How often should I back up my WordPress site?

Daily for the database (posts, comments, settings — small and fast to back up). Weekly for full files (themes, plugins, uploads — larger). If you run WooCommerce or a membership site, consider real-time or hourly database backups. A sale or new member you can't restore is lost revenue.

Where should I store backups?

Never only on your server. If the server dies, your backups die with it. Use cloud storage: Google Drive (15GB free), Dropbox (2GB free), or Amazon S3 (~$0.023/GB/month). UpdraftPlus connects to all of these. I keep backups on both Google Drive and my local machine for important sites.

My host does daily backups — do I still need a plugin?

Yes. Host backups are your second line of defense, not your only one. I've seen two different hosts lose client backups during infrastructure issues — it's rare, but it happens. An independent backup to Google Drive or Dropbox is your insurance policy. Also: host backups usually can't restore individual files, just full site snapshots.

How do I test if my backup actually works?

Restore it. Set up a staging site or a local WordPress install (LocalWP is free), restore your backup there, and verify everything loads correctly. A backup you've never tested is a backup you can't trust. Do this once when you first set up your backup system, then periodically after that.

How big are WordPress backups?

Database: usually 5–50MB. Full site (with uploads): 500MB to several GB depending on media. UpdraftPlus backs up database and files separately, so daily database backups are tiny and fast. Your uploads folder is the bulk of most backups — if it's huge, consider excluding it from weekly full backups and only backing it up monthly.

What's the fastest way to restore after a hack?

Restore a backup from before the hack, not after. The tricky part: you need to know when the hack happened. Check your server logs or use a security plugin like Wordfence — it logs when malicious files were first created. Restore a backup from 24–48 hours before that timestamp, then immediately update all plugins, themes, and passwords.

Can I back up a WordPress site without a plugin?

Yes, via cPanel's backup tool or command line. In cPanel: Backup Wizard → Full Backup. Via SSH: mysqldump for the database, zip or tar for files. These work but require manual effort every time. For regular automated backups, a plugin is far easier for most people.

WordPress Backup Guide 2026: Free Tools, Schedules, and Recovery

I lost a client site once. A plugin update broke the database, no backup was configured, the host had no recent snapshots. Three months of content — gone. No recovery was possible. That was the last time I ever set up a WordPress site without configuring backups first.

Your site will break eventually. A bad plugin update, a hack, a host outage, or your own mistake. The only question is whether you have a backup to restore from. Here's how to set up bulletproof, automated backups for free — and what to do when disaster strikes.

By Jason Chen·Updated Feb 2026·12 min read

The 3-2-1 Backup Rule

3 copies of your data, on 2 different storage types, with 1 copy off-site. For WordPress: your live site (copy 1), your host's backup (copy 2), and UpdraftPlus to Google Drive (copy 3, off-site).

Most people stop at copy 1 and 2 — live site plus host backup. That's what every site I've ever had to recover had in common. The off-site copy is the one that saves you when your host has a catastrophic failure or when the hack affects the host's backup system too.

What Gets Backed Up

WordPress has two separate things you need to back up — treat them differently because they change at different rates and have different sizes.

Database (MySQL)

All posts, pages, and comments
User accounts and roles
Plugin and theme settings
WooCommerce orders and products
Widget configurations

Size: 5–50MB typically. Changes every time someone publishes, comments, or makes a purchase. Back up daily.

Files

wp-content/uploads (your images and media)
wp-content/themes (your theme files)
wp-content/plugins (your plugins)
wp-config.php (database credentials)
.htaccess (server rules)

Size: 500MB–5GB+. Changes mainly when you update themes/plugins or upload new media. Back up weekly.

Backup Tools Compared

UpdraftPlus

Free / $70/yr Pro

Schedule: ✅ AutomatedRestore: ✅ One-click

Best for: Best free backup plugin. Period.

Backs up files and database separately, stores to cloud, restores with one click. The free version does everything most sites need. Pro adds incremental backups, more storage destinations, and multisite support. I've used this on every WordPress site I manage.

Storage: Google Drive, Dropbox, S3, OneDrive, email

Duplicator

Free / $49.50/yr Pro

Schedule: Free: manual only / Pro: ✅ automatedRestore: ✅ Installer wizard

Best for: Best for migrations that double as backups.

Creates a complete site package (files + database) as a single archive. Originally a migration tool, but the packages work perfectly as backups. Free version is manual-only — Pro adds scheduled backups. Useful if you're already using it for migrations.

Storage: Local, Google Drive, S3, Dropbox (Pro)

BlogVault

$89/yr

Schedule: ✅ Real-timeRestore: ✅ One-click + staging

Best for: Best if you want off-site backups with zero server load.

Backs up to their own servers, not yours. Incremental backups mean minimal server load. Includes staging, migration, and malware scanning. Expensive but comprehensive — worth it for high-traffic or revenue-generating sites.

