Moving to Squarespace Isn’t Like Migrating a Website to a New Host

We recently had someone contact us looking to move their website to Squarespace. They believed that doing that is like migrating a website to a new web host, but it is very different.

Squarespace is not a web host, but a website builder. With a web host, you would create a website based on software you install in the hosting account. You can then move that to another web host as long as their hosting system is compatible with the software. With Squarespace, your website is created in their own software. So you can’t transfer an existing website to them and you can’t transfer a Squarespace-built website to another web host.

When moving your website to Squarespace, you are largely starting over. Depending on what you are moving from, you can automatically move some content over to it, but otherwise everything needs to be redone.

You Can’t Migrate Your WordPress Website to Squarespace, Only Move Some of the Content

We were recently contacted by someone looking to migrate a WordPress website to Squarespace. Based on that interaction, it seems that not everyone is familiar with the implications of trying to make such a move. Put simply, those two systems are not compatible. You are largely starting over if you make that move. You can move various content, but everything else has to be done again.

Here is Squarespace’s own information on what content can be imported:

You can import the following content from WordPress:

  • Attachments
  • Blog pages, blog posts, and authors
  • Categories
  • Comments
  • Individual images
  • Site pages
  • Tags

You can’t import:

  • Content from plugins
  • Gallery images
  • Image captions
  • Images saved in your Media Library, but not attached to any posts or pages, won’t import. We recommend downloading all images in your Media Library so you have them as a backup.
  • Style or CSS. To customize your Squarespace site’s design, use the Site styles panel.

The last item that you can’t import is really important to note. All the styling will need to be redone. Depending on how advanced the design of the website is, that might not matter much (if you, say, only have text pages), but it also might dramatically undo the look of the content.

How you manage the website can also be dramatically different.

If you are simply having some trouble with your WordPress website, as the person who contacted us was, it would be better to see if that can be addressed instead of making a huge change, like switching to Squarespace. We can help you with that.

That SquareSpace Websites Can Be Hacked Seems Like It Should Have Been the Focus of This Story

We don’t think too highly of the current state of security journalism, so we were not surprised to see a journalist covering a situation where what seems to be the significant and newsworthy element was not the focus of their article.

Today, Ars Technica has a story headlined “Thousands of hacked websites are infecting visitors with malware”. That doesn’t seem all that newsworthy. The sub-headline hints at something possibly newsworthy, “Unusually advanced campaign infects people visiting a variety of poorly secured sites.” Nothing in the article though seems to back that up; here is part of what that seems to refer to:

To escape detection, the attackers fingerprint potential targets to ensure, among other things, that the fake update notifications are served to a single IP address no more than once. Another testament to the attackers’ resourcefulness: the update templates are hosted on hacked websites, while the carefully selected targets who fall for the scam download a malicious JavaScript file from DropBox. The JavaScript further checks potential marks for virtual machines and sandboxes before delivering its final payload. The resulting executable file is signed by an operating-system-trusted digital certificate that further gives the fake notifications the appearance of legitimacy.

To us that sounds like some rather common stuff.

One of These is Not Like the Others

Another part of the story did stand out to us though:

The campaign, which has been running for at least four months, is able to compromise websites running a variety of content management systems, including WordPress, Joomla, and SquareSpace.

Lumping SquareSpace in with WordPress and Joomla seems rather odd since SquareSpace is a hosted solution and the other two are software that people can install on any hosting. There is certainly a belief that SquareSpace is secure in a way that those solutions are not. For example, when doing a search on Twitter for “squarespace hacked” here are some of the top results:

https://twitter.com/mechaghost/status/979373780458876930

https://twitter.com/DesertDwellerD/status/950095157411500032

https://twitter.com/HeshamMegid/status/941650745606230016

https://twitter.com/pepironalds/status/889314095152807936

How Would a SquareSpace Website Get Hacked?

Considering how often we have seen false information being reported by security journalists, the claim that SquareSpace websites were hacked wasn’t necessarily true, so we went to look closer into that. An explanation from a SquareSpace customer as to how their website was hacked, apparently as part of the campaign discussed in the Ars Technica article, is as follows:

Customer notified us that our site may be hacked. Sure enough I went to it and noticed it basically redirected me to a full page “your version of chrome needs updating” which looked super fake, and then Norton caught a download saying Chrome_67.9.17.js will harm your computer, do you want to keep it anyways.

So I log in to the admin panel and in the GIT HISTORY it shows that one of my users, which has never even logged in before, has sent an upload: site-bundle.js last week, along with some other big list of files

How do I go about doing anything about this? I’m not used to squarespace. In the old days I’d just login to my FTP and start navigating to the files in question. But I have no clue with this stuff.

It sounds like someone’s login credentials were compromised. That is something that is platform independent, which seems like a good reminder that the focus on the software used on hacked websites can be misplaced, since websites can be hacked for a variety of reasons outside the control of the software. That makes journalists’ usual lack of concern about how websites were hacked so problematic, as a lot of people come away with a belief that certain software is insecure in a way it isn’t. Poor security coverage can therefore leave people less secure, as they come to believe that software that is actually more secure than the alternatives is less secure.

As to whether SquareSpace is better able to handle this situation as a hosted solution, one thing we ran across while looking into this seemed less than reassuring. In a help article titled ‘Google says “This site may be hacked”’, they write the following:

Google applies this message to sites when they notice something that seems suspicious, which can include normal content, especially if it has external text formatting.

This means that the message was most likely triggered by content you added to your site, not by hackers. You can use Google Search Console to figure out what’s causing the message and remove it.

Squarespace offers free SSL certificates to provide a secure connection for visitors. We use many other methods to protect our customers, including regular security scans and industry-developed and proprietary tools to guard against potential intruders, DDoS attacks, and other vulnerabilities.

We really can’t figure out what their providing secured connections (which involves more than just SSL certificates) to visitors of websites has to do with the issue they are discussing there.