The safest way to automate WordPress backups

(Partial answer as I’m familiar with AWS, not Google Drive.)

Having a WordPress DB stored somewhere on a cloud service is, in my opinion, no worse that hosting the site on a virtual or cloud server (given virtualisation platforms all allow you to reset the server’s root password – albeit typically with a reboot – so your entire machine is at risk if someone discovers your control panel logon.)

Make sure you’ve followed basic security precautions for your server and also consider the two-factor-auth plugin that, even with at it’s lowest security, will send a one-time password to the user’s email address when they login (a user’s email would need to be hacked as well for the hacker to gain access to the WordPress dashboard.)

Personally, many of my sites use Linode. I use their backup service as a precaution, but you can only fully restore the entire drive, so it’s no help if you accidentally deleting a single file or directory and want to leave everything else that has changed on the machine since the backup was taken intact.

backup2l is a free/simple/reliable command line backup utility that lets you recover files individually. It uses well known Linux commands like tar and gzip. (There are packages for it in most distributions, no need to install manually.)

By default it runs daily, but it does incremental backups so you can configure as often as you like.

I use the following code in my /etc/backup2l.conf to automatically dump the SQL databases before the backup runs:

# This user-defined bash function is executed before a backup is made
PRE_BACKUP ()
{
    # e. g., shut down some mail/db servers if their files are to be backup'ed

    # On a Debian system, the following statements dump a machine-readable list of
    # all installed packages to a file.

    echo "  writing dpkg selections to /root/.dpkg-selections.log..."
    dpkg --get-selections | diff - /root/.dpkg-selections.log > /dev/null || dpkg --get-selections > /root/.dpkg-selections.log

    echo " dumping databases"
    for i in /var/lib/mysql/*/; do
        name=`basename $i`

        # get username + password
        user=$(grep user /etc/mysql/debian.cnf | awk '{print $3}' | head -n 1)
        pass=$(grep pass /etc/mysql/debian.cnf | awk '{print $3}' | head -n 1)

        # do the dump
        mysqldump --user="$user" --password="$pass" --ignore-table=mysql.event $name | gzip > /var/backups/mysql/$name.gz
    done

}

Then in POST_BACKUP, I upload the backup files to an Amazon S3 bucket with s3cmd:

# This user-defined bash function is executed after a backup is made
POST_BACKUP ()
{
    # e. g., restart some mail/db server if its files are to be backup'ed/
    /usr/bin/s3cmd sync -c /home/myhomedir/.s3cfg --delete-removed /var/backups/localhost/ s3://my-bucket-name/
}

AWS has “Versioning” which means that if someone gained access to your server and used the IAM credentials to delete the backup files from your bucket, you’d still be able to get them back.

Related Posts:

  1. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  2. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  3. Are WordPress Plugins essential?
  4. What are the common security flaws I need to look for? [closed]
  5. How Can I Securely Implement a Password-less Login Feature?
  6. Security and .htaccess
  7. Why “Contact Form 7” doesn’t update PHPmailer library?
  8. Secure WordPress paid plugin
  9. How to make media upload private? [duplicate]
  10. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  11. What does a security risk in a plugin look like?
  12. WordPress Capabilities: edit_user vs edit_users
  13. How to check plugins for malicious code?
  14. How to properly secure my WordPress installation?
  15. Plugin for automatic database backup? [closed]
  16. Where should my plugin POST to?
  17. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  18. Should I use RIPS tool to test my themes and plugins?
  19. Why users disable the WordPress update?
  20. How many security plugins are too many? [closed]
  21. Will WordPress username displayed somewhere in the site?
  22. Upgrading WordPress 4.0 asks for FTP password
  23. Is revealing just the AUTH_KEY a security issue?
  24. How Restrict access to admin dashboard by specific static ip?
  25. Protecting against malicious code in WordPress plugin updates
  26. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  27. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  28. How to expire all wordpress user passwords instantly?
  29. How to limit WordPress pages during updates?
  30. rms_unique_wp_mu_pl_fl_nm.php
  31. Security issues with WP sites
  32. Security checking in meta_box save is reluctant?
  33. Should you escape hardcoded URLs?
  34. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  35. What is the correct way to update both WP/plugins/themes without breaking the site?
  36. wp_create_nonce function doesn’t work inside a plugin?
  37. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  38. Headers Content-Security-Policy CSP Major Issue
  39. How to block plugin activations with no known user or coming from unknown IP address range?
  40. Nonce failing on form submission
  41. Check for security updates
  42. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  43. Malicious File Upload [closed]
  44. Malware installation during plugin update?
  45. I should enable automatic updates?
  46. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  47. Security and Must Use Plugins
  48. Prevent direct access to WordPress plugin assets?
  49. UpdraftPlus installed malware – scared to download or update plugins now! [closed]
  50. How to protect WordPress from security scanner [closed]
  51. Too many login attempts
  52. Website show Google Ads when we have no Google Ads linked to our website
  53. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  54. Custom API plugin to execute 3rd party API to retrieve data
  55. how do I secure my WP website from hackers? [closed]
  56. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  57. Can I restore a plugin that was accidentally deleted? (on localhost)
  58. Do I need a backup plugin if I’m already backing up via cPanel?
  59. Webservice credential storage [duplicate]
  60. Regarding plugin security
  61. How do I determine if the user who registered is not spam?
  62. Is this plugin safe to run?
  63. Is the Block Bad Queries Plugin Still Relevant?
  64. Automatic WordPress Backup Plugin works, but says it’s not
  65. 404 errors when updating options in admin dashboard
  66. Hide plugins and theme from public
  67. Is it possible to restore a deleted WordPress plugin I deleted from WordPress admin menu?
  68. Security of a WordPress Plugin
  69. Can I disable xml-rpc by setting it to false?
  70. How can I disable new plugin and theme install, but allow updates?
  71. how long do restored versions take to go live?
  72. Help to Create a Simple Plugin to make a post
  73. Validating ajax search
  74. WordPress disable direct access of files in WordPress installation path
  75. Asking help regarding potential malware
  76. prevent anonymous access to WordPress site (non-admin site)
  77. Bing/msn bots is heavily requesting random of my website
  78. Securing a plugin pop-up window
  79. Redux framework somehow added to my site, can’t locate in plugins
  80. Being hacked. Is there a list of WordPress security holes I can check against?
  81. wp_verify_nonce fails always
  82. Inactive Plugin Files
  83. How can i see/log all requests coming from a registration form (not from the UI)?
  84. Write mysql credentials in plugin
  85. Site is continuously accessing by several IPs
  86. Validating values using Settings API?
  87. SWF in wordpress post
  88. Unwanted Links and Spam WordPress Pages and Posts
  89. Backup Buddy Questions
  90. Problem with permissions in wp-content/plugins
  91. File permissions for wp-minify plugin
  92. What is the recommended way to be notified of security updates to my plugins? [closed]
  93. My WP site and password was hacked, what to do? [closed]
  94. how to restore wordpress backup(.rar) manually?
  95. How to resolve these findings from security audit
  96. How to Move a production WordPress site to local environment [closed]
  97. How to rename files during upload to a random string?
  98. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  99. Oxygen plugin wordpress stuck in loading sequence forever when trying to edit a page [closed]
  100. Block Root REST API Route using custom &/or iThemes