---
title: "Shopify Security Audit Checklist 2026 — 50+ Items to Protect Your Store"
description: "Complete Shopify security audit checklist with 50+ items. Covers account security, payment protection, data privacy, app permissions, fraud prevention, and incident response."
url: https://easyappsecom.com/guides/shopify-security-audit-checklist.html
date: 2026-03-19
---

STORE SECURITY • March 2026

# Shopify Security Audit Checklist 2026

A security breach does not just cost money — it destroys customer trust permanently. While Shopify handles platform-level security, store-level security is your responsibility. This checklist covers every aspect you control: admin account protection, staff permissions, app security, fraud prevention, data privacy, payment security, and incident response planning. Run this audit quarterly and after any staff or app changes.

**TL;DR — Shopify Security Stats:**

- **81%** of ecommerce breaches involve compromised credentials (weak/reused passwords)

- Average cost of a data breach for small businesses: **$120,000-$150,000**

- **60%** of small businesses close within 6 months of a significant security breach

- Ecommerce fraud losses exceed **$48 billion globally** (2025)

- Two-factor authentication blocks **99.9%** of automated account attacks

- **1 in 4** Shopify stores has at least one staff member with excessive permissions

## 1. Account & Access Security

Your Shopify admin account holds the keys to the kingdom. A compromised admin account gives attackers full access to customer data and payment settings, plus the ability to inject malicious code into your storefront.

CRITICAL

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | Two-factor authentication (2FA) enabled on owner account | Critical | 2FA blocks 99.9% of automated attacks. Use an authenticator app (Google Authenticator, Authy), not SMS — SMS can be SIM-swapped. |
| ☐ | 2FA enabled on ALL staff accounts | Critical | One staff account without 2FA is one entry point for attackers. Make 2FA mandatory for every person with admin access. |
| ☐ | Owner account uses unique, strong password (16+ characters) | Critical | Use a password manager. The owner account password should not be used on any other service. A reused password from a breached service compromises your store. |
| ☐ | All staff accounts use unique passwords | Critical | Require unique passwords. Shared passwords mean one compromised person compromises everyone. Recommend password managers to staff. |
| ☐ | Former employee/contractor accounts deactivated | Critical | Review all staff accounts. Remove anyone who no longer needs access immediately. Former employees with active accounts are a top vulnerability. |

IMPORTANT

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | Admin activity log reviewed for unusual logins | Important | Check Settings > Activity log for logins from unfamiliar locations, at unusual hours, or from IP addresses you do not recognize. Investigate anything suspicious immediately. |
| ☐ | Recovery email and phone number verified and current | Important | Ensure account recovery information is current. An outdated recovery email means you could be locked out of your own store. |
| ☐ | API keys and access tokens reviewed | Important | In Settings > Apps and sales channels > Develop apps, review all API tokens. Revoke any that are unused or belong to former developers. |
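
The activity-log review above is easier to do consistently if you script it against an exported list of login events. The script below is an added example written for this guide, not code from EasyApps or from Shopify; the event field names, the working-hours window, the expected country and the list of known IP addresses are assumptions you would replace with your own store's baseline. It flags successful logins from an unexpected country, from an unfamiliar IP, outside working hours, or immediately after a burst of failed attempts.

```python
from datetime import datetime

# Constructed sample of activity-log login events. The field names are an
# assumption for this example, not Shopify's export format.
SAMPLE_LOGINS = [
    {"staff": "owner@example.com",   "ip": "203.0.113.10", "country": "CA", "ts": "2026-03-02T14:05:00Z", "success": True},
    {"staff": "support@example.com", "ip": "203.0.113.11", "country": "CA", "ts": "2026-03-02T15:30:00Z", "success": True},
    {"staff": "owner@example.com",   "ip": "198.51.100.7", "country": "RU", "ts": "2026-03-03T03:12:00Z", "success": True},
    {"staff": "support@example.com", "ip": "198.51.100.8", "country": "CA", "ts": "2026-03-03T09:00:00Z", "success": False},
    {"staff": "support@example.com", "ip": "198.51.100.8", "country": "CA", "ts": "2026-03-03T09:01:00Z", "success": False},
    {"staff": "support@example.com", "ip": "198.51.100.8", "country": "CA", "ts": "2026-03-03T09:02:00Z", "success": False},
    {"staff": "support@example.com", "ip": "198.51.100.8", "country": "CA", "ts": "2026-03-03T09:03:00Z", "success": True},
]

# Store-specific baseline (assumed values): where and when staff normally log in.
EXPECTED_COUNTRIES = {"CA"}
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}
WORK_HOURS = range(7, 20)        # 07:00-19:59 UTC
FAILURES_BEFORE_ALERT = 3        # failed attempts followed by a success


def find_suspicious_logins(events, expected_countries=EXPECTED_COUNTRIES,
                           known_ips=KNOWN_IPS, work_hours=WORK_HOURS):
    """Return the successful logins worth investigating, each with its reasons."""
    findings = []
    consecutive_failures = {}    # staff email -> failures since the last success
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO-8601 strings sort chronologically
        if not e["success"]:
            consecutive_failures[e["staff"]] = consecutive_failures.get(e["staff"], 0) + 1
            continue
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        reasons = []
        if e["country"] not in expected_countries:
            reasons.append(f"login from unexpected country {e['country']}")
        if e["ip"] not in known_ips:
            reasons.append(f"unfamiliar IP address {e['ip']}")
        if ts.hour not in work_hours:
            reasons.append(f"outside working hours ({ts.strftime('%H:%M')} UTC)")
        failures = consecutive_failures.pop(e["staff"], 0)
        if failures >= FAILURES_BEFORE_ALERT:
            reasons.append(f"success after {failures} failed attempts (possible password guessing)")
        if reasons:
            findings.append({"staff": e["staff"], "ts": e["ts"], "ip": e["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOGINS):
        print(f["ts"], f["staff"], f["ip"], "->", "; ".join(f["reasons"]))
```

On the constructed sample this reports two logins: the owner's 03:12 login from an unfamiliar IP in an unexpected country, and the support login that succeeded right after three failures. A flagged login is a prompt to confirm with the staff member and, if they cannot account for it, to rotate the password and revoke sessions.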

## 2. Staff Permissions & Roles

The principle of least privilege: every person should have only the minimum access they need to do their job. Excessive permissions increase risk without providing value.

CRITICAL

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | Each staff member has minimum required permissions | Critical | Customer service does not need theme editing. Marketing does not need payment settings. Review each staff member's permissions against their actual role. |
| ☐ | Only 1-2 people have full admin/owner access | Critical | Limit full admin to the store owner and one trusted backup. Everyone else gets role-specific permissions only. |
| ☐ | Contractor/agency access is time-limited | Critical | Give contractors collaborator accounts with specific permissions. Set calendar reminders to review and revoke access when projects end. |

IMPORTANT

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | Staff permission audit documented and dated | Important | Record who has what access and when it was last reviewed. This documentation is valuable for compliance and incident response. |
| ☐ | Theme editing permission restricted | Important | Theme code access allows injecting any script into your storefront. Restrict to developers and the store owner only. |
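
The permission audit in this section comes down to comparing every account against a baseline for its role and writing the result down with a date. The script below is an added example for this guide, not EasyApps or Shopify code; the role baselines, the permission names and the staff export are constructed for illustration and are not Shopify's exact permission identifiers. It flags permissions beyond the role baseline, accounts without 2FA, dormant accounts that should be reviewed or deactivated, and more full admins than the limit, and it returns a dated record you can file.

```python
from datetime import date

# Constructed role baselines. Permission names are illustrative only; they are
# not Shopify's exact permission identifiers.
ROLE_BASELINE = {
    "owner":     {"*"},
    "support":   {"orders", "customers", "draft_orders"},
    "marketing": {"discounts", "marketing", "blog_posts", "pages"},
    "developer": {"themes", "apps", "navigation"},
}

# Constructed staff export (not real accounts).
STAFF = [
    {"email": "owner@example.com",   "role": "owner",     "permissions": {"*"},                             "two_factor": True,  "last_login": "2026-03-18"},
    {"email": "backup@example.com",  "role": "owner",     "permissions": {"*"},                             "two_factor": True,  "last_login": "2026-03-10"},
    {"email": "cfo@example.com",     "role": "owner",     "permissions": {"*"},                             "two_factor": False, "last_login": "2026-02-20"},
    {"email": "support@example.com", "role": "support",   "permissions": {"orders", "customers", "themes"}, "two_factor": True,  "last_login": "2026-03-19"},
    {"email": "intern@example.com",  "role": "marketing", "permissions": {"discounts"},                     "two_factor": True,  "last_login": "2025-11-01"},
]

MAX_FULL_ADMINS = 2   # the owner plus one trusted backup
DORMANT_DAYS = 90     # no login for this long means the account needs a decision


def audit_staff(staff, baseline=ROLE_BASELINE, today=date(2026, 3, 19)):
    """Compare each account with its role baseline and return a dated audit record."""
    per_account = {}
    full_admins = 0
    for acct in staff:
        issues = []
        allowed = baseline[acct["role"]]
        if "*" in acct["permissions"]:
            full_admins += 1
            if "*" not in allowed:
                issues.append(f"full admin access granted to role {acct['role']}")
        elif "*" not in allowed:
            excess = sorted(acct["permissions"] - allowed)
            if excess:
                issues.append(f"excess permissions for role {acct['role']}: {', '.join(excess)}")
        if not acct["two_factor"]:
            issues.append("2FA not enabled")
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > DORMANT_DAYS:
            issues.append(f"dormant for {idle_days} days; confirm still needed or deactivate")
        if issues:
            per_account[acct["email"]] = issues
    store_issues = []
    if full_admins > MAX_FULL_ADMINS:
        store_issues.append(f"{full_admins} accounts have full admin access (limit {MAX_FULL_ADMINS})")
    return {"audited_on": today.isoformat(), "accounts": per_account, "store": store_issues}


if __name__ == "__main__":
    record = audit_staff(STAFF)
    print("Audit date:", record["audited_on"])
    for email, issues in record["accounts"].items():
        print(email, "->", "; ".join(issues))
    for issue in record["store"]:
        print("store ->", issue)
```

Keep the returned record with the date; the next quarterly audit can diff against it to show what changed and when.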

## 3. App Security & Permissions

Every installed app has access to some of your store data. Some apps request far more access than they need. Treat app permissions like staff permissions — minimal and reviewed regularly.

CRITICAL

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | All installed apps reviewed for appropriate permissions | Critical | Check each app's data access. A popup app should not need customer financial data. A timer app should not need order history. See our app audit checklist. |
| ☐ | Unused apps uninstalled (not just disabled) | Critical | Disabled apps still have data access and may still load code. Uninstall completely and verify leftover code is removed from your theme. |
| ☐ | All apps are from reputable developers (App Store listed) | Critical | Shopify App Store apps go through review. Custom apps bypass this. Audit any non-App Store apps carefully. |
| ☐ | Apps with customer data access have privacy policies | Critical | Apps that access customer data should have their own privacy policy. If they cannot explain how they handle your customers' data, that is a red flag. |

## 4. Payment & Checkout Security

Shopify is PCI DSS Level 1 compliant, but you can undermine that protection through poor practices. These items ensure you do not create vulnerabilities in your payment flow.

CRITICAL

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | Never store credit card numbers in order notes or metafields | Critical | Some staff ask customers for card details over chat/email and paste them into notes. This violates PCI and creates massive liability. Never do this. |
| ☐ | SSL certificate active on all pages (no mixed content) | Critical | Verify HTTPS on all pages. Mixed content (HTTP resources on HTTPS pages) triggers browser warnings and breaks trust. |
| ☐ | Payment gateway credentials stored securely | Critical | Never share payment gateway API keys via email, Slack, or text. Use secure credential sharing tools (1Password, LastPass). |
| ☐ | Test mode disabled on payment gateway (verify live mode) | Critical | An embarrassing and costly mistake: running in test mode means no real payments are processed. Verify live mode after any gateway configuration change. |
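
"Never store card numbers in notes or metafields" is a rule you can verify rather than just state: scan exported order notes for card-number-shaped digit runs that pass the Luhn check, and report them masked so the scan output itself does not become another copy of the number. The script below is an added example for this guide, not EasyApps or Shopify code; the order notes are constructed, and the two numbers that trigger findings are widely published payment-gateway test card numbers, not real cards.

```python
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return masked card numbers found in text (first 6 and last 4 digits kept)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


# Constructed order notes. The card-like values are standard gateway test
# numbers; the tracking number is a plain digit run that fails Luhn.
SAMPLE_NOTES = [
    {"order": "#1001", "note": "Customer asked for gift wrap."},
    {"order": "#1002", "note": "Card over phone: 4242 4242 4242 4242 exp 12/27 cvv 123"},
    {"order": "#1003", "note": "Tracking 1234567890123456 shipped via courier"},
    {"order": "#1004", "note": "Ref 5555-5555-5555-4444 please charge again"},
]


def scan_notes(notes):
    """Scan every note and return one finding per masked card number."""
    return [{"order": n["order"], "masked": hit}
            for n in notes for hit in find_card_numbers(n["note"])]


if __name__ == "__main__":
    for finding in scan_notes(SAMPLE_NOTES):
        print(finding["order"], "contains a card number:", finding["masked"])
```

The Luhn check is what keeps tracking numbers and order references out of the results. Any hit means the note must be edited to remove the number and the staff member retrained; the CVV in the second note is a separate PCI violation that no scan should need to find twice.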

## 5. Fraud Prevention

Ecommerce fraud costs $48 billion globally. Chargebacks cost you the product, the revenue, and a chargeback fee. Prevention is far cheaper than remediation.

CRITICAL

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | Shopify Fraud Analysis enabled and high-risk orders reviewed | Critical | Shopify's built-in fraud analysis flags high-risk orders. Never auto-fulfill flagged orders — review them manually. |
| ☐ | AVS (Address Verification) enabled | Critical | AVS checks if the billing address matches the card issuer's records. Mismatches are a fraud indicator. |
| ☐ | CVV verification required | Critical | Always require the 3-4 digit CVV code. Stolen card data often lacks the CVV, so requiring it blocks many fraudulent transactions. |
| ☐ | High-value order review process established | Critical | Set a dollar threshold (e.g., orders over $500) for manual review. High-value orders are targeted more frequently by fraudsters. |

IMPORTANT

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | Watch for mismatched billing/shipping addresses | Important | Different billing and shipping addresses are normal for gifts, but combined with other risk signals, they indicate fraud. Review in context. |
| ☐ | Monitor for velocity attacks (multiple orders, same IP) | Important | Multiple orders from the same IP in a short period, especially with different cards, is a strong fraud signal. Set up alerts. |
| ☐ | CAPTCHA or bot protection on account creation | Important | Bots create fake accounts for credential stuffing and automated fraud. Add CAPTCHA to registration and login forms. |
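
The high-value threshold, the velocity rule and the "mismatch in context" rule from the two tables above combine naturally into one review queue. The script below is an added example for this guide, not EasyApps or Shopify code; the orders are constructed, and the thresholds (orders over $500, three or more orders from one IP within 30 minutes) are assumptions to tune for your store. A billing/shipping mismatch on its own never holds an order; it is recorded as a weak signal and only matters alongside a stronger one.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed orders (not real customers or cards; card_last4 is illustrative).
SAMPLE_ORDERS = [
    {"id": "#2001", "ip": "203.0.113.50",  "card_last4": "4242", "ts": "2026-03-10T10:00:00Z", "total": 80.0,  "billing_country": "CA", "shipping_country": "CA"},
    {"id": "#2002", "ip": "198.51.100.20", "card_last4": "1111", "ts": "2026-03-10T10:05:00Z", "total": 650.0, "billing_country": "US", "shipping_country": "NG"},
    {"id": "#2003", "ip": "198.51.100.20", "card_last4": "2222", "ts": "2026-03-10T10:09:00Z", "total": 640.0, "billing_country": "US", "shipping_country": "NG"},
    {"id": "#2004", "ip": "198.51.100.20", "card_last4": "3333", "ts": "2026-03-10T10:14:00Z", "total": 655.0, "billing_country": "US", "shipping_country": "NG"},
    {"id": "#2005", "ip": "203.0.113.51",  "card_last4": "9876", "ts": "2026-03-10T11:00:00Z", "total": 120.0, "billing_country": "CA", "shipping_country": "US"},
]

WINDOW = timedelta(minutes=30)   # assumed velocity window
VELOCITY_ORDERS = 3              # orders from one IP inside the window
HIGH_VALUE = 500.0               # assumed manual-review threshold in dollars


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_queue(orders, window=WINDOW, min_orders=VELOCITY_ORDERS, high_value=HIGH_VALUE):
    """Return {order id: [signals]} for orders that should be held for manual review."""
    signals = defaultdict(list)
    by_ip = defaultdict(list)        # ip -> orders still inside the window
    for o in sorted(orders, key=lambda x: x["ts"]):
        t = _parse(o["ts"])
        recent = [p for p in by_ip[o["ip"]] if t - _parse(p["ts"]) <= window] + [o]
        by_ip[o["ip"]] = recent
        if len(recent) >= min_orders:
            cards = {p["card_last4"] for p in recent}
            note = (f"velocity: {len(recent)} orders from {o['ip']} within "
                    f"{window.seconds // 60} min, {len(cards)} distinct cards")
            # The earlier orders in the burst are just as suspicious as the latest one.
            for p in recent:
                if not any(s.startswith("velocity") for s in signals[p["id"]]):
                    signals[p["id"]].append(note)
        if o["total"] >= high_value:
            signals[o["id"]].append(f"high value: {o['total']:.2f}")
        if o["billing_country"] != o["shipping_country"]:
            signals[o["id"]].append("billing/shipping country mismatch (weak signal alone)")
    hold = {}
    for o in orders:
        found = signals.get(o["id"], [])
        strong = [s for s in found if not s.startswith("billing/shipping")]
        if strong:                   # a mismatch by itself never holds an order
            hold[o["id"]] = found
    return hold


if __name__ == "__main__":
    for order_id, found in review_queue(SAMPLE_ORDERS).items():
        print(order_id, "-> hold for review:", "; ".join(found))
```

On the sample, the three orders from 198.51.100.20 are held (high value, mismatch, and a three-order burst on three different cards), the gift order shipped abroad from a local billing address is not held, and the velocity note is attached to the first two orders of the burst retroactively so they do not slip through before the third arrives.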

## 6. Data Privacy & Compliance

GDPR fines can reach 4% of annual revenue. CCPA, PIPEDA, and other regulations add more requirements. Data privacy is a security concern as much as a legal one.

CRITICAL

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | Privacy policy is accurate and up-to-date | Critical | Review your privacy policy against what you actually collect. If you added apps that collect new data types, update the policy. |
| ☐ | Cookie consent banner properly configured | Critical | Must block non-essential cookies until consent is given (GDPR) or provide opt-out (CCPA). Test that it actually blocks scripts. |
| ☐ | Customer data export/deletion process exists | Critical | GDPR gives customers the right to request their data and its deletion. Have a documented process. Shopify provides customer data tools. |
| ☐ | Data processing agreements in place with app vendors | Critical | Any app processing customer data on your behalf should have a DPA (Data Processing Agreement). Most major apps include this in their terms. |

## 7. Theme & Code Security

Your theme code runs on every page of your store. Malicious or poorly written code in your theme affects every customer.

CRITICAL

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | Theme purchased from reputable source (Shopify Theme Store or known developer) | Critical | Nulled or pirated themes often contain malicious code (credit card skimmers, data exfiltration). Only use themes from official or trusted sources. |
| ☐ | No unknown or suspicious script tags in theme.liquid | Critical | Review theme.liquid for any script tags you do not recognize. Unknown scripts could be skimming customer data. Check every external domain referenced. |
| ☐ | Theme backup taken regularly | Critical | Download a full theme backup monthly and before any code changes. A clean backup is essential for incident recovery. |

IMPORTANT

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | Third-party scripts audited for necessity | Important | Every external script is a potential attack vector. Remove any third-party scripts that are not actively needed (old analytics, removed chat tools). |
| ☐ | Content Security Policy (CSP) headers reviewed | Important | CSP headers restrict which domains can load scripts on your pages. While Shopify has limited CSP control, review your theme's script sources. |

## 8. Incident Response Planning

The question is not if something will go wrong, but when. Having an incident response plan means the difference between a manageable event and a catastrophe.

IMPORTANT

|  | Checklist Item | Priority | Details / Action |
| --- | --- | --- | --- |
| ☐ | Incident response plan documented | Important | Document steps for: account compromise, data breach, payment fraud, store defacement. Include who to contact and in what order. |
| ☐ | Shopify Support contact info readily available | Important | Know how to reach Shopify Support urgently: through admin > Help, or by phone. Response time matters during an incident. |
| ☐ | Regular backups of store data (orders, customers, products) | Important | Export critical data monthly: customer list, order history, product catalog. Store backups in a secure, separate location. |
| ☐ | Communication template ready for customer notification | Important | If a breach occurs, you may need to notify customers. Having a template ready saves critical hours when every minute counts. |
| ☐ | Legal counsel identified for breach situations | Important | Know which lawyer to call. Data breach notification laws vary by jurisdiction and have strict timelines (72 hours under GDPR). |

## Related Guides

- [App Stack Audit Checklist]

- [Pre-Launch Checklist 2026]

- [Weekly Store Maintenance Checklist]

- [Accessibility Checklist]

- [Checkout Optimization Checklist]

## Frequently Asked Questions

### Is Shopify secure by default?

Shopify handles platform-level security excellently: server infrastructure, PCI compliance, SSL, DDoS protection. However, store-level security is your responsibility: account access, staff permissions, app permissions, fraud settings, and data handling. Most breaches come from compromised admin accounts or excessive app permissions.

### How often should I perform a Shopify security audit?

Full audit quarterly, quick check monthly. Monthly: review admin access logs, check for unusual activity, verify staff permissions, ensure 2FA is enabled. Additionally, audit immediately after any staff change, app installation, or security incident.

### What is the biggest security risk for Shopify stores?

Compromised admin accounts. A stolen password gives attackers access to everything: customer data, payment settings, order information, and the ability to inject malicious code. Enable 2FA on every account, use unique strong passwords, and review admin access regularly.

### How do I protect my Shopify store from fraud?

Enable Shopify's fraud analysis, require AVS and CVV verification, manually review high-risk and high-value orders. Watch for mismatched billing/shipping addresses, free email providers on large orders, and multiple orders from the same IP with different cards.

### Should I worry about PCI compliance for my Shopify store?

Shopify handles PCI DSS compliance at the platform level. Your responsibility is not to compromise it: never store card numbers in notes or metafields, never request card details via email or chat, and ensure third-party payment integrations are PCI compliant.

## Security-Conscious EasyApps

### EA Accessibility

WCAG compliance reduces legal risk. Accessibility lawsuits cost $10,000-75,000+ to defend.

### EA Page Speed Booster

Reduce third-party script overhead. Fewer external scripts = smaller attack surface.

## Secure Store, Trusted Brand

EasyApps are built with security in mind — minimal permissions, no unnecessary data collection, and regular security updates.
[View All EasyApps on Shopify]
