← Blog

Shopify Security Best Practices: 2026 Checklist

Every documented Shopify account breach has one thing in common: two-factor authentication was off. Account security is the first layer. Shopify security best practices start there but don’t end there. A properly secured account with 23 apps loaded with excessive permissions and no data compliance setup is still a security problem. Here’s the complete stack.

These practices are not a one-time setup. They’re a maintenance discipline — quarterly app audits, monthly permission reviews, regular password rotations. This checklist organizes what to do and when.

Key Takeaways

  • 2FA via authenticator app (not SMS) is the foundational security control — enable it first
  • Dormant app permissions remain active after you stop using an app — remove them
  • GDPR non-compliance fines have reached €20 million or 4% of global annual turnover
  • Shopify handles PCI DSS compliance for payments — but your app stack, forms, and data handling are still your responsibility

Account Security — The Foundation of Shopify Security

Enabling 2FA: Authenticator App vs. SMS

Enable two-factor authentication immediately if it isn’t active. In Shopify admin, go to Profile > Security > Two-step authentication.

Authenticator app (Google Authenticator, Authy, 1Password) is significantly more secure than SMS. SMS-based 2FA is vulnerable to SIM swapping attacks — where an attacker convinces a carrier to transfer your phone number to a SIM they control. This is not a theoretical threat; it’s documented in numerous high-profile account takeovers.

An authenticator app generates codes locally on your device, requiring physical access to your phone. SIM swapping cannot compromise an authenticator app-based 2FA.

Require 2FA for every staff account in your Shopify organization, not just the owner account.

Password Hygiene: Unique, Long, Never Reused

Your Shopify admin password should be:

  • Minimum 16 characters
  • Unique to Shopify — not reused from any other service
  • Stored in a password manager (1Password, Bitwarden, Dashlane)
  • Changed if there’s any possibility the previous password was exposed

“I’ll remember it” is not a password strategy. Password managers generate and store unique 20+ character passwords for every account. The cost of not using one is eventual credential reuse across a breach notification — which happens to almost everyone using the same password across multiple services.

Reviewing and Limiting Staff Account Access

Every staff account is a potential attack vector. Review your staff accounts quarterly:

  • Remove accounts for employees who’ve left
  • Reduce permissions for accounts that don’t need broad access
  • Never create shared login accounts for multiple people

Shopify’s staff permission system allows granular control: an order fulfillment employee doesn’t need access to products, themes, or app management. Principle of least privilege — give each account only the permissions it actually needs.

Shopify’s 2026 Granular Staff Permission Settings

Shopify updated its staff permission model in recent releases to include more granular controls by area. Review the available permission granularity for your current plan:

  • Order management: separate permissions for viewing, editing, fulfilling, and refunding
  • Product management: read vs. write vs. publish
  • Customer data: read vs. write vs. export
  • Financial reports: view-only access for reporting staff

Configure each staff role precisely. An employee who only needs to process returns does not need product write access.

Sarah hired a virtual assistant to handle customer service. She created a staff account with full Shopify access because it was faster than figuring out permissions. The VA account was eventually used from an unrecognized IP in a different country — whether compromised or misused, the result was 200 customer orders with falsified refunds processed before the activity was noticed. The financial loss was $4,200. A customer-service-only permission set would have prevented access to the refund processing entirely.

App Security — The Most Overlooked Shopify Security Risk

Only Install From the Official Shopify App Store

The Shopify App Store applies a review process before apps are listed. It’s not a perfect security guarantee, but it filters out obvious malicious code. Third-party app installations from direct download links or custom installations bypass this review entirely.

Do not install apps from URLs shared in forums, by email, or from unknown developers requesting direct installation access to your store.

Review Permissions Before Installation

Before installing any app, read the permission request list. Every item in that list is data access you’re granting. The standard question: does this app’s stated function require this permission?

A size chart app requesting customer order history has no legitimate reason. Deny installation and find an alternative.

Uninstall Apps You No Longer Use

Dormant app permissions remain active after you stop actively using an app — often even after uninstallation if the app’s OAuth token wasn’t properly revoked. Permissions are only revoked when you explicitly delete the app and the app properly handles token revocation.

Review your app list every 60 days. Any app not actively used in the last 30 days should be removed. After removal, verify in your theme code that the app’s script tags are gone. For a full breakdown of app risks and how to conduct a security-focused app audit, see our guide on Shopify third-party app risks.

App Audit Cadence: Every 60 Days

Set a calendar reminder for every 60 days: app permissions audit. Takes 20 minutes. Review:

  • Apps installed (any new ones since last audit?)
  • Data permissions for each app (still appropriate?)
  • Apps with zero activity in last 30 days (remove them)
  • Theme code for orphaned scripts from previously removed apps

Data Protection and Compliance

GDPR Requirements for EU Customers

If you sell to customers in the EU — and if your Shopify store is publicly accessible, you do — GDPR applies. Key requirements:

Cookie consent: You must obtain explicit consent before loading non-essential cookies (analytics, marketing, personalization). A cookie banner that says “By using this site, you agree to cookies” does not satisfy GDPR. A genuine opt-in/opt-out mechanism is required.

