State of security of NFP websites

James Hornitzky from Leafcutter shares the latest findings from a research project exploring the potential threat of attacks on NFP websites and suggests steps you can take to protect your website.

Recently there has been a number of high profile security breaches, including the breach of ANU systems and the breach of Westpac’s PayID system, that have severely impacted these large and prominent organisations. 

Whilst NFPs may not present as high-value targets compared to other organisations, there are still payments and sensitive personal details transacted and stored in these systems that are valuable to attackers and are important to protect.

As an NFP, trust is one of the key reasons your supporters engage with you, and it is important to do everything you can to protect your digital systems from intrusion.

Over the past month, our team has conducted a basic research project to understand the potential threat of attacks on NFP websites. 

From a sample size of 399 sites, our team found approximately 50 sites with outdated software versions vulnerable to known hacks and intrusions. These sites were scanned using a combination of custom python scripts and the WP vulnerability tool wpscan v3.7.3. 

They were scanned at two intervals, once at the end of May 2019, and a second time near the end of June 2019. For each of the affected organisations, we have attempted to advise them privately to ensure that action is taken to secure their systems as quickly as possible.

Key findings

• 400 sites were scanned in May 2019.
  • Approximately 14 per cent (56) of the sample were found to have vulnerabilities.
  • 314 sites were not scanned (218 were non-WP sites, 65 sites were down or not resolvable, and 31 sites were not scanned due to redirects).
  • Six sites returned 403, suggesting a WAF is already in place.
  • If you remove the not scanned results, that leaves 86 target sites, of which 65 per cent had some kind of vulnerability. 
  • Whilst the vulnerabilities may not be immediately possible to exploit without admin permissions or other access, the ratio of sites that have exploits versus those that do not is alarmingly high.
• 399 sites were scanned in June 2019.
  • Approximately 14 per cent (57) of the sample were found to have vulnerabilities.
  • 304 sites were not scanned (208 were non-WP sites, 65 sites were down or not resolvable, and 31 sites were not scanned due to redirects).
  • Six sites returned 403, suggesting a WAF is already in place.
• The number of vulnerabilities found overall is unexpectedly high, especially considering the scanning tool is specific to WordPress sites and is relatively basic.
• Over 90 per cent of sites appeared both in May and June. This is significantly concerning as it shows regular maintenance is not adequately performed on these sites. This means that vulnerabilities are not being reviewed or fixed. 
• The vulnerabilities found were exploits that affected outdated plugins and themes. It’s really important to update not just core software but all plugins and add ons.
• Note that this research does not include any microsites or secondary properties where there may be other vulnerabilities.
• No brute force attacks on passwords were undertaken as part of the research project. 
• Given the number of sites that were not scanned, it is worth looking at the use of another security scanning tool that is able to scan other CMS technologies to better understand the exposure more broadly across the industry.

Taking steps to protect your website

As immediate steps, if you are facing issues with your website or you know that it has out-of-date dependencies, you should:

• update your software immediately on your website; and
• install a web application firewall to prevent future scanning and to block common attacks.

These two steps alone stop the majority of automated attacks and will significantly reduce the weaknesses in your website.

It is recommended that you also consider a longer-term plan with regard to website security:

• Perform regular security monitoring of your website – to detect hacks if they do occur and be able to action quickly.
• Ensure that you have regular backups of your website in case there is a hack and can restore/rollback with minimal data loss and downtime.
• Commit to a regular cycle of updates, at least monthly.
• Ensure you have a strong password policy that is enforced. Ideally, you change your passwords on a semi-regular basis.
• Penetration testing – to scan for more advanced levels of weakness and potential points of entry.

Wrapping Up

Securing your site as an NFP is important as the potential ramifications far outweigh the cost of a well-regimented security program. There are some basic actions you can take quickly which put you significantly ahead of the market, and you need to have a regular plan to keep your site safe and up to date. Your supporters will thank you for it through their trust and continued engagement with your organisation.

About the author: James Hornitzky is the co-founder and COO of Leafcutter, a digital agency that helps NFPs and for-purpose organisations strategise and build digital services, tools and campaigns to help them raise more funds and deliver more life changing programs to the community.