Short answer: If your hosting provider already runs daily off-server backups, you do not need a backup plugin – their snapshots are more reliable than anything WordPress can do from inside the application. If your host does not back you up (or only backs up the server, not your individual site), the safest free pick is UpdraftPlus, the safest paid pick is BlogVault, and Duplicator is the right choice if you also need migration. Most sites need belt-and-suspenders coverage: host-level backups for disaster recovery plus a plugin for off-site point-in-time copies of the database.
| Plugin | Free / Paid | Best for | Skip if |
|---|---|---|---|
| Host-level snapshots (your provider) | Included | Disaster recovery, full-server restore, ransomware protection | Your host does not offer them |
| UpdraftPlus | Free + paid ($70/year+) | Most sites – good free tier, off-site cloud destinations, large user base | You need real-time incremental backup |
| BlogVault | Paid ($89/year+) | High-stakes sites (e-commerce, membership) needing real-time backup + staging | You want a free option |
| Duplicator | Free + paid ($69/year+) | Backup and migration in one – cloning sites between hosts | You only need backup, not migration |
| Solid Backups (formerly BackupBuddy) | Paid ($99/year+) | Long-time iThemes/Solid Security users wanting a consolidated stack | You are not already in the Solid ecosystem |
| Jetpack Backup (formerly VaultPress) | Paid ($10/month+) | Sites already running Jetpack who want one-click activation | You do not want Jetpack installed |
| BackWPup | Free + paid | Technical owners who want full control over backup destinations and schedules | You want one-click setup |
The honest framing most backup-plugin roundups skip: a backup is only as good as your last successful restore test. The plugin you choose matters less than whether you have actually tried restoring from a backup in the last 90 days. A site running a $200/year premium backup plugin that has never been tested is more vulnerable than a site running free UpdraftPlus that has been restored at least once.
Why your host's backups matter more than the plugin#
Most managed hosts (Hostney, Kinsta, WP Engine, Pressable, SiteGround’s higher tiers, Cloudways, NameHero) take daily backups of every account and store them off-server. These backups capture the entire site – files, database, uploads, themes, plugins, configuration – at the filesystem level, not from inside WordPress.
The difference matters in three failure scenarios:
Database corruption. A plugin running inside WordPress cannot back up a database that WordPress cannot read. If wp_options gets corrupted during an update, the plugin’s scheduled backup either fails silently or backs up a broken database. The host’s filesystem-level snapshot captures the raw
.frm
and
.ibd
files regardless of whether MySQL can serve them.
Compromised site. If your site is hacked and the attacker installs malicious code, a plugin-based backup might back up the malicious code right alongside your real content. The attacker may also delete or modify backups stored in
wp-content/uploads/backups/
(a common default for free plugins). Off-server snapshots stored on a separate machine are out of reach for an attacker who only has access to your WordPress admin or your hosting account’s filesystem.
Server-level failure. If the server itself dies (hardware failure, disk corruption, accidental account deletion), there is no WordPress instance running to restore the plugin’s backup from. Off-server snapshots can be restored to a fresh server. Plugin backups stored locally cannot.
This is why, even if you install a backup plugin, you should not rely on it as your only line of defense. The plugin’s role is off-site point-in-time copies for granular restore – not full disaster recovery. Disaster recovery is the host’s job.
For a complete walkthrough of how WordPress backups should be structured (frequency, off-site storage, retention, restore testing) see how to back up WordPress manually – the principles apply whether you use a plugin or not.
How we picked these seven plugins#
The WordPress plugin directory has hundreds of backup plugins. Most of them are abandoned, broken on modern PHP versions, or thin wrappers around
mysqldump
and
tar
. We covered the seven that are still actively maintained, have meaningful user bases (50,000+ active installs or a credible commercial customer count), and offer architecturally distinct approaches.
What we deliberately skipped: BackUpWordPress (development stalled), WP Time Capsule (acquired and discontinued), VaultPress (rebranded to Jetpack Backup, covered separately), and the dozen “WordPress backup” plugins that are clearly hosting-company lead magnets with no real backup engine behind them.
For each plugin: what it does, when it is the right pick, when it is not, and what to expect after installing.
