If you run a business WordPress site and still don’t have a documented WordPress backup policy, you have a double problem: operational (a single failure can leave you without a site for days) and legal (the CCPA, the GDPR, and parallel laws across LatAm require you to protect the personal data you collect). This guide ties both sides together: how to build a serious backup plan and leave it audit-ready. No alarmism, with real USD pricing and the judgment to know when the free plugin no longer cuts it.

Backups are not a nice-to-have for the IT team: they’re a concrete expression of the security of processing duty that modern privacy law imposes on data controllers. If you handle contact forms, customer records, patient data, or leads in your WordPress, you’re legally responsible for that data. And the question a regulator will ask in an audit isn’t “do you have backups?” — it’s “how do you prove it?”.

CCPA, GDPR, and the duty of security

The California Consumer Privacy Act, as amended by the CPRA, requires businesses to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information (§1798.100(e) and §1798.150). The GDPR sets the same duty in Article 32: “appropriate technical and organisational measures” against accidental loss, destruction, or damage. That loss does not have to be malicious: hardware failure, ransomware, and human error all count. Without backups, you have no way to reverse it.

How a regulator audits compliance

Neither the CPPA nor an EU Data Protection Authority audits the technical quality of the backup in a strict engineering sense: they audit whether you implemented reasonable measures and whether you can prove it. A signed backup policy, execution logs, and periodic restore tests change the outcome of an inquiry. Under CCPA §1798.150, consumers also have a private right of action against a business when unencrypted personal information is exfiltrated — meaning the absence of reasonable security can trigger class actions, not only regulatory fines.

Fines and reputational cost of failing to protect personal data

CCPA penalties run up to USD 2,500 per unintentional violation and USD 7,500 per intentional violation, calculated per consumer per record — which scales fast in a breach involving thousands of records. GDPR fines reach the greater of EUR 20 million or 4% of global annual turnover. Beyond the dollar amount, reputational cost is usually worse: a public enforcement action gets indexed by Google, shows up when a prospect searches your brand, and opens the door to civil claims. A backup plan doesn’t eliminate the risk of an incident; it eliminates the aggravating finding that “the controller took no measures”.

The 3-2-1 backup rule (and why it matters for businesses)

The 3-2-1 rule has been the industry baseline for two decades. If your plan doesn’t meet it, it’s not a plan: it’s a wish. The good news is that applying it to WordPress is affordable even for an SMB, and it leaves a documentable paper trail that translates directly into evidence for any regulator.

3 copies, 2 different media, 1 off-site

Three copies: the live production version plus two complete, independent backups. Two different media: those copies don’t share infrastructure — a backup at the same hosting provider counts as a single medium even if it lives on different disks. One off-site copy lives outside the primary provider’s facilities, typically on S3, Backblaze B2, business Google Drive, or Wasabi. If the hosting datacenter goes down or suffers a coordinated attack, that off-site copy is what saves the business.

A backup on the same server isn’t a backup

The most common mistake: the client thinks they have “backups” because cPanel or Plesk drops a weekly .tar.gz on the same disk as WordPress. That’s a local copy. Any event that hits the server — ransomware, root compromise, RAID failure, suspension for non-payment — takes the site and the “backup” out in the same move. No regulator accepts that setup as a reasonable security measure either.

RPO and RTO: how much loss can your business tolerate

RPO (Recovery Point Objective) is how many hours of data you can afford to lose. RTO (Recovery Time Objective) is how long you can afford to be down. A static brochure site can tolerate an RPO of 7 days and an RTO of 24 hours. An e-commerce site with 50 orders a day needs an RPO of 1–6 hours and an RTO of 2–4 hours. Documenting your RPO and RTO isn’t bureaucracy: it defines backup frequency and the budget that’s actually justified.
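As an added example (not code from the article), the following Python check applies the 3-2-1 rule and an RPO to a backup inventory. The inventory shape, the provider labels and the timestamps are constructed for illustration; the point it makes is the one above: a cPanel tarball on the same server is one medium, not off-site, and on its own never satisfies the rule.

```python
"""Check a WordPress backup inventory against the 3-2-1 rule and an RPO.

Added example, not from the original article. The inventory format,
provider names and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    label: str
    provider: str        # who physically holds the bytes (hosting, S3, B2 ...)
    medium: str          # infrastructure the copy depends on; same host = same medium
    off_site: bool       # True only if outside the primary hosting provider's facilities
    taken_at: datetime   # completion time of the copy, UTC


def check_321(copies, rpo_hours, now):
    """Return pass/fail findings for the 3-2-1 rule and the RPO.

    The live production site is the first of the three copies, so `copies`
    must contain only backups, never production itself.
    """
    newest = max((c.taken_at for c in copies), default=None)
    findings = {
        "three_copies": len(copies) + 1 >= 3,                    # production + 2 backups
        "two_media": len({c.medium for c in copies}) >= 2,        # no shared infrastructure
        "one_off_site": any(c.off_site for c in copies),
        "rpo_met": newest is not None
                   and (now - newest) <= timedelta(hours=rpo_hours),
    }
    findings["compliant"] = all(findings.values())
    return findings


# Constructed "current time" so the example is deterministic.
NOW = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)

# Constructed inventory 1: the common mistake, a weekly cPanel tarball on the same disk.
CPANEL_ONLY = [
    BackupCopy("cpanel-weekly", "hosting", "hosting-server", False, NOW - timedelta(days=3)),
]

# Constructed inventory 2: the same tarball plus a daily plugin backup to S3.
WITH_OFFSITE = CPANEL_ONLY + [
    BackupCopy("plugin-daily-s3", "aws-s3", "s3-eu-west-1", True, NOW - timedelta(hours=5)),
]

if __name__ == "__main__":
    for name, inv in (("cPanel only", CPANEL_ONLY), ("cPanel + S3", WITH_OFFSITE)):
        print(name, check_321(inv, rpo_hours=24, now=NOW))
```

Run it with a 24-hour RPO and the cPanel-only inventory fails every check; adding one off-site daily copy passes all of them. Tighten the RPO to 4 hours and the same inventory fails only `rpo_met`, which is exactly the signal that tells you the backup frequency, not the destination, needs to change.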

Manual vs. automatic WordPress backup: honest criteria

Not every site needs a daily automatic backup. But every site that collects personal data needs a predictable, documented process. The gap between manual and automatic isn’t only about convenience — it’s about compliance.

When a monthly manual backup is enough

If your WordPress is a five-page institutional landing, no forms, no e-commerce, no login, and you only update it when you change the home page copy, a manual backup before each change can be reasonable. The conditions: documented process, off-site copy, and a restore test every quarter. If any of those fail, switch to automatic.

When you need a daily automatic backup

Any site with active forms, lead capture, e-commerce, customer area, or frequent publishing needs a daily automatic backup. The regulatory reason is direct: every form submission between backups is personal data you’re responsible for. If you lose it before processing, you’ve lost evidence of processing you were obligated to safeguard.

Incremental vs. full backup

Full: copies everything every time, simple, restores fast, eats disk space. Incremental: copies only what changed, saves 70–90% of space, but restoring requires rebuilding the chain. Practical rule: under 2 GB, daily full; between 2 and 20 GB, daily incremental with a weekly full; over 20 GB, incremental every few hours with monthly integrity verification.

The 5 most-used tools in 2026 (with real USD pricing)

The five tools that cover 90% of the WordPress market in 2026, with official pricing pulled from each product’s pages. Plans evolve, so verify before you buy; the ranges are for comparison.

For each tool: USD price, storage destination, restore method, and best fit.

UpdraftPlus
  USD price: Free; Premium from USD 70/year (1 site)
  Storage: your own S3, Drive, Dropbox, Backblaze
  Restore: manual from the plugin panel
  Best for: SMBs with technical judgment that already have S3 or business Drive

BackWPup
  USD price: Free; Pro from USD 69/year (1 site)
  Storage: your own S3, Azure, Rackspace, FTP
  Restore: manual; improved restore on Pro
  Best for: sites where the team controls the storage infrastructure

Jetpack VaultPress Backup
  USD price: from USD 4.95/month (annual plan)
  Storage: Jetpack’s own cloud (Automattic)
  Restore: one-click; real-time on higher tiers
  Best for: e-commerce and critical sites that value simplicity and support

BlogVault
  USD price: from USD 7.40/month (annual plan)
  Storage: independent cloud, decoupled from hosting
  Restore: one-click; staging included
  Best for: agencies and businesses that want backup off the server

ManageWP
  USD price: from USD 2/month per site (backup add-on)
  Storage: ManageWP cloud (GoDaddy)
  Restore: one-click from the central dashboard
  Best for: agencies running 10+ installs

UpdraftPlus and BackWPup win on storage flexibility: you choose the destination, which helps the security-of-processing duty if you already have a certified cloud provider. Jetpack and BlogVault win on operations: one-click restore drops RTO sharply. ManageWP is the right call when you administer several WordPress sites at once.

Restore: a backup you never tested isn’t a backup

This is the section most people skip and the one that costs the most when an incident hits. A daily backup you’ve never tested is a fire extinguisher with no pressure check: on the day of the fire, you find out whether it works, and by then it’s too late.

How and how often to test the restore

Monthly for critical sites, quarterly for standard sites. The test is to restore the latest backup into staging (most decent hosts offer this for free), validate home, customer area, forms, and cart, and leave a signed log with date, owner, and result. That log is what a regulator asks for in an audit.
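The two things the restore test must produce are a check that the archive you are about to restore is intact and a log entry nobody can quietly edit later. As an added example (not from the article or any of the tools above), the Python below packs a constructed sample site into a tar.gz, verifies every member against a SHA-256 manifest, and appends the test result to a log whose entries are HMAC-chained, so deleting or altering an old entry breaks verification. The file contents, the log layout and the key handling are assumptions; in practice the archive comes from your backup tool and the key lives outside the log.

```python
"""Verify a backup archive against its SHA-256 manifest and record the restore
test in a tamper-evident log.

Added example, not from the article. File contents, log format and key
handling are constructed for illustration.
"""
import hashlib
import hmac
import io
import json
import tarfile
from datetime import datetime, timezone

# Constructed sample "site": a few files as a backup tool would pack them.
SAMPLE_FILES = {
    "wp-config.php": b"<?php define('DB_NAME', 'wp_prod'); // constructed\n",
    "wp-content/uploads/2026/03/brochure.pdf": b"%PDF-1.4 constructed\n",
    "db.sql": b"INSERT INTO wp_options VALUES (1, 'siteurl', 'https://example.invalid');\n",
}
KEY = b"constructed-log-signing-key"   # real deployments keep this out of the log's storage
TEST_TIME = datetime(2026, 3, 2, 10, 0, tzinfo=timezone.utc)   # constructed timestamp


def build_archive(files):
    """Return (archive_bytes, manifest) where manifest maps path -> sha256 hex."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def verify_archive(archive_bytes, manifest):
    """Re-read the archive and compare every member against the manifest.
    Returns a list of problems; an empty list means the archive is intact."""
    problems, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            seen.add(member.name)
            expected = manifest.get(member.name)
            if expected is None:
                problems.append(f"unexpected member {member.name}")
            elif hashlib.sha256(data).hexdigest() != expected:
                problems.append(f"checksum mismatch {member.name}")
    problems.extend(f"missing member {p}" for p in manifest if p not in seen)
    return problems


def _mac(key, entry_without_mac):
    body = json.dumps(entry_without_mac, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def log_restore_test(log, key, owner, site, problems, when):
    """Append one restore-test entry (date, owner, result). Each MAC covers the
    previous entry's MAC, so editing or deleting an earlier line breaks the chain."""
    entry = {
        "date": when.isoformat(),
        "owner": owner,                       # a role, not a person
        "site": site,
        "result": "PASS" if not problems else "FAIL",
        "detail": problems,
        "prev": log[-1]["mac"] if log else "genesis",
    }
    entry["mac"] = _mac(key, entry)
    log.append(entry)
    return entry


def verify_log(log, key):
    """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
    prev = "genesis"
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev or not hmac.compare_digest(_mac(key, body), entry["mac"]):
            return i
        prev = entry["mac"]
    return -1


if __name__ == "__main__":
    archive, manifest = build_archive(SAMPLE_FILES)
    log = []
    log_restore_test(log, KEY, "IT lead (role)", "example.invalid",
                     verify_archive(archive, manifest), TEST_TIME)
    print(json.dumps(log, indent=2), "chain ok:", verify_log(log, KEY) == -1)
```

The manifest check catches the two failures that matter on restore day: a member whose bytes changed in transit or storage, and a member that silently never made it into the archive. The chained log is what you hand over when asked "how do you prove it": the owner and date are plain text, and the MAC chain shows the record was not rewritten after the fact.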

Partial vs. full restore

Full when the entire site is compromised (mass hack, database corruption, datacenter outage). Partial when an editor accidentally deleted 30 products, an update broke a plugin, or an attacker modified a single theme file. One-click tools handle the full case; partial requires granular access (BlogVault, Jetpack, and UpdraftPlus Premium handle this well).

Incident response and data protection

When the incident affects personal data, restoring isn’t enough: GDPR Article 33 requires notifying the supervisory authority within 72 hours, the CCPA mandates breach notification to affected California residents under Cal. Civ. Code §1798.82, and most US states have parallel breach-notification laws. If the incident is an active hack, before you restore you need to contain — see what to do if your WordPress was hacked — because restoring on top of compromised infrastructure just leaves you with a fresh site that falls again in hours.

Data protection policy: what to document

The difference between having backups and being able to defend them in an audit is a two-page document. You don’t need a full ISO 27001 manual; you need a traceable minimum.

Frequency, retention, and location: the documentable minimum

Your policy should clearly answer: frequency (daily / weekly / event-driven), retention (rolling 30 days plus one monthly for 12 months is a reasonable baseline), where each copy lives (provider, region, encryption at rest), who has access to keys, and how they’re rotated. Three pages with that information are worth more than ten pages of legal theory.

Internal owner and evidence for regulators

The policy should name the internal owner (role, not person, so it survives turnover), the technical provider if backups are outsourced, and the evidence channel (logs, screenshots, run book). Backups are part of a wider plan — see the WordPress maintenance guide for businesses — because regulators evaluate the program as a whole, not isolated pieces. If you serve Colombian customers, Ley 1581 (Habeas Data) also applies and the SIC will look for the same artifacts.

Three 2026 investment tiers for your backup plan

Sorted by scale, with verified 2026 official USD pricing:

  1. DIY (USD 0–5/month). UpdraftPlus or BackWPup free, with destination on personal Google Drive or pay-as-you-go Backblaze B2. Works for small institutional sites without sensitive personal data. Requires team discipline: nobody automates the verification.
  2. Pro plan (USD 7–15/month). Jetpack VaultPress, BlogVault, or UpdraftPlus Premium with a dedicated S3 destination. One-click restore, professional support, accessible logs. This is the right range for SMBs with e-commerce, active forms, or real responsibility over personal data.
  3. Enterprise (USD 50+/month). Managed multisite plan, hourly incremental backup, cross-region replication, extended retention, documented monthly restore tests, and integrated incident response. It makes sense when the site moves six- or seven-figure revenue or when you have contractual obligations with large customers.

If your site collects personal data and you’re still on the DIY tier, your plan isn’t savings: it’s regulatory debt with compound interest. If you want to review your current policy or build the plan from scratch, talk to Overnatic about your backup and compliance plan and we’ll run the first audit together.