Five WordPress Security Mistakes Your Nonprofit Is Making

#5 of 5: Not Backing Up Files

Five WordPress Security Mistakes Your Nonprofit Is Making #5: Not Backing Up Files

June 3, 2019

We’re at the final week learning about the five types of security mistakes your nonprofit is probably making with its WordPress website.

It’s important to close any doors that can make your site open to attacks.

Dealing with a hacked website is a time-consuming, expensive, and an emotionally draining experience for your organization. This problem can be prevented from happening in the first place.

Four key security tips to remember:

  • Regularly update your plugins - every month so there are no hidden pathways for attackers to gain access to WordPress.
  • Spend more on premium web hosting - you’ll get stronger security measures and better site performance compared to cheap providers.
  • Change the default “admin” username - to something unique so it prevents brute force guessing attempts through your WordPress login page.
  • Use long and complex passwords - that are six words or more so it’s difficult for an attacker’s software to guess.

This week, we’re wrapping the series with a final mistake you’re probably making which is not backing up your nonprofit’s WordPress website files.

You’re probably thinking: backing up our entire website sounds complicated. I’m skipping that.

If you’ve ever used a graphics program like Adobe Photoshop or Illustrator, one of the most convenient features is the History panel. Accidentally deleted a layer? No problem - just go back before the mistake happened and it’s fixed.

What if there was a way to make WordPress do the same thing? It would be like having a time machine built into your website.

Imagine if a hacker broke into your site and deleted your theme, pages, and plugins. You’d want a way to restore to your website to a previous state before the attack happened.

It’s possible if you’re regularly saving copies of your website’s files, known as “backups”.

Why website backups matter

Backups are duplicate copies of all your nonprofit’s important WordPress website files, which contain everything from the database to the plugins.

WordPress files you want to save:

  • Database - the circulatory system and brain of your site
  • Theme - the framework and visual presentation of your website content
  • Plugins - extra functionality that supports and extends WordPress
  • Uploads - photos and documents that bring the theme to life

How often should I save my website files?

To build a time machine into your WordPress site, you want to be backing up your website files every day. It’s especially important that all of your files are saved off-site on a completely different server.

If a hacker gets into your website, they can also compromise the backup files you’ve saved on the server. Be sure to avoid that mistake.


  • Back up your files every day - save everything! This means your database, theme, plugins, and uploads on a daily basis.
  • Back up files off-site - to prevent hackers from compromising files on the server where your site exists. Use a cloud-based service like Dropbox, Amazon S3, or Google.
  • Back up before adding plugins - Remember to back up first before adding any new plugins to your site so there’s a restore point in case something goes wrong or doesn’t work right.

If you’d like to start this website security mistake series from the beginning, head over to number #1: why it’s important to regularly update your WordPress plugins.

Data breaches that are both likely to happen and can result in serious harm fall in the “high priority” category. Many nonprofits collect and store sensitive personal information that is protected by law as confidential. When there is a breach of the confidentiality of those data, that poses a risk for the individuals whose data was disclosed, AND for the nonprofit that will now potentially be subject to liability for the breach."

~ National Council of Nonprofits

By Chuck Spidell, the Nonprofit WordPress Security Expert who helps communications teams free up their time and lock down WordPress from getting hacked.