Squarespace Help: How Squarespace Addresses the Technical Security Challenges of WordPress Websites
Reliability and security are non-negotiables when you are looking to design (or redesign) a new business website. According to Terranova Security, 60% of small businesses go out of business after being victims of a cyber attack. Most of these MSMEs (Medium Small Scale Enterprises) are served by website builders, also popularly known as CMSs (Content Management Systems). Small businesses often choose this option, instead of going the custom-build route, because they want to launch their website faster, pay less, manage their content easily, and not have to deal with lots of technical jargon. While these considerations are good, unintentionally choosing an unreliable or insecure website builder can put your business at great risk.
For a business owner whose expertise is within your own domain, avoiding this pitfall can be challenging. Moreso because you are spoilt for choice among the huge range of website builders available on the market today. There's the popular options, like WordPress, Squarespace, and Wix and there's the lesser known options like Carrd, or Strikingly. How do you choose? And when you do choose a CMS, how do you make sure it's reliable and secure? As Official Squarespace Web Designers, we are biassed towards the website builder we’ve used to enable the growth of 500+ businesses like yours across the world. But before all of that, we are primarily tech enthusiasts, business people, and Internet Professionals who can help you make sense of the technical data you need to make the right choice for your business. So here goes!
WordPress or Squarespace? An Analysis of Available Security Measures.
Everyone trying to choose the right website builder has to think about WordPress at some point! WordPress remains one of the most popular Content Management Systems today but its security gaps are a well known fact. These gaps constantly expose Wordpress users to risks such as data breaches and other cybersecurity attacks. A nightmare no business owner wants to repeatedly deal with. Where WordPress assigns the responsibility of website security to the user, Squarespace offers an alternative approach with in-built security features that are seamless and effective.
In this article, we will analyse the security vulnerabilities pertinent to WordPress, and how SquareSpace addresses these vulnerabilities.
Vulnerabilities in Themes, Plugins and Password Systems.
In the year 2022 alone, Kaspersky, a cybersecurity company disclosed that WordPress was discovered to have a total of 1779 vulnerabilities– among these, 97 were in its themes, and 1659 were found in its plug-ins. Plug-ins are third-party software add-ons which come with their own risks. Gergely Kalman, a verified Expert in Engineering has noted numerous instances where 3rd party software such as WordPress plugins resulted in unauthorised access to the administrative system of a website. WPSecurity Ninja noted that when a security vulnerability is discovered in a plug-in, it becomes public knowledge. This ends up leaving a backdoor open for potential hackers. This means, in the event that a user forgets to update a plugin or uninstall an unnecessary one, their business website is exposed to an even larger risk.
Squarespace simply helps you avoid these worries by removing plug-ins (unverified third-party softwares) that need to be constantly updated, and themes (often from unverified sources) from the heart of your web design process. At Winn-Brown & Co, we offer custom template builds that are 100% yours and 100% developed and built on Squarespacs’s secure platform.
Weak Password System and Lack of Two-Factor authentication
Beyond this, WordPress has a weak password system. Astrasecurity mentions that WordPress faces an average of 90,000 attacks per minute, and 8% of WordPress websites are successfully hacked due to their weak passwords. Through brute-forcing or credential stuffing, hackers easily infiltrate websites that use WordPress as a CMS. Brute-forcing entails the use of automated tools by hackers. These tools generate possible combinations of symbols, numbers and symbols until they succeed. In addition, hackers simply guess password pairs from personal information or password leaks from other sites.
On the other hand, credential stuffing involves hackers utilising large databases of username and password combinations from breached sites to gain unauthorised access to other sites where similar combinations might be used. This 2021 Report from Verizon found that 95% of the monitored organisations received between 637 to 3.3 billion brute-forcing attempts.
While WordPress offers to tackle this vulnerability with plugins, with Squarespace, you can simply turn on your 2-factor Authentication (2FA) without having to install an extra add-on. All your website(s) are hosted within a single Squarespace account offering you access to a strong security cover that works for one and all.
Poor User Control and Permission System
WordPress websites suffer from poor user permission management. If a user with high access rights gets compromised, a hacker could obtain remarkable control over the website, leading to devastating consequences. When this occurs, hackers can manipulate the content of the website with SEO Spam injection to increase their own Search Engine Ranking, ultimately weakening the user’s competitive leverage. Hackers can also steal sensitive information from the website database such as passwords or financial information. This breach can lead to significant damage to the reputation of a business website if it caters to users with high profiles such as public figures.
This is another vulnerability Squarespace's inbuilt 2 Factor Authentication feature can address. In addition to this, Squarespace enables the site owner to easily track suspicious activities within Squarespace's Login Activity Panel. The site owner can track users’ browsers, IP addresses, operating systems, date and time of their first login and if they observe suspicious activity, force unauthorised users to log out remotely.
Unrestricted XML-RPC Protocol and DDoS attacks.
Another WordPress-specific security vulnerability lies in its XML-RPC Protocol. The XML-RPC (Remote Procedure Call) allows one computer to request a service from another system over a network with XML (Extensive Procedure Language). This is similar to the delegation of a task to a coworker in another department. With XML-RPC, WordPress allows site owners to publish content to their website from anywhere; from mobile devices or third-party apps. While this automation can be valuable, an Unrestricted XML-RPC can become a gateway for attackers through Brute-force attacks and DDoS attacks.
