Five WordPress Security Mistakes Your Nonprofit Is Making

#1 of 5: Not Regularly Updating Your plugins

Five WordPress Security Mistakes Your Nonprofit Is Making #1: Not Regularly Updating Your Plugins

May 3, 2019

If you have a website, someone is always trying to get inside through an open door.

As of April 2019, Lookout reports that tech, health, retail, and government industries are affected the most. Earlier this year, 37 million of Panera Bread’s website users had their personal data stolen: names, addresses, birthdates, and credit card numbers.

Four years ago, a nonprofit food bank in Salt Lake City, Utah was also hacked. 10,000 visitors who donated through their website lost their personal info to thieves.

You’re probably thinking: we’re a nonprofit. Why would anyone want to hack into our website?

We live in a world where our personal lives are open on the web. Getting a hold of your personal information is a hacker’s main goal.

Think about the security on your website:

  • When was the last time someone updated your plugins?
  • How do you know if your users are creating strong passwords?
  • Are you using “admin” for a user account?

Whether you’re a comms team of one or a large organization, having strong security matters the most. No one trusts a website that’s been hacked.

One of your goals should be to providing a great experience for the visitors on your website. If they have it, they’ll be loyal supporters and advocates of your mission.

In this five-part series, you’ll learn about some of the mistakes your organization might be making with your WordPress site and some tips on how to get unstuck.

Once you’re familiar with how attacks happen, you’ll understand why it’s important to protect your site from a breach in the first place.

This week, I'm kicking it off with one of the easiest ways your site can be targeted, which is through outdated WordPress plugins.

#1 Mistake: Not regularly updating your plugins

One of the easiest ways to open your nonprofit’s website to a security hack is by forgetting to always update your plugins, along with the WordPress core.

Like a garden, if you stop watering your plants they’ll wilt and eventually will die. You wouldn’t treat your WordPress website and its plugins the same way, right?

As mentioned in my Why Monthly WordPress Care Matters article, the WordPress team publishes security and maintenance releases every month. Along with these updates, software developers also provide new versions of their plugins. These usually contain usability fixes and security improvements.

If someone on your team isn’t taking care of the plugin updates every month, you’re organization is welcoming hackers inside.

What happens once they’re inside

An attacker will use software to scan your WordPress site for outdated plugins. Once they find one that’s old and vulnerable, they’ll add hidden code inside the plugin folders to the files. Sometimes, core WordPress files are changed too.

This code will let a hacker download sensitive user information from your website and store it on their own network. Your website user’s personal data usually gets sold in bulk on a black market known as the “dark web”.

Trying to deal with a website on your own that’s been hacked can be a frustrating and time-consuming experience. Depending on the severity of an attack, it can be a very expensive problem and the site can be down for a few hours to several days.

So remember to stay on top of your monthly plugin updates!


  • Research before installing plugins - read WordPress community user reviews to see if there are any recent issues, relative to your site’s needs.
  • Only install regularly maintained plugins - that have been updated within the last few weeks to two months. Don’t take the risk with your site unless it’s a well-known plugin that you’re familiar with.
  • Audit your plugins every month - deactivate and delete anything that you’re not using and do not store plugins if they are disabled since hackers can find them.

By Chuck Spidell, a Nonprofit WordPress Security Expert who helps women-led communications teams free up their time and lock down WordPress from getting hacked.