Disaster recovery is something everyone hates to discuss, but something that everyone needs to be aware of.

A disaster recovery plan is more complicated than just pressing the restore button on your backup plugin, and is definitely something you want to be familiar with before you actually need to put it into action on your WordPress site.

We’ve compiled an ultimate checklist, covering the circumstances that lead up to the disruption or break in service. You need to know What, Where, and When before you can determine How and Why. In today’s more complicated technical world, you also need a checklist that can help you determine the Who.

This is not just another article listing software tools – we already have lots of great “best of breed” plugins and themes articles. We have instead summarized best practices that will help guide you to a successful recovery of your WordPress site. We recommend old-fashioned, low-tech methods that complement excellent software.

What Features Do Disaster Recovery Tools Have?

In general, disaster recovery tools include:

  • Scheduled backups to a choice of locations, including cloud-based storage.
  • Maintenance of a backup archive, with options for planned disposal.
  • Simple (and optionally advanced) settings for restoration.
  • Audit log files.

You need to know the What, Where, and When before you restore yesterday’s backup file. Audit log files, mentioned in the above feature list, are the kinds of information you use to begin the process towards a successful recovery of your system.

What Should You Know Before You Restore Your System?

Plugins and themes extending WordPress’ functionality can, unfortunately, also expose it to vulnerabilities. Any weakness increases the risk of software breaking and limiting access to your website. These are the kind of situations where you depend on separate hard copy lists of information to help you return to normal operation.

Years ago it was not uncommon for spinning computer hard disk platters to crash into one another. Those events were described as disasters because they resulted in “physical downtime”. Catastrophic events are less likely to occur today because of changes in hardware, software, and system design.

Distributed networks and redundant systems don’t often “catastrophically fail” in today’s online world; they only experience occasional “service breaks”. Understanding details about the What, When, and Where are critical in repairing a vulnerability and preventing its future occurrence.

Where Are You Most Exposed?

Successful recovery from a break in service requires accurate, up to date information. While some points of failure have predictable locations, the origin of a service break can pop up anywhere. A disaster recovery procedure begins by locating the source of the service disruption. You need a map.

Ultimate Checklist For WordPress Disaster Recovery

Exhibit 1 is a simplified view of your WordPress website. The “Home” folder – marked #3 – holds core and include files (wp-admin and wp-includes). The wp-content/themes and wp-content/plugins folders hold theme and plug-in components that support these core system files. Unfortunately, sometimes a combination of either internal or external sources can cause service breaks. External agents have access to your WordPress installation at #1 and #2 (themes and plugins). The Home folder at location #3, in comparison, is more likely to be exposed to random internal failures than outside factors.

Adding to this situation, premeditated attacks from outside sources using techniques like SQL injection can bypass your software files (and most internal security systems) and directly access data files at #5.

Back to the Who, What, When, and Where

As software flaws and security vulnerabilities are uncovered, updates to WordPress system files and security patches are released to protect website installations. Unfortunately, people often do not apply these critical security hotfixes and updates to their websites. Developers of WordPress (or your hosting platform) have begun doing it for you by forcing an auto-update on your installation software. This relatively new industry practice of auto-updating your WordPress files has complicated the online world.

Any new WordPress update or patch can potentially break a previously working plugin or theme. Third-party developers must upgrade their proprietary code often to maintain compatibility with new software changes. The frequency and complexity of changes affect the reliability of an entire WordPress installation. A developer’s slow or incomplete update to their code potentially limits your software’s delivery of promised features, security, and website recoverability in the event that something causes a break in service. Ecosystems, whether in nature or online, are a subtle balance of all working parts.

The Ultimate Checklist

An Ultimate Checklist for WordPress Disaster Recovery starts and ends with your business objectives. Both your business plan and website design serve your business goals. Are you an e-commerce service business or information subscription service? Are clients paying for AdWords on your site? How would a service break affect on your business?

1. Background Tracking Features

You need to track all background events in your software installation. Remember the recommendation that good backup software has log files? Audit logs provide diagnostic information that help identify events leading to a service break. WordPress Security Audit Log (current v2.0.1) and its premium report generator are useful tools. An alternative example is WordPress Simple History (current v2.1.4).


Audit logs typically record every event that occurs in the installation – from bootup to shutdown. A best practice is to read these files like a diary, tracking the Who, What,Where, and When occurring every day in your installation.

Why read your logs? The best way to identify suspicious events is to know what “normal” looks like on a daily basis.

2. Plugin and Theme Revision Dates

Keep a separate inventory of plugins that add functionality to your website. WordPress Plugin Organizer (current v.6.0.4) is an example of software that not only lists these third party components but can selectively enable or disable their use.


Since plugins can cause service breaks – especially after an unannounced automatic update of your installation – tracking how well a developer supports their product is becoming increasingly important. Select plugin and theme component software in terms of their popularity and the developer’s support history – both of these aspects will reveal a lot about the state of the software you’re looking into.

Consider ordering your plugins based on “most recent update age”. You can list the most current software products on your website at the top of the list, much like the “Freshness” scores under the Support tab at WordPress.org. Consider replacing software products that don’t maintain a reasonable revision schedule.

3. Catalog All Your “Personal” Online Assets

Do you realize that your online presence is your “brand”? There are all kinds of online “belongings” unique to your website that define who and what you are. Compile a list and keep separate inventories of objects (intellectual property) such as graphics, articles, e-books, and posts that define you. There are database files that catalog this information so that WordPress can find it. Your “brand” graphics and publishable items are usually stored in separate folders.

Remember location #5 in Exhibit 1 above? WordPress TablePress (current v1.6) is an example of software that generates lists from these database tables.


Keep copies of all your “brand” assets off-site in case a catastrophic event blocks or deletes the file directories on your host platform.

4. Document Disaster Events With Time-Date-Stamped Pictures

When a service break occurs, take pictures to document the event. Premium tools likeTechSmith’s Snagit (current v12.3.0), freeware snipping tools, or even your smartphone have many useful features like automatic time-date stamps.


This enables you to record any irregularities, alert messages, or system events associated with a disruption in service.

5. Keep Emergency Contact Information Current

When strange stuff happens, who are you “gonna” call? Keep an accessible list of all emergency contacts like your hosting service, theme/plug-in developers, etc. Add information such as a website address, phone number, and email address as active hyperlinks to enhance accessibility on, for example, a smartphone.

If an audit report lists a plugin, you have the specific developer’s contact information and, in a separate source, your plugin’s version number, immediately accessible to you! Imagine a situation where you use your smartphone to take a screenshot of an error message, and you want to share it with that developer via SMS or email. The more you help a support person, the faster they can help you.

Wrapping It Up

To prepare and be in the best possible position when disaster strikes, follow our simple five-point checklist:

  1. Track all background events within your software with audit logs. Monitor them daily to enable you to quickly spot any deviations.
  2. Keep a list of your plugins, tracking version numbers and “last revision dates”. This will provide clues that possibly explain a service break.
  3. Keep copies of ‘brand-defining’ items offsite. Replacing software is relatively easy; replacing old graphics, articles and posts is an entirely different matter.
  4. Procure software that enables you to take screenshots with time/date stamps. They are a very efficient way to describe an irregularity to a support person.
  5. Create a report to house all important contact information. If something goes wrong, you’re going to know exactly who you should contacting, and how.


Article by: Tom Ewer for Elegant Themes