6 Ways To Strengthen Your Nonprofit's WordPress Security
August 2, 2019
If your nonprofit has a website, someone is always looking for a way to get in.
Dealing with a hacked WordPress website can be time-consuming, expensive, and emotionally draining. It’s not something you want to experience.
Once inside your site, a hacker can delete pages, plugins, and themes without anyone knowing. Your website can be hijacked with ads or taken down for days to months. The attacker may also demand cash from your organization to bring it back online.
Most nonprofits can’t afford to pay a $10,000 ransom every month because a hacker planted a virus on their site.
In this article, you’ll learn six ways to strengthen your nonprofit’s WordPress website to keep attacks like this from happening in the first place.
Why Strong Security Matters for Your Website
Security breaches and ransomware attacks are on the rise for nonprofits. Whether you’re a comms team of one or a large organization, strong WordPress security matters.
On most nonprofit websites, sensitive data is being passed through or temporarily stored in WordPress: name, email, address, and credit card numbers. This usually happens when a user fills out a donation form, becomes a member, or purchases a product. Your visitor’s personal information is valuable to hackers because it can be sold in bulk online for a lot of money.
Nonprofits Are Being Targeted by Hackers
A nonprofit, The Red Barn, had its website caught up in a larger, server-wide breach in which it was hijacked by a group of hackers. The nonprofit was in the middle of a fundraising event and people were trying to purchase tickets during the attack.
The hack was so bad the organization had to remove their website, purchase a new domain name, and rebuild it from scratch in three days.
Imagine if you were a large organization that got its website hacked with hundreds of pages and thousands of documents. How many months would you lose trying to rebuild your site?
One of your goals should be to provide a great experience for the visitors on your website. If they have it, they’ll be loyal supporters and advocates of your mission.
Let’s dive into the six ways you can strengthen your website so you can protect your site from a breach in the first place.
1. WordPress Security Tip: Regularly Update Your Plugins
One of the simplest ways to close back doors to hackers is by updating all of your WordPress plugins every month.
Hackers use software that scans your website and makes a list of all of your plugins, a process called "enumeration." They’ll hunt for the ones that are outdated and weak and can be easily compromised.
Security and maintenance fixes are released by WordPress every month. Developers who create the plugins also provide improvements and security patches.
Keep all of your plugins and core WordPress software up to date. It’s one of the best ways to keep your website protected - and it often gets overlooked when your team gets busy.
Tip: Every month, audit your WordPress plugins for weaknesses. Review the plugins installed on your website and delete anything that isn't essential. Inactive plugins still contain code that can be run, so removing them ensures no outdated, executable code is left on the server for an attacker to exploit.
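The monthly audit can be automated. The following is an added example (not from the article): a small "must-use" plugin, saved as wp-content/mu-plugins/nonprofit-plugin-audit.php, that builds a list of inactive plugins and plugins with a pending update and emails it to the site's admin address. It uses only standard WordPress functions; the plugin name, the function names and the event name are assumed for the example.

```php
<?php
/**
 * Plugin Name: Nonprofit Plugin Audit (hypothetical example)
 * Description: Once a week, lists plugins that are inactive or have an update
 *              pending and emails the result to the site admin.
 * Install as: wp-content/mu-plugins/nonprofit-plugin-audit.php
 */

if (!defined('ABSPATH')) {
    exit; // never run outside WordPress
}

/**
 * Build the audit report: plugins that are installed but inactive (candidates
 * for deletion) and plugins whose installed version is behind the release
 * that wordpress.org currently reports.
 */
function nonprofit_plugin_audit(): array {
    // get_plugins() and is_plugin_active() live in an admin file that is not
    // loaded during cron requests, so pull it in explicitly.
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    // Refresh the update cache so the report reflects the current releases.
    wp_update_plugins();
    $updates = get_site_transient('update_plugins');
    $pending = (is_object($updates) && isset($updates->response)) ? $updates->response : [];

    $report = ['inactive' => [], 'outdated' => []];
    foreach (get_plugins() as $file => $data) {
        if (!is_plugin_active($file)) {
            $report['inactive'][] = $data['Name'];
        }
        if (isset($pending[$file])) {
            $report['outdated'][] = sprintf(
                '%s: installed %s, available %s',
                $data['Name'], $data['Version'], $pending[$file]->new_version
            );
        }
    }
    return $report;
}

// Cron handler: format the report and mail it to the admin address.
add_action('nonprofit_plugin_audit_event', function (): void {
    $report = nonprofit_plugin_audit();
    if (empty($report['inactive']) && empty($report['outdated'])) {
        return; // nothing to report this week
    }
    $body = "Inactive plugins (delete if not needed):\n"
          . (empty($report['inactive']) ? "  none\n" : '  ' . implode("\n  ", $report['inactive']) . "\n")
          . "\nUpdates pending:\n"
          . (empty($report['outdated']) ? "  none\n" : '  ' . implode("\n  ", $report['outdated']) . "\n");
    wp_mail(get_option('admin_email'), 'WordPress plugin audit: ' . home_url(), $body);
});

// Schedule the event once. 'weekly' is a built-in interval (WordPress 5.4+);
// there is no built-in monthly interval, so this runs a little more often
// than the tip above asks for.
add_action('init', function (): void {
    if (!wp_next_scheduled('nonprofit_plugin_audit_event')) {
        wp_schedule_event(time(), 'weekly', 'nonprofit_plugin_audit_event');
    }
});
```

WordPress cron only fires when the site receives visits, so on a quiet site the email may arrive late; a real system cron hitting wp-cron.php fixes that. The email is a reminder, not a substitute for actually applying the updates and deleting the unused plugins it lists.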
2. WordPress Security Tip: Spend More On Premium Web Hosting
A second way to improve the security on your website is by moving your website away from using generic hosting to a high-quality, managed WordPress hosting provider.
With technology, you get what you pay for.
It’s a good rule of thumb to spend a little more on your web hosting. You’ll get more extras for WordPress like faster speeds, strong security, and automatic daily backups.
Using cheap hosting might seem like a great way to save money, but discount web hosting providers cut corners on security to keep their prices low.
Advantages of using premium web hosting:
- Disk write protection - only authorized users are allowed to make changes on the web server, which keeps your WordPress files safe and secure.
- Remote attack protection - anyone trying to make fake WordPress posts through the XML-RPC interface gets automatically blocked.
- Uploads protection - WordPress files that allow your nonprofit’s team to upload files to the Media Library get an extra level of security to keep hackers out.
- Virus scanning - if something happens with your nonprofit’s site, deep level scans and malware cleaning are included.
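If you cannot move hosts right away, three of the four protections above can be approximated on any WordPress install. The following is an added example (not from the article or any host): a must-use plugin, saved as wp-content/mu-plugins/nonprofit-hardening.php, that turns off the dashboard code editor, disables XML-RPC, and refuses uploads with an executable extension. The WordPress constants, filters and hooks it uses are real; the file name and plugin name are assumed.

```php
<?php
/**
 * Plugin Name: Nonprofit Hardening (hypothetical example)
 * Description: Reproduces three of the managed-host protections listed above
 *              on a site that runs on generic hosting.
 * Install as: wp-content/mu-plugins/nonprofit-hardening.php
 */

if (!defined('ABSPATH')) {
    exit;
}

// 1. Disk write protection (partial): remove the dashboard's theme and plugin
//    code editor so a hijacked admin account cannot write PHP through the
//    browser. The conventional place for this line is wp-config.php; it is
//    guarded here so it does not clash with a copy already defined there.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}
// DISALLOW_FILE_MODS goes further and also blocks plugin/theme installs and
// updates from the dashboard. Only enable it if updates happen some other
// way (a deploy pipeline or WP-CLI); otherwise tip 1 becomes impossible.

// 2. Remote attack protection: turn off XML-RPC. Remote posting apps use the
//    endpoint, and it accepts logins too, so credential-guessing bots target
//    it as well as wp-login.php. Leave it on only if you rely on the mobile
//    app or Jetpack.
add_filter('xmlrpc_enabled', '__return_false');

// Stop advertising the endpoint in the X-Pingback response header.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// 3. Uploads protection: refuse files with an executable extension anywhere in
//    the name (this also catches double extensions such as name.php.jpg).
//    Setting $file['error'] aborts the upload and shows the message in the
//    Media Library. Back this up with a web-server rule that never executes
//    PHP under wp-content/uploads.
add_filter('wp_handle_upload_prefilter', function (array $file): array {
    if (preg_match('/\.(php\d?|phtml|phar)(\.|$)/i', $file['name'])) {
        $file['error'] = 'Executable files cannot be uploaded to the Media Library.';
    }
    return $file;
});
```

Must-use plugins load on every request and cannot be disabled from the dashboard, which is exactly the property you want for hardening rules: an attacker who gets an admin login cannot simply switch them off. What this file does not give you is the host-level piece, a web server that refuses to run PHP from the uploads directory and a file system the PHP process cannot write to; those still come from the host.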
Tip: Use a managed web host like WP Engine or Flywheel.
Consider using a premium web hosting provider like WP Engine. They have full security measures, documentation, and native support for WordPress websites.
Flywheel is also a great choice if your nonprofit is looking for a host that’s fast and secure. They also can migrate your website for free, saving you a lot of time.
Use nonprofit2019 to get 20% off all Flywheel plans, monthly or yearly.
3. WordPress Security Tip: Change the Default Username
A third way to protect your nonprofit’s WordPress from attacks is by changing the default username to something unique.
The WordPress login page is one of the first places an attacker will start looking for site weaknesses. They’ll use software that tries to guess your username (and password) many times, called a brute force attack.
If they do get in, code can be hidden inside your WordPress theme files and plugins. The attacker will be able to log in remotely and take over your website.
A hacker can do serious damage to your website without you knowing it:
- Delete pages, blog posts, or your theme
- Take your site down and demand a ransom to bring it back online
- Steal personal data from users
- Install software that records what you type on your keyboard
The most common username their software will try using is “admin” or “administrator”.
Remember to change the default username to something unique so a hacker’s software won’t have a way to get inside.
Tip: Install a plugin that controls attempts on the WordPress login.
Consider using a plugin that limits how many times someone can use the WordPress login page. For example, if a user fails to log in 10 times over five minutes, chances are it’s a hacker’s bot. If it has to wait 20-30 minutes, it’ll give up and move on to the next website. This will help reduce the number of brute force attacks against your site.
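To show what such a plugin does under the hood, here is an added example (not from the article, and not the code of any published plugin): a must-use plugin that implements exactly the rule above, 10 failures from one address within five minutes followed by a 30-minute lockout, using WordPress transients for storage. The hooks (wp_login_failed, wp_login, authenticate) are real WordPress hooks; the function names, constants and file name are assumed.

```php
<?php
/**
 * Plugin Name: Nonprofit Login Limiter (hypothetical example)
 * Description: After 10 failed logins from one address within 5 minutes,
 *              rejects every login from that address for 30 minutes.
 * Install as: wp-content/mu-plugins/nonprofit-login-limiter.php
 */

if (!defined('ABSPATH')) {
    exit;
}

const NP_MAX_FAILURES = 10;                      // failures tolerated ...
const NP_WINDOW       = 5 * MINUTE_IN_SECONDS;   // ... inside this window ...
const NP_LOCKOUT      = 30 * MINUTE_IN_SECONDS;  // ... before this lockout starts

// Transient key for the calling address. REMOTE_ADDR is correct on a plain
// server; behind a proxy or CDN use the client-IP header your host documents,
// never a header that anyone on the internet can set.
function np_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'np_login_' . md5($ip);
}

// Count a failure inside the window; on the Nth failure start the lockout.
function np_record_failure(string $key): int {
    $state = get_transient($key . '_fail');
    if (!is_array($state) || (time() - $state['first']) > NP_WINDOW) {
        $state = ['count' => 0, 'first' => time()]; // start a new window
    }
    $state['count']++;
    set_transient($key . '_fail', $state, NP_WINDOW);

    if ($state['count'] >= NP_MAX_FAILURES) {
        set_transient($key . '_lock', time() + NP_LOCKOUT, NP_LOCKOUT);
        delete_transient($key . '_fail');
    }
    return $state['count'];
}

// Seconds left on the lockout, or 0 when the address is not locked.
function np_lockout_remaining(string $key): int {
    $until = (int) get_transient($key . '_lock');
    return max(0, $until - time());
}

// WordPress fires this after every failed password check.
add_action('wp_login_failed', function (): void {
    np_record_failure(np_client_key());
});

// A successful login clears the failure count for the address.
add_action('wp_login', function (): void {
    delete_transient(np_client_key() . '_fail');
});

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked address is refused even when it finally sends the right password.
add_filter('authenticate', function ($user) {
    $remaining = np_lockout_remaining(np_client_key());
    if ($remaining > 0) {
        return new WP_Error(
            'np_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', (int) ceil($remaining / 60))
        );
    }
    return $user;
}, 30, 1);
```

Two things to know before using a rule like this: attempts made during a lockout still fire wp_login_failed, so a bot that keeps hammering extends its own lockout; and because the counter is per address, everyone in an office behind one shared IP is locked out together once any of them fails ten times, which is a trade-off the off-the-shelf plugins make as well.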
4. WordPress Security Tip: Use Long and Strong Passwords
A fourth way to keep hackers from finding a hidden way into your nonprofit's WordPress website is by using strong passwords.
Hackers will use the same scanning software that can find your username to also sniff out short and weak passwords. Don’t make it easy for bots to guess yours and get inside.
Password examples to avoid:
Remember to create complex passwords so your nonprofit’s WordPress website has double the amount of protection at the login page.
Tip: Use a free generator so you don't have to memorize long passwords.
Use a generator, like Diceware, that creates passwords made up of six or more words. This technique makes it very difficult for a hacker’s software to guess because the words are chosen at random, making the result resistant to guessing attacks.
To create a password that’s long but also easier to remember, use a combination of words with numbers that are spelled out. Use words that have a personal meaning to you. Separate each word with hyphens or underscores.
Examples of long passwords:
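To make the Diceware idea concrete, the following is an added example (not from the article): a short PHP script that picks six words from a list using the operating system's secure random generator and reports how many guesses an attacker would face. The 32-word list is constructed for the example; the real Diceware list has 7,776 words, and the entropy function shows why that matters.

```php
<?php
// Diceware-style passphrase generator (added example, not from the article).
// The word list below is a constructed 32-word sample; for real use, load the
// full 7,776-word Diceware list so each word adds about 12.9 bits of entropy.

const NP_SAMPLE_WORDS = [
    'acorn', 'badge', 'cabin', 'dairy', 'eagle', 'fable', 'gable', 'habit',
    'icing', 'jelly', 'kayak', 'ladle', 'mango', 'noble', 'oasis', 'pearl',
    'quilt', 'raven', 'salsa', 'tulip', 'umbra', 'vivid', 'wagon', 'xerox',
    'yacht', 'zebra', 'amber', 'bison', 'cedar', 'delta', 'ember', 'fjord',
];

/**
 * Pick $count words uniformly at random from $words using random_int(), the
 * cryptographically secure generator. That random choice is what makes the
 * result unguessable; mt_rand() or array_rand() must not be used for this.
 */
function np_passphrase(array $words, int $count = 6, string $separator = '-'): string {
    if ($count < 1 || count($words) < 2) {
        throw new InvalidArgumentException('Need at least one word to pick and two to choose from.');
    }
    $picked = [];
    for ($i = 0; $i < $count; $i++) {
        $picked[] = $words[random_int(0, count($words) - 1)];
    }
    return implode($separator, $picked);
}

/**
 * Entropy in bits of a passphrase built this way: count * log2(list size).
 * The attacker is assumed to know both the list and the method; only the
 * random choices are secret, so this is the honest measure of strength.
 */
function np_passphrase_bits(int $listSize, int $count): float {
    return $count * log($listSize, 2);
}

// Run from the command line: php diceware.php
if (PHP_SAPI === 'cli') {
    printf("%s\n", np_passphrase(NP_SAMPLE_WORDS));
    printf("sample list, 6 words: %.1f bits\n", np_passphrase_bits(count(NP_SAMPLE_WORDS), 6));
    printf("full Diceware list, 6 words: %.1f bits\n", np_passphrase_bits(7776, 6));
}
```

Six words from the 32-word sample give only 30 bits, which a bot can exhaust; six words from the full list give about 77.5 bits, which is out of reach. The lesson for the "personal meaning" variation above is the same: the strength comes from how many equally likely choices there were, not from the length of the result, so words an attacker could predict about you add less than words rolled with dice.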
5. WordPress Security Tip: Back Up Your Website Files Every Day
A fifth way to strengthen your WordPress website security is by making regular backups of your website files.
In case your website is ever compromised, you want to be able to go back and restore it before the incident happened. Making daily copies of your WordPress files off-site is almost like having a built-in security time machine.
WordPress files you want to save every day, off-site:
- Database - the brain and circulatory system of your site
- Theme - the look and feel of your website’s content
- Plugins - components that add another level of functionality
- Uploads - photos and documents that bring the theme to life
Remember to back up files off-site either onto your computer or use a cloud-based service like Dropbox. The files will be safe since they’re not on the same web hosting server as your website.
Also, before adding new plugins to your website, make a backup so there’s a restore point in case something goes wrong or doesn’t work right.
Tip: Use a plugin to schedule and automate your backups.
To make the backup process simple, use a free plugin like Updraft Plus. You can set a schedule and choose which files are backed up. Use an external service like Dropbox, Amazon S3, or Google.
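For a team that prefers to see what a backup job actually does, the following is an added example (not from the article and not UpdraftPlus's code): a PHP command-line script that dumps the database, archives wp-content and wp-config.php, copies both off-site, and prunes old local copies. It assumes mysqldump, tar and the AWS CLI are installed, that the install path and bucket name shown are replaced with your own, and that DB_HOST in wp-config.php is a plain hostname; the file and function names are assumed.

```php
<?php
/**
 * nonprofit-backup.php (hypothetical example): nightly database + wp-content
 * backup, copied off-site. Run from cron as the web user, for example
 *   15 2 * * * php /opt/nonprofit/nonprofit-backup.php
 * Keep this file OUTSIDE the web root so a browser can never request it.
 * Assumes mysqldump, tar and the AWS CLI are installed and that `aws` has
 * credentials with write-only access to the bucket.
 */

if (PHP_SAPI !== 'cli') {
    exit("Run from the command line only.\n");
}

$wpRoot   = '/var/www/example.org';          // assumption: WordPress install path
$outDir   = '/var/backups/wordpress';        // assumption: staging dir outside the web root
$bucket   = 's3://BUCKET-NAME-PLACEHOLDER';  // placeholder: your off-site bucket
$keepDays = 14;                              // local copies to keep; the bucket keeps the rest

// Load wp-config.php (for the DB_* constants and ABSPATH) without rendering a page.
define('WP_USE_THEMES', false);
require $wpRoot . '/wp-load.php';

if (!is_dir($outDir) && !mkdir($outDir, 0700, true)) {
    exit("Cannot create $outDir\n");
}
$stamp = gmdate('Ymd-His');

// Run a command and abort the whole job on the first failure, so a
// half-written archive is never shipped off-site as if it were good.
function np_run(string $cmd): void {
    passthru($cmd, $rc);
    if ($rc !== 0) {
        fwrite(STDERR, "FAILED ($rc): $cmd\n");
        exit(1);
    }
}

// 1. Database. Credentials go into a temporary option file (created 0600)
//    rather than on the command line, where `ps` would show the password to
//    every local user. --single-transaction gives a consistent snapshot.
$cnf = tempnam(sys_get_temp_dir(), 'npdb');
register_shutdown_function(function () use ($cnf): void { @unlink($cnf); });
file_put_contents($cnf, sprintf(
    "[client]\nhost=\"%s\"\nuser=\"%s\"\npassword=\"%s\"\n",
    addcslashes(DB_HOST, '"\\'), addcslashes(DB_USER, '"\\'), addcslashes(DB_PASSWORD, '"\\')
));
$dbFile = "$outDir/db-$stamp.sql";
np_run(sprintf(
    'mysqldump --defaults-extra-file=%s --single-transaction --quick %s > %s && gzip -f %s',
    escapeshellarg($cnf), escapeshellarg(DB_NAME), escapeshellarg($dbFile), escapeshellarg($dbFile)
));
$dbFile .= '.gz';

// 2. Files. wp-content holds the theme, plugins and uploads; wp-config.php
//    holds the settings a restore needs (and the DB password, so the archive
//    is itself sensitive: keep the bucket private and encrypted).
$filesArchive = "$outDir/files-$stamp.tar.gz";
np_run(sprintf('tar -czf %s -C %s wp-content wp-config.php',
    escapeshellarg($filesArchive), escapeshellarg(rtrim(ABSPATH, '/'))));

// 3. Off-site copy: a backup that lives on the same server dies with it.
foreach ([$dbFile, $filesArchive] as $f) {
    np_run(sprintf('aws s3 cp %s %s/%s', escapeshellarg($f), $bucket, basename($f)));
}

// 4. Prune local copies older than $keepDays (the off-site copies stay; use a
//    lifecycle rule on the bucket to age those out).
$old = array_merge(glob("$outDir/db-*.sql.gz") ?: [], glob("$outDir/files-*.tar.gz") ?: []);
foreach ($old as $f) {
    if (filemtime($f) < time() - $keepDays * 86400) {
        unlink($f);
    }
}
echo "Backup $stamp complete\n";
```

The part teams most often skip is the restore test: once a quarter, download one database dump and one file archive and bring them up on a spare install. A backup that has never been restored is a hope, not a plan.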
6. WordPress Security Tip: Use a Firewall
The sixth and final way to add an extra layer of security to your nonprofit’s WordPress website is using a firewall.
The main purpose of using a firewall is to block any suspicious activity from happening before it reaches your site.
How a firewall helps keep your website safe:
- Blocks hackers in real-time
- Mitigates and prevents distributed denial-of-service (DDoS) attacks
- Adds virtual patching and hardening to WordPress
- Stops brute force attempts from happening on the login page
Tip: Monitor the daily user activity on your website for anything unusual.
If you’re a large organization and have a lot of active users on your WordPress website, consider using a security plugin that monitors WordPress activity. You’ll be able to see what’s been changed, troubleshoot problems, and spot behavior that looks suspicious before it turns into a hack.
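To show what "monitoring WordPress activity" means in practice, here is an added example (not from the article, and not the code of any monitoring plugin): a must-use plugin that writes one JSON line per security-relevant event, logins, failed logins, new accounts, role changes, plugin and theme switches and post deletions, to a file outside the web root. The hooks are real WordPress hooks; the log path, file name and function names are assumed.

```php
<?php
/**
 * Plugin Name: Nonprofit Activity Log (hypothetical example)
 * Description: Writes one JSON line per security-relevant event so you can see
 *              who changed what and spot activity that looks wrong.
 * Install as: wp-content/mu-plugins/nonprofit-activity-log.php
 */

if (!defined('ABSPATH')) {
    exit;
}

// Assumption: a log path outside the web root, writable by the PHP user and
// shipped to wherever your other logs go.
const NP_ACTIVITY_LOG = '/var/log/wordpress/activity.jsonl';

function np_log_event(string $event, array $details = []): void {
    $user = wp_get_current_user();
    $line = [
        'time'  => gmdate('c'),
        'event' => $event,
        'user'  => $user->exists() ? $user->user_login : null,
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? null,
    ];
    // Event-specific fields override the defaults; LOCK_EX keeps concurrent
    // requests from interleaving partial lines.
    file_put_contents(NP_ACTIVITY_LOG, json_encode(array_merge($line, $details)) . "\n", FILE_APPEND | LOCK_EX);
}

// Logins, successful and failed: the first thing to look at after an incident.
add_action('wp_login', function (string $login): void {
    np_log_event('login', ['user' => $login]);
}, 10, 1);
add_action('wp_login_failed', function (string $login): void {
    np_log_event('login_failed', ['attempted_user' => $login]);
}, 10, 1);

// Account changes: a new administrator or a promoted account is one of the
// commonest signs that a site has been taken over.
add_action('user_register', function (int $userId): void {
    np_log_event('user_created', ['new_user' => get_userdata($userId)->user_login]);
}, 10, 1);
add_action('set_user_role', function (int $userId, string $role, array $oldRoles): void {
    np_log_event('role_changed', [
        'target' => get_userdata($userId)->user_login, 'from' => $oldRoles, 'to' => $role,
    ]);
}, 10, 3);

// Code changes: plugins and themes are where malicious code gets planted.
add_action('activated_plugin', function (string $plugin): void {
    np_log_event('plugin_activated', ['plugin' => $plugin]);
}, 10, 1);
add_action('deactivated_plugin', function (string $plugin): void {
    np_log_event('plugin_deactivated', ['plugin' => $plugin]);
}, 10, 1);
add_action('switch_theme', function (string $newName): void {
    np_log_event('theme_switched', ['theme' => $newName]);
}, 10, 1);

// Content destruction: the "delete pages and blog posts" damage listed above.
add_action('before_delete_post', function (int $postId): void {
    np_log_event('post_deleted', ['post_id' => $postId, 'title' => get_the_title($postId)]);
}, 10, 1);
```

A log nobody reads changes nothing, so pair this with a habit: someone skims the day's lines each morning, and anything like a role change to administrator, a plugin activated at 3 a.m., or a burst of failed logins followed by a success gets a phone call before it gets ignored. Because the file sits outside the web root and is append-only from WordPress's point of view, an attacker who gains a dashboard login cannot quietly clear it the way they could a log stored in the database.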
Recap of the six security measures
One of your goals should be providing an excellent and consistent browsing experience for your visitors. It doesn’t matter what size your organization is - strong security is important for the success of your nonprofit’s WordPress website.
Remember to close back doors and pathways a hacker might use to gain access to your website. Your visitors will thank you and be loyal supporters of your mission.
Here are the six security tips to remember:
- Regularly update your plugins - every month so there are no hidden pathways for attackers to gain access to WordPress.
- Spend more on premium web hosting - you’ll get stronger security measures and better site performance compared to cheap providers.
- Change the default “admin” username - to something unique so it prevents brute force guessing attempts through your WordPress login page.
- Use long and strong passwords - that are six words or more so it’s difficult for an attacker’s software to guess.
- Back up your files every day - use a cloud-based service so you can restore your website in case an attack happens.
- Install a firewall on your website - to add an extra layer of website protection and block attacks before they happen.
By Chuck Spidell, the Nonprofit WordPress Security Expert who helps communications teams free up their time and lock down WordPress from getting hacked.