Shopify Store Security Checklist for 2026


43% of small businesses faced at least one cyber attack in the past 12 months. And 60% of all breaches start with a human element — stolen credentials, a phishing link clicked too fast, or a staff account that never got deactivated.

Shopify handles the infrastructure security: PCI compliance, SSL certificates, server uptime. But everything inside your admin — who has access, what apps can read your data, whether your login is protected — is your responsibility. Most merchants never think about it until something breaks. This Shopify store security checklist covers the seven areas you need to lock down, from 2FA to API keys to what to do if your account gets compromised.

Turn On Two-Factor Authentication for Every Account

Two-factor authentication (2FA) blocks 99.9% of automated attacks. If you only do one thing on this list, do this.

Go to Settings > Users and permissions > your account > Security, and enable 2FA using an authenticator app like Google Authenticator or Authy. Don't rely on SMS alone — SIM swapping attacks can intercept text messages.

There's a catch: on non-Plus plans, you can't force staff to enable 2FA. Each staff member has to set it up on their own account. So you need to make it a policy, check in with your team, and verify it's done. On Shopify Plus, you can enforce 2FA at the organization level.

When you set up 2FA, Shopify gives you recovery codes. Save these somewhere secure — a password manager, not a sticky note. If you lose your phone and don't have recovery codes, you'll need to contact Shopify support and prove store ownership to regain access.

Audit Staff Accounts and Permissions Monthly

The freelancer who redesigned your theme six months ago — do they still have admin access? The VA you hired for a holiday rush — can they still view customer data?

Unused staff accounts are the easiest way into your store. Every account with access is a potential entry point, and 52% of small businesses rely on untrained internal staff or the owner to manage security entirely. That means nobody is watching the door.

Run this audit every month:

  1. Go to Settings > Users and permissions
  2. Review every staff account. If someone hasn't logged in for 30+ days and doesn't need ongoing access, remove them
  3. For active staff, check their permission level. Does your social media person need access to Finances? Does your shipping coordinator need to edit the theme?
  4. Use collaborator accounts for agencies and freelancers instead of full staff accounts — they provide scoped access that expires and don't count against your staff limit

The principle is simple: every account should have the minimum permissions needed to do the job. The fewer permissions an account holds, the smaller the damage if it gets compromised.

Review Installed Apps and Their Permissions

Every Shopify app you install gets access to specific parts of your store data. Some apps request read/write access to customers, orders, products, and even your theme code. In 2025, a single third-party app's misconfigured database exposed sensitive data from over 4,000 Shopify stores, including Shopify access tokens and customer information.

Go to Settings > Apps and sales channels and review each app:

  • Do you still use it? Uninstall apps you haven't used in 30+ days. They still have API access to your store even when you're not actively using them.
  • What permissions does it have? Click on each app to see what data it can access. If a countdown timer app has access to customer data, that's a red flag.
  • Is the developer reputable? Check the app's Shopify App Store listing. Look at review count, recent updates, and whether the developer has a privacy policy and data handling documentation.

If you're running 20+ apps (the average Shopify store runs about 6), you're increasing your attack surface with every install. Each app is a third party with access to your store. Treat new installs like you'd treat giving someone a key to your office. For a deeper look at trimming your app stack, see our Shopify app dependency audit guide.

Secure Your API Keys and Access Tokens

If you've created custom apps, private apps, or API integrations, your API keys and access tokens are the most sensitive credentials in your store — more dangerous than your admin password, because they bypass 2FA entirely.

Checklist for API security:

  • Never share API keys via email, Slack, or chat. Use a password manager or secrets management tool.
  • Rotate keys periodically. If you created a custom app 18 months ago and never changed the credentials, rotate them now.
  • Delete unused custom apps. Go to Settings > Apps and sales channels > Develop apps. If you see apps you no longer use or don't recognize, remove them.
  • Scope API access narrowly. When creating a new custom app, grant only the specific API scopes it needs — not full read/write access to everything.

If you hired a developer who set up integrations using your API credentials and the project is done, change those credentials. Don't assume they deleted them from their end.

Set Up a Backup Routine

Shopify doesn't offer a native one-click backup of your entire store. If something goes wrong — a rogue app overwrites your theme, a bulk product edit goes sideways, or someone deletes critical pages — you need your own backup.

What to back up and how often:

  • Theme files: Download a copy of your live theme before making any changes. Go to Online Store > Themes > Actions > Download theme file. Do this monthly at minimum, and always before a developer touches anything.
  • Product data: Export your products as CSV from Products > Export. Monthly for most stores, weekly if you update inventory frequently.
  • Customer data: Export from Customers > Export. Monthly.
  • Order data: Export from Orders > Export. Keep records for accounting and disputes.

Store exports in cloud storage (Google Drive, Dropbox) with clear date-labeled folders. If you want automated backups, apps like Rewind or BackupMaster can run daily snapshots of your entire store. We cover the full backup process in our Shopify store backup guide.

Protect Against Phishing Attacks

Phishing accounts for 43% of all attacks targeting ecommerce businesses. The attacks are getting more sophisticated — fake Shopify emails asking you to "verify your account," fake app developer messages with malicious links, and even fake Shopify Partner invitations.

Rules to follow:

  • Shopify will never ask for your password via email. If an email asks you to log in, don't click the link. Go directly to admin.shopify.com instead.
  • Check the sender address carefully. Shopify emails come from @shopify.com. Look for misspellings like @shopfy.com or @shopify-support.com.
  • Don't install apps from direct links. Always search for the app in the Shopify App Store and install from there.
  • Be skeptical of urgency. "Your store will be suspended in 24 hours" is almost always a scam. Real Shopify notifications appear in your admin dashboard.

If you suspect a phishing attempt, report it to Shopify's security team at safety@shopify.com and change your password immediately.
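One way to automate the sender-address check above, as an added example that is not Shopify's code and not part of the original post: it treats only shopify.com (and its subdomains, an assumption that goes beyond the article's exact-domain rule) as legitimate, and flags domains within a short edit distance of shopify.com or embedding the word "shopify", which covers the @shopfy.com and @shopify-support.com lookalikes named above. The sample headers are constructed.

```python
import re

LEGIT_DOMAIN = "shopify.com"
LEGIT_LABEL = "shopify"


def sender_domain(from_header):
    """Return the lowercased domain of a From: header, or None if malformed.
    Accepts both 'Display Name <user@domain>' and a bare 'user@domain'."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    if address.count("@") != 1:
        return None
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Classify a From: header as 'legitimate', 'lookalike', 'other' or 'malformed'."""
    domain = sender_domain(from_header)
    if domain is None:
        return "malformed"
    # Assumption: a subdomain of shopify.com is under Shopify's own DNS control.
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return "legitimate"
    labels = domain.split(".")
    # Registrable name approximated as the last two labels (multi-part
    # public suffixes such as co.uk are not handled; assumption).
    registrable = ".".join(labels[-2:])
    second_level = labels[-2] if len(labels) >= 2 else labels[0]
    # Typosquats (shopfy.com) and word-embedding domains (shopify-support.com).
    if levenshtein(registrable, LEGIT_DOMAIN) <= 2 or LEGIT_LABEL in second_level:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ["Shopify <no-reply@shopify.com>", "support@shopfy.com",
                "Shopify Support <help@shopify-support.com>", "billing@example.net"]:
        print(f"{hdr!r:50} -> {classify_sender(hdr)}")
```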

What Should You Do If Your Shopify Account Gets Compromised?

If you notice unauthorized changes, unfamiliar staff accounts, or orders you didn't process, act fast:

  1. Change your password immediately from a trusted device. If you can't log in, use Shopify's account recovery flow or contact support directly.
  2. Revoke all staff access temporarily until you've confirmed which accounts are legitimate.
  3. Check recent activity: Review the Timeline in your Shopify admin for changes you didn't make — theme edits, new apps installed, settings changed.
  4. Rotate all API keys for custom and private apps.
  5. Review installed apps for anything you didn't install. Uninstall suspicious apps.
  6. Contact Shopify Support and explain the situation. They can help investigate and lock down your account.
  7. Notify affected customers if any personal data may have been exposed. This isn't optional — most jurisdictions require breach notification.

The speed of your response matters. The average retail data breach cost $3.54 million in 2025. You're not a major retailer, but even a small breach can mean lost customer trust, disputed orders, and weeks of cleanup.

Your Monthly Shopify Store Security Checklist (5 Minutes)

Security isn't a one-time project. Build this into your monthly store maintenance:

  1. Verify 2FA is active on all staff accounts
  2. Remove any staff or collaborator accounts no longer needed
  3. Uninstall unused apps
  4. Download a theme backup
  5. Export products and customer data
  6. Check for any unrecognized login activity

Five minutes a month. That's all it takes to close the gaps that 52% of small businesses never think about. The merchants who get compromised aren't unlucky — they're unprepared. Put the checklist on your calendar, run through it once, and you'll spend less time worrying about what could go wrong and more time running your store.