
Think hackers are only going after big corporations with mega-bucks? Think again. Every day, malicious hackers are trying to steal information from nonprofits just like you.

Earlier this year, Washington, D.C. think tank Urban Institute suffered a data breach that had the potential to impact as many as 700,000 nonprofits. Hackers stole usernames, passwords, IP addresses, and other sensitive information from nonprofits all over the country.

In many cases, cyber criminals target nonprofits because they often don’t have the robust security systems that private corporations and government institutions do.

If your site has already been hacked and you need a quick fix, we strongly recommend our partners at Sucuri Security, the world’s leading malware cleaning and scanning service. You can check them out here.


Even if you don’t get attacked by a hacker, security mistakes can still cause serious embarrassment and negatively impact your reputation among supporters. To make sure that your website and sensitive digital information are protected, you must avoid these common security mistakes made by nonprofits and other small organizations.

Looking to start a conversation with your web development provider about security? Check out this extra resource to get some inspiration.

An insufficient backup solution

Imagine what would happen if your organization permanently lost all of its data.

Broken into a cold sweat yet? You should have: research shows that 40% of IT professionals at small organizations (fewer than 100 people) believe that if their company lost all of its files, it would go out of business.


Backing up your files is one of the easiest and most important ways to protect your data. Yet many nonprofits still don’t have a backup – and if they do, it’s handled by the office manager’s nephew who is “good with computers,” or some other equally careless method.

Not only do you need a backup, you’ve also got to ensure that it’s managed properly. There are two schools of thought when it comes to backups:

  • On-site backups are copied onto a hard drive or server that’s physically located in your office. This type of backup tends to be convenient and cost-effective: you can buy an external drive in many places, and if your data is lost or stolen, it’s easy to grab your backup and restore your system in just a few minutes. The downside of on-site backups is that they are just as vulnerable to theft and natural disaster as your primary systems. If a fire hits your office and destroys your main network and your backup solution, you’re still up the creek.


  • Off-premises backups are stored on a remote server located away from your main office. The benefit of off-premises backups is that if your primary system is damaged or stolen, you can immediately restore the data from the off-site backup. However, off-premises backups tend to be more expensive than on-site solutions, and they require you to entrust your data to a third party. Additionally, if your internet access goes down, there’s no way for you to restore your network from the backup until it comes back.


Which solution is best for you? That depends on your location, the type of data you are backing up, and your budget. Consider using a combination of these two strategies: global technology nonprofit TechSoup advises creating multiple backups and rotating each set off-site once a week.
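The combined strategy described above, as an added example that is not from the original post or from TechSoup: the script below keeps a short run of daily archives on site, ships the newest one to an off-site store on whatever rotation schedule you run it on, records a SHA-256 checksum with every archive, and refuses to restore from an archive whose checksum no longer matches. The directory layout, the `site-<label>.tar.gz` naming, the retention counts and the tiny sample web root in `demo_run` are all constructed assumptions for the demo; in real use the off-site directory would be a mounted remote share or a sync target.

```python
# Added example (not from the post): on-site daily archives plus an off-site
# copy shipped on a rotation schedule, with checksums so a restore never starts
# from a corrupt or tampered archive. Paths, labels and retention counts are
# demo assumptions.
import hashlib
import shutil
import tarfile
import tempfile
import time
from pathlib import Path

def _sidecar(archive):
    # Checksum lives next to the archive: site-<label>.tar.gz.sha256
    return Path(str(archive) + ".sha256")

def _digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def create_backup(site_dir, onsite_dir, label=None):
    """Archive site_dir (web root, uploads, a database dump) into onsite_dir.
    Labels default to a timestamp so archive names sort oldest-first."""
    onsite_dir = Path(onsite_dir)
    onsite_dir.mkdir(parents=True, exist_ok=True)
    archive = onsite_dir / f"site-{label or time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname=".")
    _sidecar(archive).write_text(f"{_digest(archive)}  {archive.name}\n")
    return archive

def verify_backup(archive):
    """Recompute the digest and compare it with the one recorded at backup time."""
    sidecar = _sidecar(archive)
    return sidecar.exists() and sidecar.read_text().split()[0] == _digest(archive)

def prune(backup_dir, keep):
    """Keep only the newest `keep` archives in backup_dir; return the names removed."""
    archives = sorted(Path(backup_dir).glob("site-*.tar.gz"))  # oldest first, by label
    removed = []
    for old in archives[:max(len(archives) - keep, 0)]:
        old.unlink()
        _sidecar(old).unlink(missing_ok=True)
        removed.append(old.name)
    return removed

def rotate_offsite(onsite_dir, offsite_dir, keep_sets):
    """Copy the newest on-site archive (plus checksum) to the off-site store and
    trim that store to keep_sets archives. Run this on the rotation schedule."""
    offsite_dir = Path(offsite_dir)
    offsite_dir.mkdir(parents=True, exist_ok=True)
    newest = sorted(Path(onsite_dir).glob("site-*.tar.gz"))[-1]
    if not verify_backup(newest):
        raise RuntimeError(f"{newest.name} failed verification; not shipping it off-site")
    copied = offsite_dir / newest.name
    shutil.copy2(newest, copied)
    shutil.copy2(_sidecar(newest), _sidecar(copied))
    prune(offsite_dir, keep_sets)
    return copied

def restore_backup(archive, target_dir):
    """Verify, then unpack into target_dir. A corrupt backup that is never
    test-restored is discovered only during the restore you depend on."""
    if not verify_backup(archive):
        raise RuntimeError(f"{Path(archive).name} failed verification; refusing to restore")
    target_dir = Path(target_dir)
    target_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and backports: reject path traversal in members
            tar.extractall(target_dir, filter="data")
        else:
            tar.extractall(target_dir)
    return target_dir

def demo_run():
    """Constructed scenario: three daily backups of a tiny fake web root, on-site
    retention of two, one off-site rotation, a test restore, then a tamper check."""
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    site = base / "site"
    (site / "wp-content").mkdir(parents=True)
    (site / "index.php").write_text("<?php echo 'constructed sample site'; ?>\n")
    (site / "wp-content" / "donors.csv").write_text("name,amount\nA. Donor,25\n")
    onsite, offsite = base / "onsite", base / "offsite"
    for label in ("20180101", "20180102", "20180103"):
        create_backup(site, onsite, label)
    removed = prune(onsite, keep=2)
    shipped = rotate_offsite(onsite, offsite, keep_sets=4)
    restore_backup(shipped, base / "restore")
    restored = (base / "restore" / "wp-content" / "donors.csv").read_text()
    shipped.write_bytes(b"bit rot or tampering")  # corrupt the off-site copy on purpose
    return {
        "removed_onsite": removed,
        "onsite_now": sorted(p.name for p in onsite.glob("site-*.tar.gz")),
        "shipped": shipped.name,
        "restored_ok": restored.startswith("name,amount"),
        "tampered_verifies": verify_backup(shipped),
    }

if __name__ == "__main__":
    print(demo_run())
```

The test restore in `demo_run` is the part most nonprofits skip: a backup that has never been restored is an assumption, not a safeguard. Run `restore_backup` against a scratch directory on a schedule, and treat a verification failure as an incident to investigate, not a file to delete.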


(Image caption: The Heartbleed bug is one of the most serious security exploits in recent years.)

Insecure forms

Maybe you’ve set up an online form to make it easier for donors to support your cause, or to build up your email subscriber list. These solutions are convenient – they cut down on clutter from paperwork and allow people to help your organization without physically mailing a check.

There’s also a chance that they’re putting you in serious danger.

Insecure forms pose a huge risk to nonprofit websites. One of the biggest mistakes you can make is to create a website with name, address, and e-mail forms that aren’t protected. When you ask for users to give you this information, you are asking them to trust you to keep it safe. Violating that trust can cause serious damage to your reputation and ability to attract supporters.

Data from your forms should be secured using the Secure Sockets Layer (SSL) encryption protocol or its successor, TLS. Encryption is especially important for login information on your website. Remember that even if your site uses encryption, the software providing it must be kept up to date and patched to prevent security exploits like Heartbleed, the SSL vulnerability that cost Target over $250 million in 2013. If you are gathering data that is governed by other laws, such as medical records or social security numbers, there are legal standards that you must abide by. Talk to your web development provider for more details about your specific forms and how to keep them secure.
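One way to check a site for the mistake described above, as an added example that is not from the original post or from any vendor it mentions: the script below parses a page’s HTML, resolves each form’s `action` against the page URL, and reports forms that would send visitor data without HTTPS, forms with sensitive fields on a page that was itself served over plain HTTP, and sensitive fields sent with GET (which lands them in server logs and browser history). The sample page URL, the sample HTML and the list of field-name hints are constructed assumptions. It is a static check only: it does not tell you whether the certificate is valid or whether the server’s TLS stack is patched, which the text above rightly says also matters.

```python
# Added example (not from the post): a static audit of the <form> elements in a
# page, flagging ones that would send visitor data in the clear. The page URL,
# HTML and field-name hints are constructed assumptions for the demo.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input types and name fragments that mark a field as something a visitor
# expects to be protected (login, contact and donation forms alike).
SENSITIVE_TYPES = {"password", "email", "tel"}
SENSITIVE_NAME_HINTS = ("email", "phone", "address", "card", "cvv", "ssn", "pass")


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and the fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""),
                             "method": attrs.get("method", "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["fields"].append({"name": attrs.get("name", "").lower(),
                                            "type": attrs.get("type", "text").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(field):
    return field["type"] in SENSITIVE_TYPES or any(h in field["name"] for h in SENSITIVE_NAME_HINTS)


def audit_forms(page_url, html_text):
    """Return one finding per problem found in the page's forms."""
    collector = FormCollector()
    collector.feed(html_text)
    findings = []
    for index, form in enumerate(collector.forms):
        # An empty action submits back to the page itself; urljoin covers that and relative paths.
        target = urljoin(page_url, form["action"])
        sensitive = sorted(f["name"] or f["type"] for f in form["fields"] if is_sensitive(f))
        if urlparse(target).scheme != "https":
            findings.append({"form": index, "issue": "submits over plain HTTP",
                             "target": target, "fields": sensitive})
        elif sensitive and urlparse(page_url).scheme != "https":
            # The form posts to https, but the page carrying it arrived over http, so the
            # form and its action could have been rewritten in transit before the visitor saw it.
            findings.append({"form": index, "issue": "sensitive form delivered over HTTP page",
                             "target": target, "fields": sensitive})
        if sensitive and form["method"] == "get":
            findings.append({"form": index, "issue": "sensitive fields sent with GET",
                             "target": target, "fields": sensitive})
    return findings


# Constructed sample: a support page with three forms; only the login form is set up correctly.
SAMPLE_PAGE_URL = "https://www.example.org/support-us"
SAMPLE_HTML = """
<form action="http://donate.example.org/give" method="post">
  <input name="cardnumber"> <input name="email" type="email"> <input type="submit">
</form>
<form action="/login" method="post">
  <input name="log"> <input name="pwd" type="password">
</form>
<form method="get">
  <input name="email" type="email"> <button>Subscribe</button>
</form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Running it on the sample reports the donation form (card number and e-mail posted to an `http://` URL) and the newsletter form (e-mail sent in a GET query string); the login form passes because its relative action resolves to the page’s own HTTPS origin. Feed it the rendered HTML of each page that collects data, not just the home page, since donation and sign-up forms often live on pages nobody checks.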

An Outdated CMS

Content management systems (CMS) like WordPress have made it a snap for organizations to easily manage individual pages, blogs, and graphics on their website. It’s also easy to find help for WordPress, since its popularity means there are many experts who specialize in the platform.

But if your CMS is not updated to its latest version, it can be bad news. Research shows that of the hundreds of millions of websites around the world that run WordPress, over 20% are using an outdated version, which leaves them vulnerable to attacks from hackers. Even worse, if your CMS is compromised, it’s not hard for a skilled hacker to steal data from your users, which means the impact of your outdated CMS could spread throughout your entire donor base.

Whether you use WordPress or another CMS, make sure that it is always up to date. This is something that your web development provider should be handling for you. It’s a simple step, but it can save you from a significant amount of trouble over the long haul.


Storing Credit Card Information

To paraphrase Nike, just don’t do it. While it’s legally possible to store credit card information on your website for recurring payments, it requires Payment Card Industry Data Security Standard (PCI-DSS) compliance, which brings about a whole slew of other concerns.

Your best bet for no-frills card processing is to use a third-party provider that you know is PCI compliant. Most credit card providers publish a list of payment providers that are compliant and secure, like Visa’s Global Registry of Service Providers.

A common misconception among nonprofits is that PCI-DSS compliance is only required for vendors that process credit card payments regularly. This is false: any organization of any size that takes any amount of credit card transactions must be PCI compliant.

Not only can storing credit card information on your website lead to an expensive PCI violation, but if your users have their credit card information stolen from your website, it’s going to be difficult to regain their trust to convince them to continue supporting your organization.

If you really feel strongly about storing credit card information on your website, ask your web development provider if it’s possible to do so under PCI-DSS guidelines. If your provider understands e-Commerce and online payments, they should be able to outline the steps necessary to safely store credit card information on your site.

Don’t Risk it!

When it comes to securing your website, it’s much better to be safe than sorry. Yes, updating your CMS or making backups might cost you some time and a bit of money, but the protection you gain from these efforts cannot be overstated. By safeguarding your website, you are also securing your nonprofit’s reputation and ability to continue to attract supporters.

Can you really put a price on that?

Wondering how to talk to your web designer about security? We’ve got you covered; just check this list of sample questions.

Cody Landefeld

co-founder at Mode Effect. ECommerce consultant. Coram deo.



1 Comment

  1. Shivam Sahu on January 13, 2018 at 11:17 pm

    Hi Cody,

    Indeed a great list of common WordPress security mistakes.

    A couple of days back I faced a situation where there were some unwanted ads being displayed on my blog, and that was something I did not install. When I inspected, I found that there was a lot of unwanted code that had been injected into the WordPress theme files and other main files.

    On further inspection I found out the following 3 things which were the reasons for this:

    1). Not updating the other WordPress installations, plugins and themes that are being run from the same hosting account if you are using shared hosting.
    2). Optimizepress 1.0 is known to have a security issue and they have released an update to it. This doesn’t update in the normal updates from your WordPress dashboard. You might want to update it manually, if you haven’t done it yet.

    3). Not Cleaning and optimizing your database periodically

    4). Leaving the default themes like twentyeleven etc. as it is and not updating them. This primarily happens if you are using a different theme and these default themes just remain there.

    5). Not uninstalling plugins that haven’t been updated for a long time by its creators.

    These are prone to attacks. A couple of solutions that I found were installing plugins like Wordfence or BulletProof Security or Better WP Security.
