
Shopify Security Checklist 2026: 14 Actions in 90 Minutes

Most Shopify security guides give you 50-point checklists that nobody actually completes. This one is different: 14 specific actions, ordered by impact, each taking under 10 minutes. Run through it in an afternoon and you will be in the top 5% of Shopify merchants for store security. Print it, share it with your team, and run through it again every quarter.

The 14-point Shopify security checklist for 2026

Identity (4 items)

  • ☐ 1. Enable 2FA on the store owner account. Use an authenticator app (not SMS). 2 minutes.
  • ☐ 2. Enable 2FA on every staff account. Make it mandatory in your team policy. 5 minutes.
  • ☐ 3. Audit staff permissions. Settings → Users and permissions. Remove anyone who left. Reduce permissions to least-privilege. 10 minutes.
  • ☐ 4. Set strong, unique passwords on owner + staff + admin email accounts. Use a password manager. 5 minutes per account.

Storefront (5 items)

  • ☐ 5. Install ShopFence (free plan). Enable right-click block, image protection, DevTools block. 3 minutes.
  • ☐ 6. Enable country blocking for any country with >5% of your chargebacks. (Upgrade to ShopFence Premium $3.99/mo.) 5 minutes.
  • ☐ 7. Enable VPN/proxy detection on checkout. Challenge VPN users with extra verification. 2 minutes.
  • ☐ 8. Add corner watermarks to hero images. Brand name in 30% opacity, bottom-right corner. 30 minutes for full catalog, 5 minutes for hero shots only.
  • ☐ 9. Disable email/password customer login if you can. Shop Pay magic-link login eliminates credential stuffing entirely. 5 minutes if your theme supports it.

Apps & integrations (3 items)

  • ☐ 10. Uninstall unused apps. Each app is a permission surface. Audit Apps → Installed. 10 minutes.
  • ☐ 11. Review remaining app permissions. Revoke “theme edit” or “manage orders” from apps that do not actively need them. 10 minutes.
  • ☐ 12. Only install from the official Shopify App Store. “Free premium” apps from random sites are the #1 malware source. Quick mental policy change.

Monitoring (2 items)

  • ☐ 13. Enable Shopify Protect on eligible Shop Pay orders. Settings → Payments → Protect. Free. 1 minute.
  • ☐ 14. Upgrade to ShopFence Plus ($8.99/mo) for real-time theme scanning, malware alerts, and fraud dashboard. Set up alerts to your email + Slack. 5 minutes.

Total time: about 90 minutes the first time. Quarterly re-audit: about 30 minutes. Total monthly cost if you upgrade to ShopFence Plus: $8.99 ($0 if you stay on the free tier).

The quarterly re-audit (30 minutes)

  1. Pull chargeback report. Are the top countries the same as last quarter? Update country block.
  2. Review installed apps. Uninstall anything not actively used.
  3. Check staff permissions. Did anyone leave? Remove access.
  4. Review ShopFence Threat Dashboard. Any new attack pattern in the last 90 days? Adjust rules.
  5. Verify 2FA is still active on every account. Re-enroll anyone who lost their device.
  6. Test a fake checkout from a VPN. Confirm it gets challenged.
  7. Scan one random theme file for unfamiliar code. If you have ShopFence Plus, it does this continuously.
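A small version of the theme-file check in step 7, as an added example (not ShopFence's or Shopify's code): it flags script tags that load from hosts outside an allowlist and a few JavaScript constructs that often appear in obfuscated injected code. The allowlist, rule names and sample theme files are constructed assumptions; export your real theme and pass its files in instead.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this store expects to load scripts from; adjust per store.
ALLOWED_HOSTS = {"cdn.shopify.com"}
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Constructs common in obfuscated code; a hit means "read this line", not "malware".
SUSPICIOUS = {
    "eval-call": re.compile(r"\beval\s*\("),
    "base64-decode": re.compile(r"\batob\s*\("),
    "charcode-build": re.compile(r"String\.fromCharCode\s*\("),
}

# Constructed sample theme: {path: file text}. Not taken from any real store.
SAMPLE_THEME = {
    "layout/theme.liquid": (
        "<script src=\"{{ 'theme.js' | asset_url }}\" defer></script>\n"
        "<script src=\"//cdn.shopify.com/s/files/app.js\"></script>\n"
        "<script src=\"https://static.example.net/c.js\"></script>\n"
    ),
    "assets/custom.js": "function track(){ return 1; }\nvar p = atob('Y29uc3RydWN0ZWQ=');\n",
}

def script_host(src):
    """Return the remote host of a script src, or None for local/Liquid assets."""
    if "{{" in src:            # Liquid-generated URL, resolved by Shopify at render time
        return None
    if src.startswith("//"):   # protocol-relative URL
        src = "https:" + src
    host = urlparse(src).hostname
    return host.lower() if host else None

def scan_theme(files, allowed_hosts=ALLOWED_HOSTS):
    """Return a sorted list of (path, line_no, rule, detail) findings."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for src in SCRIPT_SRC.findall(line):
                host = script_host(src)
                if host and host not in allowed_hosts:
                    findings.append((path, no, "unlisted-script-host", host))
            for rule, pattern in SUSPICIOUS.items():
                if pattern.search(line):
                    findings.append((path, no, rule, line.strip()[:80]))
    return sorted(findings)

if __name__ == "__main__":
    print(*scan_theme(SAMPLE_THEME), sep="\n")
```

Every finding is a prompt for manual review: legitimate apps also load remote scripts, so extend the allowlist with the hosts of apps you have actually installed.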

Annual security review (2 hours, once a year)

  • Review every customer-facing integration. Map data flow. Identify any vendor that no longer needs access.
  • Review your incident response plan. Update phone numbers and contacts.
  • Renew cyber insurance. Confirm coverage matches your current AOV and customer count.
  • Run a tabletop exercise: “if our store was infected with a checkout skimmer right now, what would we do in the first hour?”
  • Train new staff on the security checklist.

Frequently asked questions

What is the most important Shopify security setting?

Two-factor authentication on the store owner account. If you only do one thing, do this. Combined with strong unique passwords on all related accounts (email, domain registrar), it eliminates 95% of admin-account compromises.

How long does it take to secure a Shopify store?

About 90 minutes the first time, following the 14-point checklist above. Most of that is account setup (2FA) and app configuration. Ongoing maintenance: 30 minutes per quarter.

Do I really need a security app for Shopify?

If you do any meaningful revenue: yes. Shopify covers the platform; you cover the storefront. ShopFence covers content protection, access control, and theme scanning in one app, with a free plan to start.

What does a Shopify security audit cost?

DIY: free (this checklist). With an agency: $1,500-5,000 for a one-time audit, $500-2,000/month for ongoing managed security. Cost-benefit favors DIY for stores under $1M annual revenue.

Where do I download this checklist as a PDF?

Copy this page into a notes app or print directly from your browser. The 14 checkboxes are designed to be tracked on a single page so you can run through them in one sitting.

Start now

Open the checklist, set a 90-minute block on your calendar, and work through items 1–14 in order. The first 4 (identity) are the highest-impact and cost zero. Items 5–9 (storefront) require ShopFence: start free, upgrade only if you need country/IP blocking. For the full picture, see the complete 2026 Shopify security guide.