Most church websites have at least 3 fixable security issues. We find them, document them, and tell you exactly how to fix each one — in plain English, no tech degree required.
WordPress sites often expose every admin account name through a public API. Attackers use this to target your login page with automated password attacks.
Found on 78% of WP church sites
Unpatched plugins are the #1 way church websites get hacked. A single outdated contact form or event calendar plugin can open the door to a full site takeover.
Found on 71% of church sites
Security headers tell visitors' browsers how to behave safely. Without them, your site is more vulnerable to cross-site scripting and clickjacking attacks.
Found on 91% of church sites
If any admin account uses a weak or reused password with no 2FA, a single data breach on any other site can unlock your WordPress dashboard.
Found on 83% of church sites
Staff emails written directly in your HTML are harvested by spam bots within hours of posting. This leads to phishing attempts against your church staff.
Found on 64% of church sites
Every external script loaded on your site has full access to everything visitors type — including giving forms. We identify which scripts are high-risk.
Found on 69% of church sites
We check all 8 critical browser security headers and tell you exactly which ones are missing and how to add them.
We identify outdated or vulnerable plugins/themes and cross-reference against known CVE databases.
We test whether staff usernames are publicly accessible and assess your login page protections.
We verify your HTTPS setup is correctly configured and enforced across all pages — including giving forms.
We catalog every external script and iframe loaded on your site and flag any that introduce risk.
Color-coded findings (Critical / High / Medium), prioritized action list, and plain-English fix instructions for each issue.
We walk your team through the report findings and answer any questions — no tech background needed.
After you've applied fixes, we re-scan the key findings and confirm they're resolved. Included at no extra cost.
Book a call or fill out our form. Provide your website URL and a contact email. That's all we need.
Our team performs a thorough passive security review — headers, APIs, scripts, plugins, and more.
Within 48 hours you receive a professional PDF report with every finding explained in plain language.
A 15-minute call to explain priorities, answer questions, and confirm your team knows what to do next.
colonialkc.org · Passive Security Assessment · April 2026
2 critical, 5 high, and 5 medium severity issues identified. Several are quick fixes.
Already a ChurchAutomate subscriber? Security audit is included free with Pro and Elite plans.
No. Our audit is fully passive — we only examine what any visitor (or attacker) can see publicly. We never ask for passwords or admin access.
We audit any publicly accessible website — WordPress, Squarespace, Wix, custom-built, or anything else. If it has a URL, we can audit it.
You'll receive your report within 48 hours of submitting your site URL. Most reports are delivered same-day for sites submitted before noon.
The Starter and Full Audit include a fix guide and walkthrough call. If your team needs hands-on help, we offer implementation support as an add-on ($75/hr).
No — a penetration test involves active exploitation and requires signed legal agreements. Our audit is a passive security review using only publicly available information.
We complement your IT volunteer or staff. Our report gives them a clear prioritized list to work from — saving them research time and ensuring nothing critical is missed.
A security audit is one of the most responsible things a church can do in 2026. Book yours today — your report arrives in 48 hours.