By Chuck Spidell, a Nonprofit WordPress Security Expert with ILLUSIO. He helps women-led communications teams free up their time and lock down WordPress so it doesn’t get hacked.


If your nonprofit has a website, someone is always looking for a way to get in.

Dealing with a hacked WordPress website can be time-consuming, expensive, and emotionally draining. It’s not something you want to experience.

Once inside your site, a hacker can delete pages, plugins, and themes without anyone knowing. Your website can be hijacked with ads or taken down for days to months. The attacker may also demand cash from your organization to bring it back online.

Most nonprofits can’t afford to pay a $10,000 ransom every month because a hacker planted a virus on their site.

In this article, you’ll learn six ways to strengthen your nonprofit’s WordPress website to keep attacks like this from happening in the first place.

Why Strong Security Matters for Your Website

Security breaches and ransomware attacks are on the rise for nonprofits. Whether you’re a comms team of one or a large organization, strong WordPress security matters.

On most nonprofit websites, sensitive data is being passed through or temporarily stored in WordPress: name, email, address, and credit card numbers. This usually happens when a user fills out a donation form, becomes a member, or purchases a product. Your visitor’s personal information is valuable to hackers because it can be sold in bulk online for a lot of money.

Nonprofits Are Being Targeted by Hackers

One nonprofit, The Red Barn, had its website caught up in a larger, server-wide breach in which a group of hackers hijacked it. The nonprofit was in the middle of a fundraising event, and people were trying to purchase tickets during the attack.

The hack was so bad the organization had to remove their website, purchase a new domain name, and rebuild it from scratch in three days.

Imagine if you were a large organization that got its website hacked with hundreds of pages and thousands of documents. How many months would you lose trying to rebuild your site?

One of your goals should be to provide a great experience for the visitors on your website. If they get it, they’ll be loyal supporters and advocates of your mission.

Let’s dive into the six ways you can strengthen your website so you can protect your site from a breach in the first place.

1) Regularly update your plugins

One of the simplest ways to close back doors to hackers is by updating all of your WordPress plugins every month.

Hackers use software that can scan your website and make a list of all of your plugins. They’ll hunt for one that’s weak and can be easily compromised.

Security and maintenance fixes are released by WordPress every month. Developers who create the plugins also provide improvements and security patches.

Remember to keep all of your plugins and theme up to date. It’s one of the best ways to keep your website protected.

Tip: delete unused plugins

Log into your WordPress dashboard to look for any plugins that are disabled and aren’t being used. Delete them so nothing is stored on your website that might provide a way for hackers to get inside.

2) Spend more on premium web hosting

A second way to improve the security on your WordPress website is by switching from using cheap hosting to a high-quality provider.

With technology, you get what you pay for. It’s a good rule of thumb to spend a little more on your hosting service. You’ll have security extras for WordPress, faster speeds, and automatic daily backups.

Using cheap hosting might seem like a great way to save money, but discount web hosting providers cut corners on their security measures to keep the cost low.

Advantages of using premium web hosting:

  • Disk write protection: only authorized users are allowed to make changes on the web server, which keeps your WordPress files safe and secure.
  • Remote attack protection: anyone trying to create fake WordPress posts through the XML-RPC interface gets automatically blocked.
  • Uploads protection: WordPress files that allow your nonprofit’s team to upload files to the Media Library get an extra level of security to keep hackers out.
  • Virus scanning: if something happens with your nonprofit’s site, deep level scans and malware cleaning are included.

Tip: use WP Engine or Flywheel for hosting

Consider using a premium web hosting provider like WP Engine. They have full security measures, documentation, and native support for WordPress websites.

Flywheel is also a great choice if your nonprofit is looking for a host that’s fast and secure. They can also migrate your website for free, saving you a lot of time. Use nonprofit2019 to get 20% off all Flywheel plans, monthly or yearly.

3) Change the default username

A third way to protect your nonprofit’s WordPress from attacks is by changing the default username to something unique.

The WordPress login page is one of the first places an attacker will start looking for site weaknesses. They’ll use software that tries to guess your username (and password) many times, called a brute force attack.

If they do get in, code can be hidden inside your WordPress theme files and plugins. The attacker will be able to log in remotely and take over your website.

A hacker can do serious damage:

  • Delete pages, blog posts, or your theme
  • Take your site down and demand a ransom to bring it back online
  • Steal personal data from users
  • Install software that records what you type on your keyboard

The most common username their software will try using is “admin” or “administrator”.

Remember to change the default username to something unique so a hacker’s software won’t have a way to get inside.

Tip: control login page attempts

Consider using a plugin that limits how many times someone can use the WordPress login page. For example, if a user fails at logging in 10 times over five minutes – chances are it’s a hacker’s bot. If it has to wait 20-30 minutes, it’ll give up and move on to the next website. This will help reduce the number of brute force attacks that might happen.
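As an added example (not code from the article, nor from any plugin it mentions), here is a minimal WordPress must-use plugin that applies the thresholds from the tip: after 10 failed logins from one address within five minutes, that address is locked out of the login form for 20 minutes. It assumes the server’s REMOTE_ADDR is the real client address; behind a CDN or proxy you would read the provider’s documented client-IP header instead.

```php
<?php
// Added example: login attempt limiter as a must-use plugin (wp-content/mu-plugins/).
// Thresholds from the tip above: 10 failures in 5 minutes, then wait 20 minutes.
define('LAL_MAX_FAILURES', 10);
define('LAL_WINDOW_SECONDS', 5 * MINUTE_IN_SECONDS);
define('LAL_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS);

// Assumption: REMOTE_ADDR is the real client address (no proxy or CDN in front).
function lal_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient keys are derived from the IP so each address is tracked on its own.
function lal_key($prefix) {
    return $prefix . md5(lal_client_ip());
}
function lal_is_locked() {
    return get_transient(lal_key('lal_lock_')) !== false;
}

// Count failures per IP in a five-minute window that starts at the first failure.
add_action('wp_login_failed', function ($username) {
    if (lal_is_locked()) {
        return; // attempts during a lockout are already rejected below
    }
    $fail_key = lal_key('lal_fail_');
    $state    = get_transient($fail_key);
    if (!is_array($state) || time() - $state['first'] > LAL_WINDOW_SECONDS) {
        $state = array('first' => time(), 'count' => 0);
    }
    $state['count']++;
    set_transient($fail_key, $state, LAL_WINDOW_SECONDS);
    if ($state['count'] >= LAL_MAX_FAILURES) {
        set_transient(lal_key('lal_lock_'), time(), LAL_LOCKOUT_SECONDS);
        delete_transient($fail_key);
        error_log(sprintf('[lal] lockout for %s after %d failed logins',
            lal_client_ip(), $state['count']));
    }
});

// Refuse authentication while locked. Priority 30 runs after WordPress's own
// username/password check (priority 20), so the lockout overrides a valid login.
add_filter('authenticate', function ($user, $username, $password) {
    if (lal_is_locked()) {
        return new WP_Error('too_many_attempts',
            __('Too many failed login attempts. Please try again in 20 minutes.'));
    }
    return $user;
}, 30, 3);
```

The lockout entries are logged with error_log, so a monitoring plugin or the host’s log viewer can show which addresses are hammering the login page.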

4) Use long and complex passwords

A fourth way to keep hackers from finding a hidden way into your nonprofit’s WordPress website is by using strong passwords.

Hackers will use the same scanning software that can find your username to also sniff out short and weak passwords. Don’t make it easy for bots to guess yours and get inside.

Password examples to avoid:

  • admin123
  • Ilovemydog
  • pass
  • letmein

Remember to create complex passwords so your nonprofit’s WordPress website has a second layer of protection at the login page.

Tip: use a password generator

Use a generator that creates passwords that are made up of six or more words. This technique makes it very difficult for a hacker’s software to guess because the words are random and unique – making them resistant to attacks.

To create a password that’s complex but also easier to remember, use a combination of words with numbers that are spelled out. Use words that have a personal meaning to you. Separate each word with hyphens or underscores.

Examples of complex passwords:

  • momentum-beach-walking-three-hundred-steps
  • looking-happier-smile-faces-eighty-three-times
  • twenty-nineteen-sunsets-midnight-summer-river
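Added example, not from the article: a small PHP generator for hyphen-separated six-word passphrases like the ones above, together with a function that shows why the word count matters. The word list here is a short constructed stand-in; a real generator draws from a large list such as the EFF long word list (7,776 words), where six random words give roughly 77.5 bits of entropy.

```php
<?php
// Constructed stand-in word list for illustration. Entropy grows with list size,
// so a real generator uses a list of thousands of words, not twenty.
const SAMPLE_WORDS = array(
    'momentum', 'beach', 'walking', 'three', 'hundred', 'steps', 'looking',
    'happier', 'smile', 'faces', 'eighty', 'times', 'sunsets', 'midnight',
    'summer', 'river', 'twenty', 'nineteen', 'harbor', 'lantern',
);

// Pick $count words using random_int(), which is backed by the OS CSPRNG.
// Never use rand()/mt_rand() here: their output is predictable.
function generate_passphrase(array $words, $count = 6, $separator = '-') {
    if (count($words) < 2 || $count < 1) {
        throw new InvalidArgumentException('need a word list and a positive word count');
    }
    $chosen = array();
    for ($i = 0; $i < $count; $i++) {
        $chosen[] = $words[random_int(0, count($words) - 1)]; // drawn with replacement
    }
    return implode($separator, $chosen);
}

// Entropy in bits: each uniformly chosen word adds log2(list size) bits.
function passphrase_entropy_bits($list_size, $word_count) {
    return $word_count * log($list_size, 2);
}

// Guesses an attacker needs on average: half of all possible passphrases.
function average_guesses_to_crack($list_size, $word_count) {
    return pow($list_size, $word_count) / 2;
}

echo generate_passphrase(SAMPLE_WORDS), PHP_EOL;
printf("6 words from the %d-word sample list: %.1f bits, ~%.2e guesses\n",
    count(SAMPLE_WORDS), passphrase_entropy_bits(count(SAMPLE_WORDS), 6),
    average_guesses_to_crack(count(SAMPLE_WORDS), 6));
printf("6 words from a 7776-word list (EFF long list): %.1f bits, ~%.2e guesses\n",
    passphrase_entropy_bits(7776, 6), average_guesses_to_crack(7776, 6));
```

Adding a seventh word to a 7,776-word list adds another 12.9 bits, which is why the tip says “six or more”.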

5) Back up your website files every day

A fifth way to strengthen your WordPress website security is by making regular backups of your website files.

In case your website is ever compromised, you want to be able to go back and restore it before the incident happened. Making daily copies of your WordPress files off-site is almost like having a built-in security time machine.

WordPress files you want to save:

  • Database – the brain and circulatory system of your site
  • Theme – the look and feel of your website’s content
  • Plugins – components that add another level of functionality
  • Uploads – photos and documents that bring the theme to life

Remember to back up files off-site, either onto your computer or to a cloud-based service like Dropbox. The files will be safe since they’re not on the same web hosting server as your website.

Also, before adding new plugins to your website, make a backup so there’s a restore point in case something goes wrong or doesn’t work right.

Tip: automate your backups

To make the backup process simple, use a free plugin like UpdraftPlus. You can set a schedule and choose which files are backed up. Send the backups to an external service like Dropbox, Amazon S3, or Google.

6) Use a firewall

The sixth and final way to add an extra layer of security to your nonprofit’s WordPress website is using a firewall.

The main purpose of using a firewall is to block any suspicious activity from happening before it reaches your site.

How a firewall helps keep your website safe:

  • Blocks hackers in real-time
  • Mitigates and prevents distributed denial-of-service (DDoS) attacks
  • Adds virtual patching and hardening to WordPress
  • Stops brute force attempts from happening on the login page

Tip: monitor your website

If you’re a large organization and have a lot of active users on your WordPress website, consider using a security plugin that monitors WordPress activity. You’ll be able to see what’s been changed, troubleshoot problems, and spot behavior that looks suspicious to keep hacks from happening.

Recap of the six security measures

One of your goals should be providing an excellent and consistent browsing experience for your visitors. It doesn’t matter what size your organization is – strong security is important for the success of your nonprofit’s WordPress website.

Remember to close back doors and pathways a hacker might use to gain access to your website. Your visitors will thank you and be loyal supporters of your mission.

Here are the six security tips to remember:

  • Regularly update your plugins: every month so there are no hidden pathways for attackers to gain access to WordPress.
  • Spend more on premium web hosting: you’ll get stronger security measures and better site performance compared to cheap providers.
  • Change the default “admin” username: to something unique so it prevents brute force guessing attempts through your WordPress login page.
  • Use long and complex passwords: that are six words or more so it’s difficult for an attacker’s software to guess.
  • Back up your files every day: use a cloud-based service so you can restore your website in case an attack happens.
  • Install a firewall on your website: to add an extra layer of website protection and block attacks from even happening in the first place.

ILLUSIO’s custom WordPress Security Plans save you time and empower your team so you can focus on what matters the most.

If you’re a busy communications team leader who can’t keep up with managing your WordPress site, ILLUSIO can help you get unstuck:

  • Take the monthly website updates off your long to-do list and free up your time
  • Lock down WordPress to keep your website safe from attacks
  • Provide ongoing support with WordPress so you’re not on your own
  • Monthly one-on-one video training so your team feels confident using WordPress