Back to blog

Agency recovery

How to Prepare a WordPress Disaster Recovery Plan for a Client Site

A practical agency runbook for client WordPress recovery: who to call, what access you need, which backup to use, how to choose the right restore path, and how to report the work afterward.

Illustration of an agency recovery dashboard coordinating backups, secure storage, and restored client websites.
A client recovery plan should connect people, access, backups, restore decisions, testing, and reporting before the emergency starts.

When a client WordPress site breaks, the technical problem is only half the problem. The other half is operational: who can approve a restore, who has hosting access, which backup is safe to use, what data may be lost, who tells the client what is happening, and how the agency proves the site is healthy after the recovery. A WordPress disaster recovery plan answers those questions before the site is offline, infected, overwritten, or losing revenue.

For freelancers and agencies, disaster recovery planning is not just an internal convenience. It is part of client trust. A client may assume that "we have backups" means the agency can recover any issue quickly. In reality, a backup by itself does not decide whether to restore files, restore the database, roll back a plugin, clean malware, clone to staging, change DNS, or preserve recent orders before doing anything else. Those decisions need a plan.

This guide is written for agencies, freelancers, and site care teams responsible for client WordPress sites. It focuses on practical planning rather than vague disaster recovery theory. By the end, you should have a complete structure for a client recovery runbook: contacts, credentials, access, backup scope, recovery objectives, restore decision rules, incident communications, testing cadence, and client reporting. Use it as a checklist for one client site or as the basis for a repeatable agency process across many client sites.

The short version

A strong WordPress disaster recovery plan names the people, defines the recovery targets, maps every access point, confirms off-site backups, documents restore decisions, tests the process, and reports recovery results. The plan should be simple enough to use under pressure and detailed enough that another qualified person on your team can follow it when the usual developer is unavailable.

Why Agencies Need a WordPress Disaster Recovery Plan

A client site can look simple from the outside and still be complicated to recover. WordPress stores content, users, orders, settings, plugin records, menus, widgets, page builder data, theme options, media files, and configuration across both the database and filesystem. A broken plugin update may require a files-only rollback. A deleted page may require a database recovery. A malware incident may require file cleanup, database inspection, credential rotation, and a new clean backup. A WooCommerce issue may require preserving new orders before restoring anything.

The agency problem is that the person who knows the most about the site may not be the person available during the incident. The account manager may get the first client message. A junior developer may be on call. The hosting account may be under the client's email address. The DNS provider may be unknown. The backup plugin may be installed, but no one may know whether the latest recovery point is complete. Without a plan, recovery starts with discovery, and discovery is slowest when the client is already stressed.

A disaster recovery plan turns tribal knowledge into an operating document. It should make the first hour of an incident much more predictable. The plan does not need to be a 60-page compliance document. In most agencies, the best plan is a concise internal runbook supported by accurate access records, tested backups, and a client-facing summary that explains what is covered. The goal is not paperwork. The goal is faster, calmer, safer recovery.

There is also a commercial reason to build this process. Agencies that manage many WordPress sites need repeatability. If every client site has a different recovery process, every emergency becomes custom work. If each site has a standardized plan, your team can triage faster, onboard new staff more safely, quote maintenance retainers more confidently, and show clients that backup and recovery are managed services, not improvised favors.

What Counts as a Disaster for a Client WordPress Site?

The word "disaster" can sound dramatic, but in client work it means any incident where normal site operations are interrupted and recovery requires a controlled response. A disaster does not have to be a total server loss. It can be a smaller event that still affects revenue, reputation, security, or client confidence.

Common WordPress disaster scenarios include a white screen or fatal error after an update, a hacked site, a deleted landing page, corrupted database tables, missing media files, bad theme deployment, broken checkout, failed migration, hosting suspension, DNS misconfiguration, expired domain, damaged wp-config.php, accidental bulk deletion, malicious admin activity, ransomware on the hosting account, or an unavailable hosting provider. For agencies, a disaster can also be procedural: the site is fixable, but no one has the right login, backup access, or approval to act.

