Weebly recently sent a security notification to most of its users asking them to change their account password. This was due to a possible breach of their systems, and you can find more details in the article Weebly released publicly. Though Weebly claimed there was no impact on users, it is a reminder to Weebly users of how important it is to protect your data from hackers. Here is an extract from the article on what Weebly is saying:
When and how did you find out about this?
Weebly recently became aware within the last few days that an unauthorized party has obtained email addresses and/or usernames, IP addresses, and encrypted (bcrypt hashed) passwords for a large number of our customers. We immediately launched an investigation, confirmed the authenticity of certain data in the file and began taking steps to further enhance our network security and protect and inform our customers.
In this article we explain basic steps to secure your Weebly site and protect it from hackers.
All the points below are for those hosting for free on Weebly.com. Later in this article there are a few additional points for those hosting their Weebly site on paid hosting platforms like Bluehost, HostGator or SiteGround.
1. Keep Your Computer and Mobile Clean
Ensure you have a clean laptop and mobile before accessing your Weebly account. A virus infection on your computer can spread to your website through the files you upload and may be distributed to the many users accessing your site. Install antivirus software and run scheduled scans to keep your documents and files free of viruses. Also avoid accessing your account from unsecured public networks, to protect your privacy and data.
2. Use Strong Password
The password is the first thing hackers try to guess, using automated bots to log in to your account. Hence it is very important to have a strong password for your Weebly account. Do not share it with anyone, including your editors. There are many online password generator tools that can create a strong password for you. You can also check the strength of your password using password strength checker tools.
3. Change Password Frequently
Remember to change your password regularly, every few months. Navigate to your account settings and change the password using the “Edit Profile” link.
If you saved the password in the browser by choosing “Remember me” during login, then ensure no other person can access your site content by being logged in automatically. Also don’t forget to update the new password in the browser so that the correct password is suggested automatically.
4. Keep Your Email Safe
Weebly allows anyone to reset the password just by entering your account email address. If a person has access to your emails on your smartphone then he / she can reset the password and access your account. Ensure your email is not shared with anyone, especially with your co-workers when you work in an organization.
5. Social Logins
Weebly allows you to log in to your account through Facebook and Google+. Though this makes life easier, it also opens up a security issue: anyone who can access your social accounts can log in to your sites and inject malicious content. Here is a related question from Weebly’s security update:
Are any of my other accounts (outside of Weebly) at risk?
No. However, if you are using the same password on multiple accounts, we would suggest resetting your passwords. Security experts suggest having a unique password for each account you log into online.
So, Weebly themselves are recommending changing the passwords for all your associated accounts.
6. Remove Payment Methods Associated with Your Account
The details of the payment method associated with your Weebly account are stored in Weebly’s database, so any security breach on Weebly’s servers will impact customers like you. For example, you can see the credit card details on your account under “Account > Payment Methods” as shown below:
Though Weebly claims they do not store full credit card numbers, we believe the payment information stored at the back end is sufficient to hack your financial accounts. It is recommended to remove the card details in the following scenarios:
- If payments are made once a year or once in two years, as Weebly offers two years of service on certain plans.
- If your card is expiring before next payment.
- If you created a site with a premium plan for the purpose of testing, training or development.
In any case you will get reminder emails when the renewal due date is approaching. You can add the payment method whenever required to keep the plan running.
7. Check Account Login History
Most users are not aware of the functionality to check login history at account level. Navigate to your account settings and look under the “Login History” tab. Here you can see the timestamp, country and IP address of each login. When you are in doubt, check the login history to see whether anyone other than you has logged into your account.
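As an added example (not from the original article and not a Weebly feature), here is a small Python script that reviews entries copied from the Login History tab. It assumes you have copied the timestamp, country and IP of each login into the list shown, which is constructed sample data, and it flags logins from an unknown IP, from an unexpected country, or where the country changes within a short window (here two hours), something a single person is unlikely to do legitimately. The known IPs and expected countries are yours to fill in.

```python
from datetime import datetime, timedelta

# Constructed sample of what the "Login History" tab shows: timestamp, country, IP.
# All values are made up for this example.
SAMPLE_LOGINS = [
    ("2016-10-20 08:15:00", "United States", "192.0.2.10"),
    ("2016-10-21 09:02:00", "United States", "192.0.2.10"),
    ("2016-10-21 09:40:00", "Romania", "203.0.113.45"),
    ("2016-10-22 18:30:00", "United States", "192.0.2.11"),
]


def parse_logins(rows):
    """Turn (timestamp string, country, ip) rows into (datetime, country, ip)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), country, ip)
            for ts, country, ip in rows]


def review_login_history(rows, known_ips, expected_countries, max_hours=2):
    """Return (timestamp, country, ip, reasons) for every login worth a closer look.

    known_ips: IPs you normally log in from (home, office).
    expected_countries: countries you normally log in from.
    max_hours: a country change within this window is flagged as suspicious.
    """
    logins = sorted(parse_logins(rows))  # oldest first
    findings = []
    for i, (ts, country, ip) in enumerate(logins):
        reasons = []
        if ip not in known_ips:
            reasons.append("unknown IP")
        if country not in expected_countries:
            reasons.append("unexpected country")
        if i > 0:
            prev_ts, prev_country, _ = logins[i - 1]
            if prev_country != country and ts - prev_ts <= timedelta(hours=max_hours):
                reasons.append("country changed within %d hours" % max_hours)
        if reasons:
            findings.append((ts.strftime("%Y-%m-%d %H:%M:%S"), country, ip, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # Hypothetical values for the account owner: two home/office IPs, one country.
    for entry in review_login_history(SAMPLE_LOGINS, {"192.0.2.10", "192.0.2.11"}, {"United States"}):
        print("%s  %-14s %-15s %s" % entry)
```

Run it after pasting your own login rows into `SAMPLE_LOGINS`; any flagged line is a prompt to change your password and review your editors, not proof of a break-in, since a VPN or a trip abroad produces the same pattern.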
8. Check Editors Last Login
Weebly’s “Editors” permission settings help multiple users handle a single site with different roles and permissions. Multiple users editing a single site increases the security risk, as everyone can access the site content directly from their dashboard. Ensure you give your editors “Author” access instead of admin access, so that they can only access the pages they need.
Editor permissions are also the only way to invite third party developers to access your Weebly site without sharing your account details. This is a common case, especially when you have purchased apps or themes from third party developers and want them to troubleshoot an issue on your site. It is highly recommended to remove the admin access of third party developers once the troubleshooting is finished. Most of the time we have noticed users never remove the access, and the developer can log in and inject any type of code on your site.
When you suspect something is wrong on your site, check the last login details of your editors and developers under the “Settings > Editors” section. This will give you a clue whether someone accessed your site without your knowledge.
9. Enable Login / Registration Only if Required
Login and registration functions are useful for creating a complete membership site. We noticed many users enable these features without any further use. If your intention is only to collect emails for a newsletter then you can use the “Newsletter” element. Hackers can create a dummy account to log in and check out the possibilities of tracking your content. So enable these features only if you are capable of handling them in the long term.
10. Don’t Install Unnecessary Apps Based on Reviews
Weebly opened up a big back door for hackers through its App Center. The quality apps available in the App Center are few enough to count. We highly recommend not installing or testing any unnecessary apps, and understanding the points below:
- Most of the reviews are fake. We can see an app with over 150 reviews of which only 3 are single star reviews and all the rest are 4 / 5 stars. This is almost impossible even with high quality apps, as users tend to leave a review mostly for issues and problems.
- Weebly’s own apps do not work as intended; this indicates poor quality of code and integration, which is an easy entry point for hackers.
- Some of the apps collect personal data directly from your Weebly account and create an account on the external developer’s site. Avoid using such apps, as they have your Weebly credentials and there is no guarantee they will not pass your details to other third parties.
We highly recommend discussing with the developer before buying an app, and avoiding free apps, to safeguard your content.
11. Use Embed Code from Reliable Sources
We have seen users using embed code elements throughout the site without testing appropriately. When we were running this site on Weebly, we came across a strange problem. We were using two lines of widget code to display social sharing icons using the embed code element. The page was loading perfectly with social icons on desktop. But on mobiles it was automatically redirected to a pornography site. It took quite some time to find out the issue as we did not test it on mobile devices.
Over time you will forget which code is added on which pages of your site. So use the embed code element only if you need it and know what you are doing. Ensure you keep an eye on ready-made widgets (like weather, clock, calendar, social icons, etc.) regularly to protect your site from malware.
12. Modify HTML / CSS Only if Required
Similar to embed code, modifying the source HTML and CSS can also lead to security problems for your site. If you don’t have sufficient knowledge, avoid modifying template files with code copied from unreliable sources. Unfortunately there are many tutorial sites on the web offering modification code and scripts for Weebly themes. Check the reliability of such sources before using their code and scripts on your site.
13. Don’t Upload Executable Files
14. Buy Custom Theme from Reliable Vendor
Weebly offers a limited variety of themes, which can’t satisfy all user groups. As a result many developers have popped up recently selling custom themes from their own sites. If you like any of the third party themes then first discuss with the developer and ask for a demo. Ensure the developer is reliable enough that you can give them access to your site when needed.
Especially if you are running an online store, we highly recommend choosing one of the default Weebly themes instead of buying a third party theme. This helps to maintain and protect your customer data under a single administrator, and makes it easy to get help from Weebly support.
15. Don’t Reveal Sensitive Information
Most Weebly users leave security to Weebly, as all the content is hosted for free on Weebly’s servers. But security is not only about how information is stored on Weebly’s servers, it is also about not revealing confidential information. If there is a security issue, you are going to be affected more than Weebly. Below are some content guidelines:
- Remember all content on your site will be indexed by search engines and shown to the public. Even if you have hidden the page or site from search engines, there are many ways search engine bots can reach your content through external sites. Also anyone can open the robots.txt file, read the restricted URLs and open them directly in the browser.
- Use password protected pages only for non-sensitive information. For example, never store a credit card number on a page and rely on the page password to protect it.
- Hackers who get access to your Weebly account can easily access the password protected pages, even if the page details are not publicly visible on search engines.
- Don’t put plain email ids in the content; always use a contact form for communication. Also use the file upload function on forms only if it is required for your business.
- Avoid discussing with customers in the comments section; request them to send queries over contact forms. Always review comments and approve them manually instead of enabling auto approval. This will help to avoid spammers targeting your site with junk comments.
16. Keep a Backup – Site and Contact Form details
Download the site archive and contact form details regularly to keep a backup for emergencies. Though Weebly does not allow restoring the backup, you can at least migrate to other platforms, or copy / paste the content if your site is small.
The site content, except individual blog posts, can be downloaded as a zip archive under “Settings > General > Archive”.
The contact form details can be exported from your dashboard. If you have a big blog on Weebly then organize yourself to keep articles offline in Word or PDF format instead of writing directly in the editor.
17. Use SSL for Store Transactions
Use the HTTPS protocol if you are running an online Weebly store. This sends all information over a secured protocol instead of plain HTTP and protects your customers’ data. Besides hackers, it is also important to handle your colleagues or co-workers having access to your Weebly account. Here is what Weebly said about store customers in its security update:
Were any of my ecommerce customers’ information involved?
No, not to our knowledge. The file that was provided to us does not include information from our customers’ customers or any financial information that could be used for fraudulent charges. Weebly does not store full credit card numbers.
18. Use Google Safe Browsing Checker Tool
Scan your site regularly for malware and other injections. There are plenty of third party tools for website scanning. If you are running a mission critical website then outsource the scanning task to a security company and get the report periodically. If you have a normal website with a proper offline backup then use Google’s malware detection tool to check the status of your site.
Also, the first indication of a malware infection is a loss in traffic, as search engines will demote the ranking of an infected site. When you notice a sudden traffic drop in Weebly Stats, check your Google Search Console account for any warning messages. Then use Google’s malware detection tool to confirm that your site is not infected.
If you strongly believe your data is compromised then report it to Weebly and discuss with them how to proceed. You can also check your Google Search Console account, which will show you possible security issues on your site.
For Weebly Sites Using Paid Hosting
19. Backup All Content
The backup on paid hosting is complete and can be restored with a single click on most platforms. Though we did not test whether individual blog posts can be backed up, whatever content you have can be restored using FTP. Companies like SiteGround offer single click restore to a specific date, so your entire site can be restored in a few minutes from the backup.
20. Use Robots.txt and .htaccess to Restrict Access
On a paid platform, you will have access to the root directory of your Weebly site. This gives you access to the .htaccess and robots.txt files, which you can use to restrict access. For example, you can monitor the bots accessing your site and block specific bad bots using .htaccess directives. Note that robots.txt only asks well-behaved crawlers to stay away from certain URLs; rules in .htaccess are enforced by the web server for every request.
21. IP Blocking
IP blocking is very useful for membership sites with a login / registration URL on their own domain. You can easily track down the IP addresses accessing your site and block them from your hosting account control panel (cPanel).
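The following is an added Python example, not part of the original article and not a cPanel or Weebly feature, covering both the bad-bot blocking in point 20 and the IP blocking in point 21. It parses a few constructed Apache-style access log lines (the kind most cPanel hosts let you download as raw access logs), counts failed logins per IP and matches User-Agent strings against a constructed list of bad bots, then writes the corresponding .htaccess directives (Apache 2.4 syntax) for you to review and paste into the site root. Where the article suggests blocking IPs from the cPanel control panel, this example uses `Require not ip` in .htaccess instead; the login path, the failed-login threshold and the bot names are all assumptions.

```python
import re
from collections import Counter

# Constructed sample access log lines in Apache "combined" format; every IP,
# path and User-Agent here is made up for the example.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Oct/2016:08:15:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/49.0"
203.0.113.45 - - [20/Oct/2016:08:15:02 +0000] "POST /login HTTP/1.1" 401 310 "-" "python-requests/2.11"
203.0.113.45 - - [20/Oct/2016:08:15:03 +0000] "POST /login HTTP/1.1" 401 310 "-" "python-requests/2.11"
203.0.113.45 - - [20/Oct/2016:08:15:04 +0000] "POST /login HTTP/1.1" 401 310 "-" "python-requests/2.11"
198.51.100.7 - - [20/Oct/2016:08:16:00 +0000] "GET /about.html HTTP/1.1" 200 4096 "-" "ExampleScraperBot/1.0"
192.0.2.10 - - [20/Oct/2016:08:17:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/49.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Hypothetical User-Agent substrings you have decided to treat as bad bots.
BAD_UA_PATTERNS = ["ExampleScraperBot", "python-requests"]


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_offenders(entries, login_path="/login", max_failed=3):
    """Return (IPs with >= max_failed failed logins, User-Agents matching a bad-bot pattern)."""
    failed = Counter(e["ip"] for e in entries
                     if e["path"] == login_path and e["status"] == "401")
    brute_ips = sorted(ip for ip, n in failed.items() if n >= max_failed)
    bad_bots = sorted({e["ua"] for e in entries
                       if any(p in e["ua"] for p in BAD_UA_PATTERNS)})
    return brute_ips, bad_bots


def render_htaccess(brute_ips, bad_bots):
    """Render Apache 2.4 .htaccess directives blocking the given bots and IPs."""
    lines = ["# generated from access logs: review before deploying to the site root"]
    if bad_bots:
        # Match on the product name before the version, escaped for use in a regex.
        alternation = "|".join(re.escape(ua.split("/")[0]) for ua in bad_bots)
        lines += ["<IfModule mod_rewrite.c>", "RewriteEngine On",
                  "RewriteCond %{HTTP_USER_AGENT} (" + alternation + ") [NC]",
                  "RewriteRule .* - [F,L]", "</IfModule>"]
    if brute_ips:
        lines.append("<RequireAll>")
        lines.append("    Require all granted")
        lines += ["    Require not ip %s" % ip for ip in brute_ips]
        lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ips, bots = find_offenders(parse_log(SAMPLE_LOG))
    print(render_htaccess(ips, bots))
```

The generated block returns HTTP 403 to the listed User-Agents and addresses. Treat the output as a review list rather than something to deploy blindly: a shared office or mobile-carrier address can appear in the failed-login count, and a legitimate user behind it would be locked out along with the bot.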