1. Account & Access Security
Your Shopify admin account holds the keys to the kingdom. A compromised admin account gives attackers full access to customer data, payment settings, and the ability to inject malicious code into your storefront.
|   | Checklist Item | Priority | Details / Action |
|---|---|---|---|
| ☐ | Two-factor authentication (2FA) enabled on owner account | Critical | 2FA blocks 99.9% of automated attacks. Use an authenticator app (Google Authenticator, Authy), not SMS — SMS can be SIM-swapped. |
| ☐ | 2FA enabled on ALL staff accounts | Critical | One staff account without 2FA is one entry point for attackers. Make 2FA mandatory for every person with admin access. |
| ☐ | Owner account uses unique, strong password (16+ characters) | Critical | Use a password manager. The owner account password should not be used on any other service. A reused password from a breached service compromises your store. |
| ☐ | All staff accounts use unique passwords | Critical | Require unique passwords. Shared passwords mean one compromised person compromises everyone. Recommend password managers to staff. |
| ☐ | Former employee/contractor accounts deactivated | Critical | Review all staff accounts. Remove anyone who no longer needs access immediately. Former employees with active accounts are a top vulnerability. |
| ☐ | Admin activity log reviewed for unusual logins | Important | Check Settings > Activity log for logins from unfamiliar locations or IP addresses, or at unusual hours. Investigate anything suspicious immediately. |
| ☐ | Recovery email and phone number verified and current | Important | Ensure account recovery information is current. An outdated recovery email means you could be locked out of your own store. |
| ☐ | API keys and access tokens reviewed | Important | In Settings > Apps and sales channels > Develop apps, review all API tokens. Revoke any that are unused or belong to former developers. |
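The activity-log review above is a manual step in the admin UI. As an added example (not Shopify's code or API), the script below shows what "unusual" can mean in practice once the log entries have been copied into a simple list: logins from a country outside the expected set, logins outside business hours, a first successful login from an IP never seen for that user, and a burst of failed logins. The log entries, the known-IP baseline and the policy thresholds are all constructed assumptions.

```python
"""Flag unusual admin logins in an exported activity log.

Added example, not Shopify's own code or API. Shopify's Activity log is
read in the admin UI, so this assumes the entries were copied into a list
of dicts with the fields shown. Sample entries and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of what a merchant might copy out of Settings > Activity log.
SAMPLE_LOG = [
    {"ts": "2024-03-04T09:12:00", "user": "owner@example.com",  "ip": "203.0.113.10", "country": "US", "ok": True},
    {"ts": "2024-03-04T14:40:00", "user": "staff1@example.com", "ip": "203.0.113.22", "country": "US", "ok": True},
    {"ts": "2024-03-05T03:07:00", "user": "owner@example.com",  "ip": "198.51.100.7", "country": "RO", "ok": True},
    {"ts": "2024-03-05T03:08:00", "user": "staff1@example.com", "ip": "198.51.100.7", "country": "RO", "ok": False},
    {"ts": "2024-03-05T03:08:30", "user": "staff1@example.com", "ip": "198.51.100.7", "country": "RO", "ok": False},
    {"ts": "2024-03-05T03:09:00", "user": "staff1@example.com", "ip": "198.51.100.7", "country": "RO", "ok": False},
    {"ts": "2024-03-06T10:00:00", "user": "staff2@example.com", "ip": "203.0.113.30", "country": "US", "ok": True},
]

# Constructed baseline: IPs seen for each user in previously reviewed logs.
KNOWN_IPS = {
    "owner@example.com": {"203.0.113.10"},
    "staff1@example.com": {"203.0.113.22"},
    "staff2@example.com": {"203.0.113.30"},
}

# Assumed policy; a merchant tunes these to where and when staff actually work.
EXPECTED_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = range(7, 21)     # 07:00-20:59 in the timestamps' local time
FAILURE_THRESHOLD = 3             # failed logins per user ...
FAILURE_WINDOW_MIN = 10           # ... within this many minutes


def review_logins(log, known_ips=None):
    """Return a list of (timestamp, user, reason) findings for a human to check.

    known_ips maps user -> set of IPs already reviewed. Successful logins in
    this log extend the set as they are processed, so a second login from the
    same new IP is not reported twice.
    """
    known = defaultdict(set, {u: set(v) for u, v in (known_ips or {}).items()})
    failures = defaultdict(list)      # user -> recent failure timestamps
    findings = []
    for e in sorted(log, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user, ip = e["user"], e["ip"]
        if e["country"] not in EXPECTED_COUNTRIES:
            findings.append((e["ts"], user, f"login from unexpected country {e['country']}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((e["ts"], user, "login outside business hours"))
        if e["ok"]:
            if ip not in known[user]:
                findings.append((e["ts"], user, f"first successful login from {ip}"))
            known[user].add(ip)
        else:
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[user]
                      if (ts - t).total_seconds() <= FAILURE_WINDOW_MIN * 60]
            failures[user] = recent + [ts]
            if len(failures[user]) == FAILURE_THRESHOLD:
                findings.append((e["ts"], user,
                                 f"{FAILURE_THRESHOLD} failed logins within {FAILURE_WINDOW_MIN} min"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in review_logins(SAMPLE_LOG, KNOWN_IPS):
        print(ts, user, reason)
```

Country and off-hours checks are reported per entry, so a night-time burst produces several findings for the same user; that repetition is deliberate, since each entry is a separate line the reviewer should be able to match against the admin UI. Tighten or loosen the baseline before trusting the "first login from" signal: with an empty baseline every user's first login is reported.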
2. Staff Permissions & Roles
The principle of least privilege: every person should have only the minimum access they need to do their job. Excessive permissions increase risk without providing value.
|   | Checklist Item | Priority | Details / Action |
|---|---|---|---|
| ☐ | Each staff member has minimum required permissions | Critical | Customer service does not need theme editing. Marketing does not need payment settings. Review each staff member's permissions against their actual role. |
| ☐ | Only 1-2 people have full admin/owner access | Critical | Limit full admin to the store owner and one trusted backup. Everyone else gets role-specific permissions only. |
| ☐ | Contractor/agency access is time-limited | Critical | Give contractors collaborator accounts with specific permissions. Set calendar reminders to review and revoke access when projects end. |
| ☐ | Staff permission audit documented and dated | Important | Record who has what access and when it was last reviewed. This documentation is valuable for compliance and incident response. |
| ☐ | Theme editing permission restricted | Important | Theme code access allows injecting any script into your storefront. Restrict to developers and the store owner only. |
3. App Security & Permissions
Every installed app has access to some of your store data. Some apps request far more access than they need. Treat app permissions like staff permissions — minimal and reviewed regularly.
|   | Checklist Item | Priority | Details / Action |
|---|---|---|---|
| ☐ | All installed apps reviewed for appropriate permissions | Critical | Check each app's data access. A popup app should not need customer financial data. A timer app should not need order history. See our app audit checklist. |
| ☐ | Unused apps uninstalled (not just disabled) | Critical | Disabled apps still have data access and may still load code. Uninstall completely and verify leftover code is removed from your theme. |
| ☐ | All apps are from reputable developers (App Store listed) | Critical | Shopify App Store apps go through review. Custom apps bypass this. Audit any non-App Store apps carefully. |
| ☐ | Apps with customer data access have privacy policies | Critical | Apps that access customer data should have their own privacy policy. If they cannot explain how they handle your customers' data, that is a red flag. |
4. Payment & Checkout Security
Shopify is PCI DSS Level 1 compliant, but you can undermine that protection through poor practices. These items ensure you do not create vulnerabilities in your payment flow.
|   | Checklist Item | Priority | Details / Action |
|---|---|---|---|
| ☐ | Never store credit card numbers in order notes or metafields | Critical | Some staff ask customers for card details over chat/email and paste them into notes. This violates PCI and creates massive liability. Never do this. |
| ☐ | SSL certificate active on all pages (no mixed content) | Critical | Verify HTTPS on all pages. Mixed content (HTTP resources on HTTPS pages) triggers browser warnings and breaks trust. |
| ☐ | Payment gateway credentials stored securely | Critical | Never share payment gateway API keys via email, Slack, or text. Use secure credential sharing tools (1Password, LastPass). |
| ☐ | Test mode disabled on payment gateway (verify live mode) | Critical | An embarrassing and costly mistake: running in test mode means no real payments are processed. Verify live mode after any gateway configuration change. |
5. Fraud Prevention
Ecommerce fraud costs $48 billion globally. Chargebacks cost you the product, the revenue, and a chargeback fee. Prevention is far cheaper than remediation.
|   | Checklist Item | Priority | Details / Action |
|---|---|---|---|
| ☐ | Shopify Fraud Analysis enabled and high-risk orders reviewed | Critical | Shopify's built-in fraud analysis flags high-risk orders. Never auto-fulfill flagged orders — review them manually. |
| ☐ | AVS (Address Verification) enabled | Critical | AVS checks if the billing address matches the card issuer's records. Mismatches are a fraud indicator. |
| ☐ | CVV verification required | Critical | Always require the 3-4 digit CVV code. Stolen card data often lacks the CVV, so requiring it blocks many fraudulent transactions. |
| ☐ | High-value order review process established | Critical | Set a dollar threshold (e.g., orders over $500) for manual review. High-value orders are targeted more frequently by fraudsters. |
| ☐ | Watch for mismatched billing/shipping addresses | Important | Different billing and shipping addresses are normal for gifts, but combined with other risk signals, they indicate fraud. Review in context. |
| ☐ | Monitor for velocity attacks (multiple orders, same IP) | Important | Multiple orders from the same IP in a short period, especially with different cards, are a strong fraud signal. Set up alerts. |
| ☐ | CAPTCHA or bot protection on account creation | Important | Bots create fake accounts for credential stuffing and automated fraud. Add CAPTCHA to registration and login forms. |
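The high-value threshold, the address-mismatch caveat ("review in context") and the velocity rule above are three pieces of one pre-fulfilment triage. As an added example that is not Shopify's Fraud Analysis or any Shopify API, the script below combines them: each signal carries a weight, an address mismatch on its own stays below the hold threshold (the gift case), and a velocity hit is only raised when several orders from one IP within an hour use two or more distinct cards. The exported-order fields, card tokens, weights and thresholds are constructed assumptions.

```python
"""Pre-fulfilment triage of exported orders against the checklist's fraud signals.

Added example, not Shopify's Fraud Analysis or API. It assumes orders were
exported with the fields shown; sample orders, weights and thresholds are
constructed. Shopify's own risk assessment still runs first; this only decides
which orders a human looks at before fulfilment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_VALUE = 500.00               # manual-review threshold from the checklist
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_ORDERS = 3               # this many orders from one IP in the window
HOLD_SCORE = 2                    # combined weight at which an order is held

# Weight of each signal. An address mismatch alone is normal (gifts), so it
# weighs less than a failed AVS or CVV check; the hold decision uses the sum.
WEIGHTS = {"high_value": 2, "avs_mismatch": 2, "cvv_mismatch": 2,
           "address_mismatch": 1, "velocity": 2}

# Constructed sample export; "card" is a stand-in for the card fingerprint.
SAMPLE_ORDERS = [
    {"id": 1001, "ts": "2024-03-04T10:00:00", "total": 89.00,  "ip": "203.0.113.5",  "bill": "US", "ship": "US", "avs": True,  "cvv": True, "card": "tok_a"},
    {"id": 1002, "ts": "2024-03-04T10:05:00", "total": 640.00, "ip": "203.0.113.9",  "bill": "US", "ship": "US", "avs": True,  "cvv": True, "card": "tok_b"},
    {"id": 1003, "ts": "2024-03-04T11:00:00", "total": 120.00, "ip": "198.51.100.4", "bill": "US", "ship": "GB", "avs": False, "cvv": True, "card": "tok_c"},
    {"id": 1004, "ts": "2024-03-04T11:10:00", "total": 130.00, "ip": "198.51.100.4", "bill": "US", "ship": "GB", "avs": True,  "cvv": True, "card": "tok_d"},
    {"id": 1005, "ts": "2024-03-04T11:20:00", "total": 125.00, "ip": "198.51.100.4", "bill": "US", "ship": "GB", "avs": True,  "cvv": True, "card": "tok_e"},
    {"id": 1006, "ts": "2024-03-04T12:00:00", "total": 45.00,  "ip": "203.0.113.77", "bill": "CA", "ship": "US", "avs": True,  "cvv": True, "card": "tok_f"},
]


def velocity_hits(orders):
    """Return the ids of orders in a burst: VELOCITY_ORDERS or more orders from
    the same IP within VELOCITY_WINDOW that use at least two distinct cards."""
    by_ip = defaultdict(list)
    for o in orders:
        by_ip[o["ip"]].append((datetime.fromisoformat(o["ts"]), o))
    hits = set()
    for group in by_ip.values():
        group.sort(key=lambda pair: pair[0])
        for i, (t0, _) in enumerate(group):
            # Sliding window starting at each order in the group.
            window = [o for t, o in group[i:] if t - t0 <= VELOCITY_WINDOW]
            if len(window) >= VELOCITY_ORDERS and len({o["card"] for o in window}) >= 2:
                hits.update(o["id"] for o in window)
    return hits


def triage(orders):
    """Map order id -> (decision, reasons); decision is 'hold' or 'fulfil'."""
    bursts = velocity_hits(orders)
    result = {}
    for o in orders:
        reasons = []
        if o["total"] >= HIGH_VALUE:
            reasons.append("high_value")
        if not o["avs"]:
            reasons.append("avs_mismatch")
        if not o["cvv"]:
            reasons.append("cvv_mismatch")
        if o["bill"] != o["ship"]:
            reasons.append("address_mismatch")
        if o["id"] in bursts:
            reasons.append("velocity")
        score = sum(WEIGHTS[r] for r in reasons)
        result[o["id"]] = ("hold" if score >= HOLD_SCORE else "fulfil", reasons)
    return result


if __name__ == "__main__":
    for oid, (decision, reasons) in triage(SAMPLE_ORDERS).items():
        print(oid, decision, ", ".join(reasons) or "-")
```

On the sample, order 1002 is held purely for value, orders 1003-1005 are held because the velocity burst (three cards from one IP in twenty minutes) stacks on top of the address mismatch, and order 1006, a cross-border gift with matching AVS and CVV, ships without review.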
6. Data Privacy & Compliance
GDPR fines can reach 4% of annual revenue. CCPA, PIPEDA, and other regulations add more requirements. Data privacy is a security concern as much as a legal one.
|   | Checklist Item | Priority | Details / Action |
|---|---|---|---|
| ☐ | Privacy policy is accurate and up-to-date | Critical | Review your privacy policy against what you actually collect. If you added apps that collect new data types, update the policy. |
| ☐ | Cookie consent banner properly configured | Critical | Must block non-essential cookies until consent is given (GDPR) or provide opt-out (CCPA). Test that it actually blocks scripts. |
| ☐ | Customer data export/deletion process exists | Critical | GDPR gives customers the right to request their data and its deletion. Have a documented process. Shopify provides customer data tools. |
| ☐ | Data processing agreements in place with app vendors | Critical | Any app processing customer data on your behalf should have a DPA (Data Processing Agreement). Most major apps include this in their terms. |
7. Theme & Code Security
Your theme code runs on every page of your store. Malicious or poorly written code in your theme affects every customer.
|   | Checklist Item | Priority | Details / Action |
|---|---|---|---|
| ☐ | Theme purchased from reputable source (Shopify Theme Store or known developer) | Critical | Nulled or pirated themes often contain malicious code (credit card skimmers, data exfiltration). Only use themes from official or trusted sources. |
| ☐ | No unknown or suspicious script tags in theme.liquid | Critical | Review theme.liquid for any script tags you do not recognize. Unknown scripts could be skimming customer data. Check every external domain referenced. |
| ☐ | Theme backup taken regularly | Critical | Download a full theme backup monthly and before any code changes. A clean backup is essential for incident recovery. |
| ☐ | Third-party scripts audited for necessity | Important | Every external script is a potential attack vector. Remove any third-party scripts that are not actively needed (old analytics, removed chat tools). |
| ☐ | Content Security Policy (CSP) headers reviewed | Important | CSP headers restrict which domains can load scripts on your pages. While Shopify has limited CSP control, review your theme's script sources. |
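The script-tag review above, the third-party script audit, and the mixed-content check from section 4 can be done against a downloaded theme backup rather than by eye. The script below is an added example, not Shopify's tooling: it scans theme.liquid as text (Liquid templates are not well-formed HTML, so a regex over script tags is used instead of an HTML parser), lists every external script host that is not on an allowlist, reports any `src`/`href` that still loads over plain `http://`, and counts inline scripts so the reviewer knows how many to read by hand. The allowlist, the sample template and the vendor hostnames are constructed.

```python
"""Audit a theme file for external script sources and mixed content.

Added example, not Shopify's tooling. It assumes theme.liquid was downloaded
(e.g. from a theme backup) and scans it as text; the allowlist, sample
template and hostnames below are constructed.
"""
import re
from urllib.parse import urlparse

# Hosts the merchant knows they use. Anything else referenced by a script tag
# is reported for review. (Constructed; a real store lists its own vendors.)
ALLOWED_HOSTS = {"cdn.shopify.com", "www.googletagmanager.com"}

# <script ... src="..."> in either quote style, case-insensitive.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# <script> tags that have no src attribute, i.e. inline code to read by hand.
INLINE_SCRIPT = re.compile(r"<script\b(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>", re.I | re.S)
# Any src/href that loads over plain http: mixed content on an HTTPS store.
HTTP_RESOURCE = re.compile(r"\b(?:src|href)\s*=\s*['\"](http://[^'\"]+)['\"]", re.I)

# Constructed theme.liquid fragment with one unknown vendor and one http:// asset.
SAMPLE_THEME = """<!doctype html>
<html>
<head>
  {{ content_for_header }}
  {{ 'theme.js' | asset_url | script_tag }}
  <script src="https://cdn.shopify.com/s/javascript/currencies.js"></script>
  <script src="https://www.googletagmanager.com/gtag/js?id=GA-EXAMPLE"></script>
  <script src="//static.example-vendor.test/widget.js" async></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
  <link rel="stylesheet" href="http://fonts.example.test/font.css">
</head>
<body>{{ content_for_layout }}</body>
</html>
"""


def audit_theme(source):
    """Return unknown external script URLs, plain-http resource URLs and the
    number of inline script blocks found in the template text."""
    unknown, mixed = [], []
    for src in SCRIPT_SRC.findall(source):
        if src.startswith("//"):          # protocol-relative: resolve as https
            src = "https:" + src
        host = urlparse(src).netloc.lower()
        if not host:                      # relative path: served by the store itself
            continue
        if host not in ALLOWED_HOSTS and src not in unknown:
            unknown.append(src)
    for url in HTTP_RESOURCE.findall(source):
        if url not in mixed:
            mixed.append(url)
    return {
        "unknown_script_sources": unknown,
        "mixed_content": mixed,
        "inline_scripts": len(INLINE_SCRIPT.findall(source)),
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_THEME
    for key, value in audit_theme(text).items():
        print(f"{key}: {value}")
```

Run it with the path to a downloaded theme.liquid (or any other layout, section or snippet file) as the first argument; with no argument it audits the constructed sample. Scripts injected through Liquid tags such as `{{ 'theme.js' | asset_url | script_tag }}` are store-hosted assets and are skipped, so those asset files need the same review as inline blocks.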
8. Incident Response Planning
The question is not if something will go wrong, but when. Having an incident response plan means the difference between a manageable event and a catastrophe.
|   | Checklist Item | Priority | Details / Action |
|---|---|---|---|
| ☐ | Incident response plan documented | Important | Document steps for: account compromise, data breach, payment fraud, store defacement. Include who to contact and in what order. |
| ☐ | Shopify Support contact info readily available | Important | Know how to reach Shopify Support urgently: through admin > Help, or by phone. Response time matters during an incident. |
| ☐ | Regular backups of store data (orders, customers, products) | Important | Export critical data monthly: customer list, order history, product catalog. Store backups in a secure, separate location. |
| ☐ | Communication template ready for customer notification | Important | If a breach occurs, you may need to notify customers. Having a template ready saves critical hours when every minute counts. |
| ☐ | Legal counsel identified for breach situations | Important | Know which lawyer to call. Data breach notification laws vary by jurisdiction and have strict timelines (72 hours under GDPR). |
Frequently Asked Questions
Is Shopify secure by default?
Shopify handles platform-level security excellently: server infrastructure, PCI compliance, SSL, DDoS protection. However, store-level security is your responsibility: account access, staff permissions, app permissions, fraud settings, and data handling. Most breaches come from compromised admin accounts or excessive app permissions.
How often should I perform a Shopify security audit?
Full audit quarterly, quick check monthly. Monthly: review admin access logs, check for unusual activity, verify staff permissions, ensure 2FA is enabled. Additionally, audit immediately after any staff change, app installation, or security incident.
What is the biggest security risk for Shopify stores?
Compromised admin accounts. A stolen password gives attackers access to everything: customer data, payment settings, order information, and the ability to inject malicious code. Enable 2FA on every account, use unique strong passwords, and review admin access regularly.
How do I protect my Shopify store from fraud?
Enable Shopify's fraud analysis, require AVS and CVV verification, manually review high-risk and high-value orders. Watch for mismatched billing/shipping addresses, free email providers on large orders, and multiple orders from the same IP with different cards.
Should I worry about PCI compliance for my Shopify store?
Shopify handles PCI DSS compliance at the platform level. Your responsibility is not to compromise it: never store card numbers in notes or metafields, never request card details via email or chat, and ensure third-party payment integrations are PCI compliant.