Church Website Security Basics (Newsletter 3-12)

Matt Adams

You spent good time and money building a site for your church. You convinced the leadership a new website was the right move and a good investment. And now here you are, staring at security warnings, or worse, a hacked website.

But you can remedy the situation, if not avoid it altogether. Learn how with some church website security basics.

Good Security Starts With People Processes
When it comes to home security, you lock the doors and close the windows. It’s a no-brainer. I’m not sure what happens with site security, but I’m constantly surprised by how many people fail to lock their website’s “doors.”

Super Basic Starting Checklist
• Set secure passwords for CMS admin systems.
• Don’t use “admin” as a username.
• Save your password securely. No, not in a Google Doc. Try 1Password.
• Use secure usernames and passwords for the FTP.
• In general, limit access and never share usernames and passwords.
• When someone leaves the church, remove their access privileges immediately. Just be careful—deleting the user can sometimes delete their content, too.

Good Security Continues With Secure Webhosting
The cheaper the hosting, the more likely it is you’re sharing a server with hundreds, if not thousands, of other accounts. What does that translate to? Well, the more accounts per server, the more load and demand it has to bear, including issues like downed websites, slow load times, and odd errors. The situation’s kind of like roommates hogging the Wi-Fi except you don’t know who the roommates are, what they’re doing, or why they’re there.

Now, it’s not all bad. No matter whom you choose as a webhost provider, you’re going to be sharing the webhosting with other people. Just be aware that all resources come at a cost. To make sure the costs aren’t too high—crashed servers, slow sites at peak times, etc.—ask the following three questions.

What to Look for in Shared Hosting
• What are the policies in place for resource hogs? Data caps? Quality of service settings? Service level agreements?
• What preventative measures are in place for malware? Firewalls? Antivirus?
• How many accounts, on average, share a server? One hundred is okay, 1,000 is not.

Good Security Requires Staying Secure, All the Time
Updates, updates, updates. Did I say updates? The number one way sites get hacked is through out-of-date plugins and content management systems (CMS). ALWAYS accept the updates when they become available.

Best Practices for Updating Your Site
• Talk to your developer about running updates for the first time.
• Regularly back up your data to the cloud or an external server.
• Keep the latest copy of the site handy.
• Run the update for the plugins and the CMS core.
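
The routine in the list above, sketched as a shell script for a WordPress site managed with WP-CLI: it takes a backup first and refuses to update if the backup is missing or empty. This is an added example, not part of the original article; the `wp` command-line tool being installed, the function names and the paths are assumptions.

```shell
#!/bin/sh
# Added example: back up first, then update plugins and the CMS core.
# Assumptions (not from the article): a WordPress site, WP-CLI installed
# as `wp`, and caller-supplied paths. Keep BACKUP_DIR outside the web
# root so the backup files cannot be downloaded from the site.

# backup_site SITE_DIR BACKUP_DIR -> prints the backup stamp, non-zero on failure
backup_site() {
    site=$1; dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest" || return 1
    # Database dump; stop here if it is missing or empty.
    wp db export "$dest/db-$stamp.sql" --path="$site" >/dev/null || return 1
    [ -s "$dest/db-$stamp.sql" ] || return 1
    # Site files (themes, plugins, uploads) as a compressed archive.
    tar -czf "$dest/files-$stamp.tar.gz" -C "$site" . || return 1
    echo "$stamp"
}

# update_site SITE_DIR BACKUP_DIR -> runs updates only after a good backup
update_site() {
    site=$1; dest=$2
    stamp=$(backup_site "$site" "$dest") || {
        echo "backup failed, not updating" >&2
        return 1
    }
    echo "backup $stamp saved in $dest"
    wp plugin update --all --path="$site" || return 1
    wp core update --path="$site" || return 1
    # Apply any database changes the new core version needs.
    wp core update-db --path="$site" || return 1
}

# Run only when called as: sh update-site.sh --run /path/to/site /path/to/backups
if [ "${1:-}" = "--run" ]; then
    update_site "$2" "$3"
fi
```

After a successful run, copy the two backup files to the cloud or an external server, as the list recommends.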

If your developer says the site will break if you run an update, you need a new developer. Sorry, but critical system updates should never break your site.

I once found a site I coded eight years ago. I’d never updated it, but when I did, all remained well. When developers use the tools the right way, things stay fine. It’s when they use the tools incorrectly or use the wrong tool for a particular task that sites get into trouble.

Good Security Relies on End-to-End Protection
Keeping things updated is good, but active monitoring and end-to-end protection are better, especially in the church context. Geo-political groups, for whatever reason, commonly target church websites. The place where I work, factor1, has 10 years of experience in developing and hosting over 200 sites. In that time, we’ve seen more attacks on church sites than on any other type of website.

Recommendations for Protecting Your Site
• If you use WordPress, install the iThemes Security plugin. It combines with BackupBuddy, making it easy to back up your site’s data.
• If you aren’t on WordPress, Sucuri provides a good system. It covers WordPress, Joomla, Drupal, and .NET systems.
• If you fear botnet DDoS attacks, Cloudflare offers a firewall that allows humans in but keeps bots out.

If you use the practices outlined above, I can say with 99% certainty you should be fine. Using a trusted webhost provider, backing up data, updating your site, employing firewalls, and following security best practices will keep your site running smoothly, Sunday in, and Sunday out.

________________________________________
Matt Adams is a full-time web designer for factor1, a digital creative agency located in Tempe, Ariz. He and his wife have twin boys and spend more hours cycling than most sane people can imagine.

The above article, “Church Website Security Basics,” was written by Matt Adams. The article was excerpted from the www.churchmarketing.com website. August 2017.

The material is copyrighted and should not be reprinted under any other name or author. However, this material may be freely used for personal study or research purposes.

This article may not be written by an Apostolic author, but it contains many excellent principles and concepts that can be adapted to most churches. As the old saying goes, “Eat the meat. Throw away the bones.”