If your nonprofit website has a donation page, chances are threat actors are always looking for a way in. Many organizations underestimate the likelihood of a cyberattack, often presuming they’re not large or popular enough to attract such attention. Nothing could be further from the truth. The presence of a payment processing gateway is usually enough to pique the interest of malicious users.
Unfortunately, just one successful attack can completely erode donor trust, directly impacting your nonprofit’s fundraising ability. Prevention through robust security and best practices remains the best way forward.
Why Do Hackers Target WordPress Donation Pages?
WordPress is the world’s most popular content management system (CMS), making it a prime target for cyberattacks. According to recent statistics, WordPress sites worldwide experience about 90,000 hacking attempts per minute, with 52% occurring because of outdated plugins.
Donation page forms created using plugins have been particularly vulnerable to carding attacks. While this cyberthreat most commonly affects e-commerce websites, it is steadily spreading to nonprofits. What makes donation forms especially attractive is that, unlike conventional e-commerce checkouts that involve multiple steps before payment, they often offer one-click payment options.
This feature presents the perfect opportunity to test the validity of stolen cards. From there, the hacker can use them for larger purchases. Such was the case of a nonprofit that received hundreds of $1 donations over a short period, which turned out to be a card-testing attack.
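A card-testing run like the one described above leaves a recognisable pattern in gateway logs: many tiny, rapid attempts from one source with an unusual share of declines. The following detector is an added example (not code from the article), run over constructed sample log lines; the window, amount and count thresholds are assumptions a nonprofit would tune to its own donation volume.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not values from the article.
SMALL_AMOUNT = 5.00            # donations at or below this count as "test-sized"
WINDOW = timedelta(minutes=10)  # sliding window per source address
MAX_SMALL_ATTEMPTS = 5          # test-sized attempts per source inside WINDOW before alerting
MAX_DECLINE_RATIO = 0.5         # declines / attempts inside WINDOW before alerting

# Constructed sample gateway log (not real data): time, source IP, amount in USD, gateway result
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 1.00 declined
2024-03-01T10:00:09Z 203.0.113.7 1.00 declined
2024-03-01T10:00:15Z 203.0.113.7 1.00 approved
2024-03-01T10:00:22Z 203.0.113.7 1.00 declined
2024-03-01T10:00:31Z 203.0.113.7 1.00 approved
2024-03-01T10:00:40Z 203.0.113.7 1.00 declined
2024-03-01T10:02:00Z 198.51.100.4 50.00 approved
2024-03-01T11:30:00Z 198.51.100.9 25.00 approved
"""

def parse_log(text):
    """Parse whitespace-separated log lines into (time, ip, amount, result), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, amount, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, float(amount), result))
    return sorted(events)

def detect_card_testing(events):
    """Return {ip: reason} for sources whose recent activity looks like card testing."""
    alerts = {}
    recent = defaultdict(deque)  # per-IP sliding window of (time, amount, result)
    for ts, ip, amount, result in events:
        window = recent[ip]
        window.append((ts, amount, result))
        while window and ts - window[0][0] > WINDOW:   # drop events older than WINDOW
            window.popleft()
        small = sum(1 for _, a, _ in window if a <= SMALL_AMOUNT)
        declined = sum(1 for _, _, r in window if r == "declined")
        if small >= MAX_SMALL_ATTEMPTS:
            alerts[ip] = f"{small} test-sized attempts in {WINDOW}"
        elif len(window) >= 4 and declined / len(window) > MAX_DECLINE_RATIO:
            alerts[ip] = f"{declined}/{len(window)} declined in {WINDOW}"
    return alerts

if __name__ == "__main__":
    for ip, reason in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {reason}")
```

Only the burst of $1 attempts from 203.0.113.7 is flagged; the two genuine donations from other addresses are not.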
These pages can also provide a gateway to private data theft. Donors likely input their personal information into your website when making a donation, which hackers are more than happy to sell on the black market or, worse, use to conduct sophisticated attacks.
On a broader level, nonprofits are easy targets for cybercrime because most operate on well-defined and often limited budgets with little allocation for cybersecurity. One report found that about 56% of NGOs don’t even have a cybersecurity budget. This dynamic must change soon, or reports of nonprofits being hacked will continue to dominate headlines.
6 Ways to Secure Your Donation Page
With charitable giving on the rise, organizations must take all the necessary steps to demonstrate that they take donor online security and privacy seriously.
1. Only Collect Information You Need
Many nonprofits collect vast amounts of data because they think it improves their operations. While there’s some truth to the belief, it also puts them at increased risk of cyberattacks. Hackers cannot steal information from your site if it’s not there. As such, there’s no reason to collect or store unnecessary donor information.
2. Regularly Update Plugins
Updating your WordPress plugins monthly is one of the simplest ways to maintain a resilient security posture. Attackers routinely use automated tools to scan websites for outdated plugins, since those sites are easier to compromise.
WordPress and its associated third parties regularly release updates to address the most recently discovered cybersecurity issues. For example, GiveWP, a WordPress donation page plugin, released a security patch in 2023 fixing a critical SQL injection vulnerability.
3. Opt for Premium Web Hosting
Using cheap hosting might seem like a great way to save money, especially from a nonprofit’s perspective. However, discount providers may cut corners in their security protocols to provide the service at a lower cost.
The right hosting solution can make a difference, especially for sites that receive many visitors, such as charity organizations. Experts recommend choosing a service with at least 99.5% uptime to improve security and reliability. Your choice of web hosting is also essential to handling high-traffic surges and preventing website crashes.
4. Install reCAPTCHA on the Page
reCAPTCHA is a free Google service that helps protect websites from spam and abuse by providing a Turing test to tell humans and bots apart.
V3 reCAPTCHA is the latest version, created after users complained about the difficulty of V2's challenges. It works by tracking user behavior on the WordPress site and assigning a score from 0 to 1 to determine whether that visitor is a bot or a human. This measure ensures that an automated system set up by a cybercriminal cannot use the donation form.
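The v3 score only protects the form if the server verifies the token and enforces a threshold; the score is never trusted from the browser. The decision logic below is an added example (not code from the article or from reCAPTCHA itself). It takes the JSON body that Google's siteverify endpoint returns for a submitted token and checks success, the expected action and hostname, and the score; the threshold, action name and hostname are assumed values for a donation page, and the sample responses are constructed.

```python
import json

# Assumed deployment choices (not values from the article).
MIN_SCORE = 0.5                        # v3 scores run from 0.0 (likely bot) to 1.0 (likely human)
EXPECTED_ACTION = "donate"             # action name passed to grecaptcha.execute() on the form
EXPECTED_HOSTNAME = "donate.example.org"

def evaluate_siteverify(body, min_score=MIN_SCORE, action=EXPECTED_ACTION, hostname=EXPECTED_HOSTNAME):
    """Decide whether a donation submission may proceed.

    `body` is the JSON returned by POSTing the token (and the site secret) to
    https://www.google.com/recaptcha/api/siteverify. Returns (allowed, reason).
    """
    data = json.loads(body)
    if not data.get("success"):
        # Invalid, expired or already-used token (e.g. "timeout-or-duplicate").
        return False, "token rejected: " + ",".join(data.get("error-codes", []))
    if data.get("action") != action:
        # A token minted on another page must not be accepted for the donation form.
        return False, f"token issued for action {data.get('action')!r}, expected {action!r}"
    if data.get("hostname") != hostname:
        return False, f"token issued for host {data.get('hostname')!r}, expected {hostname!r}"
    score = float(data.get("score", 0.0))
    if score < min_score:
        return False, f"score {score} below threshold {min_score}"
    return True, f"score {score} accepted"

# Constructed sample siteverify responses for illustration.
HUMAN = '{"success": true, "score": 0.9, "action": "donate", "hostname": "donate.example.org"}'
LOW_SCORE = '{"success": true, "score": 0.1, "action": "donate", "hostname": "donate.example.org"}'
REPLAYED = '{"success": false, "error-codes": ["timeout-or-duplicate"]}'
WRONG_ACTION = '{"success": true, "score": 0.9, "action": "newsletter", "hostname": "donate.example.org"}'

if __name__ == "__main__":
    for name, body in [("human", HUMAN), ("low score", LOW_SCORE),
                       ("replayed", REPLAYED), ("wrong action", WRONG_ACTION)]:
        print(name, evaluate_siteverify(body))
```

Submissions that fail any check should be rejected before the payment gateway is called, so a bot cannot use the form to test cards even if it can load the page.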
5. Invest in Phishing Awareness
Phishing remains one of the biggest threats in cybersecurity. Nonprofit organizations would do well to regularly educate their staff on identifying the red flags of an attempt. This awareness campaign should extend to donors so they also understand the do’s and don’ts of safely interacting with the donation page or the rest of the website.
6. Prepare for When an Incident Might Happen
The current rate and sophistication of cyberattacks mean you cannot be sure that your WordPress site won’t be hacked. Outlining the immediate next steps following an incident is essential to mitigating the impact and reassuring donors.
However, many organizations fail to implement this critical measure. According to a recent report, 70% of NGOs lack an incident response plan in case of a cyberattack. That’s an unflattering statistic for such an integral industry.
Secure Your Nonprofit Website Against Cyberattacks
Staying safe from malicious donation page attacks requires constant vigilance. The threat landscape is constantly evolving, and hackers have become increasingly adept at switching up their approaches. Updating plugins, using premium hosting, prioritizing phishing education and having an incident response plan will help you improve your nonprofit website’s security framework and safeguard your donors’ information.