Why backups matter
Things go wrong: a bad update, a hack, accidental deletion, or a failed migration. Backups let you restore your site to a known good state instead of starting from scratch Source 1 .
A backup you have not tested is not a backup you can trust. This guide covers what to back up, how often, where to keep it, and how to test a restore.
What to back up
1) Database
If your site uses a database (e.g. WordPress, Shopify backend, custom CMS), the database holds your content, settings, and user data. Back it up regularly.
2) Files
Code, themes, plugins, uploads (images, PDFs), and config files. For static sites, “files” is the whole site; for dynamic sites, include the web root and any uploads or media directories.
3) Configuration
Environment variables, .htaccess, config files that are not in the repo. Document where they live so you can restore them.
For more on security and maintenance, see website maintenance checklist and website security for small businesses.
How often to back up
- Before any big change: Theme or plugin update, migration, or bulk edit. Take a backup immediately before you start.
- Regular schedule: Daily for sites that change often (e.g. blog, shop). Weekly for mostly static sites. Do not go longer than a week without a backup.
- Retention: Keep at least a few restore points (e.g. last 7 daily + last 4 weekly) so you can go back further if a problem went unnoticed.
Where to store backups
- Off the server: Do not keep the only copy on the same server as the live site. If the server is lost or compromised, you lose the backup too Source 2 .
- Separate location or provider: Use cloud storage (e.g. S3, Backblaze, Google Drive) or a backup service that stores copies elsewhere.
- Access control: Limit who can access backups. They contain your full data.
How to test a restore
At least once a quarter, restore a backup to a test environment (staging, local, or a temporary subdomain) and check that the site works.
- Restore files and database: Follow the same steps you would use in a real disaster.
- Check key flows: Homepage loads, key pages work, login works, forms submit, checkout or enquiry flow works (if applicable).
- Document the process: Write down the steps so anyone who might need to restore can follow them.
If you cannot restore successfully, fix your backup or process before you need it for real.
Hosting and plugin backups
Many hosts and plugins (e.g. UpdraftPlus, BackupBuddy, host control panel backups) can automate backups and store them off-server. Check what your host offers and whether it includes database + files + off-server storage.
Do not rely on a single method: e.g. host backups plus a plugin or script that sends a copy elsewhere. Redundancy reduces risk.
Summary
Back up database, files, and config; do it before big changes and on a regular schedule; keep copies off the server; and test a restore at least quarterly. Use hosting or plugin backups but add a second copy elsewhere so you are not dependent on one place.
Sources
- [1] WordPress.org. WordPress. Security. Back to article
- [2] NCSC. Web application security guidance. Back to article