How to Back Up Your WordPress Site the Right Way in 2026 (And Actually Restore It Later)

I lost a WordPress site once. Not a test site. A real one. Seven years of posts, custom theme, thousands of images. It went down on a Saturday morning because my hosting company had a storage failure. No warning. I had no backup. I spent the whole weekend trying to recover fragments from Google Cache and the Wayback Machine.

That was in 2019. Since then I back up every site I touch. If you are reading this, you probably have not lost a site yet. This post is here to make sure you never do. If you are just getting started with WordPress, this complete beginner’s roadmap is a great place to begin before setting up your backup system.

---

Why Backups Matter More in 2026 Than They Did Five Years Ago

WordPress powers about 43% of all websites. That makes it the most popular CMS on the planet and also the most attacked one. Here are four things that happen to WordPress sites every single day.

• Ransomware and malware injections. Attackers do not always delete your site. Sometimes they encrypt it or inject code that is only noticed weeks later. By then your clean backup might be 30 days old if you even have one.
• Bad plugin or theme updates. A plugin update that has a PHP conflict can take your site down in under a second. This happens to experienced developers, not just beginners.
• Accidental deletes. You meant to delete a draft. You deleted a published post with 200 internal links pointing to it. Without a backup, that post is gone.
• Hosting failures. Even good hosts have hardware failures, data center fires, and botched migrations. Managed hosting platforms are not immune either.

The rule I follow: your host’s backup is their liability protection, not yours. You need your own copy somewhere they do not control.

There is also a less obvious risk: theme or plugin conflicts after a WordPress core update. Core updates push out automatically on many installations. If a plugin has not been tested against the new version, things break. I have seen whole sections of a site go missing after a routine core update because a page builder plugin was not compatible. With a backup taken just before the update, recovery takes five minutes. Without one, you are digging through error logs hoping to figure out which of your 12 active plugins is causing the issue.

---

What a Complete WordPress Backup Includes

Before covering the three methods, you need to know what you are actually backing up. Many tutorials say “back up your site” and then only show you how to export the database. That is half a backup at best.

The Files Side

Your WordPress installation has a folder structure. The parts that matter for a backup are:

• wp-content/uploads/ — Every image, PDF, and video you have ever uploaded. This folder is irreplaceable.
• wp-content/themes/ — Your active theme plus any child themes with custom CSS or template files.
• wp-content/plugins/ — Your installed plugins. Most can be reinstalled from the WordPress.org repository, but custom or premium plugins cannot.
• wp-config.php — This file in your root folder contains your database credentials and security keys. Back it up separately.

You generally do not need to back up the WordPress core files (wp-admin and wp-includes) because those can be re-downloaded at any time. Focus on wp-content and wp-config.php.

The Database Side

Your database holds everything that lives in WordPress: posts, pages, comments, user accounts, plugin settings, theme customizer settings, menu structure, and widget configurations. Without the database, your files are a shell.

A database backup is a single .sql file. It is usually small (under 100MB for most sites) but it contains everything. Back up all tables with the wp_ prefix (or whatever prefix your install uses).

One thing beginners often miss: plugin settings live in the database, not in the plugin files. If you back up your plugins folder but not the database, you lose all your plugin configuration. You would have to reinstall and reconfigure each plugin from scratch. Always back up both.

---

Method 1: Host-Level Backup (Easiest, But Not Enough Alone)

Most hosts offer automatic backups. Managed WordPress hosts like WP Engine, Kinsta, and Cloudways run daily backups and store them for 14 to 30 days. Budget shared hosts often run weekly cPanel backups stored on the same server.

How to Access Your cPanel Backup

1. Log in to cPanel (usually yoursite.com/cpanel).
2. Find the Backup Wizard or Backup tool under Files.
3. Click Download a Full Website Backup or choose Home Directory + MySQL Databases separately.
4. Wait for the backup to generate, then download the .tar.gz file.
5. Move that file off the server immediately. Do not leave it on the same host.

