Securing WordPress Sites: Unpacking The Squarespace Account Hijack Vulnerability
During one week last summer, an alarming incident arose involving the website development giant, Squarespace. More than a dozen organizations reported their websites commandeered by malicious actors. This was a problem specific to Squarespace, following their acquisition of Google Domains. For those interested in a secure WordPress website, understanding this incident could offer some valuable insights.
In a nutshell, malicious hackers learned to exploit unclaimed accounts following the migration from Google Domains to Squarespace. To take over such an account, an attacker only needed to supply an email address linked to an existing domain.
What we’ve seen is essentially a domain hijacking episode, aimed especially at organizations operating in the cryptocurrency market. Businesses like the Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains found themselves at the mercy of bad actors who could redirect their domains to phishing sites designed to steal cryptocurrency funds.
Squarespace moved around 10 million domain names from Google Domains to their service after purchasing the latter in mid-2023. Although we never received any official comment or statement from Squarespace addressing the attacks or their plans for a WordPress site cleanup, it’s speculated they were under the impression that migrating users would opt for the social login options provided.
According to security experts, such as Taylor Monahan from MetaMask, Squarespace did not anticipate that a threat actor might register for an account using an email associated with a recently migrated domain before the legitimate email holder created a Squarespace account.
What’s particularly risky in this situation is that Squarespace didn’t require email verification for new accounts created with a password. Put simply, if a domain’s administrative email never established an account on Squarespace (due to factors such as employee turnover, disregarded emails, etc.), anyone who enters the email address associated with the domain in a Squarespace form can gain unhindered control over the domain.
Further, hackers can also hijack domains if they find the email addresses connected to less-privileged user profiles that can still transfer the domain or change its Internet address. This worrying vulnerability underscores the importance of a thorough WordPress malware scan and taking measures for a more secure WordPress website.
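The missing email verification described above can be modelled in a few lines. This is an added example, not code from the original article or from Squarespace; the `Registrar` class, its method names, and the `example.org` record are constructed for illustration. It contrasts a signup flow that attaches migrated domains as soon as an address is typed with one that waits for a single-use token delivered to the mailbox.

```python
import hmac
import secrets


class Registrar:
    """Constructed toy model: migrated domains wait to be claimed by contact email."""

    def __init__(self, migrated, require_verification):
        self.migrated = dict(migrated)   # contact email -> domains awaiting a claim
        self.require_verification = require_verification
        self.accounts = {}               # email -> domains under the account's control
        self.pending = {}                # email -> unredeemed verification token
        self.mailbox = {}                # stands in for delivery to the real inbox

    def signup(self, email):
        """Create a password account (credential storage omitted for brevity)."""
        email = email.strip().lower()
        if email in self.accounts:
            raise ValueError("account already exists")
        self.accounts[email] = []
        if self.require_verification:
            token = secrets.token_urlsafe(32)
            self.pending[email] = token
            self.mailbox[email] = token  # readable only by the mailbox owner
        else:
            self._attach(email)          # weak flow: typing the address is enough
        return list(self.accounts[email])

    def verify(self, email, token):
        """Attach domains only after proof of control over the mailbox."""
        email = email.strip().lower()
        expected = self.pending.get(email)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.pending[email]          # single-use token
        self._attach(email)
        return True

    def _attach(self, email):
        self.accounts[email].extend(self.migrated.pop(email, []))


MIGRATED = {"admin@example.org": ["example.org"]}  # constructed sample record

if __name__ == "__main__":
    weak = Registrar(MIGRATED, require_verification=False)
    print("no verification:", weak.signup("admin@example.org"))
    strict = Registrar(MIGRATED, require_verification=True)
    print("before verify:", strict.signup("admin@example.org"))
    print("wrong token accepted:", strict.verify("admin@example.org", "guess"))
```

In the hardened flow the account exists after signup but controls nothing until the token from the mailbox is presented, which is the check the incident showed to be missing.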
Monahan warns that the migration process left domain owners with limited options to secure and supervise their accounts effectively. Squarespace users are essentially blind to the actions unfolding within their account or domain, and lack the controls to safeguard themselves.
For any website owner or admin, these revelations should emphasize the need to periodically adjust and examine their website’s security setup. Whether it’s removing unnecessary user accounts, disabling reseller access, or following industry-recommended guidelines for a secure WordPress website, these steps deserve prompt attention.
Another useful precaution is a regular WordPress malware scan, which gives you an objective view of your website’s security ecosystem. This incident serves as a timely reminder that every website owner has a role to play in safeguarding their platform. After all, a proactive approach can potentially save your website from devastating hijacks, costly data breaches, and the inadvertent loss of crucial information.
In conclusion, the importance of a secure WordPress website cannot be overstated. The recent Squarespace account hijacking episode is a wake-up call for all website administrators about looming digital threats and the need to prioritize cyber hygiene in today’s virtual world.