Church Website Security: Protecting Your Ministry Online

Church websites handle sensitive information: the front door to online giving, member contact data, prayer requests, and sometimes even children’s check-in records. Yet most churches give almost no thought to website security. The attitude is often “Why would anyone hack a church?”, and the answer is that attackers don’t care that you’re a church. Automated bots attack every vulnerable website they can find, and churches make easy targets because they rarely update their software or use strong passwords.

The good news is that church website security isn’t complicated. Most of the important steps are simple, free, and take less than an hour to implement. This guide covers what you need to know based on your platform, how to protect yourself, and what to do if the worst happens.

Table of Contents

  1. Security by platform: managed vs. self-hosted
  2. Essential security measures for all platforms
  3. WordPress-specific security
  4. What to do if your site gets hacked
  5. Donor data and PCI compliance
  6. FAQ

Security by Platform: Managed vs. Self-Hosted

The single biggest factor in your website’s security is your platform choice. Not all platforms carry the same risk.

Managed Platforms (Lower Risk)

Platforms like Squarespace, Wix, Tithe.ly, and Subsplash are managed platforms. This means the company handles server security, software updates, SSL certificates, malware scanning, and backups for you. You can’t install random plugins, and the attack surface is much smaller.

On a managed platform, your security responsibilities are limited to:

  • Using strong passwords
  • Enabling two-factor authentication
  • Limiting who has admin access
  • Not sharing login credentials

That covers the platform side: the company handles the server, the software, and the certificate. What it cannot protect is your account. A phishing email that captures the login, or the mailbox the platform sends password-reset links to, is now the whole attack surface, so that mailbox needs a strong password and 2FA as well. This is one of the biggest advantages of using a managed platform for your church website: security is essentially built in, and what is left is account hygiene.

WordPress (Higher Risk, More Responsibility)

WordPress powers roughly 40% of all websites, which makes it the #1 target for automated attacks. WordPress itself is secure when kept updated, but the combination of outdated plugins, weak passwords, and cheap hosting creates vulnerabilities that bots exploit constantly.

If you’re on WordPress, you need to take security seriously. The good news is that the steps aren’t complicated — they just require consistency. We cover them in detail below.

⚠️ Important: If your WordPress site hasn’t been updated in 6+ months, it may already be compromised. Outdated WordPress sites are the #1 way church websites get hacked. If this describes your site, update everything immediately or contact a professional before proceeding. Be aware that updating closes the hole but does not remove a backdoor an attacker may already have planted, so after updating run a full malware scan (see the WordPress section below) and treat anything it finds as a live incident.


Essential Security Measures for All Platforms

Whether you’re on Squarespace, WordPress, Wix, or any other platform, these four practices are your first line of defense.

1. Strong, Unique Passwords

This is the most basic security measure and the one most often ignored. The password “church2024” is not a strong password. Neither is the pastor’s birthday, the church name, or “password123.”

A strong password is:

  • At least 16 characters long
  • A random mix of letters, numbers, and symbols — or a long passphrase of 4+ unrelated words
  • Unique to your website (not reused from another account)
  • Stored in a password manager (Bitwarden is free and excellent)

Every person with access to your website needs their own account with a strong, unique password; never share one login among staff. When someone leaves, delete their account the same day, and if a login was ever shared, change that password too.
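
To put numbers behind these rules, here is a small Python example, added to this guide and not part of the original article or of any password manager. It generates passphrases and passwords from the operating system’s secure random source and works out how many bits of guessing an attacker faces. The 7,776-word list size (the EFF long list) and the 10 billion guesses per second are assumptions, stated in the comments, and the twelve-word list is a stand-in for a real one.

```python
import math
import secrets
import string

# Constructed mini word list for the demo. A real passphrase should draw from a
# large published list such as the EFF long list; its size (7,776 words) is the
# figure assumed in the entropy numbers below.
DEMO_WORDS = ["basil", "canyon", "lantern", "meadow", "orbit", "pepper",
              "quartz", "ripple", "saddle", "tundra", "velvet", "willow"]
EFF_LONG_LIST_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in `length` independent random picks from `choices` options."""
    return length * math.log2(choices)


def random_passphrase(n_words: int = 4, words=DEMO_WORDS, sep: str = "-") -> str:
    """Pick unrelated words with the OS cryptographic RNG (never random.choice)."""
    if n_words < 4:
        raise ValueError("use at least four words")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random password of the given length over the given alphabet."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years for an attacker who holds the password hash and must try,
    on average, half the space. 1e10 guesses/s is an assumed rate for a fast
    unsalted hash on GPU hardware; a slow hash such as bcrypt cuts it by several
    orders of magnitude, but you do not control which one a site uses."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    cases = [
        ("church name + 4 digits (a pattern bots try)", math.log2(10_000)),
        ("8 random lowercase letters", entropy_bits(26, 8)),
        ("4 words from the EFF long list", entropy_bits(EFF_LONG_LIST_SIZE, 4)),
        ("16 random printable characters", entropy_bits(94, 16)),
    ]
    for label, bits in cases:
        print(f"{label:48s} {bits:6.1f} bits  ~{years_to_crack(bits):.1e} years")
    print("passphrase:", random_passphrase())
    print("password:  ", random_password())
```

The point of the table it prints is the gap between a pattern (a church name plus a year is worth about 13 bits, because a bot only has to try the pattern) and four random words (about 52 bits) or sixteen random characters (about 105 bits). Both of the last two are out of reach; the first is gone in under a second.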

2. Two-Factor Authentication (2FA)

Two-factor authentication adds a second step after entering your password: usually a code from an app on your phone (Google Authenticator, Authy) or, less securely, a text message. Even if someone steals your password, they can’t log in without the second factor. Prefer the app over SMS wherever the platform offers it; text messages can be intercepted or redirected by hijacking the phone number, while codes from an app never leave the phone.

Every major platform supports 2FA:

  • Squarespace: Settings > Security > Two-Factor Authentication
  • WordPress: Via a plugin like WP 2FA or Wordfence
  • Wix: Account Settings > Login and Security > 2-Step Verification

Enable 2FA for every admin account, and store the recovery codes the platform gives you at enrollment in your password manager, not in a desk drawer. It takes 5 seconds to use and stops every attack that only has your password (leaked password lists, brute forcing, a phishing email that captured it last month). It does not stop a phishing page that asks for the code in real time and relays it, so still check the address bar before typing one.
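
For readers who want to see what the “code from an app” actually is, here is an added Python example, not from this page, from WordPress, or from any authenticator app, implementing the TOTP algorithm from RFC 6238 that Google Authenticator and Authy use, together with the server-side check. The shared secret and time values are the RFC’s own published test vectors; everything else is the standard library.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit number, then the low `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps
    since the epoch. Phone and server compute this independently from the
    shared secret; nothing travels over the network except the six digits."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server side: accept the code for the current step or `window` steps
    either side, because phone clocks drift. Compare in constant time and do
    not stop at the first mismatch, so response timing reveals nothing."""
    counter = unix_time // step
    ok = False
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + offset, len(submitted)), submitted):
            ok = True
    return ok


def new_shared_secret(nbytes: int = 20) -> str:
    """Enrollment: the site generates this once and shows it as a QR code; the
    app and the site each keep a copy. Base32 is the encoding the apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def key_from_base32(secret: str) -> bytes:
    return base64.b32decode(secret, casefold=True)


# Test key from RFC 4226 / RFC 6238, used so the output can be checked against
# the published vectors. A real secret is random and is never printed or shared.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_TEST_KEY, t), totp(RFC_TEST_KEY, t, digits=8))
    print("new secret for a QR code:", new_shared_secret())
```

Two things this makes visible. The code is derived only from the secret and the clock, which is why a stolen password is useless without the phone, and why a phishing page that relays the code within the same 30-second step still gets in. A production check also records codes already accepted in the current step and refuses a repeat, which this example omits.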

3. Limit Admin Access

The more people who have admin access to your website, the more potential entry points for attackers. Follow the principle of least privilege: give people only the access level they need.

  • Full admin access: 1-2 people maximum, and they should be the people who actually maintain the site (a tech-savvy leader or volunteer); seniority alone is not a reason to hold admin rights
  • Editor access: Staff who update content (sermons, events, blog posts)
  • No access: Volunteers who don’t need to edit the website

Audit your user list every six months. Remove accounts for people who no longer need access, and look for accounts you did not create: an unexplained administrator is one of the clearest signs of a break-in. Every dormant admin account is a potential vulnerability.
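
A six-monthly audit is more likely to happen if it is a script. The following Python example is added here and is not part of the article or of WordPress. It reads a user export shaped like the output of WP-CLI’s “wp user list --format=json” (the sample data is constructed) and flags the things the list above cares about. WordPress core does not record a last-login time, so the last_login field is an assumption: several security plugins add one, and the field name and format will differ from this sample. The church email domain and the “today” date are also assumptions.

```python
import json
from datetime import datetime, timedelta

MAX_ADMINS = 2
DORMANT_AFTER = timedelta(days=180)
CHURCH_DOMAIN = "example.org"           # assumed church email domain
WP_DATE = "%Y-%m-%d %H:%M:%S"           # format WordPress stores user_registered in
AUDIT_DATE = datetime(2026, 3, 1)       # constructed "today" so the sample is reproducible

# Constructed sample shaped like `wp user list --format=json` output. The
# last_login field is not something WordPress core records; its name and
# format here are an assumption based on what security plugins add.
USERS_JSON = """[
  {"ID": 1, "user_login": "admin",      "user_email": "office@example.org",
   "user_registered": "2019-04-02 14:10:00", "roles": "administrator", "last_login": "2026-02-20 09:12:00"},
  {"ID": 2, "user_login": "pastor.dan", "user_email": "dan@example.org",
   "user_registered": "2021-09-15 08:30:00", "roles": "administrator", "last_login": "2026-02-28 18:01:00"},
  {"ID": 3, "user_login": "webguy2019", "user_email": "freelancer@gmail.com",
   "user_registered": "2019-04-03 10:00:00", "roles": "administrator", "last_login": "2022-11-05 22:40:00"},
  {"ID": 4, "user_login": "kids.team",  "user_email": "kids@example.org",
   "user_registered": "2023-01-10 12:00:00", "roles": "editor", "last_login": "2026-02-27 16:15:00"},
  {"ID": 5, "user_login": "volunteer7", "user_email": "vol7@example.org",
   "user_registered": "2024-06-01 09:00:00", "roles": "editor", "last_login": null}
]"""


def audit_users(users_json: str, today: datetime,
                max_admins: int = MAX_ADMINS, church_domain: str = CHURCH_DOMAIN) -> list:
    """Return a list of plain-English findings for a human to act on."""
    users = json.loads(users_json)
    findings = []
    admins = {u["ID"] for u in users if "administrator" in u["roles"].split(",")}
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} administrators; the guide says {max_admins} at most")
    for u in users:
        login, is_admin = u["user_login"], u["ID"] in admins
        last = datetime.strptime(u["last_login"], WP_DATE) if u.get("last_login") else None
        registered = datetime.strptime(u["user_registered"], WP_DATE)
        # Dormant: no login for 180 days, or never logged in since an old registration.
        if (last or registered) < today - DORMANT_AFTER:
            when = f"last login {u['last_login']}" if last else "never logged in"
            findings.append(f"{login}: dormant ({when}); remove or downgrade")
        if is_admin and login == "admin":
            findings.append("admin: rename this account, 'admin' is the first username bots try")
        if is_admin and not u["user_email"].lower().endswith("@" + church_domain):
            findings.append(f"{login}: administrator with an outside address {u['user_email']}")
    return findings


if __name__ == "__main__":
    for line in audit_users(USERS_JSON, AUDIT_DATE):
        print("-", line)
```

On the sample it reports three administrators instead of two, the generic “admin” username, a former freelancer who still holds admin rights from an outside address and last logged in years ago, and a volunteer account that was created but never used. Each of those is exactly the kind of account a bot with a password list is happy to find.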

4. SSL Certificate (HTTPS)

An SSL certificate (strictly a TLS certificate, but everyone still calls it SSL) encrypts the connection between your visitors’ browsers and your website. It’s what puts the padlock icon in the browser address bar and changes your URL from http:// to https://.

Without it, data transmitted between your site and visitors (including login credentials and anything typed into a form) can be read or altered by anyone on the path, such as whoever runs the coffee-shop Wi-Fi. Google also uses HTTPS as a ranking signal, and Chrome labels plain http:// pages “Not secure.”

The good news: SSL is free and automatic on virtually every modern platform. Squarespace, Wix, Tithe.ly, and Subsplash all include SSL automatically. WordPress hosts like SiteGround, Bluehost, and WP Engine include free SSL through Let’s Encrypt. If your site still shows “http://” in the address bar, contact your hosting provider; this should have been fixed years ago. Having the certificate is only half of it: the site must also send every http:// visitor to https:// (most hosts have a “Force HTTPS” switch, and on WordPress both URLs under Settings > General must start with https://), or the login page can still be served unencrypted.


WordPress-Specific Security

If your church uses WordPress, these additional measures are essential. WordPress’s flexibility is its strength and its vulnerability — more plugins and customization mean more potential attack vectors.

Keep Everything Updated

This is the #1 WordPress security practice, and it’s not negotiable. Outdated WordPress core, themes, and plugins are the primary way hackers get in. Security patches are released regularly, and every unpatched vulnerability is an open door.

What to update and how often:

  • WordPress core: Update within a week of any new release. Enable auto-updates for minor releases.
  • Plugins: Update weekly. Enable auto-updates for trusted plugins.
  • Themes: Update when available. Keep only the active theme and one default theme (delete the rest).
  • PHP version: Keep your server’s PHP on a release that still receives security fixes. PHP 8.1 stopped receiving them at the end of 2025, so in 2026 that means 8.2 or later (8.3 or 8.4 if your plugins support it). Your hosting provider controls this; check their dashboard.

Set a weekly calendar reminder: “Update WordPress.” It takes 5 minutes and closes the holes the most common attacks use. Click through the site afterwards to confirm it still works; an update that breaks something is the usual reason people stop updating, and a host that offers a staging copy lets you test there first.

Install a Security Plugin

A WordPress security plugin adds firewall protection, malware scanning, and login security. You don’t need to understand the technical details: install one, have it email its alerts to an address someone actually reads, and act on them.

Recommended options:

  • Wordfence (free tier): The most popular WordPress security plugin. Includes a firewall, malware scanner, and login security. The free version covers everything most churches need.
  • Sucuri Security (free tier): Focuses on monitoring and malware detection. Their paid tier includes a website firewall (WAF) that blocks attacks before they reach your server.
  • Solid Security, formerly iThemes Security (free tier): User-friendly setup with over 30 security measures. Good for non-technical users who want guided security hardening.

Pick one. Don’t install multiple security plugins — they can conflict with each other.

Automated Backups

Backups won’t prevent an attack, but they’re your safety net if one happens. With a recent backup, you can restore your site to a clean state within hours instead of rebuilding from scratch.

Set up automated daily backups stored off-site (not on the same server as your website). Options:

  • UpdraftPlus (free): The most popular backup plugin. Backs up to Google Drive, Dropbox, or Amazon S3. Schedule daily database backups and weekly full backups.
  • Your hosting provider: Many managed WordPress hosts (SiteGround, WP Engine, Flywheel) include automatic daily backups. Verify this is enabled and test a restore once.

A backup you’ve never tested is a backup you can’t trust. Once a quarter, do a test restore to make sure it actually works. Keep at least one copy somewhere the website’s own credentials cannot delete or overwrite; an attacker who controls the site can otherwise wipe the backups along with it.

Limit Login Attempts

By default, WordPress allows unlimited login attempts, so a bot can try millions of passwords against wp-login.php (and against xmlrpc.php, which also accepts logins and is often forgotten). Install a plugin that limits failed attempts to 3-5 before locking the offending IP address out for a while. Lock the username itself only after many more failures, or a bot can lock your own staff out simply by guessing badly on purpose. Both Wordfence and Solid Security include this feature, and Wordfence’s login settings can refuse XML-RPC logins as well. This single measure blocks the vast majority of brute-force attacks.
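
The logic such a plugin implements is short enough to show in full. The Python below is an added example, not the article’s and not Wordfence’s or Solid Security’s code: it keeps a sliding window of failures per IP address and per username, locks the IP after 5 failures and the username only after 20, and replays a constructed login log through it. The log format and the addresses (from the documentation-only 203.0.113.0/24 and 198.51.100.0/24 ranges) are made up; “result=success” in the log means the password would have matched, and the point of the sixth line is that the limiter refuses it anyway while the lock is in force.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds: a single IP is locked out quickly, but a username only after many
# more failures, so one bot cannot lock your own staff out on purpose.
IP_MAX_FAILURES = 5
USER_MAX_FAILURES = 20
WINDOW = timedelta(minutes=15)       # failures older than this are forgotten
LOCKOUT = timedelta(minutes=20)      # temporary, so a typo never locks anyone out for good


class LoginLimiter:
    def __init__(self):
        self.failures = defaultdict(deque)   # key -> times of recent failures
        self.locked_until = {}               # key -> time the lock expires

    def _locked(self, key, now):
        return key in self.locked_until and now < self.locked_until[key]

    def _record_failure(self, key, limit, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW:     # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= limit:
            self.locked_until[key] = now + LOCKOUT
            q.clear()

    def attempt(self, ip, user, password_correct, now):
        """Decide one attempt: 'locked' (refused without checking the password),
        'ok', or 'fail'. In a real plugin this runs before the password check."""
        ip_key, user_key = f"ip:{ip}", f"user:{user}"
        if self._locked(ip_key, now) or self._locked(user_key, now):
            return "locked"
        if password_correct:
            self.failures[ip_key].clear()
            self.failures[user_key].clear()
            return "ok"
        self._record_failure(ip_key, IP_MAX_FAILURES, now)
        self._record_failure(user_key, USER_MAX_FAILURES, now)
        return "fail"


# Constructed sample log: a bot from 203.0.113.5 guessing the admin password,
# getting it right on the sixth try, a real staff login from 198.51.100.7, and
# the bot coming back after the lock has expired.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z ip=203.0.113.5 user=admin result=fail
2026-03-01T10:00:02Z ip=203.0.113.5 user=admin result=fail
2026-03-01T10:00:04Z ip=203.0.113.5 user=admin result=fail
2026-03-01T10:00:06Z ip=203.0.113.5 user=admin result=fail
2026-03-01T10:00:08Z ip=203.0.113.5 user=admin result=fail
2026-03-01T10:00:10Z ip=203.0.113.5 user=admin result=success
2026-03-01T10:01:00Z ip=198.51.100.7 user=admin result=success
2026-03-01T10:25:00Z ip=203.0.113.5 user=admin result=fail
"""


def replay(log_text):
    """Feed each logged attempt through the limiter; return the decisions in order."""
    limiter = LoginLimiter()
    decisions = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        f = dict(kv.split("=", 1) for kv in fields)
        now = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        decisions.append(limiter.attempt(f["ip"], f["user"], f["result"] == "success", now))
    return decisions


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG)):
        print(f"{decision:7s} {line}")
```

Run it and the bot’s correct guess on line six is refused because its address is locked, while the staff member on line seven logs in normally from a different address: that is the separation between the per-IP and per-username thresholds doing its job.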

Remove Unused Plugins and Themes

Every plugin on your WordPress site — even deactivated ones — is potential attack surface. If you’re not using it, delete it. Not deactivate — delete. The same goes for themes. Keep your active theme, one default WordPress theme as a fallback, and nothing else.

While you’re at it, audit your active plugins. Do you really need 25 plugins? Many churches accumulate plugins over the years that are no longer used or duplicated. Fewer plugins means fewer updates, fewer vulnerabilities, and a faster website.

Choose a Reputable Host

Your hosting provider is the foundation of your site’s security. A cheap $3/month shared hosting plan might save money, but it often means shared server resources with hundreds of other sites, minimal security monitoring, and slow support when something goes wrong.

For WordPress churches, we recommend managed WordPress hosting from providers like SiteGround, Flywheel, or WP Engine. They include automatic updates, daily backups, staging environments, and proactive security monitoring. The extra $10-20/month is worth it for peace of mind. For a full platform comparison, see our church website builder guide.


What to Do If Your Site Gets Hacked

If your church website has been compromised, don’t panic — but act quickly. Follow these eight steps in order:

  1. Don’t delete anything yet. Make a copy of the whole site and the server logs somewhere safe first; you may need evidence of what happened and how they got in.
  2. Take your site offline temporarily. Most hosting providers have a “maintenance mode” or you can ask them to suspend the site. This prevents visitors from seeing malicious content and protects them from potential malware.
  3. Change all passwords immediately: WordPress admin, hosting account, FTP/SFTP, database, and email accounts associated with the site. Use new, strong passwords for all of them, and revoke any API keys or WordPress application passwords the site held, because wp-config.php and the database, which an attacker with file access can read, hold those secrets too.
  4. Contact your hosting provider. They deal with hacked sites regularly and can help identify the breach, clean infected files, and restore from a backup. Many managed hosts will clean your site for free.
  5. Restore from a clean backup. If you have a recent backup from before the hack, restore it. This is the fastest path to recovery, with one catch: the backup contains the same outdated plugin the attacker came in through, so update everything before the site goes back online, and if you cannot tell when the break-in started, scan the restored copy as well.
  6. Scan for malware. Use Wordfence or Sucuri to scan every file. Remove any files that don’t belong. Pay attention to PHP files in the uploads folder (there should be none) and to extra or changed files in wp-includes; these are common places to hide malicious code. If you have command-line access, WP-CLI’s “wp core verify-checksums” and “wp plugin verify-checksums --all” compare your files against the official releases and list anything modified or added.
  7. Update everything. WordPress core, all plugins, all themes, and your PHP version. The hack likely exploited an outdated component — close that door.
  8. Request a Google review. If Google flagged your site as dangerous (showing a “This site may be hacked” warning in search results), submit a review request through Google Search Console once the site is clean. Google will re-crawl your site and remove the warning, usually within 24-72 hours.

If you’re not comfortable handling this yourself, services like Sucuri ($199/year) and Wordfence ($119/year) offer hack cleanup as part of their premium plans. It’s money well spent for peace of mind.


Donor Data and PCI Compliance

If your church accepts online donations, you have a responsibility to protect donor financial information. The Payment Card Industry Data Security Standard (PCI DSS) sets the rules for how credit card data must be handled.

The good news for most churches: if you use a third-party giving platform, PCI compliance is mostly their problem. Here’s why:

If you use a third-party giving platform (Tithe.ly, Pushpay, Planning Center Giving, Subsplash Giving, or even Stripe/PayPal), the payment processor handles all credit card data. Your website never sees, stores, or transmits card numbers. The giving platform is PCI compliant, and as long as you use it as intended (embedding its hosted giving form or redirecting to its page), you fall into the simplest merchant category: your processor may ask you once a year to confirm that this is how you take payments (a short self-assessment questionnaire called SAQ A), and that is the extent of it. One caveat that is easy to miss: a compromised website can have the giving link or embed quietly swapped for an attacker’s look-alike page, so the site security covered above protects your donors even though you never touch card data yourself.

What you should NOT do:

  • Never collect credit card numbers through a regular contact form or email
  • Never store credit card information in your WordPress database or a spreadsheet
  • Never ask donors to email their card details
  • Never build a custom giving form that directly processes cards (use a PCI-compliant provider)
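
One concrete safeguard for the first bullet: a check in front of the contact or prayer-request form that recognises a card number and sends the person to the giving page instead of storing the message. The Python below is an added example, not from the article or from any giving platform. The numbers it is tested with are the industry’s long-published test card numbers, and the form field names are made up.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# glued to other digits. Catches "4111 1111 1111 1111" as well as the unspaced form.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that every real card number passes. It separates a
    card number from a phone number or order ID of similar length, so the check
    rarely bounces an innocent message."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Digit strings in `text` that look like a card number and pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Never log or store the full number, even in a rejection record."""
    return "*" * (len(pan) - 4) + pan[-4:]


def check_submission(fields: dict) -> dict:
    """Run over every field of a form submission. Returns whether to accept it,
    which fields contained card numbers (masked), and the message to show."""
    hits = {name: [mask(p) for p in find_pans(str(value))] for name, value in fields.items()}
    hits = {name: pans for name, pans in hits.items() if pans}
    message = ("" if not hits else
               "It looks like you typed a card number. For your safety this form cannot "
               "accept card details; please use the secure giving page instead.")
    return {"accept": not hits, "hits": hits, "message": message}


if __name__ == "__main__":
    # Constructed submissions; 4111 1111 1111 1111 is a well-known test number.
    print(check_submission({"name": "Jane",
                            "message": "Please charge 4111 1111 1111 1111, exp 12/27, for the roof fund"}))
    print(check_submission({"name": "Tom",
                            "message": "Order 1234567890123456 arrived, call me on 555-0100"}))
```

The second submission contains a sixteen-digit order number that fails the Luhn test, so it goes through; the first is refused, and only the last four digits are kept for the record. Put the same check on the server side of the form, not only in the browser, since a well-meaning donor can disable scripts without noticing.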

Beyond credit cards, protect the personal data you do collect — names, emails, addresses, phone numbers from connection cards and forms. Store this in your church management system (Planning Center, Breeze, etc.), not in random spreadsheets. Limit who has access to this data, and don’t email it around unencrypted.


Frequently Asked Questions

Why would anyone hack a church website?

Hackers rarely target churches specifically. Automated bots scan the entire internet for vulnerable websites — outdated WordPress installations, weak passwords, unpatched plugins. They don’t check what the website is about. Once in, they use your site to send spam emails, host phishing pages, distribute malware to your visitors, or inject SEO spam (links to gambling or pharmaceutical sites). Your church website becomes an unwitting tool for someone else’s scam.

Is Squarespace more secure than WordPress?

In practice, yes — because Squarespace handles all security updates, patching, and server hardening automatically. WordPress can be just as secure, but it requires active maintenance (updates, security plugins, good hosting). Most church WordPress sites are poorly maintained, making them significantly more vulnerable. If security is a major concern and you don’t have someone dedicated to WordPress maintenance, a managed platform like Squarespace eliminates most of the risk.

How do we know if our site has been hacked?

Common signs include: your site redirects to a different website, Google shows a “This site may be hacked” warning, you find pages or posts you didn’t create (often with spammy content), your hosting provider contacts you about malicious activity, visitors report security warnings in their browsers, or your email is suddenly being flagged as spam. Install a security plugin with monitoring (Wordfence or Sucuri) and you’ll be alerted automatically.

Do we need cyber insurance?

For most small to mid-size churches, general liability insurance with a cyber rider is sufficient. If your church handles significant online transactions or stores member data (health information, financial records), consider a dedicated cyber insurance policy. Talk to your insurance provider about your specific needs — many church insurance providers now offer cyber coverage as an add-on.

How much should we budget for website security?

On a managed platform (Squarespace, Tithe.ly, Wix): $0 beyond what you already pay for the platform. On WordPress: a good hosting provider ($15-35/month), a security plugin (free tiers are sufficient), and a backup plugin (free). Total WordPress security cost: $0-30/month on top of hosting you should already have. The real cost is time — 15 minutes per week to apply updates and monitor security alerts.

