WordPress is a popular choice for charities and civil society organisations around the world. However, websites powered by WordPress are far from immune to attack. Most websites are hacked simply because they can be. However, human rights defenders, independent media and advocacy groups also face the threat of targeted attacks by government, corporate or criminal interests. What can be done to better protect these websites?