Getting started Updates and releases

Ten tips for improving your security online

The internet enables us to connect with people around the world, to find a niche community of like-minded internet users who would otherwise be too disperse, or reach customers who are unable or uncomfortable with in-person shopping.

Despite these benefits, there are nonetheless certain risks with being online, not the least of which is the security of your personal data, your website, and your domain names.

Here are our ten tips for keeping yourself — and your website — secure.

1. Use unique passwords

We can’t stress enough the importance of using a different password for every account. That means your banking password should be different from your email password, which should be different from your domain registrar’s password, which should be different from your website login.

And because each of these should in turn be strong passwords, you should consider keeping your passwords in a password manager.

Why so many passwords?

We get it. Password authentication is not an ideal system [link to: passwords article]. But because each service that takes a password has some risk of being hacked, you should have different passwords for each so that if one password leaks on the dark web, it doesn’t give attackers access to all of your online accounts.

2. Use multi-factor authentication (MFA)

When you use multi-factor authentication, you add an extra layer of security on your logins, beyond the password.

Despite the abstract name, multi-factor authentication is pretty simple. It’s basically the digital version of when your bank asks you for two forms of ID. There are many kinds of multi-factor authentication:

Timed one-time password

This is an MFA method where you scan a QR code to activate it and then an algorithm in a specific app generates a six-digit password that’s only valid for 30 seconds at a time.

When you log in to your account, you type your username and password like usual, and then you open the app on your phone and enter the six-digit code.

Attackers won’t have access to the algorithm used to generate it and the code will change every 30 seconds, so it won’t be valid for long.

Find out how to activate a timed one-time password on your Gandi account

Security key

A slightly less complex, more secure, but ultimately more cumbersome option is a security key that consists of a small card that plugs into your USB port.

Security keys don’t require any special app or typing any extra password. They just need you to put the key into your USB port after you enter your username and password and press the button on the key.

The downside is that you need to have the physical key actually with you, so if you forget it or lose it, you won’t be able to log in.

Biometrics

It sounds fancy, but this form of multi-factor authentication is pretty simple, and it’s definitely the most user-friendly. In fact, you probably have biometric authentication enabled on your smartphone right now, in the form of either fingerprint recognition or facial recognition using your phone’s camera to unlock it based on your distinct fingerprint or facial features.

And as more personal computers start shipping with fingerprint recognition built into the keyboards as well, this form of authentication is getting much more accessible as well.

Logging in just requires entering your username and password and then using a biometric authentication device — whether built into your phone or your computer — to complete the log in.

N.B. Since biometrics authentication systems record and store intrinsic information about you — your fingerprint, aspects of your facial features, etc. — this type of authentication can pose a potential privacy risk versus other forms of multi-factor authentication. Read more here.

3. Watch out for phishing

Phishing emails are emails that purport to be from someone you trust — including companies and institutions, like your bank, your domain registrar, or the post office — but actually lead you to fake webpages where you are asked to give away your personal information (especially passwords).

Since sending an email costs next to nothing, and it’s still relatively simple to spoof someone’s email address, phishing attacks remain a major threat to any and all internet users.

The best ways to fight phishing are:

  1. Don’t panic. Phishing works because people let their guard down when they see a scary subject line. Taking just an extra minute to think about what an email is asking you to do and examine the link can prevent you from getting phished, and even for urgent issues, a minute is not going to impact you deeply
  2. Don’t click links. If an email is asking you to make a payment or enter personal data, navigate to the website in question separately. For example, you can check whether your domain at Gandi needs to be renewed by logging in to your Gandi dashboard at gandi.net separately from any link in an email you might receive.
  3. Report phishing. When you see a phishing email, report it. Not only does that help stop ongoing phishing campaigns, it enables mail service providers to flag phishing emails for future recipients to warn them that a particular email shouldn’t be trusted.

4. Use different email addresses for different logins

The email address associated to a particular login has many uses — it’s used to reset passwords, to send newsletters and marketing emails, and for some accounts as the username.

That means that if one login using a particular email address is compromised, any other accounts using that email address may be at risk as well.

In the context of managing a website, if you use the same email address for registering your domain name as you use for your CMS login, a compromise of your CMS could lead to a compromise if your registrar, limiting your ability to mitigate the issue.

Alternatively, even if you’re not dealing with compromised accounts, it might make sense to associate your CMS login to a custom email address @ your domain name for branding and contact purposes. But this is not a good idea for your account managing that same domain name. If something happens to your domain name, you won’t be able to access your domain registrar account to fix the problem because your email is directly dependent on your domain name working properly.

Finally, it’s better to use email addresses that are not “obvious,” like ‘admin@’ or ‘contact@.’ These are relatively easy to guess which not only gives a hint to potential attackers trying to crack your account, but also makes it easier to target more believable phishing emails to you, since attackers will try emailing common email addresses like contact@ and even any email addresses listed on your website.

5. Keep software updated

Digital security is in some sense a kind of virtual arms race between software developers on the one hand and cybercriminals and other entities trying to exploit the bugs and weaknesses in the software being developed.

That means that software developers are not just constantly building new features and improving the performance of the software they work on, but also constantly releasing new versions of their software, patching bugs, and fixing security issues.

That applies to the software that you use to access the internet — including internet browsers like Firefox, Safari, and Chrome, email clients like Thunderbird, Apple Mail, and Outlook, and also virtually any other app on your computer, smartphone, or tablet — but also to the software you use to manage your website.

