Security scanning finds the problem. Backups fix it. Without reliable recovery points, even the best malware detection is incomplete — because cleaning a heavily infected site can sometimes take longer than simply restoring a clean snapshot.
Why backups matter for security
Backups aren't just for hardware failures. In a security context, they serve three critical functions:
- Rapid recovery — Restore a clean version of your site while you investigate the breach
- Forensic baseline — Compare current files against a known-clean backup to identify exactly what was changed. This pairs well with file integrity monitoring for pinpointing compromised files
- Insurance — If a cleaning attempt goes wrong (accidentally deleting a critical file), you can roll back
Setting up recovery points in WO Security Shield
From the SaaS Dashboard
- Log in to your WO Security Shield dashboard
- Navigate to the site you want to configure
- Click "Backup" in the overview section (or go to the Backups tab)
- Click "Create recovery point"
The command is queued and your WordPress plugin will create the backup on the next sync cycle (typically within 5 minutes).
What gets backed up
A WO Security Shield recovery point includes:
- All WordPress files — core, plugins, themes, uploads
- Database — all tables including posts, users, options, and custom tables
- Configuration — wp-config.php and .htaccess
What doesn't get backed up
- Server configuration outside WordPress (nginx/Apache configs)
- Files outside the WordPress root directory
- Email accounts and DNS settings
Best practices
How often to back up
| Site type | Recommended frequency |
|---|---|
| Blog (updated weekly) | Weekly |
| WooCommerce store | Daily |
| Membership site | Daily |
| Brochure site (rarely changes) | After each content update |
Backup before risky operations
Always create a manual recovery point before:
- Updating WordPress core
- Updating or installing plugins
- Making theme changes
- Running a malware cleanup (see our incident response guide)
In the WO Security Shield dashboard, click "Create recovery point" and wait for it to complete before proceeding.
Test your restores
A backup you've never tested is a backup you can't trust. At least once a quarter:
- Create a staging environment
- Restore your latest backup to it
- Verify the site works correctly
Restoring from a recovery point
If your site is compromised:
- Go to the Backups tab in your dashboard
- Find the recovery point from before the infection
- Click "Restore"
- The plugin will restore all files and database to that point
Important: After restoring, immediately run a security scan to verify the backup itself was clean. If the infection predates your oldest backup, you'll need to clean manually.
Backup storage and retention
Recovery points are stored securely on your WordPress server. The number of retained backups depends on your plan:
| Plan | Retention |
|---|---|
| Starter | 3 recovery points |
| Agency | 10 recovery points |
| Enterprise | 30 recovery points |
Older backups are automatically rotated when the limit is reached.
Backups are your safety net. Every other security measure is about preventing and detecting attacks — backups are about surviving them. Configure yours today at wosecurity.com.
Setting Up Your First Backup
After installing WO Security Shield, here's how to configure automated backups:
Step 1: Navigate to Backup Settings
In your WordPress admin, go to WO Security Shield → Backups → Settings.
Step 2: Choose What to Back Up
| Option | What's included | Recommended for |
|---|---|---|
| Full backup | Files + Database | Weekly schedule |
| Database only | All WordPress tables | Daily schedule |
| Files only | wp-content, wp-config, .htaccess | After major plugin/theme changes |
Best practice: Run a daily database backup and a weekly full backup. Database backups are small and fast; full backups are larger but capture everything.
Step 3: Set Your Schedule
Recommended backup schedule:
├── Daily at 3:00 AM (server time)
│ └── Database only — completes in 30-60 seconds
├── Weekly on Sunday at 2:00 AM
│ └── Full backup — completes in 2-10 minutes
└── Before any major update
└── Manual full backup — triggered from dashboard
Choose a time when your site has the least traffic. Backups temporarily increase server load, so running them during peak hours can slow your site.
Step 4: Configure Retention
How many backups to keep depends on your plan:
| Plan | Daily retention | Weekly retention | Total stored |
|---|---|---|---|
| Starter | 3 days | 1 week | ~4 backups |
| Agency | 7 days | 4 weeks | ~11 backups |
| Enterprise | 14 days | 12 weeks | ~26 backups |
More retention means you can restore from further back — critical if an infection went undetected for days.
Restoring from a Backup
When you need to restore (and eventually you will), follow this process:
Quick Restore (from Dashboard)
- Go to WO Security Shield → Backups → Recovery Points
- Find the backup dated before the incident
- Click Preview to verify the backup contents
- Click Restore and choose what to restore:
- Database only (fastest, fixes most content-level hacks)
- Files only (fixes file-level infections)
- Full restore (nuclear option — restores everything)
- The plugin creates a backup of your current state before restoring (so you can undo the restore)
Manual Restore via Command Line
If you can't access your WordPress admin (common during serious compromises):
# 1. Find your backup files
ls -la /var/www/html/wp-content/uploads/wss-backups/
# 2. Extract the file backup
tar -xzf wss-backup-2026-04-10-files.tar.gz -C /var/www/html/
# 3. Import the database backup
mysql -u wp_user -p wordpress_db < wss-backup-2026-04-10-db.sql
# 4. Fix permissions after restore
chown -R www-data:www-data /var/www/html/
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;
Post-Restore Checklist
After any restore, always:
- Verify the site loads correctly
- Run a full malware scan
- Check that the vulnerability that caused the incident is patched
- Change all passwords (the backup may contain compromised credentials)
- Clear all caches (page cache, CDN, OPcache)
- Test critical functionality (forms, checkout, login)