Website security tips for non-profits and civil society organizations

Nathaly Espitia
Patricia Musomba

This post is part of our ongoing Community Call Series under the Cybersecurity Assessment Tool (CAT) project, where we bring together civil society organizations, nonprofits, and human rights defenders to strengthen digital resilience. During our call back in September, we covered website security for non-profits.

But why is this important? In today’s world, as we try to move beyond algorithmic logic, preserve our memory independently and strengthen trust with our communities, securing our website is essential. We must protect the data of visitors, donors, and team members who pass through our website. If the site becomes unavailable, the community can lose access to information they need to make informed decisions. Finally, recovering from a cyberattack can also drain critical resources from our NGO.

CAT community members attending the call also learned how to recognize signs of compromise, and how tools such as GitHub and Project Galileo can support version control and defense against Distributed Denial of Service (DDoS) attacks.

Below is a summary of some of the website security recommendations covered during the call.

  • 3-2-1 Backup Rule to prevent data loss
  • Enable HTTPS to protect data transmitted between a user’s browser and your website 
  • Update Everything — Content Management System (CMS), plugins, and themes
  • Remove unused or deactivated plugins/themes
  • Limit Login Attempts to protect against brute-force attacks (e.g., Wordfence)
  • Secure your domain registrar account
  • Run regular vulnerability scans or pentests to discover and fix vulnerabilities

Let’s start with the topic that is probably most familiar to you: the HTTPS protocol. Securing site traffic prevents interception of sensitive data, so start by enabling HTTPS.

HTTPS protocol

HTTPS is the protocol that allows your website and its server to communicate securely through encryption. It ensures that sensitive data—such as usernames and passwords—can’t be easily intercepted or read by attackers. Websites without HTTPS are flagged as “not secure” by browsers, which can erode user trust and even harm search rankings, as search engine platforms like Google prioritize secure websites. 

Once traffic is encrypted, the next step is to keep software current: updates close known attack paths, so applying them regularly is essential. The next section has some tips.

Update software

One of the biggest infrastructure risks highlighted was the use of outdated software. Over 34,000 plugins no longer receive updates. Organizations unknowingly depend on these vulnerable tools, leaving their websites exposed to potential threats. 

Security scans frequently reveal outdated plugins, themes, WordPress versions, and even unsupported PHP or server software. A recent example involved a critical vulnerability in the GiveWP plugin, widely used by nonprofits for online donations. Many sites failed to install the patched version, leaving them exposed to potential takeovers.

Backup and recovery

Since breaches happen, reliable backups let you restore service quickly. A good tip is to follow the 3-2-1 rule: keep three copies of your website on two different storage types, with one stored off-site. For example, you might back up your WordPress site using a plugin connected to Google Drive while also keeping a local copy on your computer or an external hard drive. Tools like UpdraftPlus make this process simple and even offer free options.

For organizations using static websites, platforms such as GitHub are excellent for version control and backup management. Most importantly, remember to test your backups regularly to ensure you can quickly restore your site after an incident.
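As an added example (our own code, not part of the original post, UpdraftPlus or GitHub), here is a Python sketch of the 3-2-1 rule together with the restore test the paragraph above insists on: one archive on the server, one copy on an external drive and one in a folder synced off-site. The copy locations, the stand-in folder for Google Drive and the assumption that a database dump has already been exported into the site directory are all assumptions.

```python
import hashlib, shutil, tarfile, tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large media folders do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_hashes(root):
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}

def backup_321(site_dir, destinations):
    """Archive the site (DB dump assumed already exported into site_dir), record its
    checksum and copy both to every destination: the 3-2-1 rule wants three copies on
    two media with one off-site, e.g. server, external drive, cloud folder (assumed paths)."""
    destinations[0].mkdir(parents=True, exist_ok=True)
    archive = destinations[0] / "site.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=".")
    Path(f"{archive}.sha256").write_text(sha256_of(archive))
    for dest in destinations[1:]:
        dest.mkdir(parents=True, exist_ok=True)
        shutil.copy2(archive, dest)
        shutil.copy2(f"{archive}.sha256", dest)
    return [dest / archive.name for dest in destinations]

def restore_test(copy, site_dir):
    """A backup only counts once it restores: the checksum must match and a scratch
    extraction must reproduce every live file byte for byte."""
    if sha256_of(copy) != Path(f"{copy}.sha256").read_text().strip():
        return False
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(copy) as tar:
            tar.extractall(scratch, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
        return tree_hashes(Path(scratch)) == tree_hashes(site_dir)

def run_demo():
    """Constructed sample: a tiny WordPress-like tree, three copies, one copy truncated."""
    base = Path(tempfile.mkdtemp())
    site = base / "public_html"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');")
    (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG sample bytes")
    (site / "db.sql").write_text("-- constructed dump\nCREATE TABLE wp_posts (id INT);")
    copies = backup_321(site, [base / "server", base / "external_drive", base / "cloud_sync"])
    copies[1].write_bytes(copies[1].read_bytes()[:-16])  # simulate a corrupted copy
    return {c.parent.name: restore_test(c, site) for c in copies}
```

The demo deliberately damages the external-drive copy, so the restore test reports it unusable while the other two copies pass; that is the difference between having a backup and having a verified one.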

Supply chain attacks

Now that you have backups, let’s make sure we are not over-reliant on someone else’s software. Beyond your own plugins, threats can come through third-party components; these are supply chain risks. Backups protect your own data; supply chain vigilance protects the tools you depend on.

Another growing concern discussed was supply chain attacks—a tactic where attackers compromise widely used plugins or software dependencies to target users at scale. Many digital services rely on open-source components maintained by small teams or individuals, making them vulnerable if those dependencies are compromised.

Recent examples include attackers posing as legitimate maintainers of abandoned WordPress plugins or injecting malicious code into popular npm packages. These attacks can spread rapidly across multiple sites and platforms. The key takeaway: always verify that your plugins and updates come from trusted, active developers and maintain strict oversight of what runs on your website. If prevention fails, clear response plans reduce damage. Here are step-by-step actions for common incidents.

Tips to Protect Your Website

We didn’t just discuss the problems; we also shared concrete strategies to help our community protect their websites and respond to attacks. If you see unauthorized content on your homepage, follow the website defacement response plan first:

Website defacement response plan

Website defacement is one of the most common website attacks. This is a cyberattack where an attacker gains unauthorized access to a web server and alters the visual appearance of a website. Instead of the intended content, visitors see a modified page—often displaying political messages, hacker group logos, warnings, or embarrassing images. If you experience this attack, here is what you should do: 

  • Contact your hosting provider for support.
  • Restore your website from a clean backup.
  • Change all passwords.
  • Scan and remove any backdoors.
  • Patch the vulnerability that allowed the unauthorized access.
  • Monitor the site closely for at least a month.

With the public-facing damage contained, turn to possible account compromises behind the scenes; the next plan covers them.

Account compromise response plan

Another common attack is account compromise, where an attacker gains access to a user or administrator account on a website. Unlike defacement, which is often visible, account compromise can happen silently, allowing attackers to steal data, make unauthorized transactions, or use the account for further attacks. Here’s the response plan for account compromise: 

  • Change all passwords immediately.
  • Enable two-factor authentication (2FA).
  • Review all recent changes using tools like Wordfence Audit Log.
  • Check for unexpected administration accounts and remove them.
  • Audit what was accessed or changed, and revert using backups if possible.
  • Notify affected stakeholders.

Account takeover can lead to malware installation. After securing accounts, inspect the site for malware and persistent backdoors.

Malware response plan

Attackers can also use malware to inject malicious code into a website’s files, database, or server configuration. If this happens, you should: 

  • Identify infected files.
  • Recover the website using clean backups.
  • Fix the entry point of the malware.
  • Strengthen security measures (e.g., firewalls, SSH hardening, ClamAV, Fail2Ban).
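To make “identify infected files” above (and “scan and remove any backdoors” in the defacement plan) concrete, here is an added Python example, ours rather than code from the post or from any of the tools it names, that diffs the live site against a manifest taken from a known-clean state and then applies two common content checks to whatever changed. The directory layout, the indicator patterns and the sample files are constructed assumptions.

```python
import hashlib, re, tempfile
from pathlib import Path

# Indicators a defender looks for in WordPress file scans (constructed, non-exhaustive):
# obfuscated execution in PHP, and any PHP file under uploads/, which should hold media only.
SUSPICIOUS = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")

def manifest(root):
    """Relative path -> SHA-256 of every file. Take this on a known-clean site (or a
    verified backup) and keep it somewhere the web server cannot write."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def find_suspects(root, baseline):
    """Compare the live tree with the baseline, then content-check every file an
    attacker could have planted or rewritten. A diff alone is not an infection:
    legitimate edits also show up, so only flagged entries need urgent attention."""
    current = manifest(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
              "removed": sorted(set(baseline) - set(current)),
              "flagged": []}
    for rel in report["added"] + report["modified"]:
        path = root / rel
        php_in_uploads = Path(rel).parts[:2] == ("wp-content", "uploads") and path.suffix == ".php"
        if php_in_uploads or SUSPICIOUS.search(path.read_bytes()):
            report["flagged"].append(rel)
    return report

def run_demo():
    """Constructed scenario: clean baseline, then a harmless edit, a PHP file dropped
    into uploads/ and an obfuscated line appended to a theme file."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "themes").mkdir()
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';")
    (root / "wp-content" / "themes" / "functions.php").write_text("<?php add_theme_support('title-tag');")
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed jpeg")
    baseline = manifest(root)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php'; // editor comment")
    (root / "wp-content" / "uploads" / "cache.php").write_text("<?php /* constructed */")
    with (root / "wp-content" / "themes" / "functions.php").open("a") as f:
        f.write("\neval(base64_decode('Y29uc3RydWN0ZWQ='));")  # decodes to 'constructed'
    return find_suspects(root, baseline)
```

Run the diff against the manifest of the backup you intend to restore from as well: if the “clean” backup already contains a flagged file, it is not clean.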

eQualitie could be a great partner for protection against malware.

After malware removal, restore only from a verified backup and tighten your backup practices; the next section lists some options.

Backups

As seen in each of the response plans, backups are crucial in website incident response. Maintaining current, tested backups of your website isn’t just good practice; it’s your fastest path to recovery from incidents. Below are some free or low-cost backup options:

  • Use UpdraftPlus (for WordPress) — back up your website to Google Drive.
  • GitHub — version control for static websites, allowing you to undo breaking changes.
  • Host-provided backups — test your daily, weekly, and monthly backups regularly.

If you want to go deeper into these recommendations, please check this tipsheet (also available in Spanish, Portuguese and French), which covers topics such as:

  • Know your website type
  • Top security risks to fix
  • Essential protection checklist
  • Backup strategy: The 3-2-1 rule
  • Free security tools
  • Incident response: What to do when incidents happen
  • Emergency contacts
  • Resources to stay informed on website vulnerabilities

Some members of our community also shared their work and contact details for exploring this topic further:

  • eQualitie provides DDoS protection for CSO and media websites, as well as secure hosting for WordPress-based sites. These services are free for organizations, media outlets, or individuals who qualify.
  • Qurium provides secure hosting, circumvention and digital forensics.
  • Cloudflare makes websites, apps, AI agents, and networks faster and more secure.

If you want to hear Brian’s presentation, keep an eye on our LinkedIn, where we are posting short fragments of the community call.

Stay tuned for our upcoming Community Calls to deepen your digital security knowledge, connect with peers, and become part of a network of advocates strengthening collective care and protection across the civil society space.
