WordPress Backup Strategy: How Often, Where, and How to Test

Date: Apr 8, 2026

A backup you have never restored is not a backup — it is an assumption. Most WordPress owners install a backup plugin, watch the first run finish, and never check it again until something breaks. This guide is the strategy layer almost every other article skips: how often a WordPress backup strategy should run, where copies should live, how long to keep them, and how to prove they actually work.

If you have not yet locked down the rest of your site, start with our WordPress security checklist — backups are the safety net that lets every other security layer fail gracefully.

What is the 3-2-1 backup rule for WordPress?

The 3-2-1 backup rule means keeping 3 copies of your data, on 2 different types of media, with 1 copy stored off-site. Apply it to WordPress and you get a recoverable site even if your host disappears, your laptop dies, or ransomware encrypts your office network on the same afternoon.

The rule was popularised by photographer Peter Krogh in his book The DAM Book: Digital Asset Management for Photographers, and was later referenced by US-CERT as a baseline data-protection standard. It has held up for two decades because the maths is simple — three independent failures on the same day are rare; one or two are not.

For a WordPress site, your three copies usually look like this:

  • Copy 1: the live site on your hosting server
  • Copy 2: an automated backup on the same host (cPanel snapshot, host-side backup)
  • Copy 3: an off-server copy in cloud storage or on a local drive

Two of those live on rotating digital media. One is fully off-site. That is a real WordPress backup strategy.

Figure: Three copies, two different media types, one off-site — the 3-2-1 rule.

How often should you back up your WordPress site?

There is no single right answer — frequency should match how often your site changes. A brochure site that updates twice a year does not need hourly backups. A WooCommerce store taking orders every hour absolutely does.

Use this as a starting framework:

| Site type | What changes | Recommended frequency | Retention |
| --- | --- | --- | --- |
| Brochure / business website | Pages, contact details, occasional posts | Weekly full + before every update | 30 days |
| Content blog | New posts several times a week, comments | Daily database + weekly full | 30-60 days |
| WooCommerce store | Orders, customers, stock, payments | Hourly database + daily full | 60-90 days |
| Membership / LMS site | User data, lessons, progress | Hourly database + daily full | 60-90 days |

Two rules apply across every row. First, always take a fresh snapshot before running plugin, theme, or core updates — that single habit lets you roll back a broken update in minutes instead of hours. Second, your database should back up more often than your files, because the database changes faster and is smaller to copy.

Where should you store WordPress backups?

The single most common backup mistake is storing the only copy of your backup on the same server as the live site. If that server fails, gets compromised, or your hosting account is suspended, you lose the site and the backup in the same incident.

Think in layers, not locations. A complete WordPress backup strategy uses three or four storage layers stacked together:

  1. Server-side host snapshot — your hosting provider takes a daily image of the whole server. Fast to restore, but you do not control the schedule and it disappears if the host disappears.
  2. cPanel or DirectAdmin backup — generated inside your control panel and downloadable as a single archive. Useful for migrations and quick restores. If you are choosing a panel for your account, our cPanel vs DirectAdmin guide covers the trade-offs.
  3. Off-server cloud copy — pushed automatically from a backup plugin or a cron job to Google Drive, Amazon S3, Backblaze B2, Wasabi, or Dropbox. All five are accessible from Ghana, Nigeria, and Kenya.
  4. Off-network cold copy — a periodic download to an external drive that lives in a drawer, not on a network. This is your last line of defence against ransomware that can reach networked storage.

You do not need all four. A brochure site can sit comfortably on layers 1, 2, and 3. A WooCommerce store should run all four. If you need step-by-step setup instructions for any of these methods, our step-by-step WordPress backup setup guide walks through the four practical ways to create the backups themselves.

Figure: The four storage layers, stacked from server-side to off-network.

How long should you keep WordPress backups?

Retention is the question almost nobody answers correctly. Keeping one rolling backup looks tidy but leaves you defenceless against the most common WordPress disaster — a malware infection you do not notice for two or three weeks.

A practical retention policy looks like this:

  • Last 7 daily backups — for fast rollback after a bad update or accidental edit
  • Last 4 weekly backups — for catching slower issues like a plugin compatibility problem
  • Last 3 to 6 monthly backups — for catching malware, defacements, or SEO injections that hide for weeks
  • One annual archive — for compliance, audits, and “what did the site look like a year ago” questions

Hundreds of thousands of WordPress sites are compromised each year, and many infections sit dormant for weeks before triggering. If your retention window is shorter than your detection window, your only “clean” backup is already infected. A 30-to-90-day retention window catches the gap.
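The retention tiers above can be expressed as a pruning rule. The following is an added example, not code from this guide or from any backup plugin: `select_keep` and `newest_clean` are hypothetical names, the backup history is constructed, and the monthly tier uses the upper bound of the 3-to-6 range. It compares a single rolling backup with the tiered policy when an infection is 21 days old.

```python
from datetime import date, timedelta

def select_keep(backup_dates, daily=7, weekly=4, monthly=6, yearly=1):
    """Return the backup dates to keep; anything else may be pruned.

    Defaults follow the policy above (assumption: monthly = 6, the upper bound).
    The weekly, monthly and yearly tiers keep the newest backup in each period.
    """
    newest_first = sorted(set(backup_dates), reverse=True)
    keep = set(newest_first[:daily])

    def keep_newest_per(period_of, limit):
        periods = {}  # insertion order = newest period first
        for d in newest_first:
            periods.setdefault(period_of(d), d)  # first hit is the newest in its period
        keep.update(list(periods.values())[:limit])

    keep_newest_per(lambda d: tuple(d.isocalendar())[:2], weekly)  # (ISO year, ISO week)
    keep_newest_per(lambda d: (d.year, d.month), monthly)
    keep_newest_per(lambda d: d.year, yearly)
    return keep

def newest_clean(kept, infected_on):
    """Newest kept backup taken before the infection date, or None if every copy is tainted."""
    clean = [d for d in kept if d < infected_on]
    return max(clean) if clean else None

def demo():
    # Constructed sample: one backup per day for 120 days, infection 21 days ago.
    today = date(2026, 4, 8)
    history = [today - timedelta(days=n) for n in range(120)]
    infected_on = today - timedelta(days=21)
    rolling = select_keep(history, daily=1, weekly=0, monthly=0, yearly=0)
    tiered = select_keep(history)
    return newest_clean(rolling, infected_on), newest_clean(tiered, infected_on), len(tiered)

if __name__ == "__main__":
    print(demo())
```

In this sample the four weekly copies reach back only 17 days, so the clean restore point comes from the monthly tier, and the whole policy costs 13 stored archives out of 120.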

Mid-article tip: LuminWeb WordPress hosting plans include regular automated server-side backups via cPanel/DirectAdmin. Pair them with an off-server copy and you are already two-thirds of the way to a complete 3-2-1 strategy.

Backup plugin vs cPanel backup vs host backup: which should you use?

Most articles frame this as a choice. It is not. Each layer covers a failure mode the others miss. Layer them.

| Backup type | Strengths | Weaknesses | Best used as |
| --- | --- | --- | --- |
| Host server backup | Whole-server image, fast restore, runs without your input | You do not control timing, lost if host account is lost | Disaster-recovery baseline |
| cPanel / DirectAdmin backup | Single downloadable archive, ideal for migrations | Manual unless scripted, can be heavy on shared hosting | On-demand snapshots, migrations |
| Backup plugin | Granular schedules, off-site uploads, easy restore | Runs inside WordPress (a compromised site can break it), can fail silently | Off-server cloud layer + database-only schedules |
| Cloud-only service | Versioned, off-site by default, monitored | Subscription cost, depends on third-party uptime | Off-site copy for high-value sites |

Many of the tools in our comparison of the best WordPress security plugins also include backup features. That convenience is fine for the off-server layer — but never let one plugin be your only line of defence.

How to test a WordPress backup (the quarterly restore drill)

Untested backups are the single biggest reason recovery fails. Industry surveys consistently find that a large share of organisations never test their backups, and most of those that do discover failures only when restoration is attempted. Schedule a test once every quarter — put it in the calendar like a tax deadline.

Here is a simple four-step drill that takes about an hour:

  1. Create a staging environment — a subdomain like staging.yoursite.com on the same hosting account, or a free local environment on your laptop.
  2. Restore your most recent backup into staging — files first, then database. Update the site URL inside the database to match the staging domain.
  3. Walk the critical paths — homepage loads, login works, a key product page loads, the contact form sends, and (for WooCommerce) you can add an item to cart and reach checkout.
  4. Document what worked and what did not — note any missing files, broken images, lost configuration, or steps that needed manual fixing. Fix those gaps in your live backup configuration before the next quarter.

If your live site is ever hacked, you will be glad you ran this drill — and our recovery guide for hacked WordPress sites walks through the rest of the response.

7 backup mistakes that quietly break recovery

Every one of these is fixable in an afternoon. Most WordPress owners are guilty of at least three.

  1. Storing the backup on the same server as the live site. Lose the server, lose both.
  2. Backing up files but not the database. Your content, users, and orders all live in the database.
  3. Never running a restore test. A backup that has never been restored is an assumption.
  4. No off-network copy. Ransomware that reaches networked storage will encrypt your cloud backups too.
  5. One-day retention. A malware infection from two weeks ago is already in your only backup.
  6. No monitoring. Silent backup failures can run for months before anyone notices.
  7. No pre-update snapshot. Updates break sites — a 30-second snapshot lets you roll back instantly. Pair this habit with our plugin security audit before every update window.
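Mistakes 2 and 6 can be caught automatically between restore drills. The following is an added example, not code from this guide or from any plugin: `check_backup` and `build_sample` are hypothetical names, and it assumes a `.tar.gz` backup with the database dump stored inside as a `.sql` file, the default `wp_` table prefix, and a 26-hour freshness limit for a daily schedule.

```python
import io, tarfile, time, zlib

REQUIRED_PATHS = ("wp-config.php", "wp-content/")
REQUIRED_TABLES = {"wp_options", "wp_posts", "wp_users"}  # assumes default "wp_" prefix

def check_backup(archive, taken_at, now=None, max_age_hours=26):
    """Return a list of problems in a .tar.gz backup; an empty list means it passed."""
    now = time.time() if now is None else now
    problems, names, tables = [], [], set()
    if (now - taken_at) / 3600 > max_age_hours:
        problems.append("stale backup")  # the schedule has silently stopped
    try:
        with tarfile.open(fileobj=archive, mode="r:gz") as tar:
            for member in tar:
                names.append(member.name)
                if not member.isfile():
                    continue
                is_sql = member.name.endswith(".sql")
                for line in tar.extractfile(member):  # reading every byte surfaces truncation
                    if is_sql and line.startswith(b"CREATE TABLE `"):
                        tables.add(line.split(b"`")[1].decode())
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        return problems + ["unreadable archive: %s" % type(exc).__name__]
    for path in REQUIRED_PATHS:
        if not any(path in n for n in names):
            problems.append("missing " + path)
    if not any(n.endswith(".sql") for n in names):
        problems.append("no database dump")  # files were backed up, the database was not
    else:
        problems += ["dump lacks table " + t for t in sorted(REQUIRED_TABLES - tables)]
    return problems

def build_sample(with_db=True):
    """Constructed sample: a tiny in-memory archive shaped like a WordPress backup."""
    files = {"site/wp-config.php": b"<?php // constructed\n",
             "site/wp-content/themes/x/style.css": b"/* constructed */\n"}
    if with_db:
        files["site/db.sql"] = b"".join(
            b"CREATE TABLE `%s` (\n  id int\n);\n" % t.encode() for t in sorted(REQUIRED_TABLES))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

A pass here only shows that the newest archive is recent, readable, and contains both files and core tables; the staging restore is still what proves the site comes back.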

Backup realities for businesses in Ghana, Nigeria, and Kenya

Generic backup advice assumes always-on power and unlimited bandwidth. Neither is a given here. A few practical adjustments make a big difference.

  • Schedule large file backups for off-peak hours. A 5GB upload over mobile data in the middle of the day costs you bandwidth and customers. Run nightly backups when both are quiet.
  • Plan around power cuts. If your office uploads cold copies to an external drive, do it from a laptop on battery — a power cut mid-write can corrupt the archive.
  • Use cloud storage with regional access. Google Drive, Backblaze B2, Wasabi, Amazon S3, and Dropbox all work reliably across Ghana, Nigeria, and Kenya. Pick one and stick to it.
  • Keep one local copy. International cloud restores can be slow over mobile data. A local archive on a drawer drive lets you start a recovery the same hour, not the next day.
  • Pair backups with login hardening. A backup is worthless if an attacker keeps wiping the server before you can restore — close the entry point first by following our login security guide.

Putting it together: a starter 3-2-1 plan you can deploy this week

Pick the row that matches your site, then deploy these three layers in order:

  1. Confirm your host runs daily server-side backups. If they do, that is layer one. If not, change hosts.
  2. Schedule plugin backups to an off-server cloud account. Database hourly or daily, files weekly. That is layer two and your off-site copy in a single move.
  3. Download a monthly archive to a local drive — the one that lives in a drawer, not on the network. That is layer three and your ransomware insurance.

Then put the quarterly restore drill in your calendar. That is the entire strategy.

You now have the full WordPress security mesh

This post completes the LuminWeb WordPress security cluster. You now have a full strategy stack: a WordPress security checklist as the master plan, a plugin security audit for the biggest attack surface, login security and brute-force defence at the front door, a recovery guide for hacked sites for the worst day, the best WordPress security plugins compared for tooling decisions, and now a backup strategy that lets every other layer fail gracefully.

Get started with LuminWeb WordPress hosting — automated server-side backups are included on every plan, so the host-side layer of your 3-2-1 strategy is covered from day one. Pair that with the off-server and off-network layers in this guide, and you are running a backup strategy most enterprises would sign off on.
