By Heather Mansfield, founder and editor-in-chief of Nonprofit Tech for Good


According to the 2023 Nonprofit Tech for Good Report, 27% of nonprofits worldwide have experienced a cyberattack (email phishing, website hacking, ransomware, social media attack, etc.). Cybersecurity at your nonprofit must be a priority in 2023. Below are five simple best practices for your nonprofit to ensure that your staff and your digital marketing and fundraising campaigns are safe and protected.

1) Use a premium hosting service for your website.

Inexpensive website hosting is tempting for nonprofits on a limited budget, but eventually the high price of low-cost hosting becomes evident. Budget hosting companies often have poor security practices: no basic firewall, no malware scanning, and little or no protection against DDoS attacks. Customer service can be unreliable and slow to respond. If your website has been taken offline or your data compromised in a cyberattack, you are going to need fast-responding, knowledgeable support.

For many years Nonprofit Tech for Good used a budget website hosting company for $12 a month, but by 2020 our website downtime became significant and our email opt-in forms overrun with spam bot subscribers. We had to move to a premium website hosting company and upgraded to a $96 a month plan. Since then, our site has experienced zero downtime, no more bot email subscribers, and customer service is exceptional.

Budget website hosting also tends to mean slow load times, which hurt your nonprofit’s search engine optimization (SEO) and make for a poor user experience for your donors and supporters. Since our upgrade to a premium website hosting service, the speed of Nonprofit Tech for Good has improved to 98/100 in Google PageSpeed Insights for desktop and as a result, Google Search is once again our top source for referral traffic.

A screenshot of Google PageSpeed Insights reflecting a performance score of 98 out of 100.

Another benefit of premium website hosting is automatic daily backups of your website, stored separately from the web server itself. If necessary, a previous version of your website can usually be restored with one click; it is worth doing a test restore once, so you know the process works before you need it in an emergency. A faulty WordPress plugin, for example, that “breaks” part of your website may require you to restore your website to a version from before the plugin was installed.

Finally, the monthly fees of premium hosting almost always include a TLS/SSL certificate (the padlock and https:// in the browser) and a content delivery network (CDN), both of which are essential to hosting a website on today’s internet. Safety, speed, and peace of mind are the hallmarks of premium website hosting.

2) Require a double opt-in subscription process for your email list(s).

HubSpot defines double opt-in as a subscription process in which a user signs up for email marketing and then confirms the subscription via a separate email or landing page before being officially added to the list. If your nonprofit is still using a single opt-in process, there are three very important reasons to enable double opt-in:

  1. Subscribers added to your list(s) via double opt-in have confirmed that they want your emails, so your messages are much more likely to land in their Inbox rather than be filtered into spam.
  2. Spam bots rarely make it onto your list(s), because a bot that signs up with an address it does not control can never click the confirmation link, which spares you the costly and time-consuming cleanup after an email spam bot attack.
  3. Fake or unengaged subscribers drive down your open and click rates, and a low click rate harms your email sender reputation; double opt-in keeps them off the list in the first place.

Nonprofit Tech for Good uses MailChimp for our email marketing and we have enabled double opt-in. If you are not already subscribed to our list, you can subscribe to experience the double opt-in process.

An example of a MailChimp double opt-in confirmation for nonprofits
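To make the mechanics concrete, here is a minimal server-side implementation of the double opt-in flow in Python. It is an added example written for this post, not MailChimp’s or HubSpot’s code: the list name, the confirmation URL on example.org, the sample addresses and the hard-coded key are all placeholders. The point to notice is that a form submission by itself adds nobody to the list; only a click on a link that was delivered to that inbox does, and the link cannot be edited to confirm a different address, reused after confirmation, or clicked after it expires.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Set
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder key for this example only. A real deployment loads the key
# from the environment or a secrets manager and never commits it to code.
SERVER_SECRET = b"example-only-key-do-not-reuse"
LINK_TTL_SECONDS = 48 * 3600  # a link that is not clicked within 48 hours is dead


def _signature(email: str, list_id: str, expires: int) -> str:
    """HMAC-SHA256 over every field the link carries, so none can be edited."""
    msg = f"{email}|{list_id}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class MailingList:
    """Minimal double opt-in: an address is only on the list once the
    confirmation link sent to that inbox has been clicked."""

    def __init__(self, list_id: str, base_url: str = "https://example.org/confirm"):
        self.list_id = list_id
        self.base_url = base_url  # hypothetical confirmation endpoint
        self._pending: Set[str] = set()
        self._confirmed: List[str] = []

    def signup(self, email: str, now: Optional[int] = None) -> str:
        """Step 1, the form submission: record the address as pending and
        return the link that would be emailed to it. The list is unchanged."""
        email = email.strip().lower()
        now = int(time.time()) if now is None else now
        expires = now + LINK_TTL_SECONDS
        self._pending.add(email)
        query = urlencode({
            "email": email,
            "list": self.list_id,
            "exp": expires,
            "sig": _signature(email, self.list_id, expires),
        })
        return f"{self.base_url}?{query}"

    def confirm(self, url: str, now: Optional[int] = None) -> str:
        """Step 2, the click from the inbox. Returns 'confirmed', 'invalid'
        (malformed, forged or edited link), 'expired' or 'unknown'."""
        now = int(time.time()) if now is None else now
        params = parse_qs(urlparse(url).query)
        try:
            email = params["email"][0]
            list_id = params["list"][0]
            expires = int(params["exp"][0])
            sig = params["sig"][0]
        except (KeyError, ValueError):
            return "invalid"
        # Constant-time comparison: a link with any field changed fails here.
        if list_id != self.list_id or not hmac.compare_digest(
            sig, _signature(email, list_id, expires)
        ):
            return "invalid"
        if now > expires:
            return "expired"
        if email not in self._pending:
            return "unknown"  # never signed up, or already confirmed
        self._pending.discard(email)
        self._confirmed.append(email)
        return "confirmed"

    def confirmed(self) -> List[str]:
        """Only these addresses ever receive a campaign."""
        return list(self._confirmed)


if __name__ == "__main__":
    ml = MailingList("newsletter")
    link = ml.signup("donor@example.com")  # constructed sample address
    print("after signup:", ml.confirmed())  # nobody is on the list yet
    print(ml.confirm(link), ml.confirmed())
```

Email platforms add rate limiting and CAPTCHA on the form as well, but the signed, expiring link is the part that makes a bot’s fake addresses harmless: an address the bot cannot read never receives a click.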

3) Enable two-factor authentication for all social media accounts.

Two-factor authentication (2FA), also known as two-step verification, is a security process that requires a second proof of identity, typically a one-time security code from an authenticator app or text message, each time someone tries to sign in to a social media site from an unrecognized browser or mobile device. 2FA is the easiest way to prevent your social media accounts from being accessed by unauthorized users, because a stolen or guessed password alone is no longer enough to get in.

Nearly every social media platform offers 2FA, as do most digital marketing platforms, such as WordPress, MailChimp, Windows 365, etc. While 2FA may seem cumbersome at first, the process quickly becomes routine. The chances of your social media accounts getting hacked are slim, and with 2FA enabled a takeover becomes far harder still. Where the platform gives you the choice, prefer an authenticator app or a hardware security key over codes sent by SMS, which can be intercepted by SIM-swapping, and keep the backup codes the platform issues in your password manager.

To begin, go to your personal profile on Facebook.com > Settings & privacy > Protecting yourself and your information > Two-factor authentication and set it up for Facebook and Instagram. Once completed, visit the security settings on every other social media platform that you and your nonprofit use and turn on 2FA there too.

A screenshot of Meta’s new Privacy Settings for Facebook and Instagram

4) Use a password management tool.

True confession: Nonprofit Tech for Good neglected our passwords for many years. We used simple passwords that could have been easily guessed by AI and we had the bad habit of using the same password for multiple websites. It was just a matter of time until a problem would arise.

In December, we spent multiple days updating our passwords for 50+ websites using a password management tool. It was tedious, but now our passwords are complex and no one password is repeated. In an age of rapidly increasing cybercrime, your passwords are your first defense against a data breach.

Sign up for a password management tool. Nonprofits tend to be too thrifty when it comes to tech, but a premium version at a cost of $4-8 a month per user is an excellent investment: it generates and remembers a long, unique password for every site, so no password ever has to be reused, and it can share logins with staff without passing them around by email.

Screenshot of the home page of 1Password

5) Update your software often and back up your data daily.

Most constituent relationship management (CRM) software is cloud-based, so software updates and backups of your donor data are handled automatically by the CRM company. The same is true of most other software nonprofits use, such as Dropbox, Canva, and Gmail, which is hosted in the cloud and requires no maintenance on your end. Cloud hosting does not, however, take the account itself off your hands: the vendor patches and backs up its service, but protecting the logins (see 2FA above), removing access when staff leave, and keeping your own export of the donor data remain your responsibility.

The files on your computer(s), however, do require a backup service, such as Carbonite or iDrive. Once configured, daily backups are automatic. Keep the operating system and browser on each computer updated as well, and on your website keep WordPress itself and its plugins updated; turning on automatic updates is the simplest way to do it. It is also wise to subscribe to anti-virus software for your computer(s), such as Bitdefender or Norton, to protect yourself from malware (viruses, spyware, ransomware) and from the phishing scams that deliver it.

In conclusion, these five cybersecurity best practices are a good start, but they mostly focus on the individual side of cybersecurity. Your organization needs a deeper understanding of the current threats, a written cybersecurity plan, and training and education to get all staff on board. No easy task, but an essential one for all nonprofits in the years to come.


Our Certificate in Digital Marketing & Fundraising program covers the fundamentals of website design, email marketing, online fundraising, and social media for nonprofits.

The program requires the completion of three webinars and costs a total of $100 USD. To earn the certificate, you can attend the webinars live or view the recordings – or a combination of both. Learn more & register!