Churches, We Need to Talk About Website Accessibility (and Discrimination)

Open Door to a Church

“Failure to comply with Section 508 of the Department of Justice’s ADA (American with Disabilities Act) Standards for Accessible Design could expose your company to hefty fines, the risk of expensive criminal and civil litigation as well as a reputation for being unfriendly to the disabled.” https://userway.org/

I’m going to make a rant here. Forgive me (or just don’t read if you’re not up for a Sam Rant™).

Cheap website builders really upset me. For a number of reasons.

We’re working on a couple of large church website revisions for clients this week. These are content-heavy sites with numerous pages that are all info-dense with text, video, audio, podcasts, galleries, and just about every measure of content you can imagine. They are both complicated builds with lots of moving parts. So, we are constantly doing checks and QA (quality assurance) tests to make sure everything is working. Building websites of this scale might be sold as an easy thing to do on Super Bowl ads, but they are definitely not easy or “quick” things to do if you want to do them right.

When clients like this want to know what Harrelson Agency does differently that they couldn’t get done if they just used Wix or Squarespace or Weebly or one of the many other “website builder” apps, one of the pitches I make is the care and attention we give to details such as Search Engine Optimization, mobile user experiences, payments and online giving (those percentages really do add up when you start receiving online donations), and security. It’s not that the website builder apps don’t offer those services, but items like SEO or mobile experience and especially website security tend to be the last things that someone volunteering to build your site checks (if at all). Plus, there are just better tools that last longer if you know what you’re doing, which is a cost saver over time. That’s especially true of security in 2018 and 2019.

However, one of the newer pitch items I’ve been including out of my own interests and passion is accessibility. I’ve always been interested in the subject, but that became especially true during my time in the classroom as a teacher. I frequently became frustrated with books or apps or computers or websites that students were forced to use but that were designed with no regard for accessibility or usage issues. Over the last few years running Harrelson Agency and working heavily on website builds and designs with companies, individuals, churches, and nonprofits, I’ve noticed that accessibility definitely takes a back seat to other concerns. That’s ESPECIALLY true with resource-strapped and budget-limited churches and nonprofits.

However, that should not be the case. In my mind (that’s admittedly full of “too much righteous indignation” as a mentor once chided me), churches and nonprofits should be leading the way to make their websites true open doors to the public in a way that does not discriminate against anyone, including those who need usage, visual, or auditory accommodation to participate in that invitation.

  • 1 in 5 Americans experience permanent or temporary usage, auditory, or visual disability
  • 7.6 million Americans are auditory impaired
  • 8.1 million Americans are visually impaired
  • 2.2 million Americans suffer seizures and epilepsy
  • 2 million Americans are blind
  • 19.9 million Americans are motor impaired and cannot use a computer mouse

Technology is most powerful when it empowers everyone.

Apple is one of the most forward thinking and acting tech companies when it comes to raising awareness of accessibility issues for users. It’s one of the reasons I truly love that tools such as iPad are available for students and all people who seek to participate in the global experience that is the world wide web.

https://www.apple.com/accessibility/

Why aren’t churches speaking a similar language instead of forcing everyone to fit through a very narrow door and definition of visitor abilities? We wouldn’t do that in the physical world. It’s time to take the digital world just as seriously and stop passively discriminating because of poor website build decisions.

Take your website’s functionality seriously and allow it to empower and welcome ALL. It’s a matter of mixing philosophy with theology with technical know-how. And the trick is that it won’t even cost you that much, but you’ll gain so much more and perhaps share the love of God with someone who is looking for a real open door.

WordPress Plugin Supply Chain Attacks

These are pretty popular plugins in the SEO world… I imagine lots more of these “supply chain attacks” exist due to older but still popular plugins being sold or leased:

If you have any of these plugins running on your site, we recommend that you remove them immediately and that you make sure that SEO spam hasn’t been injected into your site. Even though one of them, WP No External Links, has been updated to remove the backdoor, it has been closed, so it will never be updated again in the future.

via Three Plugins Backdoored in Supply Chain Attack

Building a website is cheap, but not protecting it is costly.

We use Wordfence as a default on all new WordPress client sites that we create, for good reason. Here’s a scary reminder that while building a website has become quick, easy, and relatively cheap, your company, nonprofit, church, or community group should not take WordPress security for granted with cheap hosting and no one overseeing these sorts of things:

This is the highest volume brute force attack we have seen to date. It may also be using the fresh credentials that were provided in the database released on December 5th, so it may achieve a higher than normal success rate. Please spread the word among the WordPress community to create awareness of this new threat.

via Breaking: Aggressive WordPress Brute Force Attack Campaign Started Today, 3am UTC

Even Hackers Take Summer Vacations

Pretty staggering July stats from Wordfence regarding attempts to log in to WordPress installs with guessed usernames and passwords. People still don’t use secure passwords (or, preferably, a password manager)…

The average number of daily brute force attacks increased 21% from last month, which was up substantially from May. Daily attack volumes were incredibly stable throughout the month, with no big peaks or valleys. It’s almost like the attackers went on vacation and left their malicious bots running on autopilot.

via The July 2017 WordPress Attack Report

Why Your Church or Nonprofit Website Needs Regular Security Updates

One of the items Harrelson Agency itemizes on invoices when building out a new client website (particularly when using WordPress or Drupal) is maintenance and security updates for the year.

It’s not a major cost, but I often receive questions about the charge and whether or not it’s really necessary. That’s particularly the case when dealing with churches, nonprofits, and small businesses who are on tight budgets and looking to save every penny possible (understandably). However, it’s necessary, and I always counsel our clients (of all sizes) to understand what that cost entails and why it’s beneficial in the long run.

Regardless of the amount of traffic your website receives, if your site is self-hosted and using software such as WordPress or Drupal, you have to make sure you or your website manager are doing regular updates of plugins and versions, as well as making sure there is some sort of security software in place to manage firewalls, login attempts, IP attacks, etc.

If you accept online donations or payments via your website, this is especially true. If you host any sort of “member directory” or registration information or personal details of your congregants or customers, this is especially true. That doesn’t depend on the size of your church, nonprofit, or business.

This week, press (and governments) around the world are reeling from the explosive release of the Panama Papers. This is the largest leak of private documents ever, and exposes a number of world leaders and companies and their potentially illegal financial transactions. It happened because of outdated software with known vulnerabilities:

“FORBES discovered the firm ran a three-month old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that, according to Internet records, its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data. Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running anything below version 7.32 within seven hours of its release should have assumed they’d been hacked.

That critical vulnerability may have been open for more than two-and-a-half years on Mossack Fonseca’s site, if it hadn’t been patched at the time without updating website logs. It remains a valid route for hackers to try to get more data from the firm and its customers. On its site, the company claims: “Your information has never been safer than with Mossack Fonseca’s secure Client Portal.” That boast now looks somewhat misguided.”

Source: From Encrypted Drives To Amazon’s Cloud — The Amazing Flight Of The Panama Papers

So yes… in 2016 it certainly matters that you have good passwords and good security on your personal online accounts as well as those of your church or business.

Don’t wait until it’s too late and you have to deal with the ramifications.