Shopify has rock-solid security at its core, but unless you play your part too, cracks can open up wide enough to bring down your business. Fortunately, there are plenty of simple ways to tighten your Shopify store security. Here are 10.
If you’re on Shopify. You’re off to a strong start.
By selecting Shopify or Shopify Plus as your eCommerce platform you can rest-assured that you have a world-class secure cloud-based platform from the ground up.
Shopify means your store is compliant with the Payment Card Industry Data Security Standard (Level 1 PCI DSS) by default, essential for handling credit card information. It also features secure socket layer (SSL) certificates, which encrypt your content to prevent it from being stolen.
Without getting too technical, it’s fair to say Shopify has in place the security best practices to maintain a secure network, continually monitor threats, protect cardholder data, control user access and limit fraud.
That’s great. But the rest is up to you!
Security is always a shared responsibility between platforms and store owners. Shopify does a great job protecting the overall eCommerce platform infrastructure, payment gateways, servers, software and disaster recovery, but that’s where their responsibility ends.
You, the store owner, are responsible for your own store data - product content, images, orders, themes, inventory reviews and customer information - AND store security - password management, user permissions, third party apps, backups and recovery.
There’s a LOT that can go wrong on your side of the equation.
Before they’d made the transition to Shopify Plus, global online fitness brand Gymshark lost an estimated $143,000 in sales when a bug in an app installed on their Magento site crashed their site during peak Black Friday sales.
Read: Behind Gymshark’s Empire
Below we’ll look at common vulnerabilities and how you can tighten up your responsibilities for Shopify store security.
Why does security matter?
Like insurance, security is often one of those things you don’t think about until you’re in trouble. So it’s worth considering the consequences.
What would happen to your sales if you lost all your product, customer and financial information? What about the damage to your reputation if private customer information got into the wrong hands? Could your business survive if your store was shut down by hackers?
Yes, global brands are the prime targets for organised crime, but there are plenty of small-time hackers and automated bots scouring the internet looking for vulnerabilities to break into. And popular global platforms like Shopify can be a target. So even if you’re not a household name (yet!) doesn’t mean you should let down your guard.
Breaches do come from high-tech sources like fraudulent accounts, bots hacking third-party apps or distributed-denial-of-service (DDoS) attacks, but one major risk for your business has nothing to do with technology. It’s human error: weak passwords, lost devices, disgruntled staff, careless mistakes and relaxed access management can leave you vulnerable.
In fact, Verizon’s Data Breach Investigations Report found that 30% of data breaches were caused by people either accidentally or purposely sharing private information.
In an infamous case at Capital One in Canada, one employee exposed personal data of 100 million clients in a breach estimated to cost the bank up to $150 million to fix.
Who’s got the keys to your kingdom?
Even the most secure house with state-of-the-art alarms is vulnerable if the door is left open or the keys handed out to strangers.
It’s just you with the password, right? Or maybe there's that freelancer that helped with those design tweaks, the admin assistant who helped upload your latest product collection, your past employee that moved to Adelaide… oh and that sticky note on your desk!
Applicable to all areas of your online life, user management and password security is one of the simplest and most powerful security features you can tighten up today.
Global fashion retailer Macys.com was ordered to pay $192,000 to settle a data breach lawsuit when it was linked to a website that stole customer payment data during checkout.
10 steps to take TODAY to tighten Shopify store security
To help you take practical and fast steps to enhance Shopify store security, we’ve collated this list drawing on Shopify’s recommendations, with links to tools, resources and instructions.
1. Use a password vault. Seriously, do it!
I bet you have lots of duplicated passwords! Our #1 tip for securing Shopify, and your whole online life, is to use a password vault to make it easy to set, save and submit strong and unique passwords for each account. You just need to remember one master password.
Check out these password vaults: 1password, LastPass, and Dashlane
2. Turn on two-step authentication
When you login to Shopify using a password, two-step authentication means you’ll also need a second step such as a code sent via mobile app or text message. So, even if someone learns or cracks your password they still can’t log in.
- How to turn on two-step authentication
Note: If you use Shopify Plus, you can make two-step authentication mandatory for staff.
3. Verify admin email addresses
To make sure there are no random people with access to your Shopify admin tools, check that your email address (store owner) and all admin staff emails have been personally verified by each person.
- How to send verification requests
4. Audit staff member permissions
When staff come and go, or their roles change, their access permissions need to change too. Whether it’s managing products, processing orders or accessing customer details, double-check to make sure only authorised people still have logins. You can also set permission levels so that team members can access certain areas - for example, you can provide access to content management tools but not access to customer or financial information.
- How to review and edit permissions
5. Scan for compromised passwords
Admit it, you use the same password and email combination for multiple accounts! Which means if an attacker steals one login they’ll have access to other accounts, too. While Shopify proactively looks for this issue, it’s also a great idea to check your credentials across other accounts.
See if you’ve been compromised: Visit have I Been Pwned
6. Turn on fraud prevention
Where banks support it, Shopify Payments offers fraud analysis checks using the filters of Address Verification System (AVS) and Card Verification Value (CVV). So even stolen credit card information is unlikely to work unless the correct address and CVV data also matches up.
- Turn on fraud prevention
7. Set up payout notifications
If you don’t already get them, you can set up alerts for whenever a payout is sent to your bank with a link to the order. That way you can review the order and customer details to quickly spot any issues.
8. Double-check your payment details
If someone malicious has access to your store admin area, there is a risk that they could change your payment details, covertly diverting money into their own accounts. That’s why it’s important to routinely check that your payment and business details are up to date.
- Confirm banking details for Shopify Payments
- Confirm details for PayPal and other payment providers
- Review and update your general account settings
9. Mind the apps
If you’re like most Shopify store owners, you’ll likely have 5, 10 or more third-party apps installed. While they offer a gold mine of functionality, third-party apps can pose a security risk as they have permissions - granted by you - to view or modify data and perform specific actions. It’s worth doing some research on your apps to assess customer reviews, what company developed them, how many installs they have and whether the permissions they request make sense for your store.
- Audit existing apps in your Shopify admin area
- Research new apps in the Shopify App Store
10. We saved the best for last… BACKUP YOUR STORE!
No matter how vigilant you are, security is never 100% foolproof. So the best hedge you can have against a catastrophic event is to have regular, ideally automated, backups of your store. That way, whatever the cause, you can bounce back fast without losing everything you’ve worked for.
Many people mistakenly think that Shopify is responsible for backing up and restoring your store data. But it’s up to you to maintain your own information on products, images, customers, orders, inventory, gift cards, discount codes and financial data. While Shopify has inbuilt options to export CSV files of this information (which you then backup yourself), this process requires some manual effort.
We recommend using an app to automate the process for you. A Shopify Plus Certified App like Rewind Backups enables automated daily backups and also lets you wind back site changes that may be causing problems.
- How to backup your Shopify store manually
- Find a backup app from the Shopify App Store
While these recommendations and resources can help close some of the vulnerabilities you may have overlooked, there’s no magic bullet or one-size-fits all formula for securing your Shopify site. The ideal approach is to consider security in all aspects of your ongoing site development and management.
Need help with Shopify development? Let’s chat.
If you’re looking for a Shopify developer, we’d be happy to chat. Our expert team has 12+ years in the industry, 320+ Shopify builds and 180+ verified reviews.