A checklist for church website security
A secure website is about more than just keeping hackers from taking over. It helps visitors trust your site more and helps your search rank. Use this checklist, including specific guidance for WordPress users, to make your site more secure.
Look for Security Issues
Even if you implement all security measures, they won’t help if hackers have already gotten in. Some signs to look for:
• Visitors report issues more frequently
• Browsers give visitors a security warning when they try to access it
• The email address connected to your church’s site is suddenly filled with spam
• Google Search Console gives you a warning
• Your hosting company disables your site
• The website itself looks different or you notice content that you didn’t add
• You can’t log in
• Numerous error messages in your error logs
• Files have changed
• Pages of your site redirect somewhere else (usually visitors notice this first)
• Sudden traffic spikes, especially on a page you didn’t actually create
• Traffic decreases
• New users accessing your dashboard
Test Your Church Website
Multiple free tools are available to scan your website for potential problems. This is a great way to uncover malicious files, spam injections, blacklisting of your domain and more. Free website testing tools include Sucuri, Qualys, Quterra, Intruder and UpGuard, to name just a few.
An SSL certificate is vital in helping encrypt data to keep your website secure. While it’s not a foolproof method, it does help. HTTPS is also a ranking factor for Google. Google Search Console (if you have it set up) even warns sites about input boxes on pages that are not served over HTTPS.
Remove Default Admin Account
When you log in for the first time as the site’s administrator, change the username to something other than “admin.” The next step is to create a secure password. Make sure it’s not something you use anywhere else. Otherwise, if one account gets hacked, it puts your entire church website at risk.
Improve User Passwords
If the admin(s), users and visitors aren’t using secure passwords, your site is at risk. The idea is to create passwords that are too difficult (longer, mix of upper/lowercase, symbols, numbers, etc.) for computers to crack.
If you use WordPress, and haven’t updated to the latest version, including the themes and plugins you use, your church website is vulnerable. With so many moving parts, issues can arise sometimes, but reputable developers create new versions of their themes and plugins to work with new WordPress releases.
Use a Security Plug-in
Installing a security plug-in helps reduce the chance of malware and viruses on your church’s site. Some of the top security plug-ins include MalCare, Sucuri, Jetpack, All In One WP Security and Firewall, and Wordfence.
Use Google Search Console and Google Analytics
Google Analytics gives you an overview of your site’s performance. Sudden changes, especially if you haven’t done anything different, could be a sign your church’s site has been hacked. The Google Search Console sends you alerts when something isn’t right.
Work With a Secure Host
When hackers are able to break through a web host’s defenses, they may also be able to access all the sites hosted on the web host’s servers. Choose a reputable web host rather than simply the cheapest one.
WordPress allows you to set a limit on how many failed attempts there are before the account locks. You can then determine the length of time the account is locked or if users need to contact the administrator to have the account unlocked manually.
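To make the three settings in that paragraph concrete (the failure limit, the lock duration, and the manual-unlock option), here is an added example in Python that is not WordPress code or any plugin’s code. It keeps a per-account failure count, locks after a threshold, releases a timed lock automatically, and treats `lock_seconds=None` as “an administrator must unlock it”. The injectable clock and the `demo` credentials are constructed for testing.

```python
import hmac
import time


class LoginLockout:
    """Per-account failed-login counter with timed or manual lockout."""

    def __init__(self, max_failures=5, lock_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds  # None = stays locked until unlock() is called
        self.clock = clock                # injectable so tests can move time forward
        self.failures = {}                # username -> consecutive failures
        self.locked_at = {}               # username -> time the lock started

    def is_locked(self, user):
        if user not in self.locked_at:
            return False
        if self.lock_seconds is None:
            return True                   # manual unlock only
        if self.clock() - self.locked_at[user] >= self.lock_seconds:
            self.unlock(user)             # timed lock has expired
            return False
        return True

    def record_failure(self, user):
        """Count a failure; return True if the account is now locked."""
        if self.is_locked(user):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_at[user] = self.clock()
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)

    def unlock(self, user):
        """What the administrator calls to release a manual lock."""
        self.failures.pop(user, None)
        self.locked_at.pop(user, None)


def attempt_login(lockout, user, password, real_password):
    """Return 'locked', 'ok' or 'denied'.

    The lock is checked before the password so a locked account answers the
    same way whether or not the password is correct (no oracle for guessing).
    """
    if lockout.is_locked(user):
        return "locked"
    # Constant-time comparison stands in for real credential verification here.
    if hmac.compare_digest(password.encode(), real_password.encode()):
        lockout.record_success(user)
        return "ok"
    lockout.record_failure(user)
    return "locked" if lockout.is_locked(user) else "denied"


class FakeClock:
    """Constructed clock so the demo can advance time without sleeping."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    lockout = LoginLockout(max_failures=3, lock_seconds=600, clock=clock)
    secret = "constructed-demo-password"
    results = [attempt_login(lockout, "editor", "wrong", secret) for _ in range(3)]
    results.append(attempt_login(lockout, "editor", secret, secret))  # still locked
    clock.now += 600                                                   # lock expires
    results.append(attempt_login(lockout, "editor", secret, secret))  # now succeeds
    return results


if __name__ == "__main__":
    print(demo())
```

One caveat a plugin author has to handle: a purely per-account lock lets anyone who knows a username keep that user locked out by sending bad passwords, so real implementations usually also count by source address and notify the administrator when locks happen.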
Change Your Login Page
It’s harder for hackers to try to break in if they don’t know your church’s WordPress login page URL. By default, your site’s login is your site’s URL plus /admin, /login or /wp-login.php at the end. However, you can change this. Doing it manually is an advanced technique, but WPS Hide Login does all the heavy lifting for you, and it’s free.
Require Antivirus for All Users
If a user’s computer or device is hacked, the hacker may be able to see all their keystrokes, including their login details to your church’s site. Ask all users logging into the WordPress dashboard to install antivirus software.
Block What Users Can Upload
For visitors, you might prevent any uploads at all and request that they use a site like Gravatar to create an avatar for your church’s site. For users, limit who is able to upload any files or pictures.
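The two restrictions above (who may upload, and what they may upload) are easy to state and easy to get wrong in code. The following is an added example written in Python for illustration; it is not WordPress’s own upload handling or any plugin’s. It checks the uploader’s permission first, then allows only a short list of extensions, rejects double extensions, caps the size, verifies that the file’s leading bytes match its claimed type, and refuses image or PDF files that carry PHP or script tags inside them. The allowlist, size limit and marker strings are constructed assumptions for the demo.

```python
import os

# Constructed allowlist: extension -> leading bytes ("magic numbers") for that type.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
}
MAX_BYTES = 5 * 1024 * 1024            # constructed limit: 5 MiB
CODE_MARKERS = [b"<?php", b"<script"]  # content that has no business in an image or PDF


def check_upload(filename, data, uploader_may_upload):
    """Return (accepted, reason) for a proposed upload.

    Order matters: the cheap permission check comes first, then name checks,
    then size, and only then the content inspection.
    """
    if not uploader_may_upload:
        return False, "user has no upload permission"

    base = os.path.basename(filename)          # strip any directory components
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # Exactly one extension: rejects "name.php.png" style double extensions
        # and bare names such as ".png".
        return False, "filename must have exactly one extension"
    ext = "." + parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext} not allowed"

    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    if any(marker in data for marker in CODE_MARKERS):
        return False, "embedded code found in file"
    return True, "ok"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # constructed PNG header + padding
    samples = [
        ("photo.png", png, True),
        ("photo.png", png, False),
        ("photo.php.png", png, True),
        ("notes.php", b"<?php echo 1;", True),
        ("photo.png", b"<?php echo 1;", True),
        ("photo.png", png + b"<?php echo 1;", True),
    ]
    for name, content, allowed in samples:
        print(name, check_upload(name, content, allowed))
```

Keep the uploads directory itself non-executable at the web-server level as well; the content check is a second line of defense, not a replacement for that.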
Manually dealing with comments might not sound like fun, but many comments contain malicious links. Plus, spam comments just look unprofessional and hurt the conversation.