Skip To Main Content
The Real Cost of an Open-Source Website Hack
Connor Gleason

Finding a web provider through a lower-cost open-source CMS like WordPress or Drupal is tempting at first, but these options pose an extra layer of security risks for schools.

Consider the total cost if a cyberattack occurs: ransoms, recovery fees, learning loss, and perhaps the most crippling — damage to your school’s brand. Losing the trust of your families and community isn’t worth the price.

Cyberattacks on schools

Amid staffing and enrollment concerns, cyber threats are among the biggest challenges facing school leaders, and the threats aren’t going away anytime soon. Ransomware attacks — when your data or computer is locked and held until the user pays the hacker a ransom, are still one of the most common occurrences. 

Given the amount of personal and financial data schools have from employees, families, and donors, it’s not a big surprise that schools and districts remain among the most popular and vulnerable targets for ransomware, malware, and cyberattacks. 

At least 44 universities or colleges and 45 school districts were hit by ransomware attacks in 2022, marking a slight increase from the previous year, according to a year-end report by Emsisoft. A minor increase might suggest progress, but the 2022 number represents 1,981 schools, which is nearly double the amount of K-12 schools potentially compromised in 2021.

In reality, that number is likely greater — much of what we know about cyberattacks depends on both the cybercriminal and the victim coming forward to either take credit or publicly disclose details about an incident. That’s not always the case when there are ongoing investigations. One of the most recent public incidents occurred when the Los Angeles Unified School District’s systems were compromised and hit for roughly 500 gigabytes of data.

The risks of open source for a school website are too great. Drupal recently announced updates that addressed four vulnerabilities, which could result in unauthorized access to data. To add to the drama, a new malware has been spotted surfing the web for vulnerable, self-hosted WordPress sites in an attempt to decode the login information and encryption keys to gain unauthorized access and take control of the website.

While low-cost open-source software solutions like Drupal and WordPress for school websites are tempting, their lack of security leaves too much room for cyber attacks...the real cost of a website hack can be astronomical.


In 2021 alone, ransomware attacks cost U.S. schools and colleges an estimated $3.56 billion. Administrators also faced additional recovery costs and legal fees that were added to the price to restore devices, recover data, and upgrade their systems against more attacks, according to a report from Comparitech.

That report also included numbers such as:

  • The range of ransoms demanded was $100,000 — $40 million.
  • In one attack, the ransom hackers were paid $547,000.

Another report placed the average ransomware payment to hackers as $239,733, and sometimes, the recovery costs can exceed the ransom demanded. After refusing to pay a ransom, Buffalo Public Schools in New York spent an estimated $10 million on recovery costs and security upgrades after a cyber threat.

buffalo news tweet mockup

Schools and districts are often left feeling like they have no other options. Still, authorities actually discourage paying ransoms because there’s no guarantee that the data being held will ultimately be recovered.

Keep Reading: Here's Why Schools Are Perfect Targets for Hackers


What’s more valuable to us than time? After the LA incident, the district initiated a complete reset of more than 600,000 passwords after it discovered the ransomware group changed many passwords during the attack. 

Initiatives like that require a precious time commitment from the IT department, administrators, department heads, and families, who have little patience these days. Software updates, whether they’re done remotely or manually, one by one, would take a significant amount of time (and patience) to ensure data integrity.

Learning loss

Losing time and money is one thing, but there’s a new level of disruption when a hack brings your school’s daily operations to a halt or, worst of all — impacts students’ learning. That can prevent students from attending school or engaging in their education effectively, which can ultimately keep kids out of school.

Suppose a school's systems are hacked, and it causes disruption to the school's operations. In that case, it can prevent kids from accessing important resources like online learning platforms, constituent portals, schedules, and calendars, and even make it difficult for students to continue their education remotely — which can lead to students falling behind in their studies.

In the Comparitech report, the resulting learning loss was substantial, with numbers like

  • Cyberattacks caused an average downtime of four days.
  • The average time it takes to recover from an attack was one month.

Des Moines Public Schools— a district of 30,000 students, canceled classes for two days after noticing a cybersecurity incident on its network.

The largest district in Iowa said it turned off all of its network systems “out of an abundance of caution” to resolve the incident, which meant it cut off access to systems tied to transportation, building operations, health and safety, finance, and communications.


Any hack can create a perception that the school is not competent, secure, reliable, or trustworthy, and this can lead to a significant loss of trust in the school's brand — something that’s so difficult to re-establish.

The perception that the school is not adequately protecting its students' personal information is nothing new, considering there’s admittedly a lack of cybersecurity training and resources in the education sector.

If a school's computer systems are hacked, and sensitive student or family information is stolen or compromised, parents and community members may lose trust in the school's ability to keep their children's personal information safe. Word can spread quickly, and the risk can lead to a loss of trust in the school's brand, a decrease in enrollment, or losing support from parents and community members.

The financial loss or disruption to the school's operations damages the reputation of the school. That may cause parents and community members to lose faith in the school's ability to manage its resources effectively or deliver quality education.

How can schools and districts prevent a hacked website?

No school or district is completely immune to cybersecurity risks. However, in a proactive measure, schools can partner with a secure web provider and invest in upgrading networks, helping your team establish better security protocols, and continuing to educate their communities about best practices in IT safety by avoiding malware, phishing attacks, and engaging with spam.

Investing in a web solution that makes security and support a priority can save an invaluable amount of time and resources in the long run, including support for your school’s brand.

Key takeaway

A low-cost open-source solution may seem too good to be true but consider the real cost. These platforms leave too much opportunity for bad players to take advantage of their weaknesses and pose a real, costly threat to a school’s financial security, the time of its staff and students, and, ultimately, the reputation of the school.

Composer Navattic Demo

Connor Gleason Headshot


Connor has spent the last decade within the field of marketing and communications, working with independent schools and colleges throughout New England. As Finalsite’s Senior Content Marketing Manager, Connor plans and executes marketing strategies and digital content across the web. A former photojournalist, he has a passion for digital media, storytelling, coffee, and creating content that connects.

Explore More Recent Blogs

Subscribe to the Finalsite Blog

Love what you're reading? Join the 10k school marketers who get the newest best practices delivered to their inbox each week.

Request a FREE
website report card

Want feedback on your school or district's site? Get a free website report card, generated by an in-house website expert, sent right to your inbox.