Introducing ShieldBACKUPS – Secure WordPress Backups from Shield Security

May 16, 2025 by Paul G. | Backups, Blog, Features, Shield Pro, Shield Security

Throughout our site and almost any time we provide “how-to” guidance related to WordPress, we suggest that you… “make a backup of your WordPress site“.

That tiny statement urging WordPress backups, however, encompasses a vast array of complexities. For WordPress backups alone, there are 100s of competing services dedicated to solving that problem.

WordPress backups is a huge consideration for WordPress administrators. Just like WordPress security…

Our Shield Security service is dedicated to a single purpose – protecting your WordPress sites from many areas of attack, and recovering a site if its been compromised.

There is a good argument to be made that the 2nd half of that purpose – recovering a WordPress site – involves data recovery from a WordPress backup.

Until now, we’ve kept out of the backup arena and focused on WordPress security protection, and provided tools, such as malware scanning and repair, to aid in the recovery process.

The reason is simple – the effort of protecting WordPress is far less, for you the administrator, than the effort to recover a hacked website.

But the worst really does happen, sometimes, despite our best efforts. When our WordPress sites are compromised or broken, there’s nothing else for it but to recover the site from a backup.

Common WordPress Backup Questions

Before we go into specifics about ShieldBACKUPS and how we’ve tackled WordPress backup, I’m going to explore some fundamental questions, and then return to our objectives for ShieldBACKUPS.

Feel free to skip this section if you’re already familiar with these question, and jump to our ShieldBACKUPS section further down.

What Is A WordPress Backup?

I’m sure most readers already know how WordPress works and what constitutes a WordPress site. But in case not everyone is familiar, WordPress sites are made up of 2 types of data:

Files (WordPress Core, plugins, themes, images & uploads, and more)
Database (options storage, configurations, posts, products, comments, etc.)

WordPress won’t work properly if either of these are missing or corrupted in any way.

A WordPress backup will make a copy of both the files and the database, and you can restore a working site by copying back all, or parts, of these. Of course, you can only restore to a specific point-in-time, so you’ll inevitably lose some data with a website restore.

Typically a WordPress backup only covers the site “data”. It doesn’t take anything to do with your webhost, the server, network, DNS, SSL, etc.

How Is A WordPress Site Backed Up?

There are 3 primary methods to backup a WordPress site:

WordPress Backup Plugin (that runs within the WordPress site).
Webhost level backups – a services on the webhosting server.
Manual – you manually export the data as required (not recommended as a standalone solution)

Where Are WordPress Backups Data Stored?

Where backup data gets stored depends on the nature and configuration of the backup provider. Here are some of the most common strategies:

on-site (typically backup plugins) – data is stored in a directory within your WordPress site.
off-site – most premium WordPress backup plugins can be configured to copy your site data to a cloud provider, such as AWS S3, Google Cloud, Dropbox, etc.
server – this would usually be used by your webhost and the specifics depend on your host.

As you might imagine, there are security implications to each of these options, which we’ll cover later.

How Is A WordPress Backup Restored?

Restoring a WordPress site is technically complex, and how exactly this is done depends on:

exactly what data needs to be restored – DB, files, or specific sub-components of these
to where is the data being restored:
- a completely blank hosting site
- an “empty” WordPress site
- a partially functioning WordPress site.
where the data is coming from – is it being restored from data accessible locally or remotely?

The complexity really explodes because you can have any combination of the above. The backup provider will offer guidance on how a site can be restored from their backup data.

How Often Should You Backup A WordPress Site?

The answer here depends on how often your critical site data changes, and how disasterous losing any data would be for you. For most purposes, we recommend backing up your WordPress site at least once every 24 hours. For busier business sites, such as high-traffic WooCommerce, we’d definitely recommend more frequent backups.

Why ShieldBACKUPS, and What Makes It Different?

When we set about creating ShieldBACKUPS, we did so to solve for a very specific problem:

How can we always ensure easy access to fast, reliable, regular, tamper-proof, WordPress backups?

We’ll break down each part of this to highlight the problems we see with existing WordPress backup solutions, and what we did differently when we designed ShieldBACKUPS.

“easy access”

Depending on your backup service provider, accessing backup data ranges from easy to mind-bogglingly difficult. In many cases, it’s unclear where exactly the backup data is actually being stored.

Our target was that for a 2GB site, you’d get a link to download a backup ZIP in under 2 minutes.

