Many nonprofit organizations sign up for WordPress so that they can create a professional-looking website to spread awareness about their cause. It is estimated that over 409 million people visit 20 billion WordPress web pages each month, which makes it one of the most popular content management systems in the world.
Because of this, it's not unusual for hackers to target sites built with WordPress and try to exploit their hidden vulnerabilities. Fortunately, there are various steps your nonprofit organization can take to make your WordPress site more secure. Here are ten tips that will make your website less vulnerable to users with a malicious agenda.
1. Back Up Your Website Before Major Changes
Before you begin implementing different security measures, remember to make a backup of the website. It's always a good idea to back up your website's code as a general precaution whenever you plan to make major changes such as changing the theme or installing a complicated plugin. Besides creating manual backups yourself and storing the code somewhere safe, you can also contact the website hosting provider and ask if there is an option to automatically schedule routine backups as insurance.
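A backup routine of the kind this tip describes, as an added example that is not code from the original post: it archives the WordPress document root, records a checksum so a truncated or altered archive is caught at restore time, and optionally dumps the database. The paths, the optional database argument and the use of mysqldump are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: timestamped backup of a
# WordPress site's files (and optionally its database) before a theme or
# plugin change. Assumptions: the first argument is the WordPress document
# root, the second is a backup location outside the web root, and the optional
# third is a database name for mysqldump (credentials taken from ~/.my.cnf).
set -eu

backup_site() {
    site_dir=$1
    backup_dir=$2
    db_name=${3:-}
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$backup_dir"
    archive="$backup_dir/wordpress-files-$stamp.tar.gz"

    # Archive the whole document root, including wp-config.php and wp-content.
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"

    # Record a checksum so a truncated or tampered archive is caught at restore time.
    sha256sum "$archive" > "$archive.sha256"

    # Dump the database only when a name was given; fail loudly rather than
    # silently producing an archive with no database behind it.
    if [ -n "$db_name" ]; then
        mysqldump --single-transaction "$db_name" > "$backup_dir/wordpress-db-$stamp.sql"
        gzip "$backup_dir/wordpress-db-$stamp.sql"
    fi

    # Backups hold credentials and user data: keep them unreadable to other accounts.
    chmod 600 "$backup_dir"/*-"$stamp".*
    echo "$archive"
}

# Usage: backup_site /var/www/html /var/backups/wordpress [wordpress_db]
```

Restore by extracting the archive after checking it with `sha256sum -c`; keep the backup directory off the web root so it is never served to visitors.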
2. Secure the WordPress Admin and Login
The best way to prevent someone from tampering with your nonprofit website is to secure the WordPress admin and login area. You can do this by limiting the number of failed login attempts and installing a plugin that records the IP address of the computer making each attempt. The plugin can then block that IP address if there are multiple failed attempts and the activity looks suspicious. You can also change the default wp-admin login URL to something more discreet, since many hackers know that the default login URL for almost every WordPress site is "domain.com/wp-admin".
3. Remove the WordPress Version From the Website
While you are renaming the admin section, you should strongly consider removing the specific WordPress version from the website if it's visible online. An older version of the software shows others that the website is outdated and could be a potential backdoor for hackers. If you don't know how to remove this from your nonprofit WordPress website, please consider hiring an experienced agency that specializes in your specific industry.
4. Rename the Website Database to a Unique Name
Another tip is to rename the website database and its table prefix so that no one else can gain access to the website's private database. Since it's widely known that 'wp_' is the default prefix, choose a unique combination of characters to replace it that would be extremely difficult for someone else to guess.
5. Set Up and Enable Two-Factor Authentication
Two-factor authentication adds an extra layer of protection for your organization's website against outsiders. It is an additional step that keeps accounts secure by requiring the user to know a login password and a secondary key or code that's usually sent to a registered phone number or email address. The best part about this strategy is that even if someone correctly guesses your password, it is highly unlikely that they'll also have access to the contact information tied to the account. Once two-factor authentication is enabled, only people who are trusted with the website's login information and the secondary code will be able to access the site.
6. Update and Restrict the Website's File and Server Permissions
Next, you can restrict user permissions so that only certain people can manage files and create folders on the server. Permissions dictate what users can do with a file and come in three levels: execute, write, and read. Users with execute permission have full access to the directory and can run scripts or programs inside a file or folder. A user who was granted write permission can alter and edit files. Meanwhile, people who were designated read-only are simply allowed to view the contents of the directory without making any changes. Update permissions with caution: if the change is done incorrectly, it can block WordPress from running certain scripts or opening folders.
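The audit-then-tighten routine this tip describes, as an added example that is not code from the original post: it counts files that every account on the server could modify, then applies the commonly recommended WordPress baseline (755 for directories, 644 for files) and locks down wp-config.php, which holds the database credentials. The document-root argument and the assumption that the web server only needs to read the files are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress document
# root for files that any account on the server can modify, then apply the
# commonly recommended baseline (755 for directories, 644 for files) and lock
# down wp-config.php, which holds the database credentials. Assumption: the
# argument is the document root and the web server only needs to read it.
set -eu

# Count files and directories writable by "other" (mode bit 002): anything
# counted here can be altered by every account on a shared server.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Apply the baseline. Files stay writable by their owning account, which is
# what WordPress needs when it writes to wp-content/uploads.
harden_permissions() {
    site_dir=$1
    find "$site_dir" -type d -exec chmod 755 {} +
    find "$site_dir" -type f -exec chmod 644 {} +
    # wp-config.php is not served to visitors and WordPress does not write it
    # after installation, so only the owner needs to read it. Where PHP runs as
    # a different user than the file owner, use 640 with the web server's group.
    if [ -f "$site_dir/wp-config.php" ]; then
        chmod 600 "$site_dir/wp-config.php"
    fi
}

# Usage: count_world_writable /var/www/html; harden_permissions /var/www/html
```

Run the count before and after the change: a non-zero result afterwards points at a file or folder that still needs attention, and a site that stops working afterwards usually means the web server runs as a different user than the file owner.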
7. Choose a Secure Website Hosting Company
Another way to protect your nonprofit organization's website against virtual threats is to use a hosting company that specializes in WordPress security. Ideally, the best website hosting vendor would have updated, high-quality servers and virtually no downtime. The service provider should also be configured with the safest networking, firewalls, and file transfer encryption protocols to prevent outsiders from accessing your organization's private content. Contact different vendors and compare their rates and service offerings before making a selection.
8. Update the Website's PHP (Hypertext Preprocessor) Version
WordPress is created with a programming and scripting language called PHP. It's generally recommended that an up-to-date, well-designed nonprofit WordPress website should use the 7.3, 7.4, or the latest 8.0 PHP version so that it's as fast and secure as possible. Websites that run on older versions may run more slowly and be more vulnerable to outside cyber threats.
9. Reset Your Passwords Often
When was the last time you changed the website's login password? Do you think it may be scribbled down on a note somewhere or in an area where people who are not in your organization may have access to it? If you can't remember, it's better to be safe than sorry and update it! If possible, try to reset the password at least every six months or once a quarter. You and the rest of your team can also decide if you'd like every user or staff account to change their own individual passwords as well.
10. Update the Website Themes and Plugins
Lastly, remember to update the website's plugins and themes so you're only using the latest versions. This protects you from bugs or security issues in outdated plugins. Very old plugins can also slow the website down and become a vulnerable entry point for hackers.
Please contact us today to learn more about how to keep your nonprofit's WordPress site secure.