Shopify Store
Security Checklist

Force HTTPS on all pages

Shopify provides a free SSL certificate, but you need to ensure all traffic is redirected. Go to Settings > Domains and confirm HTTPS is enforced. Mixed HTTP/HTTPS can trigger browser warnings and erode customer trust.

Check for mixed content warnings

Mixed content occurs when your HTTPS page loads images, scripts, or stylesheets over HTTP. Use your browser's developer console to find these warnings, then update the offending URLs to HTTPS in your theme code or app settings.

Verify SSL certificate validity

Click the padlock icon in your browser's address bar to inspect your certificate. It should show a valid chain issued to your domain. Shopify manages renewal automatically, but custom domains occasionally have configuration issues worth checking.

Monitor certificate expiry dates

While Shopify handles auto-renewal, stores using custom SSL certificates or third-party CDNs should set calendar reminders 30 days before expiry. An expired certificate will display a full-page browser warning that stops all sales.

Use strong, unique passwords for every account

Reusing passwords across services is the single biggest security risk for store owners. A password manager generates and stores complex passwords so you only need to remember one master password. NordPass →

Enable two-factor authentication on Shopify admin

Go to Settings > Users and permissions and enable 2FA for every staff account. Use an authenticator app rather than SMS — SIM-swap attacks can intercept text codes. This is non-negotiable for any store handling customer data.

Audit staff account permissions regularly

Review who has access to your Shopify admin at least quarterly. Remove accounts for former employees or agencies immediately. Use Shopify's granular permissions to limit each staff member to only what they need.

Store credentials securely with a password manager

Beyond your Shopify admin password, you have payment gateways, email services, supplier portals, and more. A dedicated password manager keeps all of these encrypted and accessible across your devices. NordPass →

Use a VPN when managing your store on public WiFi

Coffee shop and hotel WiFi networks are trivial to intercept. A VPN encrypts your entire connection, making it impossible for attackers on the same network to capture your Shopify admin credentials or customer data. NordVPN →

Protect admin access from untrusted networks

Even on home WiFi, consider using a VPN to add a layer of encryption. If your ISP or network is compromised, a VPN ensures your admin sessions remain private. This is especially important when travelling. NordVPN →

Block malicious sites and trackers

Phishing attacks targeting Shopify store owners are increasingly common. A VPN with built-in threat protection can block known malicious domains and trackers before they load, reducing the risk of credential theft. NordVPN with Threat Protection →

Secure your home and office network

Change your router's default admin password, enable WPA3 encryption, and keep firmware updated. Segment your network if possible — a separate VLAN for business devices prevents a compromised IoT gadget from reaching your work machine.

Use Shopify Payments or PCI-compliant gateways

Shopify Payments is PCI DSS Level 1 compliant out of the box. If you use a third-party gateway, verify their compliance certificate. Non-compliant payment processing exposes you to data breaches and legal liability.

Never store card data outside Shopify

Do not copy card numbers into spreadsheets, emails, or notes. Shopify's vault handles tokenisation securely. Storing card data outside a PCI-compliant environment violates payment card industry standards and can result in fines.

Enable fraud analysis tools

Shopify includes basic fraud analysis on every plan. Review flagged orders before fulfilment. For higher-volume stores, consider Shopify Flow automation rules to auto-cancel orders matching known fraud patterns.

Review third-party app data access

Every installed app has specific data permissions. Go to Settings > Apps and sales channels and check what each app can access. Apps requesting customer payment data or full admin access should be scrutinised carefully.

Audit installed apps quarterly

Remove apps you no longer use. Each installed app is a potential attack surface — unused apps still have access to your store data and may not receive security updates from their developers.

Only install apps from the Shopify App Store

Shopify App Store apps undergo a review process. Third-party scripts installed via theme code bypass this vetting entirely. If a developer asks you to paste code into your theme, verify their identity and the code's purpose first.

Check app permissions before installing

Before clicking "Install", read the permissions screen carefully. A reviews app should not need access to your customer payment data. If the permissions seem excessive for the app's purpose, choose an alternative.

Keep your theme updated

Theme updates often include security patches alongside new features. If you use a third-party theme, check for updates monthly. For heavily customised themes, maintain a changelog of your modifications so updates can be merged safely.

Export products, customers, and orders regularly

Shopify does not offer automatic backups. Use Settings > Export to download CSV files of your critical data monthly. Store these exports in encrypted cloud storage — not just on your laptop.

Document your theme customisations

Keep a record of every Liquid code change, custom CSS addition, and app-injected snippet. If your theme is corrupted or you need to switch, this documentation lets you rebuild without starting from scratch.

Have a recovery plan for compromised accounts

Know the steps before you need them: Shopify support contact method, list of all connected services that need password resets, customer communication template, and a plan for reviewing recent orders for fraud.

Test backup restoration periodically

A backup you have never tested is not a backup. Create a development store and import your CSV exports at least once to verify the data is complete and usable. Fix any export gaps before you actually need the data.