firm_website
Differences
This shows you the differences between two versions of the page.
firm_website [2019/08/09 18:26] – neil | firm_website [2021/07/06 09:26] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 2: | Line 2: | ||
====Key points: ==== | ====Key points: ==== | ||
- | * [[#Secure your DNS: it's critical|Secure your DNS: it's critical]]Â | + | * [[firm_website#Secure your DNS: it's critical|Secure your DNS: it's critical]]Â |
- | * [[# | + | * [[firm_website#Host your server |
- | * [[#Keep your software up to date|Keep your software up to date]]Â | + | * [[firm_website#Keep your software up to date|Keep your software up to date]]Â |
- | * [[#Encrypt traffic between your visitors and your website|Encrypt traffic between your visitors and your website]]Â | + | * [[firm_website#Encrypt traffic between your visitors and your website|Encrypt traffic between your visitors and your website]]Â |
- | * [[#Take backups|Take backups]]Â | + | * [[firm_website# |
- | * [[#Be careful with contact forms and text entry fields|Be careful with contact forms and text entry fields]]Â | + | * [[firm_website#Take regular |
- | * [[#Control who can post content to your website|Control who can post content to your website]]Â | + | * [[firm_website#Be careful with contact forms and text entry fields|Be careful with contact forms and text entry fields]]Â |
- | * [[#Your firm's website and Tor|Your firm's website and Tor]] | + | * [[firm_website#Control who can post content to your website|Control who can post content to your website]]Â |
+ | * [[firm_website#Your firm's website and Tor|Your firm's website and Tor]]Â | ||
+ | * [[firm_website# | ||
====Secure your domain name: it's critical ==== | ====Secure your domain name: it's critical ==== | ||
+ | |||
+ | ===The domain name system === | ||
If you have your own website, there' | If you have your own website, there' | ||
- | The domain | + | The domain is the bit which your visitors remember (probably something linked to the name of your firm) but the Internet works on numbers. |
- | The Domain Name System — the " | + | The Domain Name System — the " |
- | If someone gains control over the DNS for your domain | + | The DNS is the equivalent of a phone book (for those of you old enough to remember phone books): someone puts in a name, and it gives back the right number. This all happens behind the scenes, very quickly. |
+ | Â | ||
+ | ===Whoever controls the DNS for your domain controls where your domain' | ||
+ | Â | ||
+ | If someone gains control over the DNS for your domain, they can control what number gets given back to a would-be visitor. | ||
+ | Â | ||
+ | Importantly, | ||
Losing control over your website is damaging, but losing control over your DNS is far worse. | Losing control over your website is damaging, but losing control over your DNS is far worse. | ||
+ | |||
+ | === Securing your domain' | ||
Make sure you have admin control over your DNS settings, and do what you can to avoid being locked out of them: | Make sure you have admin control over your DNS settings, and do what you can to avoid being locked out of them: | ||
* Use a [[passwords|strong password]]. | * Use a [[passwords|strong password]]. | ||
* If your provider supports it, enable [[two-factor_authentication|two-factor authentication]]. | * If your provider supports it, enable [[two-factor_authentication|two-factor authentication]]. | ||
- | * If you can set a recovery email address in case you get locked out of your account, make sure it is set to a different email account which only you can access. | + | * If you can set a recovery email address in case you get locked out of your account, |
===Change your password if you have to give access to a third party === | ===Change your password if you have to give access to a third party === | ||
- | If you have to give a third party (such as an IT service provider) access (for example, to change a setting), see if you can limit the access you give them. If not, and you have to give them your password, change the password once they have made the changes. | + | If you have to give a third party (such as an IT service provider) access (for example, to change a setting), see if you can limit the access you give them. |
- | ====Host | + | If not, and you have to give them your password, change the password once they have made the changes. |
+ | Â | ||
+ | ====Host | ||
Different countries afford different protections, | Different countries afford different protections, | ||
If you are using a third party to host your website, they should be established in a safe country too. | If you are using a third party to host your website, they should be established in a safe country too. | ||
- | |||
- | If in doubt, hosting in the EU (including the UK!) is likely to be sensible. | ||
[[https:// | [[https:// | ||
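Review bot: the first added key-points link, `[[firm_website#Secure your DNS: it's critical|Secure your DNS: it's critical]]`, targets a heading that does not exist on either side of the diff: the section heading below reads `====Secure your domain name: it's critical ====`, so the fragment link will not resolve. Either rename the heading to match or change the link target to `firm_website#Secure your domain name: it's critical`. Separately, this hunk deletes `If in doubt, hosting in the EU (including the UK!) is likely to be sensible.` without a replacement, which leaves the "safe country" advice in the hosting section with no concrete pointer for the reader; consider replacing the sentence with current guidance rather than removing it outright.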
Line 46: | Line 58: | ||
The more complex the software stack on which your website is running, the greater the opportunities for bugs or exploits. | The more complex the software stack on which your website is running, the greater the opportunities for bugs or exploits. | ||
- | Keep an eye on updates to the software, and test and deploy quickly. | + | Keep an eye on updates to the software, and test and deploy quickly. You are probably better of enabling automatic updates if this is an option. There is a risk that an update might be incompatible with something you are doing with your site, and so automatically upgrading might cause problems, but you are more likely to have problems if you do not update your software. |
If you are using a third party to run your website, or you are hosting it on someone else’s platform, check out their policy on applying software updates. If you can, enter into a service level arrangement which sets out how and when they patch their servers, at both the operating system level and the application level (i.e. the web server software itself, as well as the software on which that web server software runs). | If you are using a third party to run your website, or you are hosting it on someone else’s platform, check out their policy on applying software updates. If you can, enter into a service level arrangement which sets out how and when they patch their servers, at both the operating system level and the application level (i.e. the web server software itself, as well as the software on which that web server software runs). | ||
+ | |||
====Encrypt traffic between your visitors and your website ==== | ====Encrypt traffic between your visitors and your website ==== | ||
- | Just as you would look for a [[secure_browsing# | + | Just as you would look for a [[secure_browsing# |
+ | Â | ||
+ | ===Configure encryption ===Â | ||
+ | Â | ||
+ | Set up your server so that visitors can connect to your website securely. | ||
+ | Â | ||
+ | Exactly how you do this depends on how your website is set up, but it usually entails:Â | ||
+ | Â | ||
+ | * installing a digital certificate. Doing this is easy and cheap (free, if you use [[https:// | ||
+ | * changing your web server' | ||
+ | * opening an additional port in your firewall, to allow traffic on port 443. | ||
+ | Â | ||
+ | If your website hosting provider offers " | ||
+ | Â | ||
+ | If you run your own server, the easiest way to get this up and running is to use a free [[https:// | ||
+ | Â | ||
+ | ===Renew your certificate automatically ===Â | ||
+ | Â | ||
+ | A common failing when using an encryption certificate for a website is failing to renew it. If you do not renew it before it expires, visitors to your website will see an error message, which you do not want. | ||
+ | Â | ||
+ | LetsEncrypt certificates expire after three months, and, if you use certbot to install a LetsEncrypt certificate, | ||
+ | Â | ||
+ | If you do not have a LetsEncrypt certificate, | ||
+ | Â | ||
+ | ===Redirect unencrypted connections to encrypted connections ===Â | ||
+ | Â | ||
+ | In addition to setting up your server to offer an encrypted connection, make a further change so that visitors are automatically redirected to the secure version of your site. | ||
+ | Â | ||
+ | This means that, even if they access the insecure version of your website (http:), they will be automatically redirected to the secure version (https:), without them needing to do anything. | ||
+ | Â | ||
+ | If you use certbot to install a LetsEncrypt certificate, | ||
+ | Â | ||
+ | ==== Configure your site to be as secure as you can ====Â | ||
+ | Â | ||
+ | You can increase the security of your site, and lessen the risk of malicious or inadvertent compromises, | ||
+ | Â | ||
+ | The easiest way to start is to visit [[https:// | ||
- | Doing this is easy and cheap (free, if you use [[https:// | + | {{::screenshot_2019-08-23_at_20.09.08.png?400|}} |
- | It is hard to see how you could comply with your legal and regulatory obligations if you did not do this if you collect personal data on your website (such as through a contact form). | + | You implement these changes by configuring the " |
- | Once you have set up this encrypted connection, change | + | Make sure you test your site thoroughly after making changes, |
- | ==== Take backups ==== | + | ==== Take regular |
- | Ensure you have an accessible, tested backup of your firm's website. If you update your site regularly, consider automating your backups, so that you don't have to think about it (if you have to think about it, you'll probably forget to do it). | + | Ensure you have an [[backups|accessible, tested backup of your firm's website]]. If you update your site regularly, consider automating your backups, so that you don't have to think about it (if you have to think about it, you'll probably forget to do it). |
- | If your hosting provider decides to close shop unexpectedly, | + | If your hosting provider decides to close shop unexpectedly, or your website gets hacked, you can get back up and running far more quickly if you have a tested backup available. |
==== Be careful with contact forms and text entry fields==== | ==== Be careful with contact forms and text entry fields==== | ||
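Review bot: typo in the added software-update paragraph: `You are probably better of enabling automatic updates` should read `better off`. In the new encryption section, the firewall bullet only says to open port 443, but the later `Redirect unencrypted connections to encrypted connections` subsection can only work if the server still accepts plain `http:` connections (port 80) so that it can issue the redirect; add a sentence saying that port 80 stays open for that purpose so readers do not close it after enabling https. The `Renew your certificate automatically` subsection tells the reader renewal is automatic but gives no way to confirm it actually happened; suggest adding that they check the certificate's expiry date after the first scheduled renewal, since a silently failing renewal produces exactly the error message the paragraph warns about.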
Line 79: | Line 128: | ||
Give every person who can post content their own unique username, and the most restrictive set of permissions which let them do their job. | Give every person who can post content their own unique username, and the most restrictive set of permissions which let them do their job. | ||
- | Make sure that access is secured by https. | + | Make sure that access is [[#Encrypt traffic between your visitors and your website|encrypted]]. |
If your web host offers it, enable [[two-factor_authentication|two-factor authentication]]. | If your web host offers it, enable [[two-factor_authentication|two-factor authentication]]. |
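Review bot: the replacement link `[[#Encrypt traffic between your visitors and your website|encrypted]]` uses the bare `#` fragment form, while the key-points list at the top of this same revision was changed to the `firm_website#...` form; use one form consistently. The replaced wording `secured by https` also named the protocol, which the new link text `encrypted` drops; consider `encrypted (https)` so the reader still sees what to look for.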
firm_website.1565375175.txt.gz · Last modified: 2021/07/06 09:26 (external edit)