Data subject rights: EU customers can request access to their data, correction, deletion, and export. You must be able to respond to these requests within 30 days. Shopify’s customer export feature handles data access requests; deletion requires removing the customer record from Shopify and from any connected apps.

Data processing records: You must document what data you collect, why, and how it’s processed. This doesn’t require a lawyer — a one-page internal document suffices for most SMBs.

GDPR fines for non-compliance are real: up to €20 million or 4% of global annual turnover. SMBs aren’t immune — supervisory authorities have fined businesses with revenues under €1M for cookie consent violations.

CCPA Requirements for California Customers

California’s Consumer Privacy Act gives California residents similar rights to GDPR: right to know, right to delete, right to opt out of sale of personal data. If you serve California customers and your business meets the thresholds (annual revenue over $25M OR data on 50,000+ consumers OR 50%+ revenue from selling data), CCPA applies.

For most SMB Shopify merchants, the practical requirement: a “Do Not Sell My Personal Information” link in the footer and a process to handle deletion requests.

CCPA and GDPR requirements often overlap. A privacy policy and consent mechanism compliant with GDPR satisfies most CCPA requirements for the data handling aspects.

Shopify’s native cookie consent banner is available through the Shopify admin. For more configurable options:

  • Cookiebot: Comprehensive consent management, auto-scans cookies, handles both GDPR and CCPA
  • Pandectes GDPR: Shopify-specific, handles consent categorization
  • OneTrust: Enterprise-grade option for stores with complex compliance requirements

Whatever solution you use, verify it actually blocks non-essential cookies before consent is given. Many “consent banners” display the banner but load all cookies immediately — which is non-compliant.

How Shopify Handles PCI DSS Compliance (and What You Still Own)

Shopify is PCI DSS Level 1 compliant — the highest level. This means Shopify’s payment infrastructure, card data handling, and transaction processing meet the strictest security standards.

What this covers: card data is never stored on Shopify’s servers after authorization. Payment transactions are encrypted. Shopify maintains security certifications.

What this doesn’t cover: your own practices around customer data outside of payment processing. If you export customer lists to a spreadsheet stored on an unsecured Google Drive, that’s your compliance gap, not Shopify’s. If your apps handle customer payment references insecurely, that’s your responsibility too.

For Shopify stores handling complex compliance requirements, our Shopify security configuration includes proper cookie consent implementation, data handling review, and staff permission setup. The Shopify Store Health Audit at $299 includes a basic security review as part of the package.

Fraud Prevention Integration

Shopify’s Built-In Fraud Analysis Indicators

Every order in Shopify includes fraud risk indicators: High, Medium, Low. These are generated by Shopify’s fraud analysis system based on AVS (address verification), CVV matching, IP geolocation, and order pattern analysis.

Check every High and Medium risk order before fulfilling. Review the specific indicators flagged (billing/shipping address mismatch, IP mismatch, multiple orders with different cards) before deciding whether to fulfill or hold.

AVS and CVV Matching Setup

Shopify Payments includes AVS and CVV verification as standard. For stores using third-party payment gateways (Authorize.net, Stripe direct), verify AVS and CVV checking is configured in your gateway settings — it may not be enabled by default.

AVS matches the billing address submitted by the customer to the address on file with the card issuer. A full mismatch is a strong fraud indicator. CVV verification confirms physical possession of the card. Both should always be enabled.

Shopify Flow Automations for High-Risk Orders

Shopify Flow (available on all plans as of 2023) can automate responses to fraud indicators:

  • Auto-cancel orders flagged as high-risk with a specific card testing pattern
  • Send internal notification for manual review when risk score exceeds threshold
  • Auto-capture payment for low-risk orders to reduce cart abandonment

These automations don’t require code — they’re configured through Shopify Flow’s visual editor. Setting up basic fraud automations takes approximately 30 minutes.

Backup and Recovery

Shopify Doesn’t Have Native Version Control — What That Means

Shopify doesn’t offer a “restore to yesterday’s state” feature. If a theme update breaks your store, if a staff member accidentally deletes a product category, or if an app modification damages your theme code, recovery requires:

  • A manually saved theme backup
  • Manual data export backups
  • Or a third-party backup app

This is a real gap in Shopify’s infrastructure. Build backup processes around it.

Manual Data Export Schedule

Shopify admin provides manual export options for:

  • Customers (CSV)
  • Products (CSV)
  • Orders (CSV)

Export frequency recommendations:

  • Products: after any major catalog change, minimum monthly
  • Customers: monthly
  • Orders: weekly for active stores, monthly for lower volume

Store exports in an encrypted cloud storage location (Google Drive, Dropbox, or similar) with access restricted to store owners.

Theme Backup Before Updates

Before any theme update (whether Shopify’s automatic theme updates or manual edits), duplicate your current theme:

  • Shopify admin > Online Store > Themes > Actions > Duplicate

This creates a backup version you can reactivate immediately if the update causes issues. Keep the last 2–3 theme backups.

