



It’s 11:47 PM on a Saturday. A worship leader is doing one last check before bed and pulls up the church homepage on her phone. Where the welcome video used to be, there’s a blinking ad for discount pharmaceuticals in three languages. The “Plan Your Visit” button leads nowhere. The online giving form throws an error.
By Sunday morning, the staff group chat has 47 unread messages, and nobody knows who to call.
This is not a hypothetical. Some version of this Saturday-night scramble plays out at churches every weekend, and it’s almost always preventable. Your website is the front door of your ministry — the first place visitors form an impression, the place members go for service times, the hub for online giving and prayer requests. When that door gets kicked in, it’s not just a technical problem. It’s a ministry problem.
The good news: you don’t need to become a cybersecurity expert. You just need a few core habits and a clear-eyed view of what you’re actually protecting.
Before we go deeper, three things any church can do today, in under an hour:
1. Turn on Multi-Factor Authentication (MFA) for every admin account on your website.
2. Log in and delete user accounts for anyone who no longer works at the church.
3. Update WordPress core, your theme, and every active plugin.
That’s it. Those three steps will close the doors most attackers actually try.
Most churches don’t think about security until something breaks — a site goes down, a giving form stops working, or a strange message shows up on the homepage. Suddenly, security is the most urgent thing on the desk.
The reality is that security works best when it’s proactive, not reactive. Your website likely handles online giving, collects prayer requests, and serves as a central hub for your community. If those systems are compromised, it creates more than an “IT issue” — it creates confusion and unnecessary stress for your team and your people.
Most of the time, the challenge isn’t a lack of care. It’s that no one on staff was hired to be a cybersecurity expert. The work ends up on the desk of an already-busy admin or associate pastor, and it stays there until something forces the issue.
A helpful way to frame this is to think of your website as an extension of your physical campus. On your property, you have intentional systems. You lock the back doors at night. You have people keeping an eye on the lobby on Sunday morning. You have a fire safety plan, even if you hope you never use it.
Your website needs that same layered approach.
Access Control: Who has the keys? Every former staff member, intern, or volunteer who once had admin access is a key still floating around. The fix isn’t complicated — it’s a quarterly habit of pulling up the user list and asking, “Does this person still need to be in here?” Pair that with strong, unique passwords and MFA, and you’ve handled the single biggest source of church website breaches.
Maintenance: Is the roof leaking? WordPress, your theme, and every plugin you’ve installed get regular security updates. These aren’t optional polish — they’re patches for vulnerabilities that attackers already know about. An unupdated site is a site with a known hole, and the bots scanning for that hole find it within days. Updating things isn’t glamorous, but it’s the church-website equivalent of changing the air filter.
Monitoring: If a window breaks at 3 AM, who gets the call? This is the piece most churches miss. You need something — a security plugin, a service, or a partner — that watches the site continuously and alerts someone when something looks wrong. Without monitoring, you find out about a breach when a member emails to ask why the homepage is in Russian.
When you view security through the lens of hospitality and stewardship, it becomes less intimidating and more practical. You’re not building a fortress; you’re being a thoughtful host. And a secure, well-maintained site is the foundation for everything else your digital presence needs to do — from welcoming first-time visitors to supporting your church’s long-term growth.
Most attacks on church websites aren’t personal. They’re automated. Bots constantly scan the internet for weak points — outdated plugins, exposed login pages, weak passwords like “ChurchName2024” or “Pastor!2024.” If your site has one of those gaps, it gets flagged and targeted by a script, not a human.
Smaller churches often assume they’re “too small to be a target.” The opposite is true. Church sites are attractive precisely because they tend to be high-trust, low-security environments — built years ago by a volunteer, updated occasionally, and trusted by congregations who would happily click a link sent from “the church.”
On a typical small-church WordPress site we manage, we see hundreds of automated login attempts every week. Not because the church did anything wrong, but because that’s the baseline noise of being on the internet. The question isn’t whether attackers will try; it’s whether your front door holds when they do. In our State of Church Websites report — where we audited 2,725 church websites — we found that the vast majority of churches are operating without the basic protections in place. Security gaps are far more common than most church leaders realize.
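To see that baseline noise on your own site, you can count login POSTs per IP address in the web server's access log. The sketch below is an added example, not One Eighty Digital's tooling. It assumes Combined Log Format and stock WordPress behavior, where a failed login re-shows the form with status 200 and a successful login redirects with status 302. The log lines are constructed and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def summarize_logins(lines, threshold=5):
    """Return {ip: {"failed": n, "succeeded": n}} for IPs with >= threshold failures."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
            continue  # only submitted login forms count as attempts
        # Assumption: stock WordPress. 200 = form shown again, 302 = logged in.
        if status == "200":
            stats[ip]["failed"] += 1
        elif status == "302":
            stats[ip]["succeeded"] += 1
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

def needs_urgent_review(summary):
    """IPs that failed repeatedly and then logged in: possible guessed password."""
    return sorted(ip for ip, s in summary.items() if s["succeeded"] > 0)

def _line(ip, method, path, status):
    # Helper that builds one constructed log line for the sample below.
    return (f'{ip} - - [14/Jun/2025:23:41:02 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 4521 "-" "-"')

# Constructed sample: a bot that eventually gets in, a staff typo, a page view.
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6
    + [_line("203.0.113.7", "POST", "/wp-login.php", 302)]
    + [_line("198.51.100.20", "POST", "/wp-login.php", 200),
       _line("198.51.100.20", "POST", "/wp-login.php", 302)]
    + [_line("192.0.2.44", "GET", "/wp-login.php", 200)] * 9
)

if __name__ == "__main__":
    summary = summarize_logins(SAMPLE_LOG)
    print(summary)
    print("Review now:", needs_urgent_review(summary))
```

An IP that appears in the second list is the one worth a phone call: repeated failures followed by a success usually means a password was guessed, and that account's password should be changed and MFA turned on.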
Strip away the tech-talk and good security comes back to a few core habits:
Protect the keys. Strong, unique passwords plus MFA on every admin account. A surprising number of breaches trace back to one person reusing the same password across their email, Facebook, and the church website. When one of those services gets leaked, all three are exposed.
Keep the system healthy. Update WordPress core, themes, and plugins on a regular schedule. Ignoring an update because it’s inconvenient is like leaving the front door unlocked because you don’t want to grab the key.
Backups that actually work. It’s not enough to have a backup — you need to know it’s valid. Test a restore at least once a quarter. The difference between a five-minute hiccup and a three-day disaster is whether your last backup is real or theoretical.
The little padlock. Make sure your SSL certificate is active and renewing automatically. The “https://” in the browser bar is the digital version of a “Welcome” sign — it tells visitors their connection is private and signals to search engines that you’re a legitimate site.
The biggest mistake churches make is treating security as a massive, one-time project. It doesn’t have to be. It just needs to be a rhythm.
Monthly (10 minutes): Review who has admin access. Delete old accounts. Run available updates. Check that backups are still completing.
Quarterly (30 minutes): Test a backup restore. Skim activity logs for anything that looks off. Audit your installed plugins and remove anything you’re not using.
Yearly (a half-day): Zoom out. Does your site still serve your goals? Are your tools still earning their keep? Is it time to refresh the design, the platform, or the partner you’re working with? This is also a good moment to revisit how your site is organized for different audiences and whether it’s still structured to serve both visitors and members well.
Churches collect remarkably sensitive information: prayer requests, family addresses, event registrations, sometimes counseling notes. Part of good stewardship is being thoughtful about how that data is handled.
The two best practices are simple. First, only collect what you actually need. If you don’t need someone’s home address to register them for a Bible study, don’t ask. Second, use trusted, third-party platforms for anything involving payments. You should never store credit card numbers on your own server. Let specialized providers — Pushpay, Tithe.ly, Planning Center, Stripe — handle payment security while your team handles ministry.
If your church is also using a mobile app to handle giving and member communication, the same principle applies: a platform built specifically for churches, with security built in, is far safer than a patchwork of tools. Our Connected Church solution is designed with exactly this in mind — keeping giving, events, and communication in one secure, integrated system.
Sometimes prevention fails. If your site has been compromised — defaced homepage, strange redirects, members reporting weird emails from your domain — here’s what to do, in order:
1. Don’t panic, and don’t start clicking around. Take a screenshot of what you’re seeing.
2. Contact your hosting provider. Most reputable hosts have a security team that can help isolate the issue and put the site into maintenance mode while you sort it out.
3. Change every admin password immediately, starting with your own.
4. Pull a fresh backup from before the incident and prepare to restore. Don’t restore yet — first make sure you understand how the attacker got in, or you’ll just be hacked again in a week.
5. Check your user list for accounts you don’t recognize. Attackers often add a hidden admin account so they can come back.
6. Communicate with your people. A short, honest note (“We’re aware our site is down and we’re fixing it — service is on as scheduled”) is far better than silence.
7. Once restored, rotate all credentials and turn on MFA if it wasn’t already on.
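The user-list check, both the routine "does this person still need to be in here?" review and the post-incident hunt for an unfamiliar admin, can be scripted. This is an added example, not part of the original article or any vendor's tooling. It assumes the admin list was exported as CSV with WP-CLI (`wp user list --role=administrator --format=csv`); the roster, the accounts and the dates are constructed.

```python
import csv
import io
from datetime import datetime

def audit_admins(csv_text, approved_logins, suspect_since=None):
    """Return [(user_login, reason), ...] for admin accounts that need review.

    approved_logins: set of logins your staff list says should be admins.
    suspect_since:   optional datetime; admins created on or after it are flagged.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"]
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if login not in approved_logins:
            findings.append((login, "not on current staff roster"))
        if suspect_since and registered >= suspect_since:
            findings.append((login, "created during suspected compromise window"))
    return findings

# Constructed export: a current pastor, a long-gone intern, and an account
# that appeared on the night of the incident.
SAMPLE_EXPORT = """\
ID,user_login,display_name,user_email,user_registered,roles
1,pastor.mike,Mike,mike@example.org,2019-03-02 15:10:44,administrator
4,summer.intern,Summer Intern,intern@example.org,2022-06-01 09:00:00,administrator
9,wp_support,Support,support@example.net,2025-06-14 22:58:13,administrator
"""
APPROVED = {"pastor.mike"}            # hypothetical roster
SUSPECT_SINCE = datetime(2025, 6, 14)  # hypothetical start of the incident

if __name__ == "__main__":
    for login, reason in audit_admins(SAMPLE_EXPORT, APPROVED, SUSPECT_SINCE):
        print(f"{login}: {reason}")
```

Leave `suspect_since` out for the monthly review; set it during an incident so that an admin account created inside the window stands out even if its name looks official.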
If this list feels overwhelming in a moment of crisis, that’s exactly when having a partner pays off. You shouldn’t be Googling “how to clean a hacked WordPress site” at 11 PM on a Saturday.
For most churches, this is where the work starts to feel heavy — one more thing for a team that is already spread thin.
That’s why many churches partner with a team, like ours, instead of trying to handle the under-the-hood work themselves. At One Eighty Digital, we come alongside churches to take this off your plate. We handle the updates, the monitoring, the backups, and the late-night fire drills so your team can focus on people instead of plugins.
It’s not about outsourcing responsibility. It’s about supporting your mission.
This isn’t about fear. It’s about faithfulness. When your website is secure, it just works. Your team isn’t scrambling on a Saturday night, and your visitors find what they need without distraction.
Want a free 15-minute security audit of your church website? We’ll check for the most common vulnerabilities — outdated software, weak access controls, missing SSL, broken backups — and send you a one-page report with the top three things to fix. No pitch, no obligation.