Having a successful church website takes work, but it’s well worth it to expand your reach. Part of the job is taking care of church website security.
Sadly, it’s not quite as simple as figuring out what to blog about next or making sure your latest sermon uploads correctly. You also have to worry about cybercriminals causing trouble for your church and your site users.
While there isn’t any way to 100% protect a website, you can take certain steps to prevent attacks and hacks. The harder it is to infiltrate your site, the safer you are.
Understand Your Risks
At first, you might think your church’s website is safe. After all, you might just be a small church with a simple site. However, cybercriminals don’t care how big or small your church is or even how many people visit your website.
Your site may very well just be a page of church details, a monthly blog post and a contact form. Yet, hackers see it as an opportunity. Your site can be used as part of a DDoS attack on a larger site (such as Wikipedia), to serve malicious ads, insert malicious links and still credit card data (if your site accepts online tithes).
For some hackers, it’s just practice. Others may just want to steal usernames and passwords of anyone who manages your website. A single username/password combo could be enough to lead to identity theft if someone uses the same password for everything.
The truth is every website, including your church’s site, is a potential target. Since cybercriminals can use the smallest details to wreak havoc, it’s always better to be safe than sorry. After all, you wouldn’t leave your front door unlocked when you’re not home. Why leave your website open?
Change All Default Passwords
The first step to mastering church website security is changing all default passwords. Whether you’re setting up your site yourself or having it professionally done, there is usually a default administrator account. During the setup process, a few other accounts were probably set up as well.
Before you do anything else, change all those default passwords. Ideally, change the account names too. Something as simple as “admin” is far too easy to guess. Plus, if you left the name alone, hackers may realize you left the password alone too.
Use strong, unique passwords for every single account you set up to use on your church’s site. Avoid allowing multiple people to use the same account. If something does happen to go wrong, it’ll be easier to trace if every user has their own account.
Require Secure Passwords For Site Admins
Your church website admins should set up their own passwords so they’re easy to remember. However, passwords are a major line of defense. If your admins are using something like “pass1234” or “mypassword@church,” hackers will get in fairly easily.
Instead, set up password requirements. Any time an admin sets up an account or wants to change their password, they must meet those requirements or your site won’t accept them.
Some ideas for creating better passwords include:
- Longer is better
- Use a combo of letters, numbers and symbols
- Don’t use actual words
- Avoid common phrases
- Use a unique password (if another site gets hacked, it makes your site vulnerable if people reuse passwords)
You can also check out how secure a password is by using sites like How Secure Is My Password and HowSecureIsMyPassword.net. Try not to enter your exact password, but something similar to give you an idea of how strong it is.
Require Secure Passwords For Site Users
The same rules about passwords should apply to general site users. Remember, your church website security is only as strong as the weakest user. If a church member signs up to post on your forums or access a members-only section, but uses a bad password, your entire site could be at risk.
Set up the same requirements for site users and admins to lock down your site as much as possible, at least as far as accounts are concerned.
Limit Access To The Backend
How many people really need to access the backend of your church’s site? You may have dozens of people who are currently logging in to do different things. However, the more people with accounts, the more potential access points for cybercriminals.
Instead, limit access to your site’s backend. Only grant access to those you actually need it. Every staff member won’t need access. You can also restrict privileges so no one is off creating new accounts or changing security settings.
At first, some people might be offended, but remind them that that’s just fewer responsibilities for them to deal with. Assign them a new task to ensure they don’t feel like you don’t need their help.
Remove Access When Someone Leaves
When any church staff members or volunteers move on, remove their access to your site. Often, the biggest church website security issues stem from old users. Their passwords never get updated and if they left angry, they might try to cause trouble.
While hopefully that wouldn’t be an issue for your church, it’s always better to delete their account when they leave. Don’t just let someone else take over their account either.
Instead, create a brand new account for anyone who takes over the responsibilities. This makes it far easier to keep track of who is doing what in the backend of your website.
Avoid File Uploads
Obviously, you’ll be uploading files to your church website. However, it’s a good idea to restrict general website users from uploading files to your site. For instance, you might go through Gravatar for users to create avatars for their accounts versus uploading directly to your website.
Malicious files are all too common. All it takes is for a user’s computer or phone to be infected with malware to infect your entire website. By restricting file uploads to only admins, you reduce your risk.
Please use anti-virus software on all devices used to manage your site. This is one of the simplest church website security precautions. After all, if your device is safe, the files you’re uploading are safe too.