UpdraftPlus (free + paid, $70-399/year)#
UpdraftPlus is the most popular WordPress backup plugin by a wide margin – over 3 million active installs. The free version handles full-site backups (files + database), scheduled backups, and remote storage to Dropbox, Google Drive, S3, and a handful of others. That alone covers what most sites need.
The paid version adds incremental backups, more storage destinations (OneDrive, Backblaze, SFTP, WebDAV), database encryption, multi-site support, automatic backup before WordPress and plugin updates, and a one-click “clone and migrate” feature that competes with Duplicator. The pricing is per-site for the cheapest tier; mid and top tiers cover unlimited sites.
Use it if: You want the safest mainstream choice. The free version is enough for most sites, the paid version is reasonably priced for what it adds, and the user base is large enough that you can find a tutorial or support thread for any problem you hit.
Do not use it if: You need real-time incremental backups (BlogVault is better here), or you need backup + migration in one workflow (Duplicator is better).
What you get from the free version: Manual and scheduled backups (daily minimum), one off-site destination, restore from any backup file, basic email notifications. No incremental backup, no encryption, no premium support.
Common gotcha: The default backup destination is
wp-content/updraft/
– on the same server as your site. This is not a backup. Configure an off-site destination (Google Drive’s free tier is fine for small sites) before treating UpdraftPlus as a real backup solution. Better hosts may also put
wp-content/updraft/
outside the publicly accessible web root – double-check.
BlogVault (paid, $89-499/year)#
BlogVault is the premium “set it and forget it” backup service. Backups run on BlogVault’s servers, not yours, which means they consume zero server resources during the backup process. The system is incremental – only changed files are uploaded after the first full backup, so daily backups complete in minutes even on large sites. Restores work the same way: only the changed files are pushed back, not the entire site.
Beyond backup, BlogVault includes a full staging environment (one-click clone to a free staging site on their infrastructure), site management for multiple WordPress installs, malware scanning, uptime monitoring, and a migration tool. It is closer to a full WordPress operations platform than a backup plugin.
Use it if: You run a WordPress site where downtime or data loss has direct revenue impact (e-commerce, membership, lead generation). The combination of real-time incremental backup, free staging, and one-click restore is genuinely useful for production sites.
Do not use it if: You want a free option, or your site is low-stakes enough that daily backups via UpdraftPlus are sufficient. The price gap between $70/year UpdraftPlus Premium and $89/year BlogVault Personal is small, but $89/year for a low-traffic blog is not justified.
What makes it architecturally different: Backups happen externally. UpdraftPlus runs
mysqldump
and
tar
on your server – if your server is overloaded, the backup struggles. BlogVault pulls data via its own client and processes it externally. Your server provides data; BlogVault processes it.
The hidden value: Free staging. Most managed hosts charge for staging or limit it to higher tiers. BlogVault includes one-click staging in every plan, which is a $20-50/month feature on its own at most managed hosts.
Duplicator (free + paid, $69-799/year)#
Duplicator is built around a different mental model – “backup as a portable archive of your site.” A Duplicator package is a
.zip
of your site’s files plus an installer script. You can drop the package on any new server, run the installer, and you have a working clone of the source site at the destination. This makes Duplicator the standard tool for migrations – if you have ever moved a WordPress site between hosts, you have probably used Duplicator (or Duplicator Pro).
The free version handles the package creation and installer flow. The paid version (Duplicator Pro) adds scheduled backups, off-site storage destinations (Dropbox, Google Drive, S3, OneDrive, FTP, SFTP), email notifications, multisite support, and a streaming backup mode that handles very large sites without exhausting PHP memory.
Use it if: You need to migrate WordPress sites between hosts regularly (agencies, freelancers, anyone running test/staging/production environments) or you specifically want backup files that double as deployment archives.
Do not use it if: You only need backup, not migration. UpdraftPlus does scheduled backups better, and BlogVault does premium backups better. Duplicator’s strength is the package format, not the scheduling.
The migration angle: A Duplicator package is essentially the same artifact you would create manually with
tar -czf site.tar.gz wp-content/ wp-config.php
plus a database dump – just packaged with a friendly installer GUI. For a deeper look at when manual migration is preferable to a plugin, see how to migrate WordPress to another hosting provider.
Common gotcha: Free Duplicator does not schedule. Many users install free Duplicator thinking it will run automated backups, then discover they need to manually trigger every package. If you want automated backups, you need Duplicator Pro or a different plugin entirely.
