Most Weebly users assume the platform is safe and secure. However, Weebly once sent out a security notification asking users to change their account passwords after a possible compromise of its systems; you can find more details in the publicly archived article from Weebly. Though Weebly claimed there was no impact on users, it is a reminder to every Weebly user of how important it is to protect their own data from hackers. Here is an extract from the article:
When and how did you find out about this?
Weebly recently became aware within the last few days that an unauthorized party has obtained email addresses and/or usernames, IP addresses, and encrypted (bcrypt hashed) passwords for a large number of our customers. We immediately launched an investigation, confirmed the authenticity of certain data in the file and began taking steps to further enhance our network security and protect and inform our customers.
If you are worried about protecting your site, this article covers the basic steps needed to secure your Weebly site and protect it from hackers.
Ultimate Security Guide to Protect Weebly Site
Below is the security checklist for your Weebly site. Prevention is better than cure, so there is nothing wrong in following a few simple security steps to protect your account and keep danger away. All the points apply to sites hosted on Weebly.com itself. Later in this article there are a few additional points for those hosting their Weebly site on paid hosting platforms like Bluehost, HostGator or SiteGround.
1. Keep Your Computer Virus Free
Make sure the laptop or phone you use to access your Weebly account is clean. Malware on your computer can steal your saved passwords and login sessions, and an infected file you upload can be served to every visitor of your site. Install anti-virus software and run scheduled scans to keep your documents and files free of malware. Also avoid accessing your account from unsecured public networks, to protect your privacy and data.
2. Use Strong Password
Your password is the first thing hackers try to guess, using automated bots to log in to your account. Hence it is very important to have a strong, unique password for your Weebly account. Do not share it with anyone, including your editors. A password manager or one of the many online password generator tools can create a long random password for you, and password strength checker tools can tell you how weak your current one is.
3. Change Password Frequently
Remember to change your password every few months, and immediately whenever you receive a breach notification like the one above or notice a login you do not recognise. When you are in the Weebly dashboard, click on the site name shown in the top right corner of the screen. Navigate to the “Account Setting” link and click on the “Manage Account” option. Select the “Change Password” option to create a new password for your account.
If you chose “Remember me” during login, the browser keeps you signed in, so anyone who can open that browser profile can reach your dashboard without knowing the password. Avoid this on shared computers, lock your screen when you step away, and after changing the password update the one saved in the browser so that the correct password is suggested.
Note: Most Weebly users now need a Square account to log in to the dashboard. If you log in with a Square account, make sure it too has a strong password and change it as described above.
4. Keep Your Email Safe
Weebly allows anyone to reset the password just by entering your account email address; the reset link goes to that mailbox, so whoever controls your email effectively controls your Weebly account. If someone has access to your emails on your smartphone, he or she can reset the password and take over your account. Protect the mailbox itself with a strong, unique password and, where your provider offers it, two-step verification, and do not share the email account with anyone, especially co-workers when you work in an organization.
5. Social Logins
Weebly allows you to log in to your account through Facebook, Google or Square. Though this makes life easier, it also widens the attack surface: anyone who gets into one of those social accounts can log in to your sites and inject malicious content. Here is a related question from Weebly’s security update:
Are any of my other accounts (outside of Weebly) at risk?
No. However, if you are using the same password on multiple accounts, we would suggest resetting your passwords. Security experts suggest having a unique password for each account you log into online.
So Weebly itself recommends a unique password per account, and resetting the password of every account that shared one.
6. Remove Payment Methods Associated with Your Account
The details of the payment method associated with your Weebly account are stored in Weebly’s database, so any security breach on Weebly’s servers affects customers like you. You can see the card details on your account under “Account > Payment Methods”.
Though Weebly states that it does not store full credit card numbers, what is kept (typically the card type, last digits, expiry date and billing details) is still useful to a fraudster for social engineering against you or your bank. It is recommended to remove the card details in the following scenarios:
- You pay only once a year or once every two years (Weebly offers two-year terms on certain plans).
- Your card expires before the next payment is due.
- You created a site with a premium plan only for testing, training or development.
In any case you will get reminder emails when the renewal date approaches, and you can add a payment method again whenever it is needed to keep the plan running.
Note: Weebly offers a performance plan for developer accounts so that developers can build apps that work on all plans. If you want to check how the performance plan works, create a developer account and test it there instead of creating a test site with a premium plan.
7. Check Account Login History
Most users are not aware that login history is available at the account level. Navigate to your account settings and look under the “Login History” tab. Here you can see the timestamp, country and IP address of each login. When in doubt, check the login history to see whether anyone other than you has logged into your account; a login from a country or IP address you do not recognise is a reason to change your password right away.
8. Check Editors Last Login
Weebly allows “Editors” permission settings so that multiple users can handle a single site with different roles and permissions. Multiple users editing a single site increases the security risk, as each of them can access the site content directly from their own dashboard. Give your editors “Author” access instead of admin access, so that they can only reach the pages they need (least privilege).
Editor permissions are also the only way to invite third-party developers to your Weebly site without sharing your account credentials. This is common when you have purchased apps or themes from third-party developers and want them to troubleshoot an issue on your site. It is highly recommended to remove the developer’s admin access once the troubleshooting is finished. Most of the time we have noticed that users never remove the access, and the developer can log in and inject any type of code into your site.
When you suspect something is wrong with your site, check the last login details of your editors and developers under “Settings > Editors”. This will give you a clue whether someone accessed your site without your knowledge.
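As an added example (not part of the original article or any Weebly feature), here is a small Python script that reviews login records in the shape the “Login History” tab shows (timestamp, country, IP) and flags the things worth a second look: a login from a country you do not work from, an IP address outside your known networks, and two logins from different countries too close together to be the same person. The sample records, the expected country, the known network range and the travel threshold are all constructed assumptions; replace them with your own before use.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records in the shape of Weebly's "Login History" tab
# (timestamp, country, IP). These entries are made up for this example.
LOGIN_HISTORY = [
    ("2023-03-01 09:12:00", "Germany", "203.0.113.10"),
    ("2023-03-01 18:40:00", "Germany", "203.0.113.10"),
    ("2023-03-02 03:05:00", "Unknown", "198.51.100.77"),
    ("2023-03-02 03:20:00", "Germany", "203.0.113.10"),
    ("2023-03-03 11:00:00", "India",   "192.0.2.200"),
]

# Assumptions for this example: the owner works from Germany, from one
# office range, and cannot change country in under two hours.
EXPECTED_COUNTRIES = {"Germany"}
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]
MAX_TRAVEL_GAP = timedelta(hours=2)


def parse_record(record):
    """Turn one (timestamp, country, ip) row into typed values."""
    ts, country, ip = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), country, ip_address(ip)


def review_logins(history, expected_countries=EXPECTED_COUNTRIES,
                  known_networks=KNOWN_NETWORKS, max_travel_gap=MAX_TRAVEL_GAP):
    """Return a list of {"record": row, "reason": text} for suspicious logins."""
    findings = []
    previous = None
    # Sort chronologically so the travel check compares consecutive logins.
    for record in sorted(history, key=lambda r: r[0]):
        ts, country, ip = parse_record(record)
        if country not in expected_countries:
            findings.append({"record": record, "reason": f"country {country} not expected"})
        if not any(ip in net for net in known_networks):
            findings.append({"record": record, "reason": f"IP {ip} outside known networks"})
        if previous is not None:
            prev_ts, prev_country = previous
            # Two countries within the travel window cannot both be the owner.
            if prev_country != country and ts - prev_ts < max_travel_gap:
                findings.append({"record": record,
                                 "reason": f"impossible travel: {prev_country} -> {country} within {ts - prev_ts}"})
        previous = (ts, country)
    return findings


if __name__ == "__main__":
    for f in review_logins(LOGIN_HISTORY):
        print(f"{f['record'][0]}  {f['record'][1]:8}  {f['record'][2]:15}  {f['reason']}")
```

On the sample data the two office logins pass, while the unknown-country login, the Germany login fifteen minutes after it, and the login from India are reported. Any flagged line is a reason to change the password and review the editor list rather than a proof of compromise.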
9. Enable Login / Registration Only if Required
Login and registration functions are useful for creating a complete membership site, but we have noticed many users enable these features without any further use. If your intention is only to collect emails for a newsletter, use the “Newsletter” element instead. Anyone, including an attacker, can register a dummy account, log in and probe what your members-only area exposes. So enable these features only if you are able to manage member accounts over the long term.
10. Don’t Install Unnecessary Apps Based on Reviews
Third-party apps from the App Center run inside your site, which makes the App Center an easy way in for attackers if an app is poorly written or malicious. You can count the quality apps available in the App Center on your fingers. We highly recommend not installing or testing unnecessary apps, and keeping the points below in mind:
- Most of the reviews appear to be fake. We have seen an app with over 150 reviews of which only 3 are one star and all the rest are 4 or 5 stars. This is almost impossible even for high-quality apps, as users tend to leave reviews mostly for issues and problems.
- Some of Weebly’s own apps do not work as intended, which suggests poor code quality and integration, and poorly written code is an easy entry point for attackers.
- Some apps collect personal data directly from your Weebly account and create an account on the developer’s external site. Avoid such apps: they hold details from your Weebly account and there is no guarantee they will not pass them on to other third parties.
We highly recommend discussing with the developer before buying an app, and avoiding free apps of unknown origin to safeguard your content.
11. Use Embed Code from Reliable Sources
We have seen users using the embed code element throughout their sites without testing it appropriately. When we were running this website (webnots.com) on Weebly, we came across a strange problem. We were using two lines of widget code to display social sharing icons in an embed code element. The page loaded perfectly with social icons on desktop. But on mobiles, it was automatically redirected to a pornography site. It took quite some time to find the issue as we had not tested it on mobile devices.
Over time you will forget which code was added to which pages of your site. So use the embed code element only when you need it and know what you are doing, keep a list of every snippet and where it lives, and test each page on both desktop and mobile after adding one. Keep an eye on ready-made widgets (weather, clock, calendar, social icons, etc.) regularly; a widget served from a third-party host can change its behaviour at any time without you touching your site, so review them to protect your site from malware.
12. Modify HTML / CSS Only if Required
Similar to embed code, modifying the source HTML and CSS can also lead to security problems for your site. If you don’t have sufficient knowledge, avoid modifying template files with code copied from unreliable sources. Unfortunately there are many tutorial sites on the web offering modification code and scripts for Weebly themes. Check the reliability of such sources before using their code and scripts on your site, and read through any script for external script sources or redirects before pasting it in.
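As an added example, not code from the original article, the following Python script does a first-pass review of a snippet before it goes into an embed code element (section 11) or the HTML/CSS editor (section 12): it lists every external host the snippet references so you can keep an inventory per page, and flags the pattern behind the mobile-only redirect described above (a user-agent check combined with a location change), plus common obfuscation. The widget snippets, the trusted host list and the detection patterns are constructed for this example; a clean result means only that these heuristics found nothing, so still test the page from a real phone.

```python
import re
from urllib.parse import urlparse

# Heuristics used by this example (not a Weebly feature): user-agent sniffing,
# anything that changes the page location, and common decoding/obfuscation.
UA_SNIFF = re.compile(r"navigator\.userAgent|\b(?:Android|iPhone|iPad|Mobi)\b", re.I)
REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace\(|\.assign\(|\s*=)"
    r"|window\.open\(|http-equiv\s*=\s*[\"']refresh", re.I)
OBFUSCATION = re.compile(r"\beval\(|unescape\(|atob\(|String\.fromCharCode|\\x[0-9a-f]{2}", re.I)
URL_ATTR = re.compile(r"\b(?:src|href)\s*=\s*[\"']([^\"']+)", re.I)


def external_hosts(snippet):
    """Every host referenced by a src= or href= in the snippet, sorted."""
    hosts = set()
    for url in URL_ATTR.findall(snippet):
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        host = urlparse(url).hostname
        if host:                           # relative paths have no host
            hosts.add(host.lower())
    return sorted(hosts)


def audit_embed(snippet, trusted_hosts):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    untrusted = [h for h in external_hosts(snippet)
                 if not any(h == t or h.endswith("." + t) for t in trusted_hosts)]
    if untrusted:
        findings.append("references untrusted hosts: " + ", ".join(untrusted))
    if REDIRECT.search(snippet):
        # A redirect that only fires for some user agents is the cloaking pattern.
        if UA_SNIFF.search(snippet):
            findings.append("cloaked redirect: changes location depending on user agent")
        else:
            findings.append("changes the page location (redirect)")
    if OBFUSCATION.search(snippet):
        findings.append("uses obfuscation/decoding (eval, unescape, atob, fromCharCode or hex escapes)")
    return findings


# Constructed snippets for this example; the social widget host is fictional.
TRUSTED_HOSTS = {"example-social.com"}
BENIGN_WIDGET = """<div class="share-buttons" data-site="webnots"></div>
<script async src="https://widgets.example-social.com/share.js"></script>"""
CLOAKED_REDIRECT = """<script src="https://widgets.example-social.com/share.js"></script>
<script>if(/Android|iPhone|iPad|Mobi/i.test(navigator.userAgent)){window.location.href="http://bad.example.net/go";}</script>"""
OBFUSCATED = """<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"))</script>"""

if __name__ == "__main__":
    for name, snippet in [("benign", BENIGN_WIDGET), ("cloaked", CLOAKED_REDIRECT), ("obfuscated", OBFUSCATED)]:
        print(name, external_hosts(snippet), audit_embed(snippet, TRUSTED_HOSTS) or ["ok"])
```

Because the redirect target is picked up as a referenced host, the cloaked sample is reported twice: once for the untrusted host and once for the user-agent-dependent redirect. Widgets loaded with a plain script tag can still be changed on the third party's server later, so keep the host inventory and re-run the check when you revisit a page.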
13. Don’t Upload Executable Files
14. Buy Custom Theme from Reliable Vendor
Weebly offers a limited variety of themes, which can’t satisfy all user groups. As a result, many developers have popped up recently selling custom themes from their own sites. If you like a third-party theme, first discuss it with the developer and ask for a demo. Make sure the developer is reliable, since you may need to give them access to your site when something needs fixing.
Especially if you are running an online store, we highly recommend choosing one of the default Weebly themes instead of buying a third-party theme. This keeps your customer data under a single administrator and makes it easier to get help from Weebly support.
Note: Weebly does not support issues arising from embed code, site modifications, third-party themes and apps. So it is up to you to understand the security impact if you use any of these on your site.
15. Don’t Reveal Sensitive Information
Most Weebly users leave security entirely to Weebly, since all the content is hosted on Weebly’s servers. But security is not only about how information is stored on Weebly’s servers; it is also about not publishing confidential information in the first place. If there is a security issue, you are going to be affected more than Weebly. Below are some content guidelines:
- Remember that all content on your site will be indexed by search engines and shown to the public. Even if you have hidden a page or the whole site from search engines, search engine bots can still reach your content through links on external sites. Also, anyone can open your robots.txt file, read the disallowed URLs and open them directly in the browser, so robots.txt is a list of what you would rather hide, not a protection.
- Use password-protected pages only for non-sensitive information. For example, never put a credit card number on a page and rely on the page password to protect it.
- Anyone who gets access to your Weebly account can read the password-protected pages, even though those pages are not visible in search engines.
- Don’t publish plain email addresses in your content; use a contact form for communication instead. Enable the file upload function on forms only if your business requires it.
- Avoid discussing with customers in the comments section; ask them to send queries through contact forms. Always review comments and approve them manually instead of enabling auto approval. This helps keep spammers from targeting your site with junk comments.
16. Keep a Backup – Site and Contact Form details
Download the site archive and contact form entries regularly to keep a backup for emergencies. Though Weebly does not allow you to restore this backup, you can at least migrate to another platform or copy and paste the content if your site is small. You can download the entire site content, except individual blog posts and product pages, as a zip archive under “Settings > General > Archive”.
Contact form entries can be exported from your dashboard. If you have a big blog on Weebly, organize yourself to keep the articles offline in Word or PDF format instead of writing only in the editor.
17. Use SSL for Store Transactions
Use the HTTPS protocol if you are running an online Weebly store. HTTPS encrypts traffic between the visitor’s browser and the site, so order and customer details are not sent in plain text over HTTP, where anyone on the network path can read or alter them. Besides outside attackers, it is also important to control which colleagues or co-workers have access to your Weebly account. Here is what Weebly said about store data in its security update:
Were any of my ecommerce customers’ information involved?
No, not to our knowledge. The file that was provided to us does not include information from our customers’ customers or any financial information that could be used for fraudulent charges. Weebly does not store full credit card numbers.
18. Use Google Safe Browsing Checker Tool
Scan your site regularly for malware and other injections. There are plenty of third-party tools for website scanning. If you are running a mission-critical website, outsource the scanning to a security company and get a report periodically. If you have an ordinary website with a proper offline backup, use Google’s Safe Browsing site status tool to check the status of your site.
Often the first indication of a malware infection is a loss of traffic, as search engines demote the ranking of infected sites. When you notice a sudden traffic drop in Weebly Stats, check your Google Search Console account for warning messages, then use the Safe Browsing tool to confirm that your site is not flagged as infected.
If you strongly believe your data is compromised, report it to Weebly and discuss with them how to proceed. The security issues report in Google Search Console also shows you problems Google has detected on your site.
For Weebly Sites Using Paid Hosting Platforms
Paid hosting has its own pros and cons. Here are some more security tips if you are hosting Weebly site on paid platforms like HostGator or SiteGround.
19. Misunderstanding of Content Backup
Many users think that they get additional features when using paid hosting platforms to create a Weebly site. This is a complete misunderstanding: you actually face more risk with fewer features compared to a standard Weebly.com account.
- Backup: when you use platforms like WordPress on paid hosting, the backup is complete and can be restored with a single click. That is not the case for Weebly on paid hosting companies. They use Weebly Cloud simply for logging in, and just as with a standard Weebly.com account it is not possible to back up your Weebly blog posts and product pages.
- Login: you need to use your hosting account to log in to Weebly Cloud, which is a risk if your hosting account password is compromised. Similarly, anyone with the FTP password for the root directory can delete your Weebly site.
- You have no access to the Weebly server, which essentially means you can’t use robots.txt or .htaccess to control or configure it, for example to block IP addresses.
Security is a habit, not a one-time activity that you do and forget. As a platform, Weebly has the larger liability and responsibility to take care of its customers’ data. But in an unfortunate event, it is you who will be affected rather than Weebly. Hence, we strongly recommend following the simple guidelines in this article to protect your data and your customers’ data.