Today I read about the ‘Women’s Resource Centre’, a small charity with – from what I can tell – 11 employees and income of around £900k. They had their website hacked by a ‘pro-Isis group’. You can read all about it on the Guardian’s Voluntary Sector Network (hat tip to Charity Digital News for the link).

I wanted to offer some opinion and advice on this. I really, really don’t mean to criticise the Women’s Resource Centre – they’re probably having a tough enough day as it is – but there are things that other small charities can learn from this incident.

All websites are hacking targets

WRC’s head of communications is quoted as saying:

“We didn’t expect it so we only have a normal hosting package. We did not have any extra precautions in place to protect us from hacking.”

So the first thing to make clear is that any website can be subject to hacking.  And this doesn’t look to me like a targetted attack, it looks like what I call a “drive by”.  An automated script found a way in to the website and took it over. It didn’t care who’s website it was. It was random and indiscriminate.

Looking at the screenshot in the Guardian, their website was probably running WordPress. WordPress powers a significant percentage of the world’s websites, and attackers are constantly trying to hack into WordPress websites of all sorts.  They have automated scripts that find sites and try to find ways in. These don’t care what your business or cause is – if there’s a way to deface your site then they will do it.

To own a website is to risk being attacked.

Basic security is essential, not an add-on

Yes, some websites are more liable to attack than others. Some campaigning organisations that I work with have specific opponents who occasionally carry out intense and sustained attacks to bring websites down. These need extra precautions.

But that’s not to say that your website doesn’t need any security. Basic things like using strong passwords, using non-default admin usernames, locking down certain parts of WordPress, and implementing brute-force login protection are all essential. I know that these things sound technical but they’re easy to do – just ask a friendly web developer to help.

Backups are essential

The article says that:

“The [website] hosting company is trying to access back-ups of our site…”

I’m going to guess that their “normal hosting package” had no backups included.

It’s easy to think that bad things happen to other people (or to other websites) but this is clearly not true. If your website is even vaguely important then you should be taking regular backups of it (or paying someone else to). It’s the only way to guarantee that you can get it back if it gets hacked.

Your website is worthy of investment

Does your charity have locks on the office doors? Maybe an alarm system? Does it pay insurance?

I hope so. Why? Because your office is an important space that’s key to the running of your organisation. It deserves investment and care.

Perhaps, relative to other offices, it doesn’t contain much of value. But you still look after it.

WRC say: “With limited resources, we have to focus on our beneficiaries, not cyber security.”

If an organisation’s website is important to their organisation then it’s worth protecting and investing in. Perhaps the website is actually really important to your beneficiaries. For some organisations the website is as much of a “front door” to the organisation than the actual front door!

It, like your office, can be critical to the running of your organisation.

So if your website is important to you, and if you’re in doubt about whether this could happen to you – whether you have basic security and backups in place – I urge you to spend some money finding out and protecting yourself.

WRC are probably spending more money and time – more of their limited resources – fixing this now, then they would have spent on basic security and backups up-front.

I feel for them, and I know that they will learn from this experience.  I hope that in sharing these thoughts some others can also learn from this and avoid an attack like this in future.

I really don’t want to make sales from this – I’m too busy and don’t need the work – but if anyone has questions or wants to know more then ask questions in the comments below and I’ll see if I can help.