Shopify handles a lot of the heavy lifting on infrastructure security — PCI compliance, server patching, DDoS mitigation. But the parts you control as a merchant or developer are exactly where most stores get breached: weak admin access, over-permissioned staff, sketchy third-party apps, and misconfigured custom domains. This Shopify security settings guide walks through the configurations that meaningfully reduce risk, with the exact clicks and checks involved.
Admin Account and Staff Access
The Shopify admin is the single most valuable target on your store. Anyone who gets in can change payout bank details, install malicious scripts, or export your customer database.
1. Enforce two-step authentication for everyone
Go to Settings → Users and permissions, then enable Require two-step authentication for all staff. Don't rely on staff turning it on individually. Use an authenticator app (Authy, 1Password, Google Authenticator) rather than SMS — SIM-swap attacks on Shopify accounts are well documented.
2. Audit staff permissions quarterly
Most stores hand out full admin access by default. Instead:
- Give designers and marketers only the Themes, Blog posts and pages, and Marketing permissions.
- Restrict Customers and Orders access to people who genuinely need PII.
- Never share login credentials — create individual staff accounts so audit logs are meaningful.
- Revoke access for departed contractors the same day. Check Settings → Users and permissions for stale accounts now.
3. Review collaborator and Shopify Partner access
Under Users and permissions → Collaborators, set Only people with a collaborator request code can send a request. Generate a unique code and treat it like a password. This stops random Partner accounts from requesting access to your store.
App Security and Third-Party Risk
The biggest Shopify breaches in recent years haven't come from Shopify itself — they've come from compromised apps with broad data access.
Audit installed apps
- Open Settings → Apps and sales channels.
- For each app, click View details and review the data access scopes. Look for apps that read customers, orders, or payment information when they don't need to.
- Uninstall anything you haven't used in 90 days. Uninstalling revokes API tokens.
- Prefer apps from the official Shopify App Store with Built for Shopify status and a public security page.
Custom apps and private API tokens
If your developers created custom apps under Settings → Apps and sales channels → Develop apps, rotate the Admin API access tokens every 6 months, and immediately when a developer leaves. Limit each token's scopes to the minimum required — a shipping integration shouldn't need write_customers.
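As an added example (not code from this guide or from Shopify), the Python script below compares the scopes a custom-app token actually holds against a per-integration allow-list and highlights the ones that write data or expose customer and order PII. It assumes the token's scope list was fetched from the Admin API's GET /admin/oauth/access_scopes.json endpoint (sent with the X-Shopify-Access-Token header) in the shape {"access_scopes": [{"handle": ...}]}; the sample response and the allow-lists are constructed for a hypothetical store.

```python
"""Flag a custom-app Admin API token whose scopes exceed what its integration needs.

Added example; not code from the guide or from Shopify. Assumes the granted
scopes came from GET /admin/oauth/access_scopes.json (sent with the
X-Shopify-Access-Token header) in the shape {"access_scopes": [{"handle": ...}]}.
"""
import json

# Minimum scopes each custom app is allowed to hold. These allow-lists are
# assumptions for this hypothetical store, not Shopify recommendations.
ALLOWED_SCOPES = {
    "shipping-integration": {"read_orders", "write_fulfillments", "read_shipping"},
    "reporting-dashboard": {"read_orders", "read_products"},
}

# Scopes whose names carry customer or order PII; excess here is the priority.
PII_MARKERS = ("customers", "orders")

# Constructed sample response for the shipping integration's token.
SAMPLE_RESPONSE = json.dumps({
    "access_scopes": [
        {"handle": "read_orders"},
        {"handle": "write_fulfillments"},
        {"handle": "write_customers"},   # a shipping app never needs this
        {"handle": "read_all_orders"},   # orders older than 60 days: excess PII
    ]
})


def granted_scopes(response_body: str) -> set[str]:
    """Extract the scope handles from an access_scopes.json response body."""
    return {entry["handle"] for entry in json.loads(response_body)["access_scopes"]}


def excess_scopes(integration: str, granted: set[str]) -> set[str]:
    """Scopes the token holds beyond the integration's allow-list."""
    return granted - ALLOWED_SCOPES[integration]


def risky_excess(excess: set[str]) -> set[str]:
    """Subset of excess scopes that write data or read customer/order PII."""
    return {s for s in excess
            if s.startswith("write_") or any(m in s for m in PII_MARKERS)}


def audit(integration: str, response_body: str) -> dict[str, set[str]]:
    """Run the full check and return the excess and risky-excess scope sets."""
    excess = excess_scopes(integration, granted_scopes(response_body))
    return {"excess": excess, "risky": risky_excess(excess)}


if __name__ == "__main__":
    result = audit("shipping-integration", SAMPLE_RESPONSE)
    for scope in sorted(result["excess"]):
        tag = "RISKY" if scope in result["risky"] else "excess"
        print(f"{tag}: {scope} -- remove it from the custom app's scopes, then rotate the token")
```

Run it against each custom app's token after every scope change and at each rotation; removing a scope from the app's configuration does not shrink an already-issued token, so the rotation step is what actually narrows access.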
Checkout, Payments, and Fraud Settings
Enable Shopify's fraud signals
Under Settings → Checkout, turn on:
- Require CAPTCHA on login, account creation, and password recovery pages.
- Address verification — require shipping address to match billing for high-value orders.
In Settings → Payments, enable Automatic fraud analysis and configure auto-cancel for orders flagged as high risk above a $200 threshold, depending on margin.
Customer accounts
Switch to new customer accounts (passwordless email code login) under Settings → Customer accounts. This removes the password attack surface entirely for your customers — no credential stuffing risk.
Domain, SSL, and DNS Hardening
Shopify handles SSL certificates automatically for your .myshopify.com domain and any custom domain pointed correctly. The problems start at the DNS layer, which you control.
DNS records to verify
- A record for your apex domain points to 23.227.38.65 (Shopify's IP).
- CNAME for www points to shops.myshopify.com.
- CAA record restricting which certificate authorities can issue certs for your domain — add 0 issue "digicert.com" and 0 issue "letsencrypt.org" based on what Shopify currently uses.
- SPF, DKIM, and DMARC records to stop attackers spoofing transactional emails from your domain. Set DMARC to at least p=quarantine.
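As an added example (not code from this guide or from Shopify), here is a Python checker that validates the records listed above against the guide's expected values: the apex A record, the www CNAME, CAA issuers, the presence of exactly one SPF record, and a DMARC policy of at least p=quarantine. It works on records you have already looked up (for instance pasted from dig +short output); the records below are constructed for a hypothetical store at example.com, and the DKIM selector is not checked because selector names vary.

```python
"""Check the DNS records the guide lists for a Shopify custom domain.

Added example; not code from the guide or from Shopify. It validates records
that were already looked up (for instance pasted from `dig +short` output);
the records below are constructed for a hypothetical store at example.com.
"""
import re

SHOPIFY_APEX_IP = "23.227.38.65"           # value given in the guide
SHOPIFY_WWW_CNAME = "shops.myshopify.com"  # value given in the guide
EXPECTED_CAA_ISSUERS = {"digicert.com", "letsencrypt.org"}
ACCEPTABLE_DMARC_POLICIES = {"quarantine", "reject"}

# Constructed lookup results, keyed by (record name, record type).
SAMPLE_RECORDS = {
    ("example.com", "A"): ["23.227.38.65"],
    ("www.example.com", "CNAME"): ["shops.myshopify.com."],
    ("example.com", "CAA"): ['0 issue "digicert.com"'],   # letsencrypt.org missing
    ("example.com", "TXT"): ["v=spf1 include:shops.shopify.com ~all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# CAA wire-text form: <flags> <tag> "<value>"
CAA_RE = re.compile(r'^(\d+)\s+(\w+)\s+"([^"]*)"$')


def parse_tags(txt: str) -> dict[str, str]:
    """Parse a 'tag=value; tag=value' record (DMARC) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def caa_issuers(caa_records: list[str]) -> set[str]:
    """CAs named by 'issue' tags (the separate 'issuewild' tag is ignored)."""
    issuers = set()
    for record in caa_records:
        match = CAA_RE.match(record.strip())
        if match and match.group(2).lower() == "issue":
            issuers.add(match.group(3).strip().lower())
    return issuers


def check_dns(domain: str, records: dict) -> list[str]:
    """Return one finding per problem; an empty list means all checks passed."""
    findings = []

    a_records = records.get((domain, "A"), [])
    if a_records != [SHOPIFY_APEX_IP]:
        findings.append(f"A: {domain} resolves to {a_records or 'nothing'}, expected {SHOPIFY_APEX_IP}")

    cnames = [c.rstrip(".") for c in records.get((f"www.{domain}", "CNAME"), [])]
    if cnames != [SHOPIFY_WWW_CNAME]:
        findings.append(f"CNAME: www.{domain} is {cnames or 'missing'}, expected {SHOPIFY_WWW_CNAME}")

    caa_records = records.get((domain, "CAA"), [])
    if not caa_records:
        findings.append("CAA: no record, so any CA may issue certificates for this domain")
    else:
        missing = EXPECTED_CAA_ISSUERS - caa_issuers(caa_records)
        if missing:
            findings.append(f"CAA: does not allow {sorted(missing)}; issuance by that CA will fail")

    spf = [t for t in records.get((domain, "TXT"), []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 TXT record, found {len(spf)}")

    dmarc = [t for t in records.get((f"_dmarc.{domain}", "TXT"), []) if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        policy = parse_tags(dmarc[0]).get("p", "")
        if policy.lower() not in ACCEPTABLE_DMARC_POLICIES:
            findings.append(f"DMARC: policy is p={policy or '(missing)'}; set at least p=quarantine")

    return findings


if __name__ == "__main__":
    for finding in check_dns("example.com", SAMPLE_RECORDS) or ["all DNS checks passed"]:
        print(finding)
```

To feed it live data, run dig +short A example.com, dig +short CNAME www.example.com, dig +short CAA example.com, dig +short TXT example.com and dig +short TXT _dmarc.example.com, and paste each answer into the corresponding key. The CAA check is deliberately strict: if the record names only one CA and Shopify renews through the other, the renewal fails silently until the certificate expires.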
Running a scan with WebSentry on your storefront URL surfaces missing CAA, weak DMARC policies, and SSL chain issues in one report — useful when you're checking a client store before launch.
Force HTTPS and check HSTS
Under Settings → Domains, confirm SSL certificates: Available shows for every domain and that your primary domain redirects all traffic. Shopify sets HSTS on the storefront, but if you've added custom subdomains via a reverse proxy or headless setup, you'll need to verify the HSTS header yourself.
Headers, CSP, and Theme-Level Security
Shopify limits how much you can customise HTTP security headers on the storefront — there's no way to set a strict Content-Security-Policy globally without a headless setup. That said, you can still tighten things up:
- In your theme's theme.liquid, add a <meta http-equiv="Content-Security-Policy"> tag scoped to your trusted script sources. It's weaker than a real CSP header but blocks common XSS payloads.
- Audit every <script src="..."> in your theme and remove anything from defunct analytics vendors or old marketing pixels.
- Avoid pasting unknown JavaScript snippets into Online Store → Preferences → Google Analytics / Additional scripts — this is the most common Magecart-style entry point on Shopify.
- Use Shopify's Web Pixel API for tracking instead of injecting third-party tags directly. Pixels run in a sandboxed worker.
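As an added example (not code from this guide or from Shopify), the Python script below does the script audit and the meta-tag CSP step together: it parses every <script src="..."> out of a theme.liquid, reports hosts that are not on your allow-list, and emits a script-src meta tag built from that same allow-list. The theme fragment and the trusted-host list are constructed for a hypothetical store.

```python
"""Audit <script src> hosts in a theme.liquid and emit the matching CSP meta tag.

Added example; not code from the guide or from Shopify. The theme snippet and
the trusted-host list are constructed for a hypothetical store.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this hypothetical store has decided to trust for scripts (assumption).
TRUSTED_SCRIPT_HOSTS = {"cdn.shopify.com", "www.googletagmanager.com"}

# Constructed theme.liquid fragment; the third script is a stale vendor tag.
SAMPLE_THEME = """
<!doctype html>
<html>
<head>
  {{ content_for_header }}
  <script src="https://cdn.shopify.com/s/files/1/0000/0000/t/1/assets/theme.js" defer></script>
  <script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
  <script src="//old-analytics-vendor.example/pixel.js" async></script>
  <script>console.log("inline theme script, no src attribute");</script>
</head>
<body>{{ content_for_layout }}</body>
</html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def script_hosts(theme_html: str) -> list[str]:
    """Hostnames of external scripts; relative srcs (same origin) are skipped."""
    parser = ScriptSrcCollector()
    parser.feed(theme_html)
    hosts = []
    for src in parser.srcs:
        host = urlparse(src, scheme="https").hostname  # also handles "//host/x.js"
        if host:
            hosts.append(host.lower())
    return hosts


def untrusted_hosts(theme_html: str, trusted: set[str]) -> list[str]:
    """Script hosts that are not on the allow-list: candidates for removal."""
    return sorted({h for h in script_hosts(theme_html) if h not in trusted})


def csp_meta_tag(trusted: set[str]) -> str:
    """Meta-tag CSP limited to script-src. frame-ancestors, report-uri and
    sandbox are ignored when CSP is delivered via <meta>, so only script-src
    is emitted here."""
    sources = " ".join(["'self'"] + [f"https://{h}" for h in sorted(trusted)])
    return f'<meta http-equiv="Content-Security-Policy" content="script-src {sources}">'


if __name__ == "__main__":
    for host in untrusted_hosts(SAMPLE_THEME, TRUSTED_SCRIPT_HOSTS):
        print(f"untrusted script host: {host}")
    print(csp_meta_tag(TRUSTED_SCRIPT_HOSTS))
```

Run the audit over every .liquid file in the theme, not only theme.liquid, since sections and snippets can carry their own script tags. Test the generated meta tag on an unpublished preview theme first: Shopify's content_for_header emits inline scripts, and a script-src without 'unsafe-inline' or nonces blocks them, so expect to adjust the policy before publishing.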
Checkout extensibility
If you're still on checkout.liquid, migrate to Checkout Extensibility before Shopify's deprecation. The new checkout runs custom code in isolated extensions, which eliminates a huge class of script injection risks.
Monitoring and Incident Response
Set up alerts
- Enable login notifications under your account settings so every new device login emails you.
- Review the Settings → Users and permissions → View login history log monthly for unfamiliar IPs.
- For Shopify Plus, configure the audit log API to stream events to your SIEM or a Slack channel.
Know your recovery path
Store recovery codes for the store owner account in a password manager — not in email. If the owner's 2FA device is lost without recovery codes, you're looking at days of support tickets and notarised identity verification to regain access.
Run external checks regularly
Shopify's admin won't tell you if your DMARC is misconfigured, your CAA is missing, or a marketing pixel is loading from an expired CDN. External scanners catch what the platform won't. Drop your storefront URL into WebSentry for a free scan that grades your SSL, headers, DNS, and cookie configuration A–F, with specific fixes for each finding — a quick sanity check before you push a theme update or hand a store over to a client.
Check your own site
Run a free security scan and see if your site has the issues covered in this article. Results in under 30 seconds.