A good recovery plan classifies incidents by impact and urgency. A broken blog layout is not the same as a broken checkout. A staging site failure is not the same as a production malware redirect. A missing image on one page is not the same as database corruption. Classification helps your team choose the right response level instead of treating every issue as either "minor ticket" or "full emergency."

Incident type Typical impact Likely recovery path
Failed plugin or theme update Fatal error, broken layout, disabled functionality Files-only rollback, plugin disablement, restore from staging, or full restore if settings changed
Content deletion or bad edit Missing page, post, menu, media, or page builder content Database recovery, revision recovery, selective content recreation, or staging restore for comparison
Malware or suspicious redirects Security risk, search warnings, damaged trust Stabilize, preserve evidence, clean files and database, rotate credentials, restore only from known-clean points
Hosting or server failure Site unavailable, backups on same host may be inaccessible Restore to alternate hosting using off-site backup and DNS plan
WooCommerce data issue Orders, customer records, subscriptions, inventory, or payment workflow affected Careful database decision, export recent records, preserve order data, test checkout before reopening

Write these categories into the client plan. The wording can be simple: low impact, elevated impact, business critical, and security incident. The important part is that each category has an expected response time, escalation path, and restore approval rule. That prevents the team from making the same judgment calls from scratch during every incident.

Define RTO and RPO in Client-Friendly Language

Two terms matter in every disaster recovery plan: recovery time objective and recovery point objective. They sound formal, but the concepts are simple and useful for client conversations.

Recovery time objective, or RTO, is the target amount of time to get the site back to an acceptable working state after an incident. It answers: "How long can this site be down or degraded before the impact becomes unacceptable?" A brochure site might tolerate a next-business-day recovery target. A lead generation site may need same-day recovery. A high-volume store may need a much tighter target.

Recovery point objective, or RPO, is the maximum amount of data the client can afford to lose. It answers: "If we have to restore, how far back can the site go?" For a mostly static site, losing a few hours of edits may be acceptable. For a WooCommerce store, losing an hour of orders may be unacceptable. For a membership site, losing new registrations or course progress may create support problems even if the public site is back online.

The plan should translate RTO and RPO into clear service expectations. Avoid promising "instant recovery" unless the infrastructure, tooling, staffing, and contract actually support it. A realistic plan is more valuable than an optimistic plan. If the client wants a two-hour recovery target, the agency needs appropriate monitoring, backup frequency, access, staging or alternate hosting options, and after-hours coverage. If the client only pays for basic maintenance, a next-business-day target may be more honest.

Site type Reasonable RPO discussion Reasonable RTO discussion
Small brochure site Daily recovery points may be enough if content changes infrequently. Same day or next business day may be acceptable, depending on lead value.
Active publisher or blog Daily backups may work, but heavy editorial calendars may need more frequent database protection. Same day is often preferred because traffic and ad revenue may be affected.
WooCommerce store Short RPO is important because orders, customers, inventory, coupons, and subscriptions change often. Fast recovery matters because downtime directly affects revenue and support load.
Membership, LMS, or community Short RPO may be needed for registrations, profile changes, course progress, and private content. Recovery target depends on member expectations and contractual obligations.

The biggest mistake is discussing backup frequency without discussing acceptable data loss. "Daily backups" sounds fine until a client realizes that a restore could remove today's orders or form submissions. Put the tradeoff in writing. If the client chooses a lower-cost plan with daily backups, the plan should say what that means. If the client needs tighter recovery, recommend the backup frequency and operational coverage that matches the risk.

Create a Contact and Role Matrix

During a recovery event, you do not want to search email threads for the person allowed to approve a restore. Every client recovery plan should name the roles, the people currently filling those roles, and the escalation path if someone is unavailable.

