How to make own website secure

Hi all and a happy new year!

Suppose I intend to launch a side hustle relying on a website (so own data/ftp to protect against attacks), a newsletter (so client personal data to store, encrypt and protect) and email traffic. Suppose also that I am a total novice in internet security but I very much care that my website, my data and my clients’ data are properly protected.

I am trying to do some research on how to achieve that, which third party services to use (I’d rather have a dedicated specialized team working on it so would gladly use a professional solution from some major IT firm) but I am clueless as to where to start and what solutions are actually efficient for what I am trying to build. My own searches haven’t brought much in regards to specific security steps to take and interesting third party solutions I could use (I’ve looked into Google Sites and MS365 but they seem more intra business than b2c oriented).

I am searching for insights as to where to direct my searches. Would you guys, gals and people of all gender identities have any advice on the topic?

ETA: as additional information, I do have ownership of my website addresses, storage space to add content and email server through Axianet (site in French) for the time being. I am worried about outside attacks (2FA for my ftp access and backups) and proper hygiene when handling clients’ data (as well as specific solutions to ensure they are properly secured).

ETA2: I am leaning toward trusting my provider, securing my emails with 2FA and backing up my data in either Google’s or Microsoft’s cloud. No idea how to handle clients’ data, though.

ETA3: I am currently exploring what other swiss providers have to offer, the answer may very well simply be in choosing the right one (which would mean no reliance on US based companies).


Rather than the choice of hosting provider and user authentication (such as 2FA for FTP), I‘d first give consideration to the software you intend to be using.

What does your website need to do (functionally) and what kind of data are you going to collect or store on that website?


Thanks for your answer.

It’s a hiking organization business, so the website needs to be able to display news, the program of the planned hikes (with pictures) and allow for people to pre-register online, so I’d want a contact form with at the very least their name, first name and a way to contact them back, either email or phone number.

Ideally, there would be additional data like gender, age, number of people and specificities like potential health issues, allergies, medications they have to take,… that last part makes me very uncomfortable because it is sensitive health data so I’d probably not go that far and use a paper form for that.

Those who register to the newsletter would need to give an email address, so that would go into a database that I’d have to keep current. Said database may include additional clients’ infos depending on how comfortable I feel with that.

Past the hike, I would like to provide clients with a temporary access to the pictures of the hike, so those pictures (which can be deemed personal) would be hosted on the site (in a private part of it) and accessible probably with temporary identifiers I’d provide them by email.


Not a big specialist here, but: the best way to do something secure is to plan it properly.

Make sure your data go into an encrypted cloud.

Why do you have to keep these data on the server? I guess you will have less than 100 customers per month. A registration form that sends you an encrypted email would be enough, the rest you do on your computer in a spreadsheet.

A simple mailing list software such as GNU mailman will manage it. Your provider most probably also has it installed; setting it up with your custom email such as news@wolverine.ch should also be a standard procedure.

An encrypted cloud will do the work.


The only piece of advice I can think of is that if you are going beyond a static webpage, which you are, you should let your hosting take care of the platform. Instead of getting a server somewhere and installing everything yourself, get a ready-made package. That way they take care of the configuration and updates, otherwise most likely you are going to leave holes open, especially if you do not have experience.

Depending on the site you want to build you can choose a package. Probably one of the most common would be getting a Wordpress site. Very powerful, but careful with the plugins.


Thanks Dr.PI and Ed_Waadt for your replies.

Will have to check that, thanks for mentioning it. I’m not sure OneDrive encrypts your data by default (though I’d find it odd if they didn’t) and I have no idea about what’s going on at my provider. I’ll have to check about that.

It doesn’t need to be on the servers, though I’ll have to have proper hygiene with email and backups handling. Thanks for pointing that out.

Will check on it, thanks!

It may sound like basic wisdom but I had at some point thought about trying to do it all myself… xD Solid advice, thanks!

I work in IT security, so I should be able to help here: Security is quite multi-faceted and you touch upon different aspects. Very important is the choice of software and keeping it up-to-date. In my experience, most websites of SMEs are hacked because they have some outdated software (e.g., an old WordPress version) with known vulnerabilities that automatic scanners pick up and exploit. Targeted exploits for smaller businesses are very rare.
With regards to hosting, I would recommend using some managed solution from a well-known hosting provider if this is not your area of expertise. These are usually well-secured and different instances should be properly isolated such that an exploit of a different customer does not matter to you. 2FA for all of your accounts is always a good idea.
I would always encrypt backups (yourself, not relying on the provider to do that) before uploading them to a third party. Then, your data is safe even if the provider is exploited.

These are all pretty generic recommendations and there are more specific peculiarities to consider depending on the exact details. For instance, when you have a private part of a page the identifiers should not be consecutive/guessable (may sound obvious, but this is something I see often in Pentests).

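The point above about private-area identifiers not being consecutive or guessable, and the earlier wish to hand out temporary links to hike photos by email, can be shown in a few lines. The following is an added example and not code from this thread or from any hosting product: the class name, the in-memory store and the `/photos?token=` URL shape are all assumptions. It contrasts the weak scheme (a sequential album number anyone can enumerate) with random 256-bit tokens that expire, are stored only as a hash, and can be revoked.

```python
import hashlib
import secrets
import time

# Assumed constants for this illustration.
TOKEN_BYTES = 32  # 256 bits of randomness: not enumerable by a scanner

def guessable_link(base_url: str, album_number: int) -> str:
    """The weak scheme: /album/1, /album/2, ... A visitor who gets one link
    can simply try the next number and see another client's pictures."""
    return f"{base_url.rstrip('/')}/album/{album_number}"

class AlbumAccess:
    """Issues and checks unguessable, time-limited access tokens.

    Constructed example store (a dict); a real site would use its database.
    Only a SHA-256 digest of each token is kept, so a leaked copy of this
    table does not contain working links.
    """

    def __init__(self):
        self._grants = {}  # sha256(token) -> (album_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, album_id: str, valid_seconds: int, now=None) -> str:
        """Create a fresh random token for album_id valid for valid_seconds.
        `now` is injectable so behaviour can be tested deterministically."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, URL-safe
        self._grants[self._digest(token)] = (album_id, now + valid_seconds)
        return token

    def lookup(self, token: str, now=None):
        """Return the album_id the token grants, or None if unknown/expired.
        Expired grants are dropped on first sight."""
        now = time.time() if now is None else now
        key = self._digest(token)
        grant = self._grants.get(key)
        if grant is None:
            return None
        album_id, expires_at = grant
        if now >= expires_at:
            del self._grants[key]
            return None
        return album_id

    def revoke(self, token: str) -> bool:
        """Invalidate a link early, e.g. if a client reports it was forwarded."""
        return self._grants.pop(self._digest(token), None) is not None

def access_link(base_url: str, token: str) -> str:
    """The link to put in the email sent to the hiker."""
    return f"{base_url.rstrip('/')}/photos?token={token}"

if __name__ == "__main__":
    store = AlbumAccess()
    tok = store.issue("hike-2024-01-07", valid_seconds=7 * 24 * 3600)
    print(guessable_link("https://example.invalid", 17))  # weak: enumerable
    print(access_link("https://example.invalid", tok))     # random, expiring
    print(store.lookup(tok))                               # -> "hike-2024-01-07"
```

The token never needs to be tied to a login: it is the capability itself, so it must be long, random and delivered only to the intended person. Serve the photo pages over HTTPS so the token is not exposed in transit, and keep the expiry short (a week or two) so old emails stop working on their own.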

Thanks! That’s very helpful to get me started in the right direction.

Any recommendation as to an efficient encryption software I could use on my end?

I like the open-source software Duplicati: https://www.duplicati.com/

Supports many sources (e.g., FTP) and destinations (e.g., Azure, S3, Google Drive, Dropbox, …), AES-256 encryption and is quite easy to use with a nice web interface.
