• The Entrepreneur Forum | Startups | Entrepreneurship | Starting a Business | Motivation | Success

Basic cybersecurity for a new website?

Discussion in 'Education, Learning, Books' started by Philip Marlowe, Apr 25, 2018.

  1. Philip Marlowe
    I'm (finally) launching my website this week and in an effort to focus on my strengths, I outsourced the web design so I could focus on content.

    I'll do a crash-course with the firm on running the site (Wordpress), but can anyone tell me where to begin with good cyber security?

    I've got the basic cyber hygiene down (strong passwords, multi-factor authentication where possible, avoid sketchy e-mails), but I'm afraid that a public website opens me to a whole host of new things.

    A couple core questions:

    1. I'd like to remain anonymous initially. My WHOIS is private - any other suggestions?
    2. Should I avoid mixing business and personal activity on my laptop? (e.g., just keep it to my website and relevant sites - no banking, personal e-mail, etc.?)
    3. If I log in primarily from my home IP address, does that give my location away? (I don't think I can use Anonymizer because my IP address is cleared through the firewall to my site for admin access)
    4. Anything to worry about using Google Analytics? I only have one site so it won't be connected to a web of other sites.

    Any guidance would be appreciated. My Google skills just land me at all sorts of awful Forbes articles...

    -PM
     
  2. rogue synthetic
    Install a security plugin like Wordfence or Sucuri. That can do a lot of heavy lifting for you.

    Are you managing the server yourself, or is this a shared hosting deal? That's the other major thing to worry about.

    I've got to run to a meeting right this second but I can give more advice about anonymity and privacy if someone hasn't beaten me to the punch before I get back. But 2-4 shouldn't be any serious worries, no.
     
  3. 404profound
    Make sure you have some form of Secure Sockets Layer (SSL). This encrypts data between your site and users who visit your site so that it can't get stolen. You'll notice in the browser sites that are "https" vs "http". "https" is a designation for sites that have adequate encryption through an SSL. Google actively prioritizes sites that meet this standard in its indexing algorithm. And aside from Google rankings, https also creates visitor trust (I'd never trust my financial information on a site without a recognized SSL).
     
  4. ApparentHorizon
    Backups. I manage a couple of sites, and all of them have redundant backups.

    My approach: it's not if a site gets hacked. It's when.

    So in the event someone breaks it, how can you have it up and running in a few hours? (Updraft plus is a good plugin)

    That being said, I've never had a real problem in over a decade. And nearly all of them run WP.

    Overall, you're overthinking it with the anonymity.

    There are hundreds of sites that have your info. And if you found out what they knew about you, you'd crap your pants. In fact, they know more about you than you know about yourself.

    So if someone really wanted to find you, they'd do it in a few hours. Something like whois only masks your identity from bot scraping.

    Get ready to crap your pants: What every Browser knows about you

    This is only what your browser sends to a website directly. Never mind the artificial intelligence predicting your next moves and changing preferences.

    (Note: that site says to use noscript. You'll break half the sites you visit if you do.)
     
  5. Roli
  6. ApparentHorizon
    Nope, and I can't vouch for any of the software there.

    Don't download browser plugins directly from sites.

    Go through the appropriate repository, like the Play store on Chrome.
     
  7. Roli
    Cool, thanks, good info though.
     
  8. rogue synthetic
    Okay, now that I've got some time here's a somewhat more value-added answer:

    Let's make it clear right now that anonymity of your website or your domain name is not the same thing as what you do online as far as browsing and other kinds of activity go. These are two different sets of concerns.

    Right where I'm sitting I can use a tool called 'whois' from the command line which gives all the publicly available data on a domain name. For example, when I type 'whois thefastlaneforum.com' it tells me some information about this site, among other things the registrar, when the domain was created, when it expires, the nameservers, and when the domain expires.

    On domains without some kind of anonymizing service, it will also show you the name and contact details of the person who registered the site. MJ has this obscured, so I can't send pizzas to his house. Most modern registrars will offer some service like this and it's good practice to take advantage of it. As mentioned upthread, this won't prevent the malicious from finding you but it will put a nice roadblock in the way of spammers and scrapers.

    Anonymity of your browsing habits and security of your local machine are a different set of problems. If you log in to your account from your home computer, using the IP assigned to your account by your ISP, then you can be tracked, and worse yet, you are already being tracked.

    Being worried about this is like saying you're worried that you can be tracked if you walk out the door of your house to go to the supermarket. Of course you can, and why would you even ask? Your ISP will see where the traffic is going, as can any sites between you and your server unless you're using a VPN.

    The question isn't whether your IP gives your location away. The question is who can see that information and who can act on it.

    Nobody without access to your remote server can see that you have logged into it or where from (the NSA excluded). And, just like being worried about being seen on a trip to the supermarket, if you're in deep enough with the kind of people who can make you worry about this, worrying about whether they'll see you leave the house should be the last thing on your mind.

    This just isn't something to worry about. If you're trolling the comments on the New York Times you'll probably want to use Tor or a VPN. Logging into your server over SSH or an SSH-secured portal, not so much.

    Are you really ever private online?

    What you do have to worry about is what @ApparentHorizon mentioned. Let's take a quick glance at the site he linked:

    [screenshot]

    The big red and green box is a Firefox extension called uMatrix. It shows you all the different sites that are trying to connect to you when you visit a web page. The big block of red down at the bottom left is showing me that the Google Analytics script and the script for Google's page syndication is blocked.

    On a page with Facebook's scripts, I'll see similar blocks of red blocking them. Same for most of the major known trackers. I've got it rigged to block certain tracking features in Facebook, Twitter and Taboola based on this advice from the creator.

    You think that's got you covered? Or are you in the mood for something more unnerving? Check this out: Panopticlick

    My daily driver Firefox is about as cozy as you can make it without breaking 90% of websites. When I run it through Panopticlick, it tells me that I have strong protection against tracking. Great!

    But scroll down a little and I see this:

    [screenshot]

    Unique fingerprint? Yes, even with all the spyware blocking plugins and tweaks I've got on this browser, I've still got a unique signature that someone can use to follow me across the web. In fact, part of the reason I got this result is because my browser is blocking or spoofing certain values which are more common in non-secure browsers. How's that for a Catch-22?

    For kicks I ran this through the beta version of Firefox which has a special configuration setting meant to block this. It gets only a marginally better score, around 1 in 500,000 (but at least it's not totally unique).

    The only browser I know of which can insulate you against tracking is the Tor browser, which totally dominates the Panopticlick test and also natively blocks the canvas fingerprinting trick. Using Tor has a lot of downsides, and if you're using the browser as a daily driver it will add enough inconveniences that you will likely switch back.

    What to do?

    You can wring your hands about it and turn privacy into a hobby, hang out on websites approved by Richard Stallman, and avoid any site that runs non-GPL Javascript.

    Or you can do what you can to block the major offenders and get on with your business. If the right person wants to know who you are, you aren't going to prevent them without taking serious measures, and even then it is much easier for you to screw up than it is for them to miss what they want to know. You can stop some of the most intrusive tracking across websites, but if you use Google or Facebook at all, well, they know who you are, and they have data on you unless you've been blocking everything for a very long time.

    I'm about as paranoid about this stuff as you can get while still being functional in the mainstream internet, and I have no doubt there are paper trails on me in all the major databases.

    The question is, besides the philosophical debate about privacy and anonymity, does it affect you? I can't answer that. But please keep in mind that this is a totally separate issue from the security of your Wordpress site, or any website you operate.
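The Panopticlick result described above (a unique fingerprint even with blocking extensions, partly because the blocked or spoofed values are themselves rare) can be reproduced on a small scale. The following is an added example, not code from the forum post and not Panopticlick's own code: it builds a constructed population of browser profiles and scores a candidate the way Panopticlick reports it, as "one in N browsers share this fingerprint" plus bits of identifying information per attribute. The attribute names, the population and all values are made up for illustration.

```javascript
// Added example, not code from the forum thread or from Panopticlick.
// A browser fingerprint is the set of values a browser reveals to any page
// it loads; identifiability of a value is measured as
// log2(population / browsers that share that value).
// Every profile below is constructed for illustration.

const ATTRS = ["userAgent", "timezone", "doNotTrack", "canvasHash", "fonts"];

// Constructed population: 90 mainstream browsers sharing a few common
// combinations, plus 10 "hardened" browsers that each send DNT, block
// canvas and spoof the font list in a slightly different way.
function makePopulation() {
  const pop = [];
  const uas = ["Chrome/65", "Chrome/65", "Chrome/65", "Firefox/59", "Safari/11"];
  const tzs = ["-300", "-300", "0", "60"];
  for (let i = 0; i < 90; i++) {
    pop.push({
      userAgent: uas[i % uas.length],
      timezone: tzs[i % tzs.length],
      doNotTrack: "unspecified",
      canvasHash: "c" + (i % 3), // canvas output clusters by GPU/driver
      fonts: i % 2 === 0 ? "default-win" : "default-mac",
    });
  }
  for (let i = 0; i < 10; i++) {
    pop.push({
      userAgent: "Firefox/59",
      timezone: "0",
      doNotTrack: "1",
      canvasHash: "blocked",
      fonts: "spoofed-" + i,
    });
  }
  return pop;
}

// Serialise a profile so that two browsers with identical values compare equal.
function fingerprint(browser) {
  return ATTRS.map((a) => `${a}=${browser[a]}`).join("|");
}

// Bits of identifying information carried by one attribute value.
function attributeBits(pop, attr, value) {
  const matches = pop.filter((b) => b[attr] === value).length;
  return Math.log2(pop.length / matches);
}

// Panopticlick-style summary for one browser: how many share the full
// fingerprint, the "one in N" figure, and the per-attribute contribution.
function rarity(pop, browser) {
  const fp = fingerprint(browser);
  const matches = pop.filter((b) => fingerprint(b) === fp).length;
  return {
    matches,
    oneIn: pop.length / matches,
    bits: Math.log2(pop.length / matches),
    unique: matches === 1,
    perAttribute: Object.fromEntries(
      ATTRS.map((a) => [a, attributeBits(pop, a, browser[a])])
    ),
  };
}

// Human-readable comparison of an ordinary browser and a hardened one.
function report(pop) {
  const lines = [];
  for (const [label, browser] of [["ordinary", pop[0]], ["hardened", pop[90]]]) {
    const r = rarity(pop, browser);
    lines.push(
      `${label}: one in ${r.oneIn}, ${r.bits.toFixed(2)} bits, ` +
        (r.unique ? "UNIQUE" : "shared")
    );
    for (const [attr, bits] of Object.entries(r.perAttribute)) {
      lines.push(`  ${attr}: ${bits.toFixed(2)} bits`);
    }
  }
  return lines;
}

console.log(report(makePopulation()).join("\n"));
```

The hardened profile scores as unique even though every individual tweak is a "privacy" measure: sending DNT and blocking canvas are each shared by only 10 of the 100 browsers, so each carries over 3 bits on its own, while the ordinary browser's default values carry a fraction of a bit. That is the Catch-22 in the post, in numbers.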
     
  9. GravyBoat
    As someone who has worked in IT for 5 years, I'll play devil's advocate here and say you're worrying WAY too much already.

    Usability vs. security. The age old debate.

    My take: during start up phase, you're just fine using your personal laptop. If you want to be sure, wipe it and reinstall the OS, then go from there. Don't visit any sketchy sites, don't torrent, you should be just fine. You're a small fish at this point, everyone is when they first start their business.

    You're gonna hurt yourself more than help if you're constantly worrying about this stuff. There are certain advanced situations I can think of where you'd want to get another computer, but again, worry about that once you're making money and it's not a problem to buy a new computer.

    I've seen people worry to the point where they still have non-smart phones to this day. They use a VPN every day for no real reason. They run Linux based OS to do all their banking, etc. Don't make it harder on yourself.

    EDIT: That does NOT mean don't use backups. For the love of God please back up everything personal and on your site. As often as possible.
     
  10. Dark Water
    If you're worried about personal security as far as computers go, I would highly recommend a Chromebook. Mine is lightning fast and only cost me a little over $200 a few years ago and I never have to worry about security or anything like that. As a web designer and copywriter, it takes care of all my needs functionally (since everything with WordPress is in the cloud) and Google Docs is great. Basically zero worries about security. For me, it's peace of mind knowing I'm not too worried about this device if anything should happen, compared to having a $1000+ MacBook or Windows laptop.

    As far as Google Analytics goes, just make sure you are giving proper disclaimers on your site especially if you use some of their more intricate data services.
     
  11. Roli
    Keep your porn browsing and business separate and you should be fine!
     
  12. Tiger TT
    1. Don't save your passwords in your FTP client, because there are viruses which steal your FTP credentials stored in your PC and use that to hack your website.

    2. Use KeyScrambler on your computer. This little program encrypts your keystrokes, so even if your anti-virus doesn't detect a keylogger on your PC, the keylogger won't be able to record your sensitive information.

    3. Use a desktop cloud backup solution like MozyHome on your PC. So that all your important files are regularly backed up to the cloud and also to an SD card at the same time if you want.

    4. Not now, but when your website becomes an important asset to you, use a website firewall and have regular security scans for your website. I use Sucuri for this. Their service is just awesome.

    These are some of the things I do in order to maintain a good security posture.
     
    Last edited: Apr 27, 2018
  13. Philip Marlowe
    Thanks 404. Yes - I do have SSL for the website, although mostly because I understand that Chrome users would all get warnings and my domain name would be highlighted in red without it. It was an upfront recommendation from the builder, so I guess that's a good sign.
     
  14. Philip Marlowe
    This is excellent - thanks @rogue synthetic

    I purchased privacy from day one when I bought the domain, so it sounds like that helps.

    Would using my Verizon hot-spot help? I feel stuck. To keep the site/server secure I've added only my IP to the firewall, and yet it sounds like that actually makes me more of a target. It also seems that a business location is key - by registering the WHOIS at a business AND logging-in only at a business, you separate the site from your home life?

    I think this is where I'm confused. To your earlier post, does this essentially mean a private domain registry, a solid password, and a reputable security plug-in? After that it's just overkill unless I'm some sort of dissident from China who wants to create an anonymous site that I only access via Tor?

    Thankfully I have no social media, but based on the website you sent me, that doesn't matter.

    Thanks again!
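Two places in the thread touch on the same check: rogue synthetic's description of what a `whois` lookup prints (registrar, creation and expiry dates, nameservers) and which registrant fields a privacy service obscures, and the question here of whether the privacy purchased with the domain actually helps. The following is an added example, not code from the forum or from any registrar: it parses the key/value text that a whois lookup returns and reports whether any registrant contact field is still exposed. The two records are constructed samples, not real lookups of any domain, and the marker phrases are a few common ones that privacy services print; a registrar may use different wording, so extend the list for your own record. Fields that are absent entirely are treated as not exposed.

```javascript
// Added example, not code from the forum thread or from any registrar.
// Parses "Key: value" whois output and checks whether registrant contact
// details are hidden behind a privacy/proxy service.

// Common phrases privacy services put in the registrant fields (assumption:
// a registrar may use different wording; extend as needed).
const PRIVATE_MARKERS = [
  /redacted/i,
  /privacy/i,
  /proxy/i,
  /withheld/i,
  /query the rdds/i,
];

// Registrant fields that would identify the owner if left visible.
const REGISTRANT_FIELDS = [
  "registrant name",
  "registrant organization",
  "registrant email",
  "registrant phone",
  "registrant street",
];

// Turn whois text into a Map of lower-cased key -> list of values,
// skipping comments and the ">>> Last update ... <<<" trailer.
function parseWhois(text) {
  const fields = new Map();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("%") || line.startsWith("#") || line.startsWith(">>>")) continue;
    const idx = line.indexOf(":");
    if (idx <= 0) continue;
    const key = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!value) continue;
    if (!fields.has(key)) fields.set(key, []);
    fields.get(key).push(value);
  }
  return fields;
}

function first(fields, key) {
  const values = fields.get(key);
  return values ? values[0] : null;
}

// Summarise the record and list any registrant field that is not masked.
function summarize(text) {
  const f = parseWhois(text);
  const exposed = [];
  for (const key of REGISTRANT_FIELDS) {
    for (const value of f.get(key) || []) {
      if (!PRIVATE_MARKERS.some((re) => re.test(value))) exposed.push(`${key}: ${value}`);
    }
  }
  return {
    registrar: first(f, "registrar"),
    created: first(f, "creation date"),
    expires: first(f, "registry expiry date"),
    nameservers: f.get("name server") || [],
    registrantPrivate: exposed.length === 0,
    exposed,
  };
}

// Constructed sample: a domain registered through a privacy service.
const SAMPLE_PRIVATE = `
   Domain Name: EXAMPLE-PRIVATE.COM
   Registrar: Example Registrar, LLC
   Creation Date: 2017-04-28T00:00:00Z
   Registry Expiry Date: 2019-04-28T00:00:00Z
   Name Server: NS1.EXAMPLE-HOST.NET
   Name Server: NS2.EXAMPLE-HOST.NET
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Organization: Privacy Service Ltd
   Registrant Email: Please query the RDDS service of the Registrar
>>> Last update of WHOIS database: 2018-04-25T12:00:00Z <<<
`;

// Constructed sample: the same shape of record with the owner exposed.
const SAMPLE_EXPOSED = `
   Domain Name: EXAMPLE-EXPOSED.COM
   Registrar: Example Registrar, LLC
   Creation Date: 2018-04-20T00:00:00Z
   Registry Expiry Date: 2019-04-20T00:00:00Z
   Name Server: NS1.EXAMPLE-HOST.NET
   Registrant Name: Jane Doe
   Registrant Street: 123 Anystreet
   Registrant Email: jane@example.com
   Registrant Phone: +1.5555550100
`;

for (const sample of [SAMPLE_PRIVATE, SAMPLE_EXPOSED]) {
  console.log(summarize(sample));
}
```

To check a real domain, pipe the output of the command-line tool into this parser instead of the samples; the `exposed` list is what a spammer or scraper would harvest, so it should be empty for a domain bought with privacy enabled.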
     
  15. Philip Marlowe
    Thanks @GravyBoat - web security has been part of my analysis paralysis in even starting this venture so I couldn't agree more. The website is up - I'm just constantly fretting. That said, I do have a back-up.
     
  16. rogue synthetic
    Nah, the point was not to sweat it.

    If you've got somebody after you who can do anything with the information about your location (a crazy Russian hacker, the NSA), you've already got much bigger problems.

    Don't log in to your site without SSL and avoid public wifi. You've fixed 98% of your worries. Anything else is either overkill or useless.
     