At minimum, define a client business owner, client technical contact if one exists, agency incident lead, agency technical lead, hosting contact, DNS/domain contact, backup system owner, and billing contact for service interruptions caused by expired cards or suspended accounts. For larger clients, add communications, legal, security, and ecommerce operations contacts. For small clients, one person may fill several roles, but the role still needs to be clear.

Separate authority from awareness. Some people should be informed but should not approve technical changes. Some people can approve emergency restore actions. Some people can approve downtime windows. Some people can approve DNS moves. Some people can approve work that might affect orders or customer data. If that authority is vague, the agency may either wait too long or act too aggressively.

Role Purpose Plan details to record
Client business approver Approves disruptive restores, downtime windows, and tradeoffs involving data loss. Name, phone, email, backup approver, normal hours, after-hours rule.
Agency incident lead Owns coordination, client updates, and final recovery notes. Primary person, backup person, escalation threshold.
Agency technical lead Runs diagnosis, restore, validation, and technical cleanup. Primary person, backup person, areas of expertise.
Hosting owner Can access server, backups, logs, PHP settings, database tools, and support. Provider, account owner, support PIN rules, control panel URL.
DNS and domain owner Can change DNS, nameservers, domain renewal settings, and emergency routing. Registrar, DNS provider, account owner, renewal status.

Keep this information in your agency's secure client record, not in a public project management comment. The disaster plan can reference where credentials live, but it should not expose raw passwords in plain text. Use a password manager or secure client vault, enforce two-factor authentication where possible, and make sure at least two authorized agency people can access emergency credentials. A recovery plan that depends on one developer's personal login is a weak plan.

Build an Access Map Before You Need It

Access is the most common non-technical blocker in client recovery. The backup might exist, but the person responding may not have the login. The host might have file backups, but the account may be under the client's former employee. The domain might be registered somewhere separate from DNS. The site might use Cloudflare, a transactional email service, object storage, a CDN, a security firewall, and a payment gateway, each with different credentials. The disaster plan needs a map.

For every client site, record where the agency can access WordPress admin, hosting control panel, SFTP or SSH, database management, DNS, domain registrar, CDN, web application firewall, transactional email, payment gateway settings, backup dashboard, license keys for critical plugins, and any external services used by the site. You do not need to put secret values directly in the plan. You do need to document the provider, account owner, access method, privilege level, and where the credential is stored.

Privilege level matters. A WordPress administrator login is not the same as hosting access. SFTP access is not the same as database access. DNS access is not the same as registrar access. A developer may be able to disable a plugin but unable to restore a database. An agency may have a backup dashboard but no DNS control to move the site if the host is down. The plan should make these gaps visible before an incident.

  • WordPress admin: confirm at least two agency-controlled admin accounts or an agreed emergency account process.
  • Hosting: confirm control panel, SFTP or SSH, database, logs, cron, PHP settings, and support access.
  • Domain and DNS: confirm registrar, DNS provider, nameservers, renewal status, and who can approve changes.
  • Backups: confirm backup dashboard access, restore permissions, download permissions, retention, and latest backup status.
  • External services: confirm CDN, firewall, SMTP, payment, search, CRM, forms, membership, LMS, and license access.

For agencies with many clients, standardize the access map as part of onboarding. Every new maintenance client should go through the same access checklist before the agency promises recovery support. If the client refuses to provide certain access, document that limitation. It may be reasonable, but it changes what you can recover and how fast you can recover it.

Inventory the WordPress Site Like You Will Have to Rebuild It

A recovery plan should include a practical inventory of the site. This does not mean documenting every setting in WordPress. It means recording enough information to understand what must be restored, what must be excluded, what must be tested, and what services must be checked after recovery.

Start with the basics: production URL, staging URL if one exists, WordPress version, PHP version, database type and version if available, active theme, child theme, critical plugins, ecommerce or membership components, custom code locations, cron jobs, cache layers, CDN, DNS provider, email sending method, search integration, analytics, consent tools, and forms. Record whether the site has custom tables, mu-plugins, composer dependencies, build steps, object caching, custom uploads directories, symlinks, or server-level redirects. These details decide whether a simple restore is enough.

