How to Check if Your Shopify Theme Has Malware (Step-by-Step Guide)
# How to Check if Your Shopify Theme Has Malware (Step-by-Step Guide)
Discovering malware in your Shopify theme can be terrifying. One malicious script can steal customer credit cards, redirect your checkout to a scam site, or inject spam into your product pages. And here’s the scary part — most infected store owners have no idea it’s happening.
In this guide, we’ll walk you through exactly how to check your Shopify theme for malware, what signs to look for, and how to remove malicious code safely.
Signs Your Shopify Theme Might Be Infected
Before diving into code inspection, watch for these red flags:
If your analytics show traffic spikes from unknown countries with high bounce rates and zero conversions, bots might be using your store for click fraud.
Malicious scripts often run hidden processes that slow down your site. If your store suddenly takes 5+ seconds to load, investigate immediately.
If customers complain about being redirected to different sites, seeing pop-ups, or encountering phishing pages, your theme likely has injected redirect scripts.
Google actively scans for malware and will warn users before visiting infected sites. If you see “This site may be hacked” in search results, you need to act fast.
If you see JavaScript files or Liquid snippets you didn’t add, someone (or something) has modified your theme.
How to Manually Check for Malware
Step 1: Review Your Theme Files
Go to Online Store → Themes → Edit Code in your Shopify admin. Check these files for suspicious code:
Check theme.liquid first:
Look for any external scripts that you don’t recognize, especially:
- Scripts loading from suspicious domains
- Base64-encoded strings (often used to hide malicious code)
- eval() functions or dynamically generated scripts
- Iframe injections
Check custom Liquid sections:
Navigate through each section in your theme. Look for:
- Hidden tracking pixels from unknown services
- JavaScript that sends data to external servers
- Code that modifies the checkout flow
Check assets folder:
Look for JavaScript files that:
- Were recently modified without your knowledge
- Have obfuscated or minified code you can’t read
- Load resources from unknown domains
Step 2: Use Your Browser’s Developer Tools
Open your store in Chrome, press F12, and check:
- Network tab: Look for requests to suspicious domains
- Console tab: Check for errors or warnings from unknown scripts
- Elements tab: Search for hidden iframes or injected HTML elements
Step 3: Scan Third-Party App Code
Many Shopify apps inject code into your theme. Go through each app’s injected snippets and verify they’re legitimate. Apps you’ve uninstalled may have left behind orphaned scripts.
The Automated Approach: Use ThemeSafe Security
Manual checking works but it’s tedious and you might miss something. This is where automated scanning tools save the day.
ThemeSafe Security scans your entire theme automatically and detects:
- Cross-site scripting (XSS) vulnerabilities
- Malware injections and backdoors
- Leaked API keys and secrets
- Suspicious third-party script injections
- Insecure Liquid template code
- Outdated or vulnerable theme components
It runs daily scans and gives you a security score with specific fix recommendations. The free tier covers basic scanning — enough to catch most common threats.
How to Remove Malware From Your Theme
If you find malicious code, here’s how to remove it safely:
Before making any changes, duplicate your current theme. Go to Online Store → Themes → Actions → Duplicate. This gives you a rollback point if something goes wrong.
Delete the malicious snippets, scripts, or sections you identified. Be careful not to remove code that’s part of your theme’s legitimate functionality.
For apps you’ve uninstalled, find and remove any code they injected. Check your theme.liquid file for app-specific script tags and snippet includes.
If you suspect API keys were leaked, regenerate them:
- Shopify API credentials
- Payment gateway keys
- Any third-party service API keys
Change your Shopify admin password, email password, and any other accounts linked to your store.
If you haven’t already, enable 2FA on your Shopify admin account immediately.
Prevention: How to Keep Your Theme Clean
Prevention is always cheaper than cleanup. Here are daily habits that protect your store:
Install Apps From Trusted Developers Only
Before installing any Shopify app:
- Check the developer’s reputation and review history
- Review what code the app will inject into your theme
- Uninstall and remove code from apps you no longer use
Keep Your Theme Updated
Theme updates often include security patches. Don’t ignore update notifications — outdated themes are prime targets for attackers.
Monitor Theme Changes Regularly
Set up a routine (weekly or monthly) to review your theme files for unexpected changes. Compare your current code against a clean backup to spot modifications.
Use Automated Scanning
Run regular security scans instead of manual checks. Tools like ThemeSafe Security can scan daily and alert you to new vulnerabilities before attackers exploit them.
What to Do If Customer Data Was Compromised
If you discover malware that may have accessed customer data:
Bottom Line
Shopify theme malware is a real and growing threat. Whether it’s a malicious app injection, a compromised theme file, or a hacked developer account — the consequences can be devastating.
The smartest move is proactive scanning. Start with a free ThemeSafe Security scan to see your store’s current security posture. It takes under two minutes and might catch something you’ve been missing.
