Sr. Front-end Developer, 8+ Years of Web Development on HubSpot and Various CMSs
May 25th, 2020
The way in which a website’s security, or lack thereof, can be exploited is dependent on the method or goal of the attacker and the ways in which the website can be compromised.
That said, HubSpot-hosted sites are less vulnerable to cyber attack than most.
WordPress sites, which make up about 35% of all sites on the internet, are typically more vulnerable, often because third-party plugins or themes offer attackers a way in.
Regardless of your hosting platform, you should always be well-versed in the basics of cyber security. For your edification, here’s a primer.
What makes a website vulnerable to cyber attack?
There are a variety of ways in which someone could abuse website security loopholes to their own benefit.
Depending on the motivation for the attack and the features being exploited, a combination of techniques may be used to access parts of the website’s server or database as needed.
However, one of the most common methods revolves around a concept known as injection, and it is often just the first part of the attack.
Injection is the process of reading, modifying, or executing parts of a website by exploiting a flaw in which input supplied from the front-end (a form field, a URL parameter, a cookie) is treated by the server as part of a command, such as a database query, a file path, or a script, rather than as plain data.
The front-end of a website is the code which is accessible by using a browser to visit its URL.
Every website is hosted on a server, and when you visit its URL you are actually being rerouted to a specific IP address that loads data from various files — and sometimes one or more databases — to render that webpage.
It’s important to understand that the code your browser uses to display a website isn’t necessarily the same code that exists on the server.
On nearly all websites, there is server-side code such as PHP, Python, or Ruby, which is used to dynamically alter what code is provided to your browser when you visit a webpage.
The term ‘injection’ can be used to define more than one kind of cyber attack, but what it involves is using a feature that is intended to be accessed only from the server to retrieve or modify files or databases.
Depending on the attack, this could mean manipulating parts of the files used on the website or getting sensitive user information from a database that the server has access to.
Injection can be the starting point of an attack as it provides the attacker with more methods for accessing the server or databases.
This could happen by exposing new information about the server’s configuration or by injecting foreign code into parts of your website, which can then be used to perform further actions.
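The following is an added example (not code from the original post) that shows the most common form of what the paragraphs above describe: a front-end value spliced into a database query versus the same lookup written with a parameterized query. It uses Python's built-in sqlite3 module with a constructed in-memory users table standing in for a CMS database; the table contents and the inputs are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: a tiny users table standing in for a CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "admin"),
            ("bob", "bob@example.com", "editor"),
        ],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """Defective pattern: the front-end value is spliced into the SQL text,
    so the database cannot tell where the data ends and the query structure begins."""
    sql = "SELECT username, email, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value travels separately from the statement,
    so it can only ever be compared against usernames, never alter the query."""
    sql = "SELECT username, email, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against a normal value and a constructed hostile value."""
    conn = make_db()
    normal = "alice"
    # Constructed input of the kind an injection flaw accepts: it closes the
    # string literal and appends a condition that is always true.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_hostile": lookup_unsafe(conn, hostile),  # returns every row
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),  # returns nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The point of the comparison is in the two "hostile" results: the spliced query hands back the whole table, while the parameterized one returns an empty result because the hostile string is compared literally against usernames. Any server-side language used with WordPress-style databases (PHP's PDO and MySQLi both offer prepared statements) supports the same separation of statement and data.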
What makes one site more vulnerable than others?
Because injection is often the easiest way for a hacker to gain access to a site, websites with a security flaw that allows for this to happen are typically the most vulnerable to an attack.
The discussion of website vulnerability often comes up when talking about sites which are built using the popular open-source PHP-based CMS (content management system) WordPress.
WordPress is simply a website architecture consisting of a series of files that use PHP to build both the front-end website and back-end editing experience.
The majority of the website data is stored in an external database, which is used by the server to create functioning webpages.
Being able to access all of a website’s files allows any developer to have a lot of control over the website while also providing a predetermined structure that makes the addition of pre-built plugins or scripts a very intuitive process.
However, this is where the discussion of website vulnerability begins.
Because of the ability to easily add plugins or themes, WordPress is an incredibly popular platform to use for building websites. But, all of these plugins and themes were built by humans and some of them may have unintentionally used flawed code that can be exploited.
However, this does not mean that all WordPress sites are susceptible to attacks. It just makes them a bigger target, since less experienced WordPress users may not pay close enough attention to the plugins they choose to install on their website.
A hacker’s goal is to abuse a security flaw to find a creative way to access the back-end. If no security flaw exists, then they cannot gain access.
For sites using WordPress, we always encourage the use of WP Engine to help ensure your site is protected.
In addition to offering various preventive security measures, WP Engine also performs routine backups of a site so it can be easily reverted in the case of a successful attack.
Do hackers only target customer data or financial information?
Cyber attackers could have any number of motives, but they are always looking to benefit from the attack in some way. Often, they are looking to retrieve sensitive information from the database(s), which can then be sold to a third party.
But, perhaps they’re looking to redirect all user traffic from your website to somewhere else by injecting a redirect into your website’s .htaccess file. Or, perhaps they want to install a tracking script to steal analytical data.
The creativity of cyber attackers is constantly growing, and they will attempt to exploit security flaws in any way you let them.
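The .htaccess redirect mentioned above is one of the easier changes to check for from the defender's side. The following is an added example (not code from the original post) of a small scanner that reads an .htaccess file and flags any Redirect or RewriteRule directive whose target is an absolute URL on a host outside an allowlist. The allowlist, the sample file contents, and the `.invalid` hostnames are all constructed for the demonstration; a real deployment would compare against the site's own domains and ideally against a known-good copy of the file.

```python
import re
from urllib.parse import urlparse

# Hostnames this site is allowed to send visitors to (assumed allowlist).
ALLOWED_HOSTS = {"www.example.com", "example.com"}

# Apache directives that can send a visitor elsewhere. Group 1 captures the target.
REDIRECT_PATTERNS = [
    # Redirect [status] URL-path URL, plus the RedirectMatch/RedirectPermanent/RedirectTemp variants
    re.compile(
        r"^\s*Redirect(?:Match|Permanent|Temp)?\s+"
        r"(?:(?:\d{3}|permanent|temp|seeother|gone)\s+)?\S+\s+(\S+)",
        re.I,
    ),
    # RewriteRule pattern substitution [flags]
    re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I),
]


def external_target(target):
    """Return the hostname if target is an absolute URL to a host outside the allowlist, else None."""
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        host = parsed.hostname.lower()
        if host not in ALLOWED_HOSTS:
            return host
    return None


def scan_htaccess(text):
    """Return a list of (line_number, directive, external_host) for off-site redirects."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pat in REDIRECT_PATTERNS:
            m = pat.match(line)
            if m:
                host = external_target(m.group(1))
                if host:
                    findings.append((n, stripped, host))
                break
    return findings


# Constructed sample: the standard WordPress rewrite block, one legitimate
# on-site redirect, and two directives of the kind an attacker might add.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Redirect 301 /promo https://www.example.com/promo
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/$1 [R=302,L]
RedirectMatch 302 ^/wp-login\\.php$ https://tracking.invalid/login
"""

if __name__ == "__main__":
    for n, directive, host in scan_htaccess(SAMPLE_HTACCESS):
        print(f"line {n}: sends visitors to {host}: {directive}")
```

Run against the sample, the scanner ignores the normal WordPress rules (their targets are relative paths or `-`) and the on-site redirect, and reports the two lines pointing at outside hosts. Running it on a schedule, or diffing the file against the copy in version control or a backup, is a cheap way to notice this class of change early.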
Why are websites built on HubSpot less vulnerable to attacks?
One of the main features that makes HubSpot less prone to attacks is that it does not allow anyone, including developers, to directly access server-side code.
As a result, techniques like injection have far less to work with, since the server's files are not writable from the front-end in the way a WordPress server can be when a plugin or theme is flawed.
This is a double-edged sword. It makes for a more secure environment, but it also means that developers have less control than they would on a platform where all parts of the website and server can be accessed.
However, HubSpot is constantly working to expand and improve the tools it provides so developers working on the platform are still able to build powerful websites.
Also, although developers do not have access to true server-side code on HubSpot, they do have access to HubL, HubSpot's own markup language. It allows for some of the dynamic website control that server-side scripting languages provide, which would not otherwise be possible on the platform.
Does this mean HubSpot site owners don’t need to worry?
A website owner should always be concerned about vulnerability, but if your website is hosted on HubSpot you likely do not have to worry nearly as much as you might on other platforms.
Remember, what matters most is how data is used and how website code is written, since these are the ways in which sensitive information can be accessed.
Unless you’re using a custom API and have created an insecure endpoint or exposed your API key on the front-end of your website, your HubSpot site and user data are safe.
A good developer will always be careful to proactively prevent website vulnerabilities simply by using website data responsibly and ensuring their code cannot be used against them.
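The exposed-API-key case above is one a developer can check for mechanically before publishing front-end assets. The following is an added example (not code from the original post or from HubSpot) of a heuristic scanner over JavaScript shipped to browsers: it flags assignments of credential-like names to long literal strings and credential-like query-string parameters. The names it looks for (`apiKey`, `api_key`, `hapikey`, `access_token`, `secret`) are assumptions chosen for the demonstration, not a definitive list, and the two snippets it runs over are constructed, with made-up key values.

```python
import re

# Heuristic patterns for credential-like material in code shipped to browsers.
# The names are generic guesses (assumption), not any vendor's key format.
SECRET_PATTERNS = [
    # assignment such as apiKey = "..." or api_key: '...'
    re.compile(
        r"""(?i)\b(api[_-]?key|hapikey|access[_-]?token|secret)\b\s*[:=]\s*['"]([A-Za-z0-9_\-]{16,})['"]"""
    ),
    # key passed in a query string such as ?hapikey=...
    re.compile(r"""(?i)[?&](api[_-]?key|hapikey|access[_-]?token)=([A-Za-z0-9_\-]{16,})"""),
]


def find_exposed_secrets(source, filename="<inline>"):
    """Return one finding per credential-like literal; the value is truncated so reports don't leak it."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for pat in SECRET_PATTERNS:
            for m in pat.finditer(line):
                findings.append(
                    {
                        "file": filename,
                        "line": n,
                        "name": m.group(1),
                        "value_preview": m.group(2)[:4] + "...",
                    }
                )
    return findings


# Constructed front-end snippet: the kind of thing that leaks a key to every visitor.
LEAKY_JS = """\
const apiKey = "EXAMPLE0123456789abcdefEXAMPLE";
fetch("https://api.example.invalid/contacts?hapikey=EXAMPLE0123456789abcdefEXAMPLE")
  .then(r => r.json());
"""

# Constructed snippet that calls the site's own server-side endpoint instead;
# the key lives in server configuration and never reaches the browser.
# "/api/contact-proxy" is an assumed path for the demonstration.
CLEAN_JS = """\
fetch("/api/contact-proxy", { method: "POST", body: JSON.stringify(form) })
  .then(r => r.json());
"""

if __name__ == "__main__":
    for f in find_exposed_secrets(LEAKY_JS, "leaky.js") + find_exposed_secrets(CLEAN_JS, "clean.js"):
        print(f)
```

The leaky snippet produces two findings (the assignment and the query parameter); the clean one produces none, because the browser only ever talks to an endpoint on your own site that holds the key in server-side configuration. A regex check of this kind is a pre-publish guard, not proof of absence, so it pairs well with keeping credentials out of the source repository altogether.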
Where can I find more information about security and HubSpot sites?