Specifically, it’s important to keep your CMS software up to date. That includes the CMS itself as well as any plugins or add-ons you use. For example, if you’re using WordPress, you should make sure to keep your WordPress version up to date, but also any WordPress plugins you use for your site.

The developers of this software will generally alert you when they release a new version, and upgrading whenever you receive this kind of notification is important. But it’s also a good idea to periodically proactively check whether you’re using the latest version of the software.

6. Make regular backups

It’s easy to put off preparing for the worst, until the worst actually does happen. Whether that’s a deliberate attack, an “act of God,” a missed renewal, or a mistake in managing your website, when things go wrong, being able to restore from a backup is essential.

What to back up

Here are a few different types of backup you should be sure to make:

  1. Back up your computer, smartphone, and other devices. 
It’s always a good idea to regularly back up your computer and other devices such as your smartphone so that critical applications you need to manage your website or domain name are accessible even if something bad happens. That doesn’t just mean your browser, but especially applies if you’re using a password manager or multi-factor authentication that can be reset using backup codes. Losing these in addition to your computer can compound a bad problem into a worse one.

    Backing up your computer and other devices to the cloud is easy when you have a Nextcloud instance installed
.

  2. Back up your website. 
Making regular backups isn’t just important for your computer, but this sage advice also applies to your website as well. There are many reasons you might need to restore your website from backup, and especially if your website ever is compromised, having a backup from before the compromise that you can use to restore from is essential to getting back up and running afterwards.

    Learn more about backing up your website at Gandi

  3. Back up your domain’s settings. 
If something catastrophic happens to your domain name, such as missing a renewal and having to re-register it, having it transferred out by a domain name thief, or if you just make a mistake editing your DNS, you can get your domain back up and running normally again by restoring from your backup.

    
Read more about DNS backups

How to back up your data

In general, your backups should follow the 3-2-1 rule:

3 backups
2 mediums
1 off-site

That means — make three copies, across two different mediums, and in two different physical places.

If it helps you remember, every year, World Backup Day is March 21, or 3/21.

7. Use HTTPS or SSL/TLS

SSL, which stands for “secure socket layer,” and is also known as TLS (for “transport layer security”), is a specific method for encrypting data that’s used in HTTPS (“Hypertext Transfer Protocol Secure”), which you might recognize from web addresses starting with https://.

This works by installing an SSL/TLS certificate on your website. An SSL/TLS certificate is a file that’s generated using public key cryptography. This is a way of encrypting (or encoding) data in a way that only the sender and the intended recipient of that data are able to decrypt or decode. When you then use HTTPS on your website, a virtual “tunnel” is formed between the browser and the website. If a third party accesses the data being transmitted between a website and an end-user’s browser, that person will only see encoded and encrypted data that they have no way of decrypting.

That’s why an SSL/TLS certificate or HTTPS is what make it possible to send sensitive data like credit card numbers, ID numbers, usernames, and password over the web.

Some types of SSL/TLS certificates even go so far as to guarantee transactions are safe. To get this kind of SSL/TLS certificate, you need to undergo an extended validation process.

When a valid SSL/TLS certificate is installed on a webpage using HTTPS, a closed lock icon typically appears next to the address in your browser. This makes your SSL/TLS certificate an essential part of building trust between you and your website’s users.

When to use SSL/TLS

SSL/TLS was initially billed as a way to protect the following types of sensitive data:

  • Username and password
  • Financial information (such as credit card numbers)
  • Personal identifying information

For these uses, SSL/TLS is absolutely essential.

But in addition to this, it’s now recommended that any and all web browsing be encrypted with SSL/TLS. This ensures that internet users can have greater confidence that nothing about them is leaking to those who would divert it for other purposes. Even information about what and where you browse can be considered sensitive information, so keep your website and your website’s users safe with an SSL/TLS certificate.

Find out more about SSL/TLS certificates

8. Avoid using defaults

Most CMSes, like WordPress and Joomla, use defaults for the administrative login or directory. In the case of WordPress, the default login URL is example.com/wp-admin/. To customize this, you’ll need to find a (secure, maintained) plugin that allows you to.

You should also avoid using usernames for your website like ‘admin,’ which aren’t default but are commonly used.

9. Disable features you don’t use and audit your plugins

Features that allow your website’s users to interact with your site that you don’t use can pose a security threat to your website. Any form that users can use to submit data to your website — such as comments, registration, and contact forms — can potentially be used to compromise your website.

If you don’t need or regularly use these features, you should make sure they are disabled. For example, f you have comments enabled on your CMS but your comments section is not really active, you should disable them to prevent possible attacks that use comments to either compromise your site or that might lead naive users of your website to click links to fraudulent or dangerous websites.

Likewise, you should periodically audit the plugins you have installed on your CMS, especially if you’re using a CMS like WordPress. Old plugins that are no longer maintained are a security threat. Plugins in general can be a source of security issues even when they are maintained, so it’s important to uninstall plugins that you aren’t actively using.

10. Stay vigilant

Keeping vigilant is the number one thing that you can do to ensure your safety and security online. Vigilance is the key to catching phishing attempts and making sure your software is up to date.

Your vigilance can spot when something is wrong, when you’re navigating to a particular website, when you’re managing your logins for your domain name, hosting, and CMS, and when you’re checking your website and notice something unusual.

So stay safe out there and stay vigilant!