Know-how

WordPress Backups — Backup Strategies, Retention, and Restore Testing

Q: How often should I back up WordPress?

Frequency depends on the site's activity. Static sites: once a week. Blogs and business sites: daily. WooCommerce stores: daily or real-time. Always before updates and major changes.

Q: What should a WordPress backup contain?

A complete backup includes files (WordPress core, wp-content, wp-config.php, .htaccess) plus the MySQL database (content, settings, users, orders). Both parts are essential for a full site restoration.

Q: How do I test a WordPress backup?

Restore the backup to a staging environment or locally. Check: homepage, subpages, login, forms, cart, and search. Test at least once per quarter and after every major update.

Published: March 20, 2026 · Author: Marcin Szewczyk-Wilgan

Backups are the last line of defense for a WordPress site. Server failure, a breach, database corruption, a bad update — any of these scenarios can wipe out years of work in seconds. Yet estimates suggest that fewer than 5% of WordPress site owners have ever tested a full restore from backup. Having a backup you have never tested is a false sense of security. In this article, we describe how to build a backup strategy that actually protects — from the 3-2-1 rule, through automation and retention, to regular restore testing.

What Does a WordPress Backup Consist Of?

WordPress has two separate components that together form a working site. Backing up one without the other will not allow a full site restoration.

WordPress filesWordPress core (system files), the wp-content directory (themes, plugins, media/uploads), wp-config.php (database configuration, security keys), .htaccess or Nginx configuration. These files reside on the server disk and form the “body” of the site — without them WordPress will not start.

MySQL databaseAll content: posts, pages, comments, users, WordPress and plugin settings, WooCommerce orders, form data. The database is the “brain” of the site — without it, WordPress files are an empty skeleton without content. A database export creates an .sql file that must be imported into MySQL during restoration.

Full vs. partial backupA full backup (files + database) allows restoring the entire site. A partial backup (e.g. database only) restores content but not themes or plugins. An incremental backup saves only changes since the last backup — faster and lighter, ideal for daily copies.

The 3-2-1 Strategy — Data Protection Standard

The 3-2-1 strategy is a recognized data security standard that protects against every type of failure — from disk damage, through a breach, to a data center fire.

3 copies

Three copies of data

The production site plus two backup copies. One copy is not enough — if the backup is corrupted (which happens more often than you think), you have no plan B. Three copies provide redundancy and a safety margin.

2 media

Two different media types

Backups on two different types of storage: server disk + cloud storage (S3, Google Cloud Storage, Backblaze B2), or server + external drive. If one medium fails — the other survives. Copies on the same disk are not two media — they are two files on one point of failure.

1 offsite

One copy off-server

At least one backup copy outside the server where the site runs. If the server is breached, catches fire, or the hosting provider has an outage — the offsite copy remains untouched. Cloud storage (AWS S3, Google Cloud) is the most practical option for offsite backup.

Backup Frequency and Retention

How often to back up and how long to keep copies — depends on the nature of the site and how much data you are willing to lose in the worst-case scenario.

Static / business sitesRarely updated business sites: backup once a week. Retention: minimum 30 days (4 weekly copies). An additional backup before every WordPress, plugin, or theme update.

Blogs and content sitesDaily backups. Retention: 30–90 days. If publishing several articles per day — consider more frequent than daily backups. Incremental copies minimize server load.

WooCommerce storesDaily backups at minimum — for high traffic: real-time backup or hourly backup. Every order is data whose loss means direct financial loss. Retention: 90 days. Separate backup of the WooCommerce database.

Before updatesAlways perform a full backup (files + database) immediately before updating WordPress, plugins, or theme. An update that breaks the site is reversible in minutes — but only if you have a fresh backup from before the change.

Restore Testing — The Most Important Step

A backup that has never been tested is Schrödinger’s backup — it simultaneously works and does not work until you try to restore it. Regular restore testing is the only way to be sure that a backup is usable.

Staging environmentRestore the backup to a staging environment (a site duplicate on a separate server or subdomain). Check: homepage, key subpages, login, forms, cart, search. Staging allows testing without risk to the production site.

Test frequencyAt least once per quarter. Additionally: after every major WordPress update, after migration, after backup configuration changes. For WooCommerce stores — once a month. Document every test: date, result, issues discovered.

Restore checklistWrite down the exact restoration steps: where to download the backup, how to import the database, how to restore files, what to update in wp-config.php, how to clear cache. Documentation allows any team member to restore the site — not just the person who configured the backups.

Summary

Backups are not optional — they are a necessity. Automatic, regular backups stored according to the 3-2-1 strategy and regularly tested — that is the only strategy that actually protects. The best backup is one you never have to use. The worst — one you need but have never tested.

At WebOptimo, daily backups with offsite storage and regular restore testing are a standard part of every WordPress care plan. You do not have to think about it — we take care of it. If you want certainty that your site is safe — contact us or check our WordPress care offer.

Frequently Asked Questions About WordPress Backups

How often should I back up WordPress?+

Frequency depends on site activity. Static sites: weekly. Blogs and business sites: daily. WooCommerce stores: daily or real-time. Always before updates and major changes.

What is the 3-2-1 backup strategy?+

A data protection standard: 3 copies of data, on 2 different media types, with 1 copy offsite. Protects against server failure, breach, and single-medium damage simultaneously.

Does my hosting provider back up automatically?+

Most providers offer automatic snapshots, but these should not be your only backup. Copies on the same server may be unavailable during failure. Hosting snapshots have limited retention and do not always allow restoring individual elements.

What should a WordPress backup contain?+

A complete backup: files (WordPress core, wp-content, wp-config.php, .htaccess) plus MySQL database (content, settings, users, orders). Both parts are essential for full restoration.

How do I test a WordPress backup?+

Restore the backup on staging or locally. Check: homepage, subpages, login, forms, cart, search. Test at least quarterly and after every major update.