Aller au contenu principal

Backup Recovery Case Study: 6 Hours Back

· 5 minutes de lecture
Customer Care Engineer

Published on July 10, 2026

Backup Recovery Case Study: 6 Hours Back

At 02:14 UTC, the storefront stopped writing orders to the database. By 02:19, the site was still serving cached pages, but checkout had already become fiction. This backup recovery case study follows what happened next on a production VPS for a small e-commerce business, what we restored, what we did not restore blindly, and why the service was stable again before sunrise.

The customer ran a fairly standard stack for a growing online store - Nginx, PHP-FPM, MariaDB, Redis, and a control panel used by two non-sysadmin staff members. Traffic was not huge, but the timing was painful. A sale campaign had pushed order volume up, database writes were peaking, and a storage issue at the filesystem layer started corrupting active database tables. Not dramatic in Hollywood style, but serious enough that every minute mattered.

The first job was not restoration. The first job was to stop damage from spreading. We placed the application in maintenance mode, preserved current disk state for review, and checked whether replication, snapshots, or logical dumps gave us the cleanest recovery point. This matters more than people like to admit. Fast recovery is good. Fast recovery to damaged data is only fast disappointment.

What failed and how we knew

The logs were telling the same story now. MariaDB began reporting InnoDB page checksum errors, followed by table crashes on write-heavy order and session tables. The hypervisor itself was healthy. CPU, RAM, and network behavior stayed normal. This narrowed the event away from a broad platform outage and toward guest-level storage integrity.

We verified three things before touching backups. First, whether the issue was isolated to a small set of tables and could be repaired in place. Second, whether recent backups were valid and mountable. Third, whether any transactions completed after the last known good backup could be reconstructed from application logs, email confirmations, or payment gateway records.

That third check often gets skipped. It should not. Restoring a backup is not the whole recovery. Businesses care about missing orders, customer records, and invoice state, not just whether MySQL starts again.

The recovery path we chose

This backup recovery case study is useful because the obvious option was not the best option. We had three candidate paths.

A full VM snapshot rollback would have been the quickest in click-count terms, but it would also discard several hours of legitimate content changes, plugin updates, and customer account edits. Repairing tables in place carried too much risk because corruption had already touched core transactional data. The better route was a file-level and database-level restore into a fresh instance, followed by selective data reconciliation.

So we provisioned a clean recovery environment first. Same VPS size, same OS family, same panel version, same PHP branch. Rebuilding into a parallel instance gives breathing room. It also protects the original system for forensic review, which is useful if the customer needs to understand root cause or verify that the issue was not caused by application behavior.

We pulled the last successful automatic backup from 23:00 UTC. Then we tested it before cutover. This sounds basic, but many teams only discover backup problems during the worst possible hour. The archive mounted correctly, checksums matched, database import completed without errors, and the application came up in isolation. Good. Calm begins there.

Restoring the service without making new problems

Recovery had four stages. First, infrastructure. We rebuilt the web stack, applied system updates that were already approved, and matched runtime versions so the application would not fail because of a surprise dependency mismatch.

Second, data. The database restore completed in 11 minutes. Web files restored in under 4 minutes. Media assets were intact, which spared the customer from broken product images and angry browser boxes. Redis was not restored from backup because cached data is disposable by design. Bringing stale cache back into a fresh environment is one of those small mistakes that makes a big mess later.

Third, validation. We checked application login, checkout flow, admin writes, cron execution, SSL validity, outbound mail, and payment gateway callback behavior. We also compared record counts across orders, customers, and catalog tables against expected growth curves from the prior week. Numbers do not need to be perfect poetry, but they should not look strange.

Fourth, reconciliation. Between 23:00 UTC and 02:14 UTC, a handful of successful payments had been processed. Those records did not exist in the restored database because they happened after the backup point. We rebuilt them from payment provider confirmations, email order notifications, and web access logs. This is where an experienced operator saves a lot of business pain. A technically successful restore that loses paid orders is not really a success.

By 03:41 UTC, the application was available for internal customer review. By 04:06 UTC, DNS and edge routing pointed production traffic back to the recovered instance. Total customer-facing disruption for checkout was just under two hours, while read access to most of the site remained available for much of the incident.

What made the recovery fast

It was not luck, and it was not one magical backup button. Speed came from preparation and from reducing decisions during the incident.

The customer already had automatic scheduled backups with retention, monitored server behavior, and a support path that did not disappear into ticket silence. That changed the shape of the night. We were not debating whether a backup existed. We were choosing the safest restore point and validating it.

Environment consistency also mattered. Because the hosting stack was standardized, we did not spend 45 nervous minutes discovering that the restored app wanted an old PHP extension or a missing system library. People often underestimate how much recovery time gets burned on configuration drift.

There was also one less-visible win - separating what is stateful from what is disposable. Database contents, uploaded media, configuration, and SSL assets were treated carefully. Cache, temp files, and generated sessions were rebuilt cleanly. This keeps recovery lean and avoids carrying old noise into a new boot.

What this backup recovery case study teaches

The main lesson is not simply back up your server. Most businesses already know that sentence. The harder lesson is to design recovery around business function, not just infrastructure objects.

A VM snapshot is useful, but it may be too blunt. A database dump is useful, but not enough if uploaded files are separate. A control panel backup is convenient, but convenience should still be tested. The right backup strategy depends on how the application behaves, how often data changes, and what amount of loss is actually acceptable.

For an e-commerce site, product images can usually tolerate slightly older recovery points than order records. For a SaaS application, customer database state may matter more than local filesystem content. For a digital agency hosting multiple client sites on one server, isolation becomes critical because one noisy site should not turn recovery into a whole-rack headache.

Testing also deserves more respect. Backups are promises until they are restored. After they are restored, they become evidence. The difference is expensive.

What changed after the incident

We did not treat recovery as the finish line. After service stabilization, we reviewed storage behavior, filesystem health, database integrity checks, and backup policy timing. The immediate technical cause pointed to guest-level disk inconsistency under write pressure, but the wider question was how to reduce blast radius next time.

Backup frequency was adjusted for the database tier to shorten recovery point exposure during campaigns. Alerting thresholds for I/O wait and database error patterns were tightened. The customer also moved from a single restoration mindset to a layered one - automatic backups, verified restore routines, and clearer handling for transactional reconciliation.

This is where managed operational support earns its keep. Not because incidents never happen, but because when they do, someone already knows where to look first and what not to break while fixing it. That small difference is often the whole difference.

If you are running revenue-producing workloads, the useful question is not whether you have backups. The useful question is whether, at 2 a.m., you can restore the right data to the right place, verify it fast, and account for what happened after the backup was taken. If the answer is uncertain, the system is still asking for attention. Better to answer it on a quiet afternoon than during checkout failure.

Andres Saar Customer Care Engineer