Webinar: How to Prevent Your Nonprofit’s Website from Getting Hacked in 2021

WordPress Security

April 27, 2021

This webinar was hosted on April 27, 2021 by Nonprofit Tech for Good who provides useful, easy-to-understand news and resources related to nonprofit technology, online communication, and mobile and social fundraising.

In case you registered but missed it, you're in luck because you can:

  • Watch a replay of the video recording
  • View the slides that were presented
  • Review the webinar notes

Key Security Points

  • You have to think about your website as an investment that’s worth protecting because of how much time, energy, and resources your staff and volunteers put into it.
  • It's important to keep it maintained and approachable for your constituents and audience.
  • Ignoring monthly plugin updates creates a growing security risk in the background that you don't see developing.
  • It’s a matter of time before your website will get hacked.
  • The goal is to prevent website attacks from happening in the first place.
  • Dealing with a hacked website is expensive, time-consuming, and stressful.

What Happens When You Get Hacked

  • Your site most likely will get hijacked - the home page or all of the pages on it.
  • Depending on the hacker's goal, they may take your website offline for days or even months.
  • Sometimes a hacker wants to deface it and other times they may want a ransom.
  • Pages, posts, themes, and accounts can be deleted in the background without you noticing.
  • Personally Identifiable Information (PII) can be stolen and sold on the "dark web" for money: names, email addresses, credit card details, and addresses.
  • When you do get hacked, there's a very good possibility you'll have to pay a ransom to get your files back.
  • Chances are, they won't fully remove the hidden code, and it'll become a recurring ransom.

Hackers Don't Discriminate

  • It really doesn't matter what size your organization is; all organizations, small and large, are on the map.
  • Hackers know that smaller organizations are leaving their websites vulnerable to attacks.
  • The donor data is what they're looking for to sell on the dark web.
  • You really want to be taking security seriously and don't ignore possible threats.

What’s Currently Going On

  • Cyberattacks are out of control (up by 92%), especially in the last two years since the onset of COVID in 2020.
  • The average data breach costs close to $4 million now.
  • Between 2019 and 2020, I found 18 different security incidents that happened to nonprofits: website attacks, email phishing, data breaches, and ransomware.
  • Organizations nationwide are still largely unprotected and vulnerable to cyberattacks.

NTEN 2018 State of Nonprofit Cybersecurity Report

  • About 70% of organizations don't have any type of policy or procedure for when a cyberattack happens - no documentation.
  • About 60% are not training their staff about cybersecurity. Staff and volunteers wouldn't know what to do about email phishing.
  • Only 17% of organizations are requiring a password management tool.

Nonprofits That Have Been Attacked

  • Northshore Hebrew Academy: had their website hacked and defaced with Nazi propaganda throughout the entire website.
  • It's not something you want your donors or constituents to see. They will be offended, and you will lose the trust of your audience.
  • Jewish Federation of Greater Washington: hackers broke into one of the staff's computers during the pandemic. About $7.5 million was stolen from the organization's endowment fund and funneled into an offshore account.
  • Special Olympics of New York: had their email server hacked and it was used to launch a fake email campaign.

Tip #1: Regularly Update Your Plugins

  • You want to be regularly updating your plugins because it's one of the main ways hackers try to get into your website. Outdated plugins are a back door for hackers.
  • It's really important to stay on top of the core updates for WordPress as well.
  • It's a good idea to do a monthly audit of your plugins. Delete old ones that are not being used on the website.

Tip #2: Spend More On Premium Web Hosting

  • You really want to get your mindset into spending more money on website hosting. Avoid paying $3-$5 per month. Instead, consider closer to $30 per month on managed hosting.
  • Cheaper hosting companies cut corners to give you a low price. They don't put money back into the company and instead try to upsell you different services.
  • You're going to get much better speed, daily backups, and staging sites with managed hosting. Staging websites can be used to test different plugins.
  • Bonus tip: use one of the top four managed WordPress hosting providers: WP Engine, Flywheel, Kinsta, and Pantheon. With the exception of Pantheon, all these providers offer nonprofit discounts.

Tip #3: Change the Default Username

  • The default username is "admin" or "administrator" and you want to change it to a different username to avoid hacking attempts.
  • Hackers have software that will guess the username (and password) many times over, known as a brute force attack.
  • Bonus tip: Use the Limit Login Attempts Reloaded plugin to keep hackers out of your website. It limits the number of attempts someone can make to log in to your website.

Tip #4: Use Long Passwords

  • When it comes to passwords, you want to create long ones because hackers use a wordlist with software to guess short passwords.
  • Don't use "password" for a password!
  • Don't make the mistake of using something short because it's easier to remember. You want to keep the hacker's software guessing.
  • Don't reuse the same password on different websites.
  • Bonus tip: use a password generator like Diceware to create a password that's five or six random words, and use a password manager like LastPass or 1Password.
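As an added illustration of the point above (not part of the original webinar), this Python script compares the search space an attacker faces for a short password against a five- or six-word Diceware passphrase; the demo word list and the guessing rate are constructed assumptions, while the 7776-word list size is the real Diceware list size.

```python
import math
import secrets

# Constructed mini word list for demonstration only. A real Diceware list has
# 7776 words (6^5, one per roll of five dice); that size drives the entropy numbers.
DEMO_WORDS = ["acorn", "bridge", "candle", "dolphin", "ember", "falcon", "garden",
              "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nutmeg"]
DICEWARE_LIST_SIZE = 7776


def passphrase_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy (bits) of n words chosen uniformly at random from a list of list_size words."""
    return n_words * math.log2(list_size)


def charset_bits(password):
    """Entropy (bits) if every character were drawn uniformly from the classes the password uses.
    This is an optimistic upper bound: a dictionary word like 'password' falls to a wordlist
    attack long before the attacker has to search the whole character space."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years needed to try every possibility at an assumed offline guessing rate
    (the 1e10/s figure is an assumption for a leaked hash, not a measured number)."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


def make_passphrase(n_words, words=DEMO_WORDS, sep="-"):
    """Pick n words with the secrets module (a CSPRNG), never with random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for label, bits in [("'password'", charset_bits("password")),
                        ("8 random mixed chars", charset_bits("Tr0ub4d!")),
                        ("5 Diceware words", passphrase_bits(5)),
                        ("6 Diceware words", passphrase_bits(6))]:
        print(f"{label:22s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.1e} years to exhaust")
    print("sample passphrase:", make_passphrase(6))
```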

Tip #5: Back Up Your Website Files

  • In a lot of ways, backups are a method of being proactive. It's less about trying to keep hackers out of your website.
  • It's like building a time machine into WordPress.
  • You want to make sure you're backing up your theme files, database, plugins, and uploads.
  • If your website does get attacked, you can go back in history before it happened. You can restore a previous state before it got hacked.
  • Managed hosting providers have a one-click option where you can restore the website.
  • Make sure you're backing up the files off-site onto a different server (or your computer).
  • Bonus tip: use the UpdraftPlus plugin to create off-site backups to Dropbox, Google Drive, Amazon, etc.

Tip #6: Use a Firewall

  • This is optional; think of it as the icing on the cake for your website.
  • You can purchase a firewall from Sucuri. They're one of the most well-known companies when it comes to WordPress security.
  • The firewall monitors all of the traffic coming to your website in the background. It tracks activity for anything that's suspicious and blocks it.
  • It also blocks brute force and distributed denial-of-service (DDoS) attacks.
  • Bonus tip: Use the 2FAS Light plugin to add two-factor authentication to your website. It generates a random one-time code (a token) that adds an extra layer of security to the login page.
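To show what the Limit Login Attempts Reloaded plugin from Tip #3 and the firewall from Tip #6 are doing for you in the background, here is an added Python example (not from the webinar or from either product) that flags brute-force login activity in web server access logs; the log lines are constructed samples, and the 5-failures-in-10-minutes threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined-log format, assumed to be in time order.
# A WordPress login attempt is a POST to /wp-login.php: a failed attempt re-renders the
# form (200), a successful one redirects to the dashboard (302).
SAMPLE_LOG = """\
203.0.113.5 - - [27/Apr/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [27/Apr/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [27/Apr/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [27/Apr/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [27/Apr/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [27/Apr/2021:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [27/Apr/2021:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [27/Apr/2021:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.7 - - [27/Apr/2021:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_brute_force(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Map each IP that reached max_failures failed logins within a sliding window
    to the highest failure count seen; this is the signal a rate-limiting plugin acts on."""
    recent = defaultdict(list)  # ip -> timestamps of recent failed POSTs
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue  # only login form submissions count
        if status == 302:
            continue  # successful login, not a failure
        times = recent[ip]
        times.append(ts)
        while times and ts - times[0] > window:
            times.pop(0)  # forget failures older than the window
        if len(times) >= max_failures:
            flagged[ip] = max(flagged.get(ip, 0), len(times))
    return flagged


if __name__ == "__main__":
    for ip, count in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 10 minutes - block or rate-limit")
```

The same counting logic, keyed on the username as well as the IP, catches attackers who rotate addresses while guessing the default "admin" account from Tip #3.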

Security Recap

  • Regularly update your plugins - every month so there are no hidden pathways for attackers to gain access to WordPress.
  • Spend more on premium web hosting - you’ll get stronger security measures and better site performance compared to cheap providers.
  • Change the default “admin” username - to something unique so it prevents brute force guessing attempts through your WordPress login page.
  • Use long and strong passwords - that are six words or more so it’s difficult for an attacker’s software to guess.
  • Back up your files every day - use a cloud-based service so you can restore your website in case an attack happens.
  • Install a firewall on your website - to add an extra layer of website protection and block attacks from even happening in the first place.

Connect with Me

By Chuck Spidell, the Nonprofit WordPress Security Expert who helps communications teams free up their time and lock down WordPress from getting hacked.