Charities are more likely to have poor website security than organisations in other sectors, according to the Web Application Annual Security Report 2009 which was published this week. What kind of insecurities did the report find?
Not having account lockout mechanisms in place, which stop hackers from repeatedly guessing passwords. That’s why on my websites (which use the WordPress CMS) I now use a plugin called Login Lockdown which locks people out of the login form if they keep entering incorrect passwords.
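The lockout mechanism described above, as an added example written for this page (it is not the Login Lockdown plugin's code, nor WordPress's): failed attempts are counted per account and per source address inside a sliding window, and a key that reaches the limit is locked for a fixed period. The thresholds, the key names and the sample user store are assumptions chosen for illustration.

```python
# Added example: an account lockout tracker of the kind the paragraph above
# describes. Illustrative code written for this page, not the source of the
# Login Lockdown plugin or of WordPress; every threshold and name below is an
# assumption chosen for the example.
import hashlib
import hmac
import os
import time
from collections import deque


class LoginLockout:
    """Count failed logins per key (an account name or a client IP) inside a
    sliding window and lock that key for a fixed period once the limit is hit."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                # injectable so tests can control time
        self._failures = {}               # key -> deque of failure timestamps
        self._locked_until = {}           # key -> time the lock expires

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:         # lock has expired: forget it
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        """Register one failed attempt; return True if this one triggered a lock."""
        now = self.clock()
        attempts = self._failures.setdefault(key, deque())
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()            # drop failures outside the window
        if len(attempts) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            attempts.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def hash_password(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256; a stand-in for a proper password hash such as bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_store(plain_passwords):
    """Constructed sample credential store: username -> (salt, hash)."""
    store = {}
    for user, password in plain_passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


def attempt_login(tracker, users, username, password, client_ip):
    """Return 'locked', 'failed' or 'ok'. Failures count against both the
    account and the source address, so one host spraying many accounts is
    stopped even if no single account reaches its limit."""
    keys = (f"user:{username}", f"ip:{client_ip}")
    if any(tracker.is_locked(k) for k in keys):
        return "locked"
    record = users.get(username)
    if record is not None:
        salt, expected = record
        ok = hmac.compare_digest(hash_password(password, salt), expected)
    else:
        # Unknown user: burn the same hashing cost so response time does not
        # reveal which usernames exist, then treat it as a failure.
        hash_password(password, b"\x00" * 16)
        ok = False
    if ok:
        for k in keys:
            tracker.record_success(k)
        return "ok"
    for k in keys:
        tracker.record_failure(k)
    return "failed"


if __name__ == "__main__":
    users = make_user_store({"admin": "correct horse battery staple"})
    tracker = LoginLockout(max_failures=3, window_seconds=60, lockout_seconds=120)
    for guess in ("charity", "charity1", "ch4rity", "correct horse battery staple"):
        print(guess, "->", attempt_login(tracker, users, "admin", guess, "203.0.113.5"))
```

One caveat worth knowing before switching a lockout on: locking by username alone lets anyone who knows or guesses a username (on WordPress, often "admin" or the author name shown on posts) lock the real owner out. Counting per source address as well, keeping the lock short, and returning the same error for "wrong password" and "locked" are the usual compromises.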
Charities often choose insecure passwords, which increases the chances of unauthorised access to accounts. Too many charities use their organisation’s own name or location as their password, sometimes with a letter replaced by a number. A password that can be guessed from public information about the organisation offers almost no protection, and swapping a letter for a look-alike digit does not help: password-cracking tools apply exactly those substitutions automatically as they work through a wordlist. LASA’s Knowledgebase has advice on choosing secure passwords.
Apparently charity websites tend to be configured weakly when first set up and are then not updated to resist the latest security threats. With WordPress this used to be a big issue because new versions would come out and the web designer had to install them, but these days WordPress and any plugins in use can be updated by the charity itself with a couple of clicks when the dashboard prompts it to do so. A CMS or plugin left on a version with a published vulnerability is one of the easiest targets there is, so those prompts should be acted on promptly rather than ignored.
There are many other ways to make a WordPress website more secure but you can’t assume you’ll never be hacked (it happened to me only last week). That’s one reason that making a regular backup of data is so important: I use a plugin called WP DB Backup which I configure to send me a weekly backup by email.
One last piece of advice: open a free Google Webmaster Tools account. Apart from getting really useful information on how well Google can index your website, you can receive an alert if Google detects that your site has been compromised, and once you’ve fixed the problem you can request that Google reinstates your website in its index.