How did we get locked out of our own website?!?

That’s a question no executive director wants to be asking – ever. At most nonprofits, the website is in daily use performing mission-critical tasks: accepting donations, membership applications, event registrations and more.

Yet leaders of organizations are less cautious about getting locked out of their website than getting locked out of their home. The key to their home is not only on their personal keychain, a copy is typically hidden outside the home and/or given to a trusted family member, friend or neighbor “just in case.”

Two all-too-common practices result in nonprofit and for-profit organizations getting locked out of their websites. Cautionary tales from the current month illustrate the hazards:

• The wrong person has the key. In a nonprofit membership organization that shall remain nameless, the website manager was a dedicated volunteer and the only person with the admin username and password. Then his troubled adult son was caught stealing from fellow members. When the nonprofit reported the crime to police, the volunteer became angry and took the website hostage, cutting off all access.
• Only one person has the key. Perhaps you saw this headline: Crypto exchange founder dies, taking the password (and $190M) with him. According to his widow, the dearly departed CEO of QuadrigaCX had “sole responsibility for handling the funds and coins” the company owes investors and never shared the admin username and password with anyone. The company has filed for bankruptcy.

Here’s what to do to keep this from happening to your organization:

• Entrust the key to the top two people – typically the executive director and either the chief financial officer or board chair. They should have the admin usernames, passwords, and other access information needed to protect your organization’s ownership and control of its website. These keys should be passed down to successors with the same care as access to the bank account.
• Add user management functionality to your website. Any company that develops websites can do this for you. User management enables the key-keepers to add and remove users and control each one’s permission level. So a website manager can be granted enough permission to log in and do the job, but can’t ever lock out the person(s) who have the admin username and password.

We’re made a handy Keys to Your Website checklist for you to fill out and keep somewhere safe.