Five WordPress Security Mistakes Your Nonprofit Is Making

#2 of 5: Going with Cheap or Free Website Hosting

Five WordPress Security Mistakes Your Nonprofit Is Making #2 of 5: Going Cheap with Web Hosting

May 10, 2019

Last week, we learned how not updating your WordPress plugins can leave a back door open to getting your nonprofit’s site hacked.

Having your visitor’s personal data shared on the dark web is something you want to keep from happening, right? Remember to stay on top of the monthly updates to stay protected.

This week, we're learning about a second way your nonprofit might be compromising its website security which is using cheap or free hosting.

You’re probably thinking: we save a lot of money by only spending $3 per month for our hosting.

With technology, a good rule of thumb to spend a little more. The product or service you’re purchasing will be designed to a higher standard and will generally last longer.

Spend less and you’re compromising on the build quality. You’ll be lucky if what you bought lasts more than a few months. People spend thousands of dollars on Apple products because they’re willing to pay for the quality.

It's the same with web hosting. You get what you pay for.

At first, using cheap hosting might seem like a great way to save cash but you’ll end up with a service with holes in its security.

Discount web hosting providers like Bluehost, Namecheap, or Hostinger cut a lot of corners to provide a low cost to you. Making a profit is more important than ensuring your WordPress website is safe and secure from hackers.

Problems with going cheap on your WordPress hosting:

  • Little to no security measures for WordPress
  • Lack of WordPress security practices, resources, and documentation
  • No malware or virus scanning
  • Tech support team is limited at fixing WordPress security issues

Busting a myth: nonprofits have don’t have anything of value to hackers

Most nonprofits regardless of their size, mission, and geographic reach handle some type of valuable user data every day.

According to Conscious Governance, data security breaches and ransomware attacks have steadily been increasing and becoming very common for nonprofits worldwide.

Many nonprofits and charities are at an even higher risk of a security or data breach because they often rely on free software, inexpensive website hosting and, in many cases, lack the expertise to adequately protect themselves."

~ Conscious Governance

Think about how many donors and members that are actively involved in your organization in some capacity. This is the gold hackers are mining for on your website so they can sell it in bulk on the dark web.

This is why you want strong security practices in place when it comes to your web hosting to protect that valuable information.

What’s it like to get your website hacked?

If your organization has ever experienced getting its website hacked, you lose a lot of time, energy, and money - trying to fix the problem that could have been prevented in the first place.

Depending on how bad the infiltration is, you might have to spend a lot of money hiring a security specialist to help get your website back online. Once inside your site, hackers can secretly delete pages, posts, plugins, and even your themes without you knowing until they suddenly disappear off the site.

Your website can also be pulled offline anywhere from hours to months. And the attacker could possibly demand a ransom from you to bring it back online.

In 2018, the healthcare industry was hit hard with ransomware demands averaging about $10,000 per victim. This is quite an increase compared to amounts in 2016, which were only $1,000 per victim.

Even after your site is back online, it may never be fully free of spam and malware. Attackers will target and infect distribute files throughout your website. It can be difficult to figure out which ones have been compromised so they can be quarantined and replaced with a fresh copy of the original file.

This is really where your choice to use cheap hosting can hurt the most. You’ll have to spend another expense to get your website cleaned by a professional.

If it’s important for your nonprofit to be protected from online attacks, premium web hosting should be on your “must have” list.

Here’s what premium WordPress hosting looks like:

  • Disk write protection - authorized users are only allowed to make changes to the web server which keeps your WordPress files safe and secure.
  • Remote attack protection - anyone trying to make fake WordPress posts using something called XMLRPC gets automatically blocked.
  • Separate databases - security information of users and passwords are automatically connected to the correct database.
  • Uploads protection - WordPress files that allow your nonprofit’s team to upload files to the Media Library get an extra level of security to keep hackers out.
  • Virus scanning - if something happens with your nonprofit’s site, deep level scans and malware cleaning are included.
  • Built-in security practices - premium hosting providers are always making their platform impenetrable from hackers and have extremely high standards.
  • Security documentation - for example, WP Engine’s security practices are very clear, specific, and transparent - see for yourself.

Problems with free website hosting from a friend

Sometimes one of your organization’s volunteers, staff members, or board members will offer the use of their web server at home for free.

It’s going to be better for you to kindly thank them and say no.

Think about your nonprofit’s website security needs and requirements and ask important questions:

  • What kind of security software is installed on the web server?
  • What type of security measures are in place to prevent attacks?
  • If your nonprofit’s website gets hacked, can they help?
  • Can you call or email this friend 24/7 for support related to security?
  • Do they have a support ticket service in place for tracking website issues?

Hopefully, you learned how going cheap or free with website hosting will have its trade-offs. Now you’re aware that nonprofits are increasingly being targeted for ransomware and online attacks.

Fixing a hacked site can be expensive, frustrating, and a time suck. No one at your nonprofit should ever have to go through this kind of experience.


  • Spend a little more on web hosting - consider including premium web hosting in your nonprofit’s annual budget. WP Engine is great because they have rock-solid security, documentation, and support for WordPress websites.
  • Use a website monitoring service - if you want to know whether or not your WordPress site is online, use a free service like Uptime Robot. It checks your site every five minutes and you’ll receive a notification if it’s ever offline.

By Chuck Spidell, a Nonprofit WordPress Security Expert who helps women-led communications teams free up their time and lock down WordPress from getting hacked.