# Shopify Security Checklist: 15 Things Every Merchant Must Do in 2026
Security isn’t a one-time thing; it’s a habit. Most Shopify stores get hacked not because of sophisticated attacks, but because merchants skip basic security practices.
Here’s your complete Shopify security checklist. Print it, bookmark it, and follow it.
## Account Security (Do Today)
- [ ] Enable two-factor authentication on your Shopify admin account (Settings → Account → Two-step authentication)
- [ ] Use a strong, unique password: minimum 12 characters, mixed case, numbers, symbols
- [ ] Remove unused staff accounts: fewer accounts means fewer attack targets
- [ ] Limit staff permissions: only give access to what each team member needs
- [ ] Use a password manager: never reuse passwords across services
## Store Security (Do This Week)
- [ ] Audit installed apps: remove anything you’re not actively using
- [ ] Review app permissions: check what each app can access (Settings → Apps)
- [ ] Clean orphaned theme code: uninstalled apps often leave behind scripts
- [ ] Scan theme for vulnerabilities: use ThemeSafe Security for a free automated scan
- [ ] Update your theme: outdated themes have known vulnerabilities
- [ ] Review payment settings: ensure only authorized payment providers are active
## Monitoring (Set Up Ongoing)
- [ ] Connect Google Search Console: it monitors for malware and security issues
- [ ] Enable Shopify email notifications: get alerted for staff changes and logins
- [ ] Set up uptime monitoring: use UptimeRobot (free) to detect if your store goes down
- [ ] Review Shopify activity logs weekly: Settings → Activity shows all admin actions
## Maintenance (Monthly)
- [ ] Run a full theme security scan: ThemeSafe Security does daily scans on paid plans
- [ ] Update all apps: keep every app on the latest version
- [ ] Rotate API credentials: regenerate Shopify API keys monthly
- [ ] Check webhooks: remove any you don’t recognize (Settings → Notifications → Webhooks)
- [ ] Review third-party scripts: check your theme for external scripts you didn’t add
## Emergency Response (If Hacked)
- [ ] Change admin password immediately
- [ ] Remove unauthorized staff accounts
- [ ] Contact Shopify Support
- [ ] Check for unauthorized app installations
- [ ] Scan theme for malware
- [ ] Regenerate all API keys
- [ ] Notify affected customers
- [ ] Document everything for your records
## The Automated Approach
Running through this checklist manually every month is tedious and error-prone. That’s why automated security scanning exists.
ThemeSafe Security automates the most important items on this checklist:
- Daily theme vulnerability scanning
- Third-party script monitoring
- API key leak detection
- Security scoring with actionable recommendations
- Alerts when new vulnerabilities are introduced
The free tier covers basic scanning, enough to catch the most common threats. Paid plans ($19/month, $49/month) add daily monitoring, priority alerts, and advanced vulnerability detection.
## Pro Tips From Security Experts
Make all code changes on a duplicate theme first, test thoroughly, then publish. This prevents a small mistake from taking your store offline.
Before installing an app, check the developer’s other apps, review history, and support responsiveness. A poorly coded app is the fastest way to compromise your store.
Shopify supports Content Security Policy (CSP) headers, which prevent scripts from running unless their source has been explicitly allowed. Configure these in your theme or through apps.
Apps often request more permissions than they need. Periodically review and restrict what each app can access.
Maintain a clean, updated version of your theme without any customizations. Use it as a baseline to compare against when checking for suspicious changes.
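The baseline comparison described above, as an added example that is not part of the original post or of ThemeSafe: a Python script that fingerprints every `<script>` tag in an exported copy of the live theme (external scripts by host, Liquid assets by their `src`, inline scripts by a body hash) and reports the ones the clean baseline theme contains nowhere. The sample theme files and hostnames embedded in it are constructed; `load_theme` reads real exported theme directories if you pass those instead.

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""(?<![\w-])src\s*=\s*(["'])(.*?)\1""", re.I)

def script_fingerprints(text):
    """Fingerprint each <script> in one file: external scripts by host, Liquid or
    relative assets by their src, inline scripts by a hash of the body."""
    fps = set()
    for attrs, body in SCRIPT_RE.findall(text):
        m = SRC_RE.search(attrs)
        if m is None:  # inline script: hash the whitespace-normalised body
            digest = hashlib.sha256(" ".join(body.split()).encode()).hexdigest()
            fps.add("inline:" + digest[:12])
        elif m.group(2).strip().startswith(("http://", "https://", "//")):
            fps.add("external:" + urlparse(m.group(2).strip()).netloc.lower())
        else:  # e.g. {{ 'theme.js' | asset_url }} or a relative path
            fps.add("asset:" + m.group(2).strip())
    return fps

def load_theme(root):
    """Read every .liquid and .js file under an exported theme directory."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
            for p in root.rglob("*") if p.suffix in (".liquid", ".js")}

def unexpected_scripts(live, baseline):
    """Map file -> scripts present in the live theme but in no baseline file."""
    known = set().union(*(script_fingerprints(t) for t in baseline.values()))
    return {name: sorted(extra) for name, text in live.items()
            if (extra := script_fingerprints(text) - known)}

# Constructed sample themes (not real store code): the live copy carries one
# extra external loader and one extra inline handler the baseline never had.
BASELINE = {"layout/theme.liquid": (
    "<script src=\"{{ 'theme.js' | asset_url }}\" defer></script>\n"
    '<script src="//cdn.shopify.com/s/trekkie.js"></script>\n'
    "<script>window.theme = {};</script>")}
LIVE = {
    "layout/theme.liquid": BASELINE["layout/theme.liquid"]
    + '\n<script src="https://static.example-cdn.test/loader.js"></script>',
    "snippets/footer.liquid": "<script>\n  window.theme = {};\n</script>\n"
    '<script type="text/javascript">document.addEventListener("submit",f);</script>'}
if __name__ == "__main__":  # or: unexpected_scripts(load_theme("live"), load_theme("baseline"))
    print(unexpected_scripts(LIVE, BASELINE))
```

Anything reported as `external:` with a host you do not recognise, or as `inline:` in a file you never edited, is exactly the orphaned or injected script the monthly review is looking for.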
## Share This Checklist
If you found this checklist helpful, share it with other Shopify merchants. Security awareness protects the entire ecosystem.
And if you haven’t scanned your theme recently, run a free ThemeSafe Security scan now. It takes two minutes and might catch something you’ve been missing.