Is Wix Secure? Everything You Should Know About Wix Security
When building a website, the last thing you want is to go through the tireless design work, only to end up wondering if the site is secure. This is especially true for online stores. In today’s site building world, many entrepreneurs turn to DIY site builders, like Wix, Squarespace, and Shopify. If you’re using Wix, you may wonder, is Wix secure? And what elements of Wix security make it better than the competition?
Users tend to feel wary about the security of DIY ecommerce platforms, since you have less control over hosting (the #1 way to secure your website), and there’s less transparency about how DIY platforms keep your site secure.
As a result, there’s confusion as to whether platforms like Wix are secure in the areas of payment processing, hosting, fraud, and malware. In this article, we explore everything you need to know about Wix security, and answer the question, is Wix secure?
Wix Threat Prevention
The threat prevention from Wix is broken down into four lines of defense:
- 3rd-party risk management: This involves the apps that integrate with Wix. Essentially, any third-party app could introduce security vulnerabilities on your site, or on the entire Wix infrastructure. Because of that, Wix has a strong threat prevention and removal management program, meaning it only approves Wix apps and vendors that agree to and align with Wix’s security standards and with industry standards.
- Anti-fraud and payment security: Wix follows the rules set forth by the Payment Card Industry Data Security Standard (PCI DSS). As a result, Wix protects transactions with the highest level of anti-fraud protection available.
- Powerful data encryption: Data encryption comes into play when customers type in payment information. Wix encrypts all sensitive data in transit with several tools: SSL, TLS 1.2+, and HTTPS. Stored data at rest is protected with AES-256.
- A development lifecycle that’s secure: During development, bugs happen. To guard against that, Wix has strict processes for penetration testing, along with ongoing code reviews and threat modeling.
Wix Real-time Monitoring
It’s excellent that Wix has threat prevention tools (like encryption) already implemented for online stores and websites. Yet, it’s also important to see ongoing, real-time monitoring with a combination of both humans and bots watching out for intruders.
From our Wix security research, we uncovered the following real-time monitoring practices from Wix:
- A bug bounty program: Perhaps one of the most unique parts of Wix’s security protocol is its Bug Bounty Program, where independent hackers, developers, and security experts are invited to submit vulnerabilities they find in the Wix application layer. If a security hole (bug) is discovered, they receive a payment. Incentivizing independent researchers this way is an exceptional route to unbiased patching of security weaknesses.
- SIEM and SOC: Wix operates what’s called a Security Operations Center (SOC). It functions on a 24/7 basis, and users can even contact it if threats arise. Its main tool is Security Information and Event Management (SIEM), which speeds up how quickly the team can see and respond to security issues.
- Data analysis: Wix utilizes machine learning to track usage patterns and suspicious behavior on its own infrastructure and its users’ stores. If any misuse of data or account content is detected, Wix acts to block the attacks.
- Protection with anti-DDoS: Using an automated threat prevention system, Wix responds to any distributed denial of service (DDoS) attack, even one that targets only your own domain name.
- Security transparency: Although it’s unclear which tools are used for this, Wix claims it strives to keep all of its security processes transparent, allowing the security team to take action at a moment’s notice. This also helps users understand how their sites are protected. Information is available on its security gate and trust pages.
Wix Rapid Response
Security automation tools and active monitoring serve to identify and squash some problems along the way, but we want to see the exact procedures used by Wix to respond to those threats in a fast and reliable manner.
As of this article, Wix uses the following rapid response methods:
- Incident response: All cybersecurity issues go through the Wix Incident Response team, whose job it is to create a plan of action for each unique security breach.
- Simulations and training: Wix performs ongoing security breach simulations so that the security team is ready to respond quickly. These are structured around a “business continuation plan,” so the team trains to keep all websites up, even in times of crisis. This way, merchants and website owners can keep their websites running without interruptions to their service.
- The Business Continuation program: Business continuation, or keeping Wix websites active and uninterrupted during infrastructure attacks, works by securing every aspect of the Wix system while attacks occur. The Wix security team follows a plan of action to maintain smooth website functionality for all users, and to address any necessary recovery tasks.
