Even smaller company websites are increasingly targeted by hackers. There are many reasons for this, but they all boil down to financial or political/ideological objectives.
- To enrich themselves through your or your customers data; they use it either to get access to financial resources like credit cards or banks or sell/misuse customer data.
- To harm the victim, e.g., because of a strong disagreement with their ideological standpoint.
This is why many newspapers and governments are regularly targets of attacks.
But why is security an issue anyway? Why isn’t it ok to accept that the webpage is down for some hours and simply start it up with the clean backup? The answer is simple: if critical data gets in wrong hands, the damage and its consequences are beyond control. In past years this was not an issue as webpages were rather electronic catalogs with no or only little critical data inside. However, in times of content marketing and huge databases on customers including their behaviour, preferences and financial data, websites are the new gold-mines of organized crime.
In addition, we must not forget the damage given to SEO and your reputation once your site is classified as “dangerous.”
The longer your recovery time is, the bigger is the damage for your visibility on the Web.
This article has a close look at security relevant factors, i.e. human, procedural, infrastructure related, physical and legal factors.
While shedding light on these issues, the article compares how WordPress and HubSpot cope with them.
WordPress and HubSpot Are Two Completely Different Concepts
WordPress is an open-source content management system with plugins and themes, which are provided by a vast community of developers. It is freely available, open in most respects with file server access and Web server access. A file server is the server where you upload files via FTP or SSH protocol. A Web server is a server appliance that accepts and supervises the HTTP requests. This is level where the user configures the WordPress application through the graphical user interface of the WordPress Content Management System.
HubSpot is an all-in-one inbound marketing platform with integrated features for marketing and Web analytics, content management, social media and email marketing and an optional CRM. HubSpot reminds on Apple’s strategy of restricting freedom for the benefit of user experience and security. In particular, it only allows for Web server access. And even this access is deliberately limited.
5 Website Security Dimensions to Analyze
In the analysis, we looked at 5 factors:
- human factors
- procedural factors
- infrastructure factors
- physical factors
- legal factors
Human Factors
Security Awareness
HubSpot works with a dedicated team of security experts for site management and monitoring. An open flank for hackers in WordPress sites is the lower security awareness of site administrators, doing this activity only as a side-job with restricted availability. Not being trained regularly and not being focused 100% on the security issue leads to weaknesses in the system that are provenly exploited by hackers. Weak or old passwords are only one example of resulting mistakes.
Security Proficiency for the Complete Architecture
The strong factor at HubSpot is that they provide a dedicated security team who is 100% focused on protecting your website and data. In the WordPress case, there is no team available unless you pay for it. But even external security experts cannot cope with all the open source plugins and sources which you need to use to set up a decent website.
Availability
Another common open flank given by website operators is the lack of 24/7 availability (which would not make sense from an economical point of view). The Websites hosted by Hubspot are managed and monitored by a dedicated team with 24/7 availability.
In the WordPress case, monitoring depends fully on the management processes put in place by the Website operator. All 5 hacker attacks to one of our WordPress websites that we experienced in 2015 took place on a Saturday. Is that coincidence or proper planning by the hackers?
Access by Multiple Users
Being close to the customer means that not only marketers but also the sales team has access to the website data. Which customer was recently on the Web, what did he look at, what is his burning issue, how frequent did he come? The team members might access from home, office, hotel, airports, mobile phones, etc. All these factors let the risk for attacks exponentially grow. From a business point of view, the rapid access is vital and should not be challenged.
The WordPress infrastructure is shows weaknesses in terms of protective measures through contaminated client computers. HubSpot is pretty safe against malicious code - in fact it heavily restrains JavaScript code - the preferred cardridge of worms and troyans.
Manual theft of customer data however, e.g., by a faithless employee, cannot be ruled out. Also the leakage of customer data after a stolen password cannot be excluded by 100%. However, there are routine scans for any kind of malicious patterns on the website.
