Backup Series: Where Should I Store My Backups?


It’s time for the third and final post in our series on website backups. If you’re just jumping in now, take a few minutes to review part one here and part two here.

So far, we’ve talked about why you need to be backing up your website yourself and not relying on your web host or server provider, and about how often you should be backing up your site. Now, it’s time to explore the best place to store your backups. This is a critical decision, and the good news is that you have lots of options, both free and paid.

Let’s talk about them from worst to best, in my opinion.

Not The Best

When using your backup plugin or script, you may see email as an option for your automatic backups. You shouldn’t send your website backups to your email address. First, email can be insecure. You could leave your data exposed as it travels the internet. Also, some email providers may block the reception of large backup files. Only use this as a last resort.

Slightly Better

Storing your backups locally on your server is also an option. This is fine for quick backups before you test or upgrade a plugin, for example, but it’s not a good long-term location to store your backups. If something happens to your web hosting server, your files may also be affected. It doesn’t take much to break a server, especially on a shared hosting provider, where resources are oversold and security is lax. If a drive fails, or a site is hacked, your backups could be, at best, lost and, at worst, compromised. Don’t store them on your hosting server.

You may also run into issues if you are trying to migrate or copy your site. I was recently working with a client and we needed to make a copy of their site. I was surprised to find a dump I made of their site was over 25GB, even after excluding the WordPress media folder. It turns out they were storing their backups locally, so the plugin I was using to migrate the site was including those local backups.

Getting Better

Setting up the files to automatically send to another server or service such as Dropbox is a good first place to get your backup plan going.

Several plugins like Updraft will allow you to store your backups in a service such as Dropbox, Microsoft OneDrive, or Google Drive. These are good places to store your files as you start on your backup journey. However, services like Dropbox may offer only a certain amount of free space, so keep an eye on your quotas. You should also be aware that if you use something like Dropbox, you are giving your site access to all of your Dropbox files. If your key or login is compromised, the attacker will have full access to your Dropbox or Google Drive.

The Best Option

To best protect your data and yourself, I would recommend storing your backups in a cloud-based storage provider. These providers would include Amazon Web Services’ Simple Storage Service (S3), DigitalOcean’s Spaces, Backblaze’s B2 product, or Rackspace Cloud Files.

These systems are built to store files and offer finely tuned permissions and controls. This gives you full control over how, where and by whom the files are accessed.

The Process

Here’s an example of how I set up Amazon S3 for our clients’ site backups:

First, I create a new Amazon S3 bucket for each client’s site. This helps our team not only keep track of where the backups live, but also allows us to make sure we don’t cross the streams in terms of login keys. I then set these new buckets to not be publicly viewable. This is different from hosting web content for use by the world or by the site’s editors. For our backup needs, we want a secure home where no one can even see our files.

Next, I create a new Amazon IAM user for each site. That’s a lot of acronyms, but it’s a username and password (in the form of two long keys) for each new site we’re backing up. Here’s a good IAM tutorial post.

I then tell Amazon that the only person that can access our new bucket is this new user. That’s it — our backup files are protected and need a username and password to view and download. No one can stumble upon them or download them. This is often how large chunks of data are compromised – permissions aren’t set correctly and world-read access is granted by default. Here’s a story on this practice.
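The bucket lockdown and per-site user described above, as an added example (not the author's own configuration): Python that builds the S3 Block Public Access settings and an identity policy limited to one bucket, then audits any policy for grants that reach beyond that bucket. The bucket name, the Sids, the function names and the choice of S3 actions are assumptions; the post does not say which actions its backup users are granted.

```python
import json

def public_access_block():
    """S3 Block Public Access: all four settings on, so nothing is world-readable."""
    return {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def backup_user_policy(bucket):
    """Identity policy for one site's IAM user, limited to that site's bucket."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListBackupBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": [arn]},
        {"Sid": "ReadWriteBackups", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": [arn + "/*"]},
    ]}

def _as_list(value):
    # IAM lets Statement, Action and Resource be a single value or a list.
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit_policy(policy, bucket):
    """Return findings for Allow statements that reach beyond `bucket`."""
    arn, findings = f"arn:aws:s3:::{bucket}", []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything else")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if res != arn and not res.startswith(arn + "/"):
                findings.append(f"{sid}: resource outside the bucket: {res}")
    return findings

# Constructed sample: the kind of catch-all grant that exposes every bucket.
TOO_BROAD = {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}

if __name__ == "__main__":
    bucket = "example-client-site-backups"  # hypothetical bucket name
    print(json.dumps(backup_user_policy(bucket), indent=2))
    print(audit_policy(backup_user_policy(bucket), bucket))
    print(audit_policy(TOO_BROAD, bucket))
```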

A similar setup and process will work for Backblaze, Rackspace, Azure and DigitalOcean as well. The big difference will be how to set up the accounts and secure the storage containers.

In the end, backing up your WordPress website needs to be a critical part of your web strategy. If you’re unsure how to get backups set up and configured correctly, let us know and we’d be glad to help you.

Map photo by Capturing the human heart. on Unsplash