SAFETY DISPATCH: How to Secure Your Author Website
by the SFWA Safety Committee
Numerous user-friendly options exist for authors to set up and manage their own websites, from single, static pages to actively updated blogs. They can be built with templates or custom designed, self-hosted, or placed on a managed hosting service. Regardless of format or complexity, an author website is a perennially useful information hub that is under your control. Social media sites may come and go, but you can always link back to your website.
The ease of setup can sometimes result in people hitting publish before they’ve looked into general security measures. Here are a few that you should bear in mind:
Choose A Reputable Web Host
Not all hosting is created equal. Some web hosts are heavily managed companies with built-in security measures. Others provide bare-bones hosting at low cost and leave it up to you to purchase, install, and maintain security plugins of your own. Read reviews of web hosts before committing to one, and if you aren’t confident in your ability to maintain website security on your own, then consider going with a managed hosting provider.
Secure Your WHOIS Information
When you register a domain name for your website, ICANN (Internet Corporation for Assigned Names and Numbers) requires you to submit personal contact information to the WHOIS database. This includes your name, physical address, phone number, and email address. By default, this information is made publicly available, and submitting false information can get a website suspended.
Some people set up new contact points solely for things like website registration and newsletter footers, such as P.O. Boxes, phone forwarding services, or dedicated email addresses. Others form business entities and can use those contact details instead.
An alternative is private registration. Many domain registrars offer a WHOIS privacy service, either for free as part of their hosting package, or for a small, additional annual fee. If you select this service, the registrar’s information will be displayed on an ICANN lookup instead of your own, and correspondence sent to their proxy address will be forwarded to your real one. Take a close look at your options, as these services vary by country and domain.
Enable Two-Factor Authentication
Consider enabling two-factor authentication for your admin login. You don’t want to be one compromised password or brute force attack away from losing control of your website.
At a minimum, use a strong, unique password that isn’t shared by any of your other online accounts so that a data breach at one can’t compromise the others. And change the default admin name—it doesn’t have to remain “admin,” giving everyone half of your username/password combo from the outset! Password managers, such as 1Password or Bitwarden, can also be useful tools for managing multiple accounts.
Moderate Comments
If your website accepts comments on posts, look into your moderation options before you have problems with spam or unwanted messages. Many blog hosts include an option to queue up comments for approval before they appear to the public. Alternatively, if you don’t want to worry about moderating comments and rejecting spam, find out how to disable the option entirely.
Keep All Software Updated
Websites are not set-it-and-forget-it platforms. Security certificates need renewing, software needs to be patched, and websites need to remain compliant with ever-changing laws and regulations.
While managed hosts (think all-in-one services like WordPress.com) will push many of these updates for you, you’ll still need to keep your themes and plugins updated. Whenever you redesign your site, delete old plugins rather than let them clutter up your backend with extra vulnerability points. Compromised plugins are one of the primary sources of website vulnerabilities, so choose carefully, keep up-to-date with all security patches, and get rid of anything not actively in use!
Make Regular Backups
Find out if your web hosting includes regular backups and how to access them. If not, you can set up a backup schedule of your own, either manually, via a plugin, or through a third-party service. For extra security, keep a copy on an external hard drive and refresh it regularly. If disaster strikes, you’ll be able to restore your website to a prior state instead of losing it all.
Carefully Choose What to Share
Your author bio doesn’t have to list family members, your hometown, or any other identity markers you aren’t comfortable sharing. You’re not obligated to mention your birthday, your employer, or your involvement with other organizations, through which somebody might find details about your identity and location that you don’t wish to share. Some authors are transparent about all of these things, and some aren’t. There isn’t a single right answer to sharing information about your life online. But if you think about the boundaries you would like to set in advance, you’ll find it easier to avoid posting information that you can’t take back.
Photographs can also be sources of more information than you intend. Pay attention to what’s in the background of any photos you post on your website or on social media, such as exterior shots of your home or distinctive landmarks through your windows. Turn off geolocation metadata when you take photos or make sure you know how to remove it before posting images online.
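One way to check a JPEG for embedded location data and strip it before posting, shown as an added example that is not part of the original article. It handles Exif metadata only; the function names are this example's own, and the sample image bytes are constructed for illustration rather than taken from a real photo.

```python
import struct

EXIF = b"Exif\x00\x00"   # signature of an APP1 segment carrying Exif
GPS_TAG = 0x8825          # entry in the first directory that points at GPS data

def segments(jpeg):
    """Yield (marker, payload, raw) for each header segment before image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        raw = jpeg[pos:pos + 2 + length]
        yield jpeg[pos + 1], raw[4:], raw
        pos += 2 + length

def has_gps(jpeg):
    """True if any Exif segment's first directory points at a GPS block."""
    for marker, payload, _ in segments(jpeg):
        tiff = payload[6:]
        if marker != 0xE1 or not payload.startswith(EXIF):
            continue
        if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
            continue
        e = "<" if tiff[:2] == b"II" else ">"   # byte order of the Exif block
        (ifd0,) = struct.unpack(e + "I", tiff[4:8])
        head = tiff[ifd0:ifd0 + 2]
        count = struct.unpack(e + "H", head)[0] if len(head) == 2 else 0
        for i in range(count):
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            if len(entry) == 12 and struct.unpack(e + "H", entry[:2])[0] == GPS_TAG:
                return True
    return False

def strip_exif(jpeg):
    """Return the JPEG with every Exif segment removed; image data is untouched."""
    kept, consumed = [], 2
    for marker, payload, raw in segments(jpeg):
        consumed += len(raw)
        if not (marker == 0xE1 and payload.startswith(EXIF)):
            kept.append(raw)
    return jpeg[:2] + b"".join(kept) + jpeg[consumed:]

# Constructed sample: a JFIF header, one Exif segment with a GPS pointer, stub image data.
TIFF = (b"II*\x00" + struct.pack("<IH", 8, 1) + struct.pack("<HHII", GPS_TAG, 4, 1, 26)
        + struct.pack("<I", 0) + struct.pack("<HI", 0, 0))
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
APP1 = b"\xff\xe1" + struct.pack(">H", len(EXIF + TIFF) + 2) + EXIF + TIFF
SAMPLE = b"\xff\xd8" + APP0 + APP1 + b"\xff\xda\x00\x02\x00\xff\xd9"
```

Removing the Exif segment also drops camera model, timestamps, and orientation, so a photo may need rotating before upload. Location can also be stored in other metadata formats such as XMP, which this example does not inspect.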
None of this is meant to discourage anyone from creating a website but rather to secure what you have so you can focus on the part that means the most: writing!
Further Reading
Personal Safety Online – Additional resources on safely maintaining an online presence from the SFWA Safety Committee.
Privacy Tools – A curated list of mostly free and open-source tools, including private emails, VPNs, file sharing, and encryption. Includes a section on blog hosting and domain providers.
ICANN FAQ – More information on ICANN, domain registration rules, and their full list of accredited domain registrars.
The SFWA Safety Committee maintains the Safety Resources on SFWA’s website at www.sfwa.org/safety. These resources contain useful information for creators maintaining an online presence and touch on safety considerations for in-person events for both attendees and event planners. We are here to help individuals and organizations navigate the speculative fiction publication industry with an increased consideration for safety.