When it comes to not-for-profit websites, the old adage that “prevention is better than cure” holds true, and never more so than when it comes to the question of security.

Website hacks can take many forms: silently inserting spam links, trying to install malware on your visitors’ computers, stealing your donors’ data and more. A compromised website can do irreparable damage to a not-for-profit organisation’s reputation, and even if caught quickly can be expensive and time-consuming to fix.

How do you prevent these malicious actors from getting access in the first place?

One of the most important – and easiest – things you can do is to ensure that your website is kept up to date with bug fixes and security patches. If your website utilises WordPress, it’s crucial to keep both WordPress and your plugins and themes up to date. As soon as a security vulnerability is identified, attackers will set up automated scripts which crawl the Internet looking for websites using the vulnerable software in order to exploit the weakness.

How do you keep your not-for-profit website up to date?

When it comes to WordPress, you’ve got a few options available to manage updates.

Automatic Updates

WordPress itself has offered automatic updates for a long time. Version 5.5 (released August 2020) also added support for auto-updates for both plugins and themes. By opting in to these automatic updates, you ensure that the website will keep itself up to date on a regular basis (approximately twice per day), minimising the risk that you’ll be running outdated, vulnerable code.

There are downsides to automatic updates though – on occasion an update may be released which breaks your site, and if that update was installed automatically you may not even know about it for several days (e.g. if it happens on a Friday night). Making matters worse, if several updates were installed at the same time it can be very difficult to determine which one caused the issue in order to rectify it.

Manual Updates

The obvious alternative is to manually install updates yourself on a regular basis. This has the benefit of giving you additional control over the timing of the updates, as well as ensuring that you’re present to immediately identify any issues that may come up as a result. The downside, however, is the time required to install updates, especially if you’re reviewing the release notes beforehand so you know what has changed. And if you’re installing the updates directly on your live site there’s still no guarantee that the update won’t cause problems – though at least your site won’t be down all weekend without you knowing!

Managed Hosting

Some hosting companies offer Managed WordPress hosting, which means that in addition to providing the server space for your site they will also keep it up to date. Different hosts approach this differently, so make sure you review the details carefully. If they are just installing updates directly on your live site without testing them elsewhere first, then it may not be any better than just letting WordPress handle the updates automatically.

Managed Updates

Another approach, offering the best of both worlds, involves having a professional service manage the updates for you, like Spark’s WordPress Update Management service. By installing all of the updates on a development copy of your site first, we are able to check for potential conflicts or errors without any risk to your live site. And it frees you up to spend your time on other things, like building relationships with your donors.
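The sketch below is an added example, not Spark’s own process or code from this article. It shows one way to apply pending plugin updates to a development copy one at a time and check the site after each, so that a breaking update is identified by name (the difficulty described under Automatic Updates). It assumes WP-CLI is installed as `wp`; `STAGING_PATH`, `STAGING_URL` and the function names are placeholders chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: update plugins on a STAGING copy one by one and stop at the
# first update that breaks the site. Never point this at the live site.
# Assumptions: WP-CLI is available as `wp`; the path and URL are placeholders.

STAGING_PATH="${STAGING_PATH:-/var/www/staging}"            # placeholder path
STAGING_URL="${STAGING_URL:-https://staging.example.org/}"  # placeholder URL

# Returns 0 when the staging home page answers with HTTP 200.
site_ok() {
  [ "$(curl -s -o /dev/null --max-time 20 -w '%{http_code}' "$STAGING_URL")" = "200" ]
}

# Prints "OK <plugin>" for each update that leaves the site healthy.
# Prints "FAILED <plugin>" if the update itself errors, or "BROKE <plugin>"
# if the site stops responding afterwards, and returns 1 at that point so
# the remaining updates are held back for review.
update_one_by_one() {
  local plugin
  # Plugin slugs contain no whitespace, so word splitting is safe here.
  for plugin in $(wp --path="$STAGING_PATH" plugin list --update=available --field=name); do
    if ! wp --path="$STAGING_PATH" plugin update "$plugin" --quiet; then
      echo "FAILED $plugin"
      return 1
    fi
    if site_ok; then
      echo "OK $plugin"
    else
      echo "BROKE $plugin"
      return 1
    fi
  done
}

# To run against your own staging copy, call: update_one_by_one
```

A home page that returns HTTP 200 is only a basic health check; a plugin can break a donation form or admin screen without taking the home page down, so key pages still need a look before the same updates go to the live site.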


What’s your preferred approach to managing updates to your WordPress site?
