How to Keep Your Shopify eCommerce Store Secure

One of the values in using Shopify is that it’s a software-as-a-service (SaaS) platform that helps small businesses build an eCommerce store and online presence with little technical background and knowledge. Shopify sites, as opposed to self-hosted WordPress (WooCommerce), are hosted on Shopify servers, and this has a cybersecurity benefit for store owners in that Shopify protects from numerous attacks that you might not be aware of in a self-hosted solution. However, even when you host your store on Shopify servers, you still have cybersecurity risks that you must be aware of and take the necessary steps to avoid a data breach. We’re covering some basic and more complex exploits that could leave your store vulnerable to data breaches, account takeover, brute-force attacks, or denial-of-service attacks, all of which affect your online reputation and customer trust.

Cybersecurity Benefits of Shopify

Before we get into the bad, let’s first discuss the benefits of a SaaS solution for eCommerce stores, especially for small businesses with no security team or technical knowledge of what could happen in an attack. Shopify itself has basic security, but you also have options to integrate security using third-party tools (e.g., firewalls) from Shopify’s app store.

At a basic level, Shopify has two-step authentication baked into its design, which adds an extra security step in the authentication process. Should an attacker successfully phish you or your staff passwords (we discuss phishing later), they would still need the unique two-factor code sent to the targeted user. You don’t need to configure this process like you would with self-hosted tools, which makes Shopify convenient for basic authentication cybersecurity.

Another benefit is Shopify’s integrated encryption between user browsers viewing your stores and your store’s servers. Without getting too detailed, several older encryption versions were found to be vulnerable to cyber-attacks. Namely, TLS 1.0 and 1.1 are no longer cryptographically secure and Shopify rejects connections using older TLS versions. User browsers must support at least TLS 1.2. This means that users will receive a rejection in their browsers if it does not support TLS 1.2. This might seem like an annoyance, but it protects users from having their data stolen should they connect to your ecommerce store on public Wi-Fi where attackers could collect data from insecure traffic.

Very minimal data is stored on Shopify, so using the SaaS solution eliminates the need to worry about database storage, compliance of sensitive data on your servers, and much of the necessary infrastructure to self-host a secure ecommerce store. Firewalls, a web application firewall (WAF), and other cybersecurity tools can be added easily from the Shopify app store. CloudFlare and other content delivery networks can be used to improve performance and stop denial-of-service attacks.

Even with these advantages, you still need to follow your own cybersecurity best practices and be aware of the many issues that could affect your business.

If you’re worried about compliance, Shopify is also PCI-DSS compliant. PCI-DSS defines many standards for communication of financial information across the internet. For eCommerce stores, this benefit is especially critical in avoiding hefty fines for poorly managed data.

Phishing

Although the basics of phishing are common knowledge for many people, even those aware of phishing attacks still fall victim occasionally. Many people don’t understand the anatomy of a phishing attack and its severe risk when a sophisticated campaign is launched along with social engineering.

Some email hosts are great with spam filters that catch phishing messages and emails with malicious attachments. For example, if you use Google Suite for your email, you get the benefit of artificial intelligence that detects and spam filters most attacks, but clever attackers can still bypass filters. In addition to bypassing filters, an attacker who gains access to an email address of one of your friends or acquaintances will often use the compromised account to send malicious messages to everyone in the victim’s stored contacts. This makes phishing incredibly effective, as targets think the message is from a trusted source.

In many phishing attacks, the sender’s address is spoofed to look like an official account. Unless you know how to read email headers, never trust the sender address as definitive proof that a message is safe. Any suspicious attachments should never be opened. Malicious attachments can contain keyloggers that steal your Shopify credentials and send them to the attacker.

For business emails, it’s important to use a platform or email service that offers phishing and malicious attachment filters. Even with filters, the occasional phishing email could bypass it, so be aware of suspicious messages. If a message contains a link that opens a website and asks for credentials, never authenticate into the linked site. Instead, type the site directly into your browser and authenticate there. Never provide credentials for any of your accounts in email, and never run executable files attached to messages even if the sender is a friend or coworker.

Third-Party Coding and Tools

Shopify stores are completely customizable. You can install your own third-party tools and customize the backend CSS and code. This is great for flexibility of site controls and design, but it opens up risk and could introduce vulnerabilities. Although the core functionality of Shopify is safe, poorly designed code could result in a compromise.

When vulnerabilities are found in any application, they’re added to a database called Common Vulnerabilities and Exposures (CVE). When vulnerabilities are made public, if your Shopify stores use the third-party application added to the CVE database, your store could be vulnerable to exploits. As an example, CVE-2020-8176 introduced Cross-SIte Scripting (XSS) into Shopify stores that used a third-party tool for admin authentication. XSS vulnerabilities are used for multiple reasons including theft of user cookies, session variables, and potentially theft of credentials and secrets.

You can’t control vulnerabilities in custom code unless you can remediate them, but you can take steps to reduce your risk. Always keep your third-party applications up-to-date, which is often an overlooked aspect of site cybersecurity. When a new patch is released by developers, install the latest update as soon as possible. The longer you leave software unpatched, the bigger the window of opportunity for an attacker.