WordPress sites often hide business-critical data inside plugins. A form plugin may store leads in the database before sending email. An LMS plugin may store course progress. A booking plugin may store appointments. A membership plugin may store subscription state. A multilingual plugin may store translations across many tables. A page builder may store layouts in post meta. Your inventory should identify which plugins hold data that the client cares about, because restoring the database can affect all of it.

The inventory should also identify what does not need to be restored. Cache directories, generated image caches, temporary files, local backup archives, debug logs, and build artifacts can slow backups and restores. If a site contains huge video files, raw design files, old staging exports, or backup zips inside wp-content, decide whether they belong in the backup set. A recovery plan is easier to trust when the backup scope is intentional.

Inventory rule

Document the parts of the site that would surprise a new developer during recovery. If the site needs a special rewrite rule, background worker, license key, server extension, external webhook, or plugin-specific restore step, it belongs in the disaster recovery plan.

Design the Backup Strategy Around Recovery, Not Storage

Backups are the foundation of the plan, but the plan should be written from the recovery side. The question is not only "Are backups running?" The better questions are: can the agency reach the backup if production hosting is down, can the backup be restored to another environment, does the backup include the right database and files, how old is the latest verified recovery point, how long are recovery points retained, and who can approve deletion or restore actions?

For client sites, off-site backups are especially important. If backups exist only inside the same hosting account, they may be unavailable during the exact incidents where the agency needs them most: hosting outage, account suspension, disk failure, compromised control panel, destructive malware, or accidental deletion. Same-server backups can be useful for convenience, but they should not be the only copy in a client disaster recovery plan.

A complete WordPress backup strategy usually includes the database, uploads, themes, plugins, key configuration files, and any custom code required to run the site. It should exclude files that make recovery slower without adding value, such as caches, temporary files, old local backup archives, and generated exports. The plan should name the backup system, backup frequency, retention period, storage location, encryption expectations, restore method, download method, and alerting process for failed or missed backups.

Backup frequency should follow the client's RPO. A daily backup may be fine for a site that changes weekly. It may be inadequate for a store, membership site, LMS, directory, marketplace, or busy form-driven lead site. For high-change sites, consider more frequent database protection, order exports, transaction logs, or platform-specific safeguards. The plan should state the known gap. If the most recent recovery point is from 2:00 AM and the incident happens at 3:00 PM, the team needs to know what data may have changed during that window.

Retention should follow the risk of delayed discovery. A bad plugin update is usually noticed quickly. Malware, content mistakes, SEO spam, hidden redirects, and accidental deletion may be discovered days or weeks later. If the client only has seven days of history, a problem discovered on day ten may have no clean restore point. Longer retention is not always required, but the decision should be deliberate and documented.

Backup setting Question the plan should answer Why it matters
Frequency How often are database and file recovery points created? Defines likely data-loss window during restore.
Retention How far back can the agency recover? Helps with delayed malware, accidental deletion, and client rollback requests.
Storage location Are backups off-site from production hosting? Protects recovery access if the host or account fails.
Restore scope Can the agency restore files, database, or both separately? Reduces unnecessary data overwrite during targeted incidents.
Verification How does the agency know a backup is usable? Prevents false confidence in incomplete or failed backups.

The recovery plan should also say what happens when backups fail. Missed backup alerts should go somewhere monitored. Repeated failures should become a ticket, not background noise. If a site exceeds a storage limit, changes file count dramatically, or starts producing partial backups, the agency should investigate before the client needs a restore.

Write a Restore Decision Tree

The most dangerous recovery mistake is using a full restore when a targeted restore would be safer. A full restore can be exactly right after a failed deployment, major corruption, or server loss. It can also overwrite good recent data. A decision tree helps the responder choose a recovery path based on what broke.

