Skip to main content

Backup .env and wp-config.php

.env files and wp-config.php usually contain database credentials, salts, and API keys. You should back them up, but not in a way that exposes them to web users, logs, or offsite storage without encryption.

Quick Summary
  • Treat config files as secrets.
  • Back them up into a locked-down directory.
  • Prefer encrypting secrets before offsite upload.
  • Verify permissions on the entire path.

Decide where secrets live

Use a separate folder:

create-secrets-backup-dir.sh
sudo install -m 700 -d /backups/secrets

Copy wp-config.php

copy-wp-config-into-secrets-backup.sh
sudo install -m 600 /var/www/html/wp-config.php "/backups/secrets/wp-config-$(date +%F).php"

Copy a .env file (if used)

Not every WordPress setup uses .env, but many do (Docker, custom deployments).

copy-env-into-secrets-backup.sh
sudo test -f /var/www/html/.env && sudo install -m 600 /var/www/html/.env "/backups/secrets/env-$(date +%F)" || true

Encrypt secrets before offsite upload

Example: symmetric GPG encryption.

encrypt-secrets-folder.sh
tar -C /backups -cf - secrets \
  | gpg --symmetric --cipher-algo AES256 --output "/backups/secrets-$(date +%F).tar.gpg"

Verify decryption and listing:

verify-encrypted-secrets-archive.sh
gpg --decrypt "/backups/secrets-$(date +%F).tar.gpg" | tar -tf - | sed -n '1,40p'
warning

If you lose the passphrase/private key, you lose access to these secrets. Document key management and recovery.

Permissions verification

verify-secrets-permissions.sh
namei -l /backups/secrets
ls -lah /backups/secrets | sed -n '1,60p'

Next steps

  • GPG encryption basics: opt/docker-data/apps/docusaurus/site/docs/server/linux-server/10-backup-disaster-recovery/gpg-encryption.mdx.