We beat this target in our tests, and it doesn’t take much longer for larger sites. For extra large sites, the time taken to prepare the download ZIP will naturally increase. There’s no way around this.

“fast”

Copying all the data needed to backup a site is a lot of work. We learned that there’s very little optimisation with many existing backup solutions. For nearly every backup archive created, ALL FILES AND ALL DATABASE DATA are copied by most WordPress backup plugins.

That’s a lot of work.

ShieldBACKUPS is designed from first principles to be fiercely efficient. Every backup (except the 1st) uses the details of the previous backup to optimise transfers so that only “new” files are ever copied.

The database, of course, is a different story, and all database data is always copied in-full.

ShieldBACKUPS is fast. In our tests, some sites complete a backup in under 7 seconds, start-to-finish.

The faster a backup runs, the lower the impact on your systems, and we have designed one of the fastest WordPress backup solutions in the world.

“reliable”

A WordPress backup system that depends solely on WordPress is inherently unreliable. What does unreliable look like?

automation breaks, as it relies on the WordPress Cron.
errors on a site, regardless of severity, can interrupt WordPress operations (and backups).
credentials for off-site storage expire, or the target is offline, or isn’t accepting connections.
high-load on the site can prevent backups running and can induce them to timeout and fail.
backup data processing & offload to storage can impact normal site operations when the load exceed web hosting limits.
remote offsite storage becomes “full” (metered storage).

Our backup schedules run independently of your WordPress site, and ensures that a backup runs at least once every 24hrs assuming your site is online (you can’t backup an offline site).

There are no secure credentials (more on that later) stored on your site either, and you don’t have to setup, configure, and manage storage providers in any way.

“regular”

As mentioned already, ShieldBACKUPS ensures that at least 1 backup is peformed every day.

We may provide backup schedules in the future that perform backups more often. If this is something you’re be interested in, please reach out to our support team.

“tamper-proof” – this is critically overlooked

Consider the following 2 approaches by most WordPress backup plugins..

On-Site Storage

Many WordPress backups store data on-site. This applies both to storage within the WordPress site itself (most common) and to server-level backups, that are stored on the same hosting server.

If your webhosting provider goes dark, or is compromised, then everything is lost.

If your WordPress site is compromised, then all data on that site is suspect, too. That includes your backup data. Can you 100% trust your backup data hasn’t been tampered with if it’s stored on a site that has been hacked?

The simple answer is “no”.

Off-Site Cloud Storage

What about off-site backups that are sent to a cloud storage provider by a WordPress backup plugin?

While it’s not an identical issue, the risk is similar. The authentication tokens/credentials used to access off-site cloud storage must be stored on the WordPress site that’s being backed-up. If that site is compromised, the credentials used to access that backup space are also compromised.

This puts the entire storage area of your backups at-risk. Furthermore, it’s common for multiple sites to share this cloud storage to backup their data, too. When 1 site is compromised, all backups for all sites that share this space are compromised.

We wanted WordPress backups that can’t ever be tampered with, if a site is hacked.

If your site is ever hacked, your ShieldBACKUPS won’t be.

ShieldBACKUPS copies your site data off-site to our servers and it’s then archived to a secure location. We enforce valid TLS(SSL) for all client sites to ensure integrity of the connection and the data. The credentials to access the data storage are never available on your clients sites, not for even an instant.

To put it simply, if your WordPress site is hacked, there’s no way from there to your ShieldBACKUPS data.

“secure”

Secure is a broad term, but the parameters in this case are:

stored off-site (covered above)
transferred securely (covered above)
access credentials are not available on-site (covered above)
data at rest (the actual stored data) is secured – all data is encrypted using AES-256 encryption
only the account owner may access the data – your Shield Security PRO account credentials are used to access your sites and backups. We strongly recommend switching-on 2FA on your account.

Security is our business, and when we design and build anything, security is baked-in from the outset, not a “feature” added later.

We’re dedicated to ensuring that your backup data is safe, secure, but still easily accessible when you need it.

How Can You Get ShieldBACKUPS For Your WordPress Site?

We’re making it easy to get ShieldBACKUPS. There isn’t an extra plugin/extension to install and there’s no hoops to jump through – you just need an active Shield Security PRO PLUS Edition license.

If you’re on one of our legacy plans – where your pricing for ShieldPRO has been guaranteed and grandfathered – access to ShieldBACKUPS isn’t included. You’ll always, of course, continue to have full access to ShieldPRO Security features from our primary Shield Security plugin.