Start with three questions. First, is the site currently unsafe, unavailable, or losing money? Second, what changed immediately before the problem appeared? Third, does recovery require changing files, database records, or both? The answers usually point toward one of several paths: disable a plugin, roll back files, restore database, restore both files and database, restore to staging for comparison, rebuild manually, clean malware, or move hosting.

A files-only restore is often appropriate when the incident involves plugin files, theme files, WordPress core files, or accidentally deleted media. It may fix a failed update without overwriting orders or form submissions. A database-only restore may be appropriate when content, settings, menus, widgets, page builder layouts, users, or plugin records were deleted or corrupted. A full restore may be appropriate when the files and database need to return to the same point in time, such as after a botched migration or widespread compromise.

The plan should explicitly warn that database restores are business decisions, not just technical actions. The database may contain recent orders, new users, comments, leads, appointments, inventory changes, subscription renewals, support records, and admin edits. Restoring yesterday's database might bring back a deleted page, but it may also remove today's transactions. The agency should identify what changed after the chosen recovery point and get approval before overwriting data that may matter.

Symptom First recovery option to consider Approval note
Fatal error after plugin update Disable plugin, roll back plugin files, or restore files only. Usually low data-loss risk if database did not change.
Deleted page or page builder layout Check revisions, restore to staging for copyout, or database restore. Database restore may overwrite newer content or transactions.
Malware redirect Contain, identify clean point, clean files and database, rotate credentials. Do not restore from a point that may already include the infection.
Host account unavailable Restore off-site backup to alternate hosting and update DNS if approved. Requires DNS authority and client approval for provider change.
Broken checkout on active store Stabilize checkout, capture recent order data, test payment flow, avoid old database restore if possible. Client should approve any restore that could affect orders or inventory.

When in doubt, restore to staging first. A staging restore lets the team inspect files, compare content, recover a deleted page, test plugin behavior, or confirm whether a backup is clean without touching production. Staging is not a substitute for production recovery, but it is a powerful safety step when the right action is unclear.

Create the Incident Workflow

The incident workflow is the step-by-step process your team follows when something goes wrong. It should be clear enough to use in a real emergency and flexible enough to handle different incident types. The best workflows start with stabilization, then diagnosis, then recovery, then validation, then reporting.

Step 1: Acknowledge and classify. Confirm the report, record the time, identify the affected URL or feature, assign an incident lead, and classify the impact. Is the whole site down? Is checkout broken? Is there a security warning? Is the client reporting data loss? This first classification determines urgency and who needs to be notified.

Step 2: Stabilize before making changes. Avoid frantic clicking. Capture screenshots, error messages, logs, recent update history, and current backup status. If the site is actively causing harm, put it in maintenance mode, disable a broken integration, block suspicious traffic, or pause scheduled jobs as appropriate. If malware is suspected, preserve enough evidence to understand the entry point before wiping clues away.

Step 3: Confirm backup availability. Check the latest recovery point, the last known clean point, the backup scope, and whether files and database can be restored separately. If backup health is unclear, do not assume the newest backup is usable. Identify at least one primary recovery point and one fallback point.

Step 4: Decide the recovery path. Use the decision tree. Choose files-only, database-only, full restore, staging restore, manual fix, malware cleanup, or host migration. If the action can affect business data, get client approval and record the approval. Include the expected data-loss window, downtime estimate, and validation checklist.

Step 5: Execute carefully. Make one controlled change at a time when possible. If you are restoring production, consider taking a final current-state backup first, even if the current state is broken. That gives you a way to recover anything created after the chosen recovery point. Keep a log of actions, times, and results.

Step 6: Validate the site. Do not declare recovery complete because the homepage loads. Test the actual business functions: checkout, forms, login, search, key landing pages, admin access, media, menus, scheduled tasks, email sending, tracking scripts, caching, SSL, redirects, and mobile layout. The validation checklist should be specific to the client site inventory.