Solid Backups (formerly BackupBuddy, paid, $99-249/year)#
Solid Backups was BackupBuddy until 2023, when iThemes rebranded its entire suite (BackupBuddy, iThemes Security, iThemes Sync) to “Solid” branding. The plugin itself is one of the oldest in the WordPress backup space – BackupBuddy launched in 2010, predating UpdraftPlus and most current competitors.
Feature-wise, Solid Backups handles scheduled backups, off-site storage (Stash Live, Amazon S3, Dropbox, Google Drive, Rackspace, FTP, SFTP), full-site restore, individual file or table restore, and migration. The “Stash Live” service is iThemes/Solid’s own cloud storage destination, included with Pro and higher tiers.
Use it if: You are already running Solid Security, Solid Central, or another Solid-branded plugin and want a consolidated stack from one vendor.
Do not use it if: You are not already in the Solid ecosystem. There is no architectural advantage that justifies picking Solid Backups over UpdraftPlus or BlogVault as a standalone purchase.
What you get: Mature codebase, well-documented, stable. The Pro tier ($99/year) covers one site; higher tiers cover more.
The honest assessment: Solid Backups is good software, but the rebrand has not given it any new technical advantage. It is competitive with UpdraftPlus and BlogVault, not differentiated from them. If you do not already own a Solid bundle, the value calculation favors the competitors.
Jetpack Backup (formerly VaultPress, paid, $10/month+)#
Jetpack Backup is Automattic’s backup product, sold as a standalone Jetpack module or as part of the Jetpack Security or Complete bundles. It runs as a real-time incremental backup – every database write and file change is captured on a rolling log, not just snapshotted on a schedule.
Restores happen through Automattic’s cloud, not from your server. You pick a moment in time (literally to the second on the higher tiers), and Jetpack restores your site to that exact state via Activity Log integration. The granularity is the strength: if a customer placed an order at 3:42:15 PM and a database corruption happened at 3:42:30 PM, you can restore to 3:42:20 PM and keep the order.
Use it if: You already run Jetpack for other features (CDN, Akismet, Stats), and adding backup to the bundle is cheaper than buying it standalone.
Do not use it if: You do not want Jetpack installed. Jetpack is one of the heavier WordPress plugins in terms of code footprint and database calls. Installing it just for backup is overkill.
The Activity Log advantage: Jetpack Backup integrates with Jetpack’s Activity Log, which records every change to your site (post published, plugin activated, user logged in). When a backup restore is needed, you can scroll the Activity Log to see exactly when something went wrong before picking a restore point.
The pricing reality: $10/month for backup alone is high. The value comes from bundling – if you are paying for Jetpack Security ($16.95/month) or Complete ($79.95/month) anyway, backup is included. As a standalone purchase, BlogVault offers a similar feature set for less.
BackWPup (free + paid, $69-249/year)#
BackWPup is the “for technical users” pick. The free version supports more backup destinations than UpdraftPlus’s free tier (Dropbox, S3, Microsoft Azure, Rackspace, SugarSync, FTP), and the configuration UI is closer to a system administrator’s control panel than a one-click installer. You define backup jobs, each with its own schedule, contents, and destination.
The paid version adds Google Drive, OneDrive, Amazon S3 Glacier, multisite support, email reports, encrypted backup archives, and priority support.
Use it if: You want fine-grained control over what gets backed up where. Multiple backup jobs to multiple destinations (database to S3, files to Dropbox, full site weekly to Google Drive) is BackWPup’s natural workflow.
Do not use it if: You want one-click setup. The configuration is significantly more complex than UpdraftPlus, and the documentation assumes you know what
wbz
versus
tar.gz
means and why you would care.
What it does well that competitors do not: Multi-destination jobs, encrypted archives in the free tier, and the flexibility to run backup-only-database jobs separately from backup-only-files jobs. This matters for sites where the database and files need different retention policies.
Common gotcha: Backups stored in
wp-content/uploads/backwpup-XXXXXX-backups/
by default. Same warning as UpdraftPlus – configure a real off-site destination or you do not have a backup.
