Which WordPress Files Should You Backup and the Right Way to Do It

Table of Contents#

Why WordPress Backups Matter: The Risks of Skipping Them
Which WordPress Files & Data Must You Backup?
Why You Should Not Backup Everything
The Right Way to Backup WordPress: 4 Proven Methods
Best Practices for Bulletproof WordPress Backups
Troubleshooting Common Backup Issues
Conclusion: Don’t Wait for Disaster
References

Why WordPress Backups Matter: The Risks of Skipping Them#

Before diving into the “what” and “how,” let’s underscore why backups are non-negotiable. Here are the most common threats that make backups essential:

Hacks & Malware: Over 45,000 websites are hacked daily, and WordPress sites (powering 43% of the web) are prime targets. Malware can delete files, deface pages, or steal data.
Human Error: Accidentally deleting a post, overwriting a theme file, or misconfiguring a plugin happens to even the most careful users.
Update Failures: A faulty WordPress core, theme, or plugin update can break your site (e.g., white screen of death, broken layouts).
Server Crashes: Hosting servers can fail due to hardware issues, DDoS attacks, or provider errors, leading to data loss.
Data Corruption: Database errors, file system issues, or corrupted uploads can render parts of your site unusable.

Without a backup, recovering from these scenarios can take hours (or days) of work—or even result in permanent data loss. With a backup, you can restore your site in minutes.

Which WordPress Files & Data Must You Backup?#

Not all files on your WordPress site are equally important. Focus on these critical components to avoid wasting storage on unnecessary data.

2.1 The WordPress Database: Your Site’s Brain#

What it is: The database is a structured collection of data stored separately from your files. It contains all dynamic content and settings, including:

Posts, pages, and custom post types (e.g., products, testimonials).
Comments, user profiles, and passwords (hashed).
Theme and plugin settings (e.g., widget configurations, SEO metadata).
Taxonomies (categories, tags), menus, and permalinks.

Why it’s critical: Without the database, your site is just an empty shell. All your content, user data, and configurations live here.

How to identify it: WordPress databases are typically managed via MySQL or MariaDB. Your database name and credentials are stored in wp-config.php (see Section 2.3).

2.2 The `wp-content` Directory: Your Site’s Heart#

What it contains: The wp-content folder is where all user-generated and custom content lives. Key subdirectories include:

themes/: Active and inactive themes, including custom child themes and theme modifications.
plugins/: All installed plugins (active and inactive), including custom plugin code.
uploads/: Media files (images, videos, PDFs) uploaded via the WordPress dashboard (organized by year/month).
mu-plugins/: Must-use plugins (auto-activated, often used for site-wide custom code).
languages/: Translation files for themes, plugins, or WordPress core.
upgrade/: Temporary files during updates (less critical but worth including).

Why it’s critical: Unlike WordPress core files (which can be redownloaded), wp-content contains unique, irreplaceable data: your custom theme code, plugin settings, and media library. Losing this directory means rebuilding your site from scratch.

2.3 The `wp-config.php` File: Your Site’s Blueprint#

What it is: A core configuration file in your site’s root directory. It contains:

Database credentials (name, username, password, host).
Security keys and salts (for encrypting cookies and user sessions).
Critical settings (e.g., debug mode, table prefix, WordPress address).

Why it’s critical: Without wp-config.php, WordPress can’t connect to the database, and your site won’t load. While you can recreate this file manually, having a backup saves time and avoids typos (e.g., incorrect database credentials).

2.4 The `.htaccess` File: Your Site’s Traffic Cop#

What it is: A hidden server configuration file in your site’s root directory (for Apache servers). It controls:

Permalinks (e.g., yourdomain.com/blog/post-title instead of yourdomain.com/?p=123).
Redirects (301/302 redirects for SEO).
Security rules (e.g., blocking malicious IPs, preventing directory browsing).
Cache control (e.g., browser caching for static files).

Why it’s critical: Missing or corrupted .htaccess files can break permalinks (leading to 404 errors), disable security rules, or disrupt caching. While you can regenerate permalinks via the WordPress dashboard, custom redirects or security rules will be lost without a backup.

2.5 Should You Backup WordPress Core Files?#

WordPress core files include the wp-admin/, wp-includes/ directories, and root files like index.php, wp-load.php, and readme.html. These files are part of the official WordPress software and can be downloaded for free from wordpress.org.