Procedural Factors
Open Source vs. Centralism
WordPress’s strong point is the huge community of open source players who continue providing applications. Unfortunately, this is a weak point at the same time, as the community provides thousands of entry points to hackers. Let us not be negative about decentralised communities. Platforms like the Apple App store or Salesforce successfully work with an ecosystem of providers, but in a rigorously controlled manner that does not leave much scope for fraud. This is unfortunately not the case with WordPress.
Level of Freedom to the Website Operators
In WordPress, the website operator can change every line of code, he has access to the Web server and the file server likewise. The Web server in WordPress is the editor environment where you enter your text and configure the website. The file server is the more critical area. Here you upload files and plugins via an FTP or SSH connection. This is a hacker’s paradise.
HubSpot excludes any access to file servers. Also, any JavaScript that allows file uploads is excluded. That would have been the backdoor for hackers to smuggle their malicious software into the website. We tested various scripts to see how far we can go with JavaScript in Hubspot. The maximum we were able to do is to include embedded YouTube videos (technically this is an i-frame script).
Regular Implementation of Security Patches and System Scans - WordPress provides regular security updates. As plug-ins are of open-source origin, this includes the risk of aggravating the sites security situation or in the worst case of importing a worm or trojan into the website.
In WordPress, this task needs to be done by the website operator, a time consuming and hence costly procedure.
In HubSpot, the high security infrastructure runs continuous scans and intrusion detection routines. HubSpot does all updates centrally, the website operator is not involved.
Rapid Escalation Routines
In order to insure business continuity, you need rapid escalation routines, environmental hazard plans, flood detection programs and so on. And you need a dedicated team who is in charge of it and able to implement it. With WordPress, it depends on the hosting provider you choose. Many of them have that service. That kind of hosting should definitely not given to self-storing startups. With HubSpot, the routines are certified for data centre continuity and recovery plans with the SOC2-certification.
Infrastructure Factors
Data Storage Security
When working with WordPress, responsibility for data storage is completely in the hands of the website operator. Normally, data is stored in an FTP environment at his website host, and everything else is up to the website operator himself. Given that, the website operator normally is not a security expert (but rather in the field of business which he tries to market with his site), it brings us back to the open flanks of human factors described above, and the related HR cost implications.
With HubSpot, storage has a whole series of security features:
- Data encryption following the TLS standard with a 2,048 bit key and application enforced authentication. TLS stands for transport layer security. This is an encryption standard which in this case protects the data at rest as well as the data which is being exchanged with the website user (through the authentication enforcement). In short, even if in a very unlikely case a hacker could intrude, he would be unable to understand the exchanged data, neither would he be able interfere with it.
- Network security to prevent unauthorised or unintended access to any internal storage, network or computing devices. HubSpot does this through a series of systems such as
- professional intrusion prevention systems (IPS).
- Web application firewalls (WAF) that protect the websites hosted at HubSpot. In fact, they bring firewall protection to the Web application layer, which is the only space where a website operator that uses HubSpot has access to.
- Distributed denial of service (DDoS) protection. Such systems protect websites against converted attacks which are often concurrently driven by thousands of bots from different addresses concurrently with the objective to make the website and its offerings unavailable to the outside world. You can compare this to a computer-driven “shit storm attack,” in a polite case only overloading the servers to compromise users from accessing the website. In more diabolic approaches, hackers are even trying to bring in malicious software or code. Especially banks or newspapers have recently been victims to such attacks.
- Proactive and continuous scanning and network testing through notable third-party auditors. A scanning every 24 hours would give potential intruders a head margin of worst case 23 hours and 59 minutes. Enough to destroy the system, steal the data and to publish sensitive customer data irrevocably in the Web. In the HubSpot case, it is done continuously.
- Comprehensive logging of all application access paths through web and application server logs. In other words, the system verifies whether the access behaviour indicates efforts for malicious attacks, like access efforts form various IP addresses concurrently, continuous typing of wrong passwords, fraud-typical activities on the website, etc.
Multilayered Security
This security measure is more holistic, embracing network, storage and physical security issues. There are many subsystems in an integrated data chain from Web-communication to entry and handling of data in the CRM. The idea of multiple security zones with autonomous firewalls, virus scanning software and authorised personnel could reduce the risk of a full system failure.
