5 online security musts for churches and other religious organizations

Guard your flock

Online security is often hit-and-miss in most religious organizations. It’s been my experience that many religious organizations — at least the churches — are seriously lacking in the security department, and are often working on a mishmash of technology, which causes its own problems.

I don’t know if it’s the trusting nature of churches, or that most church staffs aren’t packed with a lot of tech-savvy folks, but online security never seems to be a top priority. In my experience, many religious organizations often don’t use things like secure passwords, website security or even multiple backups — let alone one backup — of important data. I imagine it’s this way for a lot of religious organizations: the staff is more focused on what their members need, not their IT systems. That means there are a few holes in their security that makes them vulnerable to outside attacks and interference.

It’s understandable: you want to focus on your members and community more than your computers.


But that doesn’t mean you can’t take a few simple steps to keep your information safe. So, here are a few online security must-dos for any religious organization to follow.

5 online security musts for churches and other religious organizations

These five online security musts will get your house in order and help you protect your religious organization’s website and your members’ data.

  1. Use complex passwords.

  2. Keep two separate backups of your data.

  3. Make sure you have admin level access to all online properties.

  4. Turn on two-factor authentication.

  5. Everything else.

Now that I have your attention, let’s dig in!

1. Use complex passwords

Your church or religious organization’s computer network is critical. This is where you keep your membership data, financial records and credit card numbers of many of your members. This is a prime target for identity thieves, and if your system gets hacked, the recovery can get complicated and expensive.

(Side note: Ask your business insurance provider about cyber insurance. You’ll need this if hackers ever break into your system. As my cybersecurity friends like to tell me, “Never think of it as “if you get hacked, but when you get hacked.” Cyber insurance will help you recover from data breaches and defray the costs of what could be an expensive process.)

Many people will use a password they think is secure, like their kids’ names, anniversary or even a pet’s name. But a semi-competent criminal can figure those out by looking at your staff’s Facebook profiles.

Other people will try to be tricky and use a password like p@ssword1. (Hint: It’s not tricky. Don’t bother.)

Church Online Security Characters

For any password situation, you need to use complex passwords. In some cases, that can be a password like xbwMmh$RX44tp4,C9Vv+, but you don’t actually need anything that complicated. In fact, the guy who actually invented these “mash the keyboard” passwords recommends against using them.

Instead, you can use passwords made up of three or four unrelated words, like statue-syllabic-biceps-north. These are just as effective as the garbled password, but they’re easier to remember, plus you’re less likely to make a typo when you enter it.

If a hacker was to use cracking software on a complex password on your church’s website, it can take them thousands of centuries to do it. You’ll probably have upgraded your system before then.

Finally, get a password vault like 1Password or LastPass so you never have to remember your passwords at all. Both store your passwords, work on all laptops, tablets and phones, and you can even install extensions into your favorite web browser for quick online access. Plus, the vaults can generate random passwords which are nearly impossible to break.

2. Keep two separate backups of your data

Protecting and backing up your site’s data is a critical step in managing your church or religious organization’s online security. This is because you can lose data for any number of reasons: theft, fire, flood, lightning or just good old-fashioned hard drive failure.

The average hard drive has a lifespan of five to seven years, and if you’re still using a big CRT monitor and tower computer under the desk, you’re overdue for a catastrophic failure. As it is, a hard drive can fail for any number of reasons, so it always pays to keep daily and weekly backup copies of your data.

To start with, buy a portable USB hard drive that holds at least 2 TB (terabytes). They’re a little bigger than a smartphone and usually cost less than $100. Plug that into your computer, and let it do its thing. (If you have a Mac, run Time Machine for backups. If you run Windows, use File History). Keep it plugged in at all times, because it will back up your data on a regular basis.

Second, use an online backup system like Apple’s iCloud, Dropbox, Box, Google Drive or any other cloud storage system that synchronizes your data over the internet.

This is important because if you ever lose your portable drive, you still haven’t lost your data.


It lives in the cloud, and can be accessed once you get your new computer up and running. (By the way, one of the benefits of using a password vault is that when you get a new computer, you can download the vault, log in with your credentials and your old passwords will be loaded onto your new computer.)

Editor’s note: GoDaddy’s Website Backup can give you all the protection you need without any legwork on your part. This service will help keep your data safe when servers crash, hackers attack, and malware makes the rounds.

If you would like a third backup, get a wireless backup system that will backup your data over WiFi. I use the Apple 3TB WiFi tower, and it syncs all the data on my hard drive several times a day. Even if I forget to plug in my portable drive, my tower still has everything on it.

