Skip to Content
26 June, 2026

Shopify Security Basics: A Merchant’s 2026 Checklist

Shopify Security Basics: A Merchant’s 2026 Checklist

Table of Content

A homewares merchant in Newtown rang us on a Tuesday morning sounding very calm, which is usually a bad sign. Overnight, someone had logged into her Shopify admin, changed the bank account on the payout settings, and quietly waited for the next deposit to land. Two factor authentication was off. A former contractor still had owner level access. The store had been running for four years without a single security review. By the time we untangled it, she had lost a payout cycle and a fortnight of sleep. Her first question was the right one: what should I have been doing all along?

This checklist is what we hand to Australian Shopify merchants who want to stop relying on luck. It covers the eight areas that come up again and again when we audit stores, and it is written for owners and operations leads rather than developers. If you can tick most of these off in a quarter, your risk profile changes dramatically.

Why Shopify security still needs your attention

Shopify carries a lot of the heavy lifting. The platform is PCI DSS Level 1 certified, the checkout is hardened, and the infrastructure is patched without you lifting a finger. That covers the parts most merchants never think about. What it does not cover is the human layer: who has access, which apps you have installed, how staff authenticate, and what happens when something goes wrong. Almost every Shopify incident we have investigated traces back to that human layer rather than a platform flaw.

The other shift in 2026 is the maturity of attackers. Card testing rings now run automated scripts that hit hundreds of Shopify stores a day looking for weak fraud settings. Phishing kits targeting Shopify admins are sold openly. Browser extensions sometimes ship malicious updates that scrape session cookies. None of this is hypothetical, and none of it requires Shopify to have a bug.

1. Turn on two factor authentication for everyone

This is the single most valuable change you can make today. Shopify supports authenticator apps, security keys, and SMS, in that order of preference. SMS is better than nothing but can be intercepted through SIM swapping, which Australian telcos have been working to reduce but which still happens. Authenticator apps like 1Password, Authy or the Shopify mobile app are the practical default for most teams. Hardware security keys are worth the spend for owner and finance accounts.

Make 2FA mandatory across your organisation in the Shopify admin settings, not optional. We have lost count of the audits where the policy was set but two of seven staff had quietly skipped enrolment.

2. Design staff permissions with least privilege

Most stores hand out owner or full access because it is easier than thinking about roles. The cost of that shortcut shows up when a phishing email catches a customer service rep and the attacker now has the keys to the whole store. Build roles that match real jobs. Customer service needs orders and customers. Marketing needs products, collections and discounts. Finance needs reports and payouts. Almost nobody needs access to apps, themes and settings at the same time.

Review staff access quarterly. Remove contractors the day their work ends, not the week after. Shopify keeps an audit log of staff actions, and it is worth opening it occasionally to see who is doing what.

3. Audit your installed apps

Every app you install asks for permissions. Some ask for customer data, some for order data, some for write access to your products. Over the life of a Shopify store, those permissions accumulate. The average store we audit has eleven apps installed, three of which the team forgot existed and one of which has not been updated in over a year.

Open the apps page, look at the scopes each app requests, and uninstall anything you are not actively using. For the apps that stay, check the developer behind them. A well known agency with a five year track record is a very different proposition from a single developer publishing under a generic name. We dig further into this process in our companion piece on Shopify app audit performance.

4. Protect customer data

Under the Australian Privacy Principles, you are responsible for the personal information you collect, even when Shopify stores it for you. That means knowing what data you hold, where it goes, and who can access it. Customer email lists exported to a marketing platform are still your responsibility. So are CSVs sitting in a shared drive from a campaign two years ago.

Reduce the surface area. Delete old exports. Limit who can export customer data in the admin. Document where customer information flows in your stack so that you can answer a data request without panicking.

5. Lock down payment and payout settings

The Newtown story above is the classic. An attacker who gains admin access does not steal product, they redirect money. Shopify added stronger controls around payout changes, including verification steps and notifications, but only the owner can guarantee the bank details on file are correct. Check them. Set up alerts so that any change to payout settings emails multiple people. If your store turns over enough to justify it, treat the owner account as a break glass credential and use a regular staff role day to day.

6. Reduce fraud at the checkout

Card testing and friendly fraud are the two patterns that hurt Australian merchants most. Card testing shows up as bursts of small dollar orders that get declined, often from the same IP or a narrow geographic range. Shopify has fraud filters, velocity controls and CAPTCHA at the checkout, and Shopify Protect covers eligible Shop Pay orders against chargebacks. Configure these deliberately rather than leaving them on defaults. Our detailed guide to fraud prevention on Shopify covers reducing chargebacks and card testing in depth.

For higher risk categories, add an extra layer at the edge. We often pair Cloudflare with Shopify to filter bot traffic before it ever touches the checkout, which we cover in detail in our guide to running Cloudflare in front of Shopify. For the full rundown of the bot types hitting stores and how to block them, see our guide to Shopify bot mitigation.

7. Back up the things Shopify will not back up for you

Shopify does not give you a one click rollback for products, collections, themes and metafields. If a bulk edit goes wrong, or a rogue app rewrites your product descriptions, you need your own backups. Several apps handle this well: Rewind and BackupMaster are the names that come up most. Pick one, schedule daily backups, and test a restore at least once.

Theme code should live in version control. Even small stores benefit from a Git repository so that you can roll back a CSS change that broke the cart on mobile.

8. Write a simple incident response plan

The worst time to figure out who to call is at 11pm on a Friday when orders have stopped. Write a one page document that lists the people who can log into Shopify, your DNS provider, your payment gateway, and your hosting. Note your Shopify support contact, your agency, and the order in which you would notify customers if their data was exposed. Print it. The version on the shared drive is not useful when the shared drive is the problem.

How to work through this list

  • Week one: enable 2FA for every staff member and remove dormant accounts.
  • Week two: audit installed apps and uninstall anything unused.
  • Week three: review staff roles and tighten permissions to least privilege.
  • Week four: configure fraud filters, payout alerts, and a backup app.
  • Ongoing: schedule a quarterly security review and update your incident response document.

None of this requires a developer. All of it materially reduces the chance that you will spend a quiet Tuesday morning explaining to your bank why your payout went to a stranger.

Where Defyn fits in

If your store has grown faster than its security posture, we can help. Our team runs structured Shopify audits that cover all eight areas above, plus performance work like Core Web Vitals optimisation and edge protection. Take a look at our services page or start a project and we will scope the right level of review for your store. For ongoing protection, our audit and support retainer keeps the checklist current month by month.

Want your store’s access controls, apps and fraud settings reviewed properly? Our Shopify development team runs security audits for Australian merchants.

Insights

The latest from our knowledge base