Discover the Best Ways to Backup Your Website: A Comprehensive Guide

The conclusion first: the "best way" to back up a website isn't a single tool; it's a setup that does six things at once: regular, multi-version, off-site, recoverable, sustainable, and secure. Miss any one of these and the whole thing falls apart. The article walks through all six using the analogy of a single important notebook.

Discover the Best Ways to Backup Your Website: A Comprehensive Guide
A reliable website backup isn't defined by how many tools you use; it's defined by whether six conditions are met at the same time. Miss one and "best" doesn't apply.

Who should read this?

If your business depends on a website, an app, or any other digital asset, this article is for you. It helps you judge whether your current backup approach is actually reliable. If your business runs entirely offline and isn't tied to a website or online orders, feel free to skip this one.

One-sentence conclusion: six conditions, all required

For a Vancouver SME website, the best backup setup is one that satisfies all six of the following at the same time:

  1. Regular: runs automatically on a schedule, not "when I remember"
  2. Multi-version: keeps several copies from different points in time, not just the latest
  3. Off-site: copies don't live in the same place as the original
  4. Recoverable: you can not only write the backup but also actually restore from it (and you've tested that recently)
  5. Sustainable: runs by itself, not on someone's willpower
  6. Secure: the place the copies sit only accepts incoming files; no one outside can read or delete what's already there

The rest of this article walks through these six using a single analogy.

Why is this more urgent in 2025-2026 than ever before? According to the Canadian Centre for Cyber Security's Ransomware Threat Outlook 2025-2027, the median ransom demand against Canadian SMEs in 2025 was CAD $46,000, but the total recovery cost (including downtime, forensics, legal, and customer notification) averaged CAD $190,000. An off-site backup costing a few dollars a month is the cheapest insurance against that number.

Picture your website as a notebook full of important information

Your website isn't a pile of loose files; it's a notebook full of business-critical information: customer list, order history, product details, configuration settings, written content, all kept inside one volume. Backing up the website is, in essence, periodically photocopying that notebook. The "best" backup setup is the answer to a single question: how, where, and under whose control should those copies be made, so that if the original is lost, tampered with, or burned, you still have a copy that restores the original faithfully?

1. Regular: not "when I remember"

Many businesses photocopy the notebook "when they remember" or "after the first disaster." If the last copy was made three months ago, every new order, customer, or piece of content added in the last three months is unrecorded. Regular means a fixed cadence (typically once a day) that runs automatically. In the worst case you've only lost a day.

2. Multi-version: one latest copy is not enough

This is the condition most often missed. Suppose the original notebook was tampered with two months ago (say, a malicious script got injected into your site, or a few customer rows in the database were quietly corrupted), and you only notice it today. If your only copy is "the latest one," it copied the already-tampered version. Restoring from it brings back the corruption. You may as well have no backup.

The fix: keep multiple copies at different time depths: for instance, 7 daily copies, 3 weekly, and 12 monthly, 22 in total. When something is wrong, you dig back until you find a copy that's still clean.

3. Off-site: copies can't sit beside the original

If you store the photocopied notebook in the drawer next to the original, a fire, a burst pipe or a break-in at the office would take both at once. But if copies are sent on a regular schedule to an office in another city for safekeeping, then even a fire at your office, a burglary, or a city-wide natural disaster cannot destroy the complete copy held elsewhere. For a website, this means the backup file can't live only on the server that runs the website itself; it has to be stored on a different provider's infrastructure.

4. Recoverable: you can write the backup, but can you actually use it?

Roughly 90% of businesses skip this. If a year later you discover the photocopied notebook's pages have stuck together and the ink has faded, the "backup" isn't a backup. A backup exists for the day something goes wrong; discovering it's broken that day is too late. Every month, actually open one of the copies and run a recovery drill. Confirm it's still readable and complete.

