Cybersecurity for Nonprofits: 9 Ways To Secure Your Site

Cybersecurity for nonprofits is a trending topic, especially as cyber attacks are getting more and more sophisticated. Cyber attacks use computers and networks for nefarious activities and include things like hacking and data breaches, phishing, malware, and ransomware attacks.

Is your nonprofit website secure enough to withstand cyber attacks?

Your website is the face of your nonprofit organization. It also contains valuable data that is irresistible to hackers and cyber terrorists. To protect this data and your reputation, you need to take steps to secure your website.

How important is cybersecurity for nonprofits?

Website security is important to every organization, no matter the size. A common myth is that small nonprofits don’t really need to worry about attacks since hackers want to go after big organizations for bigger payouts.

This mentality is a huge help to cyber thieves since it makes smaller organizations feel safe enough to ignore security. In reality, this just makes them easy targets – Almost half of cyber attacks are against small businesses.

Cyber attacks can have huge consequences for your organization. Even a small attack can make your supporters lose faith in your ability to protect their data, and opens you up to lawsuits, and a large attack can put an end to your organization altogether.

How do I make my nonprofit website more secure?

Nonprofit website security requires more than a one-step solution. You have to protect your website from multiple angles, and monitor your website over time to ensure it stays secure. We have created this list of nine ways to boost your nonprofit website’s cybersecurity to help guide you through the process.

1. Install an SSL certificate and use HTTPS

It wasn’t long ago that a Secure Sockets Layer (SSL) certificate was considered optional for websites. That is no longer the case. If your website collects email addresses, donations, or any other information from supporters, the SSL certificate is what wraps that sensitive information in a layer of encryption so that no one else can read it.

Understanding this, it is clear why you need SSL certificates. They are so important that Google penalizes websites without an SSL certificate by putting up a security warning to users who try to visit. Of course, search rankings are also dropped since Google is actively encouraging people away from unsecured websites.

Once the certificate is installed and working correctly, your website will begin with https instead of the old http. You will need to do a little additional setup on most sites to redirect traffic to the new https address. WordPress users can do this with a plugin.

2. Make it hard to login

The login page is a notorious weak spot on most websites. Especially for WordPress websites, since you can easily access the login page by adding /wp-admin to the end of the URL; you’re basically showing users the back door on your website. Following these steps to secure your login page goes a long way to creating a secure website:

  • Use hard to guess usernames – One of the first things you should do after creating your WordPress website is to change the “Admin” username. Instead, choose a unique username for each of your admins, and try to make it a little hard to guess.
  • Use strong passwords – Hackers and their bots are really good at cracking passwords. If your password is short, simple, or contains personal information, it won’t present any kind of challenge for hackers to guess. Instead, use strong password generators or memorable long phrases (i.e. The Bills are a Football team from Buffalo!)
  • Limit the number of times a user can attempt to login – One of the easiest ways to gain access to a website is to set a bot to try one password after another until they find the right one. By limiting the number of attempts, you prevent this attack from working.
  • Enable two-factor authentication – There are many ways to enable two-factor authentication that are easy for your actual admins to use, but make it almost impossible for unauthorized users to bypass.

3. Update your website software often

Over time, software of any kind will be outdated. When this happens, it creates cybersecurity holes that can be used to gain access to your website data. Just like updating Microsoft Office on your PC prevents hacking on your local computer, updating plugins will avoid hacking on your website. It is important to keep your website software and PHP version up to date to avoid this.

One word of caution: Make sure you backup your website before updating to prevent any unintended issues. For WordPress users, this also applies to updating plugins.

Need help keeping the plugins updated? Cornershop Creative, and other vendors, offer affordable maintenance services to keep your website updated and secure.

4. Monitor themes and plugins

Speaking of plugins, WordPress users need to take extra steps to secure their plugins and make sure they are only using safe plugins to begin with. Though plugins can add huge functionality to your website, they can also create security risks when not chosen and monitored carefully.

  • Be careful when installing plugins – It’s shady, but some plugins are made by cyber attackers, for cyber attacks. Make sure you only install plugins made by authors you trust.
  • Only install plugins you will actively use – Unused and outdated plugins become easy access points for hackers. Deleting unused plugins will help with security and overall site performance,
  • Update plugins along with your WordPress version – plugins should be updated regularly to remain secure and effective. Many plugins offer an auto-update option which you can enable. Before updating, be sure to check that the update will be compatible with the version of WordPress you are running.

The same tips can be applied when choosing and using themes. Themes need to be updated occasionally, and you should make sure you are only using themes from sources you trust.

5. Backup your website often

Ok, we admit that having backups of your website won’t really make your website more secure. What it will do is boost your nonprofit website’s security!

By creating backups on a regular basis you are securing yourself against having to start from scratch if anything happens to your website. If anything bad happens, be it due to an attack, a bad update, or even a content mistake, you can restore a backup and have your website up and running again in no time.

6. Prevent unwanted access to website files

This is another tip specific to WordPress users, but since WordPress is the most popular website builder, there’s a pretty good chance it applies to your website.

There are two files created with WordPress websites that need to be secured to protect your data. They are:

  • wp-config.php File – This file contains important information about your website, including the authorization keys. Your host should suppress this file automatically. You can check on this by searching [your URL]/wp-config.php. If you are able to view this file then the host is not doing a great job, and you should get a new host.
  • XML-RPC – This file allows access into your website. It can be helpful if you are using services like JetPack, but does present a cybersecurity concern. If you are not using it, this file should be disabled.