How to Restore from a cPanel Backup

1. Go back to cPanel Backup Wizard and choose Restore.
2. Upload your home directory archive for files, and your .sql.gz file for the database.
3. cPanel handles the extraction. When done, visit your site to confirm it loads correctly.
4. If pages look broken, go to Settings > Permalinks in WordPress and click Save Changes to flush rewrite rules.

The Limitation You Cannot Ignore

Host backups are stored on the same infrastructure as your site. If your host has a catastrophic failure, both your site and their backup copy can disappear at the same time. I have seen this happen. Treat your host’s backup as a convenience feature, not your primary safety net.

There is also the issue of retention. Many shared hosting providers only keep 7 to 14 days of backups. If you get hacked and the malware is not noticed for three weeks, every backup your host has could already include the infected files. This is why off-site, independent backups with a longer retention window matter so much.

---

Method 2: Plugin Backup (Best for Most People)

Backup plugins automate everything. You set them up once, point them at an off-site storage location, and they run on a schedule without you thinking about it. This is what I use on every site I manage. For a comparison of other essential WordPress plugins, see our roundup of the best WordPress caching plugins which covers how to evaluate plugin quality before installing.

UpdraftPlus

UpdraftPlus is the most installed WordPress backup plugin, with over three million active installs. The free version covers everything most sites need.

• Setup: Install from the WordPress plugin directory. Go to Settings > UpdraftPlus Backups. Under the Settings tab, pick your remote storage (Google Drive, Dropbox, S3, FTP, and more). Connect your account.
• Schedule: Set a separate schedule for files and database. For an active site, daily database + weekly files is a good starting point.
• Restore: Go to Settings > UpdraftPlus, click the Existing Backups tab, and click Restore next to any backup. You can restore files, database, or both independently. It handles everything inside WordPress with no FTP needed.

The paid version adds multisite support, incremental backups, migration tools, and better scheduling. For most small to medium sites, the free version is enough.

One thing to check after setting up UpdraftPlus: go into your Google Drive (or whichever storage you connected) and confirm the backup files actually appear there after the first scheduled run. It takes under a minute to verify. Do not assume the connection worked just because there was no error message in the plugin.

Duplicator

Duplicator started as a migration tool and evolved into a solid backup solution. The free version is good for manual point-in-time backups before a big update. The Pro version adds scheduled backups and cloud storage.

• Best for: Creating a backup package before a major plugin update or site migration.
• Restore: Duplicator creates a package file and an installer.php script. You upload both to a server, run installer.php in your browser, and it walks you through restoring the site step by step. Very beginner-friendly restore process.
• Limitation: Free version requires manual scheduling. Not ideal as your only automated solution.

BlogVault

BlogVault is a premium cloud backup service (starts around $89/year for one site). It is not a plugin in the traditional sense. You install a lightweight connector plugin, and all the backup processing happens on BlogVault’s servers instead of yours.

• Best for: Sites where performance during backup matters, WooCommerce stores, and anyone managing multiple sites.
• Standout feature: Incremental backups (only changed data is synced) and a staging site feature built in.
• Restore: One-click restore from the BlogVault dashboard. Works reliably even when your WordPress admin is unreachable.

Plugin	Free Tier	Scheduling	Off-site Storage	Best For
UpdraftPlus	Yes	Automated	Google Drive, Dropbox, S3, FTP	Most sites
Duplicator	Yes (manual)	Pro only	Pro only	Pre-update snapshots
BlogVault	No	Automated	BlogVault cloud	WooCommerce, agencies

---

Method 3: Manual Backup via FTP and phpMyAdmin

Manual backup is what you do when plugins break, when you are locked out of WordPress, or when you want to understand exactly what you are backing up. It takes longer but teaches you a lot about how WordPress is structured.

Step 1: Download Files via FTP

1. Download FileZilla (free FTP client) from filezilla-project.org.
2. Get your FTP credentials from your host’s control panel (usually under FTP Accounts).
3. Connect to your server. Navigate to your site’s root folder (often public_html or your domain name).
4. Download wp-content/ and wp-config.php to a folder on your computer.
5. The wp-content/uploads/ folder can be large. Be patient on slow connections.