Evaluate Your Web Host’s Security
So far, we’ve talked mainly about what to do on your end. However, your web host is also a major part of maintaining your church website security.
No matter what you do on your end, your site isn’t secure if your web host doesn’t take precautions as well. A few things to consider include:
- Does the web host use a firewall?
- Is there any encryption?
- If it’s a shared hosting platform, how many other sites use the same server? The more sites using the server, the bigger chance for security flaws.
- How often are security, operating system and software updates installed? Depending on your host, some of these updates may be your responsibility.
- Does the host have any anti-virus solution in place?
- Are any anti-spam protections in place? Once again, this may also be your responsibility to reduce malicious spam in your site’s blog comments.
The better security your web host has, the more secure your site will be. In regards to shared hosting, this isn’t a bad thing. However, choosing a shared host that puts security first will keep you safer. If you’re worried about other sites making your site vulnerable, choose a different hosting option.
Keep Your Site Platform Updated
Much like an operating system or an app, you have to install updates to your site platform. This is especially true with CMS-based platforms, such as WordPress and Drupal.
As vulnerabilities are found and new features are released, platforms release new updates. It’s important to update as soon as possible to keep your church’s website more secure. Plus, you get new features to play around with.
Another point to consider is if you use plugins or any third-party extensions and software, you may have to update your platform in order to keep everything running smoothly.
One important note – always back up your site fully before you update. Though it happens rarely, updates can backfire. If you have a recent backup, you’re back online quickly versus having to manually fix your site.
Keep All Plugins And Software Updated
Sadly, far too many websites are compromised due to an outdated plugin. Since these give your site additional functionality, they’re popular and necessary. However, they shouldn’t make your website vulnerable.
Boost your church website security by keeping all your plugins and software up to date as well. You should also remove any plugins and software that you’re no longer using from your site to avoid any issues.
It’s important to note that sometimes it may take a few months or more before developers release updates after a platform update is released. This is because they have to make changes based on the new code of the platform update.
It’s a good idea to check for updates every few weeks at least. After a major platform update, check weekly or subscribe to the developers’ newsletters to get updated when anything new is released.
Run And Test Backups Regularly
When was the last time you backed up your church website? If you can’t remember, then it’s time to create a backup plan immediately!
Sadly, far too many churches lose all their hard work when the worst does happen. It could be as simple as an admin accidentally deletes a few blog posts permanently or as terrible as ransomware holding your site hostage.
In either event, having a recent backup on hand means you don’t have anything to worry about. You simply switch to the backup and you’re all set. But, this means you need a recent backup. Even more importantly, you need a backup that works.
First of all, be prepared for church website security issues by backing up your site at least twice a month and before any major changes. If you blog regularly, weekly backups are ideal.
Sometimes, backups don’t quite go as planned. Perhaps someone didn’t set them up correctly or a file got corrupted on an old backup drive. The lesson is to always test backups. You can do this once a month or every few months by ensuring the files are accessible and still work.
Also, consider cloud backups to prevent corrupt files on old drives. You could also do two backups – one cloud and one local.
Implement HTTPS
If you’ve ever shopped online, you’ve seen HTTPS pop up in the address bar. However, do you use it for your church website? HTTPS is a universal sign that the site you’re using is protecting your information via encryption.
You can view more about the site by clicking the browser symbol beside the HTTPS. From here, you’ll see details about their SSL certificate. A valid SSL certificate makes your site visitors feel safer about sharing information you one website.
So how does this affect church website security? This security measure is more about your users than your actual website. It also has an effect on your church’s reputation and search engine rank.
You should use an SSL certificate for your entire site. This helps encrypt data for everything from blog comments to user login details. Protecting your users makes them feel more comfortable on your site, which improves your church’s reputation online.
Google has also included HTTPS as a ranking factor. Every little boost helps your site get noticed easier.
Hire A Website Maintenance Company
With so many frightening cybersecurity issues happening every day, you have to make church website security a priority. However, it can be daunting to try and do this all on your own.
Prevent all the headaches by hiring a website maintenance service. For a small monthly fee, they can handle all the updates and security aspects. This includes handling backups. Of course, you’ll still be responsible for password security. However, you’ll have far less responsibility to take care so you can focus on ministry.
Great church website security starts with a professional website. Contact us today to find out how we can help you create a secure site for your church and your users.
About The Author
