What is DMARC and how does it work?

Domain-based Message Authentication Reporting and Conformance (DMARC) is a free and open technical specification that is used to authenticate an email by aligning SPF and DKIM mechanisms. By having DMARC in place, business owners large and small can fight the massive cybersecurity problems caused by phishing and reputation damage caused by spoofing.

With DMARC you can tell the world how to handle the unauthorized use of your email domains by instituting a policy in your DMARC record. The three DMARC policies are:

p=none

Monitors your email traffic. No further actions are taken.

p=quarantine

Sends unauthorized emails to the spam folder.

p=reject

The final policy and the ultimate goal of implementing DMARC. This policy ensures that unauthorized email doesn’t get delivered at all.

How does DMARC work?

DMARC is based upon the results of SPF and/or DKIM, so at least one of those has to be in place for the email domain. To deploy DMARC, you need to publish a DMARC record in the DNS.

A DMARC record is a text entry within the DNS record that tells the world your email domain’s policy after checking SPF and DKIM status. DMARC authenticates if either SPF, DKIM, or both pass. This is referred to as DMARC alignment or identifier alignment. Based on identifier alignment, it is possible that SPF and DKIM pass, but DMARC fails.

A DMARC record also tells email servers to send XML reports back to the reporting email address listed in the DMARC record. These reports provide insight on how your email is moving through the ecosystem and allow you to identify everything that is using your email domain.

Because reports are written in XML, making sense of them can be tricky, and they can be numerous. dmarcian’s platform can receive these reports and provide visualization on how your email domains are being used, so you can take action and move your DMARC policy towards p=reject.

What is a DMARC Record?

As a mission-driven company, dmarcian is focused on spreading the adoption of DMARC. Because of this, we interface with a wide range of people with varying degrees of knowledge. We thought we’d take a step back and take a look at something fundamental: What is a DMARC record?

A DMARC record is a text entry within the DNS record that tells the world your email domain’s policy when it comes to checking to see if your SPF and/or DKIM has passed or failed.

A DMARC record also tells the servers that touch your email on its way to its final destination to send XML reports back to the reporting email address listed in the DMARC record. These reports provide insight on how your email is moving through the ecosystem and allow you to identify everything that is using your email domain.

More information on publishing DMARC records can be found here.

The DMARC Record; what does it look like?

an example of a dmarc record
  • “v=” indicates this is a DMARC record
  • “p=” indicates the DMARC policy
  • “rua=” indicates where data should be sent

RUA is reporting that provides an aggregate view of all of a domain’s traffic. The other option is RUF reports that are redacted forensic copies of the individual emails that are not 100% compliant with DMARC. While RUA reports show the traffic of the email, RUF reports contain snippets from the actual emails themselves. While RUA reporting is all that is needed for DMARC deployment, more advanced users may also add the RUF tag, which will send more sensitive information.

These reports are in Extensible Markup Language (XML), which isn’t easy to read:

There are tools that can translate these XML files into a human-friendly format. Services like Dmarcly, where the RUA reports can be pointed to, automatically process the reports and give you insight via a powerful dashboard to make identifying the valid uses of your email domain easier while disallowing abuse. A dmarcian account will store past reports so you can observe trends and be alerted when new threats arise.
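
To show what an aggregate (RUA) report holds, here is an added example, not code from dmarcian or any service named on this page, that condenses one report into per-source pass/fail counts. The report is constructed for illustration; its element names follow the aggregate report schema in RFC 7489, Appendix C, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not real traffic). IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>mailer.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>forwarder.example.org</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def _text(node, path, default=""):
    """Return the stripped text of a child element, or a default if absent."""
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def summarize_report(xml_text):
    """Condense one aggregate report into per-source DMARC pass/fail counts."""
    # Reports arrive from third parties: refuse DTDs so entity declarations
    # never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in DMARC report")
    root = ET.fromstring(xml_text)
    sources = {}
    for record in root.iter("record"):
        ip = _text(record, "row/source_ip")
        count = int(_text(record, "row/count", "0"))
        # policy_evaluated carries the *aligned* results, i.e. what DMARC saw
        dkim = _text(record, "row/policy_evaluated/dkim")
        spf = _text(record, "row/policy_evaluated/spf")
        entry = sources.setdefault(
            ip, {"messages": 0, "dmarc_pass": 0, "dmarc_fail": 0, "spf_domains": set()})
        entry["messages"] += count
        entry["dmarc_pass" if "pass" in (dkim, spf) else "dmarc_fail"] += count
        # auth_results carries the raw SPF check, including the domain used
        for spf_node in record.findall("auth_results/spf"):
            entry["spf_domains"].add(_text(spf_node, "domain"))
    return {
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "sources": sources,
    }


def unaligned_sources(summary):
    """Sources with DMARC failures, largest first: the ones to investigate."""
    failing = [(ip, s["dmarc_fail"]) for ip, s in summary["sources"].items() if s["dmarc_fail"]]
    return sorted(failing, key=lambda item: -item[1])


def pass_rate(summary):
    """Fraction of reported messages that passed DMARC."""
    total = sum(s["messages"] for s in summary["sources"].values())
    passed = sum(s["dmarc_pass"] for s in summary["sources"].values())
    return passed / total if total else 0.0


if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    for ip, failed in unaligned_sources(report):
        print(ip, failed, sorted(report["sources"][ip]["spf_domains"]))
    print("pass rate: %.1f%%" % (100 * pass_rate(report)))
```

In the constructed data, 198.51.100.7 shows a raw SPF pass for mailer.example.net while the DMARC-evaluated SPF result is fail, which is the kind of sender to fix before moving the policy beyond p=none.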

Why Use DMARC for Email?

Email is involved in more than 90% of all network attacks and without DMARC, it can be hard to tell if an email is real or fake. DMARC allows domain owners to protect their domain(s) from unauthorized use by fighting phishing, spoofing, CEO fraud, and Business Email Compromise.

By always sending DMARC compliant email, the operator of an Internet domain can tell the world “everything I send is easy to identify using DMARC—feel free to drop fake email that pretends to be me.”

DMARC’s utility as an anti-spoofing technology stems from a significant innovation; instead of attempting to filter out malicious email, why not provide operators with a way to easily identify legitimate email? DMARC’s promise is to replace the fundamentally flawed “filter out bad” email security model with a “filter in good” model.

If you’re curious about the health of your domain or anyone’s, use this free Domain Checker for a quick check. It inspects DMARC, SPF and DKIM and tells you which actions you need to take to reach compliance.

Benefits of DMARC

If you use email, you’ll benefit by incorporating DMARC.

When strong security controls are deployed against fraudulent email, delivery is simplified, brand reliability increases and visibility is granted to domain owners on how their domains are being used around the Internet.

  • Security
    Disallow unauthorized use of your email domain to protect people from spam, fraud, and phishing.
  • Visibility
    Gain visibility into who and what across the Internet is sending email using your email domain.
  • Delivery
    Use the same modern plumbing that mega companies use to deliver email.
  • Identity
    Make your email easy to identify across the huge and growing footprint of DMARC-capable receivers.

Need Help?

If you are interested in a fully managed email security, domain alignment, Dmarc service

What is SPF (Sender Policy Framework)

Sender Policy Framework (SPF) is used to authenticate the sender of an email. With an SPF record in place, Internet Service Providers can verify that a mail server is authorized to send email for a specific domain. An SPF record is a DNS TXT record containing a list of the IP addresses that are allowed to send email on behalf of your domain.

How does SPF work?

To take advantage of SPF, you publish an SPF record in the DNS. The record is a list of all the IP addresses that are allowed to send email on behalf of the domain. 

The SPF mechanism uses the domain in the return-path address to identify the SPF record. When a sender tries to hand-off an email to an email “receiving” server for delivery, the server checks to see if the sender is on the domain’s list of allowed senders. If so, then a link has been established between the piece of email and the email domain. If not, then the server continues processing the email as usual without this link, as any number of things could be going on. 

The email might be real, but the list of senders might not be accurate. Real email might have been forwarded which means the email could have come from anywhere and the list of allowed senders doesn’t help too much. Or, the email is fake and unwanted. Too many possible outcomes make it difficult to attach meaning to the absence of the link that SPF can provide. DKIM fills the gap in the DMARC technical framework as an additional way to try and link a piece of email back to a domain.

What is SPF Format?

More information about how an SPF record is formatted, and how you can create one for your email domain, can be found here: How to Create and Add an SPF Record

Already have an SPF record? We have also developed a comprehensive guide to SPF record formatting to increase your understanding and help troubleshoot any SPF issues that our free SPF Surveyor may bring to your attention:  SPF Record Syntax

SPF and DMARC for Email

By itself, SPF can associate a piece of email with a domain. With the DNS records in place, DMARC ties the results of SPF to the content of email, specifically to the domain found in the return path or From: header of an email. For SPF to work correctly in the context of DMARC, the return-path address has to be relevant to the domain of the From: header, which is the item that ties together DMARC alignment.

Why is SPF Important?

SPF has become exceedingly vital to help verify which sending infrastructure can relay email on behalf of your domain. Implementing SPF for email provides major benefits:

  • Increases domain reputation and email deliverability.
  • Fights domain impersonation and email spoofing to protect your brand reputation.
  • One of the foundational methods of email authentication for DMARC.

How do I check my SPF Record?

Check your domain’s SPF settings – dmarcian’s SPF Surveyor is an SPF diagnostic tool that presents a graphical view of SPF records. It allows you to quickly identify which servers are authorized to send on behalf of a domain.

Why SPF-Only Isn’t Safe Enough

Though SPF is a layer of proven email authentication that has been around since the late 1990s, it does have its challenges. Simply put, forwarding of email happens on the Internet and the SPF mechanism doesn’t survive the forwarding process. Forwarding typically happens when you send email to [email protected] and that person has set their email to be forwarded to another address, like [email protected]. In this example, your email appears to be coming out of infrastructure that appears to have nothing to do with you. 

DKIM signing can survive forwarding. If your domain is covered with DKIM, dmarcian’s ability to detect forwarding increases. SPF does not work in the context of forwarding, as SPF is simply a list of servers that are authorized to send on behalf of your domain, and it isn’t possible for a domain owner to maintain a list of forwarders.

SPF Misconceptions

Companies often misunderstand how SPF works and instruct their customers to include the company’s own SPF record. However, this ends up doing nothing if the company uses its own domain in the bounce address. When an email receiver processes a piece of email, it will look at the company’s SPF record—not the SPF record of the customer.

Two unwanted things happen because of this misconception:

  1. Unnecessary “includes” are added into their SPF records. This causes SPF records to bloat and introduces management challenges.
  2. Confusion is introduced as people just want to get SPF into place to complete their DMARC deployment. The result is that SPF passes, but DMARC fails.

For SPF to work correctly in the context of DMARC, the bounce address has to be relevant to the domain of the From: header. Unfortunately, many companies that send email on behalf of others do not currently allow their customers to change the bounce address to the customer’s domain. This is slowly changing, but companies first have to understand the basics of how SPF works. We have resources available to help companies send DMARC compliant email on behalf of others.
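
The "SPF passes, but DMARC fails" outcome described here, and the identifier alignment described in the DMARC section earlier, can be worked through in code. This is an added example, not dmarcian's implementation; the function names are hypothetical, and the small suffix set is a constructed stand-in for the Public Suffix List that real receivers use to find a domain's organizational domain.

```python
# Constructed stand-in for the Public Suffix List (assumption for this example)
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

# What each policy means for a message that fails DMARC, as described on this page
ACTIONS = {"none": "deliver, report only", "quarantine": "spam folder", "reject": "reject"}


def organizational_domain(domain):
    """Longest matching public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """mode 's' (strict) needs an exact match; 'r' (relaxed) compares organizational domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def evaluate_dmarc(record_txt, header_from, spf_result, return_path_domain,
                   dkim_result, dkim_domain):
    """DMARC passes if SPF or DKIM both passes and aligns with the From: domain."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(
        return_path_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        dkim_domain, header_from, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "action": "deliver" if passed else ACTIONS[tags.get("p", "none")],
    }


# Constructed scenarios for a customer domain example.com
RECORD = "v=DMARC1; p=reject; rua=mailto:reports@example.com"

SCENARIOS = {
    # Vendor keeps its own bounce address and signs with its own domain
    "vendor_bounce": (RECORD, "example.com", "pass", "mailer.example.net", "pass", "example.net"),
    # Vendor lets the customer use a bounce address under the customer's domain
    "customer_bounce": (RECORD, "example.com", "pass", "bounce.example.com", "none", ""),
    # Forwarded mail: SPF breaks, the customer's DKIM signature survives
    "forwarded": (RECORD, "example.com", "fail", "forwarder.example.org", "pass", "example.com"),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(name, evaluate_dmarc(*args))
```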

Note: There is obsolete technology called SenderID that tried to perform SPF-like checks, except it used the From: header domain (among others) as the item to check. SenderID also attempted to reuse existing SPF records, causing even more confusion.  

7 Important HTTP Security Headers for Your Website

When it comes to website security, most people are quite oblivious to the vulnerabilities that exist and are exposed on their own site.

Securing your website is all about minimizing attack surface and adding more layers of security. One strong layer that you can (and should) add is proper HTTP security headers. When responding to requests, your web server should include a number of security headers that help stop unwanted activity like XSS, MITM, and click-jacking attacks. While sending security headers does not guarantee 100% defense against all such attacks, it does help modern browsers keep things secure. So in this tutorial, we walk through seven of the most important and effective HTTP security headers you should add to your website in order to bolster its security.

Note that the solutions below only work on Apache and compatible servers that use .htaccess, such as Litespeed.

Here are 7 Important HTTP Security Headers for Your Website.

Note: You can verify your site’s security headers using a free online tool such as the one provided by SecurityHeaders.com.

X-XSS-Protection

The X-XSS-Protection security header enables the XSS filter provided by modern web browsers (IE8+, Chrome, Firefox, Safari, et al). Here is the recommended configuration for this header:

# X-XSS-Protection
<IfModule mod_headers.c>
	Header set X-XSS-Protection "1; mode=block"
</IfModule>

Added to your site’s .htaccess file or server configuration file, this code instructs supportive browsers to block any requests containing malicious scripts. For more configuration options and further information about X-XSS-Protection, check out these resources:

X-Frame-Options

The X-Frame-Options (XFO) security header helps modern web browsers protect your visitors against clickjacking and other threats. Here is the recommended configuration for this header:

# X-Frame-Options
<IfModule mod_headers.c>
	Header set X-Frame-Options "SAMEORIGIN"
</IfModule>

Added to your site’s .htaccess file or server configuration file, this code instructs supportive browsers to block any frames/content requested from external locations. So if your own site includes an iframe that loads a resource from the same domain, the content will load normally. But if any iframe is included that loads resources from any other domain, the content will be blocked. For more configuration options and further information about X-Frame-Options, check out these resources:

X-Content-Type-Options

The X-Content-Type-Options security header enables supportive browsers to protect against MIME-type sniffing exploits. It does this by disabling the browser’s MIME sniffing feature, and forcing it to recognize the MIME type sent by the server. This header is very flexible and may be configured extensively, however the most common implementation looks like this:

# X-Content-Type-Options
<IfModule mod_headers.c>
	Header set X-Content-Type-Options "nosniff"
</IfModule>

Added to your site’s .htaccess file or server configuration file, this code instructs supportive browsers to use the MIME type declared by the origin server. There are a couple of precautions to keep in mind. First, as with any security header, it does not stop 100% of all attacks or threats; it does stop some of them, however, and thus provides another layer of protection for your site. Also note that this header currently is supported only in Chrome and later versions of Internet Explorer. Hopefully other browsers will add support in the future. For more configuration options and further information about X-Content-Type-Options, check out these resources:

Strict-Transport-Security

The Strict-Transport-Security (HSTS) header instructs modern browsers to always connect via HTTPS (secure connection via SSL/TLS), and never connect via insecure HTTP (non-SSL) protocol. While there are variations to how this header is configured, the most common implementation looks like this:

# Strict-Transport-Security
<IfModule mod_headers.c>
	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>

Added to your site’s .htaccess file or server configuration file, this code instructs supportive browsers to always use HTTPS for connections. This helps stop man-in-the-middle (MITM) and other attacks targeting insecure HTTP connections. For more configuration options and further information about Strict-Transport-Security, check out these resources:

Referrer-Policy

The Referrer-Policy security header instructs modern browsers how to handle or exclude the Referer header (yes the header normally is spelled incorrectly, missing an “r”). For those who may not be familiar, the Referer header contains information about where a request is coming from. So for example if you are at example.com and click a link from there to domain.tld, the Referer header would specify example.com as the “referring” URL.

With that in mind, the Referrer-Policy enables you to control whether or not the Referer header is included with the request. Here is an example showing how to add the Referrer-Policy header via Apache:

# Referrer-Policy
<IfModule mod_headers.c>
	Header set Referrer-Policy "same-origin"
</IfModule>

Added to your site’s .htaccess file or server configuration file, this code instructs supportive browsers to only set the referrer header for requests from the current domain (same-origin). Keep in mind that this header is less about security and more about controlling referrer information, as is required by various rules and regulations (e.g., GDPR). For more configuration options and further information about Referrer-Policy, check out these resources:

Feature-Policy

The Feature-Policy header tells modern browsers which browser features are allowed. For example, if you want to ensure that only geolocation and vibrate features are allowed, you can configure the Feature-Policy header accordingly. It also enables you to control the origin for each specified feature. Here is an example showing how to add a Feature-Policy header via Apache:

# Feature-Policy
<IfModule mod_headers.c>
	Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>

Added to your site’s .htaccess file or server configuration file, this code instructs supportive browsers to enable only geo-location and vibrate features. Keep in mind that this header is less about security and more about ensuring a smooth experience for your users. For more configuration options and further information about Feature-Policy, check out these resources:

Content-Security-Policy

The Content-Security-Policy (CSP) header tells modern browsers which dynamic resources are allowed to load. This header is especially helpful at stopping XSS attacks and other malicious activity. This header provides extensive configuration options, which will need to be fine-tuned to match the specific resources required by your site. Otherwise if the header configuration does not match your site’s requirements, some resources may not load (or work) properly.

Because of this, there isn’t one most common example to look at. So instead here are a few different examples, each allowing different types of resources.

Example 1

First example, here is a CSP directive that allows resources from a CDN, and disallows any framed content or media plugins. This example is from the Google docs page linked below.

# Content-Security-Policy - Example 1
<IfModule mod_headers.c>
	Header set Content-Security-Policy "default-src https://cdn.example.com; child-src 'none'; object-src 'none'"
</IfModule>

Example 2

Second example, this CSP directive enables script resources loaded from a jQuery subdomain, and limits stylesheets and images to the current domain (self). This example is from the Mozilla docs page linked below.

# Content-Security-Policy - Example 2
<IfModule mod_headers.c>
	Header set Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self' https://code.jquery.com; style-src 'self'"
</IfModule>

Example 3

And for a third example, here is the directive I use on most of my WordPress-powered sites. Logically these sites tend to use the same types of resources, so I can keep things simple and use the following code on all sites:

# Content-Security-Policy - Example 3
<IfModule mod_headers.c>
	Header set Content-Security-Policy "default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;"
</IfModule>

To get a better idea of what’s happening here, let’s apply a bit of formatting to the code:

Header set Content-Security-Policy "

default-src https:; 
font-src    https: data:; 
img-src     https: data:; 
script-src  https:; 
style-src   https:;

"

Stare at that for a few moments and you should get the idea: the header is setting the allowed source(s) for fonts, images, scripts, and styles. For each of these, a secure HTTPS connection is required. The only exception is that data URIs are also allowed as a source for fonts and images.
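
To see how a browser applies such a policy, the following added example (not code from the original article) parses the three policies above and answers whether a given resource URL would be allowed. It is a narrowed model and the function names are hypothetical: it covers the "-src" fetch directives with the default-src fallback, scheme sources, host sources and 'self', and ignores ports, paths, nonces and hashes.

```python
from urllib.parse import urlsplit

# The three policies exactly as they appear in the examples above
EXAMPLE_1 = "default-src https://cdn.example.com; child-src 'none'; object-src 'none'"
EXAMPLE_2 = ("default-src 'none'; img-src 'self'; "
             "script-src 'self' https://code.jquery.com; style-src 'self'")
EXAMPLE_3 = ("default-src https:; font-src https: data:; img-src https: data:; "
             "script-src https:; style-src https:;")


def parse_csp(policy):
    """Map each directive name to its list of source expressions."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            # If a directive is repeated, only its first occurrence is used
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def source_matches(expr, url, page_origin):
    """Does one source expression allow this URL? (ports and paths ignored)"""
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    if expr == "'self'":
        page = urlsplit(page_origin)
        return (target.scheme, target.netloc.lower()) == (page.scheme, page.netloc.lower())
    if expr.startswith("'"):
        return False  # 'none' and other quoted keywords never match a URL
    if expr == "*":
        return target.scheme in ("http", "https")
    if expr.endswith(":"):
        return target.scheme == expr[:-1].lower()  # scheme source: https: data:
    scheme, _, rest = expr.rpartition("://")
    allowed_host = rest.split("/")[0].split(":")[0].lower()
    if scheme and target.scheme != scheme.lower():
        return False
    if allowed_host.startswith("*."):
        return host.endswith(allowed_host[1:])
    return host == allowed_host


def is_allowed(policy, resource_type, url, page_origin):
    """resource_type is the directive prefix: 'script', 'img', 'font', 'style', ..."""
    directives = parse_csp(policy)
    sources = directives.get(resource_type + "-src", directives.get("default-src"))
    if sources is None:
        return True  # no directive governs this resource type
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    origin = "https://www.example.com"  # constructed page origin
    checks = [
        (EXAMPLE_3, "script", "https://code.jquery.com/jquery.min.js"),
        (EXAMPLE_3, "script", "http://www.example.com/app.js"),
        (EXAMPLE_3, "img", "data:image/png;base64,AAAA"),
        (EXAMPLE_2, "script", "https://cdn.example.net/x.js"),
        (EXAMPLE_1, "object", "https://cdn.example.com/x.swf"),
    ]
    for policy, kind, url in checks:
        print(kind, url, "->", is_allowed(policy, kind, url, origin))
```

Under Example 3 any HTTPS origin is an allowed script source, so that policy enforces secure transport rather than an allowlist of script hosts; Example 2 is the one that restricts scripts to named hosts.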

So for any of these examples, when added to your site’s .htaccess file or server configuration file, the code tells supportive browsers which dynamic resources are allowed and/or not allowed. But seriously, if you’re thinking about adding the powerful Content-Security-Policy security header, take a few moments to read thru some of the documentation:

Where to get help with CSP

Yes CSP can be confusing, but there is no reason to despair. There are numerous online tools that make it easier to figure out how to implement CSP, for example here are some top sites:

A quick search for “csp test online” yields many results.

Even better, they now have “CSP generators” that literally write the code for you based on your input variables. Here are two solid looking CSP generators:

There are lots of useful tools out there to make CSP easier. Just enter your information and copy/paste the results. If in doubt, use multiple tools and compare the results; the code should be the same. If not, don’t hesitate to reach out to the tool providers, who will be able to answer any questions, etc.

All Together

For the sake of easy copy/pasting, here is a code snippet that combines all of the above-described security headers.

Important: before adding this code to your site, make sure to read through each technique as explained in corresponding sections above. There may be important notes and information that you need to understand regarding each particular directive included in this code snippet.

# Security Headers
<IfModule mod_headers.c>
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Frame-Options "SAMEORIGIN"
	Header set X-Content-Type-Options "nosniff"
	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
	# Header set Content-Security-Policy ...
	Header set Referrer-Policy "same-origin"
	Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>

As with each of the above techniques, this code may be added to your site via .htaccess or Apache config. Understand that this technique includes commonly used configurations for each of the included headers. You can (and should) go through each one to make sure that the configuration matches the requirements and goals of your site. Also remember to test thoroughly before going live.

Note: Notice the following line in the above “Security Headers” code snippet:

# Header set Content-Security-Policy ...

The pound sign or hash tag or whatever you want to call it means that the line is disabled and is ignored by the server. This means that the Content-Security-Policy directive is “commented out” and thus not active in this technique. Why? Because as explained previously, there is no recommended “one-size-fits-all” CSP example that works perfectly in all websites. Instead, you will need to replace the commented out line with your own properly configured CSP header, as explained above.

Testing

Once you are done, you can use these handy Geekflare Tools to test that your security headers are working properly.
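
The same check can be run locally against a captured response. This is an added example, not part of the original article or of any tool named here: it parses a raw HTTP response and reports which of the seven headers are missing or carry an unexpected value. The sample response is constructed to match what the combined snippet above would send, and the function names are hypothetical.

```python
import re

# Constructed response: what the combined "Security Headers" snippet would
# emit, with the Content-Security-Policy line still commented out.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Referrer-Policy: same-origin\r\n"
    "Feature-Policy: geolocation 'self'; vibrate 'none'\r\n"
    "\r\n"
)

REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def parse_headers(raw):
    """Header names are case-insensitive and may repeat: name -> list of values."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _check_hsts(value):
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    if not match:
        return "max-age missing"
    if int(match.group(1)) == 0:
        return "max-age=0 switches HSTS off"
    return None


# Each check returns None when the value is acceptable, else a short finding
CHECKS = {
    "x-xss-protection": lambda v: None if v.replace(" ", "").lower() == "1;mode=block"
    else "expected 1; mode=block",
    "x-frame-options": lambda v: None if v.upper() in ("DENY", "SAMEORIGIN")
    else "expected DENY or SAMEORIGIN",
    "x-content-type-options": lambda v: None if v.lower() == "nosniff" else "expected nosniff",
    "strict-transport-security": _check_hsts,
    "referrer-policy": lambda v: None if v.lower() in REFERRER_POLICIES else "unknown policy value",
    "feature-policy": lambda v: None if v else "empty policy",
    "content-security-policy": lambda v: None if v else "empty policy",
}


def audit(raw):
    """Return {header: finding} for every header that is missing or off."""
    headers = parse_headers(raw)
    findings = {}
    for name, check in CHECKS.items():
        values = headers.get(name)
        if not values:
            findings[name] = "missing"
        elif len(values) > 1 and name != "content-security-policy":
            findings[name] = "sent %d times" % len(values)
        else:
            problem = check(values[0])
            if problem:
                findings[name] = problem
    return findings


if __name__ == "__main__":
    for header, finding in audit(SAMPLE_RESPONSE).items():
        print(header + ": " + finding)
```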

14 Top CMS Platforms in 2021

Are you struggling to decide what CMS platform to use for building your new website?

A CMS (Content Management System) platform lets you easily create and manage a website without understanding any code (at least for most of them). There are lots of CMS options available, which means you might struggle to choose the best CMS for your needs.

In this article, we’ll be explaining why it’s so important to choose the right CMS platform for your website. We’ll also share our top picks for the best CMS platforms along with a comparison.

What is a CMS Platform?

A CMS platform (content management system platform) is a piece of software that allows you to easily manage content and create a website.

Normally, web pages are written in HTML, JavaScript, and CSS programming languages. If you were to build a website without a CMS platform, then you would need to learn these languages and write a lot of code.

CMS platforms solve this problem by allowing you to make a website without writing code or learning programming.

Unless of course, you’re looking for a developer-friendly CMS which means you already know how to code.

How to Choose the Best CMS Platform for Your Website

There are lots of different CMS platforms out there, so which one should you pick? Before we jump to our CMS platform comparison, here is what you should look for in a good CMS.

Ease of use

You want a CMS that makes it easy for you to create and edit content. This often means having a drag and drop interface, so you can add different elements on your pages.

It should be quick and straightforward for you to make changes to the content on your site after publishing it.

Design options

Your CMS software should offer you plenty of website design templates to choose from. It should also allow you to easily customize those designs to your own requirements (ideally without writing code).

Data portability

A great CMS platform should have tools for you to easily export your data and move it elsewhere.

For instance, you may later decide to choose a different platform or a different hosting company. Data portability makes it easier for you to move around with complete freedom.

Extensions and addons

Not all websites are the same. This is why it is impossible for any CMS platform to come with all the features that would fulfill requirements for every website.

Extensions and addons fix that problem. These are separate software that you can just install on your CMS software to extend its features and add new ones when needed. Think of them as apps for your CMS platform.

Help and support options

Although CMS platforms aim to make building a website as straightforward as possible, you still might have some questions. Find out what help and support is available if you get stuck.

Some CMS providers will have a handful of FAQs and a customer service team that’s painfully slow to respond. Others will have a big supportive community that can help you any time of the day or night.

How much does it cost?

Some CMS platforms are completely free. Others charge a monthly fee. Even with free CMS platforms, you’ll often need to pay for third-party extensions, designs, and/or web hosting services.

Try to find out as much as you can about the pricing before you choose your CMS, so you don’t have any nasty surprises.

With these things in mind, let’s take a look at the best CMS platforms to choose from.

1. WordPress.org

WordPress.org is our number one choice for the best CMS platform. It’s the world’s most popular CMS software, and it powers around 35% of all websites on the internet.

It’s important to not confuse WordPress.org with WordPress.com. WordPress.org is a free open source CMS originally designed for blogging, but now it’s used by all sorts of websites / online stores. WordPress.com is a blog hosting platform.

If you’re not sure about the difference between the two, check out this detailed comparison of WordPress.org and WordPress.com.

Note: When we talk about WordPress on WPBeginner, we normally mean WordPress.org. We specify WordPress.com where appropriate.

You need to host your WordPress site yourself, which means finding a suitable WordPress hosting provider.

Pros

  • WordPress offers you the flexibility and freedom to build any kind of website (online store, auction site, membership site, etc).
  • It does not require any technical skills or coding knowledge. The WordPress block editor makes it really easy to create great looking pages on your site.
  • You have complete freedom to make money online from your website in any way you want.
  • There are thousands of WordPress themes and plugins available, both paid and free. These let you add all sorts of useful extras to your site, like contact forms, photo galleries, and much more.
  • WordPress is really well designed for search engine optimization (SEO). It’s easy to create SEO-friendly URLs, categories, and tags for your posts. You can also choose from plenty of SEO plugins to help you do more.
  • There’s a huge and supportive community around WordPress, as it’s an open source CMS. You can join groups like the WPBeginner Engage Facebook group to get help with any problems you run into.
  • WordPress offers a lot of extensibility which is what makes it an ideal CMS platform for both beginners and developers alike.
  • WordPress lets you download all your content in XML format, making it easy to move to a different system in the future if you choose to do so.

Cons

  • You’ll need to set up your hosting and domain name, and you’ll be responsible for managing things like security and backups.
  • Because WordPress offers so many options and so much flexibility, it can sometimes feel a little daunting when you’re getting started. This is why many beginners use drag & drop page builder plugins for WordPress.

Pricing

WordPress itself doesn’t cost anything. However you’ll need a domain name (around $9 – $15 per year) and a hosting account with a web host that can run WordPress (normally from $7.99/month).

2. Joomla

Joomla is another popular free open source CMS platform that comes with lots of different templates and extensions. It’s free to use, but you’ll need hosting and a domain name.

It was first released in 2005, so like WordPress, it’s been going for years. Joomla is packed with features, and many web hosts offer a 1 click installation. However, it’s really an ideal CMS platform for developers and experienced website creators, so it’s not such a good option for beginners.

Pros

  • Joomla gives you lots of flexibility and plenty of options. It’s a good choice if you’re building something complicated or bespoke.
  • Although Joomla is particularly useful for developers, you can still use it even if you don’t want to ever touch a line of code. It’s easy to edit your content.
  • Like WordPress, Joomla is open source, and there’s lots of community support available if you get stuck.
  • You can use Joomla to run an e-commerce store as there are extensions available for this.

Cons

  • Even Joomla fans will admit it can be pretty complex. Depending on what you want to do with it, you may well need to hire a developer to help out.
  • There aren’t that many options for additional extensions. If you’re used to a CMS like WordPress, which has thousands of available themes and plugins that extend the core functionality, you might be disappointed by Joomla.
  • There can be some compatibility issues if you have a lot of different extensions and modules installed.

Pricing

Joomla itself is free, though you’ll need to pay for a domain name and web hosting that supports Joomla. Hostek is a good generic option here, as they support all popular CMS systems.

You may find yourself paying for some extensions to add more functionality to your website. You might even want to budget for getting help from a developer, depending on what you’re trying to achieve.

3. Drupal

Drupal is another open source CMS platform. It’s the CMS behind some major websites, including The Economist’s site and a number of university sites.

Drupal is a good option for developers, or for people able to hire a developer. It’s especially good if you’re aiming to build a highly customized site that needs to handle a lot of data.

You can host a Drupal site on Hostek. They offer free installation and can even help you transfer an existing Drupal site.

Pros:

  • It’s easy to add content on Drupal. The custom content types are flexible and offer plenty of options.
  • There are lots of different modules available that you can add to your site (these work like WordPress plugins).
  • Support is available via community support options similar to other popular platforms like Joomla and WordPress.
  • User management is easy, with a built-in system where you can create new roles and specify their permissions.

Cons:

  • With Drupal, it can be tricky to figure out how to change the appearance of your site or add extras. It’s definitely not as beginner-friendly as WordPress.
  • Most Drupal websites have a heavily customized theme created by a developer, which can be very expensive.

4. WooCommerce

The WooCommerce front page

WooCommerce is the most popular eCommerce platform in the world. It’s really flexible and it’s easy to manage.

WooCommerce isn’t technically a CMS platform itself. Instead, it runs as a plugin on WordPress, so you’ll need to have WordPress on your site in order to install WooCommerce.

If it were a CMS platform, though, it’d have 5.8% of market share, according to W3Techs. That’s the percentage of all the websites in the world that use it.

Pros

  • WooCommerce is available as free software, but you’ll need WooCommerce hosting and a domain name to get started.
  • There are lots of WooCommerce themes available, which makes it really easy to get your site looking exactly how you want.
  • WooCommerce has lots of available extensions (known as WooCommerce plugins) that let you add extra functionality to your site.
  • You can sell physical or digital products using WooCommerce. You can even sell affiliate products through affiliate links.
  • You can fully manage your inventory through WooCommerce, making it easy to keep track of what you have in stock.
  • WooCommerce comes with PayPal and Stripe payments by default. You can also add any other payment gateways through extensions and add-ons.

Cons

  • There are a lot of different options in WooCommerce, which can be a bit daunting when you’re new to setting up a website.
  • WooCommerce technically works with any WordPress theme, but you may want to stick with themes made specifically for WooCommerce for extended support.

Pricing

The WooCommerce plugin itself is free, but you may need to pay for extra plugins and extensions for your online store.

You’ll also need to pay for a domain name and a web hosting account. Flywheel is a great web host to pick as they provide great support and will help you get everything set up.

5. Wix

The Wix front page

Wix is a popular CMS platform, though it has some limitations. We often get readers asking how to switch from Wix to WordPress. That’s because every smart business owner knows that WordPress is definitely better than Wix.

With that said, Wix is beginner-friendly and it might be worth considering. It offers a free plan, too.

Pros

  • Wix’s drag and drop interface makes it really easy to create pages that look just how you want. You can select any part of your page and start editing it.
  • There are lots of pre-made templates you can choose from in Wix. These are fully responsive, so they look great on mobiles and computers.
  • You can add lots of apps to your site from the Wix App Market. These work like WordPress’s plugins to give your site new features.

Cons

  • Once you’ve chosen a template on Wix, you can’t change to a different one. This could mean that you get stuck with a layout that’s not quite right for your site.
  • You can’t run an eCommerce store on Wix unless you upgrade to a paid plan, and even then, you can only accept payments using PayPal or Authorize.net.
  • Wix doesn’t allow you to easily download your data and export it. You can download your blog posts (though not your images) to move them, but if you have any pages on your site, you’ll need to copy and paste these manually. Here are some instructions on how to move your Wix site to WordPress.
  • If you’re using the free plan, you’ll have a Wix-branded domain name and ads on your site. The ads make money for Wix, not you.

Pricing

You can use Wix for free, if you’re happy with a Wix-branded domain name and ads running on your site. The paid plans offer more flexibility and start from $13 per month (paid upfront annually).

If you want to take online payments, you’ll need to pay $23/month or more (again, upfront annually).

6. BigCommerce

The BigCommerce front page

BigCommerce is a fully hosted eCommerce platform, which is sometimes called an all-in-one platform. It’s easy to get started with if you’re a beginner.

BigCommerce hosts your site for you, as well as providing the actual CMS platform itself. It also handles security and backups for you.

Pros

  • There’s a trial plan, so you can give BigCommerce a go before committing.
  • You can use a free domain name from BigCommerce, which will look something like mystore.mybigcommerce.com, or you can pay for a custom domain name.
  • There are lots of different ways you can take payments through BigCommerce. Customers can use digital wallets like PayPal, Apple Pay, and Amazon Pay, or they can pay by credit or debit card.
  • BigCommerce has support options that you can access straight from your dashboard, 24/7. These include live chat, email, phone support, community support, and more.
  • You can use BigCommerce with WordPress if you want to, which can give you the best of both CMS platforms.

Cons

  • BigCommerce doesn’t give you as much control over your store as WooCommerce. There are limited themes and integrations which may hold you back from using a third-party service to grow your business.
  • Once your sales reach a certain threshold per year, you’ll be automatically moved up to the next level of the pricing plan. This could be difficult for you if you have a lot of expenses.

Pricing

You need to pay a monthly subscription to use BigCommerce, which means it’s not so cost-effective as some other solutions. With all the plans, you can save a bit of money by paying upfront annually instead of paying monthly.

The cheapest pricing plan, Standard, is $29.95/month, for up to $50k/year sales. The priciest is the Pro plan for $249.85/month, which will cover you up to $400k sales. You’ll need to get a custom Enterprise plan after this.

7. Shopify

The Shopify front page

Shopify is another all-in-one hosted CMS platform. You won’t need to buy hosting, install any software, or manage things like updates and backups.

It has a straightforward drag and drop interface. It supports in-store sales, which is great if you have a physical store as well as an online one.

Pros

  • You can accept credit and debit cards through Shopify’s integrated payment solution, Shopify Payments. PayPal is also included as one of Shopify’s default payment providers.
  • There are lots of extensions and themes available for Shopify. You can buy third-party Shopify apps that let you add all sorts of features to your online store.
  • You don’t need to upgrade if you make over a certain dollar amount in sales, like you do with BigCommerce.
  • Shopify has 24/7 support through live chat, email, phone, and even Twitter. There’s also lots of documentation available (including written how-to guides and video tutorials) plus online forums.

Cons

  • Your costs can end up quite high, especially if you want to add lots of third-party apps to your store.
  • You may find that you want to add functionality that simply isn’t available: Shopify’s apps are more limited than things like WordPress’s plugins.

Pricing

Shopify’s pricing plans are similar to BigCommerce’s options. There’s one major difference, though. Shopify doesn’t make you move up to the next plan based on a certain dollar figure in sales.

The cheapest plan is $29/month. The most expensive is $299/month and includes more features. You get a discount for paying for a year upfront.

8. WordPress.com

The WordPress.com front page

WordPress.com is the commercial, hosted version of WordPress. It’s easy to confuse it with WordPress.org, which is open source, self-hosted WordPress.

If you’re not sure about the difference between WordPress.com and WordPress.org, you can find out more here.

With WordPress.com, you get an all-in-one CMS platform that’s hosted for you. You can purchase a domain name or use a free subdomain with WordPress.com branding.

Pros

  • WordPress.com is easy to get started with. You can add and edit content easily, and beginners tend to find it a straightforward CMS to use.
  • You can create a site with WordPress.com completely free of charge. You’ll probably want to pay for at least the cheapest plan, though, so you can use your own domain name.
  • There are different themes (designs) available for your WordPress.com site. You can easily switch between these in your WordPress.com dashboard.
  • As your site grows in size and popularity, you can upgrade to a new plan. There are lots of options, including a plan with eCommerce features.
  • WordPress.com has built-in analytics, which means you can see statistics about how many people are visiting your site in your dashboard. This does mean you can’t use Google Analytics, though, unless you’re on a Business Plan.
  • It’s quite straightforward to switch from WordPress.com to WordPress.org in the future, if you decide to change to a more powerful and flexible CMS.

Cons

  • WordPress.com has limited monetization options even with their business plan.
  • You can’t add a custom domain name unless you pay for at least the cheapest paid plan.
  • While there are plugins you can use for your WordPress.com site, there aren’t nearly so many available as there are for WordPress.org.
  • You don’t have the full control over your site that you’d have with WordPress.org.

Pricing

There is a free WordPress.com plan available, but if you’d like your own domain name (and you want to avoid WordPress putting ads on your website), you need to choose one of their paid plans.

The cheapest is $48/year ($4/month), or you could move up to other plans, including the eCommerce plan for online stores for $540/year ($45/month). Beyond this, there are WordPress VIP options offering additional features.

9. Ghost

The Ghost front page

Ghost is a CMS platform specifically designed for bloggers. You’ll often hear it described as a “headless CMS,” which might sound quite odd. This just means that the CMS platform doesn’t force content to be delivered in a specific way.

So, the content or data you produce could be shown on a website, but it could also be sent to a mobile app or something else entirely. If you’re not a developer, though, or you just want to use Ghost for blogging, you don’t need to worry about this.

Pros

  • You can use Markdown when you’re writing in the Ghost editor. Markdown is a way of formatting text where you add special characters around words to make them bold, italic, and so on.
  • Ghost has a content editor that uses cards. These work a bit like WordPress’s blocks in the block editor.
  • There’s great support for SEO (search engine optimization) built into Ghost. You don’t need to add any plugins to deliver this.
  • Ghost is well set up for charging for content, so if you want to run an online magazine or publication that people pay for, you can do this easily.

Cons

  • Ghost doesn’t offer the same amount of power and flexibility as WordPress.
  • Although Ghost started off as a CMS platform designed just for blogging, some users feel it’s become overly complicated as it now offers things like paid subscriptions for your site’s readers.

Pricing

The Ghost software itself is free, but you’ll need to pay for a domain name and web hosting. Unlike bigger CMS platforms, Ghost isn’t supported by all that many web hosts.

You can get Ghost hosting from Ghost(Pro). The basic plan is $36/month, but you’ll need to upgrade if you want extra staff users or subscribers, potentially paying as much as $249/month.

10. Magento

The Magento front page

Magento is a powerful open source eCommerce platform from the huge software company Adobe. There’s a free version you can download and install on your own web hosting account, called Magento Open Source.

If you want to use this, then Hostek Magento hosting would be a good way to get started.

If you prefer, then you can pay for Magento Commerce. This comes with full support, and is hosted for you, but it’s very expensive.

Pros

  • Magento is highly customizable, with lots of third-party extensions available that you can use to add extra features.
  • With Magento, you can handle lots of products and customers. It lets your business grow easily, without your site slowing down. (You’ll likely need to upgrade your hosting plan, though.)
  • There are some really big name brands using Magento, including Nike, Ford, and Coca Cola.
  • You can connect different payment gateways to Magento. It also comes with certain options, like PayPal, cash on delivery, and bank transfer already built-in.

Cons

  • If you’re just starting out in eCommerce, Magento might seem overwhelming.
  • It can be tricky to find good developers for Magento projects, and it can be very expensive to hire them.
  • The support available can vary, particularly if you’re using Magento Open Source and relying on online forums for help.

Pricing

Magento Commerce isn’t cheap. In fact, it’s so pricy that the Magento website doesn’t even tell you what it costs.

Prices start at around $22,000/year, which puts it outside the budget of many new businesses. If you want a powerful eCommerce CMS platform for an established business, though, it could be an option to consider.

However, many larger stores are migrating to either WooCommerce, Shopify, or BigCommerce.

11. Textpattern

The Textpattern front page

Textpattern is a simple, straightforward CMS platform that’s been available since 2003. It’s open source and has plenty of documentation to help you get started.

Pros

  • There are lots of Textpattern modifications, plugins, and templates (designs) available completely for free.
  • Textpattern has a flexible approach to how you structure your content. You can use “sections” and “categories” to organize it, and readers can subscribe to specific RSS feeds for different parts of your site.

Cons

  • There’s no 1 click installation process for Textpattern with any of the major web hosts. It’s not too tricky to install, but you will have to be comfortable with creating a database on your web host and using FTP to upload the software.
  • Textpattern isn’t particularly well known, and it’s much less popular than other CMS platforms like WordPress. You might find it hard to hire authors or developers who are familiar with it.

Pricing

Textpattern itself is completely free. You’ll need to have a domain name and web hosting account in order to use it to build a website.

12. Blogger

The Blogger front page

Blogger has been around since 1999. As you can tell from the name, it’s a CMS platform that’s specifically geared up for blogging. It’s a free service provided by Google.

Blogs on Blogger normally have blogspot in the domain, though it’s possible to use your own domain name instead.

We’ve got an article looking at WordPress vs Blogger and a guide on how to switch from Blogger to WordPress.

Pros

  • Blogger is easy to get started with. You can set up a blog in minutes, and it’s well designed for writing and publishing posts.
  • There are a number of gadgets that you can add to your blog for free so that you can include things like a contact form and even ads on your blog.
  • Your blog is hosted by Google. You don’t need to install anything, update anything, or pay for hosting.
  • Blogger offers a generous amount of space. There’s no limit on how many posts you can have per blog, and you can have up to 20 static pages. Your images are stored in Google Drive, so they’ll count towards your 15GB limit there.

Cons

  • If you want to run a website that isn’t a blog, Blogger won’t be the best CMS platform for you. It doesn’t have any eCommerce features, for instance.
  • While all the themes available are free, they’re pretty basic. You can modify them a bit, but you can’t create your own themes. If you want something more specialized, you’d need to hire a designer.
  • While you can export your posts if you want to switch from Blogger to WordPress, you’ll need to copy your pages over manually.

Pricing

Blogger is completely free and you won’t be charged anything, unless you choose to buy a custom domain name.

If you do buy a domain name, it’s best to get it from a domain registrar, not from Blogger itself. That way, you can more easily move your site away from Blogger in the future.

13. Bitrix24

The Bitrix24 front page

Bitrix24 is a business tool that offers a CMS platform alongside other features like the ability to manage your tasks, projects, communications, and customer relationships.

It’s free at the basic level (which offers up to 5GB of online storage and 12 user accounts) and offers an all-in-one solution for small businesses. If you want a CRM (Customer Relationship Management) tool, it could be a good choice.

Pros

  • The basic level of Bitrix24 is free, meaning you can try it out without committing anything.
  • There are a huge number of features included with Bitrix24, giving you everything you need to manage a small to medium-sized company.
  • The website builder has a drag and drop interface that includes landing pages and even eCommerce stores.
  • Your website hosting is free (if you’re on the free plan).

Cons

  • Bitrix24 is really geared up for use as a CRM, so if you’ve already got a CRM you’re happy with or you don’t want that functionality, it’s a rather complicated way to get a CMS platform.
  • As there are so many features, you may find the Bitrix24 interface confusing or tricky to navigate.

Pricing

The Start+ plan costs $24/month, and the Professional plan costs $199/month, with a range of options in between. You get a discount if you pay for the year upfront.

You can also opt to purchase the software to use within your organization (instead of paying a monthly fee and using it online). This costs from $1,490.

14. KOPAGE

kopage website builder

Kopage is one of the newer solutions on this list, but is also one of our favourites. If you are looking for an easy-to-use tool to create an attractive, responsive, professional-looking website, then you should definitely give Kopage a try.

Kopage is simple enough for even the most inept users to produce something decent, yet flexible enough to edit the code and add your own tweaks if you know how.

It has more than enough content blocks, widgets and embeddable applications for the average website, and it is easy enough to integrate other 3rd party apps such as Ecwid, Mailerlite, ElfSight and many others.

Unlike other site builders such as Wix, Squarespace etc, you own the data with Kopage. So you are free to host it anywhere you like, as long as you purchase a licence.

Kopage uk also offer you the option to build and manage the site for you if you don’t feel like going down the DIY route.

There are not many ready made templates compared to other site builders, however you really don’t need them. The templates are just a starting point, and once you find one you like the look of, it is easy enough to just swap out a few images and change the colour scheme.

PROS

  • Really easy to use drag and drop interface
  • Responsive, looks nice on all devices
  • Can host it anywhere
  • Zero maintenance, no requirement to install updates unless you need to.
  • Excellent support

CONS

  • Some of the modules could do with a bit more functionality
  • A few more templates would be nice
What Is a Hostname?

A hostname is a label assigned to a device (a host) on a network. It distinguishes one device from another on a specific network or over the internet. The hostname for a computer on a home network may be something like new-laptop, Guest-Desktop, or FamilyPC.

Hostnames are also used by DNS servers so you can access a website by a common, easy-to-remember name. This way, you don’t have to remember a string of numbers (an IP address) to open a website.

A computer’s hostname may instead be referred to as a computer name, sitename, or nodename. You may also see hostname spelled as host name.

Examples of a Hostname

Each of the following is an example of a Fully Qualified Domain Name with its hostname written off to the side:

  • www.google.com: www
  • images.google.com: images
  • products.office.com: products
  • www.microsoft.com: www

The hostname (like products) is the text that precedes the domain name (for example, office), which is the text that comes before the top-level domain (.com).

How to Find a Hostname in Windows

Executing hostname from the Command Prompt is the easiest way to show the hostname of a computer.

hostname command prompt command in Windows 10

Never used Command Prompt before? See our How to Open Command Prompt tutorial for instructions. This method works in a terminal window in other operating systems, too, like macOS and Linux.

Using the ipconfig command to execute ipconfig /all is another method. Those results are more detailed and include information in addition to the hostname that you might not be interested in.

The net view command, one of the several net commands, is another way to see your hostname and the hostnames of other devices and computers on your network.

How to Change a Hostname in Windows

Another easy way to see the hostname of the computer you’re using is through System Properties, which also lets you change the hostname.

System Properties can be accessed from the Advanced system settings link inside the System applet in Control Panel. Or, press Win+R and then type control sysdm.cpl to go to the correct screen.

System Properties dialog box

More About Hostnames

Hostnames can’t contain a space because these names can only be alphabetical or alphanumerical. A hyphen is the only allowed symbol.

The www portion of a URL indicates a subdomain of a website, similar to products being a subdomain of office.com.

To access google.com’s images section, you must specify the images hostname in the URL. Likewise, the www hostname is always required unless you’re after a specific subdomain. 

For example, entering www.lifewire.com is technically always required instead of only lifewire.com. This is why some websites are unreachable unless you enter the www portion before the domain name.

However, most websites you visit open without specifying the www hostname—either because the web browser does it for you or because the website knows what you’re after.
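As an added illustration (not part of the original article), the Python sketch below checks names against the letters, digits and hyphen rule described above and splits a Fully Qualified Domain Name into hostname and domain the way the earlier examples do. The function names, the 63- and 253-character limits (taken from the DNS standards, not from this page) and the sample names marked as constructed are assumptions of the example.

```python
import re

# One label: letters, digits and hyphens only, 1-63 characters, and it
# may not begin or end with a hyphen (the "LDH" rule of RFC 952 / RFC 1123).
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
MAX_NAME_LEN = 253  # longest full name, written without the trailing dot


def invalid_reason(name):
    """Return None when every label of `name` is a valid hostname label,
    otherwise a short reason string that can be logged or shown to a user."""
    if not name.isascii():
        return "non-ASCII character (internationalized names need IDNA encoding first)"
    if name.endswith("."):          # accept the absolute form "host.example.com."
        name = name[:-1]
    if not name:
        return "empty name"
    if len(name) > MAX_NAME_LEN:
        return "name longer than 253 characters"
    for label in name.split("."):
        if not label:
            return "empty label"
        if len(label) > 63:
            return "label longer than 63 characters"
        # fullmatch, not match: "$" would let a trailing newline slip through
        if not LABEL_RE.fullmatch(label):
            return "label %r breaks the letters/digits/hyphen rule" % label
    return None


def split_fqdn(fqdn):
    """Split a name as the article does: the first label is the hostname,
    everything after the first dot is the domain. Names are lowercased
    because DNS comparisons are case-insensitive."""
    reason = invalid_reason(fqdn)
    if reason is not None:
        raise ValueError("%r rejected: %s" % (fqdn, reason))
    host, _, domain = fqdn.rstrip(".").lower().partition(".")
    return host, domain


if __name__ == "__main__":
    # The first two names appear in the article; the rest are constructed samples.
    samples = [
        "www.google.com",
        "products.office.com",
        "Guest-Desktop",
        "new laptop",            # space is not allowed
        "my_host.example.com",   # underscore is not allowed
        "-edge.example.com",     # label may not start with a hyphen
        "www..example.com",      # empty label
    ]
    for s in samples:
        why = invalid_reason(s)
        if why is None:
            print("%-22s ok   -> %s" % (s, split_fqdn(s)))
        else:
            print("%-22s FAIL -> %s" % (s, why))
```

Running the check before a name reaches a DNS lookup, a log line or a shell command keeps spaces, underscores and other unexpected characters from being treated as part of a hostname.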
