Article - Ensuring the Security of Your InstaPage Community Website
Security is a high priority with our company's InstaPage homeowners association website product line. While HOA websites seldom contain sensitive data, an appropriate level of security precaution remains warranted for community websites. Accordingly, we take a number of precautions we deem advisable, as discussed in this article.
When evaluating our security protocols, many factors come into play:
- DATA SENSITIVITY: As mentioned in this article's opening, HOA websites seldom retain sensitive information. Requirements do not rise to the level of financial or insurance institutions, which control money, credit, health histories, social security numbers, etc. The most sensitive information typically retained on these sites is, potentially, users' logins, which may be the same logins they utilize elsewhere. While studies show that the vast majority of Internet users have learned not to use the same login for their bank accounts on less sensitive or important websites, we do still take steps to protect that and all data, such as:
- LIMITING SERVER ACCESS: Neither SSH nor FTP is left open on our servers; either is opened only when we must do work on a website, then closed shortly thereafter.
- SSL CERTIFICATE: While we leave it up to each client operating under their own domain as to whether or not they wish to use SSL, when in use it serves to encrypt all data transferred between a user’s browser and the server. This is the web industry standard for securing transfers. Note that we apply SSL not just to the website itself, but also to the SMTP server, so email sent through the server is sent encrypted as well. This includes the email for the “Forgot Password?” feature. We cannot recommend SSL strongly enough to clients operating under their own domains, which do require a separate SSL certificate (our domains, ips5.us and instapage.org, are SSL secured).
- PASSWORD PRIVACY: InstaPage 5.0 prevents even the Site Administrator from viewing or downloading user passwords to ensure full privacy. Additionally, all passwords in the MySQL database are stored encrypted.
- EASE OF USE/LOGIN RECOVERY FEATURE: It is not uncommon for users to forget their logins if they did not have their browser remember them. We have learned this is because users do not visit an HOA website frequently enough to recall their logins, which is further verification that they are using a login other than the primary one they might use for banks, etc., or they would easily recall it. To ensure ease of use and prevent frustrations and delays, we use the password recovery system you see. We are comfortable with its security, not only because the e-mail is sent through SSL when present on an account, but because we feel forgotten logins are NOT likely to be in use on a user's banking or frequently used websites, or the user would not have forgotten them. Further, the sending of the e-mail is immediate: the user will receive it in seconds, and most will immediately clear it from their mail server upon receipt and will act on it within minutes. Financial institutions these days use far more time-consuming and cumbersome systems that we feel are unnecessary in the HOA environment. They force you to change your password to something you have not used before, making it much less likely you will remember it, and they text your phone or call you for verification before implementing the new password. We simply feel systems such as this would be expensive overkill for an HOA website product. Literally our entire industry acts similarly.
- HISTORY ON SECURITY: InstaPage is now a product with a 15-year history behind it, supporting nearly 10,000 community associations and management firms. We have never documented a security breach resulting in compromised data. This is not just because of steps we have taken – as you know, ANY website can be hacked, just as the Russians hacked DNC mail servers and Florida election servers – but because of several practical factors. First, InstaPage is written in proprietary code, making it much less hackable or attractive to hackers as compared with, say, WordPress, where hackers know the systems, the code, their weaknesses, and how to search for WP site files to identify them as targets. Secondly, hackers have little motivation. There is neither an opportunity for financial gain from accessing an HOA website’s data nor a ‘claim to fame’ for doing so. Accordingly, we feel comfortable, given these factors and the track record, that our security protocols rise to actual client needs. Having said that, we are always monitoring and re-evaluating the evolving landscape of web security protocols.
Should you have questions, please e-mail either our support department (if a current client) at firstname.lastname@example.org, or our sales department (if you are considering InstaPage) at email@example.com.