
Your All-in-One Guide for WordPress Disaster Recovery


Never underestimate the importance of WordPress disaster recovery, especially if you’re a small or growing business.

Data breaches are at an all-time high, rising by 72% between 2021 and 2023. Tempted to dismiss that as a concern only for major corporations with millions of dollars’ worth of data?

Don’t.

[Figure: 2023 data breach report. Source: Identity Theft Resource Center]

Security specialists Sophos describe ransomware attacks in particular as “the biggest existential threat to small businesses,” with 70% of such attacks targeting SMBs.

So, no matter whether you’re a fledgling startup, a stable small business, or a growing enterprise, it’s never been more crucial to get fully prepared for all eventualities.

Below, we’ll show you how to plan and execute a fail-safe WordPress disaster recovery plan so that you can get your website back online and fully operational in the event of an attack.

Ready? Let’s get to it:

Why is WordPress Disaster Recovery So Important?

Even with other tools and channels at your disposal, your website is still a vital asset and an integral part of your growth strategy.

So, like all of your valuable assets, your website needs protecting at all costs, especially when running a WordPress site means there are always threats looming in the background:

Human Error

Even the best of us make mistakes from time to time, but when your business relies on a fully operational WordPress site, those mistakes could be pretty expensive.

A mistyped code snippet, an incorrectly configured plugin, or even the simple absent-mindedness of leaving login credentials lying around in plain sight can all result in your website crashing or breaking, costing you sales and revenue.

Need proof?

Cast your mind back to The Great Facebook Outage of 2021. In perhaps the most famous recent example of human error causing a digital disaster, an engineer sent a command that accidentally disconnected Facebook, Instagram, and Meta’s messaging tools from the company’s data center.

Although an official figure was never released, experts suggested at the time that the error had cost Mark Zuckerberg’s company as much as $100 million.

Now, we get it. Very few of us are operating at Meta’s level, but the fact remains that even the most innocent of slip-ups could prove costly, and the longer it takes to get back online, the more it’s going to cost.

Server Crashes

Generating more traffic. It’s the obsession of every website owner, isn’t it?

Of course, and for good reason. More traffic means more eyes on your products or content, more ‘Add to Carts’, and more conversions.

Still, it’s worth noting that in the unrelenting pursuit of website traffic, you could get more than you bargained for:

So much traffic that your web hosting servers can’t handle it.

During the US primaries in August 2024, voters in Ottawa County, Michigan were left frustrated when the site used to display incoming election results crashed.

The cause? Excessive demand on the server as more people than anticipated tried to access the website.

Imagine those weren’t voters, but potential customers trying to access your online store or blog subscribers eager to check out your latest monetized content.

That’s a hit to both your reputation and your bottom line that few -if any- WordPress users can afford.

Power and Hardware Failures

If you want to take the most optimistic view, a server crashing because you’re too popular is kind of a nice problem to have.

A server crashing because the hardware bit the dust, however, isn’t.

Whether it’s due to a power cut, a natural disaster, or a simple technical malfunction, all sorts of issues could occur with the physical technology powering your website and, while some can be mitigated, few can be avoided altogether.

With that in mind, you’ll see why having a recovery plan is so important: It provides an effective process for getting back online when problems arise that are out of your control.

Hacking and Malicious Actors

A 2024 report by Mimecast notes that 74% of all cyber breaches are caused by human factors. While the aforementioned errors are included in that number, it also includes social engineering, misuse of access privileges, and stolen credentials.

Even if you’ve taken every precaution to ensure credentials and access rights are managed effectively, there’s still the risk that some unknown bad actor could exploit some undetected vulnerability and force their way into your website.

Once there, they’re free to run amok, stealing personal data, replacing your site with offensive material, or holding your site hostage with ransomware until you agree to pay an expensive fee for it to be removed.

Should this worst-case scenario happen to you, you’ll need to move quickly to reclaim control of your site and get it back in good working order. A WordPress recovery plan allows you to do that.

Malware, Viruses, and Attacks

Not all cyber breaches are a result of human beings hacking their way into your site. Vulnerabilities in outdated or poorly coded themes and plugins can provide a backdoor through which automated systems such as botnets can inject malware, viruses, and other security threats.

“But surely that would never happen to me,” you argue. “I’m running the best WordPress security plugins money can buy.”

That’s a good point. A better point, however, is that these automated systems are constantly evolving in terms of stealth and sophistication.

Imagine what would happen if a particularly crafty bit of malware gets developed that sneaks into your site faster than your security plugin’s developers can release an update to catch it.

Your site goes offline, your visitors’ data is compromised, and the trust you once inspired in those visitors lies in ruins.

How Does a Disaster Recovery Plan Help?

The longer each of these problems persists, the more damage it does to your brand.

Creating a disaster recovery plan means you can be confident that as soon as a problem arises, you’ll be notified and can spring into action to fix it, ultimately getting your site back in good working order as quickly as possible.

The next question then, is simply where to start. Below, you’ll find step-by-step instructions on creating a fail-safe, fool-proof strategy for WordPress disaster recovery.

How to Create a Disaster Recovery Plan for WordPress: Step-by-Step

1. Complete a Site Security Audit

Later, we’ll show you how to back up and restore WordPress. It’s a vital part of the process to recover your site from disaster. Before we get to that, there’s something important you need to know:

There is absolutely no point backing up a copy of your website that is riddled with the same security issues that caused you to have to restore that copy in the first place.

All that’s going to do is reintroduce the very same issues back into your site, leading to further crashes and calamity.

So, before you go rushing ahead, take the time to conduct a thorough audit of your website’s current security features.

Go through your site and ask:

  • Is everything up to date? Are you running the latest versions of your themes, plugins, and core files?
  • Is a malware scanner installed? Is it properly configured? Are notifications going somewhere they’ll be seen the second they arrive?
  • Are you running a web application firewall (WAF)? Is that set up correctly to only allow good traffic through?
  • Is your secure password policy being followed? You do have a secure password policy for your company, don’t you?
  • Is two-factor authentication enabled? Is it proving effective in keeping uninvited users out of your site?
  • Are you managing user permissions effectively? Are you confident that only authorized users have access to the necessary directories and privileges?
  • Is SSL/TLS configured? Do your URLs start with HTTPS?

To help you answer these -and other- important questions, we’ve put together the following WordPress security checklist for you to copy. There’s even a column for you to check off each part of the audit so that you can be sure you’ve covered everything.

| Security Measure | To check | Checked? (Y/N) |
|---|---|---|
| Software Updates | Core files up-to-date | |
| | Theme files up-to-date | |
| | Plugin files up-to-date | |
| | Automatic updates are enabled | |
| Malware Scanner | Malware scanner installed | |
| | Scanner configured to scan regularly | |
| | Notifications set up correctly | |
| Web Application Firewall (WAF) | WAF in place | |
| | WAF is configured to block malicious traffic effectively | |
| | ‘Good’ traffic can still get through | |
| Password Policy | A secure password policy is in place | |
| | Employees adhere to the policy | |
| | Policy is regularly reviewed and updated as necessary | |
| Two-factor authentication (2FA) | 2FA enabled for all relevant accounts | |
| | 2FA is effective in preventing unauthorized access | |
| General File Permissions | Files: 644 (Owner can read/write, others can read only) | |
| | Directories: 755 (Owner can read/write/execute, others can read/execute) | |
| User Permissions | User roles and permissions are assigned appropriately | |
| | User permissions are regularly reviewed and updated | |
| SSL/TLS Encryption | SSL/TLS is configured | |
| | SSL certificates are valid and up-to-date | |
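
The General File Permissions rows of the checklist (files 644, directories 755) can be checked mechanically rather than by eye. The following is an added example, not part of the original guide: a Python audit that walks a WordPress directory and separates modes that grant more than the baseline from modes that are merely stricter. The function names and the constructed sample tree are assumptions for illustration.

```python
import os
import stat
import tempfile

# Baseline taken from the checklist: files 644, directories 755.
FILE_BASELINE = 0o644
DIR_BASELINE = 0o755


def classify(mode, baseline):
    """Compare permission bits against the baseline.

    'ok'       exactly the baseline
    'looser'   grants at least one bit the baseline does not (a finding)
    'stricter' grants only a subset of the baseline (review, not a risk)
    """
    perms = stat.S_IMODE(mode)  # includes setuid/setgid/sticky bits
    if perms == baseline:
        return "ok"
    if perms & ~baseline:
        return "looser"
    return "stricter"


def audit_permissions(root):
    """Return sorted (relative path, octal mode, verdict) for every
    file or directory below root that deviates from the baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_BASELINE) for d in dirnames]
        entries += [(f, FILE_BASELINE) for f in filenames]
        for name, baseline in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful
            verdict = classify(st.st_mode, baseline)
            if verdict != "ok":
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode)), verdict))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree (not a real site) with known deviations."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    layout = {
        "wp-config.php": 0o644,                 # matches the baseline
        "wp-content/private.txt": 0o600,        # stricter than the baseline
        "wp-content/uploads/photo.jpg": 0o666,  # world-writable file
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # world-writable dir
    return root


if __name__ == "__main__":
    for rel, mode, verdict in audit_permissions(build_sample_tree()):
        print(f"{verdict:9} {mode}  {rel}")
```

Entries reported as "looser" are the ones to fix before taking a backup; "stricter" entries are listed only so that an unexpected lock-down does not break the site unnoticed.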

As you go through this list, take note of any updates or tasks you need to take care of. You’ll need them for the next step:

2. Strengthen Site Security

Step one was about identifying weak spots in your WordPress security setup. Step two is about strengthening those weak spots. That way, when it comes time to back up your site, you’ll be sure that you’re backing up the strongest and most secure version.

So, go through the notes from your security audits and start taking care of anything that needs to be done.

If it’s updating plugins, update the plugins. If a plugin is no longer being supported, look for an alternative that is.

If it’s creating a password policy because the audit made you realize everyone is logging in with ‘123456!’ as their password, create the policy. Get together with whoever needs to be involved from relevant departments such as IT and HR, and roll out a policy that will make it harder for lazy hackers to simply guess login credentials for your site.

In other words, do whatever you have to do to beef up security and avoid creating compromised backups.

3. Create a Regular Cloud Backup

You’ve gone into every nook and cranny of your WordPress security and you couldn’t be more confident:

This is the most secure your site has ever been.

Great. Your next task is to create a backup of that Fort Knox version of your site so that, should the worst happen, you can launch into WordPress site restoration with that same confidence.

Here’s what to do:

A. Research WordPress Backup Solutions

For the most part, there are three main solutions for backing up and restoring WordPress sites:

I. FTP

File Transfer Protocol is a means of accessing your server directories via a tool known as an FTP Client.

On the plus side, this manual process gives you full control over the ‘when, what, and, where’ of backup management.

On the downside, it involves downloading the software, getting FTP details from your hosting provider, and then entering them into that software.

At best, that’s cumbersome, at worst, it’s a time drain you can ill afford.

II. Hosting Tools

A number of leading WordPress hosting providers offer backups and restorations either as part of their core service or as an additional service.

Hostinger, for example, has free weekly backups, with daily backup options available on higher-priced plans.

On the one hand, features like this offer the best of both worlds; the convenience of an automated, done-for-you service with the level of control needed to do things manually when you need to.

On the other hand, you’re essentially relying on the same company to host both your live site and its backup. Hostinger even notes that backups are stored on its own databases, which begs the question:

What if there’s a problem with your host and neither your live site nor your backup is accessible?

III. WordPress Plugins

The third option is to use a plugin such as BackupBuddy, All-In-One WP Migration, or Jetpack’s VaultPress backup add-on. For the rest of this tutorial, we’ll be using one of our favorite WordPress backup solutions, UpdraftPlus.

Our reasons are simple: It combines all the advantages of the other options into one quick and convenient solution that you have full control over.

You can use it to:

  • Create a fully automated backup process scheduled for a time that suits you
  • Configure which file types are backed up
  • Automatically send backups to leading cloud storage providers.

If you decide to use a different plugin, you can still follow the rest of the steps in this tutorial. However, the interface and navigation of your preferred plugin may be different from UpdraftPlus.

B. Install and Activate Your Backup Plugin

Install the free version of UpdraftPlus from your dashboard by going to Plugins – Add New and searching for UpdraftPlus.

Click Install Now followed by Activate.

C. Select a Cloud Storage Solution

Once the plugin is activated, navigate to UpdraftPlus – Settings – Choose your remote storage.

UpdraftPlus integrates with several well-regarded cloud storage solutions, as well as its own UpdraftVault service. By connecting your storage account to WordPress, your backups can automatically be sent to and stored on that account.

Upgrade to the premium version, and you can simultaneously create several backups in multiple cloud locations for extra security.

Each storage option has its own integration process, which you can manage via the UpdraftPlus dashboard.

Follow the integration steps for your cloud storage provider, and move on to the next steps.

D. Configure Backup Options

With that done, tap on the Backup / Restore tab and click Backup Now.

Clicking that button will bring up the backup options, where you can select which parts of your site are backed up.

By default, this includes everything. We recommend keeping it that way to ensure you’re getting a comprehensive copy of your entire site.

Finally, hit Backup Now.

Tapping that button kickstarts the process of backing up your files and delivering them to a safe, secure cloud location of your choosing.

E. Create and Test Your First Backup

If you were paying close attention to the screenshots above, you may have noticed that we haven’t yet scheduled regular backups.

We’ll certainly show you how to do that in the next step, but first, it’s important to test that your initial backup worked correctly.

After all, what’s the use in scheduling a faulty backup that loses or damages files?

Open up your cloud storage account and check that the backup has been saved correctly.

  • Is it in the right location?
  • Are all the files and databases included?

To be really thorough, you’ll find it helpful to download that initial backup and run it in a secure staging environment to ensure that your backup works just as well as your live site.
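
The two questions above (is everything included, and did it arrive undamaged) can be answered with a script before any staging restore. The following is an added example, not part of the original guide and not UpdraftPlus’s own code: it groups the archives in a download folder by backup timestamp, reports missing components, and reads every archive end to end so truncation and CRC errors surface. It assumes UpdraftPlus’s usual naming of `backup_<date>_<site>_<id>-<component>.zip` plus a `-db.gz` database dump; adjust the pattern if your files are named differently. The sample folder is constructed.

```python
import gzip
import os
import re
import tempfile
import zipfile
import zlib

# Components a full-site backup is expected to contain (assumed naming).
EXPECTED = {"plugins", "themes", "uploads", "others", "db"}
NAME_RE = re.compile(
    r"^backup_(?P<stamp>\d{4}-\d{2}-\d{2}-\d{4})_.+_(?P<id>[0-9a-f]+)"
    r"-(?P<part>[a-z]+)\d*\.(?P<ext>zip|gz)$"
)


def archive_is_intact(path):
    """Read the whole archive so truncation and CRC errors are detected."""
    try:
        if path.endswith(".zip"):
            with zipfile.ZipFile(path) as zf:
                return zf.testzip() is None  # None means every CRC matched
        with gzip.open(path, "rb") as gz:
            while gz.read(1 << 20):
                pass
        return True
    except (zipfile.BadZipFile, OSError, EOFError, zlib.error):
        return False


def verify_backup_sets(folder):
    """Return {timestamp: {'missing': [...], 'corrupt': [...], 'passes': bool}}."""
    sets = {}
    for name in sorted(os.listdir(folder)):
        m = NAME_RE.match(name)
        if not m:
            continue  # not a backup archive; ignore
        entry = sets.setdefault(m["stamp"], {"present": set(), "corrupt": []})
        entry["present"].add(m["part"])
        if not archive_is_intact(os.path.join(folder, name)):
            entry["corrupt"].append(name)
    report = {}
    for stamp, entry in sets.items():
        missing = sorted(EXPECTED - entry["present"])
        report[stamp] = {
            "missing": missing,
            "corrupt": entry["corrupt"],
            "passes": not missing and not entry["corrupt"],
        }
    return report


def build_sample_folder():
    """Constructed sample: one complete set and one damaged set."""
    folder = tempfile.mkdtemp(prefix="backups-")

    def target(stamp, part, ext):
        name = f"backup_{stamp}_Constructed_Site_0123456789ab-{part}.{ext}"
        return os.path.join(folder, name)

    def write_zip(stamp, part):
        with zipfile.ZipFile(target(stamp, part, "zip"), "w") as zf:
            zf.writestr(f"{part}/readme.txt", "constructed sample file\n")

    dump = gzip.compress(b"-- constructed SQL dump\n" * 200)
    good, bad = "2024-08-14-0930", "2024-08-15-0930"
    for part in ("plugins", "themes", "uploads", "others"):
        write_zip(good, part)
    with open(target(good, "db", "gz"), "wb") as fh:
        fh.write(dump)
    for part in ("plugins", "themes", "others"):  # uploads archive never arrived
        write_zip(bad, part)
    with open(target(bad, "db", "gz"), "wb") as fh:
        fh.write(dump[: len(dump) // 2])  # simulates an interrupted transfer
    return folder


if __name__ == "__main__":
    for stamp, result in verify_backup_sets(build_sample_folder()).items():
        print(stamp, result)
```

A passing set only proves the archives are complete and readable; the staging restore described above is still what shows the site actually works.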

F. Create a Backup Schedule

Once you’re certain that things are being backed up correctly, head to Settings – File backup schedule.

Here, your first job is to set a regular backup schedule for both files and databases.

By default, each option is set to ‘manual,’ but you can use the dropdown menu to set an automated process to run at specific intervals, ranging from every hour to every month.

You can also determine how many backups should be retained.

In the example above, we’ve decided to keep two backups for a small yet growing blog website. This gives us enough copies to manage disaster recovery on this scale without taking up too much storage space.

However, if you run a large-scale site with lots of frequent updates, it would be wise to save more backups.

4. Create an Offline Backup

Backing up to the cloud means that you’ll always have a good backup copy stored in a secure, remote location that you can access at any time.

At least, that’s the theory.

Yes, cloud storage provided by the likes of Amazon, Google, and Microsoft should be 100% reliable, but with the headline-making Microsoft CrowdStrike outage still fresh in the memory, it’s worth mentioning that even major brands suffer setbacks.

This is why it’s just as important to create a second WordPress backup stored on a secure, physical device.

For example, you may decide to save a backup on a password-protected external hard drive that stays locked away until needed, an “in case of emergency, break glass” kind of scenario, only for your WordPress site.

You can do this via UpdraftPlus by going to Backup / Restore – Existing Backups.

From there, click Download to Your computer and save the backup to your device.

Creating Secondary Physical Backups

When you’re done, you might want to consider repeating this process to create a second physical backup, this one to be stored off-site.

This is especially crucial if you’re a large or growing business whose WordPress site is a mission-critical asset. That way, you’re in no doubt that all the bases are covered.

Think about a probable worst-case scenario:

Your website gets hacked. You eliminate the problem, but now you need to restore WordPress to get things back to normal.

So, you go to your cloud backup provider, but they’ve been hacked too, and are offline.

You turn to your physical backup, but the key to access the hard drive is missing or the password has been forgotten.

Every minute that passes, your business is losing money and loyal customers.

We’re not saying it’s likely that all three things would go wrong at the same time, but you can at least sleep easier at night knowing that if they did, you’d still have an accessible backup in another location.

And if that location suddenly became inaccessible at the exact same time as the rest of this recovery management nightmare is going on? Well, extra-cautious website owners always have the option of creating a third backup.

5. Monitor Uptime and Test Notifications

You could have the most efficient and effective recovery plan in the world, but it’s useless if you don’t know if and when it’s needed.

Imagine working hard on a fire escape plan for your office but never bothering to set a smoke alarm. You’d be all set to respond to an emergency that you may not even know is happening until it’s too late.

The same applies to your WordPress website. How can you begin disaster recovery if you’re unaware there’s a disaster to recover from?

If you’ve been following this guide to the letter, you’ll have already ensured you’re monitoring for malware, but you also need to be monitoring your uptime so that you can be alerted should your site go down.

Some WordPress security plugins like All in One Security (AIOS) and Jetpack’s security tools come with uptime monitoring features. So your first port of call should be to check whether you can enable this feature in your security suite.

If not, you can use services such as Pingdom and UptimeRobot to generate uptime reports and set notifications to alert you when your site goes down.

Here’s how to do it with UptimeRobot.

A. Create Your First Monitor

Create an UptimeRobot account (free and paid plans are available) and log in to your dashboard.

Once there, click Create your first monitor.

B. Enter Your URL

Ensure the HTTP monitoring option is selected. You may want to establish ping monitoring separately later, but stick with HTTP for now as it provides the most accurate data on your website’s overall availability.

Next, simply enter your web address in the URL to monitor field.

C. Select Notification Options

One thing we love about Uptime monitoring is that it’s easy to set multiple types of notifications so that your team never misses an important downtime alert.

By default, notifications are only sent to your email. That’s great for those office hours when you’re at your desk with an email client ready to flash up your alerts the second they land, but what about the rest of the time?

Fortunately, you can also choose to receive alerts via text message, voice calls, and mobile push notifications.

Here, you’ll need to make important decisions about who receives those notifications.

Is there one person (possibly you), solely responsible for managing disaster recovery, in which case all notifications go to them?

Should the CEO receive an email while the website manager gets both SMS and voice notifications and the manager’s team receives push alerts?

Speaking of teams, upgrading to UptimeRobot’s paid plans allows you to integrate the service with a host of messaging apps and third-party tools to ensure that anyone who needs to get the message gets it.

Finally, use the Monitor interval bar to determine how frequently your site should be checked, then click Create monitor.

D. Test Notifications

While you wait for UptimeRobot to process your first uptime status report, we suggest using your time wisely to test that your notifications are working.

Click Test Notification, configure the options to your liking, and hit Send test notifications.

You can now go about your day, confident in the knowledge that your website is being regularly monitored to ensure it’s online and that you’re notified as soon as it isn’t.

6. Define Roles and Responsibilities

Unless you’re a solo operation, the person receiving any uptime or malware notifications won’t be the only person carrying out your recovery plan.

Think about:

  • What does the notified point-of-contact do after receiving an alert? Who do they contact first? What is the protocol for setting this plan in motion?
  • Who is responsible for fixing the problem? Is it the main point of contact? An engineer? A WordPress agency you outsource to? Who contacts them? What is their first task, and their second, and so on?
  • How will you handle site visitors during the recovery process? Are your customer support agents ready? Have you assigned someone from marketing to send out an email and handle socials while your tech team works frantically behind the scenes?
  • Who is responsible for backups? Where are the backups stored? Who has access to them? What steps must they take to ensure a successful WordPress site restoration?

Essentially, any time your recovery plan requires an action, clearly define who is responsible for taking it. While you’re at it, documenting the steps they need to take serves as a solid contingency plan.

If Sarah from marketing isn’t answering her phone at 2 AM when your global eCommerce site suddenly goes offline, at least you’ve got written instructions on where to find her ‘In case of emergency’ assets and how to implement them.

7. Test Your WordPress Recovery Plan

You’ll notice that every major stage of your recovery plan involves testing that it actually works.

So, if you’ve tested that your backups work, your malware scanner and security tools work, and all your notifications work, surely the whole plan should work, right?

You’d think so, yes, but this is your business we’re talking about. Do you really want to take it for granted?

Of course not, so it’s time to rigorously test your website.

Consider cloning your WordPress site to a staging environment and simulating a disaster. Start from the moment you’re alerted of the problem and carry out your plan as if the whole thing were real.

Again, if you’ve been testing as you go, everything should run smoothly, but this is a golden opportunity to identify overlooked steps or areas for improvement.

After the drill is over, gather feedback from those involved, adjust accordingly, and test again until it’s as fail-safe as can be.

How to Implement Your Disaster Recovery Plan

After all that, we truly hope that you never actually need to use your new recovery plan, but, should the worst happen, here are the key priorities you’ll need to address.

1. Enable Maintenance Mode

The first step in effective disaster recovery is damage control. That starts with switching your site into maintenance mode to prevent visitors from accidentally stumbling across a broken website.

2. Manage Customer Concerns and Expectations

The sooner you can use your social and email marketing tools to tell your customers what’s going on, the more likely you are to retain their loyalty and trust.

Ensure that your maintenance page directs users to those other channels and provides customer service contact details where appropriate.

3. Redirect to a Secondary Server

If budget and resources allow, you’ll benefit from uploading a WordPress backup to a secure secondary server and using redirects to send visitors there while you tackle the issue on your main server.

4. Fix The Problem

This might mean anything from removing malware to fixing or replacing broken hardware. It might even mean that you’ve no alternative but to wipe the slate clean and start again by restoring your last known good backup.

5. Test and Test Again

Whatever you need to do to solve the problem, don’t go live again until you’ve checked that:

  1. The website is fully accessible
  2. Navigation and other functions work correctly
  3. There are no malware or other security threats
  4. Any other issues that caused the disaster have been fully resolved.

When you’re good to go, direct URLs back to your main server, disable maintenance mode and let your audience know that you’re back in business.

Post-Recovery: How to Prevent a Second Disaster

Disaster recovery is all about preparing for the worst, but with a little extra work, you can avoid a number of WordPress emergencies altogether.

Review and Update

If you’ve just been through a genuine website crash or security breach, now is the perfect time to sit down and review what went wrong.

What were the weak links in your WordPress armor that allowed this disaster to happen?

What parts of the recovery process were successful?

What could be improved?

If you’re fortunate enough to have not gone through that whole ordeal for real, schedule drills that will allow you to answer those same questions.

Plan for Traffic Spikes

Planning a major sale or online event? If so, check that your hosting server is capable of handling the extra traffic.

If it’s not, consider a temporary upgrade. Companies like Kinsta, Hostinger, and Cloudways offer ‘scalable hosting’ solutions whereby you can increase and decrease your server resources as needed. This means that you only have to pay for things like extra bandwidth when you know these traffic spikes are on their way.

Stay on Top of WordPress Maintenance

Last but not least, it’s the little things that make a big difference when it comes to avoiding WordPress disasters.

Stay on top of theme, plugin, and core updates, or enable auto-updates where possible. Check that whatever WordPress backup solution you’re using is working correctly, and keep a close eye on those monitoring tools so that you’re ready to spring into action should the worst occur.

WordPress Disaster Recovery: Your Key Takeaways

So, there you have it; your ultimate, all-in-one guide to WordPress disaster recovery, complete with every step you’ll need to take and every tool you’ll need to be fully prepared for website crashes and cyber attacks.

Need a quick recap before you dash off to create your plan? Here are the key takeaways from this guide:

  • Disaster recovery is essential, especially for those whose business runs on WordPress – A hacked or offline website isn’t contributing to your business goals. A recovery plan ensures you get back online quickly to minimize disruptions.
  • Backups are the cornerstone of successful disaster recovery – Use tools like UpdraftPlus to save backup copies of your website to multiple locations. You can use these backups to restore your site in case of a problem.
  • Don’t back up until you’ve audited your site security – If there’s a chink in your armor that poses a security threat, fix it first. That way, you avoid creating a backup of an already compromised site.
  • Test everything – When developing your plan, test everything at every stage. Remember, human error is a big cause of security problems, and it only takes one small typo or misstep to open up a world of trouble.

 

Running an agency and want to provide clients with the peace of mind that comes from knowing their site is fully backed up and protected?

Don’t have the infrastructure to provide disaster recovery services in-house?

Talk to us today to discover how our white-label WordPress maintenance services can help.

The post Your All-in-One Guide for WordPress Disaster Recovery appeared first on E2M Solutions.

