It’s easy to make mistakes during the excitement of opening a new website. Firing up a small store, portfolio, or blog is a lot of fun — but dealing with security breaches and hacks is a lot less so. When you’re setting up a new website, it’s important to make sure it’s secure.
Fortunately, most of the things you should do are very easy. Some will take a bit of time, but it’s a worthwhile investment. Don’t leave your site unprotected! Here are 10 things you can do to keep it safe.
1. Choose a Secure Domain Registrar
When registering your domain, you want to make sure that no one is going to get control over it. If a miscreant is able to log into your domain registrar, they could transfer it to themselves or wreak further havoc.
Several domain registrars support two-factor authentication (2FA). This adds a second layer of security and makes it much harder for someone else to get into your account: even if they manage to get your password, they probably won’t have access to your phone.
Here are some registrars that offer 2FA:
2. Hide Your Information From WHOIS
Every registered domain has a WHOIS entry, and if you don’t take steps to protect your information there, your name and email address will be easy for spammers to find. Your name and email address are also building blocks for identity theft, so keeping them private helps protect you on that front, too.
Most web hosts offer anonymous WHOIS registration for a small fee, but there are a few that provide it freely. Both Dreamhost and 1and1 let you open up a site with anonymous WHOIS information at no cost.
Whether you decide to pay for it or not, do what you can to keep your name and email (or even just your email address) off of your WHOIS record. It’ll save you the time of dealing with a lot of spam and make it just a bit harder for someone to get a hold of your information.
3. Change Your Passwords
Hopefully this goes without saying, but change your passwords immediately. If your domain, host, CMS, or anything else comes with a standard administrator password, change it. You should even change your username from “admin” to something else if that’s the default.
It’s not a bad idea to change your passwords regularly, too. Use a password manager to keep track of them, and make sure they’re secure.
4. Update Your Website Software
Once you’ve secured your registration, it’s time to secure the site itself. And the first step in that — much like the first step in securing anything else — is to keep everything updated.
As vendors discover security holes in their software, they release patches and updates. If you’re not updating your software, you’re going to stay vulnerable. Most hosts make this very easy, and will often remind you to update when there’s a new version available. Even so, it’s a good idea to check your version information regularly.
5. Use Security Plugins
If you’re using a content management system (CMS), there are security plugins available for it. The big ones like WordPress, Drupal, Joomla, and Magento all have a ton of them. All you need to do is choose the ones that best fit your situation, then download, install, and activate.
Each CMS and security extension will give you different advice on exactly what you should use. It’s also a good idea to consult third-party reviews on security plugins. But if the plugin is made by a reputable vendor, it’ll help keep your site safe. Use higher-security settings to eliminate even more vulnerabilities, and keep your extensions up-to-date as well.
6. Enable HTTPS
It’s not just your own security you should think about. Both your visitors and Google will appreciate it if you encrypt all of the traffic on your site, especially if your visitors will be sharing any sensitive information.
Some hosting services automatically activate HTTPS for you, and others let you do it with a click or two. If you’re self-hosting or simply renting server space, you might have to do it the hard way. That involves buying an SSL certificate, activating it, and configuring your site to use HTTPS.
It’s not especially complicated, but the process might differ on your hosting service, so check with them to find the best way to do it.
7. Check Permissions
Various users of your website will have different permission levels. As the administrator, you’ll have permission to change anything you want — other people should be more restricted. CMSes often let you change the permissions for visitors, signed-in visitors, editors, contributors, and many other groups of users.
Think about how much access each group should have. Do your editors need to create new users? Should your readers be able to edit pages? Give everyone the fewest permissions possible for them to do their job.
If you want to get really technical, you can use an FTP client to look at all of the files on your site and check their permissions in symbolic or numeric notation, then use a terminal to change any that are too loose. (If you have no idea what I’m talking about, be careful with this!)
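Here is one way to run that permissions check as a script rather than by eye. This is an added example, not from the article: it walks a document root, flags anything world-writable or off the common 644 (file) / 755 (directory) baseline, and reports each hit in symbolic and numeric notation; the sample tree it builds is constructed for the demo.

```python
"""Permission audit for a site's document root (added example, not from the
article): flag world-writable entries and anything off the common 644/755
baseline, reporting each in symbolic and numeric notation."""
import os
import stat
import tempfile

FILE_BASELINE = 0o644  # rw-r--r--
DIR_BASELINE = 0o755   # rwxr-xr-x


def _entries(root):
    # Yield (path, is_dir) for every directory and regular file under root.
    for dirpath, _dirs, files in os.walk(root):
        yield dirpath, True
        for name in files:
            yield os.path.join(dirpath, name), False


def audit_permissions(root):
    """Return (path, symbolic, numeric, reason) for every risky entry."""
    findings = []
    for path, is_dir in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode is meaningless; check its target instead
        mode = stat.S_IMODE(st.st_mode)
        baseline = DIR_BASELINE if is_dir else FILE_BASELINE
        if mode & stat.S_IWOTH:          # anyone on the host can modify it
            reason = "world-writable"
        elif mode != baseline:
            reason = "differs from %o baseline" % baseline
        else:
            continue
        findings.append((path, stat.filemode(st.st_mode), "%o" % mode, reason))
    return findings


def build_demo_tree():
    """Constructed sample tree: a 777 uploads dir and a 666 config file."""
    root = tempfile.mkdtemp(prefix="site-")
    os.chmod(root, DIR_BASELINE)
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    for name, mode in (("index.php", 0o644), ("config.php", 0o666)):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(os.path.join(root, name), mode)
    return root
```

Anything the audit reports can then be tightened with chmod (644 for files, 755 for directories) from the terminal, as the article describes.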
8. Hide Your Admin Pages
The pages that you use to log into and manage your website shouldn’t be visible to search engines. This might not seem like much of a security measure, but it makes it harder for people with malign intentions to find those pages. And because it’s usually very easy to do, it’s worth taking a few minutes.
Some CMSes and security plugins will let you hide these pages from search engines. If yours doesn’t provide this functionality, you can do it manually by editing your robots.txt file, which should be accessible from your CMS settings or cPanel administrator section. Add the following to the file:
User-agent: *
Disallow: [the relative URL of the page]
In WordPress, you’d use “/wp-admin/” as the URL. Other CMSes will have different URLs. You can also disallow any other pages that users don’t need to see. Not only is this good for security, but it can help your SEO, too! Keep in mind that robots.txt is itself public and only asks well-behaved crawlers to stay away; it doesn’t stop anyone from visiting the page, so it supplements strong passwords rather than replacing them.
9. Protect Against Cross-Site Scripting
Cross-site scripting (XSS) is an attack that smuggles script into your pages through indirect routes. It could happen in a contact form, for example: if the form’s contents are shown on a page without being cleaned up first, a hacker can include a script in their submission and your site will serve it to visitors, whose browsers run it as if it were part of your site. That can give the attacker access or let them wreak havoc.
Protecting against this type of attack is actually rather complicated. If you want to learn about the methods you can use, check out this awesome anti-XSS cheat sheet from OWASP. If you’re less technically inclined, there are plenty of anti-XSS plugins available. Some standard security plugins may cover this vulnerability, but don’t assume that’s the case. Make sure you’re protected.
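To make the contact-form case concrete, here is an added example in Python (not from the article or the OWASP cheat sheet): the same snippet rendered the unsafe way and the escaped way, with a constructed hostile submission standing in for the attacker’s input. The field names and the link-scheme check are assumptions about a typical form.

```python
"""Vulnerable vs hardened rendering of a contact-form submission (added
example, not from the article). The browser cannot tell attacker-supplied
text from your own markup, so output must be escaped for the context it
lands in: HTML body, quoted attribute, or URL."""
import html
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = ("http", "https", "mailto")
TEMPLATE = '<p class="from"><a href="%s" title="%s">%s</a></p>\n<p>%s</p>'


def render_unsafe(name, website, message):
    """'Before': submitted fields dropped straight into the page."""
    return TEMPLATE % (website, name, name, message)


def escape_attr(value):
    """Escape for a double-quoted attribute value (& < > \" and ' become entities)."""
    return html.escape(value, quote=True)


def safe_href(url):
    """Allow only http(s)/mailto links; anything else (javascript:, data:, ...) becomes '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return escape_attr(url) if scheme in SAFE_SCHEMES else "#"


def render_safe(name, website, message):
    """'After': each field escaped for the context it lands in."""
    return TEMPLATE % (safe_href(website), escape_attr(name),
                       html.escape(name), html.escape(message))


def contains_active_content(rendered):
    """Test helper: does the output still carry a live <script tag or javascript: URL?"""
    return bool(re.search(r"<script|javascript:", rendered, re.IGNORECASE))


# Constructed hostile submission (harmless alert payloads stand in for real ones).
SAMPLE_SUBMISSION = {
    "name": 'Bob" onmouseover="alert(1)',
    "website": "javascript:alert(1)",
    "message": "Hi!<script>alert('xss')</script>",
}
```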
10. Prevent Information Leakage
While XSS, SQL injection, password cracking, and other methods of hacking might seem the most dangerous, it’s often the simplest things that cause problems. Information leakage is one of those things.
When you give away information you didn’t intend to (or don’t realize you’re giving away), that’s information leakage. It’s easy for developers to accidentally leave HTML comments containing sensitive information in your website code, for example.
If you’re working with a standard CMS implementation, this won’t be much of a problem. But if you’ve had someone design a custom theme for you, or done extensive development work on the website, you should check for information leakage. One of the best ways is to simply use the View Source option in your browser and quickly scan for HTML comments that weren’t deleted.
Larger websites consisting of hundreds or thousands of pages might require a dedicated security specialist (or at least an intern) to go through this process. Either way, it’s an easy thing to check for, so don’t skip it.
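The View Source check above can be automated for a large site. This is an added example, not from the article: a small Python scanner that pulls every HTML comment out of a page with its line number and flags the ones containing sensitive-looking keywords; the sample page and the keyword list are constructed.

```python
"""Find leftover HTML comments in page source (added example, not from the
article). The parser sees what a visitor's View Source shows, reports each
comment with its line number, and flags sensitive-looking ones."""
import re
from html.parser import HTMLParser

# Constructed keyword list: hits that usually mean a comment should not have shipped.
SENSITIVE = re.compile(
    r"password|passwd|secret|api[_ -]?key|token|todo|fixme|internal|"
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|/home/|/var/www/",
    re.IGNORECASE,
)


class CommentCollector(HTMLParser):
    """Collect (line, text) for every <!-- ... --> in the document."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _col = self.getpos()  # position of the comment's opening <!--
        self.comments.append((line, data.strip()))


def find_comments(source):
    parser = CommentCollector()
    parser.feed(source)
    parser.close()
    return parser.comments


def find_leaks(source):
    """Return only the comments whose text matches a sensitive keyword."""
    return [(line, text) for line, text in find_comments(source)
            if SENSITIVE.search(text)]


# Constructed sample page: one harmless comment and two that leak.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Shop</title>
<!-- theme v2 by design studio -->
</head><body>
<!-- TODO: remove before launch; staging db at 10.0.0.12, user shop / password changeme -->
<div id="main">Welcome</div>
<!-- api_key=CONSTRUCTED_PLACEHOLDER for the payment widget -->
</body></html>
"""
```

Point `find_leaks` at the saved source of each page (or a crawl of the whole site) and review every hit by hand; the keyword list will miss some leaks and flag some harmless notes, so treat it as a first pass, not a verdict.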
Secure Your Site Now!
When you make a new website, there are a lot of things you have to do. And it’s easy to forget about these basic security measures. But they could save you a lot of trouble (and potentially a great deal of money) in the long run. So don’t skip out on them! Make sure your site is secure before you start working on your content.
What other tips do you have for securing new websites? Share your thoughts in the comments below!