Backups 101 for Small Businesses: Choosing Storage, Testing Restores, and Avoiding Backup Traps

May 14, 2026

If you’ve ever watched a website go down right before a big sale, you already know the scary part. The next scary part is finding out your backups don’t work. In 2026, ransomware, WordPress plugin hacks, and “quiet” malware infections are common enough that backups are no longer optional. They’re your emergency exit.

Backups 101 for small businesses is simple in theory: store copies, protect them, and test restores. In practice, most small teams mess up one of those steps. I’ve helped clean up compromised WordPress sites where the backup was either outdated, unencrypted, or too broken to restore without hours of extra work. Let’s fix that.

Backups 101 for Small Businesses: What a “good backup” really means

A good backup isn’t just a file you saved. A good backup is something you can restore fast, cleanly, and confidently. Backups 101 for small businesses starts with defining what “restore” means for your real situation: can you get your site back with the right content and the right database settings?

Backups 101 for small businesses also means understanding two key terms:

If you don’t set these targets, you’ll choose “whatever is easiest” and end up with backups that fail when you need them most.

Choosing storage for backups: Local, cloud, and “the third place” you need

Backups stored across local server rack and cloud storage locations

Picking storage is where most backup plans succeed or fail. If your storage can be deleted by mistake, encrypted by malware, or wiped during a hosting outage, it’s not truly separate.

Here’s how I think about backup storage for small businesses in 2026:

1) Local storage: good for speed, bad for disasters

Local storage means an external drive at your office, a NAS (network storage box), or a synced folder on a laptop. It’s fast, and it’s easy to check. But if your building floods, burns, or gets hit with theft, those backups are gone too.

Local backups are fine as a short-term layer. They should never be your only layer.

2) Cloud storage: good for offsite copies, watch the settings

Cloud backups mean your copies live on a provider’s servers. This is great for offsite recovery, especially when your hosting provider has an outage.

But cloud backups can still fail if:

  • Access is shared too widely (everyone has admin access).
  • Backups aren’t versioned (older copies get overwritten).
  • Your account gets compromised (attackers can delete backups).

For cloud backups, I recommend turning on version history and multi-factor authentication (MFA). MFA is a simple extra step at login, not a complex setup.

3) The “third place” rule: why two copies are not enough

Many small teams follow “2 copies” like it’s a safety plan. In real life, two copies can still get wiped if they’re both controlled by the same account or the same malware run. So I like the third place rule: keep copies in at least two separate locations and systems.

Example setup for a WordPress business:

  • Primary: automated WordPress backup to your server storage or plugin output.
  • Secondary: automated backup to a cloud provider with versioning.
  • Third: monthly export stored on a different system (like another cloud account, a different provider, or an external drive stored offsite).

You don’t need to buy something fancy. You need separation and versioning.

Backups 101 for WordPress: What you should back up (and what people forget)

For WordPress, your backup must include both files and the database. Files are your themes, plugins, uploads, and WordPress core files. The database holds posts, pages, product info, user logins (hashed), and many settings.

Common misses I see in audits:

  • Only backing up uploads (great for media, but you lose pages and settings).
  • Only backing up files (you restore the shell but not the content).
  • Ignoring configuration like DNS records, email settings, and environment variables.
  • Forgetting custom code in child themes or small mu-plugins.
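
A backup archive can be checked for the components listed above before it is ever needed. The following is an added example, not code from this article or from any backup plugin; it assumes the backup is a tar archive holding the WordPress files plus a SQL dump, and every file name in the sample is constructed.

```python
import io
import tarfile

# Assumed layout: a WordPress root (possibly under one top-level folder)
# plus a SQL dump somewhere in the same archive.
REQUIRED = {
    "wp-config.php": lambda p: p.endswith("wp-config.php"),
    "themes": lambda p: "wp-content/themes/" in p,
    "plugins": lambda p: "wp-content/plugins/" in p,
    "uploads": lambda p: "wp-content/uploads/" in p,
    "database dump": lambda p: p.endswith((".sql", ".sql.gz")),
}

def missing_components(archive_bytes: bytes) -> list:
    """Return the names of required components absent from a tar backup."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        # Only regular, non-empty files count: an empty dump is not a backup.
        paths = [m.name for m in tar.getmembers() if m.isfile() and m.size > 0]
    return [name for name, match in REQUIRED.items()
            if not any(match(p) for p in paths)]

def build_sample(names: list) -> bytes:
    """Build a constructed in-memory .tar.gz for demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    # The "only backing up files" miss: no database dump in the archive.
    files_only = build_sample([
        "site/wp-config.php",
        "site/wp-content/themes/child/functions.php",
        "site/wp-content/plugins/shop/shop.php",
        "site/wp-content/uploads/2026/05/logo.png",
    ])
    print("missing:", missing_components(files_only))
```

An empty result only shows that the parts are present; whether they restore cleanly still has to be proven with a restore test.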

And here’s a real-world detail: after a hack, malware often hides in theme or plugin files and leaves traces in the database (like injected admin users). If your backup is infected, restoring it just brings the problem back.

What about backups of emails and customer data?

Your email platform is usually separate from WordPress. If you run a small business, you may use Google Workspace or Microsoft 365. Those systems often have their own retention and backup options. But you should still confirm.

At minimum, export important form submissions, order history, and customer lists from your store plugin. If you run WooCommerce, export orders monthly. It’s not romantic, but it saves you.

Testing restores: how to prove your backups work before you need them

Web admin testing a WordPress restore on a staging environment

Testing restores is the step that separates “backup plans” from real backup protection. A backup that can’t restore is just a file with false hope.

I strongly recommend a monthly restore test. If your site changes often (new products, frequent posts), test every 2 weeks. For small sites, monthly is usually enough to catch issues.

Step-by-step restore test (WordPress-focused)

  1. Pick a safe test site: create a staging environment or a temporary install on a different domain/subdomain.
  2. Restore files from a recent backup into the test site directory.
  3. Restore the database and confirm the database connection details match the restored settings.
  4. Log in and check the basics: homepage, one key page, a product page (if you sell), and site search (if you use it).
  5. Check security cleanup signals: verify admin users, plugin list, and that no new unknown admin accounts exist.
  6. Measure time: record how long it takes from “button press” to “site is working.” That’s your real RTO.

If the restore takes 6 hours the first time, don’t ignore it. Fix the problem now (permissions, plugin mismatch, missing database tables) instead of during an outage.

Test like an attacker, not like a website admin

This is the part many teams skip. When malware hits, you don’t just want “a site that loads.” You want a clean site that doesn’t reopen the door.

Here are quick checks I run after a restore from a backup:

  • Review recent admin activity and user list.
  • Confirm installed plugins match what you expect (no new “mystery” plugins).
  • Scan your restored directory for unexpected files created recently (look at file timestamps).
  • Check critical files for extra code blocks (especially in theme files and plugin entry points).

These checks take 20–40 minutes and often reveal whether you backed up an already-compromised version.
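
Two of these checks, the timestamp scan and the plugin comparison, can be scripted. The following is an added example, not code from this article; the known-good date, the expected plugin list, and the sample tree are assumptions constructed for the demonstration, and the timestamp check is only meaningful if your restore tool preserves file modification times.

```python
import os
import tempfile
from datetime import datetime, timezone

def audit_restore(root, known_good, expected_plugins):
    """Return (files modified after known_good, unexpected plugin folders)."""
    cutoff = known_good.timestamp()
    recent = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # lstat so a symlink is judged by itself, not by its target
            if os.lstat(path).st_mtime > cutoff:
                rel = os.path.relpath(path, root)
                recent.append(rel.replace(os.sep, "/"))
    plugin_dir = os.path.join(root, "wp-content", "plugins")
    installed = set()
    if os.path.isdir(plugin_dir):
        installed = {e.name for e in os.scandir(plugin_dir)
                     if e.is_dir(follow_symlinks=False)}
    return sorted(recent), sorted(installed - set(expected_plugins))

def build_sample_tree(root, known_good):
    """Constructed sample tree; every path and plugin name is made up."""
    old = known_good.timestamp() - 86400   # one day before the cutoff
    new = known_good.timestamp() + 3600    # one hour after the cutoff
    layout = {
        "wp-content/plugins/shop/shop.php": old,
        "wp-content/plugins/seo-helper/seo.php": old,  # not on expected list
        "wp-content/themes/child/functions.php": new,  # changed after cutoff
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    known_good = datetime(2026, 5, 1, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, known_good)
        recent, unexpected = audit_restore(root, known_good, {"shop"})
        print("modified after known-good date:", recent)
        print("plugins not on the expected list:", unexpected)
```

Modification times can be changed, so a clean result is weak evidence; a flagged file or an unlisted plugin folder is a reason to inspect before trusting the backup.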

Avoiding backup traps: the mistakes that keep small businesses offline

Backup traps aren’t rare edge cases. They’re the most common reasons I see small businesses lose more time than they expected.

Trap #1: Backing up “clean” today, restoring “infected” tomorrow

If your site is already compromised and you keep taking backups, your backup set becomes a time capsule of the infection. When you restore, you restore the malware too.

Best practice: if you suspect a hack, stop restoring blindly. First, confirm the infection and remove it, then restore from a known-good point (often an earlier date). This is one reason why testing restores matters so much.

Trap #2: Keeping backups only in the same place as the site

If your hosting account is suspended, hacked, or deleted, your backups stored inside the same account are often lost with it.

That’s why the third place matters. It’s also why you should store backups outside the hosting provider whenever possible.

Trap #3: No version history (overwriting backups)

Many backup tools overwrite older backups by default. If you discover a hack on day 10, you might only have infected backups left.

Turn on versioning and retention rules. A common setup is 30–90 days retention with daily backups, plus weekly and monthly longer-term archives.
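
The retention tiers can be expressed as a pruning rule. The following is an added example, not code from this article or from any backup tool; it keeps every backup for 30 days, one per week up to 90 days, and one per month after that, where the 365-day monthly horizon and the choice to keep the oldest copy in each week or month are assumptions.

```python
from datetime import date, timedelta

def backups_to_keep(backup_dates, today, daily_days=30, weekly_days=90,
                    monthly_days=365):
    """Return the set of backup dates a tiered retention policy keeps."""
    keep, weekly, monthly = set(), {}, {}
    for d in sorted(set(backup_dates)):              # oldest first
        age = (today - d).days
        if age <= daily_days:
            # Recent copies are all kept. Future-dated copies (clock
            # problems) also land here and are kept rather than pruned.
            keep.add(d)
        elif age <= weekly_days:
            weekly.setdefault(d.isocalendar()[:2], d)    # oldest per ISO week
        elif age <= monthly_days:
            monthly.setdefault((d.year, d.month), d)     # oldest per month
    return keep | set(weekly.values()) | set(monthly.values())

def newest_before(kept, suspected_compromise):
    """Newest kept backup strictly older than the suspected compromise date.

    This is only a candidate restore point; it still has to be verified.
    """
    older = [d for d in kept if d < suspected_compromise]
    return max(older) if older else None

if __name__ == "__main__":
    today = date(2026, 5, 14)
    # Constructed sample: one backup per day for the last 120 days.
    history = [today - timedelta(days=i) for i in range(120)]
    kept = backups_to_keep(history, today)
    print("kept", len(kept), "of", len(history))
    # Compromise suspected to have started on 1 March (constructed date).
    print("tiered retention:", newest_before(kept, date(2026, 3, 1)))
    # An overwrite-only tool holds just the latest copy: no candidate left.
    print("overwrite-only:", newest_before({today}, date(2026, 3, 1)))
```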

Trap #4: Restores that fail because of passwords and missing access

You’d be surprised how often the backup exists, but no one remembers the encryption password or cloud access details. The restore fails at the worst moment.

Write down backup credentials in a secure password manager and share access with two trusted people in your business. In many cases, you should also store recovery codes for MFA.

Trap #5: Ignoring storage cost and backup size

Backups can grow fast because of media. If you’re on a plan with limited storage, you may eventually stop backing up or start deleting older backups.

Do a quick check: how large are your backups per week? If uploads average 5 GB per month, your backup storage needs will rise. Plan for that in 2026, not after you run out.

What to use: backup tools and setups (without getting locked in)

I can’t tell you one magic tool for every small business, but I can tell you what to look for. Your backup system should be easy to restore, support database + files, and offer versioning.

Here are common approaches people use with WordPress:

| Approach | Pros | Watch-outs |
| --- | --- | --- |
| WordPress backup plugin (files + DB) | Fast to set up, can send backups to cloud | Some plugins don’t handle restore well across hosts; test restores |
| Managed hosting backups | Convenient, often automated | Backups may be limited, and restore options can be slow during emergencies |
| Server-level backups (host tools) | Broad coverage | Still need DB and clean restore verification for WordPress content |
| Third-party backup services | Offsite storage, version history | Extra cost; confirm restore steps and permissions |

My recommendation for small businesses: use one backup method you can restore easily, and one offsite method that you can retrieve quickly even if the hosting account is down.

My practical rule for WordPress backup reliability

If a backup tool or host says “automated,” ask this question: “How long does a restore take, and can I test it without breaking the site?” If they can’t answer clearly, test it yourself on staging within the first week.

Also, don’t forget this simple check: after restoring, verify a page loads and a logged-in user can access the dashboard. Broken admin sessions often point to database mismatch or missing environment settings.

People Also Ask: Backup questions small business owners ask me all the time

How often should a small business test a backup restore?

Test at least once a month. If your site changes weekly (new posts, new products, new leads), test every 2 weeks. The point isn’t to be paranoid—it’s to catch broken restore steps early.

When I audit sites, I often see backups taken daily, but restores never tested. That means the team doesn’t know whether the last 30 backups are actually usable.

Should I back up my WordPress site daily or weekly?

Daily backups are best for sites with frequent updates, especially WooCommerce stores and marketing sites that publish weekly. Weekly can be enough for very small sites that rarely change.

But don’t pick the schedule based only on comfort. Pick it based on your RPO target—how much data loss you can tolerate.

What’s the safest place to store backups for a WordPress site?

The safest approach is offsite storage with versioning, plus a separate third place. In plain terms: one backup copy should live outside your hosting account, and one extra copy should exist somewhere else.

Use MFA and limit access. If attackers get your backups, you’re back to square one.

Can I restore from a backup after a malware attack?

Yes, but only from a known-clean backup. If the compromise happened before the backup date, restoring will bring malware back.

In many real incidents, the fastest path is: stop the spread, clean the site, then restore from the last verified clean point. If you’re dealing with a public-site infection, this can also reduce downtime.

If you suspect malware, you’ll want the same kind of step-by-step recovery approach we cover in our post on WordPress malware cleanup and hack recovery.

Connect backups to security: the missing link in many WordPress plans

Backups are your recovery tool. Security is your prevention tool. If you treat backups like a replacement for security, you’ll keep landing back in the same mess.

Here are practical security steps that pair well with backups:

  • Strong admin passwords and fewer admin accounts.
  • Updated WordPress, themes, and plugins. Old plugins often become the entry point.
  • Limit login attempts using a login protection tool or built-in host controls.
  • Two-factor authentication for your WordPress admin.

These steps reduce the chance your backups will be contaminated. If you want a checklist that goes beyond basics, our WordPress hardening tips post fits well with backup planning.

Build your backup plan: a simple checklist you can follow in 30 minutes

Write this down. A backup plan on paper beats a backup plan only in someone’s head.

Use this checklist:

Backup plan checklist (small business version)

  1. Choose your backup frequency based on RPO. Daily is common for active sites.
  2. Confirm backups include files + database (WordPress requires both).
  3. Set retention and version history (example: daily for 30 days, weekly for 90 days).
  4. Store backups offsite and keep at least one “third place” copy.
  5. Turn on MFA for backup storage accounts and password-protect access.
  6. Run a monthly restore test on staging or a test domain.
  7. Log restore results: date tested, time to restore, and what you checked.
  8. Keep recovery details in a password manager (including encryption passwords and MFA codes).
  9. Pair backups with security: update plugins, limit logins, enable 2FA.

Conclusion: your goal isn’t backups—it’s a restore you can trust

The best time to learn your backups don’t work is never. Your goal with backups 101 for small businesses is a restore you can trust: clean data, fast recovery, and backup copies stored safely away from the site.

If you do just three things this week, do these: set version history, store backups offsite (with a third place copy), and run one restore test you can prove. Then keep it going with monthly checks. That’s how you protect your online presence when the next threat hits.

If you’re already dealing with suspicious behavior—unexpected admin users, strange redirects, or sudden traffic drops—don’t wait for “the next backup.” Our blog’s threat alerts and WordPress hack signs can help you spot issues early, before you lose clean restore points.
