We’ve all heard it a million times before – backups are important. Still, the reality is that even today, a website backup strategy remains one of the most overlooked and under-utilized precautions we can take to protect our vital data.
Why Are Backups So Important?
Put simply, a good set of backups can save your website when absolutely everything else has gone wrong. If a malicious attacker decides they want to wipe all your site files, or if your web server has a catastrophic hard drive failure, all the damage can be easily undone by restoring from your backups. The idea is simple. To make sure your data is safe, you make a copy of it. If something happens to the original, you can always use the backup copy.
Simple, right? Unfortunately, it isn’t that simple at all: a number of factors determine whether your backups will be useful, practical and secure.
Worse than having no backup?
Working with client sites, I very frequently see backups of their website being stored in the public web directory (public_html, httpdocs). In my opinion, these backups are actually worse than having no backups at all.
One of the things we stress here at Sucuri is the need to keep all the software on your website up to date and fully patched (even if you are behind a website application firewall with virtual patching, like CloudProxy). Backups stored on the web server are a massive potential security risk because they often contain old unpatched software with vulnerabilities, and due to their publicly-accessible location, anyone can exploit them!
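A way to check a web root for the leftover backups described above, as an added example that is not part of the original article. The name patterns and the sample tree are assumptions made for illustration; adjust them to your site.

```sh
#!/bin/sh
# Added example: flag backup-like files and folders inside a public web root.
# The name patterns are a heuristic (an assumption); tune them for your site.

find_exposed_backups() {
    # $1 = web root, e.g. public_html or httpdocs
    find "$1" \( \
        \( -type f \( -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' \
            -o -iname '*.tgz' -o -iname '*.tar.bz2' -o -iname '*.7z' \
            -o -iname '*.sql' -o -iname '*.sql.gz' -o -iname '*.bak' \) \) \
        -o \
        \( -type d \( -iname '*backup*' -o -iname '*.old' -o -iname '*_old' \) -prune \) \
    \) -print | sort
}

audit_docroot() {
    # Prints findings; returns 1 if anything was found so cron or CI can alert.
    hits=$(find_exposed_backups "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

make_demo_docroot() {
    # Constructed sample tree: a live site plus a dump, an archive and an old copy.
    d=$(mktemp -d)
    mkdir -p "$d/public_html/wp-content" "$d/public_html/site_old/wp-admin"
    echo '<?php // live' > "$d/public_html/index.php"
    echo 'body{}' > "$d/public_html/wp-content/style.css"
    echo 'dump' > "$d/public_html/db-2015.sql"
    echo 'zip' > "$d/public_html/Backup-Jan.ZIP"
    echo '<?php // old copy' > "$d/public_html/site_old/wp-admin/index.php"
    printf '%s\n' "$d/public_html"
}

demo=$(make_demo_docroot)
if audit_docroot "$demo"; then
    echo "no backups found in web root"
else
    echo "move the items above out of the web root"
fi
rm -rf "${demo%/public_html}"
```

Old site copies are reported as a single directory and not descended into, since the whole folder is what needs to move.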
Smart Website Backups
If some backups are worse than having no backups at all, what is the correct backup strategy? If you want to be sure your backups have been made successfully and keep them safe from hackers or hardware failure, there are four key requirements:
1 – Location: Location, Location
Your backups should be stored off-site and not on the same server as your website. Storing backups on the web server is a very bad idea because it is all too easy for the backup files to be destroyed or infected with malware. If a malicious attacker has access to your web space, they can easily infect or delete the backup copies as well as the live site. Off-site backups not only help protect your data from attackers, they also help protect against hardware failure. If your web server hard drive fails, you can easily lose all your data: the live site and the backups.
When it comes to easy off-site backups there are a large number of options. Of course there is the Sucuri backup service which existing customers can take advantage of, but there is also a plethora of WordPress and Joomla backup plugins that work in conjunction with the big cloud providers such as Dropbox and Amazon.
2 – Automatic: For the People
Another very important feature of any backup system is that it should be completely automated. If you can’t automate the backups then you can’t guarantee the backups will get made. It’s all too easy for people to forget or get lazy when it comes to making backups, especially when your site is fine and running well. If you must, make sure you schedule a time to do it regularly.
Even so – you can’t guarantee that something will never go wrong, and while Sucuri specializes in cleaning malware from website files and databases, sometimes malware can be destructive, either writing over required custom files or just deleting them entirely. In situations like this, it may not be possible to restore the files unless an up-to-date backup is available.
3 – Redundancy: Seeing Double
Schofield’s Second Law of Computing states that data doesn’t exist unless there are at least two copies of it. This means that your backup strategy has to include redundancy, or in other words, backups of your backups. I know that might sound like a hassle, or over the top, but if you aren’t 100% sure the data will be there when you need it, what’s the point of making backups in the first place?
Our customers can use the Sucuri website backup service, which is built with redundancy in mind – using RAID 1 with backups duplicated in multiple locations.
4 – Testing: Is This Thing On?
The final task in establishing a secure and reliable backup process is to test to make sure that the backup and restore actually works. Start with an empty web directory and then make sure you can use those backups to get all your data back and the website back online (with a test domain of course) using nothing but the files from the backup. You would be surprised how many times people don’t test their backups… only to discover in a time of need that their backups don’t actually work and are worthless.
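The restore test described above can be scripted so it runs after every backup. This is an added example, not code from the original article; it assumes `tar` and GNU `sha256sum`, and the function names, file names and sample site are made up for illustration.

```sh
#!/bin/sh
# Added example: back up a site directory with a checksum manifest, then prove
# the archive can rebuild the site in an empty directory.

make_backup() {
    # $1 = site dir, $2 = archive to write, $3 = manifest to write
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$3" || return 1
    tar -czf "$2" -C "$1" .
}

verify_restore() {
    # $1 = archive, $2 = manifest. Extracts into a fresh empty directory and
    # checks every manifest entry. Non-zero means the archive is unreadable,
    # a file is missing, or a file's content differs.
    target=$(mktemp -d) || return 1
    status=0
    tar -xzf "$1" -C "$target" 2>/dev/null || status=1
    if [ "$status" -eq 0 ]; then
        ( cd "$target" && sha256sum -c - ) < "$2" >/dev/null 2>&1 || status=1
    fi
    rm -rf "$target"
    return "$status"
}

# Constructed sample site, with a separate directory standing in for off-site storage.
work=$(mktemp -d)
mkdir -p "$work/site/wp-content" "$work/offsite"
echo '<?php echo "home";' > "$work/site/index.php"
echo 'body{margin:0}' > "$work/site/wp-content/style.css"

make_backup "$work/site" "$work/offsite/site.tar.gz" "$work/offsite/site.sha256"
if verify_restore "$work/offsite/site.tar.gz" "$work/offsite/site.sha256"; then
    echo "restore test passed"
else
    echo "restore test FAILED: this backup cannot rebuild the site"
fi
rm -rf "$work"
```

This only proves the files come back intact; bringing the restored copy up on a test domain, as the article recommends, is still a separate step.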
So there you have it. While there are a few key issues to consider when making your backup plan, the correct way of doing things is already well known and you don’t have to learn the hard way. As long as the backup plan is automatic, off-site, provides redundancy and has been tested, you can rest easy and forget about them… until you need them.