Reset your https://my.volusion.com password. We recommend a strong password that you are not using on any other website.
Login to my.volusion.com and under https://my.volusion.com/FTP_Accounts.aspx review your FTP accounts. If you don’t recognize any, or no longer need them, delete them. You can always create an FTP account when you need one. Do not save the FTP credentials in your FTP client. Having no FTP accounts is fine.
Go to your store’s admin area (under /admin/TableViewer.asp?table=Admins) and review your administrators. If you don’t recognize some - disable access. If you delete the account the access history will be lost, so disabling is better.
Review your Admin History (under /admin/AccessManager.asp) and make sure there are no unknown Admin accounts or IPs listed in the table. Please note that if a regular shopper navigates to any "/admin" page the attempt will be logged in the admin history table too. This will also happen when you go to a shopper account and click “Login As This Customer” and then try to visit your "/admin" pages. Your IP Address and the email of the shopper you selected will be listed in your Admin History table. Contact us at firstname.lastname@example.org to report any suspicious activity.
We recommend resetting all your store Administrator passwords today, and do so every 3 months (the software should prompt you to do this). Again, we recommend strong and unique passwords each time.
Review your code especially your custom html template and js files used by that template and makes sure you recognize and trust all scripts that are loaded on your site. This can be done by going to File Edit in the admin area, and opening the following files for your template: HTML and JS.
Check if the secure iframe checkout is enabled on your store by navigate to your storefront and visiting the checkout page (/one-page-checkout.asp). Then view the page source in the browser. It should have an HTML element with ID “paymentFrame”.
Beware of phishing emails and websites that may attempt to steal your credentials https://helpcenter.volusion.com/en/articles/424791-don-t-fall-for-phishing
Ensure that the devices from where you manage your Volusion store are protected with Antivirus software.
If you access your admin area from a limited number of IPs such as your office and home static IPs - you can whitelist them via the store’s Firewall page (/admin/TableViewer.asp?table=IP_Address_Security_Rules) and your admin area won’t be accessible from other IPs. To do that follow the steps described in this article https://helpcenter.volusion.com/en/articles/3363712-blocking-unapproved-ips-from-your-admin
In your custom asp files never store cleartext credentials, such as hardcoded API username and password. Review your custom code (under /v) especially custom .asp files, and make sure they are still needed and are free of vulnerabilities such as SQL injection.