What about backup-as-a-service tools (not plugins)#
Several backup tools operate from outside WordPress entirely:
- ManageWP / GoDaddy Pro – SaaS dashboard for managing multiple WordPress sites with included backup
- MainWP – self-hosted dashboard for the same job
- WPVivid – free with a backup-to-cloud paid tier
- iControlWP – similar SaaS dashboard model
These compete with BlogVault on architecture (external backup, no server load) but have less polish on the backup-specific feature set. If you manage many sites, a SaaS dashboard often makes sense regardless of backup needs – check whether the dashboard’s included backup is sufficient before adding a separate plugin.
How long does a WordPress backup take#
Backup time depends mostly on database size, file count, and your hosting provider’s I/O performance. The numbers below are typical for a backup running from inside WordPress (plugin-based) – external backup services like BlogVault are usually faster because they pull data over the network without consuming server resources.
| Site size | Database | Backup time (plugin-based) | Restore time |
|---|---|---|---|
| Small blog (10-50 posts, basic theme) | <100 MB | 1-3 minutes | 2-5 minutes |
| Medium business site (100-500 posts, media library) | 100-500 MB | 5-15 minutes | 10-20 minutes |
| Large content site (1000+ posts, heavy media) | 500 MB-2 GB | 20-60 minutes | 30-90 minutes |
| WooCommerce store (active orders, customer data) | 1-5 GB | 1-3 hours | 2-4 hours |
| Large WooCommerce or membership site | 5-20 GB | 3-8 hours | 4-12 hours |
| Enterprise WordPress (multisite, custom data) | 20+ GB | Plugin-based becomes impractical | Depends on infrastructure |
Two patterns to watch for:
- Backup time growing faster than your site grows. This usually means transient bloat in
wp_options, expired cron jobs accumulating, or unused database tables left behind by deleted plugins. A clean site that is genuinely 5 GB backs up faster than a 2 GB site bloated with autoload junk. For cleanup steps, see WordPress database optimization: how to clean up and speed up your database. - Backup completes but restore fails. A backup is only complete if it can be restored. Test restoring to a staging environment at least quarterly. UpdraftPlus, BlogVault, and Duplicator all support test restores; use them.
Common backup mistakes#
The mistakes are predictable and they come up in every WordPress recovery thread.
Storing backups on the same server as the site. If the server fails or gets compromised, both the site and the backup are lost together. Backups must live somewhere your site cannot reach. Cloud storage (S3, Google Drive, Backblaze, Dropbox), off-server snapshots (your host’s own backup system), or a separate backup service – any of these works.
wp-content/uploads/backups/
does not.
Backing up only the files or only the database. A WordPress site needs both to be functional. Files without the database give you a static archive of your themes and uploads. The database without files gives you content but no themes, plugins, or media to render it. Always back up both, even if some plugins make it easy to back up only one.
Not testing restores. A backup that has never been restored is a hopeful guess, not a backup. Schedule a quarterly restore to a staging site. Most hosts let you create a free staging environment, and BlogVault includes one with every plan. The first time you discover your backups do not actually restore is not when you want to discover it.
Backing up before updating, but not before risky operations. Many backup plugins offer “automatic backup before WordPress core update” or “before plugin update.” That covers the routine case. The non-routine cases – bulk database operations, switching themes, importing thousands of products, manually editing wp_options – usually do not trigger an automatic backup. Take a manual backup before any change you are not sure you can undo.
Trusting the host’s daily backup as the only line of defense. Host-level backups are excellent for disaster recovery but typically have 24-hour granularity. If something breaks at 11:55 PM and the daily backup runs at midnight, you cannot restore to 11:50 PM. Plugin-based backups (or external services like BlogVault) give you finer granularity for the cases where 24 hours of lost data is unacceptable.
Using a backup plugin that has not been updated in over a year. Backup plugins touch every part of your site – database, files, sometimes the WordPress core itself. A backup plugin that has not been updated for a major WordPress release is risky. Check the plugin directory’s “Last updated” field before installing.
Ignoring backup encryption. Backups contain passwords (hashed but still sensitive), API keys, customer data, and order history. If you store backups in cloud storage, the storage provider can technically read your backup unless it is encrypted. UpdraftPlus Premium, BackWPup Pro, and BlogVault all support encrypted backups. Free tiers usually do not.
