Keep Your Website, Email, Personal Data & Visitors Secure
Monday, November 20, 2017 2:50 PM
Every few months another major website is hacked and personal information is leaked. Today our whole lives are on the internet, including passwords, bank accounts and lots of personal information. I’d like to outline some best practices for securing your EverWeb website, email, personal data and your visitors.
These tips are helpful for anyone running a website and will bring extra benefits like reduced spam and reduced risk of losing your data. Most of the suggestions are linked together and should be part of your overall protection strategy.
Protect Your Website & Visitors
There are three important things you should do to protect your website, the personal information attached to your website and your website visitors.
1. ID Protection for your domain
When you register a domain you must provide up-to-date, proper contact information, as this is used by ICANN, the central domain authority, to make sure you don’t lose your domain name. Unfortunately, for most domain names this information is publicly available, as you can see if you search the ICANN Database.
The moment you register a domain, spammers scan the ICANN database for your contact information, so you’ll start receiving spam emails from them. You can’t use fake information because ICANN requires up-to-date and correct details or you risk losing your domain. Domain ID protection solves this issue and is available in your Client Area at any time if you want to add it to your domain.
Just go to Domains->My Domains and select your domain on the following page. From there click ‘Addons’ on the left side.
2. SSL/TLS Encryption for an HTTPS URL
When you visit a website whose address starts with http:// instead of https://, anyone connected to your network can see not only which pages you are visiting but also any passwords or other information you enter in forms on that website.
In addition, Google and other search engines are going to require an https:// URL in the coming months; otherwise an error message will appear when visiting your website in Google Chrome or clicking your website in Google’s search results.
EverWeb Site Shield™ is the easiest way to add an SSL/TLS Certificate to your website. Once added to your website you can simply click the ‘Use HTTPS Secure URLs’ option under File->Edit Publishing Settings in EverWeb. If you have an EverWeb + Hosting account, simply log in to your Client Area and select Services->My Services from the navigation bar. Then select ‘Addons’ from the left hand side to see the EverWeb Secure Shield™ addon.
If you use a third party web hosting provider you can purchase an SSL/TLS certificate from your web hosting provider. It is highly recommended that you add the SSL/TLS certificate to your website.
3. Publish your website securely
When publishing your website make sure you are publishing with FTP over SSL/TLS or FTP over SSH. EverWeb 2.6 and later support both protocols so there is no reason to use regular FTP.
If you are publishing to an EverWeb + Hosting account, go to the Preferences and select ‘Use Secure Publishing’. This option can be turned off only because some hotels and public Wi-Fi connections don’t support this protocol, but we highly recommend you keep it enabled.
If you are publishing to a third party web hosting provider, go to File->Edit Publishing Settings in EverWeb’s menu bar. Then make sure 'FTP with SSL/TLS' or 'FTP with SSH' is selected in the protocol menu. Your web hosting provider must support these protocols, and most support FTP with SSL/TLS, so verify with them which protocol they support first.
Protect Your Email
1. Use SSL/TLS encryption to check and send email
As noted above, it is very easy for someone on the same Wi-Fi or Internet network as you to see your passwords unless you are using SSL/TLS encryption. This tip is one of the quickest and most important changes you should make right now if you don’t already use SSL or TLS encryption. It is free and requires just ticking a checkbox and changing the PORT field in your Email Client Account Preferences.
When setting up email accounts, you should always make sure the SSL or TLS option is selected in your Account Preferences. Our Email Setup Instructions include the details on how to make sure you are using SSL or TLS for sending and receiving email.
We highly suggest you review your email setup and make sure it is using SSL or TLS encryption. Leaving this option off is the number one way a hacker can get the password for your email and gain complete access. This step should only take a few minutes to verify.
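One way to check the sending side of this from outside your mail client, as an added example that is not part of the original post: it reads what an SMTP server advertises before encryption starts and reports whether a password could still be sent in clear text. The host name mail.example.org, the sample replies and the verdict strings are constructed for illustration, and port 587 is assumed as the submission port.

```python
import smtplib
import ssl

def parse_ehlo(reply: str) -> set:
    """Extract upper-cased ESMTP keywords from a raw multi-line EHLO reply."""
    keywords = set()
    for line in reply.splitlines()[1:]:          # line 1 is only the server greeting
        if line.startswith("250") and line[4:].strip():
            # "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN" both yield "AUTH"
            keywords.add(line[4:].split()[0].split("=")[0].upper())
    return keywords

def assess(keywords: set) -> str:
    """Classify what the server offers BEFORE any encryption is negotiated."""
    if "STARTTLS" not in keywords:
        return "no-tls"            # a password can only cross the network in clear text
    if "AUTH" in keywords:
        return "auth-before-tls"   # a client with SSL/TLS unticked can still log in
    return "tls-required"          # login is only offered once the session is encrypted

def check_live(host: str, port: int = 587, timeout: float = 10.0) -> str:
    """Run the same check against your own mail provider (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        verdict = assess({k.upper() for k in smtp.esmtp_features})
        if verdict != "no-tls":
            # Raises ssl.SSLError if the certificate does not validate for `host`.
            smtp.starttls(context=ssl.create_default_context())
        return verdict

# Constructed sample replies (not captured from any real server).
REPLY_PLAINTEXT_ONLY = "250-mail.example.org\r\n250-AUTH=PLAIN LOGIN\r\n250 HELP"
REPLY_AUTH_BEFORE_TLS = ("250-mail.example.org\r\n250-STARTTLS\r\n"
                         "250-AUTH PLAIN LOGIN\r\n250 HELP")
REPLY_TLS_REQUIRED = ("250-mail.example.org\r\n250-SIZE 52428800\r\n"
                      "250-STARTTLS\r\n250 HELP")

if __name__ == "__main__":
    for name, reply in [("plaintext only", REPLY_PLAINTEXT_ONLY),
                        ("auth before tls", REPLY_AUTH_BEFORE_TLS),
                        ("tls required", REPLY_TLS_REQUIRED)]:
        print(f"{name:16} -> {assess(parse_ehlo(reply))}")
```

A result of "auth-before-tls" means the protection depends entirely on the SSL/TLS checkbox in each mail client, which is the setting this section asks you to verify.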
2. Disable Catch All Emails
Many web hosting providers provide a way to set up a catch all email address. This means that if you don’t have an email set up for your domain and someone sends an email to ‘firstname.lastname@example.org’, for example, you can forward it to an existing domain address.
This option significantly exposes you to spam emails, and your emails may be marked as spam if you forward your catch all email address to a third party service such as aol.com or gmail.com.
We recommend that you set this option in your web hosting control panel to fail and never forward to another email address. Instead, set up an email address or specific email forwarders for each email address that you need.