some common threats, you really should look through their features.

BackupBuddy by iThemes — This is another paid service, but my favorite part of this is that you can have your backups sent to your Dropbox, Amazon S3, RackSpace accounts, an FTP server or even emailed to you (though I highly caution you against ever emailing your backups. Email is not a safe place for your backups, ever.) You can even reinstate a backup from the dashboard, as well as clone your site to a development server, or vice versa.

ManageWP by ManageWP — Not only is this a backup service, but it’s like the Swiss Army knife for managing all of your individual WordPress sites. As far as backups go, they have a plan that allows you to store your backups on your Amazon S3, Dropbox, or Google Drive accounts. They even have an app for smartphones. It is definitely worth checking out.

If you choose to use a backup plugin, make sure you update it as needed. These plugins deal with sensitive information, so you want to make sure you always have the latest version installed. If you go with a plugin+service like VaultPress, ManageWP or BackupBuddy, really make sure the login for your account uses a strong username and password.

Multiple websites. If you operate or manage dozens of websites, the following solution—third party services—may be easier than having to manage another plugin across all of the sites. (Though, you can use a web app like InfiniteWP to manage all of your WordPress sites, themes and plugins from one Admin Panel. This is slightly different than WordPress Multisite in that it can work across sites owned by different individuals—like clients—and still remain independent.)

Third-party services

In this case I am talking about backup services that do not require you to install a WordPress plugin, but instead back up your website files and database remotely. This can be done through a remote login into your cPanel, a content delivery network (CDN), or other proprietary means. The takeaway here is that the act of backing up your site is controlled at the server level and in most cases the files are not stored on your server but instead on the company’s servers. In the vast majority of cases, no controls or plugin will be integrated into the WordPress Admin Panel; everything is controlled through their website and/or a mobile app.

Third-party solutions are often platform agnostic, meaning they don’t care if you are running WordPress, Drupal, or have a static HTML website. What matters is typically the type of database you are running—WordPress uses MySQL—and which web host and cPanel you have. As with the VaultPress and BackupBuddy plugins above, you will be granting this company access to your website via your server, so be discerning when it comes to which company you sign up with.

One of the biggest reasons people choose to use a third party service is that it is highly scalable. You can set these up so that every domain and website you add can be managed using one account/application. No plugins to update and manage across multiple sites.

A huge benefit to using a third party will be covered below in “Store backups offsite.”

An example of a third-party backup service is SiteVault.

Lastly, there is the manual method, one of the most secure methods. Don’t discount this on the basis it sounds tedious. After reading the options above, you will notice that a common concern runs through them: you are relying on someone else to create a secure and safe plugin/application, and trusting that they handle your backups properly. One way to ensure things get done the way you want is to do it yourself. It’s fairly easy.

All you need is access to your cPanel file manager where you will compress your entire website into a .zip file, then download it to your local drive (or better yet, to your Dropbox, Box, Google Drive or other cloud storage sync folder), and then delete the .zip file from the server. Deleting the .zip file from the server is really important since it contains the wp-config.php file that has your database login information.

You can also download your entire site via FTP, but be sure you zip the files up first. It can take a long time to download your website one file at a time.

The last step is logging into your phpMyAdmin and exporting your database as a .sql file. Some cPanels allow direct access to phpMyAdmin, whereas other more secure cPanels require you to enter your phpMyAdmin login information (if you don’t have it, you can find it in the wp-config.php file in your WordPress Core installation’s root.)

With both—site files and the database export—you now have your entire website. What I explained above is essentially what a backup plugin does for you; only they do it much faster and in fewer steps than you can do it manually.
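One way to confirm that the manual steps above left nothing behind on the server, as an added example that is not part of the original chapter: this Python script walks a web root and flags archives, database exports and leftover copies of wp-config.php. The suffix lists, file names and the build_demo_webroot sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
import zipfile

# Extensions that commonly hold a full-site archive or a database export.
ARCHIVE_EXTS = (".zip", ".tar", ".tar.gz", ".tgz")
DUMP_EXTS = (".sql", ".sql.gz")
# Suffixes of leftover copies of wp-config.php (assumed list, extend as needed).
CONFIG_COPY_SUFFIXES = (".bak", ".old", ".orig", ".save", ".txt", "~")


def classify(path):
    """Return a reason if `path` looks like a leftover backup, else None."""
    name = os.path.basename(path).lower()
    if name.startswith("wp-config.php") and name.endswith(CONFIG_COPY_SUFFIXES):
        return "copy of wp-config.php (database credentials)"
    if name.endswith(DUMP_EXTS):
        return "database export"
    if name.endswith(".zip") and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            members = [m.lower() for m in zf.namelist()]
        if any(m.split("/")[-1] == "wp-config.php" for m in members):
            return "archive containing wp-config.php"
        if any(m.endswith(".sql") for m in members):
            return "archive containing a database export"
    if name.endswith(ARCHIVE_EXTS):
        return "archive"
    return None


def find_exposed_backups(webroot):
    """Walk `webroot`; return sorted (relative_path, reason) for suspect files."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, webroot), reason))
    return sorted(findings)


def build_demo_webroot(root):
    """Constructed sample tree: a tiny fake site with three leftovers in it."""
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    samples = {
        os.path.join(root, "wp-config.php"): "<?php // live config placeholder\n",
        os.path.join(root, "index.php"): "<?php // front controller\n",
        os.path.join(root, "wp-config.php.bak"): "<?php // leftover copy\n",
        os.path.join(uploads, "export.sql"): "-- constructed sample dump\n",
    }
    for path, text in samples.items():
        with open(path, "w") as f:
            f.write(text)
    with zipfile.ZipFile(os.path.join(root, "site-backup.zip"), "w") as zf:
        zf.writestr("public_html/wp-config.php", "<?php // placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_webroot(tmp)
        for rel, reason in find_exposed_backups(tmp):
            print(f"{rel}: {reason}")
```

Call find_exposed_backups() with your site's document root after deleting the .zip; an empty list means nothing matching these patterns is left under that folder.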

Why use a manual method? A few reasons may be that you have found plugins, web apps, and web hosts to be unresponsive, have become recently compromised, or are just too expensive. Or, maybe you just love the control that comes with doing the backup yourself.

The downside is that the manual method is for those that have only one or two websites. This is not scalable: you could spend all day manually backing up a dozen websites. Also be aware that since you are downloading a .zip file that can be in the neighborhood of 10MB to over 100MB, it can not only take a long time but it might eat into any data cap your broadband provider or web host has set for downloads.

Store Backups Offsite

In most cases I leave it up to you to determine what is best for you and your site. But with backups I strongly recommend you consider storing them (or at least a copy) offsite. Why? Time and time again web hosts experience outages anywhere from a few seconds to a few hours or days.

If the web host’s datacenter goes down for hours (like it did with HostGator, BlueHost and HostMonster in the summer of 2013), you may not be able to retrieve any files from your server, let alone a backup. That being said, if a particularly lengthy outage happens—or one you find unbearable—you can get your backup from a third-party that is storing it offsite (and hopefully they aren’t affected by the outage too!)

That being said, having a good, reputable third-party store your backups on redundant servers is a smart move. You’ll pay for this, but the cost is a tiny fraction of what it will take to rebuild your website from scratch, or the potential loss in customers/sales should your site be down for hours.

What About Using GitHub As a Backup?

Wait, what is this?

Some developers use GitHub to develop and maintain their WordPress websites. GitHub is a repository for your files that maintains a history of changes as well as version tracking. GitHub allows people to have public repositories (“repos”) used for collaboration with other developers, as well as private repos.

This is going to get a bit technical…

You can connect your private GitHub repo to your web hosting account and essentially clone your latest repo for your website to your server using secure shell (SSH). So, how it works is that you make a change to a theme file and save it locally. Then merge it with your GitHub repo, which automatically updates that file on your web hosting account. If I later find out that I totally messed up the site with this change, I can go into my repo and revert that file back to its previous state and re-sync it.

So, how do you back up your site with GitHub?

This is not a true backup in the sense that it is “version control.” Joonas Pulakka’s response on StackOverflow says it better than I could:

“The fundamental idea of version control is to manage multiple revisions of the same unit of information. The idea of backup is to copy the latest version of information to [a] safe place – older versions can be overwritten.” – Joonas Pulakka, (source)

If you are comfortable with using your Git/GitHub repo as a ‘backup’ for your website, then by all means use it. I love using GitHub for my projects and web development, but when it comes to backups I still want to know that I have 5-10 discrete and individual backups standing by, each with a matching snapshot of the database.

What Happens if I Don’t Back Up My Site?

Nothing. Millions of people do not back up their websites. Millions of people also get their sites defaced or infected, resulting in lost data, lost customers, lost trust, lost time, lost money… you get the picture. It wasn’t fun listening to a website owner cry over the phone when I told her that her website and all its data was gone because there was no backup anywhere. Countless hours of work, data and stored documents that she was never going to get back, all because someone deleted the wrong web hosting account. A complete backup (stored on a third-party server) could have had her up and running in under an hour, only losing whatever data was ingested since the last backup.

Do the right thing: periodically back up your site and store it in a safe place.

How Often Should I Back Up My Site?

I originally wrote this as a blog post for those running a website on a shared server. I modified it slightly for this book and included it below:

These guidelines are aimed at self-hosted websites for individuals, small businesses or other small to medium sized websites using shared web hosting from providers such as GoDaddy, HostGator, Bluehost, or others. Millions of websites fit this bill. If you are in charge of a major brand with household name status, you are likely using a CDN/Cloud from a large web service company and a backup system is in place. The guidelines here are more for the self-hosted websites used by those working with a tighter budget.

How to decide frequency/schedule

We will use some simple math to help estimate how often you should back up your website. After you run through the list, we’ll talk about what the total means.

  • You will need to figure out how large your website is (usually in megabytes or gigabytes). For every 50MB of storage your site takes up, +1. So, a 50MB site is +1, a 75MB site is +1.5.
  • You will need to think about how often your site gets updated. Only consider manual updates, such as adding/editing content on pages and posts, additional post comments, or other such conscious edits and additions to your site (a Twitter feed is not a manual update.) Daily is -7, every 3 days is -3, and once a week or month is -1.
  • You will need to research the average daily traffic to your site, so you need to check your site’s analytics for this. No guessing! Let’s break it down to: 1-500 unique visitors is a +2; 500-1000 is +3; 1000-5000 is +4.

The sum total of the three steps above should tell you how many days between backups. A total of zero or less is considered daily (or every other night, if you prefer.)

Example site #1: a 100MB site that gets updated daily (on average) and has 1,050 visitors a day should back up nightly (or every other night). That’s (2) + (−7) + (5) = 0.

Example site #2: a 500MB site that gets updated daily and has 4,000 visitors a day should back up every 7 days. That’s (10) + (−7) + (4) = 7.

This math doesn’t make sense!

It’s not science, but an estimator to show you how updates, size and traffic should be accounted for in your backup schedule.

I know you are thinking that a site that gets updated daily should be backed up more often, but that is not the case in example #2. For one, the size is 500MB (half a gig!) and the traffic is at a good clip of 4,000 unique visitors daily, so when you initialize your backup your shared server will respond slower and your visitors will experience slower load times (sometimes ridiculously slow, depending on the server.) Do you know how long it takes to archive 500MB of data?* So, this is something you want to do every 7 days, and make sure you do it during off hours for your site. Three a.m. is usually off hours for many sites, but you may want to check your analytics for what day and time has the least visitors historically.

In example #1, the daily schedule is ok since you have a lower visitor count and 100MB shouldn’t take too long to archive, even on a slow, shared server. But still, you should be choosing a time that is during a period of fewer visitors.

And seriously, I don’t expect you to be doing backups manually every 7th or 11th day. You should have access to a good plugin/service for your site that allows you to make a periodic backup schedule.

*Caution: Be careful with some cheaper web hosts. Backups can be resource intensive. The last time I initiated a 500MB backup via a WordPress plugin with a site on a cheap, low-budget hosting company, we crashed the whole server. Twice.

Store previous backups

Be sure to store the equivalent of about a month of backups. This way you have a good buffer between when your site had problems (i.e. “got hacked”) and when you found out about it. If you back up every night, but don’t store more than a day or two back, you have a very short runway to notice you have problems and be able to fix them with a backup. For many users it can take a month or longer to notice you got hacked or lost dozens of pages or were blacklisted by Google for some BlackHat SEO crap. Be aware though that if you back up and store 500MB of data every night for 30 days, you’re likely going to go over on your web hosting plan’s data cap. Know what your limits are.

No hard and fast rule

It is my belief that 90% of websites on a shared server do not need to back up every night. On the other hand, you do not want to go longer than a month between backups. The bigger the site (in size), the crappier the web host, and the more visitors you are serving all mean you should be backing up less often so as to not overtax the server and show your visitors a slow-loading site.

And yes, some web hosts and third-party services can back up your website nightly with little to no performance degradation (see “Third-party services” section in this chapter).

Ok, let’s install the new theme!
