Guide · 2026-03-14 · 11 min read

Shopify Store Protection Checklist for 2026 (30-Point Audit)

Complete Shopify security checklist for 2026. 30 items covering fraud prevention, bot blocking, content protection, checkout hardening, and account security.


Most Shopify stores are protected against one specific threat (chargebacks, scrapers, fake accounts) — but few have a layered, comprehensive setup. This checklist walks through 30 specific protections every serious store should have in 2026.

Use it as a quarterly audit. Score yourself and address weak points.

Section 1 — Fraud prevention (10 items)

1. Install a fraud filter app

Action: install Shieldy (free) or equivalent. Required baseline.

2. Block known high-risk countries

Action: Block rules → Location → add 3-5 highest chargeback countries from your order history.

3. Enable VPN/Proxy detection

Action: Bot Killer → Auto-block VPN/Proxy → ON. (Premium)

4. Enable Tor blocking

Action: Bot Killer → Auto block Tor → ON. (Enterprise)

5. Set auto-cancel risk threshold

Action: Fraud Order Filter → Auto-block fraud orders ON. Start with a threshold of 0.7; lower it to 0.5-0.6 if your chargeback rate is high.

6. Configure AVS / CVV requirements

Action: Shopify Payments → Fraud protection → Reject AVS mismatch + CVV mismatch.

7. Enable 3D Secure for high-risk

Action: Shopify Payments → 3DS → Always require for orders >$200 + first-time buyers from high-risk regions.

8. Block disposable email domains

Action: Block checkout → Email rule → *@tempmail.com, *@yopmail.com, etc.

9. Block freight-forwarder addresses

Action: Block checkout → Address keywords → "freight forwarder", "myUS", common forwarder patterns.

10. Set minimum order subtotal

Action: Block checkout → Subtotal rule → block orders with a subtotal under $5. Tiny orders are the signature of card-testing.
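Items 8 to 10 are three checkout rules that can be evaluated against each order before it is accepted. The following Python is an added example written for this checklist, not Shieldy's own code: the rule names, the glob-style email matching, the keyword list and the sample orders are all constructed here, and the app's real matching semantics are not documented on this page.

```python
"""Checkout block-rule evaluator modelled on items 8-10 (disposable
email domains, freight-forwarder addresses, minimum subtotal).

Added example, not Shieldy's code. Rule names, matching logic and
sample orders are constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class CheckoutRules:
    blocked_email_patterns: list   # glob patterns such as "*@tempmail.com"
    address_keywords: list         # case-insensitive substrings
    min_subtotal: float            # orders below this amount are blocked


def evaluate_checkout(order: dict, rules: CheckoutRules) -> list:
    """Return the names of the rules the order trips (empty list = allowed)."""
    hits = []

    # Item 8: disposable email domains. Lower-case both sides so that
    # "x@TempMail.com" still matches "*@tempmail.com".
    email = str(order.get("email", "")).strip().lower()
    if any(fnmatchcase(email, p.lower()) for p in rules.blocked_email_patterns):
        hits.append("disposable_email")

    # Item 9: forwarder keywords anywhere in the address or company lines.
    addr = " ".join(str(order.get(k, "")) for k in ("address1", "address2", "company")).lower()
    if any(kw.lower() in addr for kw in rules.address_keywords):
        hits.append("freight_forwarder")

    # Item 10: subtotal below the minimum (card-testing pattern).
    if float(order.get("subtotal", 0)) < rules.min_subtotal:
        hits.append("subtotal_below_minimum")

    return hits


# Constructed rule set mirroring the checklist values.
RULES = CheckoutRules(
    blocked_email_patterns=["*@tempmail.com", "*@yopmail.com"],
    address_keywords=["freight forwarder", "myus"],
    min_subtotal=5.00,
)

# Constructed sample orders (example.com / example.org addresses, not real customers).
SAMPLE_ORDERS = [
    {"id": "A1", "email": "jane@example.com", "address1": "12 High St", "subtotal": 89.00},
    {"id": "A2", "email": "x9@TempMail.com", "address1": "1 Main St", "subtotal": 49.99},
    {"id": "A3", "email": "bob@example.org", "address1": "Suite 400",
     "company": "MyUS Forwarding", "subtotal": 210.00},
    {"id": "A4", "email": "test@example.net", "address1": "5 Oak Ave", "subtotal": 1.00},
]


def audit(orders, rules):
    """Map order id -> list of tripped rules, for the whole batch."""
    return {o["id"]: evaluate_checkout(o, rules) for o in orders}


if __name__ == "__main__":
    for oid, hits in audit(SAMPLE_ORDERS, RULES).items():
        print(oid, "BLOCK" if hits else "allow", hits)
```

Running it shows A1 allowed and A2, A3 and A4 each blocked by exactly one rule. Keeping each rule's name in the result, rather than a single yes/no, is what makes the quarterly audit useful: you can see which rule is doing the work and which one never fires.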

Section 2 — Bot and scraper protection (8 items)

11. Enable bot user-agent filtering

Action: Bot Killer → User agent filtering → ON (default list).

12. Block datacenter IPs at storefront

Action: Bot Killer → Block datacenter IPs → ON. Blocks AWS, GCP, OVH, Hetzner.

13. Block spy browser extensions

Action: Bot Killer → Spy extensions blocker → ON. Blocks PPSpy, AliHunter, Minea.

14. Enable rate limiting

Action: Settings → Rate limiting → 30 requests/min per IP, action: Challenge.

15. Enable behavioural fingerprinting

Action: Bot Killer → Behavioural detection → ON. (Premium plan).

16. Configure IP whitelist for your team

Action: Block rules → Whitelist → office IPs, remote team IPs, monitoring tools.

17. Audit your installed app permissions

Action: Shopify Admin → Apps → review each app's scope. Remove unused apps.

18. Whitelist verified search crawlers

Action: Already on by default in Shieldy — verify that Googlebot, Bingbot and Applebot are allowed.
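Items 11, 14, 16 and 18 together describe a per-request decision at the storefront: allowlisted team IPs pass, known scraper user agents are blocked, claimed search crawlers are admitted only if verified, and everything else is rate limited at 30 requests per minute per IP with a challenge as the action. The Python below is an added example for this checklist, not Shieldy's code. It assumes forward-confirmed reverse DNS (PTR lookup, then forward lookup back to the same IP) as the crawler verification method, which is the method Google and Microsoft publish for their crawlers; whether Shieldy verifies crawlers that way is not stated on this page. The user-agent deny list, the DNS stand-in and the sample traffic are constructed.

```python
"""Storefront request filter modelled on items 11, 14, 16 and 18.

Added example, not Shieldy's code. Deny list, DNS stand-in and sample
traffic are constructed; the crawler check uses forward-confirmed
reverse DNS, which is an assumption about the method, not a statement
about Shieldy's implementation.
"""
from collections import defaultdict, deque

BLOCKED_UA_FRAGMENTS = ("python-requests", "scrapy", "curl/")   # constructed deny list (item 11)
TEAM_ALLOWLIST = {"203.0.113.10"}                                # item 16, TEST-NET address
CRAWLER_DOMAINS = ("googlebot.com", "google.com", "search.msn.com", "applebot.apple.com")
RATE_LIMIT = 30          # item 14: 30 requests ...
WINDOW_SECONDS = 60      # ... per minute, per IP

# Constructed stand-in for DNS: reverse (PTR) and forward (A) records.
FAKE_PTR = {"192.0.2.7": "crawl-192-0-2-7.googlebot.com"}
FAKE_A = {"crawl-192-0-2-7.googlebot.com": "192.0.2.7"}


def is_verified_crawler(ip, ptr=FAKE_PTR.get, forward=FAKE_A.get):
    """Forward-confirmed reverse DNS: the PTR name must sit under a known
    crawler domain AND resolve back to the same IP. The User-Agent string
    alone is never trusted, since any client can send 'Googlebot'."""
    host = ptr(ip)
    if not host:
        return False
    if not any(host == d or host.endswith("." + d) for d in CRAWLER_DOMAINS):
        return False
    return forward(host) == ip


class RequestFilter:
    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # ip -> request timestamps inside the window

    def _rate_exceeded(self, ip, ts):
        """Sliding window: drop timestamps older than the window, then count."""
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] >= self.window:
            q.popleft()
        return len(q) > self.limit

    def classify(self, ip, user_agent, ts):
        """Return 'allow', 'block' or 'challenge' for one request."""
        if ip in TEAM_ALLOWLIST:                      # item 16
            return "allow"
        ua = user_agent.lower()
        if any(f in ua for f in BLOCKED_UA_FRAGMENTS):  # item 11
            return "block"
        if any(bot in ua for bot in ("googlebot", "bingbot", "applebot")):
            # Item 18: a claimed crawler is admitted only if DNS confirms it.
            return "allow" if is_verified_crawler(ip) else "block"
        if self._rate_exceeded(ip, ts):               # item 14
            return "challenge"
        return "allow"


def run_sample():
    """Replay constructed traffic and return the decision for each request."""
    f = RequestFilter()
    results = []
    # 31 requests from one IP inside 60 s: the 31st crosses the limit.
    for i in range(31):
        results.append(f.classify("198.51.100.5", "Mozilla/5.0", ts=float(i)))
    results.append(f.classify("192.0.2.7", "Mozilla/5.0 (compatible; Googlebot/2.1)", ts=0.0))
    results.append(f.classify("198.51.100.9", "Mozilla/5.0 (compatible; Googlebot/2.1)", ts=0.0))
    results.append(f.classify("198.51.100.9", "python-requests/2.31", ts=1.0))
    results.append(f.classify("203.0.113.10", "python-requests/2.31", ts=1.0))
    return results


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The ordering of the checks matters: the allowlist is consulted first so that monitoring tools and the office never get challenged, and the crawler verification runs before the rate limiter so a genuine Googlebot crawl is not throttled while a client merely claiming to be Googlebot is refused outright.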

Section 3 — Content protection (5 items)

19. Disable right-click on product pages

Action: Content Protection → Deactivate right click → ON for /products/*.

20. Disable copy/text selection

Action: Content Protection → Protect content → ON.

21. Disable inspect element shortcuts

Action: Content Protection → Deactivate inspect → ON.

22. Watermark product images

Action: Pre-process images with a semi-transparent logo before upload. Use Cloudinary or do it manually.

23. Set up hotlink protection

Action: Content Protection → Hotlink protection → ON. Allows only your domain to embed.

Section 4 — Account and operational security (7 items)

24. Enable two-factor authentication

Action: Shopify Admin → Settings → Account → 2FA. Use an authenticator app, not SMS.

25. Audit staff account permissions

Action: Settings → Users → review each staff member's scopes. Apply principle of least privilege.

26. Set up admin login alerts

Action: Settings → Notifications → Email on new admin login from unknown device.

27. Use unique passwords for connected apps

Action: For each app integration (especially payment processors), use a unique credential.

28. Set up regular backups

Action: Use a backup app (e.g. Rewind) to snapshot product, theme, and order data weekly.

29. Monitor for app-store updates

Action: Subscribe to security advisories for your installed apps. Apply updates promptly.

30. Document an incident response plan

Action: Write a 1-page playbook: "If we see a card-testing attack, the first three steps are…"

How to score yourself

  • 0-10 items checked: Vulnerable. Address Section 1 (fraud prevention) immediately.
  • 11-20 items checked: Standard protection. Focus on Sections 2-3 for the next quarter.
  • 21-25 items checked: Strong. Audit Sections 3-4 for the residual gaps.
  • 26-30 items checked: Comprehensive. Quarterly re-audit for emerging threats.

What this checklist does not cover

A few important areas worth addressing separately:

  • PCI-DSS compliance — Shopify handles most of this, but stores using custom checkout extensions should review.
  • GDPR / CCPA — privacy compliance. Ensure your Shieldy data retention setting aligns with your privacy policy.
  • Supplier and dropshipper risk — third-party providers can be a fraud vector. Vet vendors carefully.
  • Email security — DMARC, SPF, DKIM for your customer email domain. Use Shopify Email or a dedicated provider.

Quarterly audit cadence

Mark these dates:

  • End of Q1, Q2, Q3, Q4 — full 30-point audit.
  • Monthly — review Shieldy Visitor Analytics for new patterns.
  • Weekly during high-risk seasons (Q4 holidays) — chargeback rate monitoring.
  • Immediately after any incident — root-cause review, add new rules.

Common audit findings

Stores that complete this checklist for the first time typically find:

  1. No VPN/Tor blocking — biggest single chargeback predictor missed.
  2. No subtotal threshold — card-testing attacks slipping through.
  3. AVS/CVV checks disabled — old Shopify default, never re-enabled.
  4. 3DS off entirely — easy enablement, immediate effect.
  5. Many staff with full admin — least-privilege not applied.
  6. Old / abandoned apps with active permissions — risk vectors.

Where Shieldy fits

Shieldy covers items 1-21 in this checklist (most of Sections 1-3). Items 24-30 are handled in Shopify admin directly. The cost ($4.99-$16.99/mo depending on plan) typically pays for itself within the first prevented chargeback.

Frequently asked questions

Is this checklist overkill for a small store?

For stores under 50 orders/month, items 1-10 are essential, items 11-23 are nice to have, and items 24-30 are essential regardless of size. Account security is universal.

What changes year-over-year?

The threat landscape evolves — new spy extensions launch, new VPN providers emerge, fraud patterns shift. Shieldy's database updates continuously so users stay current without manual work.

How long does this take to implement?

First-time setup: 2-3 hours. Quarterly audit: 30-45 minutes.

Should I hire someone to audit my store?

For stores over $5M/year revenue, an annual security audit by a Shopify Plus partner is worth the cost. Below that, this checklist is sufficient.

Do I need both Shieldy and Shopify Protect?

Yes — they cover different layers. Shopify Protect is order-level fraud risk; Shieldy is network/checkout-level blocking. Use both.

Wrapping up

Store security is a series of small, consistent practices — not a one-time setup. Walk through this checklist quarterly and your store will sit far above the median in protection. Start with Section 1 if you have not started already.
