On 18 November 2025, roughly 20% of the internet went dark. X, Discord, Spotify, Shopify, PayPal, ChatGPT and countless other services became unreachable. The culprit wasn't a sophisticated cyberattack or a natural disaster. A routine database change at Cloudflare triggered a cascading failure across its global network.
The outage lasted nearly six hours. Analysts at Forrester Research estimated losses across affected businesses at $250 to $300 million. And the fix? Engineers deployed a known-good previous version of the configuration file. In other words, they restored from backup.
If one of the world's most sophisticated infrastructure companies needed a rollback to save the day, what does that mean for the rest of us?
The real cost of not having a backup
For small business owners, the stakes are different but no less significant. You might not be serving 35% of Fortune 500 companies, but your website represents your livelihood, your reputation, and often years of accumulated content, customer data and hard work.
The statistics paint a concerning picture. According to 2024 research, 58% of small businesses admit to being unprepared for data loss. Meanwhile, 67.7% of companies experienced significant data loss in the past year. The leading cause isn't hackers or ransomware. Hardware failure accounts for 67% of all data loss incidents, followed by human error at around 30%.
What happens after data loss is even more sobering. Research from the National Archives and British Chambers of Commerce found that 93% of companies that lose data centre access for 10 or more days file for bankruptcy within one year.
When backups didn't exist: three cautionary tales
The Cloudflare incident had a happy ending because the company could restore a working configuration quickly. Others weren't so fortunate.
CloudNordic, August 2023
Danish cloud provider CloudNordic suffered a ransomware attack during a data centre migration. The attackers gained access to administration systems and, crucially, both primary and secondary backup systems through a network misconfiguration. The result was 100% customer data loss. Every website, email server and database hosted with them was permanently destroyed. The company's official statement was stark: they could not recover or recreate any customer data.
OVHcloud, March 2021
When Europe's largest cloud provider lost its Strasbourg data centre to fire, 3.6 million websites went offline. Many customers discovered their backups were stored in the same building as their production servers. The video game Rust announced the total loss of all EU servers. Medical firms lost patient records permanently. OVH now faces class action lawsuits exceeding €10 million and has been ordered to pay €400,000 to just two affected customers.
Rackspace, December 2022
A ransomware attack on Rackspace specifically targeted small and medium businesses. The company was forced to permanently shut down its Hosted Exchange environment, affecting approximately 30,000 customers. Only 50% of email data was eventually recovered after weeks of effort, and the company reported $11 million in losses to the SEC.
What proper backups actually look like
The difference between recovery and ruin often comes down to backup strategy. The industry standard is the 3-2-1 rule:
| Component | What it means | Why it matters |
| --- | --- | --- |
| 3 copies | One original plus two backups | Redundancy against single point of failure |
| 2 media types | Local server plus cloud storage | Protection if one system fails entirely |
| 1 offsite | Different physical location or cloud | Survives fire, flood, or physical disaster |
Modern security experts now recommend extending this to 3-2-1-1-0: the same framework plus one immutable backup that ransomware cannot encrypt, and zero errors verified through regular recovery testing.
For website owners specifically, backup frequency should match how often your content changes:
Static or brochure sites: Daily backups with weekly full backups
Blogs and content sites: Daily backups, ideally automated
Ecommerce stores: Hourly or real-time backups (every transaction matters)
All sites: Always back up before updates, plugin installs, or theme changes
If you're running a WordPress site, managed WordPress hosting typically includes automated daily backups as standard. This removes the burden of remembering to back up manually and ensures you always have a recent restore point.
The hidden costs of downtime
Beyond permanent data loss, there's the cost of simply being offline. Research puts small business downtime at $137 to $427 per minute, which translates to roughly $6,500 to $20,000 per hour for a typical small business.
The damage extends beyond immediate revenue. According to recent studies, 88% of consumers are less likely to revisit a website after experiencing downtime, and 32% will never return after just one bad experience. For ecommerce sites, even a one-second delay in page load results in a 7% drop in conversions.
Search rankings take a hit too. Google's John Mueller has confirmed that even short downtime causes one to three weeks of ranking fluctuation before normalising. Prolonged outages can result in pages being completely deindexed.
This is why uptime commitments matter when choosing a hosting provider. But equally important is how quickly you can recover when something does go wrong.
Small businesses are increasingly targeted
There's a common misconception that cybercriminals only go after large enterprises. The reality is quite different. The Verizon 2025 Data Breach Investigations Report found that small and medium businesses are targeted nearly four times more frequently than large organisations. Why? They often have valuable data but weaker defences.
WordPress sites face particular pressure, with research showing 90,000 attacks per minute targeting WordPress installations. In 2024 alone, nearly 8,000 new vulnerabilities affecting the WordPress ecosystem were reported, with 97% originating from plugins.
Proper website security includes keeping WordPress core, themes and plugins updated, using strong passwords and two-factor authentication, and choosing hosting with built-in security features. But even with robust defences, backups remain your last line of protection.
The success stories prove it works
Not every incident ends in disaster. Organisations with proper backup strategies recover quickly without paying ransoms or losing data.
Yuba County in California was hit with ransomware that encrypted 100 servers. Using immutable backups, they recovered 100% of data without paying a penny. A county official stated that knowing their backups were secure meant they never had to consider the ransom demand.
The City of Durham faced a ransomware infection across their entire network, including 911 emergency systems. They restored 200 virtual machines without paying ransom, bringing critical services back online in under 30 hours with zero data loss.
The pattern is consistent: organisations with immutable, off-site, regularly tested backups recover in hours. Those without may never recover at all.
What you should do today
The Cloudflare outage serves as a timely reminder that no system is immune to failure. The question isn't whether something will go wrong with your website. It's whether you'll be able to recover when it does.
If you're not sure about your current backup situation, here's where to start:
Check what backups you actually have by logging into your hosting control panel or asking your provider
Verify backups are stored separately from your main hosting environment
Test a restore to confirm your backups actually work
Automate the process so you're not relying on memory
For WordPress users, managed hosting solutions typically handle backups automatically and include one-click restore functionality. If you're on VPS hosting or managing your own server, you'll need to configure backup routines yourself or use a plugin solution.
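One way to carry out the "test a restore" step on a self-managed server, as an added example that is not from the original article: the script archives a site directory, records SHA-256 checksums, restores into a scratch directory, and fails if anything differs. The function names, file names and sample site are assumptions, and it expects GNU tar and sha256sum.

```shell
#!/usr/bin/env bash
# Added example: back up a site directory, then prove the backup restores.
# Function names and file names (site.tar.gz, site.sha256) are assumptions.

# make_backup SRC_DIR BACKUP_DIR: archive SRC_DIR and record checksums.
make_backup() {
    mb_src=$1; mb_out=$2
    mkdir -p "$mb_out" || return 1
    # Per-file checksums of the live content, with relative paths.
    ( cd "$mb_src" && find . -type f -exec sha256sum {} + ) > "$mb_out/site.sha256" || return 1
    tar -czf "$mb_out/site.tar.gz" -C "$mb_src" . || return 1
    # Checksum of the archive itself, to catch corruption in storage or transit.
    ( cd "$mb_out" && sha256sum site.tar.gz > site.tar.gz.sha256 )
}

# verify_restore BACKUP_DIR: returns 0 only if the archive is intact and
# every file restores byte-for-byte. 1 = archive damaged, 2 = extraction
# failed, 3 = restored files differ from the manifest.
verify_restore() {
    vr_bk=$(cd "$1" && pwd) || return 1
    vr_tmp=$(mktemp -d) || return 1
    vr_rc=0
    ( cd "$vr_bk" && sha256sum -c site.tar.gz.sha256 ) >/dev/null 2>&1 || vr_rc=1
    # Restore into a scratch directory, never over the live site.
    if [ "$vr_rc" -eq 0 ]; then
        tar -xzf "$vr_bk/site.tar.gz" -C "$vr_tmp" 2>/dev/null || vr_rc=2
    fi
    if [ "$vr_rc" -eq 0 ]; then
        ( cd "$vr_tmp" && sha256sum -c "$vr_bk/site.sha256" ) >/dev/null 2>&1 || vr_rc=3
    fi
    rm -rf "$vr_tmp"
    return "$vr_rc"
}

# Demo on a constructed sample site (not real data).
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-content"
echo '<h1>Shop</h1>' > "$demo/site/index.html"
echo 'order-1001,paid' > "$demo/site/wp-content/orders.csv"
make_backup "$demo/site" "$demo/backup"
verify_restore "$demo/backup" && echo "restore test passed"
# Simulate silent corruption of the stored archive: the test must now fail.
printf 'garbage' >> "$demo/backup/site.tar.gz"
verify_restore "$demo/backup" || echo "restore test failed with code $?"
rm -rf "$demo"
```

Run from cron after each backup job, a non-zero exit from `verify_restore` is the signal to alert on; a database dump would need its own import test in addition to this file-level check.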
The businesses that survive data disasters aren't necessarily the ones with the largest budgets or the most sophisticated technology. They're the ones who took backups seriously before they needed them.
As Cloudflare's CEO, Matthew Prince, put it in his post-incident apology, any outage, given the importance of their systems, is unacceptable. The same applies to your website. When something goes wrong, the difference between a minor inconvenience and a business-ending catastrophe is having a recent, working backup ready to deploy.