Shopify handles the hard infrastructure: PCI DSS compliance, payment processing security, and platform hosting. That's genuinely valuable. But there are important security configurations that remain your responsibility as the store owner. A misconfigured Shopify account can be compromised through account takeover, malicious app installations, or staff account abuse, none of which Shopify's infrastructure prevents. Here is the hardening checklist.
Account Security: The Non-Negotiables
Enable two-step authentication on every staff account. Go to Settings > Users and Permissions. Require two-step for all staff, including your own account. Shopify supports TOTP authenticator apps (Google Authenticator, Microsoft Authenticator) and hardware security keys. Do not rely on SMS two-step as the only option: SMS is vulnerable to SIM-swapping.
Audit and trim your staff account list. Remove accounts for:
- Former employees: no exceptions, no "just in case" accounts
- Staff who changed roles and no longer need admin access
- Agency or contractor accounts from projects that have ended
Orphaned staff accounts with admin rights are the most common entry point for Shopify account takeovers. When a former employee's credentials surface in a credential dump from an unrelated breach, that Shopify account becomes a door into your store.
Review staff permission levels. Not every staff member needs full access. Shopify's permission system allows you to restrict by section (orders, products, reports, settings). Staff who only process orders don't need access to billing or store settings.
App Permissions Audit
Every Shopify app you install receives API access to your store data, often more access than it actually needs.
Conduct a quarterly app audit:
- Go to Settings > Apps and Sales Channels
- For each app: do you still actively use it? Does it still need the permissions it has?
- Uninstall any app you haven't used in the past 60 days
Dormant apps with broad API access are a risk exposure you're not aware of. App vendors get acquired, go dormant, or have security incidents. A rogue update or compromised app can exfiltrate your customer data or inject malicious JavaScript into your storefront checkout, which is a serious PCI concern even if Shopify's core checkout is PCI-compliant.
Prefer apps with minimal necessary permissions. An app that only needs to read product data should not have write access to customer records. If an app requests excessive permissions relative to its stated function, that's a flag.
Notification and Webhook Review
Review Shopify notification settings. Are order confirmation emails and shipping notifications going to the correct addresses? Have any notification email addresses been changed to unfamiliar addresses?
Audit webhook endpoints. Go to Settings > Notifications > Webhooks. Every webhook sends your store data to an external URL. Webhooks you didn't configure, or webhooks pointing to URLs you don't recognise, are a compromise indicator.
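One way to run the webhook check, as an added example that is not part of the original article: compare each webhook destination against an allowlist of hosts you control. The JSON sample is constructed, its `address` and `topic` fields are assumed to follow the webhook list returned by the Shopify Admin REST API, and the allowlisted hosts are placeholders.

```python
import json
from urllib.parse import urlsplit

# Hosts you expect to receive store data (placeholders, replace with your own).
ALLOWED_HOSTS = {"hooks.example-erp.test", "api.example-shipping.test"}

# Constructed sample: one entry per webhook subscription.
SAMPLE = json.loads("""
{"webhooks": [
  {"id": 1, "topic": "orders/create", "address": "https://hooks.example-erp.test/shopify"},
  {"id": 2, "topic": "customers/create", "address": "http://api.example-shipping.test/in"},
  {"id": 3, "topic": "orders/paid", "address": "https://collector.unknown-host.test/x"},
  {"id": 4, "topic": "customers/update", "address": "https://hooks.example-erp.test.lookalike.test/s"}
]}
""")

def audit_webhooks(webhooks, allowed_hosts):
    """Return (id, topic, reason) for every webhook that needs a human look."""
    findings = []
    for hook in webhooks:
        url = urlsplit(hook.get("address", ""))
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            findings.append((hook["id"], hook["topic"], "not HTTPS"))
        # Exact host match only: a prefix or substring test would accept
        # look-alike hosts that merely start with an allowed name (id 4).
        if host not in allowed_hosts:
            findings.append((hook["id"], hook["topic"], f"unrecognised host {host!r}"))
    return findings

if __name__ == "__main__":
    for finding in audit_webhooks(SAMPLE["webhooks"], ALLOWED_HOSTS):
        print(finding)
```

Keep the allowlist in version control so that every new destination is a reviewed change.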
Monitor for new staff accounts. Set up a Shopify notification (or an alert via your monitoring tool) for new staff account creation. A new staff account created without your knowledge is a red flag.
Customer Data Handling
Your Shopify store collects personal information: names, email addresses, shipping addresses, purchase history. Under BC PIPA and PIPEDA, this data has handling obligations:
- Your privacy policy should accurately describe what data you collect and how you use it
- Customer data should not be exported to non-approved third-party services without disclosure
- If you use a third-party marketing platform (Klaviyo, Mailchimp), ensure your data processing agreement with that vendor is in place
- If a customer requests deletion of their data, Shopify's built-in customer data request tools support this workflow
For businesses selling to EU customers: GDPR requirements apply independently of Canadian law. If more than a small fraction of your orders ship to the EU, consult a privacy adviser.
Theme and Custom Code Security
Review custom app and theme code. If your store uses a custom theme or custom apps, the code may contain vulnerabilities. At minimum:
- Don't store credentials (API keys, passwords) in theme code or Liquid templates
- Review any JavaScript in custom theme files for suspicious or obfuscated code
- Ensure custom apps authenticate via Shopify's official OAuth, not by storing user credentials
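A first-pass scanner for the first two checks above, added here as an illustration and not taken from the original article: it flags hardcoded credentials and obfuscation-style JavaScript in theme files. The sample files and token values are constructed, and the patterns are a starting set that assumes Shopify's `shpat_`/`shpca_`/`shppa_`/`shpss_` token prefixes.

```python
import re

# Shopify-issued token prefixes, plus a generic "name = 'long literal'" rule.
SECRET_RULES = [
    ("shopify token", re.compile(r"\bshp(?:at|ca|pa|ss)_[A-Za-z0-9]{16,}")),
    ("hardcoded secret", re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)['\"]?\s*[:=]\s*['\"][^'\"\s]{12,}['\"]")),
]
# Constructs commonly seen in obfuscated or injected storefront JavaScript.
JS_RULES = [
    ("dynamic eval", re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")),
    ("decode-and-run", re.compile(r"\batob\s*\(|String\.fromCharCode\s*\(")),
    ("long encoded literal", re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]")),
    ("hex-escaped string", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")),
]

def scan_theme(files):
    """files: {path: text}. Returns sorted (path, line_no, rule) findings."""
    findings = []
    for path, text in files.items():
        rules = list(SECRET_RULES)
        if path.endswith((".js", ".liquid")):  # Liquid templates can inline <script>
            rules += JS_RULES
        for line_no, line in enumerate(text.splitlines(), 1):
            for name, pattern in rules:
                if pattern.search(line):
                    findings.append((path, line_no, name))
    return sorted(findings)

# Constructed sample theme files (all values are fake).
SAMPLE_THEME = {
    "layout/theme.liquid": "<script>\n  var api_key = 'EXAMPLEONLY0123456789';\n</script>\n",
    "assets/cart.js": "fetch('/cart.js').then(r => r.json());\n",
    "assets/vendor.js": "var p = '\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f';\neval(atob(p));\n",
    "config/settings_data.json": '{"token": "shpat_EXAMPLE0000000000000000"}\n',
}

if __name__ == "__main__":
    for finding in scan_theme(SAMPLE_THEME):
        print(finding)
```

A hit is a prompt for manual review, not proof of compromise: minified vendor libraries can legitimately trip the JavaScript rules.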
Keep your theme and apps updated. Outdated apps are a common vector for Shopify store compromise. Update apps promptly when security updates are available.
Monitoring and Alerting
Enable Shopify's fraud analysis. For stores with any manual review process, use Shopify's built-in fraud analysis indicators. High-risk orders warrant review before fulfilment.
Monitor for suspicious orders. Sudden increases in high-value orders from new customers, orders shipping to package forwarding addresses, and multiple orders from the same email to different addresses are fraud indicators.
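The three indicators above expressed as per-order review rules, in an added example that is not from the original article. The orders, field names, threshold and forwarding-address list are all constructed assumptions, and the "sudden increase" aspect (order rate over time) is not modelled.

```python
from collections import defaultdict

HIGH_VALUE = 500.00  # assumed review threshold, tune per store
FORWARDER_ADDRESSES = {"100 freight way unit 7"}  # constructed placeholder list

# Constructed sample orders; field names are illustrative, not Shopify's export schema.
ORDERS = [
    {"id": 1001, "email": "a@example.com", "total": 42.00, "prior_orders": 6, "ship_to": "12 Pine St."},
    {"id": 1002, "email": "b@example.com", "total": 899.00, "prior_orders": 0, "ship_to": "100 Freight Way, Unit 7"},
    {"id": 1003, "email": "c@example.com", "total": 120.00, "prior_orders": 0, "ship_to": "8 Oak Ave"},
    {"id": 1004, "email": "C@example.com", "total": 130.00, "prior_orders": 0, "ship_to": "55 Birch Rd"},
    {"id": 1005, "email": "a@example.com", "total": 15.00, "prior_orders": 7, "ship_to": "12 pine st"},
]

def normalise(addr):
    """Lower-case and strip punctuation so trivial variants compare equal."""
    return " ".join(addr.lower().replace(",", " ").replace(".", "").split())

def flag_orders(orders):
    """Return {order_id: [reasons]} for orders that warrant manual review."""
    by_email = defaultdict(set)
    for o in orders:
        by_email[o["email"].lower()].add(normalise(o["ship_to"]))
    flags = defaultdict(list)
    for o in orders:
        if o["total"] >= HIGH_VALUE and o["prior_orders"] == 0:
            flags[o["id"]].append("high-value order from new customer")
        if normalise(o["ship_to"]) in FORWARDER_ADDRESSES:
            flags[o["id"]].append("ships to known forwarding address")
        if len(by_email[o["email"].lower()]) > 1:
            flags[o["id"]].append("same email, multiple ship-to addresses")
    return dict(flags)

if __name__ == "__main__":
    for order_id, reasons in flag_orders(ORDERS).items():
        print(order_id, reasons)
```

Orders 1001 and 1005 stay unflagged because address normalisation treats "12 Pine St." and "12 pine st" as the same destination.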
Log and review your Shopify admin activity log. Settings > Users and Permissions includes an activity log showing what each staff account has done. Review this monthly or after any suspicious event.
Talk to a Prince George-based IT team about e-commerce security and Shopify IT integration: call 672-983-1174 or book a free assessment at northstarit.ca.