Here is the uncomfortable truth about WordPress backups: most people do not think about them until they need them. And by then, it is often too late.

Studies suggest that 87% of website owners never test their backups. They assume the backup is there, working, and that they can restore from it if something goes wrong.

These assumptions can be catastrophic.

At FatLab, we have literally restored websites from the Wayback Machine because proper backups did not exist. That is as good as it gets when there is nothing else to work with. And it is a nightmare we have seen too many times.

Backups are about the most important maintenance aspect you can enable for your website. They are absolutely mandatory, no questions asked.

The question is not whether you need them. The question is whether your backup strategy will actually work when you need it.

Two Purposes of Backups

Before talking about plugins and services, it helps to understand what backups are actually for. They serve two distinct purposes, and each requires a different strategy.

Catastrophic Destruction

This is the scenario most people do not think about: hard drives crash, servers become corrupted, and data centers suffer physical damage from fire or flooding.

These events are rare, but they happen. We have seen it.

Catastrophic protection requires off-site backups stored in a completely different geographic region. If your backup is on the same server as your website, it will be destroyed along with your data in the event of a disaster.

Human Error

This is what clients actually worry about.

Someone lets a junior employee into the WordPress admin area, and they accidentally hit the wrong button. Someone decides to "clean up" old pages and accidentally deletes core functionality. A user does not understand the content management system and removes important data.

Human error is the more common scenario and requires rapid recovery. When someone breaks something at 9 AM, you need the site restored by 9:15 AM, not by tomorrow.

A solid backup strategy addresses both scenarios. You need quick-access backups for recovering from human error and off-site backups for protecting against catastrophic loss.

The Three Tiers of Backup Solutions

Not all backup solutions are created equal. They fall into three distinct tiers, each with different reliability characteristics. Understanding the critical difference between plugin and server-level backups helps you choose the right approach.

Tier 1: WordPress Backup Plugins

Plugins like UpdraftPlus, BackWPup, BackupBuddy, and Duplicator run inside WordPress. WordPress backup plugins create backup archives of your database and files and, optionally, push them to cloud storage such as Dropbox or Google Drive.

UpdraftPlus is the most popular option with over 3 million active installations. It offers a capable free version and premium tiers ranging from $70 to $195 per year, depending on how many sites you manage. BackWPup has over 500,000 installations and offers a robust free tier, with a Pro version starting at around $69 per year.

The appeal is obvious: they are affordable, often free, and give you control over where your backups are stored.

The problem is that they run inside WordPress.

That means they depend on WordPress cron jobs actually running, which does not always happen. They can break when WordPress updates. They can conflict with other plugins or themes.

Unless you manually configure cloud storage, backups often default to the same server as your website. That provides zero catastrophic protection.

We have seen plenty of sites where someone installed UpdraftPlus, thought they were protected, and later discovered the last successful backup was from two years ago.

Tier 2: SaaS Backup Services

Services like BlogVault and Jetpack VaultPress Backup improve on plugins by automatically handling cloud storage. Backups run on their servers and are stored on their infrastructure, which simplifies the process considerably.

BlogVault starts at $149 per year and stores backups on their own encrypted servers with 90 days of backup history. They claim a 100% restore success rate and can handle sites up to 500 GB in size. Their backups run externally, so there is no load on your hosting server.

Jetpack VaultPress Backup starts around $60 per year and stores backups on the same Automattic infrastructure that powers WordPress.com. They have performed over 269 million site backups over the past decade. Real-time backups are included on all plans.

If your backups go to cloud storage rather than local storage, you are way ahead of the game. That is the major advantage of these services.

But here is what most people do not realize: even SaaS backup services still rely on a WordPress plugin to connect to your site.

That plugin is still susceptible to cron jobs not running, update issues, plugin conflicts, and theme conflicts.

They are better than plugins on their own, but they still have a weakness that truly server-based solutions avoid.

Tier 3: Server-Level Backups

This is what we use at FatLab and what quality managed hosts like Kinsta, WP Engine, and Pantheon provide. Backups run at the infrastructure level, completely independent of WordPress.

You do not have to do anything. The backups just run.

Engineers monitor them and get alerts if anything fails. They fix problems before you even know there is an issue.

This is the gold standard because there is no plugin dependency. No cron jobs to fail. No authentication tokens to expire. No configurations to break during updates.

The less you pay for managed hosting, the more backup responsibility you take on yourself. That is the fundamental trade-off.

FatLab's Backup Infrastructure

At FatLab, our backups are server-based, automatic, and non-negotiable. Regardless of what plugins, themes, or configurations a client has installed, we maintain backups.

We keep 30 days of backups: both files and daily database snapshots. For critical applications where data changes frequently, we can do hourly snapshots.

Our two-tier approach maps to the two purposes of backups:

On-server backup for recovering from human error. This is the most recent backup, stored on the server with the website. We can restore a site from this in about 10 minutes. Fast recovery for when someone breaks something.

Off-site cloud backup for catastrophic protection. Thirty days of backups are stored in a completely different geographic region. A restore from this tier takes about an hour, and it protects against physical damage, hardware failure, and data center disasters.

We do not rely on plugins.

Plugins freeze. Cron jobs do not run. Updates break things. Third-party connections to services like Dropbox or Google Drive can break or become unauthorized, and you might not notice the problem until you need to restore your data.

When a client migrates to FatLab, we actually remove their backup plugins unless they specifically want to keep them. Our systems are more reliable, and the plugins just take up space and resources at that point.

When a WordPress Backup Plugin Makes Sense

If you are not on a managed hosting system that provides automatic backups, then a plugin makes sense for you.

But let us be clear about what that means.

If you are on a budget host like GoDaddy, Bluehost, HostGator, or similar providers, you get what you pay for.

On a five-dollar-a-month plan, you cannot expect much in the way of quality service. And because backups are sometimes treated as an add-on service, you cannot rely on these cheap services to provide solid, redundant, off-site backups.

Even if budget hosts tell you they have backups, even if you turn them on yourself, even if you configure them, even if they say they are cloud-backed and redundant: do not trust them.

We have seen it too many times.

Users become confused during the setup process, and the configuration is not set up correctly. Or people mistake marketing language for something it does not mean.

Here is a common trap: hosting companies maintain backups, but that does not mean you can access them.

Those backups are for the hosting company, in case their data center experiences a catastrophic event. They are backing up server images, not your individual website. This is incredibly confusing marketing language.

Best WordPress Backup Plugin Recommendations

If you need a backup plugin, the best WordPress backup plugin, in our experience, is UpdraftPlus, with BackWPup as a solid alternative.

Both have been around for years. Both offer a relatively easy configuration. And critically, both let you download your backups directly from the interface.

UpdraftPlus offers more cloud storage options in its free version, including Dropbox, Google Drive, and Amazon S3. It also has a reported 96% restore success rate based on their testing.

BackWPup includes database optimization and repair tools alongside backup functionality. Its Pro version adds a standalone restore app that continues to work even when WordPress is inaccessible.

When a backup runs, you can go right into the interface and download it. Download that zip file and open it.

If it opens, it means it is not corrupted. If you see the SQL file and all the site files inside, and the file size matches what you would expect for your site, then you know you have a working backup.

But understand the trade-off: by not using a managed host that handles this for you, you take on the responsibility of maintaining these systems.

You need to make sure cloud connections are still working. You need to check that authentication tokens have not expired. You need to verify that backups are actually running.

If you are going to pay a low dollar amount for hosting, then backup maintenance becomes your responsibility. And if you do not do your job, it could mean catastrophic results.

The "Having Backups" vs "Being Able to Restore" Problem

The most dangerous WordPress backup problem is not failed backups that trigger error notifications. It is successful backups that silently create unusable restore files.

Until you have tested a restore, you do not actually know if your backups work. See our guide on WordPress disaster recovery for real scenarios of what happens when backup systems fail.

Common Failure Scenarios

The assumption problem. People assume backups are automatic when they are not. Some hosting plans require you to enable backups manually. Some count backup storage against your quota. Some charge extra.

The biggest problem we see is people who assume they have backups and are blown away when they do not.

Corrupt backups. Sometimes something goes wrong at the host level. They are backing up corrupt files that cannot be reinstated. You do not discover this until you try to restore.

Authentication expiration. This is particularly common with Google Drive.

Your authentication expires. You see a notice in WordPress that needs attention, but you skip it, thinking backups are in place. But they are not, because the authentication token expired.

Misconfigured plugins. Due to incorrect settings, the plugin is backing up the wrong folder, or only partial data. We have seen all of these scenarios.

How to Actually Test Your Backups

Testing does not have to be complicated. At minimum:

  1. Download the backup zip file
  2. Unzip it
  3. Verify you see a SQL file and all the files that belong to your site
  4. Check that the file size makes sense

If your site is several hundred megabytes, the backup should not be just a few megabytes of random system files.
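The four checks above can be scripted so they run after every backup instead of only when someone remembers. The following is an added example, not FatLab's or any plugin's code; it assumes the backup is a single zip holding the whole site plus a `.sql` dump, and the `REQUIRED` list, the `min_ratio` threshold, and the sample archives are constructed for illustration.

```python
import io
import zipfile

# Path components a full WordPress file backup should contain (assumed layout:
# one zip holding the whole site plus a database dump).
REQUIRED = ("wp-config.php", "wp-content", "wp-includes")


def verify_backup(archive, expected_site_bytes, min_ratio=0.5):
    """Return a list of problems; an empty list means the archive passed.

    archive: path or file-like object. expected_site_bytes: rough size of the
    live site. min_ratio: assumed threshold for "the file size makes sense".
    """
    try:
        zf = zipfile.ZipFile(archive)
    except zipfile.BadZipFile:
        return ["archive does not open as a zip file"]
    problems = []
    with zf:
        # Steps 1-2: read every member and check its CRC, as unzipping would.
        bad = zf.testzip()
        if bad is not None:
            problems.append(f"corrupt member: {bad}")
        files = [i for i in zf.infolist() if not i.is_dir()]
    # Step 3: a non-empty SQL dump and the site files.
    dumps = [i for i in files if i.filename.lower().endswith(".sql")]
    if not dumps:
        problems.append("no .sql database dump")
    elif all(i.file_size == 0 for i in dumps):
        problems.append("database dump is empty")
    for component in REQUIRED:
        if not any(component in i.filename.split("/") for i in files):
            problems.append(f"missing {component}")
    # Step 4: uncompressed size compared with the size of the live site.
    total = sum(i.file_size for i in files)
    if total < min_ratio * expected_site_bytes:
        problems.append(f"only {total} bytes for a {expected_site_bytes}-byte site")
    return problems


def build_sample(members):
    """Build a constructed in-memory zip from {name: bytes} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed samples: a complete backup and one holding only stray files.
GOOD = {
    "backup.sql": b"INSERT INTO wp_posts VALUES (1, 'constructed');\n" * 500,
    "wp-config.php": b"<?php // constructed sample\n",
    "wp-content/uploads/photo.jpg": b"\xff" * 60000,
    "wp-includes/version.php": b"<?php // constructed sample\n",
}
PARTIAL = {"wp-content/cache/tmp.log": b"x" * 100}

if __name__ == "__main__":
    for label, members in (("good", GOOD), ("partial", PARTIAL)):
        print(label, verify_backup(build_sample(members), 100_000))
    print("garbage", verify_backup(io.BytesIO(b"not a zip"), 100_000))
```

A passing result only shows the archive is readable and plausibly complete; standing it up on a staging server is still the real restore test.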

For more thorough testing, stand up the backup on a staging server and verify that everything works. It depends on your technical ability and the importance of the information on your site.

The point is: do something. Check your backups. Make it part of your regular maintenance routine.

The worst time to discover your backups do not work is when you desperately need them.

Two Stories: Disaster vs Success

The contrast between having backups and not having backups is stark. Here are two real scenarios from our experience.

The Drupal Disaster

Years ago, we worked on a legacy Drupal site displaying products. The site had a ghost-in-the-machine problem: products kept disappearing randomly.

We would think everything was working, and then the client would call, saying the products had vanished again.

We suspected database corruption because standard database operations were failing. Tables would not migrate or export properly. The database was essentially unusable for migration, likely because it was running on an outdated database server that the client was unaware of.

And there were no backups.

The site had been running for years without problems, so nobody thought about backups until a catastrophic issue occurred.

We ended up migrating the tables we could salvage and using the Internet Archive's Wayback Machine to reconstruct the rest.

Something that should have taken an hour took weeks.

We kept going back and forth with the client about what should and should not be on the site, because the Wayback Machine is not perfectly accurate.

It was an absolute disaster, all because backups did not exist.

The Real Estate Recovery

In late 2025, we got a panicked call from a large real estate company specializing in condominiums.

Their website had complex third-party integrations for floor plans, rental inventory, and tour reservations. These integrations were built as special templates that appeared "empty" in the WordPress admin but still contained critical functionality.

Someone at the company decided to clean up the website and deleted all these "empty" pages.

When they realized the core functionality was gone, they tried to fix it by recreating pages, but they did not understand the site structure. They created pages in the wrong locations, breaking the site's navigation.

By morning, they finally called us, embarrassed about the mess they had created.

Our answer: "Would you like us to roll back a backup? We can restore a backup from before you made your changes."

Five minutes later, the site was up and running exactly as it was before.

The client admitted she wished she had called us immediately instead of trying to fix it herself. She kept thinking "one more thing" would fix it.

That is human nature. But with proper backups in place, a multi-day disaster became a five-minute recovery.

Red Flags We See When Taking Over Sites

When we take over maintenance of a site, certain backup-related red flags appear repeatedly.

Backups off or frozen. We cannot count how many sites we have taken over from budget hosts that simply do not have backups running.

We go into the control panel and find that backups are off, or that there is an UpdraftPlus plugin with a backup from two years ago.

Multiple backup plugins. This happens when organizations have multiple administrators who do not communicate with each other.

Two different people thought backups were their responsibility and configured them completely differently. This is not just redundancy; it signals that no one actually knows what the organization has.

There is no data strategy, and that is a massive red flag.

Authentication warnings ignored. We log in and see notices such as "Google authentication needs renewal" or "Dropbox connection lost."

Someone did the right thing at one point, but the system stopped working, and nobody noticed.

"I'm not sure what we have." This is honestly the most common scenario.

During sales calls, we mention backups, and the client says, "Oh yeah, we probably need those too. I'm not sure what we have."

They just assumed backups came with their hosting.

As we explain our backup strategy and philosophy, clients often realize for the first time that backups require deliberate planning. It is not as automatic as they thought.

Real-Time Backups: When They Matter and When They Do Not

Some backup solutions market "real-time backups" where every change gets saved instantly. BlogVault offers this for WooCommerce sites. Jetpack VaultPress includes real-time backups on all plans.

This sounds impressive, but for most sites, it is overkill.

When Real-Time Actually Matters

Real-time backups are critical if the website is your source of truth for data you cannot afford to lose.

Consider a busy WooCommerce store getting orders every hour or every minute.

If something happens and you need to restore from the midnight backup, you lose all orders placed since midnight. That means matching payment gateway transactions to customers, contacting customers to ask what they ordered, and recreating orders manually.

It can be an absolute disaster.

For high-transaction sites where the website is the sole record, real-time protection makes sense.

When Real-Time Is Overkill

For a WooCommerce store getting a couple of orders a week or a couple of orders a day, real-time backups might not be worth the hassle.

For brochure websites that update occasionally, daily backups are more than sufficient.

Here is something the marketing does not mention: real-time backups create a lot of backups.

With daily backups, you have 30 to look through when trying to find when something went wrong. With real-time backups, you have potentially thousands.

If you do not have sophisticated systems to cherry-pick changes and pinpoint exactly when data went bad, all those backups become a headache.

"Real-time backups mean you never lose anything" sounds great, but try putting that back together when you need to restore. It becomes a massive coordination problem.

The Data Strategy Alternative

If you feel you need real-time backups, you probably need a comprehensive data strategy.

We worked with a political donations organization that collected contributions in compliance with FEC requirements. We used to do hourly backups for them.

We have since architected a better solution: donations are stored in a third-party system via an API, and the website interfaces with that system rather than serving as the source of truth.

Now, if we need to restore from a backup, we are restoring only the website's database and files. The critical financial records live elsewhere.

This approach transforms the question from "how frequently do we back up?" to "where does critical data actually live?"

For most organizations, daily backups are sufficient. The sites that genuinely need real-time protection are rarer than the marketing suggests.

Considerations for Associations and Nonprofits

FatLab works with many associations and nonprofits, and backup criticality varies based on one key question: Is the website the source of truth for your data?

Website as Source of Truth

Some organizations use WordPress as their de facto CRM or association management system.

Plugins like WP Membership Pro store all member data, donation records, and event RSVPs directly in WordPress.

For these organizations, the website database contains the only up-to-date record of critical information. Backups are essential because losing that data means losing your membership rolls, donation history, and event registrations.

Website as Interface

Other organizations handle membership, donations, and events through third-party providers.

The WordPress site connects to these systems through plugins, widgets, or API integrations, but the actual data lives elsewhere.

For these organizations, backup strategy changes. The website is important, but it is not the single point of failure. Critical records are protected by the backup systems maintained by the third-party providers.

The key question for associations: where does your critical data actually live?

If it is only in WordPress, your backup strategy must be bulletproof.

What to Look For in a Backup Strategy

Whether you are evaluating hosting providers, choosing a WordPress backup solution, or auditing your current setup, here is what matters.

Minimum Requirements

Frequency: Weekly backups at the absolute bare minimum. Daily is our minimum standard at FatLab.

Retention: At least 30 days of daily backups. Problems are not always discovered immediately. You need the ability to go back far enough to find clean data.

Off-site storage: Backups stored on the same server as your website do not protect against catastrophic events. You need backups in a completely different location.

Tested restores: At some point, someone needs to verify that backups actually work. This is non-negotiable.
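The frequency, retention, and off-site requirements can be checked against a list of completed backups, which catches the silent failures described earlier: a frozen schedule, or an off-site connection that stopped working while local backups carried on. This is an added example, not FatLab's tooling; the record format of `(completed_at, location)` tuples and the `local`/`offsite` labels are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta


def audit_backups(records, now, max_age_hours=24, retention_days=30):
    """Audit successful backups against daily / 30-day / off-site minimums.

    records: list of (completed_at, location) where location is "local"
    (same server as the site) or "offsite". Returns a list of findings.
    """
    if not records:
        return ["no successful backups recorded"]
    findings = []
    # Frequency: the newest backup must be recent enough to count as daily.
    newest = max(ts for ts, _ in records)
    if now - newest > timedelta(hours=max_age_hours):
        findings.append(f"newest backup is {(now - newest).days} days old")
    # Retention: each of the previous N calendar days should have a backup.
    window = [now.date() - timedelta(days=n) for n in range(1, retention_days + 1)]
    any_copy = {ts.date() for ts, _ in records}
    offsite = {ts.date() for ts, loc in records if loc == "offsite"}
    no_backup = [d for d in window if d not in any_copy]
    # Off-site: a day covered only by an on-server copy has no disaster protection.
    only_local = [d for d in window if d in any_copy and d not in offsite]
    if no_backup:
        findings.append(f"{len(no_backup)} of {retention_days} days have no backup")
    if only_local:
        findings.append(
            f"{len(only_local)} of {retention_days} days have only an on-server copy"
        )
    return findings


# Constructed sample data.
NOW = datetime(2025, 6, 30, 9, 0)
NIGHTLY = [datetime(2025, 6, 30, 2, 0) - timedelta(days=n) for n in range(31)]

# Both copies made every night.
HEALTHY = [(ts, loc) for ts in NIGHTLY for loc in ("local", "offsite")]
# Off-site uploads stopped ten days ago; local backups kept running.
STALLED = [(ts, "local") for ts in NIGHTLY] + [(ts, "offsite") for ts in NIGHTLY[10:]]
# A single backup from two years ago.
FROZEN = [(datetime(2023, 6, 30, 2, 0), "local")]

if __name__ == "__main__":
    for label, recs in (("healthy", HEALTHY), ("stalled", STALLED), ("frozen", FROZEN)):
        print(label, audit_backups(recs, NOW))
```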

What Managed Hosting Should Include

If you are paying for managed WordPress hosting, backups should be automatic, off-site, monitored by engineers, and included in your plan without per-site fees.

Do not trust marketing language that just says "backups." Verify specifically:

  • Are backups automatic, or do you have to enable them?
  • Are they stored off-site or on the same server?
  • What is the retention period?
  • Can you actually access and restore them, or are they only for the host's disaster recovery?

Go with a managed host that explicitly promises at least 30 days of daily backups, handles everything automatically, and provides real support when you need to restore.

If You Use Plugins or SaaS

If budget constraints mean you are using a backup plugin or service, accept that maintenance becomes your responsibility.

Make checking your backups part of your routine.

When you log in to update plugins, verify your backup system is still running. Check that authentication tokens have not expired. Occasionally, download a backup and verify that it opens correctly.

The less you pay for managed solutions, the more responsibility you take on. There is no way around this trade-off.

Choosing the Best WordPress Backup Solution

Backups are both a maintenance task and a security measure. For step-by-step implementation guidance, see our complete guide on how to back up WordPress.

They protect against catastrophic events like hardware failure and data center disasters. They also protect against hacks and malware; rolling back a website after an exploit and patching that version is often faster and cheaper than a full cleanup.

If there is absolutely anything on your website that would be catastrophic for your business or association to lose, you need backups.

Even if all that means is that recreating your website would be a real pain and take a lot of time, that is enough reason to have backups.

The biggest problem with backups is that you do not think about them until you need them. And unless you gave them proper care beforehand, it might be too late.

Do not be part of the 87% who never test their restores.

Do not assume your hosting provider has you covered without verifying.

Do not let authentication tokens expire unnoticed.

Backups are mandatory. Tested backups are what actually protect you.

If you need help implementing a reliable backup strategy or want to stop worrying about backups entirely, explore our website maintenance services.