Hello Enrico,
Akeeba Backup Professional does indeed offer several automation features. You can use CRON jobs on your server (regular and URL-only), Joomla's scheduled tasks, a third party service such as Watchful or BackupMonkey, or even any server or computer under your control to trigger the scheduled backups.
Backups are always taken on your web server. There is no other way to back up your database. The files, while they can be read remotely, would take too long to transfer to be a practical form of backup — and the overhead in data transfer would eat away your available monthly bandwidth in no time. That's why, even though it's technically feasible, we never implemented this. When I tried that, a backup that normally takes 10' would take close to two hours.
What you can do is have the backups automatically uploaded to remote storage. If you're primarily defending against malware I recommend using Amazon S3 with a write-only user account (there are instructions for this in our documentation), and possibly a small application such as CloudBerry Explorer to download the backup archives to local storage as well. This means that whatever happens you have a backup. The backups can be further encrypted with AES-128 (JPS format) for additional security in transit and at rest.
If you are tight on disk space you can choose your backup to be split into smaller archive part files, each part immediately transferred to the remote storage once it's ready. The space you need on your site is twice the part size plus 20 Megabytes. So, if you choose a 100MiB part size you need 220MiB free disk space on your server.
Regarding scanning your backups, you should instead be focusing on protecting your site and scanning your files in situ. Admin Tools Professional offers a triple layer of protection:
- A security-optimised .htaccess file which prevents the bulk of malicious requests from reaching your site at all, managed with the .htaccess Maker feature of Admin Tools Professional. Furthermore, the generated .htaccess file neutralises almost all malicious file uploads by preventing them from executing over the web (the requisite second step in an attack for the attacker to gain a foothold on your site).
- A Web Application Firewall which monitors incoming requests to the Joomla application and prevents the vast majority of malicious requests from having an effect on your site and its extensions.
- The PHP File Change Scanner which can be automated to periodically scan your site's .php files, detect any changed / added files, and provide an automated security assessment of these files. If you follow the documentation instructions on using it you will at the very least catch attacks very early on, preventing them from doing anything truly harmful to your site.
You can buy both Akeeba Backup Professional and Admin Tools Professional by purchasing the Essentials bundle. It costs 75 Euros (plus VAT, if applicable).
Beyond that, I recommend using a third party service which sits between your server and the Internet such as CloudFlare, or Sucuri. These services serve a double role. First, they filter out a lot of malicious requests before they even reach your server. Second, they act as a content delivery network (CDN) which speeds up your site.
Finally, I also recommend using the Multi-factor Authentication built into Joomla 4.2, or Akeeba LoginGuard on older versions of Joomla. In fact, both are the same: I contributed Akeeba LoginGuard to Joomla and it's now called Multi-factor Authentication.
With all of these on your site and a modicum of security consciousness —such as only using long, randomly generated passwords which are kept in a password manager such as 1Password, BitWarden, etc; updating Joomla and its extensions; following up on the security procedures such as using the PHP File Change Scanner; and so on— your site will be as safe as it realistically can be.
Remember, nothing can make your site “impenetrable”. Whoever sells a product on this promise is selling you a lie. The best you can do is make your site very hard to break into, therefore deterring an attacker. This is the fundamental truth of all forms of security, from protecting one's personal blog to securing a highly sensitive military installation. It's always all about making the trouble of breaking in far more expensive / risky to the attacker than what they stand to gain. Keep that fundamental truth in mind and you will find that practical security is achievable without undue effort.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!