Five WordPress Security Mistakes Your Nonprofit Is Making

#1 of 5: Not Regularly Updating Your plugins

Five WordPress Security Mistakes Your Nonprofit Is Making #1: Not Regularly Updating Your Plugins

You’re probably thinking: we’re a nonprofit. Why would anyone want to hack into our website?

If you have a website, someone is always trying to get inside through an open door.

As of April 2019, Lookout reports that tech, health, retail, and government industries are affected the most. Earlier this year, 37 million of Panera Bread’s website users had their personal data stolen: names, addresses, birthdates, and credit card numbers.

Four years ago, a nonprofit food bank in Salt Lake City, Utah was also hacked. 10,000 visitors who donated through their website lost their personal info to thieves.

We live in a world where our personal lives are open on the web. Getting a hold of your personal information is a hacker’s main goal.

Think about the security on your website:

  • When was the last time someone updated your plugins?
  • How do you know if your users are creating strong passwords?
  • Are you using “admin” for a user account?

Whether you’re a comms team of one or a large organization, having strong security matters the most. No one trusts a website that’s been hacked.

One of your goals should be to providing a great experience for the visitors on your website. If they have it, they’ll be loyal supporters and advocates of your mission.

In this five-part series, you’ll learn about some of the mistakes your organization might be making with your WordPress site and some tips on how to get unstuck.

Once you’re familiar with how attacks happen, you’ll understand why it’s important to protect your site from a breach in the first place.

This week, I'm kicking it off with one of the easiest ways your site can be targeted, which is through outdated WordPress plugins.

#1 Mistake: Not regularly updating your plugins

One of the easiest ways to open your nonprofit’s website to a security hack is by forgetting to always update your plugins, along with the WordPress core.

Like a garden, if you stop watering your plants they’ll wilt and eventually will die. You wouldn’t treat your WordPress website and its plugins the same way, right?

As mentioned in my Why Monthly WordPress Care Matters article, the WordPress team publishes security and maintenance releases every month. Along with these updates, software developers also provide new versions of their plugins. These usually contain usability fixes and security improvements.

If someone on your team isn’t taking care of the plugin updates every month, you’re organization is welcoming hackers inside.

What happens once they’re inside

An attacker will use software to scan your WordPress site for outdated plugins. Once they find one that’s old and vulnerable, they’ll add hidden code inside the plugin folders to the files. Sometimes, core WordPress files are changed too.

This code will let a hacker download sensitive user information from your website and store it on their own network. Your website user’s personal data usually gets sold in bulk on a black market known as the “dark web”.

Trying to deal with a website on your own that’s been hacked can be a frustrating and time-consuming experience. Depending on the severity of an attack, it can be a very expensive problem and the site can be down for a few hours to several days.

So remember to stay on top of your monthly plugin updates!


  • Research before installing plugins - read WordPress community user reviews to see if there are any recent issues, relative to your site’s needs.
  • Only install regularly maintained plugins - that have been updated within the last few weeks to two months. Don’t take the risk with your site unless it’s a well-known plugin that you’re familiar with.
  • Audit your plugins every month - deactivate and delete anything that you’re not using and do not store plugins if they are disabled since hackers can find them.

What’s the topic for next week?

You'll learn why it's not a good idea to go cheap with hosting for your nonprofit’s website.

Also, the next time a volunteer offers to host your site for free, you’ll want to pass because it can become an expensive security problem.


I hope you found this useful

Did you learn something new about WordPress and want more helpful advice? Get on my list below.

Please feel share with your friends, I'd appreciate it.

Happy WordPressin’ and keep doing what matters the most.

Chuck Spidell

Stay in the loop and receive weekly WordPress security tips.

Please enter your name.
Please enter a valid email address.
Something went wrong. Please check your entries and try again.
Chuck Spidell

By Chuck Spidell, Nonprofit WordPress Strategist

Stay in the loop about WordPress security

Please enter your name.
Please enter a valid email address.
Something went wrong. Please check your entries and try again.