5. Sustainable: manual photocopying isn't a plan

If your plan is to log in every week, download the backup, organise the files, and upload them to a cloud drive, nobody can keep that up for six months. Every client who's tried tells us the same story: enthusiastic for the first few weeks, then it slips, then suddenly "I last did it six months ago." A sustainable backup is one a machine handles end-to-end, like an automatic photocopier that scans and archives the whole notebook on a fixed schedule, with no human in the room.

6. Restrict read/write access: depositing and retrieving need two different keys

This is the condition that decides whether a backup actually saves you in the worst case, and it matters more than it looks. Continuing the notebook analogy: suppose the copies in the other city's office are all opened with a single master key. That key makes filing new copies easy, but it makes mischief just as easy for anyone who gets hold of it. One stolen key, and a vandal walks into the archive and either reads or destroys every notebook there.

The better setup: the remote office only accepts copies dropped through a one-way chute. To take anything back out, you need a different key, held independently by the remote office's own administrator. Even if the keys to your own office are stolen, the backups stay safe: the thief can drop more material into the chute, but can't touch anything already filed.

In website terms, this depositing-only key is what the remote-storage industry calls a write-only account — it can only push files into the archive, never list or delete what's already there. Even when an attacker holds every key to your website server and encrypts the live files for ransom, they cannot touch the off-site archive.

Do the common backup approaches actually do all six?

Measured against the six conditions, each common approach has a specific weak spot:

  • Manual backup: fails condition 5 (sustainable). Nobody runs it long enough.
  • WordPress backup plugins (UpdraftPlus, BackWPup, etc.): handle regular + multi-version, but in the free tiers the remote destination is usually tied to the same login as the hosting account. An attacker who gets that one credential wipes both. Fails condition 6 (secure). Also consumes server resources every run.
  • Custom backup scripts: a developer can satisfy all six, but the setup bar is high (cron, rsync, encryption, key rotation, monitoring). Most SMEs can't sustain it internally.
  • Host-provided backups (cPanel JetBackup, Plesk, etc.): handle regular + multi-version (30-day retention is the industry norm), but the copies sit on the same server as the live site. Fails conditions 3 (off-site) and 6 (secure). Useful as the floor, but never as the only backup.

The takeaway: no single approach is sufficient. The "best way" is to combine host-provided backup (the floor) + an off-site write-only archive (the last line of defence), with the whole process automated and tested.

How 5U Website does this for managed clients

5U Website has built and restored backups for hundreds of Vancouver-area sites over the past 17 years. We recommend every Vancouver SME with a website treat the six conditions above as a floor; most SMEs don't need to learn plugins or write scripts themselves, but they do need to confirm someone is running this whole setup. The setup we run for our managed clients hits all six conditions:

  • 22 restore points spread across time depths: 7 daily + 3 weekly + 12 monthly, giving a year of recovery options.
  • Off-site write-only archive: the backup process on the client server holds write-only permission, with no ability to list or delete what's already in the archive.
  • Monthly recovery drill: we restore a backup into an isolated environment and confirm it's complete, so the insurance is actually claimable on the day you need it.

The deeper write-up, particularly from the angle of why "off-site + write-only" is the layer that survives a ransomware event, is in our companion article, When ransomware hits your website server, will your backup survive?. For the broader context of why website attacks are getting more frequent in the AI era, see AI and Cybersecurity: The Internet Is Getting More Dangerous.

Let us handle it

Backups aren't conceptually complex, but getting all six conditions right and keeping them right takes ongoing effort. 5U Website packages this into our website design, development and hosting service. Clients don't need to learn plugin trade-offs, configure cron jobs, or run their own restore drills. You focus on the business; we keep the website and the data safe. If something does go wrong, we typically restore from a clean restore point within 4-8 hours, with no ransom and no rebuild from zero.

Last updated:

Get a 5U® Website Consultation

Free Quote

778-883-9222

1-day reply, guaranteed
2-hour, free consultation

WeChat

WeChat Us

Get a 5U® Website Consultation

WeChat Us

778-883-9222

1-day reply, guaranteed
2-hour, free consultation