Insights

Campaign website security: the risks nobody budgets for

When people hear “campaign security,” they picture nation-state hackers and presidential races. That picture is comforting for local campaigns, and wrong.

The threats that actually hit school board, city council, and legislative campaigns are smaller, dumber, and far more common: an automated bot that defaces an unpatched site, a domain that expires mid-campaign, a lookalike donation page harvesting your supporters’ credit cards. None of them require a sophisticated attacker. All of them require your name in a headline to matter.

That’s the asymmetry worth understanding. A hardened campaign site is invisible; nobody praises it. A compromised one is a news story about whether you can be trusted to run anything.

What actually goes wrong

Defacement by bots, not enemies. Most compromised campaign sites weren’t targeted at all. They ran outdated software with a known hole, and an automated scanner found them the same way it found ten thousand other sites that night. The attacker didn’t care about your race. Your local paper will.

Domain problems. Expired registrations, accounts controlled by a volunteer who left in March, lookalike domains registered by pranksters or opponents. Your domain is the one asset everything else depends on, and campaigns routinely leave it on a personal credit card with no renewal alert.

Phishing that wears your name. A copied version of your donation page on a similar domain, catching supporters who typo the address or click a bad link. Your donors lose money, and they associate the loss with you.

The quiet stuff. Trackers and plugins nobody can explain, added in a hurry and forgotten. Every one is a door, and donor trust walks out through open doors.

The defenses are boring, and that’s the good news

None of this requires a security team. It requires basics, done properly, before there’s a reason:

  • HTTPS everywhere, with no excuses page by page. Browsers literally label the alternative “not secure” next to your name.
  • Security headers configured: the settings that stop your site being framed, injected into, or impersonated. Invisible to voters, decisive against bots.
  • Software kept current, or better, a site built with almost nothing to patch. Static sites, the way we build them, have no admin login to brute-force and no plugin queue waiting for a missed update.
  • Domain hygiene: registration in the campaign’s name, auto-renew on, two-factor on the registrar account, and the obvious variants of your name pointed at the real site before someone else points them elsewhere.
  • A short list of who can touch what, so the answer to “who has the password?” is never “we’re not sure.”

Read that list again and notice what’s absent: nothing on it is expensive. Every item is a decision made once, early, by someone who knows to make it.

Security is a message, whether you send it or not

Here’s the reframe we offer every campaign: your website handles the two most sensitive things supporters give you, their money and their trust. How you protect both is not an IT detail. It’s a preview of how you’d handle the office.

Voters never see your security headers. But they see the absence of the bad week, the campaign that never had the embarrassing story, the donation page that always just worked. That quiet reliability is a message, and it compounds for the whole race.

Every site we ship is hardened this way by default, because it should never be a line item a campaign has to remember to ask for. Security is also step one on our pre-launch checklist. If you’re not sure where your current site stands, that’s worth thirty minutes before it’s worth a headline.

← All insightsView as Markdown

Ready to run a sharper campaign?

Tell us about your race. We’ll show you exactly what your digital presence should look like, and how fast we can build it.