Quick reference - which plugin for which situation#
| Situation | Recommendation |
|---|---|
| Your host runs daily off-server backups (Hostney, Kinsta, WP Engine, BlogVault-equivalent) | None required – host’s snapshots are sufficient. Add UpdraftPlus free if you want extra granularity |
| Low-traffic blog or personal site | UpdraftPlus free + Google Drive destination |
| Small business site, no e-commerce | UpdraftPlus Premium ($70/year) |
| WooCommerce store with active orders | BlogVault ($89/year+) for real-time incremental backup |
| Membership or LMS site | BlogVault for real-time + your host’s daily snapshots as a second layer |
| Multiple WordPress sites under management | ManageWP, MainWP, or BlogVault’s site management features |
| You need backup AND migration regularly | Duplicator Pro |
| You already pay for Jetpack | Jetpack Backup as part of your existing bundle |
| You are technical and want full control | BackWPup Pro |
| You are running on a VPS without managed backups | UpdraftPlus Premium minimum, BlogVault if budget allows |
How long do backups need to be retained#
Retention is the dimension most plugins handle poorly. The defaults are usually “keep the last 5 backups” which is dangerously short for problems that take longer than 5 days to surface (corrupted database not noticed for a week, malware infection from 30 days ago, customer dispute about an order from 60 days back).
A reasonable retention policy:
- Daily backups: keep 7-14 days
- Weekly backups: keep 4-12 weeks
- Monthly backups: keep 6-12 months
- Yearly backups: keep 3-7 years (compliance, taxes, audit)
Most plugins do not support multi-tier retention out of the box. UpdraftPlus Premium does. BackWPup Pro does. BlogVault handles it automatically with 365-day retention on standard plans. If your plugin only supports a single retention number, set it to 30 and supplement with manual quarterly archives stored separately.
For sites with regulatory requirements (GDPR, HIPAA, PCI-DSS), retention is dictated by the regulation, not by your preference. Check what your industry requires before settling on a number.
How Hostney handles backups#
Hostney runs daily off-server backups for every account. Backups are taken as ZFS filesystem snapshots, which means they capture the entire site – files, database, configuration, mail – at the block level, not from inside WordPress. The snapshot is then archived to Cloudflare R2 (object storage), so the backup lives on completely separate infrastructure from the production server.
What this means in practice:
- Daily granularity is the default. Each day’s backup is retained according to your plan’s retention policy.
- Restores happen at the platform level. When you trigger a restore from the control panel, the snapshot is downloaded from R2 and your account is restored from the snapshot. WordPress does not need to be running for this to work.
- Your account is isolated. Each account runs in its own container, and snapshots are per-account. Another account being restored does not affect yours.
- No plugin required. You do not need UpdraftPlus or BlogVault for the disaster-recovery use case. The snapshots already cover that.
What Hostney’s snapshots do not replace:
- Sub-daily granularity. If you need point-in-time restore down to the minute (some e-commerce or membership sites do), pair the host backup with a real-time backup service like BlogVault. The plugin handles the fine-grained recent history; the host snapshot handles disaster recovery.
- Cross-host portability. A Hostney snapshot can be restored to a Hostney account. If you need a backup that can be deployed to a different host, use Duplicator or a manual export.
- WordPress-aware export. If you specifically need a
.zipof your wp-content folder plus a database dump that you can hand to a developer, you still want a plugin or manual export over SSH.
The honest framing: Hostney’s backups cover the case where the server is gone and you need your site back. A WordPress backup plugin covers the case where you accidentally deleted a post yesterday and want it back without restoring the whole site. Both layers have a place; neither replaces the other.
Summary#
For most WordPress sites in 2026, the best backup setup is your hosting provider’s daily snapshots plus UpdraftPlus free as a second layer. If your host does not back you up, UpdraftPlus Premium or BlogVault are the right paid picks depending on whether you need real-time incremental coverage. Duplicator is the right pick if you also need migration. The rest are situational – Solid Backups for ecosystem buyers, Jetpack Backup for sites already running Jetpack, BackWPup for technical owners.
The mistakes that hurt sites most are not picking the wrong plugin – they are storing backups on the same server as the site, never testing a restore, and ignoring backup retention. A correctly tested backup with a generic plugin beats an untested backup with a premium one. For the broader recovery picture (manual backup options, off-site storage, restore testing) see how to back up WordPress manually and how to restore WordPress manually.