Step 2: Export the Database via phpMyAdmin

1. Log in to cPanel and open phpMyAdmin.
2. On the left sidebar, click the database that belongs to your WordPress site. If you are unsure of the name, open wp-config.php and look for define(‘DB_NAME’, ‘…’).
3. Click the Export tab at the top.
4. Leave the method on Quick and the format on SQL. Click Go.
5. A .sql file downloads to your computer. Store this alongside your FTP files.

How to Restore from a Manual Backup

1. Upload your wp-content/ folder back via FTP, overwriting the existing files.
2. Upload wp-config.php to the root.
3. In phpMyAdmin, select your database, click the Import tab, choose your .sql file, and click Go. This will overwrite all existing tables.
4. If the site URL changed (for example, you are restoring to a new domain), use a search-replace tool like Better Search Replace plugin or WP-CLI: wp search-replace 'oldsite.com' 'newsite.com' --all-tables

Manual backups are also the best way to verify what you actually have. When I download a site manually for the first time, I almost always find something unexpected: a plugins folder 3x larger than it should be because old plugin versions were never cleaned up, or an uploads folder with gigabytes of auto-generated image sizes that could be trimmed. It forces you to actually look at what your site contains.

---

Off-Site Storage: Where to Actually Store Your Backups

A backup stored on the same server as your site is not a backup. It is a copy. Off-site means a completely separate system that your host cannot accidentally delete or take down.

• Google Drive: 15GB free. Supported natively by UpdraftPlus. Easy to set up for non-technical users. Good option if your site is under 5GB total.
• Dropbox: 2GB on the free plan. Works with most backup plugins. Better choice if you already pay for Dropbox storage.
• Amazon S3: Extremely cheap storage (pennies per GB per month). Requires more setup but scales infinitely. Good for large sites or agencies managing many backups.
• Your local computer: Valid as a secondary copy, but if your computer dies or is stolen you lose this too. Never use local disk as your only off-site storage.

The rule I follow: keep three copies. One on the server (host backup), one in cloud storage (plugin backup to Google Drive or S3), and one quarterly download to an external drive.

For backup retention, I keep 30 days of daily database backups and 12 weeks of weekly full backups. This gives me enough history to go back before a hack or bad update that was not discovered immediately. Most backup plugins let you set a retention count. For UpdraftPlus, set your database backup retention to 30 and your files backup retention to 12. Older backups get deleted automatically to keep your storage clean.

---

How Often Should You Back Up?

The answer depends on how often your site changes. A site that publishes new posts every day and takes WooCommerce orders needs more frequent backups than a brochure site that gets updated once a month.

• Active blog or ecommerce site: Daily database backup, weekly full backup.
• Brochure or portfolio site: Weekly database backup, monthly full backup.
• Before any update: Always take a manual backup before updating WordPress core, themes, or plugins. This is non-negotiable. Takes two minutes and has saved me probably 20 hours of recovery work over the years.
• Before a major code change: Any time you edit functions.php or install an unfamiliar plugin, run a backup first.

If you run a WooCommerce store that processes orders around the clock, daily database backups are not enough. You want real-time or near-real-time database backup. BlogVault’s incremental backup handles this well. Some managed hosts also offer database backup on shorter intervals (hourly or every few hours) at higher tiers.

---

The Step Most People Skip: Testing Your Restore

This is the part that almost no tutorial covers. A backup you have never restored is a backup you cannot trust.

I have seen backup files that were corrupted. Backup sets missing the uploads folder. Database exports that were blank because the plugin ran out of memory mid-export. You discover these problems during a test restore at 10am on a Tuesday. Not at 2am when your site is down and a client is calling.

Here is how to test without touching your live site:

1. Use a staging environment. Most managed hosts (WP Engine, Kinsta, Cloudways) offer one-click staging. Restore your backup there.
2. Use a local environment. Tools like LocalWP let you run WordPress on your laptop. Download your backup, restore it locally, and browse the site to verify posts, images, and plugins all load.
3. Check the restore once per quarter. Set a calendar reminder. Spend 20 minutes confirming that your current backup actually restores to a working site.

