
Website Security Best Practices

Most of the people visiting your organization’s website have the best intentions. They’re looking to learn about your programs, gain information from your resources, or find ways to get involved. But there are exceptions to every rule, and that’s where website security comes in. Whether your nonprofit is launching a new website, or just looking to protect its current one, here’s a rundown of steps you can take to keep things secure.


Keep your plugins up to date and make sure you’re running the latest versions. As hackers discover new ways to breach sites, plugin and core version updates ship security patches that close those holes. You should get alerts when these updates are ready, but you can also schedule monthly reminders to check manually. We suggest setting up a testing (staging) copy of your site where you can install these updates first and make sure nothing goes awry. Once you know they don’t cause any functionality issues, you can apply the same updates to the live version of your website.

Hosting your website on a managed hosting solution like WP Engine means there’s someone doing the monitoring for you and will let you know if there’s a big issue. There are security monitoring plugins that can alert you as well.


It’s important to understand that the vast majority of hacking attempts against a site like yours are just bots hitting your login page with the most common user names and passwords. First, never use ‘admin’ as your user name. That gives hackers half of what they need to gain access to your site. Second, use a secure password. The most important quality of a good password is length. We suggest a sentence made of a few words that is easy to remember, as opposed to a confusing series of letters, numbers, and special characters.

It may seem obvious, but don’t write your user name and password on a sticky note and leave it on your monitor. You never know who else has access to your office. If you are accessing your site on a public computer, make sure to use incognito or private mode so the browser doesn’t save and then autofill your user name and password when the next person uses the computer.


Even with passwords that are well thought out, you can take a few extra precautions to maintain website security. Installing Google reCAPTCHA on the login form is a great additional way to let administrators in and keep bots out. By requiring that users check a box or enter a series of letters and numbers shown on screen you can be extra sure that it’s real people who are signing in. For small teams with very few administrators it can also be useful to set up email alerts that are triggered when someone logs in. This can work for solo administrators too – if you’re not doing the work yourself at that very moment, and you get an alert, then you know something suspicious is going on.

Another easy step is limiting who has access to your site. Audit your admin access list regularly to make sure everyone with a login is still employed at your organization. By making sure the right people have the right permissions, and that old admins are removed, you reduce the number of accounts that can be compromised.

While nothing can guarantee complete website security, by following these guidelines you can reduce the risk that your site will be hacked and you can become a more informed administrator. If you want more information about keeping your website secure, reach out to the Firefly team today.


