Best Practices for Webmasters
Running a Web site, exposed to a wide audience or not, is not always easy. It is important to think about your personal safety as well as the safety of the visitors. Often, Webmasters are surprised when their Web sites are unexpectedly blocked in a certain country. If a large number of visitors are unable to access the site, the site operator may also face economic problems. Losing your Web site content or server, or having to set up a new server can also be disturbing and frustrating.
This chapter intends to gather a checklist of good practices and advice to have in mind when running your Web site.
Protect your website
- Always schedule automated backups (files and database) on at least one other physical machine. Be sure you know how to restore from them.
- Monitor your traffic to learn which countries your visitors come from. You can use geolocation databases to make a guess about which country an IP address is located in. If you notice a major drop in traffic from a specific country, your Web site may have been blocked. You can share this with databases of geographically blocked Web sites, like Herdict (https://www.herdict.org/web).
- Secure your Web site, especially if you use a CMS (Content Management System). Always install the latest stable updates to fix security flaws.
- Secure your Web server software with high level security settings (you can find plenty of online resources about how to secure Linux Web servers).
- Register (or transfer) your domain name with a DNS provider which is not your hosting provider. In case of an attack on your hosting provider, you will be able to easily point your domain name to a new hosting provider.
- You may also want to create a mirror server running as a standby to which you can switch easily. Learn how to switch your DNS entries to the mirror server.
- Consider hosting your website in a foreign country, where the content is less controversial and clearly legally protected. This may imply only a small additional delay in page load time (usually a few milliseconds) for your visitors and may save you a lot of trouble if you are located in a country where your Web site's content is considered very controversial.
- Test and optimize your website with the main circumvention tools your visitors are likely to use. Check and fix any broken pages or features. Ideally, make your website usable to visitors without JavaScript or plugins, since these may be unavailable or broken when people are using proxies.
- Avoid using FTP to upload your files. FTP sends your password over the Internet unencrypted, making it easy for eavesdroppers to steal your login credentials. Consider using SFTP (SSH File Transfer Protocol), SCP, or secure WebDAV (over HTTPS) instead.
- Use alternative ports to access your back-end. Hackers usually run automatic scans on standard ports to detect vulnerabilities. Consider moving back-end services (such as SSH) to non-standard ports to minimize the risks of these attacks.
- Protect your server against brute-force attacks by installing a tool such as DenyHosts (http://denyhosts.sourceforge.net), which blacklists IP addresses that make more than a certain number of unsuccessful login attempts.
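The traffic-monitoring check from the list above, sketched as an added example (not part of the original manual). It assumes each request has already been tagged with a country code by a geolocation lookup; the function names, thresholds and sample data are constructed for illustration.

```python
from collections import Counter
from statistics import median

def daily_counts(records):
    """Group (date, country) pairs into {date: Counter({country: hits})}."""
    days = {}
    for date, country in records:
        days.setdefault(date, Counter())[country] += 1
    return days

def country_drops(days, threshold=0.3, min_baseline=20):
    """Flag countries whose latest-day traffic collapsed against their history.

    The baseline is the per-country median of all earlier days. Countries
    with a baseline under min_baseline are skipped, because small numbers
    fluctuate too much to judge. Returns {country: (baseline, latest_hits)}.
    """
    dates = sorted(days)  # ISO dates sort chronologically as strings
    if len(dates) < 2:
        return {}
    latest = days[dates[-1]]
    history = [days[d] for d in dates[:-1]]
    flagged = {}
    for country in set().union(*history):
        baseline = median(day.get(country, 0) for day in history)
        hits = latest.get(country, 0)  # absent from the latest day counts as 0
        if baseline >= min_baseline and hits < threshold * baseline:
            flagged[country] = (baseline, hits)
    return flagged

# Constructed sample using the user-assigned codes XA and XB: four normal
# days, then a fifth day on which XB almost disappears.
SAMPLE = (
    [(f"2024-01-0{d}", c) for d in range(1, 5)
     for c, n in (("XA", 40), ("XB", 30)) for _ in range(n)]
    + [("2024-01-05", "XA")] * 38
    + [("2024-01-05", "XB")] * 2
)

if __name__ == "__main__":
    for country, (base, hits) in country_drops(daily_counts(SAMPLE)).items():
        print(f"{country}: {hits} hits against a baseline of {base}")
```

A flagged country is only a hint that the site may be blocked there; an outage on your own side lowers every country at once.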
Protect yourself
Here are some tips to prevent potential personal harm, if staying anonymous as a webmaster is important for you.
- Use an anonymous e-mail address and name which is never associated with your real identity.
- If you own a dedicated domain name, you can record dummy entries in the WHOIS public database by using a service often called "WHOIS proxy", "WHOIS protect" or "domain privacy".
- Use a service like Tor to stay anonymous when updating your Web site.
Protect your visitors
Apart from protecting your Web site and yourself, it is also important to protect the visitors from potential third party monitoring, especially if they submit content to your website.
- Deploy HTTPS so your users can access your site over an encrypted connection. This makes it more difficult to inspect the transferred content automatically and lets visitors verify your site's identity. Ensure that your HTTPS configuration covers your entire site and that you follow other best practices for HTTPS configuration. You can find information on how to deploy it correctly at https://www.eff.org/pages/how-deploy-https-correctly and also try the automated tests at https://www.ssllabs.com/ for many technical parameters.
- Minimize retained data in your logs. Avoid saving IP addresses or any personal data related to your visitors longer than necessary.
- Protect critical user data such as passwords, for example by storing them only as salted hashes.
- External services like Google Analytics or other third-party content like ad networks are difficult to control. Avoid them.
- Create a light and secure version of your Web site, without any embedded Flash or JavaScript code, compliant with Tor and low-bandwidth connections.
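One way to apply the log-minimization advice above, as an added example that is not part of the original manual: the client address in each access-log line is truncated before the line is stored. It assumes Common or Combined Log Format (client address as the first field); the /24 and /48 prefix lengths and the sample lines are choices made for this sketch.

```python
import ipaddress
import re

# In Common/Combined Log Format the first whitespace-delimited field is
# the client address; everything after it is kept unchanged.
_FIRST_FIELD = re.compile(r"^(\S+)(.*)$", re.DOTALL)

def truncate_ip(addr, v4_prefix=24, v6_prefix=48):
    """Zero the host bits so the address no longer identifies one visitor."""
    ip = ipaddress.ip_address(addr)  # raises ValueError if not an IP address
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:a.b.c.d as the IPv4 address it carries
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)

def scrub_line(line):
    """Return the log line with its client field truncated or blanked."""
    match = _FIRST_FIELD.match(line)
    if not match:
        return line  # empty or malformed line: nothing to scrub
    client, rest = match.groups()
    try:
        return truncate_ip(client) + rest
    except ValueError:
        # Not an IP address (for example a resolved hostname, which can be
        # just as identifying): replace it rather than keep it.
        return "-" + rest

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.77 - - [05/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:1234:5678::1 - - [05/Jan/2024:10:00:01 +0000] "GET /a HTTP/1.1" 200 90',
    'visitor-pc.example.net - - [05/Jan/2024:10:00:02 +0000] "GET /b HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry))
```

Truncated addresses still resolve to a country in most geolocation databases, so traffic monitoring by country keeps working on the scrubbed logs.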
Educate your visitors
- Teach your users how to use circumvention tools and how to improve their online security.
- Make a digital safety checklist available so your visitors can be sure they are not being monitored or attacked.
Share circumvention tools with your visitors
- Host Web proxy instances (such as SabzProxy or Glype Proxy). Share them with your visitors by e-mail or through your social networks.
- Send out Psiphon invitations if you have an account on a private node.
- Install other kinds of Web and application proxies if you own a dedicated server and share it.
- Link to this manual or relevant circumvention tools from your website.
Multiply channels of distribution
Webmasters can and should take different actions in order to spread their content as much as possible, to prevent being shut down or blocked.
- Set up a newsletter, and send regular updates of new content by e-mail. You will still be able to reach users when they are not able to visit your Web site anymore.
- Set up an RSS feed and make sure it contains full articles and not only excerpts (snippets). This way your content can be parsed very easily by third party websites and applications such as Google Reader, which can be used to read your content where direct access is blocked.
- Share your content on popular social networking platforms, such as Facebook or Twitter, which may be hard to block.
- Spread the content as much as possible. Make your content available for download. Wikipedia, for example, distributes its entire content freely as a database dump which can be used to easily create new mirror Web sites with the same content elsewhere.
- Consider publishing your articles under an open license (like GPL or Creative Commons) which allows everyone to reuse your content and create mirrors.
- Mirror your files on free sharehosting services like Rapidshare.com or Megaupload.com and on peer-to-peer filesharing software like BitTorrent.
- Configure your Web server to also serve content on different ports than the standard ports 80 (http) and 443 (https).
- Offer an API (application programming interface) which allows others to access your content automatically via third-party software, as Twitter or Wikipedia do.
Reduce your page load time
Reducing your page load time not only will save you some bandwidth and money, but will also help your visitors coming from developing countries to access your information better. A good list of best practices for speeding up your website can be found at http://developer.yahoo.com/performance/rules.html and https://code.google.com/speed/page-speed/.
- Adopt a minimalist style. Consider keeping images to a minimum, and use CSS to style your layout. A good introduction to CSS can be found at http://www.w3schools.com/css/css_intro.asp.
- Optimize your images. Use programs like OptiPNG (http://optipng.sourceforge.net/) to make your pictures load faster by optimizing them for the Web. Also, never scale images with HTML if you don't need to (for example, if you need a 60x60 image then resize the file itself, rather than scaling it with HTML).
- Reduce Java, JavaScript, Flash and other content that runs in the client's computer to a minimum. Remember that some Internet cafés disable this kind of content for security reasons. Make sure that the information you want to convey is displayed in pure HTML.
- Use external files for your CSS and JavaScript. If you have a certain CSS style or JavaScript that is recurrent in your Web site, consider saving it in a separate file and calling it in the header of your Web page. This will allow your client's browser to cache the files, and they will not have to download all this content each time they visit a Web page on your site.
- Minify your code. Remove any unnecessary line breaks and spaces. Some tools that do this automatically can be found at http://javascriptcompressor.com.
- Reduce the number of server requests to a minimum. If you have a dynamic Web site but the content does not change very frequently, you may want to install some cache extensions that will provide your users with a static version of your content, thus significantly reducing the number of requests to your database.