18 min read•Checklist

Shopify Security Checklist

Protect your store, customers, and revenue. Use this 80-point checklist to secure your Shopify store against common threats.

80 items10 sections

Why Security Matters

While Shopify provides robust platform-level security, store owners bear responsibility for account access, staff permissions, app choices, and fraud prevention. A single compromised staff account or malicious app can expose customer data, enable fraudulent transactions, or lock you out of your own business.

0 of 80 completed

Account Security

0 of 8 completed

Enable two-factor authentication (2FA) on owner account

Use unique, strong password (16+ characters)

Use password manager for credentials

Set up backup authentication methods

Review login history regularly

Log out of unused sessions

Use dedicated email for Shopify account

Enable login notifications

Staff Account Security

0 of 8 completed

Require 2FA for all staff accounts

Use principle of least privilege

Only grant permissions staff need

Review staff permissions quarterly

Remove accounts for departed staff immediately

Use individual accounts (no shared logins)

Audit staff account activity

Document who has access to what

App Security

0 of 8 completed

Only install apps from Shopify App Store

Review app permissions before installing

Check app developer reputation and reviews

Remove unused apps

Review apps with broad data access

Check for apps accessing customer PII

Verify apps have privacy policies

Monitor for suspicious app behaviour

API & Integration Security

0 of 8 completed

Review all API access tokens

Remove unused API credentials

Use private apps only when necessary

Limit API permissions to required scopes

Rotate API keys periodically

Monitor API usage for anomalies

Document all integrations

Secure webhook endpoints

Fraud Prevention

0 of 8 completed

Enable Shopify Fraud Analysis

Set up fraud protection app if needed

Configure high-risk order alerts

Review orders from new customers

Check mismatched billing/shipping addresses

Verify large or unusual orders

Set up address verification (AVS)

Enable CVV verification

Payment Security

0 of 8 completed

Use Shopify Payments or PCI-compliant gateway

Never store card details outside Shopify

Enable 3D Secure for high-risk regions

Review payment method settings

Set up chargeback alerts

Monitor for unusual payment patterns

Document payment disputes

Train staff on payment security

Data Protection

0 of 8 completed

Theme & Code Security

0 of 8 completed

Keep theme updated

Review custom code for vulnerabilities

Remove hardcoded credentials

Validate all form inputs

Use HTTPS for all resources

Avoid inline scripts where possible

Review third-party script sources

Check for outdated JavaScript libraries

Backup & Recovery

0 of 8 completed

Set up automated theme backups

Export product data regularly

Export customer data for backup

Document recovery procedures

Test restoration process

Store backups securely off-platform

Have incident response plan

Know how to contact Shopify support urgently

Monitoring & Alerts

0 of 8 completed

Set up uptime monitoring

Configure security alert notifications

Monitor for unusual traffic patterns

Check for brute force attempts

Review Shopify security notifications

Monitor domain for expiry

Check SSL certificate status

Review third-party service status

The Real Cost of Security Failures

Security breaches in ecommerce are not abstract risks. They result in real financial losses, damaged customer relationships, and sometimes complete business failure. Understanding these consequences helps prioritise security measures.

Consequences of a Breach

1.Stolen customer payment information leading to fraud and liability
2.Fraudulent orders shipped at your expense before detection
3.Hijacked accounts with attackers demanding ransom
4.Regulatory penalties for data protection failures under GDPR
5.Permanent reputation damage and lost customer trust

Most Common Attack Vectors

The most common attacks are not sophisticated hacking but simple credential theft:

•Weak passwords or passwords reused from other breached sites
•Phishing emails targeting staff with admin access
•Lack of two-factor authentication on admin accounts
•Malicious apps requesting excessive permissions
•Former staff retaining account access after departure

Security Quick Wins

Enable 2FA Everywhere

Two-factor authentication on all admin accounts prevents most credential theft attacks immediately.

Audit Staff Access Monthly

Remove access for departed staff and review permissions for current team members.

Remove Unused Apps

Every installed app is a potential vulnerability. If you are not using it, remove it.

Review Fraud Alerts Daily

Catch fraudulent orders before shipping by reviewing Shopify's fraud analysis.

Related Checklists

Security works alongside operational best practices:

App Audit →

Review and secure your installed apps

Launch Checklist →

Security settings to verify before going live

B2B Wholesale →

Additional security for business customers

GDPR Compliance →

Data protection and privacy requirements

Frequently Asked Questions

Shopify provides excellent baseline security. All stores automatically get SSL certificates, PCI DSS compliance for payments, and protection against common attacks like SQL injection and cross-site scripting. However, store owners remain responsible for account security, staff access management, app permissions, and fraud prevention. The platform is secure; the challenge is ensuring your configuration and practices do not create vulnerabilities.

Two-factor authentication is essential. Your Shopify admin contains customer data, payment information, and complete control over your business. A compromised account could result in data theft, fraudulent orders, or complete loss of access. Enable 2FA for all accounts with admin access, not just the store owner. Use authenticator apps rather than SMS where possible, as SMS can be intercepted through SIM swapping attacks.

Apply the principle of least privilege: give each person only the access they need to do their job. A customer service representative needs order and customer access but not theme editing or app installation rights. Review permissions quarterly and remove access immediately when someone leaves. Never share login credentials between team members as this makes auditing impossible and creates security risks.

Enable Shopify's built-in fraud analysis, which flags high-risk orders. Review flagged orders manually before fulfilment. Watch for warning signs: mismatched billing and shipping addresses, unusually large orders from new customers, multiple failed payment attempts, and orders from high-risk regions. Consider additional fraud protection apps for high-volume stores. Verify suspicious orders by phone before shipping.

Apps from the Shopify App Store undergo review, but this does not guarantee they are risk-free. Before installing, check the developer's reputation, read recent reviews, and carefully review requested permissions. Be wary of apps requesting broad access like customer data or order information if their function does not require it. Remove unused apps promptly. Regularly audit your installed apps as part of security maintenance.

Act immediately. Change all passwords and revoke all API tokens. Remove any unfamiliar apps or staff accounts. Contact Shopify support through official channels to report the incident and get guidance. Review recent orders for fraud. Notify affected customers if their data may have been exposed. Document everything for potential legal or compliance requirements. After resolution, review how the breach occurred and implement measures to prevent recurrence.

Need Security Help?

Our team can audit your store's security and implement best practices to protect your business.

Get Security Audit Talk to Us