If your website is the front door to your church, then having your website hacked or defaced is like someone coming and spray painting all over your church’s front door or sign. You wouldn’t want that to happen. Unfortunately, there are many people who would love to hack your church’s site, whether to simply vandalize it, try to steal information, or to use the server as part of a botnet.
WordPress is a fantastic and very popular platform for hosting your church website, but because it’s so popular, it’s a big target for hackers. (See this article from Ars Technica for more information on a WordPress botnet.) Fortunately, there are some simple things you can do to help secure your church’s WordPress website.
1. Keep WordPress Updated
WordPress is open-source software, meaning that many people are invested in finding vulnerabilities. When security holes are found – as they will be in any large piece of software – security patches are released. You can update WordPress from your website’s admin panel. Look under the Dashboard link on the left side and if there’s a circle with a number in it next to “Updates”, then a plugin, theme, or WordPress itself needs updating. Updating should be a quick and painless process. Absolutely keep your WordPress installation, active theme, and any activated plugins up to date.
2. Use Good Passwords
This goes for everything you do online! If you’re using insecure passwords anywhere, everything you do online is potentially vulnerable, particularly if your email is hacked. Make sure you’re using a good password for accessing your website. Your church name, pastor’s name, or city name are all excellent examples of bad passwords. Sadly, so is “JesusLovesYou.” Same goes for your email accounts and your account with your hosting company, since if someone hacks these, they get the ability to reset your website password and other passwords from there.
3. WordPress Security Plugins
If you’re using WordPress to host your church website, there are two plugins in particular that are a good idea for security. First, Limit Login Attempts. This will help to stop brute force attacks on your site where a computer or person simply keeps entering passwords over and over until they get it right and gain access. Oddly, WordPress doesn’t do this on its own, but this plugin is quite straightforward and easy to set up.
Second, you should install Better WP Security. This plugin is much more comprehensive. It takes about 20 minutes to set up, but it closes a lot of potential holes in your WordPress installation. It walks you through the setup, including backing up your database. There’s a whole list of things that this plugin patches, some of which are essential and some of which might potentially conflict with certain themes or plugins, so be sure to read the directions carefully as you’re going through setup.
Thirdly, it’s also a good idea to be regularly backing up your entire WordPress site. There are many plugins that can do this, but I’m personally using one called WordPress Backup to Dropbox (WP2DB). Assuming you have a Dropbox account (and if you don’t, you should!), WP2DB automatically puts a copy of your entire website into a folder in your Dropbox. You set when and how often you want it backed up, and you can exclude some files from being backed up if you want. Even if you’re not hacked, this is great security against you accidentally messing something up!
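To see whether your site is receiving the kind of brute force traffic that Limit Login Attempts is meant to stop, the script below (an added example, not part of the original article or of any plugin's code) scans web server access-log lines for many failed logins from one address in a short time. The log lines are constructed samples, and the thresholds, the function names, and the assumption that a failed WordPress login returns HTTP 200 while a successful one redirects with 302 are illustrative defaults to check against your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the start of an Apache/Nginx "combined" format access-log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def _line(ip, hhmmss, status, path="/wp-login.php", method="POST"):
    """Build one constructed log line (hypothetical helper for the sample data)."""
    return (f'{ip} - - [10/Mar/2024:{hhmmss} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3120 "-" "Mozilla/5.0"')


# Constructed sample traffic using documentation-only IP ranges (not real data).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"02:14:{s:02d}", 200) for s in range(0, 48, 6)]  # 8 failures in 42 s
    + [_line("198.51.100.20", "09:00:05", 200),                             # one typo...
       _line("198.51.100.20", "09:00:20", 302)]                             # ...then a good login
    + [_line("198.51.100.20", "09:01:00", 200, path="/", method="GET")]     # normal page view
    + [_line("192.0.2.44", f"11:{m:02d}:00", 200) for m in (0, 10, 20)]     # 3 failures, far apart
)


def find_bruteforce_ips(log_text, max_attempts=5, window=timedelta(minutes=5)):
    """Return {ip: peak failures} for IPs with more than max_attempts failed logins in window."""
    recent = defaultdict(deque)   # per-IP timestamps of recent failed logins
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        if status != "200":       # assumption: 200 = login form shown again = failed attempt
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:   # drop attempts that fell out of the window
            attempts.popleft()
        if len(attempts) > max_attempts:
            flagged[ip] = max(flagged.get(ip, 0), len(attempts))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce_ips(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 5 minutes")
```

An address that shows up here is one a login limiter would have locked out; the person who mistyped a password once and the slow, spread-out attempts are not flagged.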
There are many other tips on WordPress security available online, but hopefully these will get you started. Remember, the time to take care of security and backups is before something goes wrong!