
      Recommended Steps To Harden Apache HTTP on FreeBSD 12.0


      The author selected the Free and Open Source Fund to receive a donation as part of the Write for DOnations program.

      Introduction

      Although the default installation of an Apache HTTP server is already safe to use, its configuration can be substantially improved with a few modifications. You can complement already present security mechanisms, for example, by setting protections around cookies and headers, so connections can’t be tampered with at the user’s client level. By doing this you can dramatically reduce the possibilities of several attack methods, like Cross-Site Scripting attacks (also known as XSS). You can also prevent other types of attacks, such as Cross-Site Request Forgery, or session hijacking, as well as Denial of Service attacks.

      In this tutorial you’ll implement some recommended steps to reduce how much information your server exposes. You’ll check directory listings and disable indexing to control access to resources. You’ll also lower the default value of the Timeout directive to help mitigate Denial of Service attacks. Furthermore you’ll disable the TRACE method so sessions can’t be hijacked through it. Finally you’ll secure headers and cookies.

      Most of the configuration settings will be applied to the Apache HTTP main configuration file found at /usr/local/etc/apache24/httpd.conf.

      Prerequisites

      Before you begin this guide you’ll need the following:

      With the prerequisites in place you have a FreeBSD system with a stack on top of it able to serve web content written in PHP, such as major CMS software. Furthermore, you’ve secured connections with a Let’s Encrypt certificate.

      Reducing Server Information

      The operating system banner is a method used by computers, servers, and devices of all kinds to identify themselves on a network. Malicious actors can use this information to select exploits against the relevant systems. In this section you’ll reduce the amount of information published by this banner.

      A set of directives controls how this information is displayed. The important one here is the ServerTokens directive; by default it reveals full details about the operating system and compiled modules to every connecting client.

      You’ll use a network scanning tool to check what information is currently revealed before applying any changes. To install nmap run the following command:

      To get your server’s IP address, you can run the following command:

      • ifconfig vtnet0 | awk '/inet / {print $2}'

      You can check the web server response by using the following command:

      • nmap -sV -p 80 your-server-ip

      You invoke nmap with -sV (a scan with service and version detection) on port 80 (the -p flag) against the given IP address or domain.

      You’ll receive information about your web server, similar to the following:

      Output

      Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 00:30 CET
      Nmap scan report for 206.189.123.232
      Host is up (0.054s latency).

      PORT   STATE SERVICE VERSION
      80/tcp open  http    Apache httpd 2.4.41 ((FreeBSD) OpenSSL/1.1.1d-freebsd)

      Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 7.59 seconds

      This output shows that the operating system, the Apache HTTP version, and the OpenSSL version are visible. This can help attackers learn about the server and choose the right tools to exploit, for example, a vulnerability in the software running on it.

      The ServerTokens directive is not set in the main configuration file by default, and in its absence Apache HTTP displays the full information about the server, as the documentation states. To limit what is revealed about your server and configuration, you’ll place the ServerTokens directive inside the main configuration file.

      You’ll place this directive following the ServerName entry in the configuration file. Run the following command to find the directive:

      • grep -n 'ServerName' /usr/local/etc/apache24/httpd.conf

      You’ll find the line number that you can then search with vi:

      Output

      226 #ServerName www.example.com:80

      Run the following command:

      • sudo vi +226 /usr/local/etc/apache24/httpd.conf

      Add the following highlighted line:

      /usr/local/etc/apache24/httpd.conf

      . . .
      #ServerName www.example.com:80
      ServerTokens Prod
      

      Save and exit the file with :wq and ENTER.

      Setting the ServerTokens directive to Prod makes the server announce only that it is an Apache web server.

      For this to take effect restart the Apache HTTP server:

      To test the changes, run the following command:

      • nmap -sV -p 80 your-server-ip

      You’ll see output similar to the following, with less information about your Apache web server:

      Output

      Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 00:58 CET
      Nmap scan report for WPressBSD (206.189.123.232)
      Host is up (0.056s latency).

      PORT   STATE SERVICE VERSION
      80/tcp open  http    Apache httpd

      Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 7.59 seconds

      You’ve seen what information the server was announcing prior to the change and you’ve now reduced this to the minimum. With this you’re providing fewer clues about your server to an external actor. In the next step you’ll manage the directory listings for your web server.

      Managing Directory Listings

      In this step you’ll ensure the directory listing is correctly configured, so the right parts of the system are publicly available as intended, while the remainder are protected.

      Note: An argument listed without a sign is enabled; prefixing it with + makes that explicit. Prefixing it with a minus sign - disables the argument, for example, Options -Indexes.

      Signed and unsigned arguments can’t be mixed in one Options directive; Apache HTTP treats this as bad syntax and may refuse to start.

      Adding Options -Indexes stops Apache HTTP from automatically generating a directory listing (an index) of the data path /usr/local/www/apache24/data when no index file such as index.html is present, so a URL that maps to this directory doesn’t show its contents. This also applies to virtual host configurations such as the one used in the prerequisite tutorial for the Let’s Encrypt certificate.

      You will set the Options directive with the -Indexes argument and the +FollowSymLinks argument, which allows symbolic links to be followed. You’ll use the + sign to comply with Apache HTTP’s conventions.

      Run the following command to find the line to edit in the configuration file:

      • grep -n 'Options Indexes FollowSymLinks' /usr/local/etc/apache24/httpd.conf

      You’ll see output similar to the following:

      Output

      263:    Options Indexes FollowSymLinks

      Run this command to directly access the line for editing:

      • sudo vi +263 /usr/local/etc/apache24/httpd.conf

      Now edit the line as per the configuration:

      /usr/local/etc/apache24/httpd.conf

      . . .
      #
      Options -Indexes +FollowSymLinks
      
      #
      . . .
      

      Save and exit the file with :wq and ENTER.

      Restart Apache HTTP to implement these changes:

      At your domain in the browser, you’ll see a forbidden access message, also known as the 403 error. This is due to the changes you’ve applied: placing -Indexes in the Options directive has disabled the auto-index capability of Apache HTTP, and there is no index.html file inside the data path.

      You can solve this by placing an index.html file inside the VirtualHost you enabled in the prerequisite tutorial for the Let’s Encrypt certificate. You’ll use the default page shipped with Apache HTTP and place it in the same folder as the DocumentRoot that you declared in the virtual host.

      /usr/local/etc/apache24/extra/httpd-vhosts.conf

      <VirtualHost *:80>
          ServerAdmin your_email@your_domain.com
          DocumentRoot "/usr/local/www/apache24/data/your_domain.com"
          ServerName your_domain.com
          ServerAlias www.your_domain.com
          ErrorLog "/var/log/your_domain.com-error_log"
          CustomLog "/var/log/your_domain.com-access_log" common
      </VirtualHost>
      

      Use the following command to do this:

      • sudo cp /usr/local/www/apache24/data/index.html /usr/local/www/apache24/data/your_domain.com/index.html

      Now you’ll see an It works! message when visiting your domain.

      In this section you’ve restricted the Indexes argument of the Options directive so Apache HTTP does not automatically list and display content other than what you intend. Now if there is no index.html file inside the data path Apache HTTP will not automatically create an index of its contents. In the next step you’ll move beyond obscuring information and customize different directives.

      Reducing the Timeout Directive Value

      The Timeout directive sets how long Apache HTTP will wait for new input/output before failing the connection. This failure can occur under different circumstances, such as packets not arriving at the server or data not being confirmed as received by the client.

      By default the timeout is set to 60 seconds. In environments where the internet service is slow this default value may be sensible, but one minute is quite a long time, particularly if the server is serving users with faster internet service. Furthermore, the time during which the server keeps a connection open can be abused to perform Denial of Service (DoS) attacks. If a flood of these malicious connections occurs the server will struggle and possibly become saturated and unresponsive.

      To change the value you’ll find the Timeout entries in the httpd-default.conf file:

      • grep -n 'Timeout' /usr/local/etc/apache24/extra/httpd-default.conf

      You’ll see similar output to:

      Output

      8 # Timeout: The number of seconds before receives and sends time out.
      10 Timeout 60
      26 # KeepAliveTimeout: Number of seconds to wait for the next request from the
      29 KeepAliveTimeout 5
      89 RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

      In the output line 10 sets the Timeout directive value. To directly access this line run the following command:

      • sudo vi +10 /usr/local/etc/apache24/extra/httpd-default.conf

      You’ll change it to 30 seconds, for example, like the following:

      /usr/local/etc/apache24/extra/httpd-default.conf

      #
      # Timeout: The number of seconds before receives and sends time out.
      #
      Timeout 30
      

      Save and exit the file with :wq and ENTER.

      The value of the Timeout directive has to strike a balance: long enough for a legitimate connection to complete successfully, but short enough to prevent undesired connection attempts from holding resources.

      Note: Denial of Service attacks can drain the server’s resources quite effectively. A complementary and very capable counter measure is using a threaded MPM to get the best performance out of how Apache HTTP handles connections and processes. In this tutorial How To Configure Apache HTTP with MPM Event and PHP-FPM on FreeBSD 12.0 there are steps on enabling this capability.

      For this change to take effect restart the Apache HTTP server:

      You’ve changed the default value of the Timeout directive in order to partially mitigate DoS attacks.

      Disabling the TRACE method

      The Hypertext Transfer Protocol was developed following a client-server model and, as such, the protocol has request methods to retrieve information from or place it on the server. The server needs to understand this set of methods and the interaction between them. In this step you’ll configure the minimum necessary methods.

      The TRACE method, once considered harmless, has been leveraged to perform Cross-Site Tracing attacks, which allow malicious actors to steal user sessions through it. The method was designed for debugging purposes: the server returns the same request originally sent by the client. Because the cookie from the browser’s session is sent to the server, it is sent back again in that reflected request. This could potentially be intercepted by a malicious actor, who can then redirect a browser’s connection to a site under their control instead of the original server.

      Because of the possibility of the misuse of the TRACE method it is recommended to only use it for debugging and not in production. In this section you’ll disable this method.

      Edit the httpd.conf file with the following command and then press G to reach the end of the file:

      • sudo vi /usr/local/etc/apache24/httpd.conf

      Add the following entry at the end of the file:

      /usr/local/etc/apache24/httpd.conf

      . . .
      TraceEnable off
      

      A good practice is to only specify the methods you’ll use in your Apache HTTP web server. This will help limit potential entry points for malicious actors.

      LimitExcept is useful for this purpose, since the directives inside it apply to every method other than those it lists. For example, a configuration can be established like this one:

      /usr/local/etc/apache24/httpd.conf

      DocumentRoot "/usr/local/www/apache24/data"
      <Directory "/usr/local/www/apache24/data">
          Options -Indexes +FollowSymLinks -Includes
          AllowOverride none
           <LimitExcept GET POST HEAD>
             deny from all
          </LimitExcept>
          Require all granted
      </Directory>
      

      As declared within the LimitExcept directive only the GET, POST, and HEAD methods are allowed in the configuration.

      • The GET method is part of the HTTP protocol and is used to retrieve data.
      • The POST method is also part of the HTTP protocol and is used to send data to the server.
      • The HEAD method is similar to GET, but its response has no body.

      You’ll use the following command and place the LimitExcept block inside the file:

      • sudo vi +272 /usr/local/etc/apache24/httpd.conf

      To set this configuration you’ll place the following block inside the Directory entry that matches the DocumentRoot directive, where the content will be read from:

      /usr/local/etc/apache24/httpd.conf

      . . .
      <LimitExcept GET POST HEAD>
         deny from all
      </LimitExcept>
      . . .
      

      To apply the changes restart Apache HTTP:

      The newer directive AllowedMethods provides similar functionality, although its status is still experimental.

      You’ve seen what HTTP methods are, what they are used for, how the TRACE method can be leveraged for malicious activity, and how to declare which methods to allow. Next you’ll work with further protections dedicated to HTTP headers and cookies.

      Securing Headers and Cookies

      In this step you’ll set specific directives to protect the sessions that the client machines will open when visiting your Apache HTTP web server. This way your server will not load unwanted content, encryption will not be downgraded, and you’ll avoid content sniffing.

      Headers are components of HTTP requests and responses. There are headers to adjust authentication, communication between server and client, caching, content negotiation, and so on.

      Cookies are bits of information sent by the server to the browser. These bits allow the server to recognize a particular client browser and to track user sessions. For example, they can track the shopping cart of a logged-in user, payment information, history, and so on. Cookies are stored in the client’s web browser because HTTP is a stateless protocol, meaning that once the connection closes the server does not remember the request sent by one client or another.

      It is important to protect headers as well as cookies because they provide communication between the web browser client and the web server.

      The headers module comes activated by default. To check if it’s loaded you’ll use the following command:

      • sudo apachectl -M | grep 'headers'

      You’ll see the following output:

      Output

      headers_module (shared)

      If you don’t see any output, check if the module is activated inside Apache’s httpd.conf file:

      • grep -n 'mod_headers' /usr/local/etc/apache24/httpd.conf

      As output you’ll see an uncommented line referring to the specific module for headers:

      /usr/local/etc/apache24/httpd.conf

      . . .
      122  LoadModule headers_module libexec/apache24/mod_headers.so
      . . .
      

      Remove the # at the beginning of the mod_headers.so line, if present, so the module is loaded.

      By making use of the following Apache HTTP directives you’ll protect headers and cookies from malicious activity to reduce the risk for clients and servers.

      Now you’ll set the header’s protection. You’ll place all these header values in one block. You can choose to apply these values as you wish, but all are recommended.

      Edit the httpd.conf file with the following command and then press G to reach the end of the file:

      • sudo vi /usr/local/etc/apache24/httpd.conf

      Place the following block at the end of the file:

      /usr/local/etc/apache24/httpd.conf

      . . .
      <IfModule mod_headers.c>
        # Add security and privacy related headers
        Header set Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;"
        Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
        Header set X-Content-Type-Options "nosniff"
        Header set X-XSS-Protection "1; mode=block"
        Header set Referrer-Policy "strict-origin"
        Header set X-Frame-Options: "deny"
        SetEnv modHeadersAvailable true
      </IfModule>
      
      • Header set Strict-Transport-Security "max-age=31536000; includeSubDomains": HTTP Strict Transport Security (HSTS) is a mechanism for web servers and clients (mainly browsers) to establish communications using only HTTPS. By implementing this you’re avoiding man-in-the-middle attacks, where a third party between the two ends could read the traffic and also tamper with it.

      • Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure": The HttpOnly and Secure flags on cookies help mitigate cross-site scripting attacks, also known as XSS. Without them, cookies can be misused by attackers to pose as legitimate visitors (identity theft) or be tampered with.

      • Header set Referrer-Policy "strict-origin": The Referrer-Policy header sets what information is included in the Referer header field.

      • Header set Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;": The Content-Security-Policy (CSP) header prevents loading any content not specified in its parameters, which helps prevent cross-site scripting (XSS) attacks. There are many possible parameters to configure the policy for this header. Here it is configured to load content only from the same site and to upgrade any content with an HTTP origin to HTTPS.

      • Header set X-XSS-Protection "1; mode=block": This supports older browsers that do not understand Content-Security-Policy headers. The X-XSS-Protection header provides protection against Cross-Site Scripting attacks. You do not need to set this header unless you need to support old browser versions, which is rare.

      • Header set X-Frame-Options: "deny": This prevents clickjacking attacks. The X-Frame-Options header tells a browser whether a page can be rendered in a <frame>, <iframe>, <embed>, or <object>. This way content from your site cannot be embedded into other sites, preventing clickjacking attacks. Here you’re denying all frame rendering so the web page can’t be embedded anywhere else, not even inside the same web site. You can adapt this to your needs if, for example, you must authorize rendering some pages because they are advertisements or collaborations with specific websites.

      • Header set X-Content-Type-Options "nosniff": The X-Content-Type-Options header tells the browser to respect the declared MIME type instead of guessing it from the content. MIME types are file format standards; they cover text, audio, video, images, and so on. This header blocks malicious actors from abusing content sniffing to have files interpreted as a different type.

      Now restart Apache for the changes to take effect:

      To check the security levels of your configuration settings, visit the security headers website. Having followed the steps in this tutorial, your domain will score an A grade.

      Note: If you check your headers by visiting https://securityheaders.com/ and get an F grade, it could be because there is no index.html inside the DocumentRoot of your site as instructed at the end of Step 2. If you get a grade other than A or F, check each Header set line for any misspelling that may have caused the downgrade.
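      A local complement to the online header check, written as an added example that is not part of the original tutorial: it parses a raw HTTP response and reports a Server banner that still leaks version details (the ServerTokens step), recommended headers that are missing or differ from the block above, and Set-Cookie lines without HttpOnly and Secure. The two responses below are constructed samples, not captured from a real server.

```python
import re

# Expected values, taken from the httpd.conf header block in this tutorial.
EXPECTED_HEADERS = {
    "content-security-policy": "default-src 'self'; upgrade-insecure-requests;",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "strict-origin",
    "x-frame-options": "deny",
}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, [(name, value), ...]).
    Header names are lower-cased; repeated headers such as Set-Cookie are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines instead of failing
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def server_banner_findings(headers):
    """ServerTokens Prod reduces the banner to 'Apache'; a version number or a
    parenthesised OS string means the directive is missing or too permissive."""
    return ["server banner leaks details: " + value
            for name, value in headers
            if name == "server" and (re.search(r"\d", value) or "(" in value)]


def security_header_findings(headers):
    """Report recommended headers that are absent or carry an unexpected value."""
    present = {}
    for name, value in headers:
        present.setdefault(name, value)  # first occurrence wins
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        if name not in present:
            findings.append("missing header: " + name)
        elif present[name].lower() != expected.lower():
            findings.append("unexpected %s: %s" % (name, present[name]))
    return findings


def cookie_findings(headers):
    """Every Set-Cookie must carry HttpOnly and Secure (the Header edit rule above)."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in value.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append("cookie %s lacks %s" % (cookie_name, flag))
    return findings


def audit_response(raw):
    """Return a sorted list of findings; an empty list means the response passes."""
    _, headers = parse_response(raw)
    return sorted(server_banner_findings(headers)
                  + security_header_findings(headers)
                  + cookie_findings(headers))


# Constructed sample: what a default install answers before the changes.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (FreeBSD) OpenSSL/1.1.1d-freebsd\r\n"
    "Set-Cookie: PHPSESSID=constructed0123; path=/\r\n"
    "\r\n"
    "<html>It works!</html>"
)

# Constructed sample: the same page after the httpd.conf block above is applied.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Security-Policy: default-src 'self'; upgrade-insecure-requests;\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: PHPSESSID=constructed0123; path=/; HttpOnly; Secure\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: strict-origin\r\n"
    "X-Frame-Options: deny\r\n"
    "\r\n"
    "<html>It works!</html>"
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        findings = audit_response(sample)
        print("%s: %s" % (label, "PASS" if not findings else "; ".join(findings)))
```

      To audit a live server, feed the function the raw bytes of a real response (decoded as text); the "before" sample yields nine findings and the "after" sample none.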

      In this step you have worked with up to seven settings to improve the security of your headers and cookies. These will help prevent cross-site scripting, clickjacking, and other types of attacks.

      Conclusion

      In this tutorial you’ve addressed several security aspects, from information disclosure, to protecting sessions, through setting alternative configuration settings for important functionality.

      For further resources on hardening Apache, here are some other references:

      For extra tools to protect Apache HTTP:




      How to Create a Website for Your Event (In 4 Steps)


      Planning events can be both fun and strenuous. Whether you’re working on the fundraiser of the year, a huge wedding, or an academic conference, you might be wondering how you can create an appealing online presence for the upcoming event.

      Fortunately, creating an event website using WordPress can be fast and easy. As an open-source Content Management System (CMS), WordPress has a ton of built-in flexibility. Additionally, the platform has a vast community of helpful users and developers that you can reach out to for help.

      In this article, we’re going to discuss why WordPress is a smart choice for your event website. Then we’ll walk you through all the steps needed to create your own event website using WordPress. Let’s jump right in!

      Why You Should Consider a WordPress Site for Your Event

      There are many reasons WordPress is an excellent platform for building an event website. For example, it offers both ease of editing and a high level of flexibility. Plus, the platform is always free to download.

      What’s more, since WordPress is built using open-source code, developers all over the world have added onto the platform’s core functionality with plugins. This means there are many options for enhancing your site with event-specific, niche plugins that can help you easily track, promote, and share your event in order to boost registrations.

      Another benefit to building with this CMS is that it doesn’t matter how big or how small your event might be — WordPress always fits like a glove! Fortunately, building your event website using WordPress doesn’t have to be difficult at all.


      How to Create a WordPress Site for Your Event (In 4 Steps)

      To get started with your WordPress event site, all you need to do is follow these four steps. Each will help you get up and running as quickly as possible, so you can move on to planning and hosting the event itself.

      1. Choose a Secure and Professional Hosting Platform

      While the WordPress software is free, you’ll still need to host your site somewhere. Choosing a web host can seem overwhelming at first, but it’s an essential first step in getting your event site started.

      A web host is where all of your site’s data is stored, along with the files that create the functionality you’ll need to manage your event. There are a few things to consider when choosing your host since there are lots of options out there.

      You’ll want to make sure the host you choose has the support you might need for certain types of events. You may need to accommodate a live stream, for example, or your event might require higher bandwidth for heavy registration traffic.

      Here at DreamHost, we have several Virtual Private Server (VPS) options that can suit a wide variety of event planning needs.

      DreamHost VPS pricing.

      We recommend really getting a feel for all the different types of hosting out there. That way, you can make sure your event website is stored in the most secure, high-performance location possible.

      2. Select a Theme to Suit Your Event

      Once you’ve installed WordPress on your hosting plan, you can move on to some of the more exciting parts of building a website!

      Choosing a theme can be a lot of fun, and it’s also a vital step. That’s especially true if you are looking to create a cohesive brand or send out a certain “vibe” about your event.

      There are two main ways you can obtain WordPress themes, including:

      • Downloading free themes from the WordPress Theme Directory
      • Purchasing premium themes from a theme marketplace or directly from a developer

      Themes often come with built-in functionality or features that you’ll want to understand before installing them. If you know you need a certain kind of layout, footer, or sidebar, for example, you’ll want to make sure the theme you pick can handle that type of design.

      Some of the free themes available in the directory are nearly as packed with features as premium themes that come with a price tag. Reading their reviews and checking to see when each theme was last updated are smart ways to decide which is best for your site.

      Of course, it’s also important to remember that sometimes niche themes can be more helpful than general, all-purpose themes. For example, ShowThemes offers event-specific WordPress themes and lets you search its database by feature set so you can find exactly what you’re looking for.

      The ShowThemes home page.

      ShowThemes covers the full spectrum of possible events you might want to promote. For instance, if you just need a one-page site for a conference, the Fudge theme is a solid option. Not only is it already optimized for mobile devices, but it also has a clear and easy-to-customize design for your Call-to-Action.

      The Fudge theme.

      Starting with a theme designed for the type of event you’re promoting can save you a lot of time, so it’s well worth considering.

      3. Add Event and E-Commerce Plugins to Manage Registration

      There are a few more universal aspects of event planning to keep in mind while building your WordPress event site. Typically, events require some kind of registration process, guest list, or check-in management (just to name a few examples).

      Whether or not your event is free-of-charge or requires payment, adding event and e-commerce plugins to your site can be extremely helpful. There are a number of ways to build in the functionality you’ll need to handle ticket sales or registrations.

      Event Espresso, for instance, is an all-in-one plugin solution that covers everything from setting up a registration form to using payment gateways.

      The Event Espresso plugin.

      While the free version provides plenty of functionality, you can purchase Event Espresso’s premium tier if you’re interested in add-on features such as printable tickets, ticket scanning, and waitlists.

      If you need a plugin that specializes in managing a guest list and registration data, on the other hand, you might want to check out the RSVP and Event Management plugin.

      The RSVP and Event Management plugin.

      Additionally, you can maximize WordPress’ flexibility by using plugins that make it possible to connect to outside event software, such as EventBrite, to help you manage your event. While this method requires you to have an account with the platform, it’s still an excellent option if you have specific event management applications you know and love.

      4. Promote Your Event on Social Media

      Once you’ve built your event site, you’ll likely want to start getting the word out and encouraging registrations. It’s no secret that social media is probably the best way to share your event with your target audience, as widely or as privately as you want.

      One of the most straightforward ways to promote your event on social media is to let your website visitors do it for you, through adding social sharing buttons to your website. You can add on a plugin like Sassy Social Share, for example, and choose from over 100 social media and bookmarking site buttons to add to your site.

      The Sassy Social Share plugin.

      If you want to take things a step further, and proactively push your event content and site updates to a variety of social media sites, you can check out the free plugin Blog2Social. This tool gives you the option to set up automatic posts from your website to 14 different social networks.

      The Blog2Social plugin.

      With Blog2Social, you can also cross-post content, schedule updates, and automatically post new content. Additionally, you can customize your posts with comments and hashtags, for even more engagement and appeal.

      You can even enable guests to register for your event via their existing social media accounts. Adding the Social Login plugin to your event site makes that simple.

      The Social Login plugin.

      Whether you’re looking to push content to social media accounts, or pull in guests and registrations via social channels, adding some of these helpful plugins to your event site can help you stand out from the pack and attract attention.

      Easy Event Marketing

      If you’ve been worried about how to get your event website off the ground, while also planning for all your other event-related needs, we hope this step-by-step guide has helped to ease your burden a bit. WordPress can help you get your site up and running quickly, which leaves you plenty of time to focus on all the other details that make for a great event.

      Here at DreamHost, WordPress is always invited to the party. Check out our WordPress hosting plans and get your event website online today!




      How to Start a Photography Blog (In 4 Steps)


      Photography is a popular and useful hobby, especially with the variety and convenience of advanced camera options we have now. Whether you’re into dark rooms and film or high-end digital lenses, turning your photography hobby into a business might be on your radar. Figuring out how best to get your work online, however, can be a full-time job.

      That’s where WordPress and the time-saving functionality of website builders come in. When you combine the content management options of WordPress with drag-and-drop site design capability, it’s easy to turn your big ideas into a professional photography site.

      In this article, we’ll cover four steps for creating a photography website with WordPress. We’ll also discuss why this platform is the best option and share the best website builder tools for WordPress to help you attain your dream photography blogging site.

      Take that lens cap off your camera, friend, and let’s get started!

      Why You Should Consider a WordPress Website for Your Photography Blog

      When it comes to Content Management Systems (CMSs), we make no bones about it — WordPress is the best. You don’t have to take our word for it, though. WordPress owns 50–60% of the global CMS market. Additionally, it’s the first choice for 14.7% of the top 100 sites on the web.

      Outside of those numbers, WordPress’s practical, open-source platform is another reason we suggest it for a photography blog. A nearly endless array of custom themes and plugins are available to help you eliminate distractions and create a truly unique website for your photography.

      One more plus? WordPress software is free. That means that even as a brand new blogger, you can afford a self-hosted website.

      How to Start a Photography Blog With WordPress (In 4 Steps)

      One of the first steps in designing a photography website is to determine your own style or niche. Whatever your blogging focus might be, knowing this ahead of time will help you design your site and target your specific audience. Take a few minutes to set some goals for your site and then write them down.

      Once you have your blogging goals, the following four steps should help to guide you through setting up and designing a site with WordPress.

      Step 1: Choose Your Domain Name and Web Host

      Picking out a domain name can be a fun but frustrating process. One of the best ways to stand out as a blogger is with a unique and brand-oriented name. You might find, however, that many of the names you want are already taken.

      Fortunately, while choosing a .com is still popular, there are quite a few new Top-Level Domains (TLDs) available that might be just right for your photography site if the domain you wanted is unavailable.

      Searching for a domain name.

      As for selecting a hosting provider, this step might seem overwhelming at first. However, there are a few things to keep in mind as you shop that should help. For instance, if you plan on setting up an e-commerce page as part of your blogging strategy, you’ll want to look into what each host provides for that use case.

      Regardless of your goals as a blogger, other significant features to look out for include:

      • Storage. If you plan on using the same host for your website and your photos, you’ll want to investigate the amount of storage that’s available. There may be several options, or even additional storage available as an add-on to handle your larger, high-quality images.
      • Software. You’ll also want to consider whether you’ll need a one-click solution to get started with WordPress. This is an excellent option for anyone who is not hiring a developer and isn’t a programming expert.
      • Support. The last thing you want is for your clients to run into downtime while trying to view your photos. Make sure your web host has 24/7 support, and read up on its site backup and restoration options in case something happens.
      • Extras. Some hosts come with extra features you might want to consider. These can include premium themes or plugins, staging sites, or site builders.

      No matter what type of hosting you ultimately decide you need, here at DreamHost we offer a wide range of WordPress plans.

      WordPress hosting at DreamHost.


      Step 2: Install a Dedicated Photography Theme

      Installing a theme enables you to customize the look of your WordPress site. What’s more, it’s as easy as uploading a file or clicking a button. There are a lot of photography themes out there, however, so deciding which one is best for you might be the hardest part.

      If you’re using DreamHost as your WordPress hosting service, you’ll have access to WP Website Builder. As a photographer, this means you can drag-and-drop your site elements in a front-end view of your website. You can choose from photography-specific custom templates and view your changes live as you make them.

      Getting started is easy. You simply need to select “WP Website Builder” as an option when purchasing your DreamHost plan.

      Adding WP Website Builder to DreamHost.

      Once you complete your purchase with the website builder selected, WordPress and premium plugins built by our friends at BoldGrid will be installed. The Page and Post Builder and Inspirations will appear in your menu options once you visit your WordPress dashboard.

      Once you’re logged into WordPress for the first time, you’ll be immediately taken to a setup page. When you’re ready, select Let’s Get Started!.

      BoldGrid Inspirations.

      Next, you’ll be able to choose from a menu of theme categories. Inspirations includes 20 stunning photography-friendly themes.

      Theme choices.

      Once you select the theme you want, you’ll be guided through choosing some custom content options. You can use preset page layouts and create menus. You’ll also be able to test your theme’s responsiveness to mobile devices.

      Content choice settings.

      You might notice additional content on your WordPress dashboard now as well. There are some tutorial videos, for example, in case you need extra support along the way. Plus, if you want to spice things up later and change your theme, the Inspirations menu will lead you through that process.

      Step 3: Select Plugins to Enhance Your Site

      Now that you’ve selected a theme, you might want to look at some plugins as well. WordPress plugins are add-on packages of code that can enhance and extend the functionality of the platform. You’ll want to familiarize yourself with the best way to manage them, in order to make sure you’re keeping your site safe and secure.

      Photography blogs and websites have some unique needs, such as the ability to display and watermark high-quality images. You may also need to create image galleries with password protection or tie your e-commerce options to a file download manager. All of these tasks can be tackled with plugins.

      One tool to check out is Photography Management.

      The Photography Management plugin.

      This plugin is a client management solution for photographers who need to provide images and galleries to their customers. It can help you create a login portal for clients and provides notifications when your clients complete an action.

      Another reliable photography plugin is Envira Gallery.

      The Envira Gallery plugin.

      The Envira feature list is extensive. It includes options for watermarking your images, which may be an important part of your security strategy. You can also set up a storefront, create video galleries, and import content from Instagram. Combining this kind of tool with our website builder makes displaying your work dynamically online a cinch.


      Step 4: Create Compelling Content

      When it comes to Search Engine Optimization (SEO), there is more to think about than just keywords. What other pages say about you is just one other element that is vital for securing better page rankings.

      Gaining backlinks or having your pages shared on social media are both effective ways to build page rank and clients. One way to garner more backlinks is to create compelling content. This could come in the form of tutorials, downloads, infographics, videos, or podcasts.

      A beautiful example of these options can be seen on the Julia & Gil photography site.

      Julia and Gil photography site.

      Adding a blog to your page is also a great way to build a following and establish yourself as a trusted name in the industry.

      How to Promote Your Photography Business

      Now that your photography has a home on the web, you might be wondering how to get more eyeballs on your work. Self-promotion can be a challenge at times, but with WordPress and your professional theme, you have plenty to showcase!

      There are a few ways to approach promoting your new site, including:

      • Social Media. Sharing your work on social media can reap significant benefits. One way to get into the habit is to stay on a posting schedule, so interested viewers know they can regularly expect new content. Here’s how we recommend promoting your blog on social.
      • Testimonials. Research shows that 82% of consumers seek recommendations from family and friends before making a purchase. This makes customer testimonials a powerful tool on your website.
      • Call to Action. If your goal is to gain clients or fill up your email subscriber list, you might want to study up on the art of writing a good Call to Action (CTA). This will clearly guide your site’s visitors towards the action you want them to take.
      • Portfolios. Creating a portfolio can give you a portion of your site that is specifically geared toward promoting your skills. While your entire website might function as an advertisement, a portfolio allows you to pick and choose your best work to highlight.

      However you decide to promote your new website, it’s a proven best practice that keeping your site information up-to-date and accurate is crucial when it comes to improving SEO and gaining a following.

      Blogging Photographers

      Whether it’s nature, weddings, family portraits, or street photography, you can personally display your images with a professional photography theme and WP Website Builder. WordPress’ niche photography plugins can also help you add unique elements to set your site apart.

      Here at DreamHost, we want you to be focused on the next shot — not whether your site might crash. Our complete WordPress hosting solutions come with easy built-in solutions for backing up your website and maintaining top-notch performance. Additionally, WordPress setup is fast and easy, so you can get up and running and share your amazing images with the world!