To get access to ShieldBACKUPS, you’ll need to upgrade your plan with us. You can reach out to our team to discuss your upgrade options at any time.

We may also offer ShieldBACKUPS as a separate add-on, but if this is something which interests you, please let our team know.

ShieldBACKUPS will be released in beta in late June 2025, and requires Shield Security plugin v21.0+

What Are The Storage Limits, Schedules, Retention Polices for ShieldBACKUPS?

On our ShieldPRO Plus plan, we commit to the following retention and schedule:

1x full daily backup performed.
All backups retained for the most recent 7 calendar days.
12x weeks of weekly backups retained.

This assumes that your website is online and fully accessible by our servers/services. Our server will try to access your site remotely, but some webhosts and service providers may block our IP addresses.

When this happens, it will be your responsibility to work with your hosts to resolve, but we’ll help where we can with the information you’ll need about actions your host need to take.

Regarding storage limits, we have a fair use policy and any website that doesn’t adhere to this will have their backups paused. A high-level guide is this: on average, all sites on your account should be no larger than 10GB. This should comfortably cover 99.9% of sites, but if your sites are extraordinarily large, please contact us to discuss this further.

Is there anything that ShieldBACKUPS doesn’t backup?

The backup system will automatically filter files that are not considered part of a normal WordPress site. Some of these include:

Archives, such as: .zip / .gz / .bz / .gzip / .tar
Backup archives from other backup plugins
Version control directories, such as .git / .svn
SQL export dumps, such as .sql files
Logs and error log files
Cache, temporary files and known temporary folders for plugins.
Database logs that are known to be large for certain plugins (Shield’s Activity Logs are excluded, for example)
Transient options in the WP options table
Any files over 200MB – large data files shouldn’t be stored on webhosts.

This isn’t an exhaustive list, but it covers most of the file types excluded.

The goal is to provide a backup solution that will allow anyone to fully backup and restore the vast majority of WordPress websites. If your sites doesn’t fit with these restrictions, it probably requires a special backup service anyway and ShieldBACKUPS isn’t going to be compatible. If you’d like to discuss this with our team, please reach out at any time.

What Features Does ShieldBACKUPS Not Have (currently)?

This is our first release of ShieldBACKUPS, and more features and improvements will follow. As it stands, the following features are not part of ShieldBACKUPS:

staging sites – such services are more aptly provided by webhosts.
automatic site migration – again typically provided by webhosts.
automatic site restore (we provide a guide on how to restore your site)

We plan to build out an automated site restore feature, but this isn’t available for our first release. You can, of course, restore a WordPress site a ShieldBACKUPS archive, but it’s not automated.

Our primary goal with ShieldBACKUPS has been what we said above – ensuring we have easy access to secure backups of our data, knowing that should disaster ever strike, we know we have the data, and we can recover.

Final Words

As we mentioned earlier, WordPress backups is a massive topic and an area filled with many solutions and approaches to the challenge of ensuring you have backups for your WordPress site.

ShieldBACKUPS was born of the need that if absolutely everything went away, from our WordPress site, the files, the database, and even the web hosting server and the web host provider itself, we’d always have something to fallback on… that some backup is stored security and within easy reach.

The recovery itself might not always be easy, as they’re usually quite stressful incidents. And technical challenges can make things even more difficult. But, knowing that our data is safely stored out of harm’s reach, and that we can access it, is the reassurance we’re looking for.

If that reassurance is also something you want to have, and the peace-of-mind that follows is worth having, then we invite you to get ShieldBACKUPS for your WordPress sites today.

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

Try ShieldPRO Today →

ShieldPRO Testimonials

@fitwarrior

Good options, great support

I esp like the ability to hide/rename the wp-admin login page. Couldn’t even guess the # of millions of fake requests stopped just by this feature.

@petros381

Excellent plugin

Very nice, it works perfectly. The pro version is very affordable. Five stars

@dcnotpc

Our go to plugin for security

Security is a big deal these days. Shield provides the flexibility to lock things down as tight as you like.

@1stmasterofhealth

Great Security for WordPress Sites!

I’ve been using Shield Security plugin for several months. It has performed at a par excellence level beyond any other plugin I’ve tried (many). Thank you!

ESSENTIAL WORDPRESS SECURITY NEWS

Get ShieldNOTES, our excellent weekly WordPress security newsletter!