Why Your Church or Nonprofit Website Needs Regular Security Updates


One of the items Harrelson Agency itemizes on invoices when building out a new client website (particularly when using WordPress or Drupal) is maintenance and security updates for the year.

It’s not a major cost, but I often receive questions about the charge and whether or not it’s really necessary. That’s particularly the case when dealing with churches, nonprofits, and small businesses that are on tight budgets and, understandably, looking to save every penny possible. However, it’s necessary, and I always counsel our clients (of all sizes) to understand what that cost entails and why it’s beneficial in the long run.

Regardless of the amount of traffic your website receives, if your site is self-hosted and uses software such as WordPress or Drupal, you or your website manager have to keep plugins and core versions regularly updated, and make sure some sort of security software is in place to manage firewalls, login attempts, IP attacks, etc.

If you accept online donations or payments via your website, this is especially true. If you host any sort of “member directory,” registration information, or personal details of your congregants or customers, this is especially true. That holds regardless of the size of your church, nonprofit, or business.

This week, press (and governments) around the world are reeling from the explosive release of the Panama Papers. This is the largest leak of private documents ever, and exposes a number of world leaders and companies and their potentially illegal financial transactions. It happened because of outdated software with known vulnerabilities:

“FORBES discovered the firm ran a three-month old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that, according to Internet records, its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data. Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running anything below version 7.32 within seven hours of its release should have assumed they’d been hacked.

That critical vulnerability may have been open for more than two-and-a-half years on Mossack Fonseca’s site, if it hadn’t been patched at the time without updating website logs. It remains a valid route for hackers to try to get more data from the firm and its customers. On its site, the company claims: “Your information has never been safer than with Mossack Fonseca’s secure Client Portal.” That boast now looks somewhat misguided.”

Source: From Encrypted Drives To Amazon’s Cloud — The Amazing Flight Of The Panama Papers

So yes… in 2016 it certainly matters that you have good passwords and good security on your personal online accounts as well as those of your church or business.

Don’t wait until it’s too late and you have to deal with the ramifications.