A secure website is about more than just keeping hackers from taking over. It helps visitors trust your site more and helps your search rank.
But, it’s not always obvious if your church website’s secure or not. That’s why it’s important to check regularly for any security issues.
Use the checklist below to see how your church’s site stacks up. And then, take action to make it more secure if necessary.
Signs of Security Issues
The first step to a secure website is ensuring you don’t currently have any security issues. Even if you implement all the security measures listed in this post, they won’t help if hackers have already gotten in.
Much like with a personal computer or a mobile device, the signs aren’t always obvious, though some are. For instance, sudden site performance issues that can’t be attributed to your host or a site upgrade may indicate your site’s being used by hackers for other purposes, resulting in poor performance for your actual visitors.
Some of the top signs to look for include:
- Visitors report issues more frequently
- Browsers give visitors a security warning when they try to access it (check out your site at least every few days to see if you get an error message)
- The email address connected to your church’s site is suddenly filled with spam, at least far more than usual
- Google Search Console gives you a warning (if enabled – more on that later in the post)
- Your hosting company disables your site
- The website itself looks different or you notice content that you didn’t add
- You can’t log in (if visitors start reporting login issues to a password-protected area of your site, this is a sign too)
- Numerous error messages in your error logs
- You notice files have changed
- Pages of your site redirect somewhere else (usually visitors notice this first)
- Sudden traffic spikes, especially on a page you didn’t actually create
- Traffic decreases (performance issues and security warnings drive visitors away)
- New users accessing your dashboard (check your site’s activity logs for unusual users or unusual user activity from a known account)
Something as simple as logging in to your website’s dashboard and checking for any changes that weren’t approved is a great way to catch malicious code and files before the worst happens. Check your site every few days at least for potential signs your church’s site has been compromised.
If you find any issues, you may need to temporarily take the site offline to fix the problems. Restoring from a backup taken before the attack and then locking down the entry point the attacker used is one of the easiest methods.
Testing Your Church Website
Unless you’re a security expert, you’re not going to catch everything yourself. Even then, it’s still easy to miss things. Hackers are good at what they do, even if what they do isn’t necessarily good.
The good thing is there are multiple free tools to scan your website for potential problems. This is a great way to uncover malicious files and spam injections, see if your site’s been blacklisted, and more.
Some providers only offer a free trial, but it’s a good way to check your site’s security quickly. You can also subscribe to providers for more in-depth checks and regular security checks. Geekflare lists some of the best free tools to test your church’s website security.
Back in 2017, we talked about why your church needs an SSL certificate. It’s vital in helping encrypt data to keep your website secure. While it’s not a fool-proof method, it does help. Plus, when users see the HTTPS, they feel safer when it comes to online tithing, logging in, signing up for things and anything else that requires them to enter personal data.
It’s also important to remember that HTTPS is a ranking factor for Google. The Google Search Console is even warning sites (if you have it implemented) about any unsecured input boxes on your site.
While it’s not a major ranking factor, it has been confirmed to be a lightweight ranking factor. So, you get a more secure website and help optimizing your site at the same time. It’s a win all around.
Remove Default Admin Account
Are you still logging into your church’s WordPress dashboard with “admin” as the user name and the default password? If so, you’re putting your site and its visitors at major risk. Hackers love it and it makes their job so much easier.
The first thing to do when you log in for the first time as the site’s administrator is change the admin account. Change the username to something other than “admin.” This can be your email or another username.
Of course, the next step is to create a secure password. Using something obvious gives hackers an easy way in. Make sure it’s not something you use anywhere else. Otherwise, if one account gets hacked, it puts your entire church website at risk.
Improve User Passwords
Passwords are critical to securing your church’s website. If the admin(s), users and visitors aren’t using secure passwords, you put your site at risk of brute force attacks. The idea is to create passwords that are too difficult for computers to crack in your lifetime.
Mental Floss and CNET offer several tips for more secure passwords, which you can turn into requirements on your church’s site:
- Longer is better
- Use a mix of upper/lowercase, symbols and numbers
- Skip personal information, such as names and dates
- Don’t recycle passwords
- Use passphrases instead of passwords
Passphrases might sound less secure, but experts are discovering that they may be more secure, while being easier to remember. The key is to use four random words versus an actual quote or known phrase, such as using “today i live four” versus “live for the day.”
You can make passphrases more secure by adding spaces or symbols between the words. Also, misspell a word or use a made up word your kid might have used when they couldn’t pronounce another word.
To avoid password fatigue, don’t require anyone on your site to change their passwords unless you suspect a breach. The 60-90 day rule just causes less secure passwords.
Remember, implement strong password requirements for anyone logging into your WordPress dashboard and website.
Outside of passwords, outdated plugins, themes and WordPress core software are all popular entry points for hackers. If you haven’t updated to the latest versions of WordPress and the themes and plugins you use, your church website is vulnerable.
The reason many site owners don’t update when they should is updating doesn’t always go smoothly. For instance, your theme might not work correctly or your favorite plugin fails when you update to the latest version of WordPress. With so many moving parts, there are issues sometimes, but reputable developers create new versions of their themes and plugins to work with new WordPress releases.
Plus, it’s better to have temporary issues than have your church’s website hacked. After all, that could result in fewer new visitors to your church and a decrease in your online community.
Many hacks come from this simple website maintenance mistake. To give you an idea of just how important updating your site’s core elements really is, look at all the security fixes WordPress has released.
All it takes is a single vulnerability in an older version to leave your church’s site exposed. The same is true for plugins and themes.
Use A Security Plugin
Viruses and malware have the power to destroy all your church has worked for online. Your site could get banned from Google and visitors who may have been affected spread the word that your site can’t be trusted. Unless you’re a major brand, it’s hard to bounce back from this.
Installing a security plugin helps reduce the chance of malware and viruses on your church’s site. These work much like antivirus for your computer. Installing and using a plugin is an incredibly simple, yet effective way to create a more secure website.
Some of the top security plugins include:
Use Google Search Console And Google Analytics
Google Search Console and Google Analytics are both free and provide your church’s website with security warnings when something’s wrong. While these tools won’t prevent security issues, they will help you uncover many potential issues early before things get too bad.
Google Analytics gives you an overview of your site’s performance. Sudden changes, especially if you haven’t done anything different, could be a sign your church’s site has been hacked.
The Google Search Console, once Google Webmaster Tools, sends you alerts when something isn’t right. If a page or your entire site is being blocked by browsers as a threat, you’ll be alerted. This takes some of the pressure off you to constantly monitor everything by letting a free tool help out instead.
Work With A Secure Host
If your church’s web host doesn’t put security first, all your own security measures might not be enough. When hackers are able to break through a web host’s defenses, they may also be able to access all the sites hosted on the web host’s servers.
Choose a reputable web host, versus just the cheapest. Not only does this immediately help with security, but it improves your site’s up time and performance.
Brute force attacks are all too common. This is when hackers try to break in using one password after another. However, if you limit failed login attempts, this drastically slows down the process. Plus, if a user reports being locked out of their account without having tried to log in more than once, you know someone was trying to break in.
WordPress allows you to set a limit on how many failed attempts there are before the account locks. You can then determine the length of time the account’s locked or if they need to contact the administrator to have the account unlocked manually.
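To make the lockout behaviour described above concrete, here is an added example (not code from the original post or from WordPress or any plugin) that models the policy: a failure counter per account, a lock that either expires after a set time or waits for an administrator, and a small replay showing how few guesses actually get evaluated. The threshold and durations are assumed values.

```python
"""Added example: a model of a failed-login lockout policy (not WordPress code)."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int = 5           # assumed: failures allowed before the lock engages
    lock_seconds: float = 15 * 60   # assumed: how long an automatic lock lasts
    manual_unlock: bool = False     # True: stay locked until an administrator unlocks
    _failures: dict = field(default_factory=dict)      # user -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # user -> unlock time (inf = manual)

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if until == float("inf") or now < until:
            return True
        # Automatic lock has expired: clear it and the failure counter.
        del self._locked_until[user]
        self._failures.pop(user, None)
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failed login; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.max_failures:
            self._locked_until[user] = float("inf") if self.manual_unlock else now + self.lock_seconds
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password resets the counter, but is refused while locked."""
        if self.is_locked(user, now):
            return False
        self._failures.pop(user, None)
        return True

    def admin_unlock(self, user: str) -> None:
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


def simulate_guessing(policy: LockoutPolicy, user: str, guesses: list, seconds_between: float = 1.0) -> int:
    """Replay a list of wrong guesses (constructed input) one per interval; returns
    how many were actually evaluated before the lock shut the rest out."""
    checked = 0
    for i, _ in enumerate(guesses):
        now = i * seconds_between
        if policy.is_locked(user, now):
            continue
        checked += 1
        policy.record_failure(user, now)
    return checked
```

With the defaults, 1000 wrong guesses at one per second get only 10 evaluated, because each batch of five triggers a 15-minute lock; the second lockout a legitimate user notices without having typed anything is the tell-tale sign mentioned above.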
Change Your Login Page
It’s harder for hackers to try to break in if they don’t know your church’s WordPress login page URL. By default, your site’s login is your site’s URL plus /admin, /login or /wp-login.php at the end. Anyone wanting to try to hack the admin login would know to go to one of these pages.
However, you can change this. Doing it manually is an advanced technique, but WPS Hide Login does all the heavy lifting for you and it’s free. The same developer also makes a plugin to limit login attempts.
Require Antivirus For All Users
While you can’t do much about visitors to your website or any visitors who create accounts on your site (if that’s a feature on your site), you can ask all users (those logging into the WordPress dashboard) to install antivirus.
If a user’s computer or device is hacked, the hacker may be able to see all their keystrokes, including their login details to your church’s site. Create a more secure website just by requiring all users to keep an active antivirus tool on their devices. You can suggest a universal free option if necessary.
Block What Users Can Upload
Pictures and documents aren’t always what they appear to be. It’s a good idea to limit what users and visitors can upload. For visitors, you might prevent any uploads at all and request that they use a site like Gravatar to create an avatar for your church’s site. You can connect to Gravatar to pull in profile pictures.
For users, limit who is able to upload any files or pictures. VirusTotal allows you to scan files and URLs (where a file may be downloaded from) to check for anything malicious. It’s not a fool-proof method, but it helps.
You can also limit images for your site and blog posts to specific trusted sites and those you’ve taken yourself.
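Because "pictures aren’t always what they appear to be", a server-side check should look at the file’s bytes, not just its name. This added example (not from the original post or WordPress) accepts an upload only when it has a single allowed image extension and its leading bytes match that format; the allowlist and the sample uploads are constructed for the demonstration.

```python
"""Added example: validate an uploaded "image" by magic bytes, not by file name."""
import os

# Assumed allowlist: leading byte signatures of the image formats we accept.
SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}


def check_upload(filename: str, data: bytes) -> tuple:
    """Return (allowed, reason). Rejects unknown extensions, names with more than
    one extension (e.g. photo.php.jpg), and content that does not match the
    claimed format."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "file name must have exactly one extension"
    ext = "." + parts[1]
    if ext not in SIGNATURES:
        return False, f"extension {ext} is not an allowed image type"
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, f"content does not look like a {ext} image"
    return True, "ok"


# Constructed sample uploads: name -> first bytes of the file.
SAMPLE_UPLOADS = {
    "banner.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,   # genuine PNG header
    "photo.JPG": b"\xff\xd8\xff\xe0" + b"\x00" * 16,     # genuine JPEG header, odd case
    "notes.pdf": b"%PDF-1.4" + b"\x00" * 16,             # not an image type at all
    "script.php.jpg": b"\xff\xd8\xff\xe0",               # double extension
    "fake.png": b"GIF89a" + b"\x00" * 16,                # GIF bytes behind a .png name
}


def triage(uploads: dict) -> dict:
    """Run check_upload over a batch; returns name -> allowed flag."""
    return {name: check_upload(name, data)[0] for name, data in uploads.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS.items():
        print(name, check_upload(name, data))
```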
The last step is to monitor your comments. Manually dealing with comments might not sound like fun, but many comments contain malicious links. Plus, spam comments just look unprofessional and hurt the conversation.
A few ways to deal with malicious and spam comments are to require users to register before leaving a comment and use an anti-spam plugin. Akismet Anti-Spam is one of the most popular available.
Reach Right Studios helps your church start off right and make great first impressions. Between a great site and a secure website, you’re able to increase engagement and spur growth. Learn more about our web design services today.