Webinar: How to Prevent Your Nonprofit’s Website from Getting Hacked in 2019

WordPress Security

October 29, 2019

This webinar was hosted on October 29, 2019 by Nonprofit Tech for Good, which provides useful, easy-to-understand news and resources related to nonprofit technology, online communication, and mobile and social fundraising.


Webinar Notes: 6 Ways to Make Your Nonprofit's WordPress Site Secure from Getting Hacked

Why WordPress Website Security Matters

  • Your website is an investment that’s worth protecting because of how much time, energy, and resources your team has put into it.
  • Ignoring monthly WordPress software updates leaves hidden doors open for hackers to get inside your website.
  • If you continue to neglect your site's needs, it’s only a matter of time before it gets hacked.
  • The core security goal is to prevent a website attack from happening so you avoid dealing with an expensive, recurring problem like ransomware.

What Happens When You Get Hacked

  • Your site gets hijacked and tagged with a hacker group's logo, spam, or possibly pornography.
  • Depending on the type of hacker, they may take your website offline for days to months.
  • Pages, posts, themes, and accounts can be secretly deleted without you knowing about it.
  • Your donors' Personally Identifiable Information (PII) can be stolen and sold on the "dark web" for money: name, email, credit card, and addresses.
  • You might have to pay a ransom to get your files back, and it can become an ongoing problem that won't go away.

What’s Currently Going On

  • Over the last five years, nonprofits of all sizes have become victims of cybercrime and it's proof that hackers don't discriminate.
  • Healthcare, financial, and government organizations are primarily being targeted with email phishing scams, data breaches, and ransomware.
  • 50 U.S. cities and small towns were attacked in 2019 with Baltimore paying $18.2 million to fix the problem on their own.
  • Hackers are targeting nonprofits because they know you are making security a low priority, not implementing measures, and ignoring the issue.
  • Because nonprofit leaders lack cybercrime knowledge, there's an industry-wide misbelief that you have nothing valuable to steal.
  • This mistaken thinking has left many organizations nationwide unprotected and vulnerable to cyberattacks.

NTEN 2018 State of Nonprofit Cybersecurity Report

  • 68.2% of organizations nationwide do not have any documented policies and procedures for when a cyber attack happens.
  • 59.2% are not regularly training staff about cybersecurity awareness while email phishing scams and data breaches are increasing.
  • Only 17.1% of organizations are using some type of password management tool like LastPass or 1Password.

Nonprofits Case Study Attacks

  • In 2017, Save the Children was scammed by an email phishing scheme where a hacker posed as a staff member and sent fake emails. They lost $997,400 to a fraudulent business in Japan.
  • In 2014, the Girl Scouts (Texas Chapter) announced their website was hacked on Facebook. Users were registering and paying for camps during the attack.
  • In 2015, the Red Barn's website was hacked (server-wide on HostGator) during a fundraising event. The damage was so bad, the organization had to remove their website, purchase a new domain name, and rebuild it from scratch.
  • Imagine if it was your organization's website, with hundreds of pages and documents, that got hacked. You would need to dedicate a lot of resources to deal with the problem.

WordPress Security Tip No. 1: Regularly Update Your Plugins

  • Stay on top of the monthly updates to keep the front and back doors closed so a hacker’s software can't get in through outdated plugins.
  • Update your plugins at least once or twice a month. Also, make sure you're staying on top of the WordPress maintenance and security releases.
  • Audit and review the plugins that are being used on your website and try to reduce how many are installed.
  • Delete anything that’s not being used because it’s executable code on the server and another way hackers can find weaknesses on your website.

WordPress Security Tip No. 2: Spend More On Premium Web Hosting

  • With technology, you get what you pay for so get out of the "cheap is better" mindset and consider leveling up to managed WordPress hosting.
  • Low budget hosting companies like Bluehost and HostGator don’t always invest profits back into their infrastructure so there will always be security and speed issues.
  • To give you a lower price, they will cut corners and will constantly upsell you with services or products you don't need.
  • With managed hosting providers, you get more for your money: performance boosts, solid security, daily backups, staging sites, WordPress resources, and excellent customer service.
  • With a staging site, you can test new plugins or features by making a duplicate copy of your website that's hidden from the public and search engines.
  • Bonus tip: use one of the top four managed WordPress hosting providers: WP Engine, Flywheel, Kinsta, and Pantheon.

WordPress Security Tip No. 3: Change the Default Username

  • Never use the default “admin” username and make sure you change it to something unique to avoid hacking attempts.
  • Hackers use software that will try to break into your WordPress login page by guessing the username.
  • This software will search for the usernames that you're using and will also "brute force attack" your site for passwords, so don't make either one easy to guess.
  • Bonus tip: Install the Limit Login Attempts Reloaded plugin to restrict the number of times the software can try logging into your website.
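
The checks from Tip No. 1 (pending updates, unused plugins) and Tip No. 3 (the default “admin” username) can be scripted. The following is an added example, not part of the webinar notes: it assumes WP-CLI is installed on the host, and the sample JSON, plugin names, versions, and the list of guessable logins are constructed for illustration.

```python
import json

# Constructed sample data in the shape WP-CLI prints for
#   wp plugin list --format=json
#   wp user list --role=administrator --fields=user_login,roles --format=json
SAMPLE_PLUGINS = json.dumps([
    {"name": "updraftplus", "status": "active", "update": "none", "version": "1.0.0"},
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "1.0.0"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.0.0"},
    {"name": "old-slider", "status": "inactive", "update": "available", "version": "1.0.0"},
])
SAMPLE_ADMINS = json.dumps([
    {"user_login": "admin", "roles": "administrator"},
    {"user_login": "maria-comms", "roles": "administrator"},
])

ACTIVE_STATUSES = {"active", "active-network"}
# "admin" comes from the notes; "administrator" is an assumed extra entry.
GUESSABLE_LOGINS = {"admin", "administrator"}


def audit_plugins(plugins_json):
    """Return (needs_update, delete_candidates) as lists of plugin names."""
    plugins = json.loads(plugins_json)
    needs_update = [p["name"] for p in plugins
                    if p.get("status") in ACTIVE_STATUSES
                    and p.get("update") == "available"]
    # Inactive plugins are still executable code on the server:
    # list them for deletion instead of updating them.
    delete_candidates = [p["name"] for p in plugins
                         if p.get("status") == "inactive"]
    return needs_update, delete_candidates


def audit_admin_logins(users_json):
    """Return administrator logins that a guessing tool would try first."""
    users = json.loads(users_json)
    return [u["user_login"] for u in users
            if "administrator" in u.get("roles", "")
            and u["user_login"].lower() in GUESSABLE_LOGINS]


if __name__ == "__main__":
    update, delete = audit_plugins(SAMPLE_PLUGINS)
    print("Update now:        ", ", ".join(update) or "none")
    print("Delete (unused):   ", ", ".join(delete) or "none")
    print("Rename admin login:", ", ".join(audit_admin_logins(SAMPLE_ADMINS)) or "none")
```

To run it against a real site, replace the two sample strings with the saved output of the WP-CLI commands named in the comments.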

WordPress Security Tip No. 4: Use Long Passwords

  • A hacker's software will also try to repeatedly guess your password by using a wordlist of short passwords that people commonly use.
  • Don't make the mistake of creating short, weak passwords to save time.
  • Create passwords that are long and strong so they are very difficult for a hacker’s software to guess.
  • Use six random words or more in your password, separated by hyphens or underscores.
  • Bonus tip: use a password generator like Diceware, along with a password manager like LastPass or 1Password so it’s easy for your team to share.

WordPress Security Tip No. 5: Back Up Your Website Files Off-site Every Day

  • It’s good practice to back up your website’s files every day. They contain the database, theme, plugins, images, PDFs, etc.
  • Back up your files off-site so hackers can’t compromise the files that are on your web hosting provider’s server. Double to triple copies for the win.
  • Backups are like having a built-in time machine for your website.
  • In case your site is ever hacked, it can be restored to a point before the attack happened.
  • Bonus tip: use a backup plugin like UpdraftPlus that automatically copies your files to Dropbox, Google Drive, or a cloud service like Amazon S3.

WordPress Security Tip No. 6: Use a Firewall

  • For larger organizations with a website that has heavy traffic and accepts memberships and donations, consider Sucuri’s firewall to lock your website down from hacking attempts.
  • A firewall will monitor all of the visitor traffic and stop brute force attacks before they happen. It includes an antivirus and keeps your website running fast.
  • Bonus tip: Install a plugin like WP Security Audit Log which lets you see who is logged into your WordPress website, what they are doing in real-time, and block any suspicious behavior.

Recap of the six security measures

It doesn’t matter what size your organization is because hackers don't discriminate, so cybersecurity should be a high priority on your radar.

One of the goals with your WordPress website should be providing a positive and consistent browsing experience for donors and constituents.

Trust is everything online.

The last thing you want to be doing is going on Facebook and apologizing to your audience about getting your website hacked.

Dealing with a hacked website and doing damage control is not a solution to your problem but preventing it is.

Implementing these six security measures will keep your site protected from attacks and will close back doors and pathways a hacker might use to gain access to your website.

Here’s the solution:

  • Regularly update your plugins - every month so there are no hidden pathways for attackers to gain access to WordPress.
  • Spend more on premium web hosting - you’ll get stronger security measures and better site performance compared to cheap providers.
  • Change the default “admin” username - to something unique so it prevents brute force guessing attempts through your WordPress login page.
  • Use long and strong passwords - that are six words or more so it’s difficult for an attacker’s software to guess.
  • Back up your files every day - use a cloud-based service so you can restore your website in case an attack happens.
  • Install a firewall on your website - to add an extra layer of website protection and block attacks before they happen.

By Chuck Spidell, the Nonprofit WordPress Security Expert who helps communications teams free up their time and lock down WordPress from getting hacked.