By Tim Ostheimer

May 25, 2020



Why is a HubSpot-hosted website more secure than a WordPress site?


The way in which a website’s security, or lack thereof, can be exploited is dependent on the method or goal of the attacker and the ways in which the website can be compromised. 

That said, HubSpot-hosted sites are less vulnerable to cyber attack than most.

WordPress sites, which make up about 35% of all sites on the internet, are typically more vulnerable, often because third-party plugins or themes offer attackers a way in. 

Regardless of your hosting platform, you should always be well-versed in the basics of cyber security. For your edification, here’s a primer.

What makes a website vulnerable to cyber attack?

There are a variety of ways in which someone could abuse website security loopholes to their own benefit. 

Depending on the motivation for the attack and the features being exploited, a combination of techniques may be used to access parts of the website’s server or database as needed. 

However, one of the most common methods revolves around a concept known as injection, and it is often just the first part of the attack.

Injection is the process of writing, modifying, or executing parts of a website by exploiting a flaw that allows parts of the server to be accessed from its front-end.

The front-end of a website is the code which is accessible by using a browser to visit its URL. 

Every website is hosted on a server, and when you visit its URL your browser is actually directed to a specific IP address, where the server loads data from various files, and sometimes one or more databases, to render that webpage.

It’s important to understand that the code your browser uses to display a website isn’t necessarily the same code that exists on the server.

On nearly all websites, there is server-side code such as PHP, Python, or Ruby, which is used to dynamically alter what code is provided to your browser when you visit a webpage.

The term ‘injection’ covers more than one kind of cyber attack, but in each case it involves using a feature that is intended to be accessed only from the server to retrieve or modify files or databases.

Depending on the attack, this could mean manipulating parts of the files used on the website or getting sensitive user information from a database that the server has access to.

Injection can be the starting point of an attack as it provides the attacker with more methods for accessing the server or databases.

This could happen by exposing new information about the server’s configuration or by injecting foreign code into parts of your website, which can then be used to perform further actions.

What makes one site more vulnerable than others?

Because injection is often the easiest way for a hacker to gain access to a site, websites with a security flaw that allows for this to happen are typically the most vulnerable to an attack.

The discussion of website vulnerability often comes up when talking about sites which are built using the popular open-source PHP-based CMS (content management system) WordPress.

WordPress is simply a website architecture consisting of a series of files that use PHP to build both the front-end website and back-end editing experience. 

The majority of the website data is stored in an external database, which is used by the server to create functioning webpages.

Being able to access all of a website’s files allows any developer to have a lot of control over the website while also providing a predetermined structure that makes the addition of pre-built plugins or scripts a very intuitive process.

However, this is where the discussion of website vulnerability begins.

Because plugins and themes are so easy to add, WordPress is an incredibly popular platform for building websites. But all of these plugins and themes were built by humans, and some of them may unintentionally contain flawed code that can be exploited.

This can make WordPress sites a common target for cyber attacks due to the potential for a poorly-written plugin to have been added to a site.

However, this does not mean that all WordPress sites are susceptible to attacks. It just makes them a bigger target, since users unfamiliar with WordPress may not pay close enough attention to the plugins they choose to install on their website.

A hacker’s goal is to abuse a security flaw to find a creative way to access the back-end. If no security flaw exists, then they cannot gain access.

For sites using WordPress, we always encourage the use of WP Engine to help ensure your site is protected.

In addition to offering various preventive security measures, WP Engine also performs routine backups of a site so it can be easily reverted in the case of a successful attack.

🔎 Click here to read more information about WP Engine.

Do hackers only target customer data or financial information?

Cyber attackers could have any number of motives, but they are always looking to benefit from the attack in some way. Often, they are looking to retrieve sensitive information from the database(s) which can then be sold to a third party.

But perhaps they’re looking to redirect all user traffic from your website to somewhere else by injecting a redirect into your website’s .htaccess file. Or perhaps they want to install a tracking script to steal analytical data.

The creativity of cyber attackers is constantly growing, and they will attempt to exploit security flaws in any way you let them.
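One way a site owner could check for the injected .htaccess redirect mentioned above, as an added example that is not from the original article. It reports Apache redirect rules (mod_alias and mod_rewrite) whose target host is not on an allowlist; the function name, the allowlist and the sample file are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Apache directives that can send visitors to another URL
# (mod_alias and mod_rewrite).
REDIRECT_DIRECTIVES = {
    "redirect", "redirectmatch", "redirectpermanent", "redirecttemp",
    "rewriterule",
}
URL_RE = re.compile(r"https?://[^\s\"'\]]+", re.IGNORECASE)

def external_redirects(htaccess_text, allowed_hosts):
    """Return (line_no, host, line) for each redirect rule whose target
    host is not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line_no, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments cannot redirect anyone
        directive = line.split(None, 1)[0].lower()
        if directive not in REDIRECT_DIRECTIVES:
            continue
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in allowed:
                findings.append((line_no, host, line))
    return findings

# Constructed sample: a typical WordPress .htaccess with one foreign rule added.
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Redirect 301 /old-page https://www.example.com/new-page
RewriteRule ^(.*)$ http://unexpected.example.net/$1 [R=302,L]
"""

if __name__ == "__main__":
    for line_no, host, line in external_redirects(SAMPLE, {"www.example.com"}):
        print(f"line {line_no}: redirects to {host}: {line}")
```

Rules that rewrite to a local path, like the standard WordPress block, are ignored; only absolute URLs pointing at hosts outside the allowlist are reported.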

Why are websites built on HubSpot less vulnerable to attacks? 

There are many ways in which HubSpot proactively protects its websites, and some of these measures were put in place to stop specific methods of attack. 

However, one of the main features that makes HubSpot less prone to attacks is that they do not allow anyone, including developers, to directly access server-side code.

As a result, techniques like injection are harder to carry out, since the server is not writable from the front-end in the way that the server behind a WordPress website can be.

This is a double-edged sword. It makes for a more secure environment, but it also means that developers have less control than they would on a platform where all parts of the website and server can be accessed. 

However, HubSpot is constantly working to expand and improve the tools it provides so developers working on the platform are still able to build powerful websites. 

Also, although developers do not have access to true server-side code on HubSpot, they do have access to HubL. This is HubSpot’s own markup language, which allows for some dynamic website control similar to what server-side scripting languages can do, and which would not otherwise be possible on the platform.

Does this mean HubSpot site owners don’t need to worry?

A website owner should always be concerned about vulnerability, but if your website is hosted on HubSpot you likely do not have to worry nearly as much as you might on other platforms.

Remember, what matters most is how data is used and how website code is written, since these are the ways in which sensitive information can be accessed. 

Unless you’re using a custom API and have created an insecure endpoint or exposed your API key on the front-end of your website, your HubSpot site and user data are safe.

A good developer will always be careful to proactively prevent website vulnerabilities simply by using website data responsibly and ensuring their code cannot be used against them.

Where can I find more information about security and HubSpot sites?

If you’d like to learn more about HubSpot website security, the best place to look is on their website. Click here for more information about how HubSpot protects its users’ websites.

If you'd like help migrating your site from WordPress to HubSpot, we can help with that, too.
