Is your Squarespace account secure? Maybe not…
A couple of weeks ago, a past client of mine called me in a panic!
We had worked together a few years back to get her website switched over from Wix and she’s been maintaining the site herself with her team, successfully, including their shop! (So proud!)
Recently, she had hired me to redo a page on the website where services had changed and needed to be organized differently, so I was still currently an Admin contributor on her site.
Little did I know that would be both scary and beneficial…
Her panic was real, but she was handling it – frankly, much better than I would’ve had our positions been reversed. 😂
Her account had gotten hacked.
Not her website (yet), but her actual Squarespace account which has her website in it.
The hacker had changed the password and locked her out of the account. He/She had bought 5 completely random domains within her live website (which meant they'd be redirecting to her site also). Of course, they also had some access to private information as well as freewheeling access to the backend of her website itself.
So I went into problem-solving mode (after we both cursed a bit on a call, about how crazy this situation was.)
Because she couldn’t get into her account, she was also having trouble getting to Squarespace support. So I contacted them on her behalf & told them what was going on, got the chat transcript & forwarded it to her with their suggestions.
And here’s what we learned:
everything is hackable,
using better passwords & changing semi-regularly is a must
TFA is important
where to adjust security settings (it’s not where you think)
tips for getting back in, straight from Squarespace Support gurus
And then I’ll tell you how we began to resolve the situation.
Security Setting basics
The first reaction to the news that one of my favorite clients had been hacked was probably the same as yours: I thought Squarespace was secure?!
The truth is, everything is hackable these days. Nothing is foolproof.
I can’t figure out what there was to gain for this hacker, since no money was taken (that we know of), nothing was stolen, the unauthorized domains that were purchased were canceled & refunded. We never found any sketchy shit in her website that the hacker had messed with. Squarespace Support removed the card on file so further charges couldn’t be issued while we got the situation back under control, and the business information in there, besides email addresses for contributors, was mostly public information also displayed on the site.
My husband remains convinced that it was some high school kid just practicing his hacking skills, and he may very well be right. Who knows. We’ll never know!
But here’s what I learned from the situation from Squarespace Support:
How to find & set Security Settings in your Squarespace Account
Okay this one I already knew, but that’s because I’m actively in my Squarespace Dashboard a lot and I have several websites connected with my Squarespace account.
Most people who only have 1 website in their account don’t realize that there is even a dashboard at all. So here’s how to get to it (& your security settings):
STEP ❶
From the main lefthand menu, click the Squarespace logo in the top left
Now you’ll be rerouted to a new page with a white background and your website’s thumbnail (preview image).
STEP ❷
Click Account Settings next to your round account profile image in the upper righthand corner
STEP ❸
Select Account & Security from the lefthand menu of that pop-up
STEP ❹
Use this panel to change these 4 things:
Change your password – make it at least 10 characters long, using uppercase, lowercase, numbers & symbols – and yes, I mean it.
turn on Two-Factor Authentication – basically, this gives you the option of selecting whether to be notified via email or text message when someone logs into your Squarespace account, even if it’s you.
I think you can set the reminders to stay about 30 days apart, but not in this area, that option pops up during the actual login process.
set up Account Recovery options – this is a set of 3 or 4 codes, each roughly 6 digits long, generated for you (you do not create them yourself) that you can copy/paste and keep safe somewhere, even if you just print them out & file them away. If you ever get locked out of your account, you can provide those codes to Squarespace Support to get back in more quickly and easily.
If you get locked out and Squarespace is aware of a hack related to your account, they can’t/won’t Live Chat with you because they can’t verify your ownership of the account &/or website in question, in order to help you get back in. Support communication is limited to email only. Good to know! (And also kind of frustrating at the same time.)
check your Login Activity – this will be a list of IP addresses, browser & device types, and locations of recent logins.
check this regularly!!
If you ever see anything there that you don’t recognize, click the red “Log Out” text listed underneath that entry & you can force that user to be logged out unceremoniously. Then immediately change your password – especially if you’re positive no one you know from Timbuktu has logged into your Squarespace account recently.
Don’t worry, if it ended up being you, you just log yourself back in with the updated password. 😉
⚠️ Notice for users on satellite internet! That satellite in your yard beams up to a satellite in space and back down to earth, literally, to get your data to you, and it can bounce from location to location before it gets to you, making it really hard for you to use any “location-based” service. That also means finding “restaurants near me” in a Google search while you’re on your home wifi doesn’t work, because it shows you results from anywhere but near home – I’m sure you’ve noticed. It also throws off your location in these types of login activity feeds. So if you check yours it may say someone from Denver, CO just logged in, but you live in Tallahassee, FL – it could still be you, but juuuust to be safe – especially if you’re not sure, & always if it shows up from another country – just click Log Out.
Reminder: Nothing is foolproof –you have to be smart about this!
I know it’s hard to remember your passwords. These days we have a bazillion accounts with different logins, and maybe now you have multiple email addresses so you can have junk mail sent to one and not the other(s) – I get it!
Here are some tips to help you keep track of your passwords, and create better ones:
Use a password manager app:
1Password and LastPass are the 2 most popular. I’ve used both and prefer the UI of one over the other.
Both 1P and LP work across multiple devices so you have access to a secured, saved list of passwords & other private information from anywhere that matters.
Keeps passwords organized
Helps you generate new secure passwords when needed
If you create your own passwords, STOP using the following types of info in them:
anything publicly available through background checks, phone-book type listings, or social media profile information, such as:
current or past streets or house address numbers
birth dates of immediate family members or loved ones (spouses, etc.)
names of immediate family members or loved ones (spouses, etc.)
parts of anyone’s social security number
your business name
the word “password” in any form (yes, … I know.)
anything that could be publicly known about you, such as your pet’s name(s) or your nickname if widely known
If you create your own password, START using the following suggestions:
use dashes, underscores, or other special characters
use alphanumeric (use letters and numbers) passwords
use upper and lowercase letters
if you need it to be readable, try to create a memorable phrase but not necessarily one that makes sense in sentence form
example: Wall-tirE-lAke-mOUntains! –vs.– wall-of-China!
The best passwords may be ones that are not readable, hard to remember, and usually generated by a password manager.
example: )WpQizZR[+tz
usually password managers allow you to dictate things like:
how readable it might be,
how many characters you want it to have,
whether it has words, digits or symbols
(see the images below #5 for reference) ⬇️
Change your passwords regularly, especially for accounts with connected payment cards or other sensitive (private) information.
This is another situation where password managers come in handy! Not only do you have them saved, but you also (by default) have a list of accounts to scroll through in order to remember all the accounts that you have.
I can’t promise you that these tips will definitely keep your account from being hacked, but I can say that keeping these kinds of best practices will certainly help make that possibility a lot smaller.
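To make the password tips above concrete, here is a small Python script I’m adding as an example (it is not code from the post, from Squarespace, or from any password manager): it checks a password against the rules listed above and generates the unreadable, manager-style kind using the same dials (length, digits, symbols). The `KNOWN_FACTS` list and the sample passwords are constructed for illustration.

```python
import re
import secrets
import string

# Constructed sample of the "publicly known" facts the post says to keep out of a
# password: a street name, a birth year, a pet's name and a business name.
KNOWN_FACTS = ["Lakeview", "1989", "Fluffy", "Maple Street Studio"]

# Common character substitutions, so "P@ssw0rd" still counts as "password in any form".
LEET = str.maketrans("@4$50!1", "aassoil")


def password_problems(password, known_facts=KNOWN_FACTS, min_length=10):
    """Return the rules from the post that the password breaks (empty list means it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for label, pattern in [("no uppercase letter", r"[A-Z]"), ("no lowercase letter", r"[a-z]"),
                           ("no digit", r"[0-9]"), ("no symbol", r"[^A-Za-z0-9]")]:
        if not re.search(pattern, password):
            problems.append(label)
    lowered = password.lower()
    if "password" in lowered or "password" in lowered.translate(LEET):
        problems.append("contains the word 'password'")
    squashed = re.sub(r"\W", "", lowered)  # compare ignoring dashes, spaces and case
    for fact in known_facts:
        token = re.sub(r"\W", "", fact).lower()
        if len(token) >= 4 and token in squashed:
            problems.append(f"contains publicly known fact '{fact}'")
    return problems


def generate_password(length=12, use_digits=True, use_symbols=True):
    """Random password of the unreadable kind a manager produces, with the post's dials:
    length, and whether digits and symbols are included. Every chosen class is guaranteed present."""
    classes = [string.ascii_uppercase, string.ascii_lowercase]
    if use_digits:
        classes.append(string.digits)
    if use_symbols:
        classes.append(string.punctuation)
    alphabet = "".join(classes)
    while True:  # secrets is a CSPRNG; redraw until each chosen class appears at least once
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


if __name__ == "__main__":
    for pw in ["Wall-tirE-lAke-mOUntains!", "P@ssw0rd2024!", "Fluffy-1989-Sunny"]:
        print(pw, "->", password_problems(pw) or "ok")
    print("generated:", generate_password(16))
```

Run it and the readable phrase from the post passes everything except the digit rule, while the two constructed "bad" examples are caught by the word and known-facts rules.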
How we began to resolve the situation
After talking with Squarespace’s Support, this is what we did to work toward setting things right again.
Squarespace Support suggested she (the website owner) try logging into the site through a Private browser window where NO extensions were enabled. That helped her finally get back in with a password reset. (Previously she’d tried ‘forgot password’ and never gotten the associated email with the link or code to help her establish a new one!)
She was still having trouble editing contributor permissions at this point, so she transferred ownership of the site to me & I immediately removed ALL other contributors to the site (besides myself), her included.
During this process, I found multiple guest authors that were “unnamed”, which were removed as well (they hadn’t been visible prior to switching ownership…)
She changed the account email address AND password inside her own Squarespace account.
I invited her as an Admin Contributor once her new email & password had been set.
Then I transferred ownership back to her, once she accepted the invitation.
She then added necessary staff contributors back in.
I showed her where the Account & Security Settings were, and we:
reset her password AGAIN, just for good measure & choosing one that’s stronger
turned on Two-Factor Authentication
set up Account Recovery options
and checked the login activity, logging everything off except the 2 of us
I reminded her to log out of the site when she was done, each time and change the password regularly.
She continued on with Squarespace Support to work out refunds for the unauthorized domain purchases, and any other issues that would need to be handled privately.
Thankfully, Squarespace’s Support gurus were super helpful, readily available & gave us plenty of tips to get through this unscathed!
Does WordPress give that same kind of standardized, platform-wide support? Uh, no. Any support WordPress has is public forum-based, theme-based, theme-builder-based, or plugin-based – meaning whether you have support or not depends on who/where you got your theme-builder, theme, or plugins from, and as those are a dime a dozen, who knows what kind of support you’re getting from each of them, if any! 😳