WordPress Security for Nonprofits: How to Keep Your Site Safe

For a nonprofit organization collecting donations online, security is a fundamental part of your organization’s success.

If you do your diligence to encourage donors to give, the last thing you want them to experience is broken trust because of security concerns.

According to the National Council of Nonprofits, it’s imperative that your organization take steps to address risks if you a) process ecommerce transactions such as donations and event registrations, b) store and transfer personally identifiable information, or c) collect information about the preferences or habits of supporters, donors, website visitors, newsletter subscribers, and more.

WordPress Security for Nonprofits: Keeping Your Site Safe

Malicious redirects, JavaScript credit card skimmers, and other threats to your WordPress site pose the greatest risks. As such, it’s incredibly important to protect your site from being taken over by malicious attackers.

Protecting your site can be easy if you take a few simple steps. In this article, we review the basics of WordPress security for nonprofits, which can help you ensure that your online donations are adequately protected and that the trust with your donors remains strong. We’ll focus on some key areas to protect your site against brute force attacks and vulnerability exploitation.

Use SSL

Nearly every website online is using HTTPS or SSL (Secure Sockets Layer) these days. Thanks to services like Let’s Encrypt, which provides free certificates, it is quick and easy to ensure your site is secure. Knowledgeable donors are wary of entering their financial information on sites without a lock next to the domain name.

Fortunately, most hosting providers assist with SSL, ensuring that your site is secured. Having your site’s traffic encrypted between browsers and the server is also an important part of your website’s SEO profile, adding to its importance.

To see whether your WordPress site uses encrypted SSL connections, visit your WordPress site’s homepage. If the homepage URL begins with “https://” your site is using SSL. If the URL begins with “http://”, you’ll need to obtain an SSL certificate for your website.

Ensuring your site has SSL is one of the most basic WordPress security tips for nonprofits.

Strong and Unique Passwords

Your WordPress site probably suggested a long and complex password for you. Using the suggested password is a great option as it ensures your password is unique and not in use elsewhere.

If you don’t opt to use the suggested password, your password should at least include a combination of letters, numbers, and symbols. Avoid using common words or phrases as passwords: they are likely already in databases of hacked passwords and are easy targets for dictionary-based brute force attacks.

Any password used elsewhere could eventually be involved in a breach and be exposed, giving hackers a way to access your other password-protected accounts.

For further information about credential stuffing or brute force attacks, you can review some of the data available on Have I Been Pwned. You can see how common brute force attacks are, what information of yours has been exposed in breaches, and even test your password strength.
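As an added example (not code from the original post or from Have I Been Pwned), here is how a site administrator can check a candidate password against the Pwned Passwords range API without ever sending the password itself: only the first five characters of its SHA-1 hash leave the machine, and the match is done locally. The sample range response, its suffixes and counts are constructed for the demonstration, and the composition check follows the letters/numbers/symbols rule above.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords "range" response for prefix 5BAA6.
# Each line is <remaining 35 hex chars of the SHA-1>:<breach count>.
# Real responses hold hundreds of lines and different counts.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Return the breach count for our suffix from a range response, 0 if absent."""
    for line in range_text.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the range for a 5-char hash prefix; the password never leaves the host."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "np-pw-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetcher=fetch_range) -> int:
    """How many times the password appears in known breaches (0 means not found)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetcher(prefix))


def meets_policy(password: str, min_len: int = 12) -> bool:
    """Length plus the mix of letters, digits and symbols the article asks for."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return len(password) >= min_len and has_alpha and has_digit and has_symbol
```

Call `breach_count("candidate")` with the default fetcher to query the live API; pass a fetcher that returns canned text, as the test does, to exercise the parsing offline.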

Use Two-Factor Authentication

Another easy WordPress security tip for nonprofits is to enable two-factor authentication for all of your accounts whenever possible. Unfortunately, according to Verizon’s data breach report, less than 30% of users actually use 2FA.

This extra factor of security requires you to enter a unique code sent to your phone or email address in addition to your username and password when logging in. While this extra step adds friction to the login process, it provides additional security that can keep your accounts safe.

When protecting your website, bank accounts, or anything else, the second factor also makes it more difficult for hackers to brute-force your accounts and access your website. With Solid Security, you can ensure that your nonprofit is protected from the most common vulnerabilities.

Functionally Isolate Your WordPress Site

The site on which you accept donations should be the only site in your hosting account or, at the very least, functionally isolated from other sites. If there is another site in your hosting account—even a test or a staging site—it could be an intrusion vector for a malicious attack.

Malicious attackers can infect and take over your site if your test or staging site has a weak password or you forget to update the code base. By functionally isolating each WordPress site, you can protect against the risk of cross-contamination.

I’ve had numerous agencies question this advice due to concerns about how cost-prohibitive it can be to host each site in its own space. If you must put numerous sites under the same hosting account or cPanel user, then you’ll need to take extra steps to monitor all of them.

If one is hacked, you’ll need to assume that all are compromised. In the worst cases I’ve seen, one hacked site can very easily lead to 50 hacked sites being taken down with one malicious action.

Update WordPress, Theme, and Plugin Files Regularly

Vulnerabilities in WordPress core, theme, and plugin files are much less common than they were even a few years ago, but they can still happen. When patches are released, apply them quickly so that vulnerable code is patched and protected. Those interested in WordPress security for nonprofits should follow the iThemes Vulnerability Report weekly to see if the themes and plugins you use have known vulnerabilities that require immediate attention.

Additionally, if you have staging servers, it’s always a good practice to test your updates there first and then update on your production site. This ensures that your test environment stays in alignment with your main site.

Backups

Before you update, you should back up your site, whether staging or production. Backups can also be the first line of defense if you ever experience a site intrusion. Your hosting provider may already have backups available.

Ensure that backups are being taken regularly, at least daily, and stored in a secured location somewhere off of your server. Remember, if there ever is an intrusion, everything on your server should be suspect, including backups.

Storing backups in a publicly accessible location exposes critically important information. If your database is exposed in a publicly accessible location, your donor information is also exposed. When donor information is exposed, it requires a breach notification to inform your donors that their personally identifiable information has been compromised.

This hurts the trust you want to establish with donors.

Additionally, your database password is also stored in backups, so steps should be taken to guard backups with the utmost care.

Prepare for When An Incident Might Happen

Have an incident response plan so that you know what to do in the event of a breach or intrusion.

  • Who needs to be notified and when?
  • What are the legal requirements in your jurisdiction?
  • Where are backups stored?
  • When was the last time backups were tested?

Going through the process of preparing an incident response plan can uncover potential security risks in your site, your processes, or your organization. A healthy incident response preparation plan is a great exercise in identifying effective communication strategies that ensure the trust of your donors is a primary concern when handling any kind of security incident.

Phishing Awareness

With numerous breaches affecting the services we use regularly, much of our personally identifiable information has already been compromised and exposed to malicious attackers.

Many of these attackers take our data and use it to craft surprisingly effective attacks by using our data against us.

These attacks can be very generic. For instance, an attacker may tell you that your PayPal account has been compromised and you need to change your password, then direct you to a look-alike site where they capture your password. Or they can be very specific, targeted “spearphishing” attacks that use our data against us.

To protect against these types of attacks, it’s important to educate yourself (and anyone involved with your donation program) about how to spot suspicious emails or messages that may be phishing attempts.

Common signs of phishing include:

  • Misspelled words or strange URLs
  • Requests for personal information like bank account numbers
  • Offers that seem too good to be true

There is often some kind of time pressure or alarmist messaging in phishing attacks, such as:

  • “Your account is compromised”
  • “Take action now or you lose” with something valuable in the balance

The best line of defense against phishing is slowing down: use a critical and discerning eye, and be wary of links. It’s always best to go directly to a site to enter credentials of any kind.

With phishing, your nonprofit should be vigilant against seemingly realistic messages that prey upon the very human sense of urgency and desire to help those less fortunate.

Social Engineering Awareness

Humans are always going to be the weakest link in any digital security system. The tools you use—such as plugins, firewalls, and password managers—are there to help you make better decisions about your security. But it will always boil down to your own decision-making.

Social engineering is one of the more fascinating aspects of information security. Attacks based on social engineering prey upon the human element – they are built based on how people think and act.

Being aware of social engineering is a critical part of any business as cyber criminals become more creative in their approach. These attackers operate by gaining personal information about you and then crafting an attack that takes advantage of your trust and exploits your weaknesses.

Blackmail threats to pay funds via cryptocurrency, ransomware threats, DDoS threats, and other attacks can all be considered social engineering attacks, as they scare people into taking actions they normally wouldn’t.

Consistent Vigilance

Staying safe from malicious attacks requires constant vigilance. Every attack is different—hackers are incredibly creative, persistent, and patient. They expect smaller nonprofits to not have sophisticated defenses against attacks, and as such, you may be more of a target than a larger organization with more resources.

At the end of the day, protecting your website from cyberattacks is essential for keeping both you and your donors safe when collecting online donations through WordPress sites. By following some basic WordPress security guidelines, your site and your donation forms will remain safe, establishing trust in the minds of everyone who visits your site.

Join Us for the February Give LIVE with Kathy Zant of SolidWP

In this webinar, we’ll talk about why cybersecurity is so important for nonprofits, how to protect your website, tips to prevent phishing and other socially engineered attacks, and what to do if you are hacked.

