How to make backups to undo security breaches and malware

Malware or a security breach could happen any time – today, next week or next month. Recovering from a serious problem is always a lot easier if you have a backup of your website. Here’s how.

There are two types of backup and one requires WordPress to restore and the other does not. Some backup/restore tools require you to log into WordPress and use a plugin to restore everything from a backup and an example is UpdraftPlus. It is technically possible, but difficult.

This is fine providing you can actually log in, but what if you can’t? What if WordPress is so messed up you cannot access the admin interface? How would you restore the backup?

Backup and restore that works from within WordPress is easy and convenient, and it solves many problems by rolling back to a previously saved copy of the site.

However, there may be occasions where you cannot get into WordPress and so a backup that does not require it to be running is required. Both types of backup can be used and are recommended.

Manual website backups

It may be possible to make a backup of your WordPress site without using a plugin, but it is a lot easier with one. Let’s take a look at how you would manually create a backup. See the related article Best backup options for your WordPress website.

Some web hosts provide access to the web server through Cpanel, which is a utility that is used to configure web hosting services and access the files and folders on the server.

From within Cpanel there is usually access to the drive where your site’s files are stored using a file manager. This can be used to create a zip file of everything on the server and then it can be downloaded and saved to your computer.

If there is ever a problem, you can upload the zip and extract the contents to put everything back the way it was. It files are lost or corrupted, they could be extracted from the zip file on your computer and uploaded.

Cpanel provides access to your web hosting account and tools and features

This cpanel has both Site Backup Pro and File Manager.

If you are not sure how to access your site using cpanel or even if cpanel is available, ask your web host. There is usually a special URL and you need a username and password. I can’t tell you what these are and you must find out from your web host.

Opening File Manager shows all the files and folders on the web server and there are toolbar buttons to compress them into zip files, download them and upload them. Everything you need to make a copy of the files on your site.

Cpanel File Manager shows the files in your web hosting space and enables you to perform file related tasks

WordPress is more than just files on a disk and some content is stored in a database. To make a complete backup of a site, both the files and folders must be saved and the database too.

Cpanel, or whatever your web hosting company provides, may have features that enable you to do this and there might be a backup utility that enables the WordPress database to be zipped and downloaded.

Here is Site Backup Pro.

Site Backup Pro enables you to download backups of a website's files and databases

It enables files and databases to be downloaded as zip files, and it enables you to restore them too. It is up to you to download backups and save them to your computer. This can be done weekly or monthly, depending on how often you update your website.

Not every web host uses Site Backup Pro but your web host may have an equivalent backup utility, so login to your hosting account and see what features and functions are available. Backup tools may be free or may require a subscription.

You need a bit of technical knowledge to carry out a manual backup, but it is certainly possible if you have access to the hosting back end of your site and have cpanel or something similar.

UpdraftPlus backup

UpdraftPlus is a great backup plugin for WordPress and there is a guide to using it here, Don’t get caught without a backup of your WordPress website so I won’t cover it again.

One of the best features of this plugin is that once it is set up, it will create backups and store them online online in Dropbox or some other online storage. One click on the backup button is all it takes to save a copy of your site. Restoring it is equally straightforward.

Install Duplicator plugin

Let’s look at a different backup plugin and see how it can be used to back up your WordPress site. A backup enables you to undo hacks, malware, and other problems.

Duplicator is a backup plugin for WordPress that it works in a different way to Updraft Plus, so it can be useful to use both. UpdraftPlus requires a working website in order to access the plugin and restore from a backup. It is great for undoing minor problems, but serious problems cannot be fixed.

Restoring a Duplicator backup does not require WordPress or anything else. In fact, to restore the site it is recommended that everything is deleted on the server – no files are required and no website.

One reason for this is feature is because Duplicator is designed for moving websites from one web host to another or for cloning them, perhaps from a test server to a live site. However, in the event of a serious problem you can delete everything on your web server and put your site back as it was with Duplicator.