Wix Payments Security
One of the biggest questions looming over users when choosing an ecommerce platform or website builder is how the platform secures payments. We’ve talked a little about how Wix handles the encryption and monitoring of payment data, but this section is for diving deeper into the topic, due to its sensitive nature.
To begin, the Wix Security protocol protects all ecommerce payments and transactions with:
- PCI DSS Level 1 certification (Payment Card Industry Data Security Standard)—ensuring all payment processors transmit user and transactional data over secure environments
- Ongoing transaction monitoring, looking for attacks and vulnerabilities in the system
- Data analysis for fraud blocking
- Machine learning for fraud prevention
- Third-party audits and bug bounty programs for identifying vulnerabilities during development and beyond
A Note on PCI DSS compliance:
This standard for payment processing has six rules. In order to maintain a status of PCI certification, payment processors and ecommerce platforms must abide by each of the requirements.
The requirements include:
- Running a secure network for transactions and user data
- Protecting data passed on from cardholders
- Creating a program for vulnerability management
- Managing a policy for information security
- Testing and monitoring network security
- Implementing measures for high-strength access controls
Site Visitor Protection
Wix also utilizes a collection of on-site and infrastructure-based tools to protect site visitor data that gets passed from the user to the merchant. When accepting elements like credit card information and personal data from a customer, it all goes through security checks and encryption, using tools like SSL, TLS 1.2+, and HTTPS.
Every website comes with an SSL certificate, which is the primary protection used on most ecommerce sites to encrypt user transactional data. There’s no need to pay for your own SSL certificate, or to go out and install one on your own. It’s all included with your Wix pricing plan.
Fraudulent Transaction and Chargeback Prevention
Fraud ties into transactional security, seeing as how merchants also want to protect themselves from attacks. We know that your user data is safe, but Wix also provides built-in features for analyzing, identifying, and blocking the various types of ecommerce fraud that come along, particularly credit card and chargeback fraud.
Fraudulent chargebacks occur when someone uses a stolen credit card to purchase from your store, and then the real owner of that credit card reports a chargeback since they didn’t make the purchase. Some fraudsters even use their own credit cards and report that items never arrived at their home, asking for a refund while still keeping the product you sent. Either way, it’s fraud.
Regardless of the type of chargeback fraud, the goal is to prevent it as much as possible.
Why? Because if a credit card company decides the chargeback is valid, your company loses the inventory, and you usually need to pay a steep chargeback fee.
How does Wix defend against chargeback fraud, and all fraud for that matter?
- Wix only uses secure payment providers (such as Wix Payments and over 50 other payment gateways) to automatically check the authenticity of each transaction. The best payment processors will decline transactions for a variety of reasons, ranging from an invalid CVV number to a delivery address that doesn’t match the payment address.
- Wix has a chargeback dispute feature for merchants to file information on why they think the chargeback was fraudulent or invalid. The advantage of this tool is its accessibility, seeing as how many merchants don’t even know you can dispute a chargeback, and some ecommerce platforms don’t make it as simple as Wix to file a dispute with a few clicks in the dashboard.
Payment Services Directive 2 (For European Merchants Only)
PSD2, or the Payment Services Directive 2, serves as a set of regulatory laws in the European Economic Area (EEA) and European Union (EU).
The idea behind the laws is to ensure the utmost security for online payments, at least those made between merchants and buyers both located within the EEA or EU.
Here’s how it works:
- The laws are set forth to push payment processors within the designated European areas to implement additional fraud and attack prevention techniques.
- Shoppers may have to verify their identity prior to making any payments. This would mean an extra step on the merchant’s checkout page.
- The verification process varies depending on the payment processor and bank.
- Wix is actually compliant with every aspect of PSD2, so Wix merchants don’t have to change anything on their sites. All the verification requirements are built into Wix sites in Europe.
Ways to Make Your Wix Site More Secure
There are several other ways—besides the standard security measures in place by Wix—to heighten security levels on your Wix site.
- Set roles and permissions for all users working on your site, from writers to content creators and developers to marketing agencies. Prevent users from accessing important admin tools by locking everyone out except the main stakeholders at your company.
- Implement a rule at your company that every user with access to the Wix site uses a strong password and two-factor authentication when logging in. This is the best way to prevent brute-force logins, and you can manage the setup with a simple, free password manager and a device with a two-factor app or text-message capability.