Step 7: Communicate and document. Tell the client what happened, what was done, what data may be affected, what remains to monitor, and what changes you recommend. Add internal notes to improve the plan. If the incident exposed a missing access path, too-short retention, poor monitoring, or unclear approval rule, fix the plan while the lesson is fresh.

Plan Differently for Stores, Membership Sites, and High-Change Sites

Not all WordPress sites carry the same recovery risk. A small marketing site may be easy to restore. A WooCommerce store, membership site, online course, booking site, directory, marketplace, or community can be much harder because the database changes throughout the day. The plan should identify these special cases and define extra safeguards.

For WooCommerce, the biggest issue is transactional data. Orders, customers, subscriptions, coupons, refunds, stock changes, payment statuses, tax records, and shipping workflows may all change after the last backup. A full database restore can remove or alter records that the client needs. Before restoring a store database, export recent orders, check payment gateway records, identify subscription events, and decide how post-backup records will be preserved or recreated. If possible, use a targeted fix that avoids rolling back the whole database.

For membership and LMS sites, the risk is user state. New registrations, profile updates, subscriptions, access rules, course progress, quiz attempts, certificates, and private content may live in plugin tables and post meta. A restore can create confused members even if the public site appears normal. The plan should include post-restore member validation, login testing, access testing, and support messaging if user records may be affected.

For lead generation sites, form submissions matter. Many form plugins email submissions and also store them locally. If email delivery failed during the incident or the database is restored, leads may be lost or duplicated. The plan should identify where form data lives, how to export recent entries, how to test notification delivery, and whether leads are also sent to a CRM.

For multilingual, multisite, or heavily customized builds, test restores are especially important. These sites can involve custom tables, domain mapping, language-specific URLs, shared plugins, network settings, and object cache behavior. The disaster plan should document the restore order and validation points. A multisite network may need site-level decisions rather than a single global restore.

For sites with compliance or privacy obligations, be careful with backup access and restore copies. Staging environments should not expose private data publicly. Downloaded archives should be handled securely. Access to backups should be limited to authorized people. The plan should reflect the client's data sensitivity and your agency's contractual obligations.

Set a Testing Schedule That Matches the Risk

A disaster recovery plan is only theoretical until it is tested. Testing does not always mean a full production restore. It can include backup health checks, access checks, staging restores, file download tests, database import tests, and tabletop exercises where the team walks through a scenario. The right cadence depends on the site risk and the client's plan level.

At minimum, review backup status monthly for managed client sites. Confirm that backups are running, recent recovery points exist, storage is healthy, and alerts are going to the right place. For important sites, run a quarterly restore test to staging or a controlled environment. For critical ecommerce, membership, or high-traffic sites, consider more frequent validation and a deeper annual drill that includes access, DNS, alternate hosting, and client communications.

Testing should prove more than "a backup file exists." A useful test answers whether the team can access the backup, select a recovery point, restore the database, restore files, load the site, log in, verify key functions, and document the result. If the restore is slow, incomplete, or dependent on one person's knowledge, the test found a real problem. That is the point.

Cadence Test What to record
Monthly Backup health and access review. Latest recovery point, failures, storage warnings, alert recipient, access changes.
Quarterly Staging restore or backup download validation. Restore duration, missing files, database issues, login status, validation checklist result.
Before major work Fresh backup and rollback plan. Recovery point time, deployment scope, rollback owner, client approval if needed.
Annually Full disaster recovery drill for critical sites. RTO result, RPO result, access gaps, communication timeline, plan updates.

Testing also improves estimates. If your team has never restored a 45 GB media library, you do not know how long it takes. If you have never moved the site to alternate hosting, you do not know whether DNS, SSL, email, cron, and caching will work cleanly. A test turns assumptions into evidence.

