Step 1: Use Secure Web Hosting Providers and Software

From Security for Everyone, edition e1.0.0

Updated October 9, 2023

Once you have a domain and a website, it is time to do a stocktake and see if it is safe enough to use, or if it is time for an upgrade. There are a few different providers involved in hosting a website, even if some are not very obvious to you or others. These include:

  • The domain registrar, which is the service provider who you purchase and manage your domain name through.

  • The DNS hosting provider, which is the service provider where you configure the technical settings related to your domain name (like the TXT records for SPF/DKIM) and the records that point your domain name at your website’s IP address. Your DNS hosting provider and domain registrar may be the same company.

  • The website hosting provider, which is the service provider that gives you a web server (shared or dedicated) on which your website itself runs.

  • The content management system (CMS) provider, which is the service provider (or just the software) used to manage all the content on your website.

  • Any other third-party software or plugins running on your website, or supporting its analytics or content.

If you are moving to a new service provider or setting up with a new one, you might find yourself using a website builder service, such as Squarespace, Wix, or Webflow, or an e-commerce platform, such as Shopify. Such services provide a website and cover both the roles of a hosting provider and a content management system. Paying anywhere from US$15–$40 a month can be a small price to pay for the simplicity of running your website, and these providers often provide the security features you need.

Optionally, you may pay a contractor, often called a managed service provider, to wrangle all these for you.

Some techies may tell you it is cheaper and better to build your website yourself—using tools like Amazon Web Services and WordPress—but this assumes you have the technical expertise, time, and energy to use and secure these correctly. If a website builder service passes the vetting tests we discuss next, it may be the best fit for your needs.

Here is how each service provider fits together, using our safestack.io website as an example:

Figure: Services involved when a user visits a website.

It might be that you have one service provider for all of these services, or you might have a few different providers. When taking inventory, identify all the third-party website service providers you have or work with, and make a note of which providers perform which services, based on the providers and technologies listed above. From there, go through each one and check whether it provides the following key features needed to secure your website:

  • 2FA for the account you use to access your DNS records, website server, and content management system. These are critical technology components, and they need to be protected with two steps of authentication.

  • Website server and daily content backups, which are stored on a different server from your main website, or are managed by your service provider (you just tell them which backups you need and when you need to restore from one).

  • Automatic updates to website server software and third-party software. This is a brownie point because not all service providers can give you this option, as helpful as it might be. You might have to compromise with just a fortnightly or monthly reminder to manually update things yourself instead.

The list of key features might seem quite small, but you would be surprised how many service providers fail just that first feature of 2FA. When drawing the line to filter out service providers who don’t check all these boxes, you might find yourself with quite a short list of options. (Silver lining: that makes decision paralysis much easier to manage!)

Step 2: Use Unique Credentials and 2FA

You are going to see the phrases “unique passwords” and “two-factor authentication” so much in this book that you will start dreaming about security. It is probably no surprise that protecting the accounts used to manage your domain, servers, and website content is important. Attackers often break into insecure websites by simply guessing passwords, re-using leaked or stolen passwords, or brute-forcing their way in. You already know the best defense against this is a unique password for each account, plus a second authentication step in case that password is compromised.

This is a case where having a team password manager can come in handy. You might be getting help from others on the team to manage your website. Most of the time, website management accounts only allow you to have a single user, or in some rare cases they may charge you per user.

True, sharing accounts can be risky. But when it comes to setting up a website, you might not be using those accounts all the time. Sharing a single account is a great way to save cash. The safe way to navigate this is to create a unique password, and store it in a shared folder or vault in your password manager. If you picked a good password manager, you can also use the 2FA that is built into your password manager. So you can keep your account secured, and also get help from others in managing it.
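To make the stocktake in Step 1 and the unique-credentials rule in Step 2 concrete, here is a small inventory checker. It is an added example written for this page, not code from the book or from any provider; the provider names, the role labels, and the sample credentials are all constructed. It treats missing 2FA, backups kept on the same server as the site, and a password shared between two provider accounts as hard failures, and a missing automatic-update option as a warning only, matching the “brownie point” status the text gives it.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional

# Roles a provider account can cover, taken from the list of providers above.
ROLES_WITH_BACKUPS = {"hosting", "cms"}
ROLES_WITH_UPDATES = {"hosting", "cms", "plugin"}
ACCEPTABLE_BACKUPS = {"offsite", "provider-managed"}


@dataclass
class ProviderAccount:
    name: str                       # constructed label for the account
    roles: list[str]                # registrar, dns, hosting, cms, plugin
    has_2fa: bool
    credential: str                 # constructed sample; in practice a password-manager entry
    backups: Optional[str] = None   # "offsite", "provider-managed", "same-server", "none"
    auto_updates: Optional[bool] = None


def vet_account(acct: ProviderAccount) -> list[tuple[str, str]]:
    """Check one account against the key features; returns (severity, message) pairs."""
    findings = []
    # 2FA is required on every account that can change DNS, server or content.
    if not acct.has_2fa:
        findings.append(("fail", f"{acct.name}: no 2FA on account covering {', '.join(acct.roles)}"))
    # Backups only matter where a website server or its content lives.
    if ROLES_WITH_BACKUPS & set(acct.roles) and acct.backups not in ACCEPTABLE_BACKUPS:
        findings.append(("fail", f"{acct.name}: backups are {acct.backups!r}; need offsite or provider-managed"))
    # Automatic updates are a bonus, so their absence is a warning, not a failure.
    if ROLES_WITH_UPDATES & set(acct.roles) and not acct.auto_updates:
        findings.append(("warn", f"{acct.name}: no automatic updates; set a fortnightly manual reminder"))
    return findings


def find_reused_credentials(accounts: list[ProviderAccount]) -> list[list[str]]:
    """Group accounts by a hash of their credential so the plaintext is not kept around."""
    by_digest: dict[str, list[str]] = {}
    for acct in accounts:
        digest = hashlib.sha256(acct.credential.encode("utf-8")).hexdigest()
        by_digest.setdefault(digest, []).append(acct.name)
    return [names for names in by_digest.values() if len(names) > 1]


def stocktake(accounts: list[ProviderAccount]) -> list[tuple[str, str]]:
    """Run every per-account check, then the cross-account password-reuse check."""
    findings = []
    for acct in accounts:
        findings.extend(vet_account(acct))
    for names in find_reused_credentials(accounts):
        findings.append(("fail", "same password shared by: " + ", ".join(names)))
    return findings


def passes(findings: list[tuple[str, str]]) -> bool:
    """An inventory passes vetting when it has no hard failures (warnings are allowed)."""
    return not any(severity == "fail" for severity, _ in findings)


# Constructed sample inventory: a registrar that also hosts DNS, a website builder
# covering hosting and CMS, and an analytics plugin whose login reuses the registrar password.
SAMPLE_ACCOUNTS = [
    ProviderAccount("Registrar (constructed)", ["registrar", "dns"], True, "corr3ct-horse-A1"),
    ProviderAccount("Website builder (constructed)", ["hosting", "cms"], True, "d1fferent-Pass!",
                    backups="provider-managed", auto_updates=True),
    ProviderAccount("Analytics plugin (constructed)", ["plugin"], False, "corr3ct-horse-A1",
                    auto_updates=False),
]

if __name__ == "__main__":
    for severity, message in stocktake(SAMPLE_ACCOUNTS):
        print(f"[{severity.upper()}] {message}")
    print("passes vetting:", passes(stocktake(SAMPLE_ACCOUNTS)))
```

Run it as-is to see the plugin account flagged twice (no 2FA, and a password shared with the registrar) plus one warning. A real audit would take the reuse report straight from the password manager’s own duplicate-password check rather than from an exported list, but the decision rule is the same: any shared password or missing 2FA disqualifies the setup until fixed.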
