Re: Anyone using a WordPress integration?

Valerie_Armstro
Level 10 - Champion Alumni

Anyone using a WordPress integration?

Hi Community - curious to know if anyone is currently utilizing a WordPress integration. There are a few listed over on LaunchPoint but I'm curious to hear what other WordPress users are using, what the drawbacks are, and if it is necessary to have an integration/connector or if the integration is possible in-house.

Thanks in advance for any feedback!

Anonymous
Not applicable

Re: Anyone using a WordPress integration?

You can definitely do this with out of the box technology. Simply add the JavaScript tracking code to your WordPress header file and then use embedded Marketo forms and you are good to go. If you have Marketo social, all of those widgets are embed-able as well.

Grégoire_Miche2
Level 10

Re: Anyone using a WordPress integration?

Hi Valerie,

We use WordPress for our blog and it does integrate totally seamlessly and easily with Marketo. Just pay attention to some so-called WordPress Modules intended to "ease" the integration and that in fact use the server API on the client side. They are very dangerous as they expose Marketo connection info and would enable anyone to run a DoS attack on your Marketo instance.

As stated by Jamie, start with integrating the munchkin code on your pages. This is done by adding the code to the page templates.

Then you can easily integrate Marketo forms. Various possibilities here: embed code, iframe or redirect to Marketo Landing pages.

What would be harder to do is to integrate WordPress user management with Marketo forms. This would require some in house work as, AFAIK, there is no WordPress module that can do this. The best and simplest way to do it is to use Marketo Webform 2.0 API and run Marketo forms in the background each time someone opens an account or logs in.

-Greg

Casey_Grimes
Level 10

Re: Anyone using a WordPress integration?

Grégoire Michel wrote:

Just pay attention to some so-called WordPress Modules intended to "ease" the integration and that in fact use the server API on the client side. They are very dangerous as they expose Marketo connection info and would enable anyone to run a DoS attack on your Marketo instance.

Awww, Greg, that's what your WAF is for!

In all seriousness though, while I have seen this happen for other MAPs (InfusionSoft in particular) I've yet to see or hear any DoS attacks on a Marketo instance and would be interested in this beyond a "what if" scenario.

Grégoire_Miche2
Level 10

Re: Anyone using a WordPress integration?

Hi Courtney,

Neither do I, but some of my customers (WW scale financial institutions with all the regulatory arsenal and the IT Security Office) are adamant about the idea of some even suggesting exposing Marketo Client ID or Client secret in a client-side code...

Furthermore, in these matters, better safe than sorry, IMHO

-Greg

SanfordWhiteman
Level 10 - Community Moderator

Re: Anyone using a WordPress integration?

Neither do I, but some of my customers (WW scale financial institutions with all the regulatory arsenal and the IT Security Office) are adamant about the idea of some even suggesting exposing Marketo Client ID or Client secret in a client-side code...

Yes, when an integration uses the world-writing SOAP API instead of the permission-managed REST API it's even more worrisome.

SanfordWhiteman
Level 10 - Community Moderator

Re: Anyone using a WordPress integration?

... and if they're only worried about the SOAP API credentials they seem to be missing some other trees in the forest, no?

SanfordWhiteman
Level 10 - Community Moderator

Re: Anyone using a WordPress integration?

In all seriousness though, while I have seen this happen for other MAPs (InfusionSoft in particular) I've yet to see or hear any DoS attacks on a Marketo instance and would be interested in this beyond a "what if" scenario.

We could never recommend an architecture that can handle 10,000 legitimate uses per day (assuming zero other integrations are in use) even before you take malice into account. And since any DoS cascades to an attack on your website's core functionality, I have always found this a seriously horrifying proposition. (Heck, I feel that way about SFDC API forms integrations that max out at 100K+ legit uses when sites get millions of hits per day.)

To me, it's a perpetual 0day vulnerability; it isn't only whether an attack has been seen against a particular customer, but about the risk (and, in regulated industries, risk paperwork) involved. With so many major companies using Marketo, I'd have hoped this stuff would be off the table.

And besides, there are other ways to get prefill on 3rd-party forms....

Casey_Grimes
Level 10

Re: Anyone using a WordPress integration?

Honestly, I feel once you get into regulated industries you're almost better off just utilizing local storage for prefill, sending data to a PCI-compliant storage and setting up your own connection to any SaaS product, but that's just me and definitely off-topic here.

The conversation did prompt me to take a look specifically at Hutchhouse though (since it does use SOAP) and while not horrifying in terms of exposed data could probably go for a RESTful rewrite.

SanfordWhiteman
Level 10 - Community Moderator

Re: Anyone using a WordPress integration?

Honestly, I feel once you get into regulated industries you're almost better off just utilizing local storage for prefill, sending data to a PCI-compliant storage and setting up your own connection to any SaaS product, but that's just me and definitely off-topic here.

And that's if your legal team approves of prefill at all! 

But there are a lot of places (like SaaS and/or security tech vendors) who are mostly self-regulating but who don't pay attention to stuff like this even though it contradicts their mission statement, if nothing else. Drives me crazy.

The conversation did prompt me to take a look specifically at Hutchhouse though (since it does use SOAP) and while not horrifying in terms of exposed data could probably go for a RESTful rewrite.

If I were in a constructive mood, I'd say

  • switch to REST with a Read Lead permission
  • set a maximum # of calls per day (as much to allow cooperation between legit users of different integrations as to prevent abuse)
  • better exception handling, specifically for rate limit exceeded
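
The three suggestions in the last post, sketched as a server-side gateway. This is an added example, not part of the thread and not code from any plugin named in it. `LeadLookupGateway`, `fetch_lead`, `visitor_key` and both exception classes are hypothetical names; `fetch_lead` is assumed to be a server-side function that holds a REST credential limited to reading leads, so nothing secret reaches the browser.

```python
import time
from datetime import date


class RateLimitExceeded(Exception):
    """Raised by the (hypothetical) upstream client when the API refuses a call."""


class BudgetExhausted(Exception):
    """Raised locally when this integration has spent its own daily allowance."""


class LeadLookupGateway:
    """Caps one integration's share of the instance-wide daily API quota."""

    def __init__(self, fetch_lead, daily_budget, max_retries=2,
                 sleep=time.sleep, today=date.today):
        self._fetch = fetch_lead        # holds the read-only credential, server-side
        self._budget = daily_budget     # kept well below the instance quota
        self._max_retries = max_retries
        self._sleep, self._today = sleep, today
        self._day, self.calls_used = today(), 0

    def _spend(self):
        # In-process counter; several workers would need a shared store instead.
        if self._today() != self._day:          # new day: reset the allowance
            self._day, self.calls_used = self._today(), 0
        if self.calls_used >= self._budget:
            raise BudgetExhausted(f"{self.calls_used}/{self._budget} used today")
        self.calls_used += 1

    def prefill(self, visitor_key):
        """Return lead fields for form prefill, or {} when the lookup is skipped."""
        for attempt in range(self._max_retries + 1):
            try:
                self._spend()           # retries cost budget too
                return self._fetch(visitor_key)
            except BudgetExhausted:
                return {}               # render the form empty, never break the page
            except RateLimitExceeded:
                if attempt < self._max_retries:
                    self._sleep(2 ** attempt)   # bounded exponential backoff
        return {}                       # still limited: degrade to no prefill
```

Because every failure path returns an empty dict, a flood of requests exhausts only this integration's allowance and costs visitors prefill, not the form itself.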