There is a lot of risks related to a webpage and some of them might be high and others low, but knowing them and addressing them according to your risk acceptance, can be a good idea for both personal and commercial use.
- Register domain with hidden PII [punktum.dk or hosting provider]
- Enable MFA via Mit-ID on domain [punktum.dk]
- Enable MFA at hosting provider admin panel [eg. simply.com]
- Enforce DMARC, SPF and DKIM on domain to protect email.
- Enable DNSSEC on domain
- Disable SSH, etc. if possible or create very long passwords (40+).
- MFA on CMS login [eg. WordPress site using authy]
- Remove all plugins not used
- Remove all themes not used
- Register WPScan API and scan for known vulnerabilities. [WPScan]
- Security scan the site on sitecheck.sucuri.net [Sucuri Sitecheck]
- Install WordFence plugin and register as minimum, the free license [WordFence]
- Set WordPress plugins and themes to autoupdate
- Setup continuous website monitoring on shodan.io [Shodan.io]
- Create your security.txt file [securitytxt.org]
- Test website configuration and mail [SikkerPåNettet.dk] (Ignore ridiculous IPv6 errors]
The above are the things I came up with, when registering a new personal domain and website. The more important/commercial the website is, consider DDoS protection, WAF, etc. provided by CloudFlare, Imperva or others.
If selfhosting, Install EDR on the servers use CIS Benchmarks and SELinux, rotate DKIM keys, periodically, etc.)
Enjoy !