Skip to content

WordPress Backups: Why Your Host’s Backup Isn’t Enough

Your WordPress host's backups are not a backup strategy. This guide covers the 3-2-1 rule, restore testing, and UK data compliance — everything a UK small business needs to build a proper WordPress backup setup.

Your host's backups are not your backup strategy — here's what a proper WordPress backup setup looks like in 2026.


Ollie Tigwell
Ollie Tigwell

7 min read


Fibre optic cables
Photo by Albert Stoynov on Unsplash

Most WordPress site owners sleep soundly knowing their host runs daily backups. Here’s the uncomfortable truth: your host’s backups are not your backup strategy. WP Engine’s own terms of service require customers to “maintain a complete and accurate copy of Customer Content in an offline location independent of the Services.” The company storing your backups is telling you not to rely on them as your only safety net.

This guide explains what a proper WordPress backup setup looks like for a UK small business in 2026. It sits within a broader picture of WordPress maintenance: what it is and what it should cover in 2026 — and backups are the component most often misunderstood.

Why your host’s backups aren’t enough

Managed WordPress hosts do back up your site. The problem is scope, retention, and liability.

WP Engine’s terms of service explicitly disclaim backup liability and require customers to keep an independent offline copy. They’re not being unreasonable — they’re being honest about the limits of what their infrastructure guarantees.

Kinsta’s base plan retains backups for 14 days, extending to 30 days on higher tiers. Hourly and six-hour backup intervals are paid add-ons. Pressable offers hourly database backups with 30-day retention, which is more generous — but still finite.

Now consider the compromise scenario. Sucuri’s 2023 research found a malicious admin user in 55.2% of infected WordPress databases, and a backdoor in 49.21%. These aren’t the kind of infections that announce themselves. If a backdoor sits quietly for three weeks and your host retains backups for 14 days, every available snapshot is already compromised.

Host backups also tend to be all-or-nothing. Need to restore a single database table or recover one page? Most host backup tools restore the entire site or nothing at all. That’s rarely what you need when something goes wrong.

The takeaway isn’t that host backups are useless — they’re a solid first layer. The problem is treating a single layer as a strategy.

The 3-2-1 rule for WordPress backups

The 3-2-1 rule is the industry standard for backup resilience: three copies of your data, on two different media types, with one copy stored offsite.

WordPress’s own developer documentation on backups recommends automated coverage of both files and database — the two components that together make up your entire site.

Here’s what 3-2-1 looks like in practice for a WordPress site:

  1. Copy one: your host’s daily snapshot. This is already running — it’s the backup you have today.
  2. Copy two: a backup plugin or service sending automated snapshots to an independent cloud provider — AWS S3, Google Cloud Storage, or similar.
  3. Copy three: a periodic downloaded archive held on a local drive or separate storage account, kept offline.

The word independent does the heavy lifting here. If your host, your backups, and your staging environment all live on the same provider, a single point of failure — an outage, a billing dispute, a security incident in the backup infrastructure — takes everything down at once. Separating your backup destination from your hosting provider eliminates that shared failure mode.

This doesn’t need to be expensive or complex. A decent backup plugin with cloud storage integration costs less than a monthly coffee subscription — and the return is the difference between a recovery measured in minutes and one measured in days.

How often should you back up?

Backup frequency should match two things: how often your site changes, and how much data you can afford to lose.

Three practical tiers based on the industry-consensus maintenance cadence:

  • Brochure site (content changes monthly): Daily full backups are sufficient. If the worst happens, you lose at most a day’s work — and for a static site, that’s likely nothing.
  • Active blog or content site (regular publishing, comments, form submissions): Daily full backups plus more frequent database snapshots. The database holds your posts, comments, and form entries — everything a file-system backup misses between runs.
  • E-commerce site (orders, customer data, stock updates): Hourly database backups at minimum. Pressable’s hourly DB backup capability sets the practical benchmark here. If your host doesn’t offer that frequency, a backup plugin can fill the gap.

The principle is straightforward: measure the gap between backups and decide whether you’re comfortable losing everything created in that window. For most UK small businesses running an active WordPress site, daily files plus six-hourly database snapshots strike a sensible balance.

Restore-testing — the step everyone skips

A backup you’ve never restored is a wish, not a strategy.

Quarterly restore testing takes roughly an hour. Spin up a staging environment, pull in a recent backup, verify the site loads and critical functions work — forms submit, payments process, logins authenticate. Document the date and outcome. That’s it.

Why bother? Because the alternative is discovering your backups are corrupted, incomplete, or incompatible at the worst possible moment — when your live site is already down.

The stakes are higher than a simple outage. Sucuri detected the Balada Injector on 100,470 WordPress sites in the first half of 2024 alone. Combined with the finding that malicious admin accounts appear in over half of infected databases, the pattern is clear: compromises often sit undetected well beyond default backup retention windows.

You need the ability to roll back further than your host’s standard retention — and you need confidence that the backup you’re rolling back to actually works. Restore testing gives you both.

A restore log also serves a compliance purpose. Under UK GDPR Article 32, the ICO and NCSC expect organisations to demonstrate “appropriate technical and organisational measures” for data security. A documented, tested backup process is one of the clearest ways to evidence that.

UK data rules and offsite storage

UK GDPR does not require your backups to sit in the UK. It requires a lawful transfer mechanism for any personal data leaving the country.

For backups stored in the US, the UK–US Data Bridge (SI 2023/1028, in force since 12 October 2023) covers transfers to US recipients certified under the Data Privacy Framework with the UK Extension engaged. If your cloud storage provider is on that list, you have a lawful basis — document it and move on.

Three practical steps for UK SMEs:

  1. Document the storage region. Know where your backup provider physically stores data. Most let you choose a region during setup.
  2. Record backup storage in your ROPA. Your Record of Processing Activities should list backup storage as a processing operation, including the provider, region, and transfer mechanism.
  3. Prefer a UK or EU region where practical. It sidesteps the international transfer question entirely and simplifies your compliance paperwork.

The ICO and NCSC’s joint Article 32 security outcomes guidance frames “appropriate” security as including active vulnerability management and tested backup procedures. Offsite backups aren’t just a technical best practice — they’re part of demonstrating compliance with your data protection obligations.

A sensible WordPress backup setup for UK SMEs

Here’s the practical checklist:

  1. Host backup running daily — your baseline. Confirm it’s active and check the retention period.
  2. Independent offsite backup via a plugin or service, sending automated snapshots to a separate cloud provider at a cadence matching your site’s rate of change.
  3. Quarterly restore test on staging, logged with the date, outcome, and any issues found.
  4. Documented transfer mechanism for any backup stored outside the UK, recorded in your ROPA.

Four steps. None requires a developer. All reduce your exposure from “hoping the host has it covered” to a documented, tested, compliant backup strategy.

If you’d rather not manage this yourself, our WordPress Hosting and Maintenance service includes offsite backups, quarterly restore testing, and compliance documentation as standard. Book a free 30-minute WordPress health check — we’ll audit your current backup setup and show you the gaps.

Get in touch

Ready to grow your business online?

Skip the forms. Have a real conversation with someone who can actually help.

Available now
01202 098850

Mon–Fri, 9am–5pm

— or —

24-hour response guarantee

We'll get back to you within one business day, every time.

No hard sell, ever

Just an honest conversation about whether we're the right fit.

Talk to the people who'll do the work

No account managers or middlemen. Meet your actual team.