When you do a test restore, check these things specifically: the homepage loads, a few posts load correctly, images are visible, the admin area is accessible, and any key plugin (WooCommerce, contact forms, membership) works the way it should. If all of those pass, your backup is valid.

A backup you have never tested is a hypothesis, not insurance.

---

Common Backup Mistakes and How to Avoid Them

After helping dozens of site owners recover from data loss, here are the mistakes I see most often.

• Relying only on the host’s backup. Covered above. It is better than nothing but not enough on its own.
• Backing up to the same server. UpdraftPlus, by default, can store backups in a wp-content folder on your own server. This is fine as a secondary copy but it should never be your only off-site destination.
• Forgetting to check that the remote storage connection still works. Google Drive authorization tokens expire. Dropbox API connections can break after password changes. Check your backup logs monthly to confirm backups are completing and being sent to the right place.
• Not backing up before a plugin or theme update. This is the most common cause of recoverable disasters I see. Most issues happen within 5 minutes of clicking Update. A fresh backup before you click takes 60 seconds.
• Using a plugin with no recent updates. Backup plugins that have not been updated in over a year may not support the current WordPress version. Check the plugin’s tested-with version in the WordPress repository before trusting it with your site.

---

Quick Recap: The Backup Setup I Recommend for Beginners

1. Install UpdraftPlus (free).
2. Connect it to Google Drive.
3. Set database to back up daily, files to back up weekly.
4. Run a manual backup right now and confirm the files appear in your Google Drive.
5. Do a test restore to a staging or local environment within the next 7 days.
6. Set a quarterly calendar reminder to test the restore again.

That is it. You do not need to buy anything or spend more than 30 minutes setting this up. The steps above will protect your site against most of the failures that take WordPress sites down every day.

---

Need a Professionally Built WordPress Site?

If you are building or managing a WordPress site and want professionally designed themes and plugins built with real users in mind, check out WBcom Designs. They build BuddyPress and community-focused WordPress products that are used by tens of thousands of sites worldwide. Their plugins are actively maintained and include the kind of documentation that makes setup straightforward even if you are not a developer.

---

Frequently Asked Questions

Is my web host’s automatic backup good enough?

Not on its own. Host backups are stored on the same infrastructure as your site. If your host has a serious failure, both can disappear together. Always maintain at least one independent off-site backup.

How large will my backup files be?

For most small to medium WordPress sites: the database is usually 10MB to 100MB, and the full file set including uploads ranges from a few hundred MB to several GB depending on how many images and media files you have uploaded.

Can I back up a WordPress site for free?

Yes. UpdraftPlus free + Google Drive free (15GB) covers most sites at no cost. The only limitation is that automated off-site backup requires setting up the Google Drive connection, which takes about 10 minutes.

What if my WordPress admin is down and I cannot access UpdraftPlus?

This is where the manual method (FTP + phpMyAdmin) becomes essential. You can access your files and database directly through your host’s control panel without needing WordPress to be working at all. This is another reason to know all three methods, not just the plugin approach.

How do I know if my backup actually worked?

Log in to your off-site storage (Google Drive, Dropbox, etc.) and confirm the files are there with today’s date. Then do a test restore to a staging or local environment at least once per quarter to confirm the backup is valid.

Does backing up slow down my WordPress site?

A full backup can use server resources while it is running, which may slow a shared hosting environment briefly. Schedule backups for low-traffic hours, typically between 2am and 5am. BlogVault runs backups on their own servers so there is no performance impact on your site. UpdraftPlus gives you control over the schedule so you can set it to run at night.

Do I need to back up WordPress core files?

No. WordPress core files (wp-admin and wp-includes) can be re-downloaded from wordpress.org at any time. You only need to back up wp-content (your uploads, themes, and plugins) and your database. wp-config.php in the root is also worth keeping in your backup.

Beginner WordPress Tips Essential WordPress settings Plugin Comparison

Last modified: April 18, 2026