Keeping your website in tip-top condition is something that will require some attention on a regular basis. It’s a fairly unglamorous job that seems easy to ignore but doing so could come back and bite you.
Content Management Systems like Drupal and WordPress are in some ways the victims of their own success and hackers are often looking for vulnerabilities within them to exploit. The developer communities are pretty good at keeping on top of the latest threats and loopholes and they release updates to the core files and to the plugins/modulestem
WordPress has a great security plugin that you can use to test and tighten up the security of your WordPress installation. To get the best out of it, it’s best to install it and run it as soon as you’ve setup your site and before you’ve added any content to it.
Securing your donations system
I’ve already touched on the online security implications of a few of the more common payment systems. Because charity donation pages are a common target of online criminals (because it has no delivery address, it’s an easy way of testing a whole load of credit card numbers to see which ones have been cancelled). They have programmes that can automate this process and can attempt many donations per minute. If they try it over a weekend then you can find yourself facing hundreds and hundreds of bogus transactions. You’ll have to refund the successful ones (and pay a processing fee on top) so as well as wasting your time, it can also cost you money too.
How to prevent/deter the fraudsters
You need to take a few steps to make sure that those automated scripts won’t work on your site. The payment processor providers (like Worldpay and Paypal) have some mechanisms in place that you can choose to enable. They can limit the transactions from the same IP address to one per hour for example, blacklist a whole range of IP addresses (to prevent computers in Nigeria from making donations for example). They can also add a ‘capture delay’ so that the transactions aren’t automatically approved – you can choose to capture or reject them manually, or add a capture delay of a few days so that you get the chance to spot any fraudulent activity. Rejecting a transaction is a lot quicker than refunding one, and it won’t cost you anything to do so.
This may sound kind of obvious, but don’t use the same password everywhere, and especially not the same one that you use for your own personal email, Amazon etc. I would recommend that your server/FTP, your CMS login and your Worldpay login all use completely unique passwords made up of letters, symbols and numbers. Change them every 6 months or so – especially if you’ve given any out to developers or third parties.
This can be a bit of a minefield. There are actual laws involved here. It’s a lot to stay on top of, but unless you’re storing sensitive material like medical records, form submissions with private data on, credit card or bank account number etc. then you shouldn’t run into too many issues and it’s unlikely you’ll get sued or fined!
If people ask to opt out then you need to be able to add them onto a ‘Do Not Contact List’ that makes sure they don’t get written to or emailed. This is why it’s important to have a good CRM system that can handle contact preferences.