Report Recovery Readiness to the Client

Clients do not need every technical detail, but they do need confidence that recovery is managed. A simple recurring backup and recovery report can make your maintenance service more tangible. It also creates a record of warnings, limitations, and recommendations before an incident happens.

A useful client report should include whether backups are current, the date and time of the latest recovery point, retention coverage, any recent backup failures, whether restore access was tested, major changes to the site, known risks, and recommended upgrades. For agency clients, it can also include a plain-language recovery summary: "Your site has off-site daily backups with 30 days of history. The latest backup completed successfully. A staging restore test was completed on June 20. No action is required."

When there are issues, say so clearly. "Backups are failing because the site exceeds storage limits" is uncomfortable but valuable. "We do not have DNS access, so a host outage may require client action before recovery can proceed" is a useful limitation. "Your store changes throughout the day, so daily database backups may not meet your data-loss expectations" is a strategic conversation, not a technical footnote.

After an incident, send a post-recovery report. Include the timeline, symptoms, root cause if known, recovery point used, restore scope, validation steps, data-loss assessment, current status, and prevention recommendations. Keep blame out of the report unless it is necessary for a business decision. The goal is a factual record the client can understand and your team can learn from.

WordPress Client Disaster Recovery Plan Template

Use the following structure as a starting point for each client. Keep it short enough to maintain. A stale 20-page document is worse than a current 3-page runbook.

1. Client and Site Summary

  • Client name, production URL, staging URL, and primary business purpose of the site.
  • Site type: brochure, lead generation, WooCommerce, membership, LMS, publisher, multisite, or custom application.
  • Business-critical functions: checkout, forms, login, bookings, member access, search, donations, subscriptions, or integrations.
  • Normal maintenance window and after-hours emergency policy.

2. Recovery Objectives

  • Target RTO for low, elevated, and critical incidents.
  • Target RPO and what data could be lost between recovery points.
  • Approval requirement for files-only, database-only, full restore, DNS move, or host migration.
  • Known limitations, such as missing DNS access or backup frequency constraints.

3. Contacts and Authority

  • Client business approver and backup approver.
  • Agency incident lead and technical lead.
  • Hosting, DNS, domain, security, and ecommerce contacts.
  • Communication channels and update frequency during an incident.

4. Access Map

  • WordPress admin access location and emergency account process.
  • Hosting, SFTP or SSH, database, DNS, registrar, CDN, firewall, SMTP, payment, and backup access.
  • Credential storage location in the agency password manager.
  • Two-factor authentication and backup code owner.

5. Backup and Restore Details

  • Backup provider, storage location, frequency, retention, and alerting.
  • What is included: database, uploads, themes, plugins, configuration, custom code, and special directories.
  • What is excluded: caches, temporary files, old backup archives, generated exports, or other agreed exclusions.
  • Restore options: files only, database only, full restore, download archive, staging restore, or alternate host restore.

6. Restore Decision Rules

  • Failed update: disable plugin or theme, then consider files-only restore.
  • Content deletion: check revisions, restore to staging for copyout, then consider database restore.
  • Malware: contain, identify clean point, clean, rotate credentials, and avoid restoring infected backups.
  • Hosting failure: restore off-site backup to alternate hosting if approved and DNS access is available.
  • Ecommerce issue: preserve orders and payment records before any database rollback.

7. Validation Checklist

  • Homepage, key landing pages, navigation, mobile layout, and media load correctly.
  • WordPress admin login works and critical plugins are active.
  • Forms submit and notifications arrive.
  • Checkout, payment, account, subscription, booking, or member workflows pass if applicable.
  • SSL, redirects, cache, CDN, search, analytics, consent tools, and transactional email are working.
  • Backups resume after the incident and a new clean recovery point is created.

8. Testing and Reporting Schedule

  • Monthly backup health review.
  • Quarterly staging restore or backup download test for managed sites.
  • Pre-update backup before major WordPress, theme, plugin, or hosting changes.
  • Annual full drill for critical sites.
  • Client-facing readiness report and internal plan update after each test.

