Hi friends 👋🏻

Yesterday I wrote up a project scope for a (likely) client to tackle a WordPress website they couldn't access 🤪

Read on to hear how this happened, how unfortunately common this is, and how to avoid it happening to you.

---

Want links to recent emails or a sign-up link to share? Go to The Digital Landscape sign-up page​

---

Why having a website you can't access is more common than you might think.

If you're lucky enough to work in a well-resourced setting and have your ducks in a row, you probably feel confident knowing that either you or your website vendor has complete administrator-level control over your website.

But it's not uncommon for a nonprofit org to have lost the ability to log in to their website in an admin role, and to not know where the website is hosted.

A team member might still have edit access—perhaps the ability to publish blog posts or edit existing pages—but no-one has administrator access.

How does this typically happen? In my experience, it's a people problem:

• The organization has lost contact with the developer or agency that built the website
• The staff person who used to take care of this left and the information was lost in the transition
• The relevant information still exists in a spreadsheet somewhere, but no-one knows where to look

This is most common with aging WordPress websites, but it can happen to websites on fully-hosted platforms like Squarespace and Wix too.

What's the risk?

I think the risk is probably obvious, but I'll spell out what makes this a big, urgent problem here:

If no-one is regularly logging in as an administrator, website updates aren't being managed carefully, which introduces the risk of (a) website functionality breaking, or worse, (b) the website getting hacked or going offline.

This is particularly likely to happen to unmaintained WordPress websites, and if you don't have admin access it can be hard (and slow, and expensive) to recover.

Before continuing, here's a common response I hear when discussing these concerns:

"But we have updates set to install automatically"

or

"We use Squarespace so we don't have to worry about updating plugins"

Nope, sorry. In both of these cases, complex website components are being installed automatically without anyone testing them first to make sure they don't break anything. That's not ok!

If you have a super-simple Squarespace website with no custom code that's lower risk. But even then, I've seen a Squarespace platform-wide change break site layouts. Indeed, later this year Squarespace is ending support for a long list of custom fonts, some of which might be in use on your site. Someone needs to be paying attention to these details.

Besides the security risks, having a website online that you can't fully control is also a huge communications liability.

If one of these things happened, would you be able to quickly (at least within a couple of days) update your org's website?

• Publish an important announcement
• Remove or add a staff profile
• Adjust the link or embed code for your donation platform

What's the solution?

Either a good relationship with a reliable developer, or a staff person with the right skills to serve as a website administrator. Or ideally, both!

I should also balance this advice by reminding you to limit the number of people with administrator level access. Anyone logged in as an administrator can make significant changes and potentially do serious damage, so the more of those username/password pairs their floating around, the more risk you are exposed to. For users that simply need to edit or publish content, use "editor" or "author" roles instead. And for administrator users, make sure to enforce secure, unique passwords and require two-factor authentication.

---

Stay safe out there, website owners! That's all for this week.