When to backup core files: Only if you’ve modified them directly (e.g., edited wp-includes/formatting.php to customize a function). However, modifying core files is strongly discouraged:

Updates will overwrite your changes.
It increases security risks (core files are audited by WordPress developers).

When to skip them: If you haven’t modified core files, skip backing them up. This reduces backup size and avoids storing potentially outdated or malware-infected core files (since you can redownload a fresh copy from WordPress.org).

Why You Should Not Backup Everything#

Backing up every file on your server wastes storage space and slows down backup/restore processes. Avoid these non-essential items:

Cache files: Plugins like WP Rocket or LiteSpeed Cache generate cache files that can be regenerated.
Old backups: Storing backups on your server wastes space and puts them at risk if the server fails.
Log files: Server logs, error logs, or plugin logs (e.g., debug.log) are temporary and non-critical.
Core files (if unmodified, as discussed above).

The Right Way to Backup WordPress: 4 Proven Methods#

Now that you know what to backup, let’s explore how to do it.

4.1 Manual Backups: Free but Labor-Intensive#

Manual backups require downloading files and exporting the database yourself. They’re free but time-consuming and error-prone for regular use.

Step 1: Backup Your Database via phpMyAdmin#

Log into your hosting control panel (e.g., cPanel, Plesk).
Find the “Databases” section and click phpMyAdmin.
Select your WordPress database from the left sidebar (check wp-config.php for the name, e.g., user_wp123).
Click the Export tab.
Choose Quick export method and SQL format, then click Go. Save the .sql file to your computer.

Step 2: Backup Your Files via FTP or File Manager#

Using FTP:
- Install an FTP client (e.g., FileZilla).
- Connect to your server using FTP credentials (from your host).
- Navigate to your WordPress root directory (e.g., public_html/).
- Download the wp-content folder, wp-config.php, and .htaccess to your computer.
Using File Manager (cPanel):
- In cPanel, go to File Manager.
- Navigate to your WordPress root directory.
- Select wp-content, wp-config.php, and .htaccess.
- Click Compress (choose ZIP format) and download the ZIP file.

Step 3: Store Backups Offsite#

Save the database .sql file and file ZIP to an external drive, cloud storage (Google Drive, Dropbox), or another secure location.

4.2 Automated Plugins: The Easiest Option for Most Users#

Backup plugins automate the process, schedule backups, and store files offsite. Here are two top options:

UpdraftPlus (Free/Premium)#

UpdraftPlus is the most popular WordPress backup plugin (5+ million active installs).

Features:

Scheduled backups (daily, weekly, monthly).
Supports offsite storage (Dropbox, Google Drive, Amazon S3, etc.).
Separate file and database backups (save space).
One-click restore.

Setup Steps:

Install and activate UpdraftPlus from the WordPress Plugin Directory.
Go to Settings → UpdraftPlus Backups.
Under the Settings tab:
- Choose backup Schedule (e.g., “Files: Weekly, Database: Daily”).
- Select Remote Storage (e.g., Dropbox) and authenticate your account.
- Click Save Changes.
To run an immediate backup, click Backup Now (check “Include database” and “Include files”).
To restore, go to the Existing Backups tab, select a backup, and click Restore.

Pricing: Free for basic features; Premium ($70/year) adds incremental backups, priority support, and advanced tools.

BackupBuddy (Premium)#

BackupBuddy is a premium plugin with robust features for power users.

Features:

Scheduled backups, offsite storage, and one-click restores.
Staging site creation (test changes before going live).
Malware scanning and backup encryption.

Pricing: Starts at $80/year (1 site).

4.3 Hosting-Provided Backups: Convenient but Limited#

Most web hosts offer automated backups (e.g., SiteGround, Bluehost, WP Engine).

Pros:

No setup required (often enabled by default).
Integrated with your hosting (easy to restore via cPanel).

Cons:

Limited retention: Hosts typically keep backups for 7–30 days (e.g., Bluehost retains 30 days).
No offsite storage: Backups are stored on the same server (risky if the server fails).
Restore limitations: Some hosts charge for restores or only offer full-site restores (not partial).