- Consider site member validation and single sign-on tools to strengthen your security.
- Look into Wix site security apps, not to improve your site’s security, but to analyze what has been done, and how you can boost its security in the future.
- Take advantage of the automated backup tools from Wix. And know where the backups are located, just in case you have to retrieve them after a site hack.
Who Manages Wix Security? And Who Can I Contact for Questions?
At Wix, they have a dedicated security team. They’re the people in charge of everything Wix security, ranging from site visitor protection to payment security.
The security team is composed of industry-leading experts on fraud, defense systems, and security infrastructure. They’re the ones who constantly monitor what’s going on with Wix web hosting, and they implement fixes to the system if necessary.
Not only that, but the Wix security team manages a Bug Bounty Program, where developers and hackers can report bugs on Wix for payment, incentivizing the further security of Wix as a whole. They also partner with independent researchers to keep the security analysis as unbiased as possible.
That leads us to the question, who can you contact if you have questions about Wix security? Or if you encounter a security problem with your Wix site?
- For any security issues or questions, send an email to the Wix security team at [email protected]. They’ll answer questions, and guide you through processes to fix security vulnerabilities on your store.
Controls in Place for Physical Access to Wix Servers
With all internet hosting, there’s a physical server sitting somewhere, holding the files used to build and serve up your website to the end user. Ecommerce platforms, hosting companies, and website builders must protect those servers from threats, both natural and human. For example, data centers usually implement cooling systems, so the servers run properly, along with fire protection measures to prevent damage.
The location, maintenance, and security at these data centers is paramount, since damaging a server can often be more harmful than standard digital attacks.
At Wix, they use the following physical access controls to ensure your data’s safety on the hosting servers:
- Four data centers are currently in use: two in the USA, one in Europe, and one in Asia.
- Wix’s data centers, and its physical offices, are restricted with identification verification systems, keeping out intruders.
- Wix uses Google Cloud and Amazon Web Services for its hosting. Both have top-notch security measures in place, along with maintenance procedures to protect all servers.
- At its Google Cloud and Amazon Web Services locations, Wix requires that its data center providers hold the necessary security certifications such as SOC 1, 2, and 3; PCI DSS Level 1; and ISO 27001, 27017, and 27018.
Wix’s Policy on Law Enforcement Requests
All ecommerce platforms and website builders must respond in some way to law enforcement when it asks for information about a company or individual. Some platforms have policies of non-compliance, maintaining a structure where they protect every aspect of what the user does on their platform. However, this raises concerns when nefarious activity occurs on the network.
Wix takes somewhat of a middle ground approach, stating that it tries to respect the rights of all customers and end users first, but also takes every governmental or law enforcement request under consideration.
With every consideration, you can expect the following responses:
- Wix checks to make sure the request is legitimate, from a valid law enforcement agency, and made in accordance with all legal procedures.
- Wix never reveals personal data from users, unless it’s required by law.
- All unlawful requests get challenged.
- If legally allowed, Wix will redirect the law enforcement agency to the actual customer so that they can request information from the user.
Is Wix Secure? Our Conclusion
With threat prevention, real-time monitoring, rapid response systems, and payment security solutions, the Wix infrastructure is about as secure an ecommerce platform as you can find. Merchants can gain peace of mind knowing that the Wix Security team monitors fraud and unusual behavior on a regular basis; there are also automated protections like SSL and HTTPS, ensuring the encryption of data.
Having said that, attacks can still happen due to user error. We highly recommend setting up strong passwords for all Wix accounts (not by creating a complicated password and memorizing it, but with a password manager that generates strong, unique passwords for each of your sites—and you don’t have to memorize them). This way, there’s a lower chance of someone breaking into your website using a brute force attack.
It’s also essential to configure a 2-step authentication app (or by using SMS—but that’s not as secure) where you must type in a confirmation code every time you log into Wix. Make sure every user has this on their phone. Finally, be sure to set roles and permissions to block access to certain parts of your sites; not every contractor, writer, or developer needs full control of the backend.
Good luck with your Wix website, and let us know in the comments if you have any questions about Wix security. Do you feel secure running a Wix online store or website? Have you experienced any security breaches while running a store on Wix?