Marcus ran a $150K/month Shopify store without a formal backup process. A developer installing a new app incorrectly edited theme.liquid and broke the navigation structure across the entire store. Without a theme backup, recovery required reconstructing the navigation from memory and reviewing Google Cache for previous states. Downtime: 6 hours. Revenue lost: approximately $3,700. A 5-minute theme duplication before the installation would have reduced recovery time to under 2 minutes.

Monitoring and Incident Response

Shopify Activity Log: What It Captures and How to Review It

Shopify admin > Settings > Activity log (or search “activity” in admin). The log records: admin logins, product edits, order changes, app installations, theme modifications, permission changes.

Review the activity log weekly. You’re looking for: logins from unrecognized locations, changes made outside of business hours, app installations you didn’t authorize, and mass product or order modifications.

Setting Up Alerts for Unusual Login Activity

Shopify sends email notifications for new device logins by default. Verify these notifications are enabled and going to an email address actively monitored.

For stores with multiple staff accounts, consider Shopify Flow automations that trigger notifications for bulk operations: more than 10 order modifications in an hour, unusual order cancellation volume, or product bulk edits.

Steps to Take If Your Store Is Compromised

If you suspect a breach:

  1. Immediately revoke all staff account access (disable accounts you didn’t create or don’t recognize)
  2. Change the Shopify owner account password
  3. Review all installed apps and remove any you didn’t install
  4. Check Shopify activity log for the past 30 days
  5. Review orders for fraudulent refunds or address changes
  6. If customer data was accessed: consult your GDPR obligations for breach notification (72 hours in the EU)
  7. Contact Shopify Support to report the incident and get assistance

Don’t wait to assess the full scope before taking protective action. Revoke access first, investigate second.

Security Audit Schedule

These are the core Shopify security best practices organized by maintenance frequency. Build these tasks into a calendar:

Weekly (15 minutes):

  • Review Shopify activity log
  • Check for High-risk orders not yet reviewed

Monthly (30 minutes):

  • Review staff permissions — any changes needed?
  • Rotate passwords if any staff changes occurred
  • Verify 2FA is active on all staff accounts

Quarterly (2 hours):

  • Full app audit: permissions, usage, cost, script weight
  • Review GDPR/CCPA compliance status
  • Test data export backup process
  • Review fraud indicators and Shopify Flow automations
  • Update all admin passwords

Conclusion

Shopify security is not a configuration you complete once and check off. It’s an ongoing maintenance practice. The stores that get breached aren’t typically those that never set up security — they’re the ones that set it up in 2021 and never reviewed it again as staff changed, apps accumulated, and the store grew.

The three highest-priority Shopify security best practices for most stores: enable 2FA via authenticator app, audit and trim your app stack, and implement a GDPR-compliant cookie consent mechanism. Everything else in this guide is important, but those three changes close the most common vulnerabilities.

If you need a systematic security review for your Shopify store, our Shopify Store Health Audit at $299 includes account security, app permissions, and data compliance as part of the full audit. Our Shopify agency team includes security hardening — 2FA enforcement, permission setup, cookie compliance — in all store builds as standard.

Frequently Asked Questions

Is Shopify secure for selling online?

Shopify’s infrastructure is highly secure — PCI DSS Level 1 compliant, SSL/TLS encryption on all storefronts, DDoS protection, and regular security audits. The security risks for Shopify merchants come from the application layer above that infrastructure: weak account credentials, overpermissioned apps, unpatched third-party code, and inadequate data handling practices. Shopify protects the platform; merchants are responsible for their own accounts and configurations.

Does Shopify protect customer payment data?

Yes. Shopify Payments and Shopify’s checkout handle card data in a PCI DSS Level 1 compliant environment. Card numbers are never stored on Shopify’s servers after authorization. Payment tokens are used for recurring charges. This protection applies to payments processed through Shopify Payments — stores using third-party gateways should verify those gateways’ PCI compliance independently.

How do I enable two-factor authentication on Shopify?

In Shopify admin, click your profile picture (top right) > Manage account > Profile > Security > Two-step authentication > Turn on. Select “Authenticator app” (recommended over SMS). Download Google Authenticator or Authy. Scan the QR code displayed in Shopify. Enter the 6-digit code to confirm. Save your backup codes in a secure location. Require all staff accounts to enable 2FA through Shopify’s staff management settings.

What happens if my Shopify store is hacked?

First: disable or change credentials for all staff accounts. Second: change the Shopify owner account password and verify 2FA. Third: review the activity log for the past 30 days. Fourth: audit installed apps and remove any you didn’t install. Fifth: review recent orders for fraudulent modifications. Sixth: contact Shopify Support to report the incident. For GDPR-regulated stores with EU customers: you may have a 72-hour data breach notification obligation to your relevant supervisory authority.

Do I need to comply with GDPR if I use Shopify?

If you sell to EU residents — which any publicly accessible Shopify store can — GDPR applies to your processing of their personal data. Shopify’s infrastructure is GDPR-compliant, but your responsibilities extend to: cookie consent implementation, privacy policy accuracy, data subject rights response, app data handling, and marketing consent management. These are merchant responsibilities, not platform responsibilities.