There is always a trade-off between the level of security and the amount of time and effort that you're willing to put into a project. For a personal blog, I would recommend you keep these things in mind.
- Always update your CMS. No matter if you choose WordPress, Drupal, Django, or something else, make sure that you always check for security updates. The very minute you publish something on the internet, it will be scanned from around the world for weaknesses. Keeping up to date with the latest patches will keep you much safer.
- Use a strong password! There are some good posts on this site regarding password management. Automated scanners will be brute-forcing your admin page the second it is published. So use a unique password.
- Use multi-factor authentication, if possible. For the admin page of your site you can sometimes enable multi-factor authentication. If the CMS that you choose offers that as an option, use it.
- Keep backups, in case something goes wrong. Make backups as often as you are able to. (If you're making periodic posts, just back up the site after each post.)
An alternate solution. You mentioned that your site will be "mainly just be static content with a section for readers' comments." If this is the case, then you may want to look into static site generators. The idea is that you can generate a very nice site (especially a blog) offline. The site generator will spit out for you static HTML/CSS/JS. You can then take these files and use a CDN (Amazon S3, for example) to host the site. Your web site will have a really hard time ever being hacked if it accepts no dynamic content! Comments can also be enabled on a site by offloading that work to another provider. Disqus or Discourse may be viable solutions.