The Entrepreneur Forum | Financial Freedom | Starting a Business | Motivation | Money | Success


Basic cybersecurity for a new website?

Philip Marlowe

I'm (finally) launching my website this week and in an effort to focus on my strengths, I outsourced the web design so I could focus on content.

I'll do a crash-course with the firm on running the site (Wordpress), but can anyone tell me where to begin with good cyber security?

I've got the basic cyber hygiene down (strong passwords, multi-factor authentication where possible, avoid sketchy e-mails), but I'm afraid that a public website opens me to a whole host of new things.

A couple core questions:

1. I'd like to remain anonymous initially. My WHOIS is private - any other suggestions?
2. Should I avoid mixing business and personal activity on my laptop? (e.g., just keep it to my website and relevant sites - no banking, personal e-mail, etc.?)
3. If I log-in primarily from my home IP address, does that give my location away? (I don't think I can use Anonymizer because my IP address is cleared through the firewall to my site for admin access)
4. Anything to worry about using Google Analytics? I only have one site so it won't be connected to a web of other sites.

Any guidance would be appreciated. My Google skills just land me at all sorts of awful Forbes articles...

-PM
 

rogue synthetic

Install a security plugin like Wordfence or Sucuri. That can do a lot of heavy lifting for you.

Are you managing the server yourself, or is this a shared hosting deal? That's the other major thing to worry about.

I've got to run to a meeting right this second but I can give more advice about anonymity and privacy if someone hasn't beaten me to the punch before I get back. But 2-4 shouldn't be any serious worries, no.
 
Deleted50669

Make sure you have some form of secured socket layer (SSL). This encrypts data between your site and users who visit your site so that it can't get stolen. You'll notice in the browser sites that are "https" vs "http". "https" is a designation for sites that have adequate encryption through an SSL. Google actively prioritizes sites that meet this standard in its indexing algorithm. And aside from Google rankings, https also creates visitor trust (I'd never trust my financial information on a site without a recognized SSL).
 

ApparentHorizon

Backups. I manage a couple of sites, and all of them have redundant backups.

My approach: it's not if a site gets hacked. It's when.

So in the event someone breaks it, how can you have it up and running in a few hours? (Updraft plus is a good plugin)

That being said, I've never had a real problem in over a decade. And nearly all of them run WP.

Overall, you're overthinking it with the anonymity.

There are hundreds of sites that have your info. And if you found out what they knew about you, you'd crap your pants. In fact, they know more about you than you know about yourself.

So if someone really wanted to find you, they'd do it in a few hours. Something like whois only masks your identity from bot scraping.

Get ready to crap your pants: What every Browser knows about you

This is only what your browser sends to a website directly. Never mind the artificial intelligence predicting your next moves and changing preferences.

(Note: that site says to use noscript. You'll break half the sites you visit if you do.)
 

Roli

Nope, and I can't vouch for any of the software there.

Don't download browser plugins directly from sites.

Go through the appropriate repository, like the Play store on Chrome.


Cool, thanks, good info though.
 

rogue synthetic

Okay, now that I've got some time here's a somewhat more value-added answer:

A couple core questions:

1. I'd like to remain anonymous initially. My WHOIS is private - any other suggestions?
2. Should I avoid mixing business and personal activity on my laptop? (e.g., just keep it to my website and relevant sites - no banking, personal e-mail, etc.?)
3. If I log-in primarily from my home IP address, does that give my location away? (I don't think I can use Anonymizer because my IP address is cleared through the firewall to my site for admin access)
4. Anything to worry about using Google Analytics? I only have one site so it won't be connected to a web of other sites.

Let's make it clear right now that anonymity of your website or your domain name is not the same thing as what you do online as far as browsing and other kinds of activity go. These are two different sets of concerns.

Right where I'm sitting I can use a tool called 'whois' from the command line which gives all the publicly available data on a domain name. For example, when I type 'whois thefastlaneforum.com' it tells me some information about this site, among other things the registrar, when the domain was created, when it expires, the nameservers, and when the domain expires.

On domains without some kind of anonymizing service, it will also show you the name and contact details of the person who registered the site. MJ has this obscured, so I can't send pizzas to his house. Most modern registrars will offer some service like this and it's good practice to take advantage of it. As mentioned upthread, this won't prevent the malicious from finding you but it will put a nice roadblock in the way of spammers and scrapers.

Anonymity of your browsing habits and security of your local machine are a different set of problems. If you log in to your account from your home computer, using the IP assigned to your account by your ISP, then you can be tracked, and worse yet, you are already being tracked.

Being worried about this is like saying you're worried that you can be tracked if you walk out the door of your house to go to the supermarket. Of course you can, and why would you even ask? Your ISP will see where the traffic is going, as can any sites between you and your server unless you're using a VPN.

The question isn't whether your IP gives your location away. The question is who can see that information and who can act on it.

Nobody without access to your remote server can see that you have logged into it or where from (the NSA excluded). And, just like being worried about being seen on a trip to the supermarket, if you're in deep enough with the kind of people who can make you worry about this, worrying about whether they'll see you leave the house should be the last thing on your mind.

This just isn't something to worry about. If you're trolling the comments on the New York Times you'll probably want to use Tor or a VPN. Logging into your server over SSH or an SSH-secured portal, not so much.

Are you really ever private online?

What you do have to worry about is what @ApparentHorizon mentioned. Let's take a quick glance at the site he linked:

[Screenshot: PjKhwks.png]

The big red and green box is a Firefox extension called uMatrix. It shows you all the different sites that are trying to connect to you when you visit a web page. The big block of red down at the bottom left is showing me that the Google Analytics script and the script for Google's page syndication are blocked.

On a page with Facebook's scripts, I'll see similar blocks of red blocking them. Same for most of the major known trackers. I've got it rigged to block certain tracking features in Facebook, Twitter and Taboola based on this advice from the creator.

You think that's got you covered? Or are you in the mood for something more unnerving? Check this out: Panopticlick

My daily driver Firefox is about as cozy as you can make it without breaking 90% of websites. When I run it through Panopticlick, it tells me that I have strong protection against tracking. Great!

But scroll down a little and I see this:

[Screenshot: WdXQvTF.png]

Unique fingerprint? Yes, even with all the spyware blocking plugins and tweaks I've got on this browser, I've still got a unique signature that someone can use to follow me across the web. In fact, part of the reason I got this result is because my browser is blocking or spoofing certain values which are more common in non-secure browsers. How's that for a Catch-22?

For kicks I ran this through the beta version of Firefox which has a special configuration setting meant to block this. It gets only a marginally better score, around 1 in 500,000 (but at least it's not totally unique).

The only browser I know of which can insulate you against tracking is the Tor browser, which totally dominates the Panopticlick test and also natively blocks the canvas fingerprinting trick. Using Tor has a lot of downsides, and if you're using the browser as a daily driver it will add enough inconveniences that you will likely switch back.

What to do?

You can wring your hands about it and turn privacy into a hobby, hang out on websites approved by Richard Stallman, and avoid any site that runs non-GPL Javascript.

Or you can do what you can to block the major offenders and get on with your business. If the right person wants to know who you are, you aren't going to prevent them without taking serious measures, and even then it is much easier for you to screw up than it is for them to miss what they want to know. You can stop some of the most intrusive tracking across websites, but if you use Google or Facebook at all, well, they know who you are, and they have data on you unless you've been blocking everything for a very long time.

I'm about as paranoid about this stuff as you can get while still being functional in the mainstream internet, and I have no doubt there are paper trails on me in all the major databases.

The question is, besides the philosophical debate about privacy and anonymity, does it affect you? I can't answer that. But please keep in mind that this is a totally separate issue from the security of your Wordpress site, or any website you operate.
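
The `whois` check described in the post above, as an added example that is not part of the original thread: it parses `whois` output and sorts contact fields into masked, coarse and exposed, so you can confirm your registrar's privacy service is actually on. The field names follow the common gTLD layout, the marker list is an assumption, and both records are constructed.

```python
import re

# Assumed markers that privacy/proxy services put in place of contact data.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "withheld")
CONTACT_ROLES = ("registrant", "admin", "tech", "billing")
COARSE_FIELDS = ("country", "state/province")  # often published even when masked
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_whois(text):
    """Split 'Key: value' lines into pairs; skip comments and empty values."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#>":
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs

def classify(key, value):
    """Return 'masked', 'coarse' or 'exposed' for one contact field."""
    if any(m in value.lower() for m in PRIVACY_MARKERS):
        return "masked"
    if key.lower().endswith("email") and not EMAIL_RE.match(value):
        return "masked"  # registrar contact form instead of an address
    if key.lower().endswith(COARSE_FIELDS):
        return "coarse"
    return "exposed"

def audit(text):
    """Group contact fields by exposure; collect the always-public domain data."""
    report = {"masked": [], "coarse": [], "exposed": [], "public": {}}
    for key, value in parse_whois(text):
        k = key.lower()
        if k.startswith(CONTACT_ROLES):
            report[classify(key, value)].append(key)
        elif k in ("registrar", "creation date", "registry expiry date"):
            report["public"][k] = value
        elif k == "name server":
            report["public"].setdefault("name servers", []).append(value.lower())
    return report

# Constructed sample records (not real registrations).
PRIVATE_RECORD = """\
Registrar: Example Registrar, Inc.
Creation Date: 2020-01-15T12:00:00Z
Registry Expiry Date: 2026-01-15T12:00:00Z
Name Server: NS1.EXAMPLE.NET
Registrant Name: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Email: https://registrar.example/contact-holder
"""
EXPOSED_RECORD = """\
Registrant Name: Jane Doe
Registrant Street: 123 Example Street
Registrant Email: jane.doe@example.org
"""
print(audit(PRIVATE_RECORD)["exposed"], audit(EXPOSED_RECORD)["exposed"])
```

A forwarding address issued by a privacy service is reported as exposed unless its domain contains one of the markers, so review the exposed list by hand before concluding anything.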
 

GravyBoat

2. Should I avoid mixing business and personal activity on my laptop? (e.g., just keep it to my website and relevant sites - no banking, personal e-mail, etc.?)
3. If I log-in primarily from my home IP address, does that give my location away? (I don't think I can use Anonymizer because my IP address is cleared through the firewall to my site for admin access)

As someone who has worked in IT for 5 years, I'll play devil's advocate here and say you're worrying WAY too much already.

Usability vs. security. The age-old debate.

My take: during start up phase, you're just fine using your personal laptop. If you want to be sure, wipe it and reinstall the OS, then go from there. Don't visit any sketchy sites, don't torrent, you should be just fine. You're a small fish at this point, everyone is when they first start their business.

You're gonna hurt yourself more than help if you're constantly worrying about this stuff. There are certain advanced situations I can think of where you'd want to get another computer, but again, worry about that once you're making money and it's not a problem to buy a new computer.

I've seen people worry to the point where they still have non-smart phones to this day. They use a VPN every day for no real reason. They run Linux-based OS to do all their banking, etc. Don't make it harder on yourself.

EDIT: That does NOT mean don't use backups. For the love of God please back up everything personal and on your site. As often as possible.
 

Choate

If you're worried about personal security as far as computers go, I would highly recommend a Chromebook. Mine is lightning fast and only cost me a little over $200 a few years ago and I never have to worry about security or anything like that. As a web designer and copywriter, it takes care of all my needs functionally (since everything with WordPress is in the cloud) and Google Docs is great. Basically zero worries about security. For me, it's a peace of mind knowing I'm not too worried about this device if anything should happen, compared to having a $1000+ MacBook or Windows laptop.

As far as Google Analytics goes, just make sure you are giving proper disclaimers on your site especially if you use some of their more intricate data services.
 

Roli

Keep your porn browsing and business separate and you should be fine!
 

Tiger TT

1. Don't save your passwords in your FTP Client, because there're viruses which steal your FTP credentials stored in your PC and use that to hack your website.

2. Use KeyScrambler on your computer. This little program encrypts your keystrokes, so even if your anti-virus doesn't detect a keylogger on your PC, the keylogger won't be able to record your sensitive information.

3. Use a desktop cloud backup solution like MozyHome on your PC. So that all your important files are regularly backed up to the cloud and also to an SD card at the same time if you want.

4. Not now, but when your website becomes an important asset to you, use a website firewall and have regular security scans for your website. I use Sucuri for this. Their service is just awesome.

These are some of the things I do in order to maintain a good security posture.
 

Philip Marlowe

Make sure you have some form of secured socket layer (SSL). This encrypts data between your site and users who visit your site so that it can't get stolen. You'll notice in the browser sites that are "https" vs "http". "https" is a designation for sites that have adequate encryption through an SSL. Google actively prioritizes sites that meet this standard in its indexing algorithm. And aside from Google rankings, https also creates visitor trust (I'd never trust my financial information on a site without a recognized SSL).

Thanks 404. Yes - I do have SSL for the website, although mostly because I understand that Chrome users would all get warnings and my domain name would be highlighted in red without it. It was an upfront recommendation from the builder, so I guess that's a good sign.
 

Philip Marlowe

This is excellent - thanks @rogue synthetic

On domains without some kind of anonymizing service, it will also show you the name and contact details of the person who registered the site.
I purchased privacy from day one when I bought the domain, so it sounds like that helps.

Anonymity of your browsing habits and security of your local machine are a different set of problems. If you log in to your account from your home computer, using the IP assigned to your account by your ISP, then you can be tracked, and worse yet, you are already being tracked.
Would using my Verizon hot-spot help? I feel stuck. To keep the site/server secure I've added only my IP to the firewall, and yet it sounds like that actually makes me more of a target. It also seems that a business location is key - by registering the WHOIS at a business AND logging-in only at a business, you separate the site from your home life?

Or you can do what you can to block the major offenders and get on with your business.
I think this is where I'm confused. To your earlier post, does this essentially mean a: private domain registry, a solid password, and reputable security plug-in? After that it's just overkill unless I'm some sort of dissident from China who wants to create an anonymous site that I only access via TOR?

if you use Google or Facebook
Thankfully I have no social media, but based on the website you sent me, that doesn't matter.

Thanks again!
 

Philip Marlowe

As someone who has worked in IT for 5 years, I'll play devil's advocate here and say you're worrying WAY too much already.

Usability vs. security. The age-old debate.

My take: during start up phase, you're just fine using your personal laptop. If you want to be sure, wipe it and reinstall the OS, then go from there. Don't visit any sketchy sites, don't torrent, you should be just fine. You're a small fish at this point, everyone is when they first start their business.

You're gonna hurt yourself more than help if you're constantly worrying about this stuff. There are certain advanced situations I can think of where you'd want to get another computer, but again, worry about that once you're making money and it's not a problem to buy a new computer.

I've seen people worry to the point where they still have non-smart phones to this day. They use a VPN every day for no real reason. They run Linux-based OS to do all their banking, etc. Don't make it harder on yourself.

EDIT: That does NOT mean don't use backups. For the love of God please back up everything personal and on your site. As often as possible.

Thanks @GravyBoat - web security has been part of my analysis paralysis in even starting this venture so I couldn't agree more. The website is up - I'm just constantly fretting. That said, I do have a back-up.
 

rogue synthetic

Would using my Verizon hot-spot help? I feel stuck. To keep the site/server secure I've added only my IP to the firewall, and yet it sounds like that actually makes me more of a target. It also seems that a business location is key - by registering the WHOIS at a business AND logging-in only at a business, you separate the site from your home life?

Nah, the point was not to sweat it.

If you've got somebody after you who can do anything with the information about your location (a crazy Russian hacker, the NSA), you've already got much bigger problems.

Don't log in to your site without SSL and avoid public wifi. You've fixed 98% of your worries. Anything else is either overkill or useless.
 