We’re introducing a new series on our blog called “The Array”. Each month, we are going to take a list of URLs, complete a website analysis, and find out what we can learn about how different industries and cohorts build their websites. This month’s list is from the St. Louis Business Journal and looks at the Largest Advertising & Marketing Agencies in St. Louis.
In the last post, we learned that 20% of the Agency Websites had a CDN between the user and the server. One of the functions built into those systems is an additional level of security, both for monitoring malicious traffic and for protecting the site from things like Distributed Denial of Service (DDoS) attacks. But that leaves us curious about what other measures the Largest Agencies in St. Louis are using to protect themselves and their users.
Let Me Encrypt That for You
Social credibility of the Lock next to the domain is an important indicator for users. In 2019, almost half of all users surveyed were hesitant to use sites with a “Not Secure” browser bar. So it is good to see that all sites allow secure access via HTTPS. Additionally, all but one of the sites were redirected to the secure version.
Tenacity Note: For most sites, a free SSL certificate from your hosting provider will suffice if you aren’t moving a large number of transactions or high-value transactions. The process of setting up these kinds of certificates is largely automated. If you need a couple more reasons, Google penalizes non-secure websites, and current HTTPS sites are also faster than plain HTTP, so it’s a win all around!
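The two checks behind this section (does plain HTTP get redirected to HTTPS, and who issued the certificate) are easy to script against your own domain. The following is an added example and is not code from the original post; the network helpers use only the Python standard library, and the `SAMPLE_CHAIN` and `SAMPLE_CERT` values are constructed so that the evaluation functions can be exercised offline.

```python
"""Audit helpers: HTTP-to-HTTPS upgrade and certificate issuer.

Added example, not part of the original post. The fetch_* helpers need
network access; the evaluation functions run on the constructed samples.
"""
import http.client
import socket
import ssl
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 5


def fetch_redirect_chain(url, max_hops=MAX_HOPS):
    """Follow Location headers by hand, recording each hop as (status, url)."""
    chain = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.netloc, timeout=10)
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        chain.append((resp.status, url))
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in REDIRECT_STATUSES or not location:
            break
        # Resolve relative Location values against the current URL.
        if "://" not in location:
            location = f"{parts.scheme}://{parts.netloc}{location}"
        url = location
    return chain


def fetch_peer_cert(host, port=443):
    """Return the server certificate as the dict ssl.getpeercert() produces."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _bare_host(hostname):
    """Treat www.example.com and example.com as the same site."""
    hostname = (hostname or "").lower()
    return hostname[4:] if hostname.startswith("www.") else hostname


def upgrades_to_https(chain):
    """True when a chain that started on http:// ends with a 200 on https://
    for the same site. A chain that never leaves http:// fails the check."""
    if not chain:
        return False
    _, first_url = chain[0]
    last_status, last_url = chain[-1]
    first, last = urlsplit(first_url), urlsplit(last_url)
    return (first.scheme == "http"
            and last.scheme == "https"
            and last_status == 200
            and _bare_host(first.hostname) == _bare_host(last.hostname))


def issuer_org(cert):
    """Pull the issuer's organizationName out of a getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


# Constructed samples (not captured from any real site).
SAMPLE_CHAIN = [
    (301, "http://agency.example/"),
    (301, "https://agency.example/"),
    (200, "https://www.agency.example/"),
]
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
}

if __name__ == "__main__":
    print("upgrades to HTTPS:", upgrades_to_https(SAMPLE_CHAIN))
    print("issuer:", issuer_org(SAMPLE_CERT))
```

To run it against a live domain, replace the samples with `fetch_redirect_chain("http://your-domain.example/")` and `fetch_peer_cert("your-domain.example")`. The redirect check deliberately follows only a few hops and requires the final response to be a 200 on the same site, so a redirect to a parking page or a loop is reported as a failure rather than a pass.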
Certified Sure, But Are You Bonafide?
When it comes to security, we suspect most people only care that there’s a lock at the top and that the browser doesn’t “scream” Not Secure. SSL certificates are issued by certificate authorities to verify that the server behind your encrypted connection is the one it claims to be. These used to be difficult to apply for and install, but with most hosts providing automated certificates for free, it has become relatively easy to set up. Let’s Encrypt, a non-profit certificate authority from the Internet Security Research Group, has led this effort, so it’s no surprise that 52% of Agency Website certificates were issued by Let’s Encrypt.
Tenacity Note: I remember the days where you literally had to fax your information, or send it by certified mail, to the SSL issuers… what a nightmare. Also, haven’t heard of Starfield Technologies, Inc.? We hadn’t either; apparently it’s a spin-off of GoDaddy.
No, I Don’t Want Your Cookies
Ever since the General Data Protection Regulation, or GDPR, went into effect in 2018, we’ve seen cookie notifications and acceptance bars on the rise. If you only do business inside the U.S., you might not need to worry about this. But as you might expect, these notifications are showing up on St. Louis’ Largest Agencies’ websites, with 32 percent having a cookie notification bar of some kind, though those might not all satisfy the GDPR requirements.
Tenacity Note: It would be interesting to see which Agencies have Cookie Notifications and use CDNs to put their site “closer” to users outside of the United States.
What’s Your “Whatever” Policy?
When we took a look at who actually provides information on what user data they were storing, how they were using it, and what they were doing with it, 60% of the Advertising and Marketing sites had easily findable pages outlining Cookies and Privacy. But only 16% of the websites had a dedicated Cookie Policy page. Every site that had an explicit Cookie Policy also had a cookie notification and a Privacy Policy page.
Tenacity Note: If you are going to collect any data on users, at least have a page explaining what you collect and what you use it for. It can seem arduous, but you can find Privacy Policy generators that make it much easier.
You’ve Gotta Push Update… Eventually
It is crucial to keep your website’s software up-to-date, so it is concerning that of the 14 sites that used WordPress where we could determine the version, only two were using the current release (v6). That said, the majority (79%) of the Agency WordPress Websites have completed a security update in the last four months. We did find that the other 21% of WordPress installs were using a version older than 1.5 years, with the oldest being over seven years old!
| Version | # of Websites |
| --- | --- |
| 4.1.5 | 1 |
| 4.9.20 | 1 |
| 5.5.3 | 1 |
| 5.6 | 1 |
| 5.8.4 | 1 |
| 5.9.3 | 7 |
| 6.0 | 2 |
Tenacity Note: I would guess that some of this results from WordPress’ switch to Gutenberg and, more recently, to Full Site Editing. The CMS is very backward compatible, and because of the large user base, many workarounds exist. So while we do recommend testing before going live, we think it’s critical to stay up-to-date.
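WordPress advertises its version in a `<meta name="generator">` tag unless a site removes it, which is how a tally like the one above is produced. The following is an added example, not code from the original post, that parses that tag from a page, classifies the version against a current release you supply (the `CURRENT_RELEASE` value of `6.0` here is taken from the post and would be updated over time), and builds the per-version tally; the `SAMPLE_PAGES` HTML snippets are constructed, not captured from any agency site.

```python
"""Detect and classify the WordPress version advertised by a page.

Added example, not from the original post. Sample pages are constructed.
"""
import re
from collections import Counter
from html.parser import HTMLParser

CURRENT_RELEASE = "6.0"  # current release named in the post; update as needed
WP_GENERATOR_RE = re.compile(r"WordPress\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


class _MetaCollector(HTMLParser):
    """Collect the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator":
            self.generators.append(attr.get("content", ""))


def wordpress_version(html):
    """Return the advertised WordPress version, or None if the tag is absent
    or stripped (a hardened site may legitimately show nothing here)."""
    parser = _MetaCollector()
    parser.feed(html)
    for content in parser.generators:
        match = WP_GENERATOR_RE.search(content)
        if match:
            return match.group(1)
    return None


def parse_version(version):
    """'5.9.3' -> (5, 9, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def classify(version, current=CURRENT_RELEASE):
    """'current' on the current major.minor branch or newer, 'behind' on an
    older branch of the same major line, 'stale' on an older major line."""
    got, cur = parse_version(version), parse_version(current)
    if got[:2] >= cur[:2]:
        return "current"
    if got[0] == cur[0]:
        return "behind"
    return "stale"


def audit(pages, current=CURRENT_RELEASE):
    """Map site name -> {'version', 'status'} for every page with a detectable version."""
    report = {}
    for name, html in pages.items():
        version = wordpress_version(html)
        if version is None:
            report[name] = {"version": None, "status": "unknown"}
        else:
            report[name] = {"version": version, "status": classify(version, current)}
    return report


def version_tally(report):
    """Count how many sites run each detected version (the table above)."""
    return Counter(r["version"] for r in report.values() if r["version"])


# Constructed sample pages (not real agency sites).
SAMPLE_PAGES = {
    "site-a": '<html><head><meta name="generator" content="WordPress 5.9.3" /></head></html>',
    "site-b": '<html><head><META content="WordPress 6.0" NAME="generator"></head></html>',
    "site-c": '<html><head><meta name="generator" content="WordPress 4.1.5"></head></html>',
    "site-d": '<html><head><title>no generator tag</title></head></html>',
}

if __name__ == "__main__":
    result = audit(SAMPLE_PAGES)
    for site, info in result.items():
        print(site, info)
    print(version_tally(result))
```

The parser is used instead of a regex over the whole page so that attribute order and case (`site-b`) do not matter, and a page without the tag is reported as `unknown` rather than silently skipped; on your own sites, an `unknown` result is worth confirming from the admin dashboard rather than assuming the install is current.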
You Can’t Get In, If You Can’t Find The Door
“Security Through Obscurity” is definitely not the only path that should be taken when securing a website. But one of the relatively easy things you can do to protect your site is to relocate the standard login location. While this is obviously not possible with website builder platforms like Webflow and Squarespace, it is possible with most other CMSs.
We found that 81.3% used the standard login location of the known Content Management Systems.
Additionally, none of the logins at standard login locations used Captchas to reduce automated attacks. Of course, other methods prevent these attacks, but Relocation and Captchas are easily added to most Logins.
Tenacity Note: We obviously didn’t hammer these websites to see whether or not there were any other security methods implemented. Setting these up is standard practice for any of our managed websites, so we hope additional security is in place.
It’s great to see all of these sites securing user data with HTTPS and that so many of the Advertising & Marketing Agencies had provided a dedicated Privacy Policy. But it is concerning that many of them didn’t have additional security steps around their logins and a few had out-of-date installs. We hope we didn’t find more security methods simply because we didn’t do true penetration tests. This is an area where Agencies could do better.
What are your biggest privacy and security concerns while surfing the Internet? Let us know in the comments, and don’t forget to check out the Content Strategy and Marketing of the Largest Advertising & Marketing Agencies in St. Louis.