DDoS attacks can be explained like this; As a business owner who owns a store, consider a group of people suddenly flooding the entrance preventing your real customers from coming in. DDoS, also known as Distributed Denial-Of-Service is similar to online traffic, where attackers use infected computers to send a massive wave of requests to a website, inhibiting it from responding to real users due to overloaded servers.
According to Cloudflare’s DDoS threat report, HTTP DDoS attacks increased by 111% in 2022 from 2021 and Ransomware attacks increased by 67% during the same period.
If you have a checkout page on your business website, DDoS attacks mimic requests for purchases which can render your website slow and inaccessible, ruining the business experience for your customers altogether. While WordPress users can disable XML-RPC to mitigate hacking risks, Squarespace’s security system protects its sites from DDoS attacks in general through its built-in protection(s). Squarespace has a fully managed cloud hosting solution that supports billions of monthly views, providing 99.9% uptime against cyberattacks. In their data breach report, IBM relays that in North America alone, retail accounts for 14% of cyberattacks. To proactively combat this, Squarespace’s Security Operations Center (SOC) assumes a pivotal position by monitoring threats all hours of the day to tackle security vulnerabilities and ensure its websites are protected. The SOC infrastructure also tracks suspicious behaviour and contains it rapidly with its hybrid combination of advanced automation and cybersecurity analysts.
Malicious Plug-Ins
According to Kaspersky, the issue with plugins extends beyond just malfunctioning ones. Plugins exist that are either intentionally created to allow hackers to gain unauthorised access to websites or are once-legitimate plugins abandoned by their developers. These abandoned plugins can be repurposed by hackers as a backdoor for malicious activities.
Contrastingly, Squarespace provides a comprehensive suite of built-in features. Thanks to these extensive range of features, Squarespace users can establish and manage their websites without the need to install third-party plugins.
SSL Configuration Issues
Secure Sockets Layer (SSL) is a security protocol designed to encrypt the connection between a website and its users, ensuring that any data exchanged is secure and unreadable to outsiders. WordPress users often encounter SSL-related issues, largely due to the sheer number of plugins and themes that may not always be compatible. This incompatibility can arise when certain plugins enforcing SSL conflict with existing website settings.
A common vulnerability in using WordPress as a Content Management System (CMS) is SSL misconfiguration. This issue becomes apparent when a website, intended to load securely over HTTPS, defaults to an HTTP connection, indicated by a 'Not secure' warning in the browser's address bar. Such misconfiguration opens the door for attackers to decrypt sensitive information, potentially leading to data breaches.
In contrast, Squarespace automatically secures all domains hosted on its platform with free SSL certificates. This certification guarantees that all website pages, particularly data-sensitive ones like checkout pages, load securely over HTTPS instead of the vulnerable HTTP. SSL protection is crucial for guarding against phishing, where fraudulent web pages mimic legitimate ones to trick users and steal sensitive data such as passwords, personal identification numbers, and biometric information.
Moreover, Squarespace ensures that all business checkout pages adhere to Level 1 PCI compliance standards and utilise a 128-bit SSL encryption, the highest security level for businesses processing large volumes of credit card transactions. Additionally, Squarespace includes a feature for sending built-in cart recovery emails, enhancing the overall security and efficiency of online transactions.
Conclusion
Since the emergence of the first computer virus, the Morris worm, in the 1960s, the adoption of network security measures has become widespread. These challenges have led to the development of tools like antivirus software, Virtual Private Networks (VPNs), and encryption technologies. As security threats increase in sophistication, the field of network and cybersecurity has evolved to protect internet users. Yet, according to Kaspersky, 21% of individuals do not view security software as essential, considering it an unnecessary feature. However, cyberattacks target not only organisations and businesses but also individuals, with threats ranging from phishing and malware to email hacking. The UK Web Host Review also indicates that companies with 1 to 250 employees experience the highest rate of malicious emails, with one in every 32.3 emails being harmful. This statistic underscores the importance for business owners to implement cybersecurity measures to stay ahead of hackers, safeguard their customers, and secure their transactions.
Prioritising the security of a business website can mitigate the negative publicity associated with cybersecurity breaches and enhance your site’s user experience, which is a net positive for projected conversions.
In conclusion, while WordPress is a widely-used Content Management System (CMS), its security vulnerabilities can be costly. Chloe Forbes K., in explaining her switch from WordPress to Squarespace, notes that WordPress, despite being free, incurs hidden costs for domain, email, and hosting, which can accumulate quickly. She appreciates that Squarespace consolidates all these needs into one platform, eliminating the need to find separate providers for domain, hosting, themes, email, and various plugins. In her words, "It's all-inclusive." Forbes also highlights Squarespace's ability to provide a straightforward solution for business owners who want to create a beautiful, functional website with minimal effort, emphasising the tool’s simplicity and constant support.
Squarespace, with its mostly automated and built-in security features, presents a compelling alternative for brands seeking a simple, user-friendly CMS. In an ever-changing digital landscape, selecting the right CMS involves a careful balance between your business needs and the platform's capabilities. Despite WordPress's popularity, Squarespace edges it out due to its comprehensive security features, making it a safer and more reliable choice for business owners that truly care about growth.
Thinking about Migrating from Wordpress to Squarespace? We can help!