5 Security Tips Candidates Need to Know to Protect Their Campaign Websites

Guest Post by Bill Hess of Pixel Privacy

Hackers are running wild today and no one is safe from their devious schemes –  especially political candidates. Just ask Hillary Clinton.


The following is a guest article by Bill Hess of Pixel Privacy that provides 5 Security Tips you as a candidate need to know to protect your campaign website.

Candidates running for office face a number of daunting tasks.

They have to organize events, recruit people, raise funds and meet the demands of the media.

There are plenty of things that must be anticipated in the build up and cyber attacks and campaign website security is on that list as well.

The global digitalization has shifted a large part of campaigns to become more digital as well. And the threats of foreign cyber criminals, mainly from China and Russia, is increasing.

The consequences of a hacked campaign website and leaked data can be disastrous for any candidate as it can derail the message the candidate wants to bring forward.

If hackers manage to take down websites for a significant time span or multiple times, it may cause huge donation losses, contribution and put the entire digital campaign on hold.

And it’s expected that cyber threats will continue to be a real issue for candidates.

It’s therefore essential for every candidate to secure the campaign website.

Although a 100% secure website is nearly impossible, there are some basic but incredibly effective methods candidates should implement to improve the protection of their campaign websites.

1.   Software Updates

It may sounds obvious, but it’s incredibly important to keep all website software up-to-date, as well as the server operating system running the CMS of the website.

That also includes any additional plugin that’s running in the background of a website.

Old and outdated themes, plugins or other software tools are easy targets for most hackers and are quick to abuse such security holes.

Software updates are released to improve usability and functionality but also to patch out security holes and weaknesses in the code of the software.

If you don’t update the software, it can be easily exploited.

In case a website is running on a reputable hosting server, it’s not your task to implement security measures on the server but the hosting company should.

It’s best to enable automatic updates for all software tools in order for the updates to be implemented as soon as possible.

2.   Cross-site Scripting Attacks

Cross-site scripting (XSS) are widely-used attacks by hackers.

Hackers inject malicious scripts on your website, which can carry out commands.

By doing so, hackers can steal data from your server (if they command the server to send data) or they can change your entire website.

Vulnerable aspects of your website are input fields such as a comment section, sign up page or payment page.

Hackers can input malicious JavaScript code there instead of actual information.

It’s important to make sure that input fields are protected with underlying code so JavaScript code can’t be injected.

This can be done by escaping data.

For example, if you built restriction on input fields, a hacker won’t be able to enter JS code into a phone number field, because your code only allows a certain range of specific numbers.

3.   Strong & Unique Passwords

Creating a strong and unique password is one of the items I stress the most, simply because it’s – by far – the easiest way to protect yourself against hackers.

Unfortunately, most people don’t actually create complex passwords.

It’s crucial to do so in order to protect user accounts which can be abused to attack a website.

Every password should have at least 10-12 characters, including special symbols, numbers and upper- and lowercase letters.

Furthermore, passwords should always be stored in encrypted format.

Thus, even if a hacker manages to steal the passwords, encrypted passwords are still not readable.

A very helpful tool to store passwords in an incredibly secure environment is on LastPass.

The website of LastPass also has a dedicated password generator to create strong and unique passwords.

4.   HTTPS

HTTPS is a protocol used to provide encryption security to website.

You can recognize secure websites on a green padlock and the “S” added to “HTTP,” the “S” also stands for security.

HTTPS protocols create a secure communication tunnel for the website visitor and the web server, meaning that all the in- and outgoing traffic is encrypted.

Thus, if the traffic is intercepted by a hacker, the content will be in encrypted format and useless to the hijacker.

If you have a donation page on your campaign website which requires users to input credit card or banking details, it’s essential to have an HTTPS connection to protect both the user, as well as the payment information stored on your server.

5.   Website Security Testing

Once you’ve addressed all the potential security holes in your website, it’s time to run some tests in order to make sure whether the website is ready to launch a campaign.

Xenotix is an advanced XSS vulnerability detection and exploitation tool.

You can use this tool to test whether input fields are secure.

Test whether the site is fully covered by the HTTPS protocol.

Netsparker can be used to scan for security holes, including built-in penetration testing tools.


Bill Hess here  from Pixel Privacy.

Whether it be one of our in-depth guides or our expertly crafted “how-to” articles, we’re here to show you how to stay safe online.

We believe everyone has the power to keep their data secure, no matter what your level of tech expertise is and our site will show you how!