Don’t Forget These 10 Security Tips When Launching a New Website

It’s easy to make mistakes during the excitement of opening a new website. Firing up a small store, portfolio, or blog is a lot of fun — but dealing with security breaches and hacks is a lot less so. When you’re setting up a new website, it’s important to make sure it’s secure.
Fortunately, most of the things you should do are very easy. Some will take a bit of time, but it’s a worthy investment. Don’t leave your site unprotected! Here are 10 things you can do to keep it safe.

1. Choose a Secure Domain Registrar

When registering your domain, you want to make sure that no one is going to get control over it. If a miscreant is able to log into your domain registrar, they could transfer it to themselves or wreak further havoc.
There are a few options for domain registrars that use two-factor authentication (2FA). This adds a further level of security and makes it much harder for someone else to access. Even if someone manages to get your password, they probably won’t have access to your phone.
Here are some registrars that offer 2FA:

2. Hide Your Information From WHOIS

Every website has a WHOIS entry, and if you don’t take steps to make sure your information there is protected, your name and email address will be easy for spam companies to find. Both your name and email address are necessary for identity theft, so keeping them private could help protect you on that front, too.
Most web hosts offer anonymous WHOIS registration for a small fee, but there are a few that provide it freely. Both Dreamhost and 1and1 let you open up a site with anonymous WHOIS information at no cost.
Whether you decide to pay for it or not, do what you can to keep your name and email (or even just your email address) off of your WHOIS record. It’ll save you the time of dealing with a lot of spam and make it just a bit harder for someone to get a hold of your information.

3. Change Your Passwords

Hopefully this goes without saying, but change your passwords immediately. If your domain, host, CMS, or anything else comes with a standard administrator password, change it. You should even change your username from “admin” to something else if that’s the default.
It’s not a bad idea to change your passwords regularly, too. Use a password manager to keep track of them, and make sure they’re secure.

4. Update Your Website Software

Once you’ve secured your registration, it’s time to secure the site itself. And the first step in that — much like the first step in securing anything else — is to keep everything updated.
As companies discover holes in their security, they release patches and updates. If you’re not updating your software, you’re going to stay vulnerable. Most hosts make this very easy, and will often remind you to update when there’s a new version available. Even so, it’s a good idea to check your version information regularly.

5. Use Security Plugins

If you’re using a content management system (CMS), there are security plugins available for it. The big ones like WordPress, Drupal, Joomla, and Magento all have a ton of them. All you need to do is choose the ones that best fit your situation, then download, install, and activate.
Each CMS and security extension will give you different advice on exactly what you should use. It’s also a good idea to consult third-party reviews on security plugins. But if the plugin is made by a reputable vendor, it’ll help keep your site safe. Use higher-security settings to eliminate even more vulnerabilities, and keep your extensions up-to-date as well.

6. Enable HTTPS

It’s not just your own security that you should think about. Both your visitors and Google will appreciate that you encrypt all of the traffic on your site, especially if your visitors will be sharing any sensitive information.
Some hosting services automatically activate HTTPS for you, and others let you do it with a click or two. If you’re self-hosting or simply renting server space, you might have to do it the hard way. That involves buying an SSL certificate, activating it, and configuring your site to use HTTPS.
It’s not especially complicated, but the process might differ on your hosting service, so check with them to find the best way to do it.

7. Check Permissions

Various users of your website will have different permission levels. As the administrator, you’ll have permission to change anything you want — other people should be more restricted. CMSes often let you change the permissions for visitors, signed-in visitors, editors, contributors, and many other groups of users.
Think about how much access each group should have. Do your editors need to create new users? Should your readers be able to edit pages? Give everyone the fewest permissions possible for them to do their job.
If you want to get really technical, you can use an FTP client to look at all of the files on your site and check out their permissions in symbolic or numeric notation. You can then use the command terminal to change permissions. (If you have no idea what I’m talking about, be careful with this!)

8. Hide Your Admin Pages

The pages that you use to log into and manage your website shouldn’t be visible to search engines. This might not seem like much of a security measure, but it makes it harder for people with malign intentions to find those pages. And because it’s usually very easy to do, it’s worth taking a few minutes.
Some CMSes and security plugins will let you hide these pages from search engines. If yours doesn’t provide this functionality, you can do it manually by editing your robots.txt file, which should be accessible from your CMS settings or cPanel administrator section. Add the following to the file:
User-agent: *
Disallow: [the relative URL of the page]
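In WordPress, you’d use “/wp-admin/” as the URL. Other CMSes will have different URLs. You can also disallow any other pages that users don’t need to see. Not only is this good for security, but it can help your SEO, too! Keep in mind that robots.txt is itself a public file and only asks well-behaved crawlers to stay away, so your admin pages still need a strong password behind them.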

9. Protect Against Cross-Site Scripting

Cross-site scripting (XSS) is a hacking tactic that involves running code on your website through roundabout methods. It could happen in a contact form, for example. By including a script in the contact form, a hacker could get your website to serve that code to whoever views the submission, where it runs in their browser as though it came from your site, giving the hacker access or wreaking havoc.
Protecting against this type of attack is actually rather complicated. If you want to learn about the methods you can use, check out this awesome anti-XSS cheat sheet from OWASP. If you’re less technically inclined, there are plenty of anti-XSS plugins available. Some standard security plugins may cover this vulnerability, but don’t assume that’s the case. Make sure you’re protected.
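The contact-form case described above, as an added example that is not part of the original post: the same submission rendered once without protection and once with output escaping, using Python's standard `html.escape`. The function names, the page fragment and the sample submission are all constructed for this example.

```python
import html

def render_unsafe(name, message):
    """Vulnerable: whatever the visitor typed becomes part of the page's HTML."""
    return f'<div class="msg" title="{name}">{message}</div>'

def render_safe(name, message):
    """Hardened: &, <, > and both quote characters are turned into entities,
    so the browser displays the text instead of interpreting it."""
    safe_name = html.escape(name, quote=True)
    safe_message = html.escape(message, quote=True)
    return f'<div class="msg" title="{safe_name}">{safe_message}</div>'

# Constructed contact-form submission (not real data)
SAMPLE_NAME = 'Pat "The Cat" O\'Neil'
SAMPLE_MESSAGE = "Love the shop! <script>alert(1)</script>"

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_NAME, SAMPLE_MESSAGE))
    print(render_safe(SAMPLE_NAME, SAMPLE_MESSAGE))
```

Escaping also keeps harmless input intact: the quotation marks and apostrophe in the sample name no longer break the `title` attribute, and the visitor still sees them exactly as typed.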

10. Prevent Information Leakage

While XSS, SQL injection, password cracking, and other methods of hacking might seem the most dangerous, it’s often the simplest things that cause problems. Information leakage is one of those things.
When you accidentally give away information that you didn’t intend to (or aren’t aware of), that’s information leakage. It’s easy for developers to accidentally leave HTML comments in your website code, for example, that contain sensitive information.
If you’re working with a standard CMS implementation, this won’t be much of a problem. But if you’ve had someone design a custom theme for you, or done extensive development work on the website, you should check for information leakage. One of the best ways is to simply use the View Source option in your browser and quickly scan for HTML comments that weren’t deleted.
Larger websites consisting of hundreds or thousands of pages might require a dedicated security specialist (or at least an intern) to go through this process. Either way, it’s an easy thing to check for, so don’t skip it.
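For sites too large to check by hand with View Source, the same scan can be scripted. This is an added example, not part of the original post: it pulls every HTML comment out of a page's source with Python's built-in `html.parser` and flags the ones that look sensitive. The three patterns and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed definitions of "sensitive"; tune these to your own site.
PATTERNS = {
    "credential": re.compile(r"(password|passwd|pwd|api[_-]?key|secret)\s*[=:]", re.I),
    "private address": re.compile(r"\b(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)\d"),
    "developer note": re.compile(r"\b(TODO|FIXME|DEBUG)\b"),
}

class CommentCollector(HTMLParser):
    """Records every HTML comment with its line number and any flags raised."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _ = self.getpos()  # line on which the comment starts
        flags = [name for name, rx in PATTERNS.items() if rx.search(data)]
        self.comments.append((line, data.strip(), flags))

def find_comments(page_source):
    """Return (line, comment text, flags) for each comment in the page source."""
    parser = CommentCollector()
    parser.feed(page_source)
    parser.close()
    return parser.comments

# Constructed sample page (not taken from a real site)
SAMPLE_PAGE = """<html>
<head><title>Shop</title><!-- theme v2 --></head>
<body>
<!-- TODO: remove test login admin / password=changeme -->
<h1>Welcome</h1>
<!-- db host: 10.0.0.12 -->
</body>
</html>
"""

if __name__ == "__main__":
    for line, text, flags in find_comments(SAMPLE_PAGE):
        label = ", ".join(flags) or "review manually"
        print(f"line {line}: [{label}] {text}")
```

Comments with no flag are still listed, because a leftover note can leak information that no pattern anticipates.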

Secure Your Site Now!

When you make a new website, there are a lot of things you have to do. And it’s easy to forget about these basic security measures. But they could save you a lot of trouble (and potentially a great deal of money) in the long run. So don’t skip out on them! Make sure your site is secure before you start working on your content.
What other tips do you have for securing new websites? Share your thoughts in the comments below!
