Many parties work directly or indirectly to secure the websites on Georgetown Domains, including CNDLS staff, Reclaim Hosting — which manages the servers that Georgetown Domains uses, developers of applications available on Georgetown Domains, and you. 

As the administrator of your Georgetown Domains account, you have an essential role in securing your domain. This responsibility is part of owning your domain and, hence, the educational mission of the platform.

We’ve prepared a list of best practices for website security on Georgetown Domains. Please reference the actions that follow as you set up and maintain your website.

Many of the “Further Reading” links below provide guidance specifically for WordPress. If you are not using WordPress, please review similar resources for the software that you choose to install on Georgetown Domains.

Use community-vetted software

Review and read other reviews on the usage and security of the software that you intend to install. Keep in mind that software with more users and updates is generally safer.

• Read the “Overview” of the application that you want to install in cPanel. Note information related to application support and documentation and the date when the application was last updated.
• If you’re using WordPress, explore the theme and plugin directories for add-ons that have been vetted for security.

Further Reading: How to Make Sure You Pick a Secure WordPress Theme by John Hughes

Regularly update software

When using a popular Content Management System (CMS), like WordPress or Omeka, update the underlying application and any add-ons. 

• Enable “Automatic Updates” for minor versions and security releases when installing a new application in cPanel.
• Deactivate or remove any add-ons that are no longer in use.

Further Reading: Configuring Automatic Background Updates by WordPress

Strengthen and specify user accounts

Create usernames and passwords that are difficult to guess.

• Change default usernames like “admin.”
• Use passwords that are at least twelve but ideally twenty characters long and that contain letters, numbers and special characters. 
• Do not use passwords with terms easily linked to you, such as your street address or birth year.
• Store complex passwords with a password manager. University Information Services recommends LastPass.

Limit user permissions.

• Assign the right roles to user accounts. If a user doesn’t need administrator privileges, such as the ability to change settings or update add-ons, an editor or contributor role may be appropriate.
• Remove user accounts that are no longer in use.

Further Reading: Password Best Practices and Roles and Capabilities by WordPress

Backup your website before major updates

Save snapshots of your site so that you can retrieve your content if something goes awry. 

• Enable  “Automatic Update Backups” for major application updates when installing an application in cPanel.
• Backup your site before add-on updates within the “My Apps” interface in cPanel.

Further Reading: Backups Done Right by Tim Owens