Your WordPress database is the “brain” of your website. It contains every post you have ever written, every comment, your plugin settings, and—most critically—your users’ personal data and hashed passwords.
We all know we should backup our database. But few site owners realize that how you backup is just as important as doing it.
A poorly configured backup system can leave a complete copy of your database sitting in a public folder on your server. If a hacker finds this file (and they have bots scanning for it 24/7), they don’t need to break into your site—they can just download it.
In this guide, we will cover the security best practices for WordPress database backups, ensuring your safety net doesn’t become your biggest vulnerability.
The Risk: The “Public SQL Dump”
The most common database security failure looks like this:
- An admin installs a backup plugin or runs a manual export tool.
- The tool saves the file as
backup.sqlordb_dump.zipinside/wp-content/uploads/. - The admin forgets to delete it.
- A hacker’s bot scans
yoursite.com/wp-content/uploads/backup.sql. - Result: The hacker downloads your entire site’s history, user emails, and password hashes in seconds.
FunSentry’s Detection:
When FunSentry scans a site, we specifically “fuzz” (test) your directories for hundreds of common backup filenames like localhost.sql, users.sql, and wp_backup.tar.gz. You would be shocked at how often we find them.
Best Practice 1: Follow the 3-2-1 Backup Rule
This is the golden standard for data recovery, adapted for WordPress security.
- 3 Copies of your data: (e.g., Live site, Local staging, Remote backup).
- 2 Different media types: (e.g., Server disk, Cloud storage).
- 1 Off-site copy: (This is the most important one).
Never rely solely on backups stored on the same server as your website. If your server crashes or gets hacked, you lose both the live site and the backup.
Best Practice 2: Store Backups Off-Site (Cloud Storage)
Do not store backups in your public_html or /wp-content/ folder.
Instead, configure your backup plugin (like UpdraftPlus, BlogVault, or SolidWP) to send files directly to a secure, remote location:
- Amazon S3 (or compatible object storage)
- Google Drive / Dropbox (Enterprise versions)
- A dedicated SFTP backup server
Why? Even if a hacker gains full access to your WordPress file system, they cannot delete or corrupt your backups if they are stored on a separate, locked-down cloud account.
Best Practice 3: Encrypt Your Backups
If you are storing backups that contain user data (names, emails, addresses), you are legally required by regulations like GDPR to protect that data.
Encryption at Rest:
Ensure your backup tool encrypts the database file before sending it to storage.
- Good: A standard
.sqlfile (Readable text). - Better: A
.zipfile with a password. - Best: An encrypted archive (AES-256).
If an attacker manages to steal an encrypted backup, it is useless to them without the decryption key.
Best Practice 4: Block Access to Backup Extensions
Sometimes, storing a temporary backup on the server is unavoidable. You must ensure that your web server refuses to serve these files to the public.
For Apache (.htaccess):
Add this to your root .htaccess file to block anyone from downloading database exports:
Apache
<FilesMatch "\.(sql|sql\.gz|sql\.zip|tar|tar\.gz|bak|log|ini)$">
Order Allow,Deny
Deny from all
</FilesMatch>
For Nginx:
Add this to your server block:
Nginx
location ~* \.(sql|sql\.gz|sql\.zip|tar|tar\.gz|bak|log|ini)$ {
deny all;
access_log off;
log_not_found off;
}
This ensures that even if you accidentally leave backup.sql in your root folder, a visitor attempting to download it will get a 403 Forbidden error.
Best Practice 5: Automate Retention Policies
Data hoarding is a security risk. You do not need a daily database backup from 3 years ago.
Configure your backup schedule to automatically delete old backups:
- Daily backups: Keep for 14 days.
- Weekly backups: Keep for 8 weeks.
- Monthly backups: Keep for 6 months.
By deleting old data, you reduce the “attack surface.” If a breach occurs, the amount of historical data exposed is limited.
Best Practice 6: Test Your Restore Process
A backup is not a backup until you have successfully restored it.
Many site owners find out too late that their backup files are corrupted, incomplete (missing tables), or that they don’t know how to restore them.
The Drill:
- Once a month, create a staging site.
- Wipe the staging database.
- Try to import your latest backup.
- Check if the site loads and if recent posts are present.
Summary Checklist
| Action | Security Benefit |
| Off-Site Storage | Protects against server failure and hackers wiping files. |
Block .sql Files | Prevents public downloading of database dumps. |
| Encryption | Protects user data even if the file is stolen. |
| Retention Policy | Limits liability by removing obsolete data. |
| Exclude Tables | Exclude wp_options (transients) and cache tables to reduce size. |
Is your database currently exposed?
You might have an old db.sql file sitting in a forgotten folder from a previous developer. Don’t guess. Run a free scan at FunSentry to check if your site is leaking sensitive database files to the public.