Website security used to lull people to sleep until major web vulnerabilities started to become more widespread. Cloudbleed bug shook the internet last week as headline after headline alerted people to change their online passwords. We’re not going into an exhaustive examination of Cloudbleed, but we going to take this opportunity to reiterate the need for nonprofits to take their website security seriously.

We’ve officially entered a new digital era and hacking has become ubiquitous. Gone are the days when only popular websites with millions of users were the targets. Every website is now a target and that includes your nonprofit website. And as your nonprofit continues to build a strong online presence and connect with more donors and more volunteers, it’s even more imperative to protect confidential information such as financial information.


Seriously, don’t use passwords such as ‘password’ or your dog’s name or your birth date. Hackers will immediately use public information to crack your website security. At the very least your passwords should be using a combination of letter, numbers and special characters and be 7 characters long, at a minimum. For the strongest passwords, use this free password generator tool that randomly creates a password using criteria you set.

2-step Verification

2-step verification adds a, you guessed it, a second step in the logging in process. The most common method hackers use to gain access to There are countless apps that provide 2-step verification, including Google’s app.your online accounts is by discovering your password, either by guessing easy passwords or by more nefarious means such as ‘phishing.’ By requiring an added layer of security, your password isn’t your last and only line of defense. As Google aptly describes it, ‘think of this like withdrawing money from an ATM/cash machine: You need both your PIN and your debit card. There are countless apps that provide 2-step verification, including Google’s app.

Search Console

Most nonprofits have Google analytics installed on their websites to monitor website traffic. However, a lesser known tool is Search Console. This platform provides even greater insights into your website’s performance. Search Console provides settings for search appearance, search traffic, Google index, crawl rates and even security messages. From Search Console, nonprofit website administrators can see if their websites have been compromised.


With WordPress content management system running nearly 25% of the world’s websites and other commercial website platforms accounting for millions more, hackers know exactly how to get to your login screen. If you can mask or hide the login page to your website, hackers will have a much more difficult time cracking the vault. There’s a few plugins available, including this one with over 100,000 installs and was updated about two months ago.


SSL Certificate

SSL Certificates are what change your web browsers address bar green with a lock icon or even the word ‘Secure.’ A website is considered secure when the information that is passing between the website and browser is encrypted. Even if a hacker is able to steal data from your website, they won’t be able to do much with it because it the information will be under a proverbial lock and key. Most domain registrars offer SSL certificates for as low as $50 annually.

SSL Certificates are what change your web browsers address bar green with a lock icon or even the word ‘Secure.’


Nonprofits must start taking their website and their online account security seriously in this brave new world. And nonprofits that are growth-oriented and have invested in their digital presence and online giving would be wise to protect their investment with the simple security measures listed above.