Storage: BlogVault cloud (off-site)

WP-CLI + cron (manual)

Free

Schedule: ✅ Via server cronRestore: Manual (but fast with the right scripts)

Best for: Best for developers who want full control.

wp db export for database, rsync or tar for files, cron job for scheduling. No plugin overhead. You need command-line access (VPS or SSH) and basic scripting knowledge. Once set up, it's the most reliable option.

Storage: Anywhere you script it

Setting Up UpdraftPlus (5 Minutes)

The Google Drive authentication step trips up a lot of people — there's a note about that below.

1
Install and activate UpdraftPlus
Go to Plugins → Add New, search "UpdraftPlus", install and activate. It adds a menu under Settings.
2
Go to Settings → UpdraftPlus Backups → Settings tab
This is where you configure schedules and storage.
3
Set file backup schedule: Weekly, retain 4 copies
This covers your themes, plugins, and uploads. Weekly is usually enough unless you upload media constantly.
4
Set database backup schedule: Daily, retain 14 copies
Your posts, comments, and orders change daily. Retaining 14 copies gives you 2 weeks of history to restore from.
5
Choose remote storage: Google Drive
Click the Google Drive logo. UpdraftPlus opens an authentication window — log in with your Google account and click "Allow". You'll be redirected back to WordPress. Important: if the redirect doesn't work, copy the authorization code from the Google page and paste it into the UpdraftPlus settings box manually.
6
Click "Save Changes"
UpdraftPlus is now configured. The first backup runs automatically on your schedule.
7
Test immediately: click "Backup Now"
Run a manual backup, then click "Restore" to verify the backup is actually restorable. Don't skip this step — the point of a backup is that you can use it.

Which Hosts Include Backups?

Bluehost and GoDaddy both charge extra for backups — that's a legitimate reason to switch hosts. Everyone else below includes them free.

Host	Daily Backups?	Retention	One-Click Restore?	Extra Cost?
SiteGround	✅	30 days	✅	Free
WP Engine	✅	30 days	✅	Free
Cloudways	✅	7 days (configurable)	✅	Free
InterServer	✅	7 days	✅	Free
Hostinger	✅	7–30 days	✅	Free
Bluehost	✅	—	—	$2.99/mo add-on
GoDaddy	✅	—	—	$2.99/mo add-on

When Disaster Strikes: Step-by-Step Recovery

This is the section most backup guides skip. Knowing how to restore is as important as having the backup. Here's the exact process:

Scenario 1: Site is down after a plugin update

1.Try wp-admin first. If it loads, go to Plugins → deactivate the recently updated plugin.
2.If wp-admin doesn't load, use FTP/SFTP or cPanel File Manager to rename the plugin folder (e.g., bad-plugin → bad-plugin-disabled). WordPress deactivates it automatically.
3.If that doesn't fix it, restore the database backup from before the update. In UpdraftPlus: Settings → UpdraftPlus Backups → choose the backup → Restore → Database only.

Scenario 2: Site was hacked

1.Identify when the hack happened. Install Wordfence (free), run a scan — it shows file modification timestamps. Or check your server logs for the first 404/attack patterns.
2.Restore a backup from 24–48 hours before that timestamp, not after. A post-hack backup contains the malware.
3.After restoring: update all plugins and themes. Change WordPress admin password, database password, and FTP credentials. The vulnerability that was exploited is still there unless you patch it.

Scenario 3: Full restore via UpdraftPlus

1.Install a fresh WordPress and UpdraftPlus on the new server or current one if you're doing a clean restore.
2.Go to Settings → UpdraftPlus Backups → "Upload backup files" or reconnect to Google Drive.
3.Select the backup you want → click Restore → check all boxes (Database, Plugins, Themes, Uploads, Others) → click Restore.
4.UpdraftPlus restores everything and redirects you to the restored site. Total time: 10–30 minutes depending on backup size.

Backup Mistakes That Bite People

Storing backups only on the same server

UpdraftPlus defaults to storing backups locally. If your server has a disk failure or the host loses data, your backups are gone. Always configure remote storage (Google Drive is free and easy) as the primary destination.

Never testing a restore

A backup that's never been restored is a backup you don't know works. Files can be corrupt. The database can have errors. Test your restore in LocalWP or a staging environment at least once. It takes 20 minutes and saves you hours of panic later.

Backing up only the database, forgetting uploads

Your posts are in the database, but your images are in wp-content/uploads — separate from the database. A database-only restore brings back your content but without images. Always back up both.

Keeping too few copies

If you only keep 2 daily backups and your site was hacked 3 days ago, both backups contain the malware. Keep at least 7–14 daily database backups. They're small (5–50MB each) — storage cost is negligible.

Relying entirely on your host's backups

Host backups are not guaranteed. Most hosts' terms of service explicitly say backups are "best effort" and not guaranteed. I've had two clients lose data because their host's backup infrastructure failed during the same incident that took their site down. Off-site backups are non-negotiable.

FAQ

Jason Chen·Lead Reviewer & Founder

Testing hosting since 2009. 60+ accounts across major providers. Former web dev turned full-time reviewer.

Updated Mar 2, 2026·12 min read𝕏 LinkedIn

Last updated: 2026-03-08

Share:Twitter Facebook LinkedIn