Domain Search Form
£14.99
£33.98
£23.24
£41.99

Website Backups and Disaster Recovery: How to Prepare for Hacks, Mistakes and Hosting Problems

Written by Giraffe Hosting Limited
Published 23 June 2026
Website Backups and Disaster Recovery
Published: 23 June 2026
Category: 
Written by: Giraffe Hosting Limited
Website backups are not just a technical add-on. They are part of business continuity, helping small businesses prepare for hacks, accidental deletion, failed updates and hosting problems.

Table of Contents

For many small businesses, the website is where enquiries, bookings, sales, support requests and brand trust begin. If it is hacked, broken by an update, accidentally deleted or disrupted during a hosting move, the problem is not only technical. It can affect customers, staff, marketing and cash flow.

A sensible website backup and disaster recovery approach helps you reduce that risk. It does not guarantee that every incident will be simple or instant to fix, but it gives you a clearer route back to a working website when something goes wrong.

This guide explains what UK small businesses should back up, how often to take backups, why off-site storage matters, how to test restores, and what to include in a practical recovery plan.

Why this matters

Backups are often ignored until they are needed. Unfortunately, the moment you discover a missing backup is usually the worst possible time: after a hack, a failed plugin update, a deleted product catalogue, or a hosting migration that has not gone to plan.

A backup is a copy of your website data. A disaster recovery plan is the broader process for using that backup, deciding who does what, communicating with customers, verifying security, restoring services, and confirming the website is safe to use again. Several disaster recovery guides distinguish between backup copies and broader recovery planning, including recovery objectives, asset lists, responsibilities and regular drills or testing.

For small businesses, this does not need to be overcomplicated. The goal is to know what you have, where it is stored, how recent it is, how to restore it, and who to contact when time matters.

Common website incidents that backups can help with

Website incidents vary in severity. Some are minor mistakes; others may involve security issues, data loss, or prolonged downtime. Backups are useful in several common scenarios.

Hacked websites and malware recovery

If a website is compromised, a clean restore point may help you return to a known earlier version. However, restoring a backup is not the whole answer. You still need to identify how the attacker got in, update vulnerable software, change passwords, check user accounts and scan for malware. Otherwise, the same problem may return.

Giraffe Hosting's platform includes security features such as Web Application Firewall protection, malware scanning, and DDoS protection, along with daily backups. These measures can reduce risk and support recovery work, but no hosting or backup arrangement should be treated as a guarantee that incidents cannot happen.

Accidental deletion

A staff member, developer or site administrator might delete a page, media folder, product category, database table or form entry by mistake. In these cases, the best outcome is often a targeted restore from a recent backup, rather than rolling the whole website back unnecessarily.

Failed updates

WordPress core updates, plugin updates, theme changes and PHP version changes can occasionally cause layout, Checkout, booking or login problems. A recent backup gives you a fallback while the underlying compatibility issue is investigated.

Hosting migrations

Moving to a new host is a common time when problems arise, especially if files, databases, DNS records, SSL certificates, or email settings are overlooked. A pre-migration backup protects the original website before changes begin. If you are moving a WordPress site, see our guide to migrating an Elementor WordPress site to new hosting. For online stores, our WooCommerce migration SEO checklist includes additional considerations for URLs and product pages.

What should a good website backup include?

A useful website backup should include everything needed to rebuild the site in a working state. For a typical small business website, that means more than just visible pages.

  • Website files: theme files, plugin files, uploaded images, documents, scripts and other content stored on the server.
  • Database: pages, posts, product data, users, settings, orders, forms and other dynamic content, depending on how the site is built.
  • Configuration files: server and application settings that affect how the site runs.
  • Media library: images, PDFs, videos and downloadable files.
  • Application data: e-commerce settings, booking data, membership settings or other website-specific records.
  • Logs where relevant: logs can help with troubleshooting, security investigation and understanding what happened.

Some items may sit outside the website itself. For example, domain names, DNS records, email mailboxes, third-party payment systems, CRM integrations and analytics platforms may need separate documentation or export processes. If your website relies on these services, include them in your recovery planning even if they are not part of the hosting backup.

How often should a business website be backed up?

Backup frequency should reflect how often your website changes and how much data you can reasonably afford to lose. Disaster recovery guidance often refers to a recovery point objective, or RPO. In simple terms, this is the maximum amount of data you are prepared to lose if you need to restore from a backup.

Website typeTypical change patternPractical backup approach
Brochure websitePages change occasionally, with a few contact form enquiriesDaily backups are usually a sensible baseline, with manual backups before major edits.
Blog or content websiteNew articles, comments or uploads may be added regularlyDaily backups, plus a backup before theme, plugin or content structure changes.
WooCommerce or booking websiteOrders, bookings, customer records and stock levels may change throughout the dayMore frequent database protection may be needed, depending on order volume and the acceptable level of data loss.
Membership or learning websiteUser activity, payments and course progress may change frequentlyPlan backups around user activity and consider tighter recovery point requirements.

Giraffe Hosting includes daily backups as part of its hosting platform. For many small business websites, daily backups are an important foundation. For websites with frequent transactions or time-sensitive records, you should discuss whether additional backup frequency or application-level exports are appropriate.

It is also good practice to create a manual restore point before making higher-risk changes, such as major WordPress updates, new plugins, theme changes, PHP upgrades or migrations.

Off-site storage and the 3-2-1 principle

One widely referenced backup concept is the 3-2-1 backup principle: keep multiple copies of data, use more than one type of storage, and keep at least one copy off-site. The reason is simple: if all copies are stored in the same place or managed through the same account, one incident could affect both the live website and the backups.

For websites, off-site storage might mean backups stored away from the production server, cloud storage managed separately from the live hosting environment, or a managed backup system that maintains restore points outside the main website account.

