Shopify Store Security Hardening for BC E-Commerce Businesses - North Star IT Insights

Shopify handles most of the hard security infrastructure for you: PCI compliance, payment processing, and hosting. But there are important security configurations that are your responsibility as the store owner. A misconfigured Shopify account can be compromised through account takeover, app vulnerabilities, or staff account abuse. Here is the hardening checklist.

Account Security: The Non-Negotiables

Enable two-step authentication on every staff account in your Shopify admin, including your own. Shopify supports TOTP authenticator apps and security keys. Do not rely on SMS two-factor alone. Go to Settings, then Users and Permissions, and verify that two-step is required for all accounts.

Review your staff account list and remove anyone who no longer works for you or no longer needs access. Orphaned staff accounts with admin rights are a common entry point for account takeovers, especially when former employees reuse passwords.

App Permissions Audit

Every Shopify app you install gets API access to your store data - often more access than it actually needs. Go to Settings, then Apps and Sales Channels, and review every installed app. For each app, ask: do we still use this? Does it need the permissions it has?

Uninstall any app you no longer actively use. Dormant apps with broad API permissions are a risk: the app vendor's own security posture becomes your exposure. App compromise or rogue app updates can exfiltrate customer data or inject malicious code.

Notification and Webhook Review

Review your Shopify notification settings. Are order confirmation emails going where they should? Are staff notification emails going to active staff accounts? Attackers who compromise a Shopify admin account sometimes redirect notification emails to collect order data covertly.

Check your webhooks under Settings, then Notifications. Webhooks are automated data pushes to external systems. Any webhook sending order or customer data to an unrecognised URL should be investigated and removed.
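One way to run this webhook check over an exported list, shown as an added example that is not part of the original article or Shopify's own tooling. The `id`/`topic`/`address` field names, the approved-host list, the sensitive-topic prefixes and the sample entries are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts this store deliberately sends data to.
APPROVED_HOSTS = {"erp.example-store.ca", "hooks.fulfilment.example"}
# Topic prefixes treated as carrying order or customer data (assumption).
SENSITIVE_PREFIXES = ("orders/", "customers/", "checkouts/")


def audit_webhooks(webhooks, approved_hosts=APPROVED_HOSTS):
    """Return one finding per webhook whose destination needs investigation."""
    findings = []
    for hook in webhooks:
        address, topic = hook.get("address", ""), hook.get("topic", "")
        parts = urlsplit(address)
        # Compare the parsed hostname exactly. A substring test on the raw URL
        # would accept "approved-host@other-host" and "approved-host.other-host".
        host = (parts.hostname or "").lower().rstrip(".")
        reasons = []
        if host not in approved_hosts:
            reasons.append("unrecognised host")
        if parts.scheme.lower() != "https":
            reasons.append("not HTTPS")
        if parts.username is not None:
            reasons.append("userinfo in URL")
        if reasons:
            sensitive = topic.startswith(SENSITIVE_PREFIXES)
            findings.append({
                "id": hook.get("id"),
                "topic": topic,
                "host": host,
                "severity": "high" if sensitive else "review",
                "reasons": reasons,
            })
    return findings


# Constructed sample export; ids, topics and URLs are illustrative only.
SAMPLE_WEBHOOKS = [
    {"id": 1, "topic": "orders/create", "address": "https://erp.example-store.ca/shopify/orders"},
    {"id": 2, "topic": "customers/update", "address": "https://erp.example-store.ca@collector.example/in"},
    {"id": 3, "topic": "orders/paid", "address": "https://erp.example-store.ca.sync.example/hook"},
    {"id": 4, "topic": "products/update", "address": "http://hooks.fulfilment.example/products"},
]

if __name__ == "__main__":
    for f in audit_webhooks(SAMPLE_WEBHOOKS):
        print(f"[{f['severity']}] webhook {f['id']} ({f['topic']}) -> {f['host']}: {', '.join(f['reasons'])}")
```

Keep the approved-host list in the same place you document your integrations, so a webhook that appears without a matching entry stands out at the next review.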

Customer Data Handling

Under BC PIPA, customer information collected through your Shopify store - names, addresses, purchase history - is personal information you are responsible for protecting. Review your Shopify privacy policy to ensure it accurately describes how you collect and use customer data.

Enable Shopify's data deletion request feature if you are selling to customers who may have GDPR rights (European customers) or who request data deletion under PIPEDA. Shopify has built-in tools for this under Settings, then Customer privacy.

Theme and Custom Code Security

If your Shopify theme includes custom code or third-party scripts injected via theme files, review those scripts annually. Malicious or compromised third-party JavaScript can skim payment information from checkout pages in what is called a Magecart attack. Shopify's hosted checkout mitigates most of this risk, but custom theme code on other pages can still be a vector.

Use a Content Security Policy (CSP) header if your theme supports it. CSP limits which scripts can run on your pages and reduces the risk from injected malicious scripts.

Monitoring and Alerting

Enable email notifications for key events: new staff accounts created, permissions changed, and significant changes to payment settings. Shopify logs most admin actions - if you suspect account compromise, review the audit log under Settings, then Activity log.

Set a Google Alert or similar notification for your store domain name appearing in unexpected contexts. Phishing sites that impersonate Shopify stores often use look-alike domain names. Catching these early lets you notify Shopify and report to the CRTC.