Related: 10 cloud security tips from the hosting experts

3. Make sure YOU have admin level access to all online properties

Whether it’s your church or religious organization’s website, blog, email, YouTube channel, Planning Center app or even social media channels, don’t rely on volunteers to run things so much that they have ultimate access to it. Your online security depends on that not being the case.

You need to have institutional control of all online accounts so that if something happens to your volunteer or staff member who’s running it, you haven’t lost access to it completely.

Picture this: A friend runs a faith-based nonprofit, and someone set up a Facebook page for him several years ago. The problem is, the other person set up ownership under his own Facebook account, not my friend’s. That means the other guy “owns” the page — not the organization. Except my friend needs admin access to the page, but the friend does not recall ever setting it up and can’t get access to it himself.

This could have been solved if the group had set up a page independently of any one person, or at the very least, through the executive director’s account. This way he would have ultimate access and wouldn’t be looking at replacing a page that already has a lot of traction.

This needs to be true of everything you do online.


I don’t care if you hate computers and don’t even own a smartphone; it’s the 21st century, and unless someone printed out this article for you on paper, you’re reading this online, which means you have some sort of online access and knowledge of the internet. So, you should at least be able to handle having someone set up these accounts with your email address, even if they manage it for you. At least you’ll be able to recover the passwords and regain access with the “I forgot my password” link at the login screen.

Church Online Security Admiring

4. Turn on two-factor authentication

OK, this one is a little tricky, but only a bit. But it will save you if someone ever gets access to your password.

There are some online accounts — Gmail and GoDaddy, for example — that offer an extra step to log in. You’ll log in with your username and password like always, but then you’ll be asked to provide an additional code, which is sent to you during the login process. This is two-factor authentication.

In other words, when I log in to my Gmail, I then receive a text from Gmail with a code in it. I enter that code when asked, and I can get into my account. This blocks anyone who might have guessed my password: when they get past the first screen, there’s a second screen asking them for a code, which they won’t get because it went straight to my phone.

Related: Increase account security with two-step verification on your mobile device

5. Everything else

There are actually a lot more things church’s or religious organizations can do for online security — enough to fill up an entire book. But these are a few other miscellaneous items to use:

Use a virus checker

Make sure you have a virus checker on your computer, whether you have Mac or Windows. Make sure it’s up-to-date, and scans your network every two weeks. I’ve used Avast on my laptop, phone and tablet for years, and it’s easy to use and unobtrusive.

Related: Protect your library, nonprofit or municipal agency from the ransomware virus

Beware of malware

Never click on email attachments from people you don’t know. And if you get strange messages from people you do know, call them and see if they meant to send you anything. Chances are, someone is faking their email address, and if you click a link you’ll be hit with some malware.

Editor’s note: GoDaddy Website Security scans your website for malware and removes it if found. It even monitors brand reputation, performs Google blacklist monitoring and removal and more!

Never feed the phish

Your bank will never, ever email you about difficulties with your account. If you get one and you think it’s legitimate, call your bank directly and ask them. Never click the link.

This is a phishing scam trying to steal your information.


If you need to, type in your bank’s main web address, and log into your account from there.

If you don’t trust them, don’t visit them

Websites are often very vulnerable to cyberattacks and can deliver malware (viruses, trojan horses and spyware) to visitors, because the original website was infected. Many people think it’s the more unsavory sites on the internet that will do this, but you’re more likely to pick up some malware from websites of religious organizations. That’s because their online security is poor, they’re more likely to carry infections. So be careful which sites you visit, and make sure your virus protection is up-to-date.

Update your website software

Keep your blog or website up-to-date. If you use WordPress for your site, make sure all your plugins are current. Also, avoid using too many plugins. Each one is a vulnerability point, so the fewer you have, the better.

Related: How to check for WordPress security updates in 2 simple steps

Install WordPress security plugins

There are also WordPress security plugins you can use, like WordFence. If you didn’t set up your website, talk to the person who did and ask them to install the right security. If they can’t manage it, hire someone to do it.

It’s a small price to pay for online security.


Churches and religious organizations are just as vulnerable as any other business when it comes to online security. You can protect yourself and greatly reduce your odds of having data or identities stolen, or having your data wiped out by a hacker, if you just practice some smart online security.

Use complex passwords that you store in a password vault, keep all your data backed up in at least two locations, turn on two-factor authentication for your online networks, and make sure you or someone in charge has admin level access to all online properties. If you can follow these basic online security steps, you can protect your church or religious organization and your members from possible theft and mayhem.

Image by: Patrick Schneider on Unsplash