As an additional way to check your site for vulnerabilities and to show visitors that your site is safe, you can install TrustedSite Certification on your Shopify store. On a weekly basis, TrustedSite will run a security scan on your site to ensure the following: that there is no malware or malicious links, the site is not Google blacklisted, the site is not a phishing site, an attack site, or a compromised site. After passing the scan, you will then be able to display the TrustedSite trustmarks letting buyers know that you as a business owner are who you say you are and that your site is secure to shop on with a credit card and personal information. If your brand isn’t yet a household name, this is especially important to show buyers who might worry about sharing credit card information and their address with a brand they just heard about. TrustedSite Certification is proven to give shoppers added confidence when shopping on your Shopify or other online store and convert more customers along the way. Here’s how TrustedSite helped Mountain House increase conversions by 26.9%. Get started with TrustedSite here.

Password Security

Even with two-factor authentication, you should still take necessary precautions to protect your admin credentials. Knowing the signs of phishing explained in a previous section is the first step, but it doesn’t cover every attack that could compromise your site. Your password should be cryptographically secure, which means it should be at least 8-10 characters long with a mix of capital letters, lowercase letters, special characters and numbers.

When attackers steal data from sites you frequent, your credentials are put on a public list. If you use the same credentials across multiple sites, those accounts would also be vulnerable to brute-force password attacks. Compromised credentials are available on several sites, so anyone could have access to your private accounts. A good rule of thumb is to use different passwords across all sites, especially with credentials that provide access to sensitive controls such as your Shopify admin.

Tracking all your passwords is difficult, and that’s why many people use the same credentials across multiple sites regardless of the risks. Chrome and other browsers offer you the ability to randomly create a cryptographically secure password, but this means remembering random characters for your credentials. The alternative is to get a password vault where you can store all your passwords, and you access them with one main vault key. A popular password vault on the market is LastPass. It plugs into your browser and automatically fills in the password from your vault when you access a site including the Shopify admin. It also has a mobile app so that you can access your passwords at any time.

Protecting API Keys

If you use the Shopify API, then your keys are equivalent to your password. Many new ecommerce store owners don’t understand the significance of exposing their Shopify API keys to a third-party. If you hire a Shopify developer to customize a tool, ensure that the code does not disclose your keys and never give your keys to a third party.

Depending on the way your API is used and the Shopify API endpoint, disclosure of your keys could expose your entire store data to an attacker, or it could give an attacker access to your Shopify admin allowing the attacker to take control of your site.

Incident Response after a Data Breach

Cybersecurity is more than just avoidance of exploits. It includes the ways you handle a data breach after the fact. Since your ecommerce site stores data on Shopify servers, you entrust your data to stay safe. Unfortunately, insider threats are a real concern for cybersecurity. Many data breaches are from human errors or malicious employees. Shopify has been breached by rogue employees where they exposed about 200 merchants’ data.

Whether your own store was breached or Shopify was compromised, always alert users affected by the breach. Several compliance regulations require that you notify affected parties and failing to notify customers could result in hefty fines.

Secure Payment Gateways

Shopify stores limited information, but every ecommerce store needs a payment gateway to take payments and manage orders. To keep your money safe as well as your customers data safe, you need a payment gateway that implements the right cybersecurity standards.

Payability is different from a standard merchant account. We provide capital to eCommerce businesses to help them grow faster. Our systems are secure and provide an encrypted route from your browser to our systems. Our Instant Advance for Shopify can be used alongside or in the place of Shopify Capital or other financial products. There are no credit checks associated with applying and you can get approved in just 24 hours. Apply for a Payability Instant Advance here.

Conclusion

Understanding the cybersecurity rules that create a safe shopping experience for customers is difficult for small businesses with Shopify stores. Data breaches create an unsafe environment for customers and affect your business reputation. By following these few cybersecurity suggestions, you can avoid many of the attacks that could make your business a victim of a cyber-attack.

For ways to keep your Amazon and other marketplace accounts secure, check out this guide.

Cookie	Duration	Description
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
__hstc	5 months 27 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
__tld__	session	No description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_C1H34MN9LM	2 years	This cookie is installed by Google Analytics.
_gat	1 minute	This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hp2_hld8523682847238457.1159916838	5 minutes	No description
_hp2_id.1159916838	1 year 1 month	No description
_hp2_ses_props.1159916838	30 minutes	No description
_uetsid	1 day	Bing Ads sets this cookie to engage with a user that has previously visited the website.
_uetvid	1 year 24 days	Bing Ads sets this cookie to engage with a user that has previously visited the website.
ajs_anonymous_id	1 year	This cookie is set by Segment to count the number of people who visit a certain site by tracking if they have visited before.
ajs_user_id	never	This cookie is set by Segment to help track visitor usage, events, target marketing, and also measure application performance and stability.
AnalyticsSyncHistory	1 month	No description
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
hubspotutk	5 months 27 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
li_gc	5 months 27 days	No description
player_session	7 days	No description
pybUserID	9 years 9 months	No description
wmc	10 years	No description available.