Off-site does not mean "set and forget". You still need to know:

  • how long backups are retained;
  • whether old restore points are overwritten;
  • who can access or delete backups;
  • whether backups include both files and databases;
  • how a restore is requested or performed;
  • Whether backup access depends on the same login used for the website.

These details matter because ransomware, account compromise, human error and hosting problems can all affect availability. Separating copies helps reduce single points of failure.

Backup versus disaster recovery plan

A backup answers the question: "Do we have a copy of the website?" A disaster recovery plan answers a broader question: "How do we get back to an acceptable working position after an incident?"

A practical disaster recovery plan for a small business website should include:

  • Key assets: the website, domain, DNS, email, database, payment systems, booking tools and third-party integrations.
  • People and responsibilities: who contacts the host, developer, payment provider, internal staff and customers.
  • Recovery objectives: how quickly you need the site back online and how much recent data loss is acceptable.
  • Backup locations: where backups are stored, how to access them and who has permission.
  • Restore procedure: the steps for restoring files, databases, DNS, SSL and application settings.
  • Communication plan: what to tell staff, customers or suppliers if the site is unavailable.
  • Security actions: password resets, malware checks, software updates and access reviews after an incident.
  • Testing schedule: when restores are tested and how results are recorded.

Disaster recovery sources commonly refer to recovery time objectives, recovery point objectives, inventories, personnel roles, communication plans and regular drills. Small businesses can adapt these ideas into a concise document rather than a complex corporate manual.

How to test whether backups can be restored

A backup that has never been tested is only an assumption. Restore testing is the process of proving that a backup can actually be used.

For a website, testing might involve restoring to a staging area or temporary environment rather than overwriting the live site. You can then check whether pages load, forms work, images appear, user logins behave correctly, and key business functions still operate.

A simple restore test checklist might include:

  1. Choose a recent backup and an older backup to test.
  2. Restore to a safe staging or test environment.
  3. Check the homepage, key service pages, forms, product pages, and Checkout or booking flows where relevant.
  4. Confirm the database content is present and recent enough for your recovery objective.
  5. Check media files, menus, redirects, SSL behaviour and admin login.
  6. Record any errors, missing files or manual fixes needed.
  7. Update the recovery plan based on what you learned.

Testing should be repeated after major website changes, migrations or platform changes. It is also worth testing before high-risk periods, such as a large campaign, a seasonal sales period or an important product launch.

What to ask your hosting provider about backups

Before you need a restore, ask clear questions. A good hosting conversation should cover practical details rather than vague reassurance.

  • Are backups included, and how often are they taken?
  • Do backups include both website files and databases?
  • How long are backups retained?
  • Are backups stored separately from the live hosting environment?
  • Can individual files or databases be restored, or only the whole account?
  • How do I request a restore?
  • Is support available if the website is hacked or broken after an update?
  • Should I take a manual backup before major changes?
  • What backup responsibilities remain with me as the website owner?

Giraffe Hosting has provided UK hosting services since 2007 and offers web hosting, WordPress hosting, managed cloud hosting, VPS hosting, domain registration and domain transfer services. Its platform includes daily backups, autoscaling resources, Web Application Firewall protection, malware scanning and DDoS protection, 24/7 support, onboarding assistance, free migration support, and a knowledge base. For growing websites that need more flexible resources, you may also find our guide to autoscaling WordPress hosting useful. If you are weighing up infrastructure choices, our article on cheap hosting versus VPS hosting explains the trade-offs.

A simple recovery planning checklist

Use this checklist as a starting point for your own website backup and disaster recovery planning:

  • List your website platform, hosting provider, domain registrar, DNS provider and key logins.
  • Confirm what is backed up: files, databases, media, settings and application data.
  • Check backup frequency and retention.
  • Keep at least one backup copy away from the live server where appropriate.
  • Take a manual backup before updates, migrations or major content changes.
  • Document who to contact: the host, the developer, the internal owner, and any third-party provider.
  • Define your acceptable recovery time and acceptable data loss.
  • Test a restore to a staging environment.
  • Review user accounts, passwords and security settings after incidents.
  • Update the plan after every major change to the website or hosting.

This does not remove all risk, but it gives your business a more controlled way to respond when something breaks.

Frequently Asked Questions

Why are website backups essential for security?

Backups help you recover to an earlier restore point after incidents such as malware infections, accidental deletions, or failed updates. They should be combined with security checks, software updates, and access reviews because restoring a backup alone may not fix the root cause of a compromise.

What should a good website backup include?

A good website backup should include the website files, database, media uploads, configuration settings and relevant application data. For some businesses, logs and separate records for DNS, domains, email, and third-party systems should also be documented as part of recovery planning.

How often should a business website be backed up?

Backup frequency should depend on how often the website changes and how much recent data the business can afford to lose. Daily backups are a useful baseline for many small business websites, while e-commerce, booking, and membership sites may need more frequent backups to protect changing database records.

What is the difference between a backup and a disaster recovery plan?

A backup is a copy of data. A disaster recovery plan explains how the business will respond after an incident, including recovery objectives, responsibilities, communication steps, restore procedures and testing.

How should businesses test whether backups can be restored?

Businesses should test restores in a safe staging or temporary environment, then check pages, forms, media, logins, database content and key customer journeys. Any issues found during testing should be recorded and used to improve the recovery plan.

Choose Giraffe Hosting Limited for your Domain Registration, Cloud Hosting, WordPress Hosting, and Virtual Private Server Hosting; Powered by renewable energy, contributed to sustainable growth.
Copyright © Giraffe Hosting Limited. 2007 – 2026 All rights reserved.
Explore
Services
Support