🚧 Don't lose control of your website!


Hi friends 👋🏻

Twice this month I've been tasked with regaining control of a nonprofit website that the client didn't know how to access.

In one of these cases, the website had been compromised because it hadn't been updated for such a long time (because no-one could access it...) and the hack evolved to the point where the site suddenly started redirecting visitors to a spam clone of the Home Depot website ... not good!!

Read on for some tips to avoid this happening to you ...


Want links to recent emails or a sign-up link to share? Go to The Digital Landscape sign-up page

ICYMI here are a couple of recent editions!


Why having a website you can't access is more common than you might think.

If you're lucky enough to work in a well-resourced setting and have your ducks in a row, you probably feel confident knowing that either you or your website vendor has complete administrator-level control over your website.

But it's not uncommon for a nonprofit org to have lost the ability to log in to their website in an administrator role, and to not know where the website is hosted.

A team member might still have edit access—perhaps the ability to publish blog posts or edit existing pages—but no-one has administrator access.

How does this typically happen? In my experience, it's a people problem:

  • The organization has lost contact with the developer or agency that built the website
  • The staff person who used to take care of this left and the information was lost in the transition
  • The relevant information still exists in a spreadsheet somewhere, but no-one knows where to look

This is most common with aging WordPress websites, but it can happen to websites on fully-hosted platforms like Squarespace and Wix too.

What's the risk?

I think the risk is probably obvious, but I'll spell out what makes this a big, urgent problem here:

If no-one is regularly logging in as an administrator, website updates aren't being managed carefully, which introduces the risk of (a) website functionality breaking, or worse, (b) the website getting hacked or going offline. This is what happened in the situation I described above, with the entire website being taken over by a fake DIY

This is particularly likely to happen to unmaintained WordPress websites, and if you don't have admin access it can be hard (and slow, and expensive) to recover.

Before continuing, here's a common response I hear when discussing these concerns:

"But we have updates set to install automatically"

or

"We use Squarespace so we don't have to worry about updating plugins"

Nope, sorry. In both of these cases, complex website components are being installed automatically without anyone testing them first to make sure they don't break anything. That's not ok!

If you have a super-simple Squarespace website with no custom code that's lower risk. But even then, I've seen a Squarespace platform-wide change break site layouts. Indeed, later this year Squarespace is ending support for a long list of custom fonts, some of which might be in use on your site. Someone needs to be paying attention to these details.

Besides the security risks, having a website online that you can't fully control is also a huge communications liability.

If one of these things happened, would you be able to quickly (at least within a couple of days) update your org's website?

  • Publish an important announcement
  • Remove or add a staff profile
  • Adjust the link or embed code for your donation platform

What's the solution?

Either a good relationship with a reliable developer, or a staff person with the right skills to serve as a website administrator. Or ideally, both!

I should also balance this advice by reminding you to limit the number of people with administrator level access. Anyone logged in as an administrator can make significant changes and potentially do serious damage, so the more of those username/password pairs their floating around, the more risk you are exposed to. For users that simply need to edit or publish content, use "editor" or "author" roles instead. And for administrator users, make sure to enforce secure, unique passwords and require two-factor authentication.


Until next time ✨

— Ed Harris (your digital strategy guide)


🤔 Have a question?

If you have a question about how to optimize your website or get more out of your digital marketing we’ll do our best to help out. Hit reply and send us a message and we’ll get in touch.

🔗 Affiliate Disclosure

Some links to products or services in The Digital Landscape emails and on the Blue Hills Digital website are affiliate links. This means we may receive compensation in return for new customers we refer. We only recommend products and services we use and love, and this helps us fund the creation of educational content for subscribers like you!

Want to stop receiving these emails?

You're receiving this email because you signed up either at the Blue Hills Digital website, or on my personal site at edharris.me.

You can update your preferences or unsubscribe using the links below. No hard feelings!

Unsubscribe · Preferences · 5331 S Macadam Ave, Ste 258 PMB 1090, Portland, OR 97239

Blue Hills Digital

A guide for nonprofit communications professionals & mission-driven marketers. Delivered weekly, by email.

Read more from Blue Hills Digital

Hi friends 👋🏻 This week, a reminder about online privacy laws and a tool recommendation to make compliance easy! Want links to recent emails or a sign-up link to share? Go to The Digital Landscape sign-up page ICYMI here are a couple of recent editions! Where are your donors coming from? You're not ready for a website project Disclaimer before we get into the details: I’m not an attorney, and this is not legal advice. Consult an actual, licensed attorney in your jurisdiction! Here are a few...

Hi friends 👋🏻 This week, I'm sharing a quick example of what custom content types look like on a website. I realize I throw this phrase around a lot when I'm consulting on website projects, and examples are always helpful! Want links to recent emails or a sign-up link to share? Go to The Digital Landscape sign-up page ICYMI here are a couple of recent editions! Where are your donors coming from? You're not ready for a website project Remind me: what do you mean by content types? One of the...

Hi friends 👋🏻 A common question from clients: how can we track which donations are coming from which website traffic sources? This is particularly interesting when an org has decided to invest time and money in a specific campaign – like ads on Meta platforms, or a paid partnership with a specific sponsor. This week, I share some tips about how to approach this. Want links to recent emails or a sign-up link to share? Go to The Digital Landscape sign-up page ICYMI here are a couple of recent...