ChecklistLab

Small Business

Website Backup Checklist

A backup that has never been restored is only a hope. This checklist helps you define what gets backed up, where it is stored, who owns it, how often it runs, and how to prove it can actually restore the website after an incident.

Use when: A live website needs a reliable recovery process for updates, hacks, hosting failures, mistakes, or content loss.

Best for: Small business owners, freelancers, agencies, and site maintainers responsible for keeping a website recoverable.

Start with: Backup scope. Files-only backups are not enough if your website depends on a database, uploads, plugins, or configuration.

Then review: Website Maintenance Checklist to make backups part of recurring operations.

Copy workflow

Backup scope

Define exactly what must be recoverable. A partial backup can still leave the site unusable.

  • Back up website files, database, media uploads, theme/template files, plugins/extensions, and configuration.
  • Include DNS records, hosting settings, redirects, and environment variables where relevant.
  • Document third-party dependencies that are not included in the backup.
  • Separate production backups from staging or test-site backups.
  • Confirm e-commerce orders, memberships, bookings, or form entries are included if the site depends on them.

Schedule and retention

Backup frequency should match how often the website changes and how much data loss is acceptable.

  • Set daily backups for active content, lead generation, or e-commerce sites.
  • Use weekly backups only for static or rarely updated sites.
  • Keep multiple restore points so a corrupted backup does not overwrite the last clean copy.
  • Define retention periods: daily, weekly, monthly, and pre-launch snapshots.
  • Take a manual backup before major updates, redesign launches, migrations, or plugin changes.

Storage and access

Backups should survive the same incident that takes the website down.

  • Store at least one backup outside the production hosting account.
  • Use cloud storage, backup service storage, or another independent location.
  • Restrict backup access to people who need recovery responsibility.
  • Protect backup storage with strong passwords and two-factor authentication.
  • Encrypt backups when they contain customer, order, membership, or sensitive form data.

Restore testing

Restore testing is the difference between a backup policy and a recovery capability.

  • Test a restore on staging or a temporary environment before relying on the backup process.
  • Confirm the restored site loads, forms work, media appears, and key pages render.
  • Check database-driven content, user accounts, orders, or bookings after restore.
  • Document restore steps, expected time, and who can perform them.
  • Retest after changing backup tools, hosting, CMS, or major site architecture.

Alerts and ownership

Backups fail quietly unless someone is responsible for watching them.

  • Assign a backup owner and a backup reviewer.
  • Send backup success and failure alerts to a monitored inbox or support channel.
  • Review backup logs during monthly maintenance.
  • Track backup tool subscription renewals and storage quota limits.
  • Record backup status in the maintenance log.

Incident recovery

When something breaks, the recovery process should already be written.

  • Define what triggers a restore versus a manual fix.
  • Keep hosting, DNS, backup service, and developer contacts in one recovery note.
  • Document how to take the site offline or enable maintenance mode during recovery.
  • After recovery, log root cause, restore point used, data lost, and prevention steps.
  • Update the backup process after every incident or failed restore test.
WEBSITE BACKUP CHECKLIST

SCOPE
[ ] Back up files and database
[ ] Include uploads and configuration
[ ] Document third-party dependencies
[ ] Confirm transactional data coverage

SCHEDULE
[ ] Set frequency by change rate
[ ] Keep multiple restore points
[ ] Define retention periods
[ ] Take manual backups before major changes

STORAGE
[ ] Store off-host backups
[ ] Restrict access
[ ] Use 2FA
[ ] Encrypt sensitive backups

TEST
[ ] Restore to staging
[ ] Check pages, forms, and media
[ ] Document restore steps
[ ] Retest after architecture changes

RECOVER
[ ] Assign owner
[ ] Monitor alerts
[ ] Define restore triggers
[ ] Log incidents and improvements

Next step

Use this next

Once backups are reliable, fold them into the site's recurring maintenance cadence.

Small Business

Checklist

Website Maintenance Checklist

Use this to schedule recurring backup reviews, updates, security checks, and content freshness checks.

If you are handing the site to someone else, include backup ownership in the Website Handover Checklist.

Website Backup Checklist FAQ

How often should a website be backed up?

Back up active sites daily and transactional sites more frequently if possible. Static or rarely updated sites may be fine with weekly backups plus manual backups before changes.

Where should website backups be stored?

Store at least one backup outside the production hosting account. If the hosting account is compromised or suspended, on-host backups may be inaccessible when you need them most.

Why test restores if backups already run automatically?

Automatic backup success only means a file was created. It does not prove the backup is complete, uncorrupted, compatible with the current environment, or usable under pressure.