Design magic that changes the world

Resources to keep your nonprofit's WordPress site protected

6 Ways to Make Your Nonprofit's WordPress Site Secure from Getting Hacked

Webinar Notes

Key Security Points

  • Think about your website as an investment that’s worth protecting. Your team puts a lot of time, energy, and resources into it.
  • Not prioritizing WordPress plugin updates or backups leaves hidden doors open for hackers to get inside. It’s a matter of time before your website will get hacked.
  • Your comms team leaders need to have a mindset shift. Strong website security should be a priority and not an afterthought.
  • Include cybersecurity into your annual budget. The #1 goal is to prevent the risk from a website attack from happening in the first place.

Why Strong Security Matters

  • Your visitor’s site data (Personal Identifiable Information) needs to be protected because it’s valuable to hackers and can be sold on the dark web.
  • When it happens, your site can be hijacked or taken offline. User accounts, pages, posts, plugins, and your theme can get secretly deleted.
  • Dealing with a hacked site is exhausting, time-consuming, and expensive. You especially want to avoid ransoms which can be a recurring problem.

What’s Currently Going On

  • Hackers are targeting smaller nonprofits because they know organizations commonly use cheap web hosting and are not staying on top of monthly updates.
  • Healthcare, financial, and city governments are being targeted for data breaches but nonprofit attacks are also on the rise.
  • Ransom amounts have increased in the last couple of years from $1K to $10K per incident. Most organizations can’t afford to pay this.

Tip #1: Regularly Update Your Plugins

  • Stay on top of the monthly updates to keep the front and back doors closed to hacker’s software from trying to get in.
  • Update your plugins a minimum of twice a month along with WordPress maintenance and security releases.
  • Perform regular monthly audits of your WordPress plugins. Delete anything that’s not being used because it’s executable code on the server.

Tip #2: Spend More On Premium Web Hosting

  • With technology in general, you get what you pay for. Cheap hosting companies like Bluehost don’t invest in their infrastructure and cut corners on security practices.
  • You get better performance, security, and daily automatic file backups with premium hosting. Use their staging sites feature to make a duplicate copy of your website for testing new plugins or features.
  • WP Engine is serious about security and has solid practices that are built-in to their plans. See their disallowed WordPress plugins list. Recommended for small to medium nonprofits and get three months free with annual prepay.
  • Flywheel offers free website migrations and was bought by WP Engine. They’re ideal for small nonprofits and have strong security practices. To get 20% off all plans, monthly or yearly, use the code "nonprofit2019” on checkout.
  • Pantheon offers three staging sites (dev, test, live) and is for medium to large nonprofits with high-traffic and thousands of pages. They have enterprise-level security so budget for paying a little more than WP Engine.
  • Kinsta is also another high-quality WordPress hosting company worth checking out. All of their plans include free website migrations, login attempt limiting, two-factor authentication, and a hack-free environment. If you pay yearly, you get credited for two months.

Tip #3: Change the Default Username

  • Never use the default “admin” username and make sure you change it to something unique to avoid hacking attempts.
  • Hackers use software that will brute force attack your WordPress login page to try and guess both the username and password many times until it gets in.
  • Install a plugin like Limit Login Attempts Reloaded to restrict the number of times a user can try logging into your website.

Tip #4: Use Long and Complex Passwords

  • When creating passwords for WordPress, don’t use short and weak ones that can be easy for a hacker’s bots to guess. Close the front door to their software.
  • Create passwords that are unique and six words or more. This will strengthen your security and provide a double level of protection for brute force attempts.
  • Use a password generator like Diceware, along with a password software like LastPass or 1Password so it’s easy for your comms team to manage them.

Tip #5: Back Up Your Website Files

  • It’s good practice to back up your website’s files every day. They contain the database, theme, plugins, images, PDFs, etc.
  • Back up your files off-site so hackers can’t compromise the files that are on your web hosting provider’s server. Double to triple copies for the win.
  • Use a backup plugin like UpdraftPlus that automatically copies your files to Dropbox, Google Drive, or a cloud service like Amazon S3.
  • Backups are like having a built-in time machine for your website. In case your site is ever hacked, it can be restored to a point before the attack happened.

Final Tip #6: Use a Firewall

  • For larger organizations with a website that has heavy traffic, accepts memberships, and donations - consider Sucuri’s firewall to lock your website down from hacking attempts.
  • A firewall will monitor all of the visitor traffic and stop brute force attacks before they happen. It includes an antivirus and keeps your website running fast.
  • WP Security Audit Log lets you see who is logged into your WordPress website, what they are doing in real-time, and block any suspicious behavior.

About the presenter

Chuck Spidell is a Nonprofit WordPress Security Expert who helps women-led communications teams free up their time and lock down WordPress from getting hacked. His articles cover best practices, tips, and mistakes communication teams can avoid making with their WordPress security.

He also guest posts for Nonprofit Tech for Good, a leading technology resource for nonprofit professionals with over 50K monthly visitors and more than one million followers on social networks.