It is not surprising that church websites are prime targets for hackers. They receive a fair amount of traffic, and are often made by volunteers with limited experience. This dangerous combination makes them an easy mark. Here I will give you some security best practices for your church website.
In May of 2012 Slate Magazine interviewed me, resulting in an article on church websites getting hacked. Hopefully, after writing over 100 articles on church websites and gaining 17 years of experience in the website industry, you do not think I am the bumbling fool the article makes me sound like. However, it does illustrate that these sites are often run by amateurs. You, my loyal reader, may be a one-stop shop for making, designing, and in some cases securing your website. Please be more disciplined than I was and follow these steps to prevent the embarrassment of having your church website hacked.
It is no secret that a website's security is only as strong as its password, so use a mix of upper and lowercase letters, numbers, and symbols. A hacker can use brute force to guess the password of a website and gain entry to its files. This is what happened to me, and the intruder added encrypted malicious code to the beginning of every file. There is no way to stop this from happening entirely, only best practices to help prevent it.
Regular Password Changes
The drawback of this type of brute force attack is that it takes time. Web servers often flag an address that keeps submitting bad passwords. Thus, hackers need to space out their guesses. If you periodically change the password, you will hopefully thwart their attempts to gain access.
Change/Limit Default Accounts
If you use a platform such as WordPress, a typical account name for the administrator might be "admin". Do not do this! Use something that is more substantial and harder to guess. Remember that it takes a login and a password to gain access. If you make both the login name and the password difficult to guess, you greatly increase your chances of staying hacker free.
Schedule Security Scans
There are services that will monitor your website for intrusions, malicious code injections, and suspicious activity. One that I use with my WordPress site is a plugin called WordFence. It has both free and paid tiers of service, and is a must-have in my opinion. Additionally, Google Webmaster Tools will flag your site if it detects malicious software. This is how I discovered the intrusion I endured a few years ago. Google blacklisted the site and my Google Analytics statistics fell to zero. Within a week of restoring my original clean files, I was up and running, which brings me to my last point: backing up files.
Back Up Your Site
I have a free DropBox account to which my WordPress site regularly backs up. Although this is not an enterprise solution, it does solve the problem of restoring any infected files to their original state. If you have WordPress, you can reinstall the core software, but this does not cleanse any infected plugins or themes. Restoring from a backup may be the key to saving you hours of clean up. The plugin I use for this is called WordPress Backup to Dropbox.
When you set up your website maintenance calendar, schedule password resets, software updates, security scans, and backups. It may seem like a lot of extra work, but trust me that you do not want to spend hours cleaning up a code injection. It requires research and often extensive knowledge of the platform you are using for your site. Preventing an intrusion not only saves you time, but also the embarrassment of having your site hacked and exposing your visitors to possible attacks.
Photo courtesy of Marc and Cristina Palmer and Burke