Common Mistakes to Avoid

Mistake 1: Treating the backup plugin as the plan. A tool can create backups, but it does not define contacts, approval, access, communication, RTO, RPO, validation, or reporting. The plan connects the tool to the agency's operating process.

Mistake 2: Restoring the database too quickly. Database restores can solve content and settings problems, but they can also remove new business data. Always identify what changed after the recovery point, especially on stores and membership sites.

Mistake 3: Depending on one person. If only one developer knows where credentials live or how to restore the site, the agency does not have a reliable client recovery process. At least two qualified people should understand the plan.

Mistake 4: Ignoring DNS and domain access. Hosting outages and migrations often require DNS changes. If the agency cannot access DNS or the domain registrar, recovery may wait on the client during the worst possible moment.

Mistake 5: Never testing the restore path. Untested backups create false confidence. A quarterly staging restore can reveal missing files, broken credentials, slow downloads, plugin license issues, and unclear validation steps.

Mistake 6: Sending vague client updates. "We are looking into it" is fine for the first acknowledgment, but ongoing updates should say what is known, what is being done, what is waiting on approval, and when the next update will arrive.

Frequently Asked Questions

What should a WordPress disaster recovery plan include?

It should include site inventory, client contacts, agency roles, access map, backup details, recovery objectives, restore decision rules, incident workflow, validation checklist, testing schedule, and reporting process. For agencies, it should also name who can approve disruptive actions such as database restores, DNS changes, or host migration.

Is a backup enough for client disaster recovery?

No. A backup is a necessary recovery asset, but the plan decides how to use it. Without a plan, the agency may not know whether to restore files, restore the database, use staging, preserve recent data, change DNS, clean malware, or ask for approval.

How often should agencies test client WordPress backups?

For managed sites, monthly backup health reviews are a sensible baseline. Quarterly staging restore tests are better for sites that matter to the client's revenue or reputation. Critical ecommerce, membership, LMS, and high-change sites may need deeper and more frequent drills.

Who should approve a database restore?

A named client business approver should approve database restores when recent business data may be affected. The agency should explain the recovery point, the expected data-loss window, the alternative options, and the validation plan before proceeding.

Should every client have the same recovery plan?

The structure can be standardized, but the details should vary by site risk. A small brochure site, active WooCommerce store, membership platform, and multisite network have different RTO, RPO, backup frequency, access, and validation needs.

What is the first thing to do when a client site goes down?

Acknowledge the incident, classify the impact, assign an owner, capture the current symptoms, and stabilize the situation before making major changes. Then confirm backup availability and choose the least destructive recovery path.

How should agencies handle malware recovery?

Do not blindly restore the newest backup. Determine when the compromise likely started, identify a clean recovery point, inspect files and database, remove malicious code, patch the entry point, rotate credentials, and create a new clean backup after validation.

What should be in a client-facing recovery report?

Include the incident timeline, impact, likely cause if known, recovery point used, restore scope, validation steps, data-loss assessment, current status, and recommendations. Keep it factual and understandable.

Final Thoughts

A WordPress disaster recovery plan is not about predicting every possible failure. It is about making the most important recovery decisions before pressure, downtime, and client anxiety are involved. For agencies and freelancers, the plan protects both the client site and the client relationship.

The strongest plans are practical. They name the people. They map the access. They define RTO and RPO. They keep backups off-site. They explain when to restore files, database, or both. They protect recent business data. They test the restore path. They report clearly. Most importantly, they are maintained as the site changes.

If your agency manages WordPress care plans, disaster recovery planning can become one of the most valuable parts of the service. Clients may not think about recovery when everything is working, but they will remember how prepared you were when something breaks.

Agency WordPress recovery

Centralize backup health across client sites.

MyWPBackups helps agencies protect WordPress sites with automatic off-site backups, verified recovery points, restore controls, downloadable archives, and centralized backup visibility.

Talk to sales