What Happens When Your Client Gets "Hacked"

The email arrives at 11pm on a Sunday. Subject line: "URGENT: I think my website has been hacked!!!"

Your stomach drops. You open it. The client's site is showing some kind of spam content, or redirecting to a suspicious URL, or the login isn't working. They're panicking. You're panicking. And neither of you is entirely sure what to do.

Here's the good news: if your client is on Squarespace, they almost certainly haven't been hacked, not in the way that word usually means. Squarespace's infrastructure is managed, patched, and secured by Squarespace's engineering team. There's no server of your own to harden, no outdated plugins with known vulnerabilities, no database exposed to injection. The platform-level security is, genuinely, one of the strongest arguments for using Squarespace over self-hosted alternatives.

But "the platform is secure" and "your client's site is secure" are not the same statement. The vast majority of "hacks" on Squarespace sites are not platform breaches. They are account compromises, and the cause is almost always human.

The Actual Threat Model

Let's be realistic about what can go wrong.

Compromised passwords. The client uses the same password everywhere. One of those "everywheres" suffers a data breach. The password ends up in a leaked database. Someone tries it on Squarespace (this is credential stuffing, and it is automated at scale against every site that has a login form). It works. They now have full admin access to the site.

This is by far the most common "hack" scenario. It's not a Squarespace vulnerability. It's a human vulnerability, and it happens to smart, careful people who just haven't adopted good password practices.

Phishing. The client receives an email that looks like it's from Squarespace, asking them to log in to verify their account or update their payment details. The link goes to a convincing fake login page on a domain that is not Squarespace's. The client enters their credentials. The attacker now has them.

Contributor access left open. The client's former employee, ex-business partner, or previous web designer still has active login credentials. The departure wasn't amicable. The site gets modified, content gets deleted, or the legitimate owner gets locked out.

Third-party code injection. Someone with site access (possibly a well-meaning but careless contributor) adds a code block containing a script from a dubious source. The script redirects visitors, displays ads, injects affiliate links, or harvests data. The site hasn't been hacked externally. It's been compromised from within through bad code. Note that a script which was harmless when it was added can turn malicious later without anyone touching the site, because the browser loads it live from a server the client doesn't control.

Domain hijacking. If the domain is registered separately from Squarespace (at GoDaddy, Namecheap, or elsewhere), the registrar account can be compromised through the same password and phishing vectors. A compromised domain registration is more serious than a compromised website, because the attacker can point the domain at any server, reroute the client's email by changing its MX records, and potentially transfer the domain to a different registrar, at which point getting it back is a dispute rather than a support ticket.

Prevention: The Things You Should Be Doing

As the designer, you have a professional responsibility to set up your client's site with reasonable security practices, even if the client doesn't ask for it. This isn't about being paranoid. It's about being professional.

Two-factor authentication (2FA). Squarespace supports 2FA on all accounts. Enable it on the site owner's account during setup, and require it for any contributor accounts. This single step stops the credential-stuffing scenario outright, because a stolen password alone isn't enough to log in, and it blunts most phishing. The caveat: a phishing page that relays the one-time code to the real site in real time can still get in, so the habit of checking the login page's address still matters.

Walk the client through setting up 2FA during the handover meeting. Use an authenticator app (Google Authenticator, Authy, 1Password) rather than SMS, because SMS-based 2FA is vulnerable to SIM-swapping attacks. If the platform issues backup codes when 2FA is turned on, store them in the password manager; they are what gets the client back in if the phone is lost or replaced. Yes, this is an extra step every time they log in. Yes, it's worth it.

Unique, strong passwords. Recommend (or insist on) a password manager. 1Password, Bitwarden, and the built-in iCloud Keychain are all good options. The password for their Squarespace account should be randomly generated, at least 16 characters, and used nowhere else.

If the client pushes back ("I can never remember those"), remind them that the password manager remembers it for them. They need to remember exactly one password: the one that unlocks the password manager. Every other password can be long, random, and unique.

Contributor account hygiene. Every person who needs access to the site should have their own account with the minimum necessary permission level. Squarespace offers several roles, among them Owner, Administrator, Website Editor, and Billing. A content writer needs an editor role, not Administrator. A contractor doing a one-off task needs temporary access that's revoked when the work is complete. Never hand out the owner's login as a shortcut; a shared credential can't be revoked for one person without changing it for everyone.

Review contributor access at least annually, and immediately whenever someone leaves. Remove anyone who no longer needs access. This is the boring, administrative work that prevents the "disgruntled ex-employee" scenario, and it takes five minutes.

Domain security. If the domain is registered at a third-party registrar, enable registrar lock (also called transfer lock; it prevents the domain from being transferred without explicit authorisation), enable 2FA on the registrar account, and ensure the account email is current. You can confirm the lock from outside: the domain's WHOIS or RDAP record should show a clientTransferProhibited status. If the client doesn't check the email associated with their GoDaddy account, they won't see the warning if someone tries to transfer their domain, and they won't see the renewal notices either; a lapsed domain can end up in someone else's hands just as a stolen one can.
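The check described above can be scripted. The following is an added example written for this page, not code from Squarespace or any registrar: it takes a domain's RDAP record (RDAP is the JSON successor to WHOIS, and the same JSON shape is what https://rdap.org/domain/<name> returns) and reports missing locks, an in-progress transfer, an imminent expiry, and nameservers that differ from what you expect. The record, the expected nameservers, and the "today" date are constructed sample inputs, not a real lookup.

```javascript
"use strict";

// Added example (not Squarespace's or any registrar's code): audit a domain's
// RDAP record for the protections the text asks for. The sample record below
// is constructed for illustration, not fetched from a registry.

// EPP statuses as RDAP spells them (RFC 8056: lowercase, space separated).
const REQUIRED_LOCKS = [
  "client transfer prohibited", // the registrar lock: blocks transfer-out
  "client delete prohibited",
  "client update prohibited",
];

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Returns human-readable findings; an empty list means nothing to act on.
// expectedNameservers and now are caller-supplied assumptions, not RDAP data.
function auditDomainRecord(record, { expectedNameservers = [], now = new Date(), expiryWarnDays = 30 } = {}) {
  const findings = [];
  const status = new Set((record.status || []).map((s) => s.toLowerCase()));

  for (const lock of REQUIRED_LOCKS) {
    if (!status.has(lock)) findings.push(`missing status: ${lock}`);
  }
  if (status.has("pending transfer")) {
    findings.push("transfer in progress: object at the registrar immediately");
  }

  // A domain that lapses is as lost as one that is stolen, so warn early.
  const expiry = (record.events || []).find((e) => e.eventAction === "expiration");
  if (!expiry) {
    findings.push("no expiration event in record");
  } else {
    const daysLeft = Math.floor((new Date(expiry.eventDate) - now) / MS_PER_DAY);
    if (daysLeft < expiryWarnDays) findings.push(`expires in ${daysLeft} days`);
  }

  // Changed nameservers are the first visible sign of a hijacked registration.
  const actual = (record.nameservers || []).map((n) => n.ldhName.toLowerCase()).sort();
  const expected = expectedNameservers.map((n) => n.toLowerCase()).sort();
  if (expected.length && actual.join(",") !== expected.join(",")) {
    findings.push(`unexpected nameservers: ${actual.join(", ")}`);
  }
  return findings;
}

// Constructed sample: the transfer lock was never enabled and renewal is close.
const SAMPLE_RDAP = {
  ldhName: "EXAMPLE-CLIENT.COM",
  status: ["client delete prohibited", "client update prohibited"],
  events: [
    { eventAction: "registration", eventDate: "2019-03-01T00:00:00Z" },
    { eventAction: "expiration", eventDate: "2025-03-01T00:00:00Z" },
  ],
  nameservers: [
    { ldhName: "DNS1.EXAMPLE-HOST.NET" },
    { ldhName: "DNS2.EXAMPLE-HOST.NET" },
  ],
};

// Assumed values for the sample run: the nameservers the site is supposed to use,
// and a fixed "today" so the expiry warning is reproducible.
console.log(auditDomainRecord(SAMPLE_RDAP, {
  expectedNameservers: ["dns1.example-host.net", "dns2.example-host.net"],
  now: new Date("2025-02-10T00:00:00Z"),
}));
```

Run it on a client's real record by saving the JSON from the RDAP query to a file and passing the parsed object in; the two findings on the sample (no transfer lock, nineteen days to expiry) are exactly the two things the paragraph above says to fix before they become an emergency.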

When Things Go Wrong: The Response Plan

Despite best efforts, sometimes things go wrong. Having a plan beats having a panic.

If the client can still log in: Change the account password immediately. Check the contributor list for accounts you don't recognise and remove them. Confirm the account email and any recovery settings haven't been changed. Look through Code Injection for unfamiliar scripts, in Settings > Advanced > Code Injection and in individual page settings. Check the domain and DNS settings for records nobody added on purpose. Review recent activity in Squarespace's audit log, and enable 2FA if it wasn't already active.

If the client is locked out: Contact Squarespace support directly. They have identity verification processes for account recovery. If the account email has been changed by an attacker, this process takes longer and requires additional verification, which is another argument for having 2FA enabled before it's needed.

If the domain has been compromised: Contact the registrar immediately. Domain recovery processes exist but are time-sensitive, particularly if the attacker initiates a domain transfer (which has a short window for the legitimate owner to object). This is genuinely urgent and may require phone support rather than email tickets.

In all cases: Change the passwords on every related account (the Squarespace account, the domain registrar, the associated email, any connected services like Google Workspace or Mailchimp). An attacker who compromised one password probably tried it on every service associated with that email address.

The Code Injection Audit

This is the most overlooked security practice for Squarespace designers, and it's something you should do on every site you manage or inherit.

Squarespace's Code Injection feature (and custom code blocks) can contain any HTML, CSS, or JavaScript. This is powerful for customisation, but it's also an attack vector. A malicious script in the header injection runs on every page of the site, for every visitor. It can redirect users, inject hidden links (for SEO spam), load cryptocurrency miners, display phishing overlays, or harvest form data.

Check three places: Settings > Advanced > Code Injection (header and footer fields), individual page Code Injection (in each page's settings), and any code blocks within the page content. The things to look for: a script tag that loads from a host you don't recognise (including protocol-relative "//host/..." URLs, which are easy to skim past), a block of minified or obfuscated JavaScript you didn't write, inline code that calls eval, atob or document.write, links styled to be invisible, and meta refresh tags. None of these is proof of malice on its own, but each one means you read the code before assuming it's benign.
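Here is the audit from the paragraph above as a script you can run over the pasted contents of any of those three places. It is an added example written for this page, not Squarespace's code: it takes the HTML as a string, flags external scripts and iframes whose host isn't on an allowlist you maintain, inline scripts with the markers just listed, meta refresh tags, and hidden links. The allowlist hosts and the sample injection field are assumptions constructed for the demonstration.

```javascript
"use strict";

// Added example (not Squarespace's code): audit a Code Injection field or any
// HTML fragment for scripts and markup that deserve a second look.

// Assumed allowlist: hosts you have deliberately approved for this site.
const ALLOWED_HOSTS = new Set([
  "static1.squarespace.com",
  "www.googletagmanager.com",
]);

// Markers that are not proof of malice, but do mean the script needs reading.
const INLINE_PATTERNS = [
  { reason: "eval", re: /\beval\s*\(/ },
  { reason: "string-to-code", re: /\b(?:new\s+)?Function\s*\(|setTimeout\s*\(\s*["'`]/ },
  { reason: "base64-decode", re: /\batob\s*\(/ },
  { reason: "document.write", re: /document\.write(?:ln)?\s*\(/ },
  { reason: "hex-escapes", re: /(?:\\x[0-9a-fA-F]{2}){8,}/ },
  { reason: "location-rewrite", re: /\blocation(?:\.href)?\s*=\s*["'`]https?:/ },
  { reason: "script-loader", re: /createElement\s*\(\s*["'`]script["'`]\s*\)/ },
];

// Resolve a src attribute to its host. Protocol-relative "//host/x.js" and
// absolute URLs give their own host; path-only sources resolve against a
// placeholder base and are reported as same-origin.
function hostOf(src) {
  try {
    const u = new URL(src.trim(), "https://same-origin.invalid");
    return u.host === "same-origin.invalid" ? "same-origin" : u.host;
  } catch {
    return "unparseable";
  }
}

// Crude but effective: a long body made of very long lines was not hand-written.
function looksMinified(body) {
  const longest = body.split("\n").reduce((m, l) => Math.max(m, l.length), 0);
  return body.length > 300 && longest > 500;
}

function auditHtml(html, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];

  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    const srcMatch = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (srcMatch) {
      const host = hostOf(srcMatch[1]);
      if (host !== "same-origin" && !allowedHosts.has(host)) {
        findings.push({ kind: "external-script", detail: host, reasons: ["host not on allowlist"] });
      }
      continue;
    }
    const reasons = INLINE_PATTERNS.filter((p) => p.re.test(body)).map((p) => p.reason);
    if (looksMinified(body)) reasons.push("minified/obfuscated body");
    if (reasons.length) {
      findings.push({ kind: "inline-script", detail: body.trim().slice(0, 60), reasons });
    }
  }

  const iframeRe = /<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const [, src] of html.matchAll(iframeRe)) {
    const host = hostOf(src);
    if (host !== "same-origin" && !allowedHosts.has(host)) {
      findings.push({ kind: "iframe", detail: host, reasons: ["host not on allowlist"] });
    }
  }

  const metaRe = /<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*>/gi;
  for (const [tag] of html.matchAll(metaRe)) {
    findings.push({ kind: "meta-refresh", detail: tag.slice(0, 80), reasons: ["redirects every visitor"] });
  }

  // Hidden anchors are the classic SEO-spam payload.
  const hiddenLinkRe = /<a\b[^>]*\bstyle\s*=\s*["'][^"']*(?:display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0)[^"']*["'][^>]*>/gi;
  for (const [tag] of html.matchAll(hiddenLinkRe)) {
    const href = /\bhref\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
    findings.push({ kind: "hidden-link", detail: href ? href[1] : tag.slice(0, 80), reasons: ["link hidden from visitors"] });
  }

  return findings;
}

// Constructed sample of a header injection field: one approved tag, one benign
// inline snippet, and three things that should be questioned.
const SAMPLE_HEADER_INJECTION = `
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="//cdn.example-stats.net/track.js"></script>
<script>eval(atob("d2luZG93LmxvY2F0aW9u"));</script>
<a href="https://cheap-pills.example" style="display:none">buy</a>
`;

console.log(JSON.stringify(auditHtml(SAMPLE_HEADER_INJECTION), null, 2));
```

Keep the allowlist per client rather than global; the point of the exercise is that every host in it is one you can explain to the client. Anything the script flags is a prompt to read the code, not a verdict.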

For sites you're inheriting from a previous designer, audit all code injection fields as part of your initial review. You need to know what's running on the site before you take responsibility for it.

The Conversation with Clients

Most clients don't think about website security until something goes wrong. Part of your job is to raise it without creating anxiety.

The framing I use: "Your Squarespace site is on a very secure platform, so we don't need to worry about the kinds of attacks that affect WordPress sites. But we do need to make sure your account itself is protected, because that's the most common way things go wrong. Two things we're going to set up today: a strong unique password and two-factor authentication. These take five minutes and prevent 95% of potential issues."

That's it. No fearmongering. No technical deep-dive into threat vectors. Just two practical actions, positioned as routine professionalism rather than emergency prevention.

Because that's what security is. It's not dramatic. It's not exciting. It's the boring, five-minute tasks that mean the 11pm Sunday email never arrives in the first place.
