If you do your diligence to encourage donors to give, the last thing you want them to experience is broken trust because of security concerns.
According to the National Council of Nonprofits, it’s imperative that your organization takes steps to address risks if you a) process ecommerce transactions such as donations and event registrations, b) store and transfer personally identifiable information, and c) collect information about the preferences or habits of supporters, donors, website visitors, newsletter subscribers, and more.
WordPress Security for Nonprofits: Keeping Your Site Safe
Protecting your site can be easy if you take a few simple steps. In this article, we review the basics of WordPress security for nonprofits that can help you ensure that your online donations are adequately protected and that the trust with your donors remains strong. We’ll focus on some key areas to protect your site against brute force attacks as well as vulnerability exploitation.
Nearly every website online is using HTTPS or SSL (Secure Sockets Layer) these days. Thanks to services like Let’s Encrypt, which provides free certificates, it is quick and easy to ensure your site is secure.. Knowledgeable donors are wary of entering their financial information on sites without a lock next to the domain name.
However, most hosting providers assist with SSL, ensuring that your site is secured. Having your site’s traffic encrypted between browsers and the server is also an important part of your website’s SEO profile, adding to its importance.
To see whether your WordPress site uses encrypted SSL connections, visit your WordPress site’s homepage. If the homepage URL begins with “https://” your site is using SSL. If the URL begins with “http://”, you’ll need to obtain an SSL certificate for your website.
Ensuring your site has SSL is one of the most basic WordPress security for nonprofits tips.
Strong and Unique Passwords
Your WordPress site probably suggested a long and complex password for you. Using the suggested password is a great option as it ensures your password is unique and not in use elsewhere.
If you don’t opt to use the suggested password, at a minimum your password should include a combination of letters, numbers, and symbols. Avoid using common words or phrases as passwords as they are likely already in databases of hacked passwords and possible dictionary-based brute force attacks.
Any password used elsewhere could eventually be involved in a breach and could be exposed, giving hackers a way to access your other password protected accounts
For further information about credential stuffing or brute force attacks, you can review some of the data available on Have I Been Pwned. You can see how common brute force attacks are, what information of yours has been exposed in breaches, and even test your password strength.
Use Two-Factor Authentication
Another easy WordPress security for nonprofits tip is enabling two-factor authentication for all of your accounts whenever possible. Unfortunately, according to Verizon’s data breach report, less than 30% of users actually use 2FA.
This extra factor of security requires you to enter a unique code sent to your phone or email address in addition to your username and password when logging in.While this extra step adds friction to the login process, it provides additional security that can keep your accounts safe.
When protecting your website, your bank accounts, or anything else, the second factor of complexity also makes it more difficult for hackers to brute force your accounts and get into your website.
Functionally Isolate Your WordPress Site
The site on which you accept donations should be the only site in your hosting account, or at the very least functionally isolated away from other sites. If there is another site in your hosting account – even a test or a staging site – it could be an intrusion vector for a malicious attack.
Malicious attackers can infect and take over your site if your test or staging site has a weak password or you forget to update the code base. By functionally isolating each WordPress site, you can protect against the risk of cross contamination.
I’ve had numerous agencies question this advice due to concerns about how cost-prohibitive it can be to host each site in its own space. If you must put numerous sites under the same hosting account or cPanel user, then you’ll need to take extra steps to monitor all of them.
If one is hacked, you’ll need to assume that all are compromised. In the worst cases I’ve seen, one hacked site can very easily lead to 50 hacked sites taken down with one malicious action.
Update WordPress, Theme and Plugin Files Regularly
Vulnerabilities in WordPress core, theme, and plugin files are much less common than they were even a few years ago, but they can still happen. When patches are released, ensure you update your site quickly to ensure vulnerable code is patched and protected. Those interested in WordPress security for nonprofits should follow the iThemes Vulnerability Report weekly to see if the themes and plugins you use have known vulnerabilities that require immediate attention.
Additionally, if you have staging servers, it’s always a good practice to test your updates there first and then update on your production site. This ensures that your test environment stays in alignment with your main site.
Before you update, you should backup your site, whether staging or production. If you ever do experience a site intrusion, backups can also be the first line of defense. Your hosting provider may already have backups available to you.
Ensure that backups are being taken regularly, at least daily, and stored in a secured location somewhere off of your server. Remember, if there ever is an intrusion, everything on your server should be suspect, including backups.
Storing backups in a publicly accessible location exposes critically important information. If your database is exposed in a publicly accessible location, your donor information is also exposed. When donor information is exposed, it requires a breach notification to inform your donors that their personally identifiable information has been compromised.
This hurts the trust you want to establish with donors.
Additionally, your database password is also stored in backups, so steps should be taken to guard backups with the utmost care.
Prepare for When An Incident Might Happen
Have an incident response plan so that you know what to do in the event of a breach or intrusion.
Going through the process of preparing an incident response plan can uncover potential security risks in your site, your processes, or your organization. A healthy incident response preparation plan is a great exercise in identifying effective communication strategies that ensure the trust of your donors is a primary concern when handling any kind of security incident.
With numerous breaches affecting the services we use regularly, much of our personally identifiable information has already been compromised and exposed to malicious attackers.
Many of these attackers take our data and use it to craft surprisingly effective attacks by using our data against us.
These types of attacks can either be very generic. For instance, an attacker may tell you that your PayPal account has been compromised and you need to change your password. They then direct you to strange sites where they capture your password information. Or, they can be very specific targeted “spearphishing” attacks that use our data against us.
To protect against these types of attacks, it’s important to educate yourself (and anyone involved with your donation program) about how to spot suspicious emails or messages that may be phishing attempts.
Common signs of phishing include:
There is often some kind of time pressure or alarmist messaging in phishing attacks, such as:
The best line of defense against phishing is slowing down -use a critical and discerning eye, and be wary of links. It’s always best to go directly to a site to enter credentials of any kind.
With phishing, your nonprofit should be vigilant against seemingly realistic messages that prey upon the very human sense of urgency and desire to help those less fortunate.
Social Engineering Awareness
Humans are always going to be the weakest link in any digital security. But the tools you use – such as plugins, firewalls, and password managers -are there to help you make better decisions about your security. But it will always boil down to your own decision-making.
Social engineering is one of the more fascinating aspects of information security. Attacks based on social engineering prey upon the human element – they are built based on how people think and act.
Being aware of social engineering is a critical part of any business as cyber criminals become more creative in their approach. These attackers operate by gaining personal information about you and then crafting an attack that takes advantage of your trust and exploits your weaknesses.
Blackmail threats to either pay funds via cryptocurrency, ransomware threats, DDOS threats, and attacks that can all fall into social engineering attacks as they scare people into taking actions they normally wouldn’t.
Staying safe from malicious attacks requires constant vigilance. Every attack is different – hackers are incredibly creative, persistent, and patient. They expect smaller nonprofits do not have sophisticated defenses against attacks and as such, you may be more of a target than a larger organization with more resources.
At the end of the day, protecting your website from cyberattacks is essential for keeping both you and your donors safe when collecting online donations through WordPress sites. By following some basic WordPress security guidelines, your site and your donation forms will remain safe, establishing trust in the minds of everyone who visits your site.
Join Us for the February Give LIVE with Kathy Zant of iThemes
In this webinar, we’ll talk about why cybersecurity is so important for nonprofits, how to protect your website, tips to prevent phishing and other socially engineered attacks, and what to do if you are hacked.
This content was originally published here.