Securing Your Political Candidate's Website
Tips for political campaign managers on keeping the candidate's website safe.
If you're a political campaign manager, you're going to want the best security for your candidate's website. You can do many things to ensure your candidate's website is safe. First, you'll want to use a trusted password manager to generate and store credentials for authorized users within the campaign and for contractors who may be working on your site. Keeping a tight lid on who has access to your website is a good start, but you can do a lot more to prevent your site from being vulnerable to hackers or any bad actor. Here is a guide to give you the best chance to ward off bad guys and keep your candidate's digital reputation safe.
F.B.I. 2020 Internet Crime Report
The FBI reported 12,827 victims of "Government Impersonators"; these victims lost almost 110 million dollars. [https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf; pages 19-20]
Secure your political candidate's website from impostors
For a hacker or bad actor, impersonating your candidate or falsely representing the campaign can be very easy to do if you fail to take some simple steps.
An excellent place to start is registering your domain name itself.
Next, set up DNSSEC. This is slightly technical, but a moderately experienced web developer should be able to do this.
What is DNSSEC?
DNSSEC protects against domain forgery by cryptographically signing DNS records, so that the records a resolver receives can be verified as identical to the DNS records published by the domain owner. Setting the DNSSEC record properly prevents bad actors from hijacking the domain name. Essentially, this stops the bad guys from sending email that pretends to come from your domain, or from impersonating your campaign or your candidate. Imagine the damage this could do.
We do not recommend using a free email service like Yahoo or AOL for your campaign, and Gmail isn't the best option to represent the professional look of your campaign. Get a domain-based email address, e.g., [email protected]
(Just do it)
Secure your Website with offsite services
After you get your domain registered and your email set up, set up an account with Cloudflare. The free service will probably be sufficient unless you are collecting contributions on the site, in which case you may want to consider upgrading at $20 a month. Cloudflare has many protections and, most notably, redirects your public traffic through a proxy server.
Secure your Website with onsite measures
Once your website is up, you will need an SSL certificate. You should be OK with a free certificate from a service like Let's Encrypt. Cloudflare also offers several levels of SSL protection.
- Obfuscate your website login, e.g., change /wp-admin to /anything-else.
- Implement 2FA login. A two-factor login will help prevent unauthorized users from accessing your website. Although you can verify with an SMS message, we prefer an authenticator app. The authenticator generates a new code every 30 seconds and doesn't communicate between the site server and your device, adding an extra layer of security.
- Block other countries' IP addresses if you can, for example Russia, China, and anywhere outside of the United States. For most local elections, anyone outside the country has no business on your campaign website, in our opinion. Besides, almost all of this traffic is bad actors scanning your site for a vulnerability.
- Perform a security audit (we recommend hiring B2Intel). They can manually audit your site, your DNS, and other public-facing records and let you know whether your site is vulnerable to hackers. (Spoiler alert: it probably is.)
We have a few tricks up our sleeve to help harden the security of your political website and protect your candidate's reputation and your campaign's legitimacy. So please don't get caught off guard and call us for a free consultation. 203.228.8133.