How to use: Check your host’s documentation for details. For example, in cPanel:

Go to Backup Wizard or Site Backup.
Choose “Download a Backup” to save files/databases, or “Restore a Backup” to recover.

4.4 Cloud-Based Backups: Secure and Scalable#

Cloud-based backups store your data on external services (e.g., AWS, Google Cloud, Backblaze) for maximum security. They’re ideal for large sites or users who want full control.

Option 1: Use a Plugin with Cloud Integration#

Plugins like UpdraftPlus or BackupBuddy let you send backups directly to cloud storage (Dropbox, Google Drive, Amazon S3).

Option 2: Scripted Backups with WP-CLI#

For developers, use WP-CLI (WordPress Command Line Interface) to automate backups and push them to the cloud.

Example WP-CLI Backup Script:

#!/bin/bash
# Backup database
wp db export /tmp/backup_$(date +%Y%m%d).sql --path=/path/to/wordpress
 
# Backup wp-content, wp-config.php, .htaccess
zip -r /tmp/files_$(date +%Y%m%d).zip /path/to/wordpress/wp-content /path/to/wordpress/wp-config.php /path/to/wordpress/.htaccess
 
# Upload to Amazon S3 (requires AWS CLI)
aws s3 cp /tmp/backup_$(date +%Y%m%d).sql s3://your-bucket/backups/
aws s3 cp /tmp/files_$(date +%Y%m%d).zip s3://your-bucket/backups/
 
# Cleanup temporary files
rm /tmp/backup_$(date +%Y%m%d).sql /tmp/files_$(date +%Y%m%d).zip

Schedule this script to run daily via cron (Linux) or Task Scheduler (Windows).

Best Practices for Bulletproof WordPress Backups#

Follow these rules to ensure your backups are reliable when disaster strikes.

5.1 Backup Frequency: How Often Should You Backup?#

High-traffic sites/e-commerce: Daily backups (or even hourly for critical transactions).
Blogs with regular updates: Weekly backups (plus before major updates).
Static sites (rarely updated): Monthly backups (plus before any changes).

Pro tip: Use “event-based” backups: Always backup before updating WordPress, themes, or plugins (in case the update breaks your site).

5.2 Storage: Offsite, Multiple Locations, and Security#

Offsite storage: Never store backups only on your web server. If the server crashes or is hacked, your backups will be lost too. Use cloud storage (Dropbox, Google Drive), external hard drives, or dedicated backup services (e.g., Backblaze).
Multiple locations: Follow the 3-2-1 rule: 3 copies of your data, 2 different storage media, 1 offsite. For example: local computer + Dropbox + AWS S3.
Security: Encrypt backups with a strong password (most plugins offer encryption). Use secure storage with 2FA (e.g., Google Drive with 2FA enabled).

5.3 Test Your Backups (Or They’re Useless)#

A backup is only useful if it works. Test restores regularly (e.g., quarterly) to ensure your backups are intact.

How to test:

Set up a staging site (use a plugin like WP Staging or a local environment like XAMPP).
Restore your backup to the staging site.
Verify:
- All posts, pages, and media load correctly.
- Themes and plugins work as expected.
- User accounts and comments are intact.

If something breaks, investigate why (e.g., corrupted backup, missing files) and fix your backup process.

5.4 Automate Everything#

Manual backups are easy to forget. Use plugins, hosting tools, or scripts to automate:

Scheduled backups (daily/weekly).
Offsite storage (auto-upload to Dropbox/Google Drive).
Backup retention (auto-delete old backups to save space).

Troubleshooting Common Backup Issues#

Backup fails: Check for server limits (PHP memory, execution time) or plugin conflicts. Increase PHP memory via wp-config.php (define('WP_MEMORY_LIMIT', '256M');).
Large backup files: Exclude cache, logs, or unmodified core files. Use incremental backups (only backup changed files) with premium plugins like UpdraftPlus Premium.
Restore errors: Ensure file permissions are correct (755 for directories, 644 for files). If the database won’t import, split large .sql files using tools like BigDump.

Conclusion: Don’t Wait for Disaster#

WordPress backups are your safety net against hacks, crashes, and human error. By focusing on critical files (database, wp-content, wp-config.php, .htaccess), using automated tools, and following best practices (offsite storage, testing, automation), you can ensure your site is always recoverable.

Don’t wait until it’s too late—set up your backup system today.