The 3-2-1 backup rule explained
It’s a Monday morning. You sit down to check your WordPress site after the weekend, expecting to glance over your analytics. Instead, you’re met with a blank white screen – or worse, a ransom message asking for Bitcoin to get your files back.
We often think of data loss as something that happens to “other people”, until it happens to us. Whether it’s a failed plugin update that crashes your site, a malicious hack, or a server-side hardware failure, the threat is real. That is where the 3-2-1 backup rule comes in. It isn’t just technical jargon; it is a safety net that ensures no matter what happens to your website, you can bounce back and restore your site as if nothing happened.
Key takeaways
- The 3-2-1 backup rule protects you from single points of failure by spreading your data across locations and storage types
- Relying only on your web host’s backups puts your site at risk if that account is compromised
- WordPress backups must always include both files and the database to be restorable
- Offsite, automated backups are essential for ransomware protection and recovery
- A reliable backup plugin makes the 3-2-1 rule practical, not theoretical
What is the 3-2-1 backup rule?
The 3-2-1 backup rule was originally coined by photographer Peter Krogh to protect digital assets. It has since become a widely accepted baseline for data protection. The concept is based on redundancy. If one backup fails, you have another. If a disaster wipes out your office or your server, you have a copy somewhere else.
Here is the breakdown:
3 total copies of your data
You should always have three distinct copies of your website. This includes your live production data (the website people are visiting right now) and two additional backup copies. Why three? The chances of three separate locations failing at the same time are extremely low.
2 different types of media
You should store your copies on at least two different types of storage media. In the old days, this meant having one copy on your computer’s hard drive and another on a CD or external hard drive.
For a modern WordPress user, “media” translates to different remote storage environments. For example, having one copy on your web server’s local disk and another copy on a remote cloud storage system like Amazon S3, Google Drive, or Dropbox. This protects you against platform-specific failures. If Google Drive goes down, your local server copy is safe. If your server crashes, your cloud copy is safe.
1 copy offsite
This is the most critical component. You must keep one copy of your data in a physical location separate from the others. If your office burns down and your computer and backup drive are on the same desk, you lose everything.
In the context of web hosting, “offsite” means “not on your web host’s servers.” If your hosting company suffers a massive data center failure or a hack that wipes their servers (and yes, this happens), your offsite copy in a separate cloud account is your lifeboat.
Why WordPress sites are uniquely vulnerable
You might be thinking, “My host does daily backups, isn’t that enough?”
This is a common assumption, and it’s a risky one. Relying on your host for your only backup creates a single point of failure. If your hosting account gets hacked, the attacker often gains access to those backups and deletes them.
If you get locked out of your account due to a billing dispute, you lose access to your site and your backups instantly.
Furthermore, WordPress sites are complex. They are made up of two distinct parts:
- The file system: This includes your themes, plugins, uploads (images/videos), and core WordPress files.
- The database: This is where your actual content lives – your blog posts, page text, comments, user accounts, and settings.
I have seen people manually copy their “wp-content” folder via FTP and think they are safe. But if they didn’t export the database, all they have is a pretty design with no words. Conversely, having the database without the files means you have the text but no way to display it.
The 3-2-1 backup rule forces you to treat both of these elements as critical assets. You need to bundle them together and ship them off to different locations to ensure you can restore your site exactly as it was.
How to apply the 3-2-1 backup to your site
Now that we know the theory, let’s look at how this works in practice for a WordPress site owner. You don’t need to be a sysadmin to set this up. You just need a workflow.
Step 1: the production copy
Your live website is Copy #1. It lives on your web host’s server. This is the copy that is vulnerable to hacks, updates gone wrong, and user error.
Step 2: the local backup
You need a second copy that is easily accessible. Many people choose to store a backup on their local computer. Downloading a complete backup of your site once a month to a hard drive in your office or home fulfills the “different media” requirement perfectly.
This protects you against internet-wide issues. If the internet goes down or cloud services are unreachable, you still physically possess your data. It gives you a sense of ownership that the cloud cannot replicate.
Step 3: the automated offsite copy
This is where Copy #3 comes in, and this is where automation is essential. You need a copy sent automatically to a secure cloud location.
This is where a backup solution like UpdraftPlus fits into your strategy. Rather than manually logging in to FTP, zipping files, and dragging them to Dropbox every week, you can configure the plugin to do the heavy lifting for you. It can zip up your files and database and push them directly to remote storage locations like Google Drive, Amazon S3, or Microsoft OneDrive.
This separation essentially creates an “air gap.” If your website gets infected with malware, that malware cannot easily jump from your web server to your secure Google Drive account, keeping your third copy clean and ready for restoration.
Why automation beats memory
We’re human – we forget things. If your backup plan relies on remembering to click “backup” every Friday at 5pm, it won’t hold up for long. The beauty of modern WordPress tools is that you can “set and forget” this backup schedule. A good rule of thumb is to back up as frequently as you update. If you post daily, back up daily. If you post monthly, a weekly backup might suffice.
How to implement the 3-2-1 strategy using UpdraftPlus
Now that you understand the “why,” let’s look at the “how.” The reason UpdraftPlus is often the go-to recommendation for this strategy is that it natively handles the separation of storage locations, which is the hardest part to script manually.
The very first step is installing the UpdraftPlus plugin on your WordPress site. Once that is out of the way, here is a step-by-step workflow to turn your WordPress dashboard into a 3-2-1 command center.
Step 1: Connect your offsite storage
The most critical step is getting your data off the web server.
1. Navigate to Settings > UpdraftPlus Backups in your WordPress dashboard.
2. Click on the Settings tab.
3. Scroll down to Choose your remote storage.
4. Select a service distinct from your hosting. Storing backups on an alternative cloud service like Google Drive, Dropbox, or Amazon S3 counts as “different media” (Cloud Object Storage vs. Block Storage) and satisfies the “Offsite” requirement.
5. Follow the on-screen prompts to authenticate and link your account.
Step 2: Automate the backup schedule
You need backups on a consistent schedule so that you always have enough copies.
1. In the same Settings tab, look for Files backup schedule and Database backup schedule.
2. Change them from Manual to a frequency that matches your posting schedule (e.g., Weekly for files, Daily for database).
3. Set “retain this many scheduled backups” to at least 2. This ensures you always have historical versions if a recent backup is corrupted.
Step 3: Create the ‘Local’ copy
To strictly adhere to the 3-2-1 rule, you want a copy that isn’t on the internet at all. This protects you if both your web host and your cloud storage provider suffer outages simultaneously.
Option 1: The automated sync
Why work harder than you have to? If you use a cloud provider like Dropbox, Google Drive, or OneDrive for Step 1, simply install their desktop app on your computer.
- Configure the app to sync your remote backup folder to your PC.
- Now, every time UpdraftPlus pushes a backup to the cloud, your desktop app automatically pulls a copy down to your hard drive.
This achieves a fully automated “set and forget” offline backup.
Option 2: The manual download
If you prefer total manual control, you can do this anytime from the dashboard:
1. Go to the Backup / Restore tab.
2. Scroll down to Existing Backups.
3. Click the buttons for Database, Plugins, Themes, Uploads, and Others.
4. Once UpdraftPlus prepares the files, click Download to your computer.
5. Move these zip files to an external hard drive or a dedicated folder on your computer.
Result:
- Copy 1: Live on your server.
- Copy 2: Safe in the Cloud.
- Copy 3: Safe on your hard drive.
You have now achieved full 3-2-1 compliance.
Secure your site while you sleep
Relying on manual backups is where things often go wrong. UpdraftPlus Premium handles multiple backup destinations for you, keeping your 3-2-1 strategy on track.
Common backup mistakes to avoid
Even experienced site owners slip up with backups. These are some common mistakes I see.
Storing backups on the same server
It’s worth stressing at this point: do not leave your backup zip files in a folder on your web server. If you have a folder like /wp-content/backups/ full of zip files, you are simply filling up your hosting disk space.
More importantly, if the server fails, you lose both the site and the backups. Always send backups offsite immediately.
Ignoring the 3-2-1 rule for small sites
“I just have a small blog, I don’t need this.” I hear this often. But small sites are often more vulnerable because they typically have fewer security defenses.
It takes the same effort for an automated bot to attack a small site as it does a large one.
The 3-2-1 rule is scalable; it applies just as much to a personal recipe blog as it does to a corporate enterprise.
Inconsistent schedules
If your last backup was three months ago but you’ve published twenty articles since then, that backup is stale. Restoring from it means losing three months of work.
Always align your backup frequency with how often your content changes.
The future of data protection: the 3-2-1-1-0 rule
The 3-2-1 backup rule is still the foundation of good data protection, but it’s evolving in response to newer threats like ransomware and silent data corruption.
This is where the 3-2-1-1-0 model comes in. It builds on the original rule with two additional safeguards.
The extra “1” refers to immutable storage, a backup copy that’s locked and can’t be altered or deleted for a set period, even if an attacker gains access. The “0” stands for zero errors, meaning backups are regularly verified so you know they can actually be restored.
For WordPress site owners, this doesn’t mean you need to overhaul your setup overnight. It’s about understanding where best practice is heading. Some storage providers already support immutable backups (such as Amazon S3 Object Lock), which adds an extra layer of protection for high-value or frequently updated sites.
Think of 3-2-1-1-0 as the next step beyond the basics – not a replacement for 3-2-1, but an option to strengthen it as your site, traffic, or risk profile grows.
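One way to automate the “0” in 3-2-1-1-0 together with the files-plus-database requirement, as an added example (not UpdraftPlus code and not from the original article): the Python script below audits the newest backup set on your hard drive against a downloaded copy of the offsite folder. The archive naming pattern, the two directory arguments and all function names are assumptions; adjust the pattern to match your own backup files.

```python
import gzip, hashlib, os, re, shutil, tempfile, zipfile, zlib
from pathlib import Path

# Assumed naming: <set-id>-<part>.<ext>, where the set id starts with a sortable timestamp.
NAME = re.compile(r"^(?P<set>.+)-(?P<part>db|plugins|themes|uploads|others)\.(gz|zip)$")
REQUIRED = {"db", "plugins", "themes", "uploads", "others"}  # database plus every file archive

def readable(path):
    """True if the archive decompresses end to end, i.e. it could actually be restored."""
    try:
        if path.suffix == ".zip":
            with zipfile.ZipFile(path) as zf:
                return zf.testzip() is None
        with gzip.open(path) as src, open(os.devnull, "wb") as sink:
            shutil.copyfileobj(src, sink)
        return True
    except (OSError, EOFError, zlib.error, zipfile.BadZipFile):
        return False

def audit(local_dir, offsite_dir):
    """Findings for the newest set: completeness, integrity, and a matching offsite copy."""
    sets = {}
    for f in Path(local_dir).iterdir():
        if m := NAME.match(f.name):
            sets.setdefault(m["set"], {})[m["part"]] = f
    if not sets:
        return ["no backup sets found"]
    newest = max(sets)
    findings = [f"{newest}: missing {p}" for p in sorted(REQUIRED - set(sets[newest]))]
    for _, f in sorted(sets[newest].items()):
        twin = Path(offsite_dir, f.name)
        if not readable(f):
            findings.append(f"{f.name}: corrupt archive")
        elif not twin.exists():
            findings.append(f"{f.name}: no offsite copy")
        elif hashlib.sha256(twin.read_bytes()).digest() != hashlib.sha256(f.read_bytes()).digest():
            findings.append(f"{f.name}: offsite copy differs")
    return findings

def demo():
    """Constructed sample: no uploads archive, a truncated db dump, one good offsite copy."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        local, offsite, sid = Path(a), Path(b), "backup_2024-05-01-0300_example"
        for part in ("plugins", "themes", "others"):
            with zipfile.ZipFile(local / f"{sid}-{part}.zip", "w") as zf:
                zf.writestr("readme.txt", part)
        shutil.copy(local / f"{sid}-plugins.zip", offsite)     # intact offsite copy
        (offsite / f"{sid}-themes.zip").write_bytes(b"stale")  # offsite copy has diverged
        (local / f"{sid}-db.gz").write_bytes(gzip.compress(b"INSERT INTO wp_posts;" * 50)[:20])
        return audit(local, offsite)
```

Run `audit()` on a schedule after each backup and treat any non-empty result as a failed backup; an empty list means the newest set is complete, readable and identical in both locations.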
Conclusion
The 3-2-1 backup rule isn’t about ticking boxes; it’s about removing uncertainty. When something goes wrong (and eventually, something will), the difference between panic and a quick recovery comes down to how well your backups are set up.
For WordPress sites, that means having more than one copy, keeping backups off your hosting server, and ensuring both files and the database are included. Doing this manually might work once or twice, but it’s not sustainable long term.
This is where tools like UpdraftPlus earn their place. They take a proven backup strategy and make it realistic for everyday site owners by automating the process, separating storage locations, and reducing the chances of human error.
If you wait until a site goes down to think about backups, it’s already too late. Set things up properly now, automate what you can, and let your backups do their job quietly in the background.
What is the 3-2-1 rule for backups?
The 3-2-1 rule is a simple backup strategy: three copies, two storage types, one offsite. It is designed to ensure that no single event, whether it is fire, theft, or digital failure, can destroy your work.
Does Google Drive count as a different media type?
Yes, it does. If your main site lives on a web server, storing a backup in a cloud service like Google Drive counts as a different storage environment. It’s physically separate from your host and runs on a completely different infrastructure, which helps cover both the “different media” and “offsite” parts of the 3-2-1 rule.
How often should I perform a 3-2-1 backup?
This really comes down to how often your site changes. If you run a WooCommerce store, membership site, or active blog, daily (or even more frequent) backups make sense. For simpler sites that rarely change, a weekly or monthly backup is usually enough. A good rule of thumb is to back up as often as you’d be unhappy to lose data.
Can I just use a plugin for all of this?
Yes, and for most WordPress sites, that’s the sensible option. Trying to manage a 3-2-1 backup strategy manually relies heavily on memory and discipline, which is where things tend to break down. A plugin like UpdraftPlus is built to handle this for you, bundling your files and database together and automatically sending backups to offsite storage, so the strategy keeps working in the background and you don’t have to think about it.
About the author
Becks Faulkner
Becks is the SEO Manager at Updraft WP Software Ltd. She has specialised in search engine marketing for over 11 years. Her background spans various industries, with a primary focus in financial and tech sectors. She is driven by her passion for enhancing organic visibility with holistic SEO strategies.