Keep your Webflow account secure

At Webflow, we take security seriously, and use a number of internal security and application security measures to keep your account and site data secure.

To safeguard your account and sites, we recommend the following best practices:

1. Use a strong account password
2. Use two-factor authentication or Single Sign-On
3. Don’t share your Webflow account or email address
4. Verify ownership of your domain
5. Avoid phishing and smishing scams
6. Set your creator profile privacy settings
7. Keep your browser and operating system up to date

Use a strong account password

Important: Never, under any circumstances, share your Webflow login information with another person. Make sure others don’t have access to your passwords or other authentication credentials (e.g., two-factor authentication codes). Instead of sharing your account with team members or clients, you can use Workspace plans to collaborate.

To create a strong password for your account, you should:

• Use a unique password
• Use a mix of uppercase and lowercase letters, numbers, and special characters

Don’t:

• Re-use a password you use for another service
• Include personal details like your birthday or name
• Use common, easily-guessed words or sequences like password, 123, etc.

It’s also best practice to change your password regularly. When you update your password, use a new, unique password (i.e., not one you’ve used before).

Pro tip: You can use a password manager to generate and store random, unique passwords — then, you don’t have to remember all your passwords or store them with insecure methods like documents and spreadsheets.

Use two-factor authentication or Single Sign-On

Two-factor authentication (2FA) adds an extra layer of security to your account by requiring a unique authentication code in addition to your account password — so if someone guesses your password, they can’t log in to your account unless they also have access to your authentication codes. 2FA is available for all customers, regardless of Workspace plan.

Customers on Enterprise Workspace plans can enable Single Sign-On (SSO) login, which simplifies the authentication process by allowing users to log in once with a single set of credentials.

Don’t share your Webflow account or email address

It’s against Webflow’s Terms of Service to share your account and/or primary email address with another person. If you need to work on sites with team members or clients, you can use Workspace plans to collaborate. You are responsible for safeguarding your account credentials and taking all steps to prevent unauthorized use of your account. If you know or suspect that your account has been used by any other person, you must notify Webflow immediately.

Verify ownership of your domain

In order to publish your Webflow site to a custom domain, you’ll need to first verify ownership of that domain. This prevents domain hijacking by restricting use of the domain to your site. Learn more about verifying ownership of your domain.

Avoid phishing and smishing scams

Phishing (email) or smishing (SMS text) scams attempt to trick you into sharing sensitive information like your account password or payment details. If you receive a suspicious email or text that looks like it’s from Webflow — or a company claiming to be associated with Webflow — don’t respond, click on any links within, or download any attachments.

You can often spot a phishing email or smishing text based on the following:

• Urgency (e.g., “We can’t process your payment! Your plan will be cancelled in 3 days,” etc.)
• Fake email addresses — make sure to check the actual address, not just the display name
• Links that don’t point to Webflow’s official sites — official sites include but are not limited to: webflow.com, university.webflow.com, etc.

If you clicked on a link or downloaded an attachment from a suspicious email or text, change your password immediately, watch your bank account for unauthorized or fraudulent transactions, and report the email to your email provider. If you aren’t sure whether an email you received came from Webflow, contact our support team with details (e.g., screenshots of the email, the sender’s email address, etc.).

Webflow will never email you to request sensitive information like payment details (including card and bank account numbers), account password(s), social security number, etc.

Set your creator profile privacy settings

Your creator profile is a customizable public page where you can add information about yourself, showcase your Made in Webflow sites, etc. Make sure your profile is set to private or public according to your privacy goals. If your profile is set to public, make sure to only include details you wish to share publicly.

Keep your browser and operating system up to date

Make sure to keep your browser and operating system up to date, as each release implements new security features and patches. You can set your browser and operating system to update automatically to be sure you’re always using the latest version.

Learn more about security at Webflow.

‍