Duplicator backup plugin for WordPress

How to install Duplicator plugin in WordPress:

  1. Click Plugins in the WordPress sidebar
  2. Click the Add New button
  3. Enter ‘duplicator‘ into the search box
  4. Click Install Now next to Duplicator
  5. Click Activate to enable it
  6. Click Duplicator in the sidebar to use it

Create a new package

Duplicator WordPress backups are called packages. Create one to start a backup

When Duplicator is selected in the sidebar it displays the Packages page. These are backups and obviously there will be none the first time the plugin is used. You need to create some. Click the Create New button in the top right corner.

Duplicator package settings

Create a new package using the Duplicator WordPress backup plugin

The setup options appear and there are three sections, Storage, Archive and Installer. Expand each of these sections and take a look at them if you want, but the default settings are fine and most people do not need to change anything. Just click the Next button in the bottom right corner.

Check for Duplicator notices

Duplicator backup plugin for WordPress warning notice

Duplicator scans the site to see the size, the number of files and directories, and if there are any problems. If there are any notices highlighted in red, read them.

In the screenshot above it says that compressing large sites on budget hosts can cause timeout problems. This is because making a backup is quite an intensive process and the server has to work hard.

Build your backup

Duplicator WordPress backup plugin warning message

If you see a notice about budget sites, try continuing anyway, most probably it will work fine. Tick the box at the bottom to say you have read the notice and then click the Build button.

If you see a message stating that Duplicator has stopped responding or something similar, ignore it. It is probably still running in the background and will continue and finish the backup. Just let it run.

Save your backups

Download the website backup created by Duplicator plugin

There is a paid Pro version of Duplicator WordPress plugin and it enables backups to be saved to online storage like Dropbox, Google Drive, MicrosoftOneDrive and other places.

With the free version of the plugin the backups are saved to your web server. A backup consists of two files, a zip archive of your site and an installer. Click each button and save the file to your computer. Keep them safe.

View backup packages

View or delete Duplicator website backup packages

Select Duplicator > Packages in the sidebar and your new backup is listed. It can be left on the server, but after it has been downloaded and saved to disk I always delete it off the server because:

  1. Each backup uses storage space and several backups of a large site use a lot
  2. Other backup tools will probably back it up thinking it is part of WordPress
  3. Having a complete backup of everything online is a security risk

I worked out where the backup is stored and tried to access the folder in an incognito browser, you couldn’t. However, hackers are clever people and I would rather not add to the security problems of WordPress because there are enough already.

Restore a website backup

Restoring a backup is very easy provided you can access your web server using a file manager through cpanel or an ftp program. Some web hosts, such as the free wordpress.com allow neither and so Duplicator is not suitable for them. Usually the web host provides some sort of hosting account access.

Restore a Duplicator backup:

  1. Delete all the files on your web server
  2. Upload the installer and archive created by Duplicator
  3. In a web browser, go to www.yoursite.com/installer.php
  4. Follow the instructions to extract the archive
  5. Follow the instructions to install the database and then test it

It takes several minutes to install the backup, but once it has finished, delete the installer and archive you uploaded. Don’t leave them on the server.

There are lots of help files at the developer’s website, go to the Duplicator Pro Documentation.

WordPress security Course Contents

  1. How to change the WordPress admin user to something different
  2. Make your website more secure by using strong passwords
  3. How plugins damage the security of your WordPress website
  4. How to use and customise user roles in WordPress
  5. How to recover from website problems with a WordPress backup
  6. How to increase website security with a plugin for WordPress
  7. How to make your WordPress website secure and deal with threats

Get great web hosting: Basic $2.95/mo, Plus $4.95/mo, Choice Plus $4.95/mo. See Bluehost plans. Limited time offers. (Affiliate link):


About Roland Waddilove 397 Articles
Roland Waddilove is interested in technology: Computers, phones, gadgets, software and internet. Long ago he worked on computer magazines, but is now mostly a tech writer for the web.