Is Squarespace Safe? An Honest Deep Dive into Website Security Data
The internet is much like a city, with good places and bad places, people you can trust and people you can’t. When you live in a big city, you don’t go out without locking your door. A website without the proper security mechanisms is just like leaving your house unlocked. It can leave your and your clients’ private information open to hackers. In this day and age your website and your domain are THE most important assets your business possesses. With that in mind, we’re asking the question - how secure is Squarespace? In this guide, we compare Squarespace’s breach statistics against WordPress to see who really protects your data. In short - Squarespace is extremely secure, but let’s dig into why and how it compares with other platforms.
The Walled Garden vs. The Wild West
Is Squarespace more or less secure than Wix? To answer that, it’s important to understand that these are two completely separate beasts. When WordPress launched in 2005 it was a game changer. Compared to what had come before, it offered a modern and user-friendly platform for managing content. Soon an entire ecosystem of plugins sprang up, allowing users to extend the functionality of their sites with little to no coding knowledge. In a short space of time, WordPress had transformed from a simple blogging tool to a powerful engine that still powers most of the world’s websites today. How was it able to scale so fast and with such a sharp eye for the features that users needed? A little thing called ‘Open Source’, meaning that anyone anywhere can access, modify, and distribute the code with minimal restrictions. Some of the most important software ever developed works this way. It’s a development model that harnesses the power of collaboration to foster innovation and accessibility. Best of all, it’s free. That’s the power of WordPress: if you browse the themes and plugins you’ll find that many of them are available without paying a penny. But it’s the open source nature of WordPress that also exposes its biggest vulnerability. It’s not a finished product, it’s a tool for building the finished product. A website built on WordPress is only as good as the developer who built it and who provides regular updates to it. Think of it like building a house. You can have the most fantastic plans for your house but if you don’t hire a decent architect to build it you could be in trouble!
Conversely, Squarespace is not open source. The enterprise-grade platform was developed by a team of engineers and the code is very much closed and walled in. While it provides much less functionality and scalability than WordPress, the model is infinitely more secure because the code has been written and stress tested by a multibillion-dollar company rather than an independent coder in their bedroom. Squarespace’s Security Operations Center (SOC) monitors for threats and vulnerabilities 24/7 and handles any required updates for you. Your site is constantly monitored to ensure it’s in compliance with global privacy and payment standards. So it’s looking pretty good for Squarespace in this department, but let’s explore further.
Squarespace vs. WordPress: The Hacking Statistics
When it comes to the stats, we have a clear loser. WordPress accounts for 95.5% of all infected websites online, with sites facing roughly 13,000 hack attempts per day on average. Why? Because hackers understand that a WordPress website that has not been well configured and regularly maintained with security updates is extremely vulnerable to attacks. In fact, new hackers who are learning their craft frequently target WordPress sites for practice.
For Squarespace, infection rates are statistically negligible in public reports because it’s a closed system. 93-98% of WordPress vulnerabilities are caused by plugins (software the user has added). Squarespace eliminates that risk by vigorously vetting all integrations for quality and security.
Squarespace Security Features Under the Hood
SSL Certificates
In your travels across the web you have likely, at some point, run into this warning message: ‘This website is not secure’. Now, if it was a website you trusted then you might have continued on but, nine times out of ten, you probably closed the tab and never went back. So what’s going on? What makes one site ‘secure’ and another ‘insecure’? If you look to the left of the URL bar in your web browser you may have noticed the little ‘lock’ icon. This means that the website you are on has a valid SSL certificate - a digital file that authenticates a website's identity and enables an encrypted connection. It protects sensitive data like passwords and credit card details from any eavesdropping third parties. It’s extremely important that your website has one of these for both security and SEO. Google penalises websites that aren’t secure and many users won’t even be able to access them because their web browser sees the site as a threat and blocks it. Squarespace provides SSL certificates automatically and free of charge with all plans. If you’re building your site on WordPress, be aware that you might have to configure the certificate yourself.
DoS Protection
A DoS (Denial of Service) attack is when hackers create massive amounts of traffic to your website with the intention of overwhelming and crashing it. In 2016 a major DoS attack took down Netflix and what was then known as Twitter. A tool of state-sponsored cyber warfare, it’s also commonly used on a much smaller scale by independent hackers seeking to cause damage.
Squarespace has solutions designed to protect against and mitigate the effects of DoS attacks. The fully-managed cloud hosting supports billions of monthly views and provides 99.9% uptime - making your website a fortress that most hackers wouldn’t bother trying to contend with.
WAF (Web Application Firewall)
A bit like an alarm system on your property, a Web Application Firewall is a security system that filters, monitors, and blocks malicious traffic. The technology evolved in the late 1990s in response to a rise in attacks on web applications. Squarespace’s security engineers and architects employ this invisible shield to keep your website safe. WordPress does not have the feature built in but it is available via multiple plugins, some of which have free tiers.
PCI-DSS Compliance
All of Squarespace’s built-in payment processor integrations are compliant with PCI-DSS. Sensitive card data is never handled by Squarespace. It goes directly to the payment processor’s servers; Squarespace doesn’t have access to this information.
Login Activity
Use the login activity panel to review your account’s active login sessions and spot any suspicious logins from devices you don’t recognise.
Password Protected Pages
If required, hide individual pages behind passwords in page settings to prevent them from being publicly accessible.
Two-Factor Authentication
Add an extra layer of security and prevent unauthorized access to your account by enabling two-factor authentication (2FA).
Data Privacy
The privacy and security of Squarespace customers’ data is a top priority. Squarespace work diligently to ensure they are prepared to meet the demands of global data privacy laws like GDPR as a company and for you.
How Squarespace Sites Get Hacked - The Human Factor
The single most effective form of hacking requires no code and little to no technical knowledge. It’s known as the art of social engineering. Imagine you’re a hacker trying to gain access to the credentials of key individuals at an organisation. After a quick scan of LinkedIn, you call the IT department. ‘Hi, this is Colin from the central London office. I’ve got a presentation in 5 minutes and I’m locked out of my account - can you reset my password?’. You may be thinking ‘How could someone fall for this?!’ but they do - every day. In fact, social engineering attacks against insurance and finance companies are on the rise.
You may have heard of phishing - where cyber attackers impersonate trusted entities like banks or colleagues with fake emails, calls or texts to trick you into revealing passwords, bank details or other sensitive information to steal money or gain access to systems.
Another vulnerability could be your choice of password. You know, the one you have written on a post-it note stuck to your screen. The same one you use for all of your other applications and services. It’s often the case that hackers don’t have to steal your password - all they have to do is guess it. This form of ‘hacking’ accounts for more cases than you might think. Once a hacker gets in they can transfer ownership of your website, change the content and make charges on the card attached to the account. That’s why it’s important to use a strong password and avoid sharing it with anyone where possible. If you need to add a user to your site, be sure to send them an invite so that they can create their own account login details (and you can remove them in the future if needed). Your account is a valuable asset that only you should have access to.
You may have noticed that the number of data leaks is on the rise. Hackers gain access to large numbers of stolen usernames and passwords and automate the entering of that information into login pages - a process known as credential stuffing. It’s important that you monitor whether your data has been in any breaches; most modern web browsers provide notification of this in the password settings.
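The two login attacks described above, guessing one account’s password and credential stuffing across many accounts, leave different traces in login records. The following is an added example, not part of the original article and not Squarespace’s code: it labels source IPs in a constructed login log and lists accounts that need a password reset. The log format, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data): "<time> <source-ip> <account> <result>"
SAMPLE_LOG = """\
10:00:01 203.0.113.7 carol@example.com FAIL
10:00:02 203.0.113.7 dave@example.com FAIL
10:00:03 203.0.113.7 erin@example.com FAIL
10:00:04 203.0.113.7 frank@example.com OK
10:00:05 203.0.113.7 grace@example.com FAIL
10:00:06 203.0.113.7 heidi@example.com FAIL
10:05:10 198.51.100.23 admin@example.com FAIL
10:05:11 198.51.100.23 admin@example.com FAIL
10:05:12 198.51.100.23 admin@example.com FAIL
10:05:13 198.51.100.23 admin@example.com FAIL
10:05:14 198.51.100.23 admin@example.com FAIL
10:09:00 192.0.2.10 bob@example.com FAIL
10:09:20 192.0.2.10 bob@example.com FAIL
10:09:45 192.0.2.10 bob@example.com OK
"""

def parse(log):
    """Yield (ip, account, succeeded) for each well-formed line."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] in ("OK", "FAIL"):
            yield fields[1], fields[2], fields[3] == "OK"

def classify_sources(log, min_failures=5):
    """Label source IPs by the shape of their failed logins (assumed thresholds)."""
    failed = defaultdict(list)
    for ip, account, ok in parse(log):
        if not ok:
            failed[ip].append(account)
    verdicts = {}
    for ip, accounts in failed.items():
        if len(accounts) < min_failures:
            continue  # a few mistyped passwords from a real user
        spread = len(set(accounts)) / len(accounts)
        # Stuffing replays leaked pairs: many accounts, about one try each.
        # Guessing hammers one account with many candidate passwords.
        verdicts[ip] = "credential-stuffing" if spread >= 0.8 else "password-guessing"
    return verdicts

def accounts_to_reset(log, min_failures=5):
    """Accounts that logged in successfully from a flagged source."""
    flagged = classify_sources(log, min_failures)
    return sorted({acct for ip, acct, ok in parse(log) if ok and ip in flagged})
```

A successful login from a flagged source, like the fourth line of the sample, is the case that matters most: that account’s password was in the attacker’s list and should be reset.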
To conclude, Squarespace is just about the safest web platform out there but no business can ever be 100% protected against cyber attacks. It’s important to stay vigilant and keep your login details secure. If you do go down the WordPress route, be sure to hire an expert who can ensure that your website is secure and well managed.