In WordPress, such a system is costly to manage. In HubSpot it comes as included system component. Even the website operator himself is kept on the upper level of the website, the webserver level. He has no possibility to access the file-servers (this is where hackers love to place malicious scripts and files). This might be disappointing for users who are accustomed to full liberty, but when looking at the security advantages, it might be worth it. In example, even the files and documents that the website operator uploads to the system are passed to the webserver (a bit like when you upload videos to YouTube). The HubSpot system transfers these files into the heart of the website only after intensively checking them.
SSL Security (Secure Sockets Layer)
SSL is a cryptographic protocol that encrypts the communication between the website visitor (his browser) and the website. This allows for confidential communication which prevents website and user likewise from being tapped by hackers.
Since summer 2015, Hubspot offers a free-of-charge shared SSL to their website customers. Wordpress users can get an SSL protection from their host. For this, you need a private nameserver, which requires a more costly hosting service. The result is the same. Both alternatives allow for encrypted communication between the website and the customer’s browser. In both cases it is unlikely that communication cannot tapped by hackers.
SSL by the way has a positive SEO effect as Google awards the trustworthiness of such certified sites.
Physical Factors
Physical Security - This includes
- audited protected buildings and access control (ideally with staged security domains),
- 24/7 security staff,
- biometric scanning,
- video surveillance,
- redundancy in IT and communication infrastructures.
In the WordPress case this depends on the hosting service you use. When working with providers like 1&1 or Amazon, physical security is given.
Legal Factors
With WordPress, all data security is in your hand and consequently in your responsibility. In case of a data law breach (e.g., sensitive customer data is stolen from your website), it is pretty impossible to claim and responsibility from your providers. There are too many (hosting service, WordPress, open source plug in providers) and there are terms and conditions which exclude any kind of responsibility for any damage or legal consequence.
HubSpot complies to US and EU Safe Harbour. This is a pretty high level or security, but in fact it only secures that it complies to its terms and conditions. The good thing is that HubSpot is also willing to sign a contract compliant to German data protection law. This is one of the highest standards in the world. And HubSpot gives a high commitment in its terms and conditions and if requested, its confidential disclosure agreement in compliance with German law.
FACEBOOK's recently lost law suit at the European Court will push HubSpot one step further.
The reason: the European Court of Justice considers Safe Harbour as “not safe” from a European view point of data protection.
This is great news for us! The European Court granted companies a transition period into 2016 to straighten things up again. A modernization and harmonization of the European data protection (decided on December 15, 2015) will make sure that data protection is on the same level in all European countries by 2018.
Let us see how HubSpot will proceed. In my humble opinion, HubSpot will soon host its European data in Europe.
CONCLUSION
Let us not be security maniacs. But let us also think of the losses we or our customers may face when our site is hacked, non operational and shooting down in page rank. Imagine the image damage that your customers face when their data is exposed and misused.
When the costs are compared between HubSpot and WordPress, we regularly follow discussions about the relatively high price of HubSpot as compared to the zero WordPress costs. But you need to compare all costs. If you count the personnel costs the calculation comes to a complete different result. An you may also think about costs caused by malicious intrusion, e.g., lost business or compensation of damage.
Our personal conclusion in most of our sites: We cannot afford to be dead cheap.
References and Further Reading
- A Beginner's Guide to SSL: What It Is & Why It Makes Your Website More Secure (2015) by Jeffrey Vocell
- How to secure a WordPress website with SSL certificate? (2015) comment by Brad Dalton
- The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid (October 2015),
by the Court of Justice of the European Union, PRESS RELEASE No 117/15:
If you look at security for a strategic perspective, e.g., because you are the CISO in a large corporation, a bank, or a government, please have a look at our co-edited posts on the Cryptomathic Web-page. These folks secure several government infrastructures and a big part of the credit card transactions all over the globe:
- The Crypto Blog by Cryptomathic
Ulrich Scholten thanks Ashig JA, security expert and penetration tester for banks and governments for his appreciated advice.