7. Make sure your hosting is secure

There are a lot of website services where you can safely look for a bargain – Your hosting is not one of them. Having a secure server is one of the most important factors in having a secure website. After all, what good does it do for you to make all the security upgrades to your website, only to have your host open the door wide to attackers?

You can find secure hosting through careful research: read reviews, talk to an expert, and talk to other website owners. You can also chat with the support desk at a host you are considering. If they can’t or won’t offer good answers to security questions, take your money elsewhere.

8. Reduce risks for SPAM and malware

A website, like a house, has plenty of potential entry points. Your goal is to close as many of these as possible. Preventing SPAM and malware with these tips will help:

  • Disable comments – SPAM comments aren’t just annoying, they are a serious risk. Every link left on your website is like a bridge for search engine crawlers like Google. If you have too many SPAM links, your website will drop in rank by association. Unless you are actively engaging and monitoring comments, it is best to disable them completely.
  • Add captcha or other verification to forms – Bots are great at filling out forms. Shut them out by adding simple verification to each of your forms.
  • Restrict file uploads – Only trusted — i.e. logged-in — users should be allowed to upload files on your website. If you are accepting files from users, you should have a screening process in place to check files before they become available on your website.
  • Use a firewall – A firewall provides an extra layer of protection by preventing certain types of traffic from reaching your website. There are different types of firewalls available, so do your research to find the best one for your host and website. At Cornershop, we are a fan of the WordFence Security plugin, though there are great products from Cloudflare and Sucuri.

9. Use security scanning and monitoring tools

Though most of the tips in this list are for prevention, this one is all about follow up and monitoring. To maintain their cybersecurity over time, nonprofits need to constantly monitor their website activity.

WordPress users can install security plugins like WordFence. Once installed, it will monitor your website activity and send alerts about anything suspicious.

There are also security monitoring software options for non-WordPress websites. Make sure to do careful research to find the best option for your needs.

Some of these things are easy for you to implement yourself internally. For the more technical cybersecurity tasks, remember you can always contact Cornershop for help and support!

How can my nonprofit afford cybersecurity upgrades?

Website security upgrades are incredibly important, but sometimes come with a large price tag. It can be tempting to skimp on security to save these costs, but that mindset puts your entire organization at risk.

You have a responsibility to protect your data, including your users’ information. Data breaches can result in a loss of important information, damage to the credibility of your organization, and even lawsuits from supporters who have their information stolen. The best thing you can do is take proactive action to prevent attacks of any kind.

Luckily, nonprofit security is a recognized issue, and several grant programs have been created to help.

Recently, Governor Hochul announced that $96 million would be dedicated to helping New York based nonprofits improve security, including cybersecurity and security training. Nonprofits in New York can submit proposals for up to $50,000 each. These funds are made available through the Federal Emergency Management Agency’s (FEMA) Nonprofit Security Grant Program.

Other programs are in place through FEMA, including a State and Local Cybersecurity Grant Program (SLCGP) which allows the federal government to distribute funds to local states or territories, which in turn distributes funds to eligible nonprofits.

Once you lock in a grant, our Complete Security package can help you use it to make sure your site (and your community, organization, and staff by extension) is safe and secure for the long term. It includes:

  • A Security Audit where we investigate the backend of your site to identify security vulnerabilities and give you an actionable list of fixes
  • Security Improvements, including up to 20 hours of addressing security vulnerabilities that are identified during the audit
  • User account maintenance to review your administrator accounts each quarter and ensure the right people have access
  • Configuration of Two Factor Authentication to improve security on your website, hosting, and domain accounts
  • 1Password Setup & Configuration so you can start storing secure passwords with ease
  • Website Security Training & 1Password Training to teach you how to implement web security best practices and use your new 1Password account
  • Cloudflare Web Application Firewall (WAF) + Super Bot Fight Mode to take your website security a step further and protect your site from SQL injection, cross-site scripting, bot traffic, and zero-day attacks
  • Ongoing Maintenance of your WordPress website to ensure your site is never compromised with outdated tools
  • Monthly DMARC Monitoring. Did you know that others could be spoofing your domain and claiming to send email on your behalf? We’ll work to make sure that isn’t happening and resolve it, if it is.

Already have some of the above implemented on your site? Well done! We can help you level up by helping out with any of the above services through an à la carte approach.


Cybersecurity is essential for nonprofits, since it is what keeps you from getting hacked, losing valuable data, and getting into legal troubles. With more and more grant programs being created to help nonprofits, it’s a great time to submit your grant proposals and make plans to upgrade security throughout your organization.


Ira is the cofounder of Cornershop Creative. With more than twenty years of experience, Ira is an expert in nonprofit online communications and digital fundraising. Ira has worked with hundreds of nonprofit organizations to improve their websites, increase engagement, and bolster fundraising support. Ira oversees all operations at Cornershop, while working with clients to effectively meet their goals. Prior to founding Cornershop, Ira previously worked in communications and fundraising with Firefly Partners, Free Press, Grassroots Campaigns, the Fund for Public Interest, and American Jewish World Service.