Website Security
This is my very first post on my new website, and I want to share some lessons I’ve already learned the hard way about website security. I purchased my domain last month, and, though it took me a while to choose, I settled on DreamHost to host my site a little over a week ago.
Last Friday night, I tried to take a look at this site – not because I had done too much with it yet, but just because I was happy with the way it was taking shape. I had installed my WordPress.org content management system, and I had loaded my lovely website theme onto the site earlier in the week. That night, however, I was stunned to find that when I typed in www.techkathy.com, my site no longer loaded. Instead, I was rerouted to some German guy’s website devoted to new developments for the iPhone.
I was shocked, upset, angry and confused, all at the same time, but I slowly pulled myself together to take action. Unfortunately, since this is my first website, I wasn’t exactly sure what that action should be. I struggled for the next four hours to figure out how this had happened and what I could do about it.
Now rather than tell you about my frustrating experience along with a few of the errors I made, I thought it would be far better to share with you some of the lessons I learned from all this:
- Lesson 1: Never keep the default passwords your website host or content management system set up for you. Once you receive passwords, log into each respective account and change the passwords. The fewer people who know your passwords the better! I thought that because they were randomly generated passwords, they were secure. Maybe they were, but others may have had access to them.
- Lesson 2: Always transfer your files between your computer and your host’s servers securely. The default option set up for me was “FTP,” which works just fine, but it doesn’t encrypt any data – including usernames and passwords! Everything you send and receive is readily available to anyone who might want to see it. There are far more secure methods of transferring files between your computer and your host’s servers, including “SFTP” (Secure File Transfer Protocol) and “FTPS” (File Transfer Protocol over a Secure Sockets Layer). Both encrypt your data, and, fortunately, it’s not necessary to know too many of the details about this: most hosts offer all of these options, and most FTP software applications allow you to just pick one of them when you establish a connection to your server.
- Lesson 3: Always back up all your content. I had only just started the website, but I had already posted an “About” section, telling people about me and the purpose of the site, and I lost it. Luckily, my husband was able to recover it from the browser cache, so I didn’t have to rewrite it all, but I should have kept a copy of it on my computer.
- Lesson 4: If your site is attacked, alert your host immediately. This was in my host’s documentation, so I did it right away. They offered a few pieces of advice; although these didn’t actually fix the problem, they did give me some guidance on where to start looking for problems.
- Lesson 5: If your site is attacked, keep a log of what you do to fix it. I wanted to fix the problem right away, but I couldn’t figure out what exactly it was, so I just took down the entire site, which included many files that looked unfamiliar to me. It didn’t help that I was upset and somewhat unsure about what I was doing. Later I found out that some of the files were supposed to be there. Since I kept track of what I had done, I was able to look back and know how and where to put them back. It was also helpful because when I asked someone else for help identifying what went wrong, I had something I could show that said exactly when the problems started, what I had done, and when I had done it.
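Lessons 3 and 5 both come down to knowing which files belong on the site. The sketch below is an added example, not something from my host or from WordPress: it records a SHA-256 baseline of every file in a local copy of the site and later reports what was added, removed, or modified. The function names and the baseline file are assumptions made for illustration.

```python
import hashlib
import json
from pathlib import Path


def build_manifest(site_root):
    """Map each file's path (relative to site_root) to its SHA-256 digest."""
    root = Path(site_root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def save_manifest(manifest, manifest_file):
    """Write the baseline as JSON; keep it outside the web root, with the backup."""
    Path(manifest_file).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_file):
    """Read a baseline previously written by save_manifest."""
    return json.loads(Path(manifest_file).read_text())


def compare_to_baseline(baseline, current):
    """Return the files added, removed, or modified since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name): python site_manifest.py <site_dir> <baseline.json>
    site_dir, baseline_file = sys.argv[1], sys.argv[2]
    current = build_manifest(site_dir)
    if Path(baseline_file).exists():
        # A baseline exists: report every difference, one per line.
        report = compare_to_baseline(load_manifest(baseline_file), current)
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}: {p}")
    else:
        # First run: record the known-good state.
        save_manifest(current, baseline_file)
        print(f"baseline written with {len(current)} files")
```

Pasting the report into the incident log gives anyone helping you an exact list of what changed.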
Of course, this is not a comprehensive list of how to keep your website secure, nor is it a guide for what you should do if and when your site is hacked. These are just a few of the lessons I learned from my experience. Now, I actually consider myself lucky that this happened when it did. I could have lost much more of my content and had a much harder time getting the site back up and running if it had happened later.
If, like me, you’ve learned a few pointers you’d like to share with others about keeping your website and its content secure, please feel free to post a comment here about it. Thanks, and best of luck with your own websites!
Copyright © 2008, Kathy Keating and TechKathy.com. All rights reserved.