Membership website security: how to keep your site safe and secure
If you’re running a membership website, member safety – and your reputation – hinges on your ability to keep data confidential and secure. Poorly designed or maintained systems put your community at risk, leading to poor performance and loss of trust. Here’s what to avoid and how to improve it.
Membership website security – why you should take it seriously
Whether you’re a business, a professional body or any other organisation, a membership website is a brilliant way to build a community. Your members pay a premium to get the best content or to access your expertise and support networks. That makes your website a flagship property for generating revenue, building your brand, or establishing and reinforcing your leadership role. And it makes website security paramount for protecting your community and reputation.
While it’s essential to nail down the security on any website, that’s especially true when handling payments or dealing with the personal data of thousands of members. And yet, too many organisations are struggling with the legacy of outdated or poorly designed membership portals running on insecure or outmoded systems. Without the resources to audit, understand and proactively fix website security issues, they face a growing risk from unpatched vulnerabilities and ageing, unsupported integrations.
The effects can be subtle, beginning with systems that generate errors or delays. But they can also be devastating, with significant data breaches that result in lost business, loss of trust, and huge penalties from the regulator.
So, what are the risks?
- Slow breakdown – a poorly maintained membership site can be slow, frustrating members and potentially hurting your search rankings on Google. Problems with essential integrations such as your payment system can prevent members from joining, upgrading or renewing, and they can knock members’ confidence in your ability to protect their financial data.
- Sudden breakdown – discontinued or unsupported technology can be unpredictable, leading to sudden failures. Updates can cause problems, too – core changes or new features can break the way things used to work. The risks are business interruption and loss of business as members lose faith.
- Data loss – a poorly managed membership platform is open to all kinds of technical failures. If the technology isn’t current, secure, and properly backed up, you could lose business or customer data.
- Data theft – membership websites that rely on legacy technology or aren’t properly managed and updated become increasingly vulnerable to attack. Data breaches can be punished with fines of up to 4% of your annual global turnover.
- Regulatory action – you don’t need to lose member data to be in hot water with the regulator. Failure to comply with the UK General Data Protection Regulation (GDPR) (or the EU GDPR if you process data from EU residents) can still attract warnings, bans or fines, even if you otherwise ‘get away with it’.
But more than all that, you simply owe it to your community to take its privacy seriously and to protect its members’ personal data. So, what steps should you take to lock down your membership website security and protect your members?
Secure your membership website
1. Apply regular updates
Whatever platform you choose for membership website development, you must regularly update it with the latest security and stability fixes. At least 43% of the world’s websites are built on WordPress, which has several maintenance updates yearly. If your membership website is built on WordPress, don’t delay applying updates, which fix bugs and sometimes address major security issues.
2. Don’t forget your plugins
Your membership site is as secure as its weakest link, which may be one of your plugins or even your theme. Use only themes and plugins that are well-supported with regular updates, and ensure you apply them on time. Deactivate or uninstall plugins you no longer use, too. We generally recommend you use only a small set of plugins you know well and which play nicely together – add more, and you could introduce problems.
3. Secure your hosting
Be sure you’re using a hosting provider that takes your data seriously. Verify what they’re doing to keep data safe and check where they’re storing it – GDPR legislation may prevent you from processing personal data outside the UK or EU. Again, don’t forget your plugins – ensure payment providers and other integrations offer the necessary controls and standards.
4. Clamp down on users and passwords
It’s essential to monitor and limit who has access to your site’s hosting, CMS and other backend functions. Use WordPress permissions to assign people the appropriate roles and restrictions, apply the “Principle of Least Privilege (PoLP)”, insist on strong passwords and two-factor authentication, and regularly audit who has access and why.
5. Harden WordPress
If you are running a WordPress membership site, you’ll need to harden it. Change the default WordPress login URL (sitename/wp-login.php) to reduce brute-force login attempts, and replace WordPress’s default MD5-based password hashing with a stronger scheme. Rename or disable the default ‘admin’ account, too. And although we shouldn’t need to mention it, it’s imperative to use HTTPS throughout the site, not just for transactions, forms and other data gathering.
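As an added example (not code from this page or from BrightMinded), the Python script below turns the advice in steps 4 and 5 into a repeatable access review: it reads a user export in the shape of WP-CLI’s `wp user list --format=json`, extended with a hypothetical `two_factor` flag that a 2FA plugin might provide, and flags the default ‘admin’ account, privileged users without 2FA, long-standing privileged accounts and an oversized administrator circle. The sample export, the review date and the policy thresholds are all constructed.

```python
import json
from datetime import date, datetime

# Constructed sample in the shape of `wp user list --fields=ID,user_login,roles,user_registered --format=json`,
# plus a hypothetical `two_factor` flag (WordPress core has no such field; a 2FA plugin would supply it).
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "admin", "roles": "administrator",
     "user_registered": "2016-03-01 10:00:00", "two_factor": False},
    {"ID": 7, "user_login": "jane", "roles": "administrator",
     "user_registered": "2022-05-12 09:30:00", "two_factor": True},
    {"ID": 9, "user_login": "intern2019", "roles": "editor",
     "user_registered": "2019-06-01 08:00:00", "two_factor": False},
    {"ID": 12, "user_login": "member42", "roles": "subscriber",
     "user_registered": "2023-11-20 18:45:00", "two_factor": False},
])
REVIEW_DATE = date(2024, 6, 1)  # constructed review date used by the sample run

# Assumed policy values: roles treated as privileged, the maximum number of
# administrators, and how old a privileged account may be before its need is re-confirmed.
PRIVILEGED_ROLES = {"administrator", "editor"}
MAX_ADMINS = 1
REVIEW_AFTER_DAYS = 365 * 3


def review_access(users_json, today):
    """Return (user_login, finding) pairs for accounts that break the
    least-privilege rules; an empty list means the review passed."""
    users = json.loads(users_json)
    findings = []
    for u in users:
        login = u["user_login"]
        roles = set(u["roles"].split(","))
        privileged = bool(roles & PRIVILEGED_ROLES)
        if login.lower() == "admin":
            findings.append((login, "default 'admin' account still exists: rename or disable it"))
        if privileged and not u.get("two_factor", False):
            findings.append((login, "privileged role without two-factor authentication"))
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S").date()
        if privileged and (today - registered).days > REVIEW_AFTER_DAYS:
            findings.append((login, "privileged account older than the review period: confirm it is still needed"))
    admins = [u["user_login"] for u in users if "administrator" in u["roles"].split(",")]
    if len(admins) > MAX_ADMINS:
        findings.append(("*", f"{len(admins)} administrators ({', '.join(admins)}) exceed the maximum of {MAX_ADMINS}"))
    return findings


if __name__ == "__main__":
    for login, finding in review_access(SAMPLE_USERS_JSON, REVIEW_DATE):
        print(f"{login:12} {finding}")
```

Run it against a real export on a schedule and treat any finding as a ticket to resolve, so the “audit who has access and why” step is something the team actually does rather than intends to do.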
6. Use filters
If you run forums, allow comments, or have other user-generated submissions, ensure they’re correctly filtered for malicious content and crafted attacks. You almost certainly want to protect your community and reputation with spam and obscenity filtering. Depending on the nature of your site and the volume of user-generated content, you may also want to manually moderate the content or ask community members to help you do so.
7. Manage your data effectively
It’s vital to ensure your membership website is secure and that you’re protecting personal and financial data, but you must also consider what data you need to gather and keep. The GDPR requirements are that you collect and store data only for specific, agreed purposes and then ‘for no longer than is necessary’.
While there’s no fixed limit, the Information Commissioner’s Office (ICO) says you must be able to justify why you are keeping data, periodically review the data you hold, and erase or anonymise any that you no longer need.
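To make the periodic review in step 7 concrete, here is an added Python example (not code from this page or from BrightMinded) that applies a documented retention policy to member records: each record is kept, anonymised or erased depending on its purpose and last activity, and records with no documented purpose are erased because keeping them cannot be justified. The retention periods, record layout, sample records and review date are all assumed or constructed, not figures from the page.

```python
from datetime import date, timedelta

# Assumed retention policy (purpose -> days after last relevant activity).
# The page gives no fixed periods; take these from your own documented policy.
RETENTION_DAYS = {
    "membership": 365 * 2,      # lapsed members kept two years for re-joining
    "event_attendance": 365,    # attendance lists kept one year
}

# Constructed sample member records and a constructed review date.
SAMPLE_RECORDS = [
    {"id": 1, "email": "a@example.org", "purpose": "membership", "last_activity": date(2024, 5, 1)},
    {"id": 2, "email": "b@example.org", "purpose": "membership", "last_activity": date(2021, 1, 15)},
    {"id": 3, "email": "c@example.org", "purpose": "event_attendance", "last_activity": date(2023, 3, 1)},
    {"id": 4, "email": "d@example.org", "purpose": "newsletter_trial", "last_activity": date(2024, 1, 1)},
]
REVIEW_DATE = date(2024, 6, 1)


def decide(record, today):
    """Return 'keep', 'anonymise' or 'erase' for one record."""
    purpose = record["purpose"]
    if purpose not in RETENTION_DAYS:
        return "erase"          # no documented purpose, so keeping it cannot be justified
    expiry = record["last_activity"] + timedelta(days=RETENTION_DAYS[purpose])
    if today <= expiry:
        return "keep"
    if purpose == "event_attendance":
        return "anonymise"      # aggregate attendance figures stay useful without identities
    return "erase"


def anonymise(record):
    """Strip the direct identifier but keep the non-identifying fields."""
    return {**record, "email": None, "anonymised": True}


def apply_retention(records, today):
    """Return (remaining_records, decisions): erased records are dropped,
    anonymised ones are rewritten, kept ones pass through unchanged."""
    remaining, decisions = [], {}
    for r in records:
        action = decide(r, today)
        decisions[r["id"]] = action
        if action == "keep":
            remaining.append(r)
        elif action == "anonymise":
            remaining.append(anonymise(r))
    return remaining, decisions


if __name__ == "__main__":
    print(apply_retention(SAMPLE_RECORDS, REVIEW_DATE)[1])  # {1: 'keep', 2: 'erase', 3: 'anonymise', 4: 'erase'}
```

The decisions dictionary doubles as the audit trail the ICO expects: it records, per member, why data was kept or removed at each review.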
8. Make regular off-site backups
This tip obviously applies to any website – and almost any system – but it’s critical for a membership site. Losing member data has a huge reputational impact, and it could do great damage to your business or community.
Check your hosting package includes regular backups – they may be the quickest way to restore everything after a disaster or breach. Also, configure and test your own backups using a plugin – these may be easier and quicker when you just need to restore a few files. Finally, ensure your backups are kept secure and ideally off-site. Large companies have been hacked and had their backups deleted or encrypted in the process.
Keeping your membership website secure isn’t just a one-time job: it’s a lasting responsibility that demands regular monitoring and action. Ensure you’ve got the skills and resources to stay on top of it or work with a trusted partner with the experience to protect you and your members.
At BrightMinded, we’re experts in membership website development and security, having delivered dynamic and safe sites for brands and organisations, including the British Ecological Society and the British Psychoanalytic Council. We’re also proud to be a MemberWise Network recognised supplier.
Get a free membership website expert review
If you need help protecting your membership or want to know how to improve your site’s performance, why not get in touch to book a free membership website expert review?
Discover how we helped the British Psychoanalytic Council update and secure its membership platform.