At Squarespace, we take account security very seriously. To take more steps to protect your account and site, we recommend following these best practices.
Choose a strong password
A password that’s easy to guess leaves your Squarespace account–and any account that uses the same password–vulnerable to being compromised. If someone guesses your password, they could log into your accounts, access your private information, cause harm, or steal your data.
On Squarespace, you have control over your password. It can be as long as you want, with any combination of letters, numbers, and symbols.
Here are some dos and don’ts for passwords:
Do:
- Use different passwords for each service you use
- Change your passwords often
- Use long phrases you can remember instead of a single word
- Use a mix of uppercase letters (“A”), lowercase letters (“a”), numbers (“1”), and symbols (“!”, “@”)
- Enable two-factor authentication as an extra layer of protection
- Consider using a password manager app that generates and stores random passwords for you. This way, you won’t have to try to remember every password or store them in an insecure document.
- Log in with a social account
Don’t:
- Use your birthday, name, or physical address
- Use your email address as your password
- Use common words like password or Squarespace
- Use easy-to-guess sequences like 123 or ABC
- Use the same password for multiple services, especially your email address, payment processor account, or third-party domain provider
- Assume that an email is from a company just because it contains the company logo or their name appears in your inbox as the “From” name.
- Send your login information or other sensitive information via email, no matter how convincing the person sounds.
- Publish your email address on your site. Ask visitors to contact you through a Form Block instead.
To learn how to change your password, visit Changing your account password. Note that this password will give you access to all Squarespace sites on your account.
Change your password regularly
Update your password at least every few months. When you update your password, don’t use one you used in the past.
Don’t share your password
Never share your password with anyone, even someone you trust. Instead of sharing the same account with another person or team, there are other options:
- Each person who needs access to your site can have their own accounts. You can set this up by adding them as contributors.
- To let someone see a private page without giving them editing access, you can protect the page with a separate password.
Add extra protection with two-factor authentication
Enable two-factor authentication on Squarespace
A strong password helps with security, but adding two-factor authentication is the best line of defense from unauthorized access. After it’s enabled, you’ll need a code sent to an authenticator app on your mobile device before you can log in. This means that if someone guesses your password, they won’t be able to log in unless they also have your mobile device.
Squarespace two-factor authentication requires an authentication app like Google Authenticator. We don't send codes via email or text message.
Anyone who has a contributor account for your website should have two-factor authentication enabled. To get started, visit Protect your account with two-factor authentication.
Use two-factor authentication whenever you can
We recommend using two-factor authentication on any service you use that offers it, at least for services you can connect to Squarespace, such as:
- Social media accounts
- Email accounts
- Payment processor accounts
- Bank accounts
- Third-party domain providers
Avoid phishing scams
Phishing emails impersonate trusted companies like Squarespace to try and trick you into sharing personal information. If you received a suspicious email that looks like it’s from us–or another company claiming to be associated with us–don’t click any links, reply to the message, or download any attached documents.
To spot a phishing email, look for an urgent tone, requests for your password or private information, fake email addresses, and links that don’t lead to www.squarespace.com. If you clicked a link or downloaded anything, change your password immediately, watch your bank account for unauthorized transactions, and report the email to your email provider.
For more tips, visit I received a suspicious email. Is it from Squarespace?
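As an added illustration (not part of the original guide and not Squarespace tooling), the link check described above can be run over the HTML body of an email: it compares the host each link really leads to, not the visible link text, with www.squarespace.com. The function names and the sample email are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_HOST = "www.squarespace.com"  # the host the guide says real links lead to

def check_link(url):
    """Return (ok, reason) for one link target taken from an email."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "not an http(s) link"
    if "@" in parts.netloc:  # everything before '@' is not the destination
        return False, f"text before '@' is decoration; real host is {host}"
    if host == TRUSTED_HOST:
        return True, "host matches"
    if "squarespace" in host:  # brand name inside some other domain
        return False, f"lookalike host {host}"
    return False, f"leads to {host}"

class _Links(HTMLParser):
    """Collect [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data

def suspicious_links(html_body):
    """Return (visible text, href, reason) for each link that fails the check."""
    parser = _Links()
    parser.feed(html_body)
    checked = [(text.strip(), href, check_link(href)) for href, text in parser.links]
    return [(t, h, reason) for t, h, (ok, reason) in checked if not ok]

# Constructed sample email body (not a real message).
SAMPLE = """<p>Act today! <a href="https://www.squarespace.com.billing-check.example/login">www.squarespace.com/login</a></p>
<p><a href="https://www.squarespace.com@verify.example/reset">Reset password</a></p>
<p><a href="https://www.squarespace.com/login">Log in</a></p>"""
```

Calling `suspicious_links(SAMPLE)` flags the first two links, including the one whose visible text reads www.squarespace.com/login, and passes the third.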
Remove unused contributors
If a contributor is inactive or no longer needs access to your site, consider removing them. This way, if their account gets compromised, the hacker can’t log into your site because it’ll be disconnected from their account.
To learn more, visit Removing a contributor.
Force devices and apps to log out
If you forgot to log out on a public computer, lost your device, or suspect that someone logged into your account without permission, you can force one or all devices to log out. This ends the login session and will require the user to re-enter a password the next time they log in. You can view active login sessions for your account from the Login History panel.
Similarly, you can disconnect mobile apps from your account. If you lost your phone, anyone who tries to open a Squarespace mobile app on it won’t be able to see your account or use the app unless they log in. You should also review your App Password history periodically to watch for unusual entries. If you see a password entry you don’t recognize, remove it.
Keep your browser and operating system up to date
Set your operating system and browsers to update automatically, so you’re always using the latest versions with up-to-date security features.
To learn more, visit Supported browsers.
Keep your antivirus software up to date
Antivirus software helps you fight against viruses and other malicious third-party programs. If you use antivirus software on your device, keep it up to date and set it to update automatically.
Our Security, Engineering, and Operations teams work 24/7 to monitor unusual behavior on our platform. If you’re a security professional or researcher and you’ve discovered a vulnerability, we encourage you to let us know through our Security page.