Step 1: Use Secure Web Hosting Providers and Software

Once you have a domain and a website, it is time to do a stocktake and see if it is safe enough to use, or if it is time for an upgrade. There are a few different providers involved in hosting a website, even if some are not very obvious to you or others. These include:

• The domain registrar, which is the service provider who you purchase and manage your domain name through.

• The DNS hosting provider, which is the service provider where you configure different technical settings related to your domain name (like your TXT records for SPF/DKIM) and the records for tying your domain name to your website (IP address). Your DNS hosting provider and domain registrar may be the same company.

• The website hosting provider, or the service provider who gives you a website server to share or use to host your website itself.

• The content management system (CMS) provider, or the service provider (or just software) used for managing all the content on your website.

• Any other third-party software or plugins on your website, or supporting analytics or the site’s content.

If you are moving to a new service provider or setting up with a new one, you might find yourself using a website builder service, such as Squarespace, Wix, or Webflow, or an e-commerce platform, such as Shopify. Such services provide a website and cover both the roles of a hosting provider and a content management system. Paying anywhere from US$15–$40 a month can be a small price to pay for the simplicity of running your website, and these providers often provide the security features you need.

Optionally, you may pay a contractor, often called a managed service provider, to wrangle all these for you.

​confusion​ Some techies may tell you it is cheaper and better to build your website yourself—using tools like Amazon Web Services and WordPress—but this assumes you have the technical expertise, time, and energy to use and secure these correctly. If a website builder service passes the vetting tests we discuss next, they may be best for your needs.

Here is how each service provider fits together, using our safestack.io website as an example:

Figure: Services involved when a user visits a website.

It might be that you have one service provider for all of these services, or you might have a few different providers. When taking stock inventory, identify all the third-party website service providers you have or work with, and make a note of which providers perform which services based on the providers and technologies listed above. From there, go through each and check if they provide the following key features needed to secure your website:

• 2FA for the account you use to access your DNS records, website server, and content management system. These are critical technology components, and they need to be protected with two steps of authentication.

• Website server and daily content backups, which are stored on a different server from your main website, or are managed by your service provider (you just have to tell them which backups you need and if you need to restore from one).

• Automatic updates to website server software and third-party software. This is a brownie point because not all service providers can give you this option, as helpful as it might be. You might have to compromise with just a fortnightly or monthly reminder to manually update things yourself instead.

The list of key features might seem quite small, but you would be surprised how many service providers fail just that first feature of 2FA. When drawing the line to filter out service providers who don’t check all these boxes, you might find yourself with quite a short list of options. (Silver lining: that makes decision paralysis much easier to manage!)