Charity website security: how WordPress sites get hacked (and what cleanup costs)

Most charities assume they are too small to be worth hacking. It is an easy thing to believe, and it is wrong. The UK government’s most recent Cyber Security Breaches Survey found that around 28% of charities had experienced a breach or attack in the previous year, which works out at roughly 57,000 organisations (Cyber Security Breaches Survey 2025/2026).

Attackers are not sitting there choosing causes they dislike. They are running automated tools that scan the whole web for websites with a known weakness, and a charity site is as good a target as any.

We have been called in to clean up real compromises over the years, so this is not theory. Below are two of them, what they actually cost the charities involved, and the straightforward steps that would have prevented both. The encouraging part, which we will come to, is that most of this is well within reach of a charity’s own team.

Why would anyone bother hacking a charity?

Because your website is useful to them, whoever you are. A compromised site gives an attacker three things worth having.

The first is your traffic and your search rankings. By quietly injecting spam content or redirects, they piggyback on the reputation your site has built up to push their own dubious pages. Sucuri, which cleans hacked websites at scale, reports that injected malware and redirects are consistently among the most common infections it finds, and that this kind of spam is typically slipped in through redirects in your .htaccess file, your PHP, or your database (Sucuri 2023 Hacked Website Report).

The second is your server, which they can use to send spam or host scam pages. The third, if you take payments or hold supporter data, is that data itself. None of this requires anyone to take a personal interest in your charity. It is volume crime, and it is automated.

Where the holes actually are

Here is the part worth understanding, because it changes what you do about it. The problem is almost never WordPress itself. It is the plugins and themes bolted on top, and it is putting off updates.

Patchstack, which tracks security flaws across the WordPress world, logged 7,966 new vulnerabilities in 2024, around 22 every day. Of those, 96% were in plugins and only seven were in WordPress core (Patchstack State of WordPress Security 2025). Worse, 43% could be exploited without the attacker needing to log in at all, which is exactly what makes them easy to attack automatically and at scale.

Now pair that with how compromised sites tend to look when the cleanup team arrives. In Sucuri’s analysis, around half of hacked WordPress sites were running outdated software at the point of infection, and roughly a third had at least one vulnerable plugin or theme still in place (Sucuri 2022 Hacked Website Report). The pattern is clear. A vulnerability is found and published, a fix is released, and the sites that do not apply that fix become the easy targets. Both of the cases below are versions of this same story.

Case one: the site that kept sending visitors to a casino

A charity reached out to us on LinkedIn with a website that would, seemingly at random, redirect its visitors to an online casino. Someone would click through from a search result or a newsletter expecting to read about the charity’s work, and end up on a gambling site instead. This is a textbook malicious redirect, and gambling is one of the more common things this kind of spam pushes.

The damage did not stop at the website. Because the site had been compromised and was bouncing people off to a dodgy domain, the charity’s own domain reputation took a hit, and it ended up on blocklists. The knock-on effect was the painful part: the charity’s perfectly legitimate emails started getting caught by spam filters at the organisations it worked with. For a charity, that is a serious problem. Email is how you reach funders, partner organisations and supporters, and when your messages quietly stop arriving you can lose conversations, and relationships, without even realising why.

Cleaning this up meant finding and removing the injected redirect and every backdoor left behind to let the attacker back in (there were a lot of them), then dealing with the reputation damage and getting the domain removed from the blocklists. That last part is not instant. Blocklisting is easy to land on and slow to climb out of, which is why the cost of a compromise is rarely just the cleanup itself.
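To make the earlier point about where redirect spam hides (.htaccess and PHP) and the cleanup step above more concrete, here is an added example that is not part of the original article and not the agency's own tooling. It runs two triage checks over constructed samples: a fake .htaccess with the standard WordPress block plus an appended casino redirect, and a fake theme functions.php with one injected, base64-obfuscated line. The domain names, file contents and the allowlist of "own" hosts are all assumptions for the example.

```python
"""Triage helpers for the two places an injected redirect typically lives:
the site's .htaccess and a PHP theme or plugin file.
Both samples below are constructed for this example."""
import base64
import re
from urllib.parse import urlparse

# Constructed .htaccess: the normal WordPress block, then two lines an attacker
# has appended. The HTTP_REFERER condition is why case one looked "random":
# only visitors arriving from a search engine were bounced, so staff opening
# the site directly saw nothing wrong.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule ^(.*)$ http://casino-example.invalid/land [R=302,L]
Redirect 301 /old-page https://example-charity.org.uk/new-page
"""


def find_external_redirects(htaccess_text, own_hosts):
    """Return (line_number, target) for every Redirect*/RewriteRule whose target
    is an absolute URL on a host that is not one of the site's own hosts."""
    findings = []
    for lineno, line in enumerate(htaccess_text.splitlines(), start=1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        directive = tokens[0]
        if directive == "RewriteRule" and len(tokens) >= 3:
            target = tokens[2]        # RewriteRule <pattern> <target> [flags]
        elif directive.startswith("Redirect"):
            target = tokens[-1]       # Redirect [status] <path> <url>
        else:
            continue
        parsed = urlparse(target)
        if parsed.scheme in ("http", "https") and parsed.hostname not in own_hosts:
            findings.append((lineno, target))
    return findings


# Constructed theme file with one injected line. The payload is built here so
# the sample is obviously ours and decodes to something readable.
_PAYLOAD = base64.b64encode(b'header("Location: http://casino-example.invalid/");').decode()
SAMPLE_PHP = f"""<?php
/* Theme functions (constructed sample) */
add_action('init', 'charity_theme_setup');
function charity_theme_setup() {{
    add_theme_support('title-tag');
}}
// Injected by the attacker: obfuscated so a quick skim of the file misses it.
eval(base64_decode('{_PAYLOAD}'));
"""

# Obfuscation helpers that injected PHP relies on; legitimate theme code almost never needs them.
SUSPICIOUS_PHP = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("gzinflate", re.compile(r"\bgzinflate\s*\(")),
    ("str_rot13", re.compile(r"\bstr_rot13\s*\(")),
    ("hex-escaped string", re.compile(r"\\x[0-9a-fA-F]{2}")),
]


def find_suspicious_php(php_text):
    """Return (line_number, label) for each suspicious construct, so a reviewer
    knows exactly which lines to read before deleting anything."""
    findings = []
    for lineno, line in enumerate(php_text.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_PHP:
            if pattern.search(line):
                findings.append((lineno, label))
    return findings


def decode_base64_payloads(php_text):
    """Decode every base64_decode('...') literal so the reviewer can see what the
    hidden code actually does rather than guessing from the encoded blob."""
    decoded = []
    for match in re.finditer(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", php_text):
        decoded.append(base64.b64decode(match.group(1)).decode("utf-8", "replace"))
    return decoded


if __name__ == "__main__":
    for lineno, target in find_external_redirects(SAMPLE_HTACCESS, {"example-charity.org.uk"}):
        print(f".htaccess line {lineno}: redirect to {target}")
    for lineno, label in find_suspicious_php(SAMPLE_PHP):
        print(f"functions.php line {lineno}: {label}")
    for payload in decode_base64_payloads(SAMPLE_PHP):
        print("decoded payload:", payload)
```

Two things worth noting from a cleanup point of view. The .htaccess check only flags redirects to hosts outside your own allowlist, so the charity's legitimate 301 to its own new page is left alone. And finding the visible redirect is only the start: the same sweep needs to run over every PHP file in the install (wp-content, wp-includes, uploads), because the decoded payload here is the symptom, while any other file that can re-create it is the backdoor that gets the site reinfected.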

Case two: the “if it isn’t broke” site that broke expensively

The second charity had taken the opposite approach to maintenance: leave it alone. Updates sat pending for a long time, on the reasonable-sounding logic that the site was working fine, so why touch it. If it isn’t broke, don’t fix it.

The trouble is that the web around a website does not stand still. Old versions of PHP, the language WordPress runs on, stop receiving security updates once they reach the end of their life, and hosts eventually move on from them. When this site finally did break, it had fallen so far behind that there was no quick fix. Bringing it up to a current, supported version of PHP and WordPress meant rebuilding parts of the site so they were compatible with the newer software, because the old code simply would not run on the new stack. A series of small, routine updates had turned into a much larger and more costly repair job.

It is the same lesson as case one, seen from a different angle. The Sucuri data shows that running outdated software is also the single biggest thing that gets sites hacked in the first place, so “don’t fix it” is not a saving. It is a bill you are choosing to pay later, with interest, and a security risk you are running in the meantime.

The good news: you can do most of this yourself

Here is the genuinely reassuring bit. The single most effective thing you can do to keep your website safe is also the simplest, and most charities can do it themselves without a developer. It is just keeping things up to date.

If you have a confident member of staff or a volunteer who is comfortable logging in, the essentials are very doable:

  • Keep WordPress, your plugins and your themes updated. This one habit closes the door on the large majority of attacks.
  • Switch on automatic updates for the plugins you trust, so the routine ones look after themselves.
  • Remove any plugins and themes you are not using. Deactivated ones still sit on the server and can still be a way in, so delete what you do not need.
  • Steer clear of abandoned plugins. If something has not been updated by its developer in a year or more, treat it with suspicion and look for a maintained alternative.
  • Use strong, unique passwords and turn on two-factor authentication for anyone with an admin login.
  • Take regular backups, and check they actually work. If the worst happens, a good backup turns a crisis into an inconvenience.
  • Learn the warning signs: unexpected redirects, admin accounts you do not recognise, browser or Google warnings on your site, or a sudden odd change in your traffic.

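The checklist above is a habit, and habits are easier to keep when the checks are written down. The following is an added example, not part of the original article and not the agency's own maintenance tooling, that turns four of the bullets (pending updates, unused plugins, abandoned plugins, admin accounts you do not recognise) into a small weekly audit. The plugin and user inventories are constructed for the example; on a real site the same fields come from WP-CLI's `wp plugin list --format=json` and `wp user list --format=json`, and the `last_updated` date is an assumption you would fill in from each plugin's listing page.

```python
"""Weekly WordPress hygiene audit over a constructed inventory."""
from datetime import date

TODAY = date(2025, 6, 2)          # fixed so the example is reproducible
ABANDONED_AFTER_DAYS = 365        # "not updated by its developer in a year or more"

# Constructed plugin inventory. 'status' and 'update' mirror the fields WP-CLI
# reports; 'last_updated' is the developer's last release date (assumed here).
PLUGINS = [
    {"name": "contact-form", "status": "active", "version": "5.9",
     "update": "available", "last_updated": date(2025, 5, 20)},
    {"name": "seo-toolkit", "status": "active", "version": "2.1",
     "update": "none", "last_updated": date(2025, 4, 1)},
    {"name": "old-slider", "status": "inactive", "version": "1.0",
     "update": "none", "last_updated": date(2022, 11, 3)},
    {"name": "gallery-lite", "status": "active", "version": "3.4",
     "update": "none", "last_updated": date(2023, 9, 12)},
]

# Constructed user list. The charity's staff know which admin accounts they created.
USERS = [
    {"user_login": "trust-admin", "roles": "administrator"},
    {"user_login": "comms-editor", "roles": "editor"},
    {"user_login": "wp_support_9921", "roles": "administrator"},
]
KNOWN_ADMINS = {"trust-admin"}


def pending_updates(plugins):
    """Plugins with a fix waiting to be applied: the biggest single risk."""
    return [p["name"] for p in plugins if p["update"] == "available"]


def inactive_plugins(plugins):
    """Deactivated plugins still on disk; they can still be a way in, so delete them."""
    return [p["name"] for p in plugins if p["status"] == "inactive"]


def abandoned_plugins(plugins, today, max_age_days=ABANDONED_AFTER_DAYS):
    """Plugins whose developer has not shipped anything for a year or more."""
    return [p["name"] for p in plugins
            if (today - p["last_updated"]).days >= max_age_days]


def unexpected_admins(users, known_admins):
    """Administrator accounts nobody on the team remembers creating."""
    return [u["user_login"] for u in users
            if u["roles"] == "administrator" and u["user_login"] not in known_admins]


def audit(plugins, users, known_admins, today):
    """Run every check and return the findings as one report dictionary."""
    return {
        "pending_updates": pending_updates(plugins),
        "inactive": inactive_plugins(plugins),
        "abandoned": abandoned_plugins(plugins, today),
        "unexpected_admins": unexpected_admins(users, known_admins),
    }


if __name__ == "__main__":
    report = audit(PLUGINS, USERS, KNOWN_ADMINS, TODAY)
    for check, names in report.items():
        status = ", ".join(names) if names else "nothing to do"
        print(f"{check:>18}: {status}")
```

An empty report is the goal. Anything under `pending_updates` is the half-hour job for this week; anything under `inactive` or `abandoned` is a plugin to delete or replace; anything under `unexpected_admins` is one of the warning signs from the last bullet and should be treated as a possible compromise rather than tidied away.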
None of that needs technical training. A lot of it is half an hour on a quiet morning once a week.

When it makes sense to call someone in

That said, two things tend to trip charities up, and both are normal.

The first is that updates can occasionally go wrong. An update to one plugin can clash with another and take part of the site down, and when that happens you want someone who can work out what broke and put it right, rather than guessing under pressure. The second is simply capacity. Not every charity has a person with the time, or the confidence, to stay on top of this every week, and that is completely fair. And once a site has actually been compromised, cleanup is a specialist job. Removing the visible infection is not enough if you leave the backdoors behind, which is how sites end up reinfected days later.

That is where we often come in, and you have a choice about how much you hand over. We are happy to be there as a safety net, on hand for a tricky update, a cleanup, or a question when you need one. Or we can take the whole thing off your plate entirely, with a maintenance plan where we handle the updates, the monitoring, the backups and the security so that you never have to think about it. For a lot of the charities we look after, that peace of mind is the entire point: they get on with their mission, and we keep the website quietly working in the background.

The bottom line

Your charity is not too small to be a target, because the attackers are not choosing targets, they are scanning for weaknesses. The good news is that the main weakness is out-of-date software, and keeping things updated is something most teams can manage themselves. Do that, take backups, and you will avoid the great majority of what we get called in to fix. And when you would rather have a safety net, or hand the whole job over, that is exactly what we are here for. If you would like us to take a look at how your site is set up, we build and look after WordPress sites for charities and we are always happy to talk it through.

Sources