Skip to content
  • Trusted by over 100,000 merchants

Must-read techniques for securing your Shopify theme's store and data

Must-read techniques for securing your Shopify theme's store and data

After working for countless hours developing products and setting up your Shopify theme, it’s only natural that you want to protect your store as much as possible.

In this post, we’ll discuss a variety of frequent concerns that Shopify store owners have about securing their stores and their content as well as offer some frank and practical advice on how to utilize a variety of best practices and strategies.


“Scraping” is a term that refers to automated software that is designed to scan websites and gather information such as phone numbers, email addresses and other data listed on the site. A broader form of scraping, meanwhile, involves automatically filling out contact forms with spam.

Unfortunately, this type of activity is difficult to stop and can quickly become a losing battle.

Shopify’s default contact form doesn’t allow adding a CAPTCHA or other type of user verification method, but there are many form apps that do add this capability.

Rendering your email address or phone number as an image is one possible way to prevent this type of situation, but keep in mind it also makes it difficult to copy the information or tap it to start a phone call or click to send an email; these are things that your site visitors may intuitively expect to be able to do in your shop..

Another common technique is email obfuscation, which attempts to render clickable email addresses using a variety of behind-the-scenes techniques that make it harder for scrapers to detect.

The advantage to this is that most users will still be able to click the link without knowing anything is different and it can potentially cut down on some spam.

However, none of these solutions are foolproof — there are scrapers that can “read” images and they are getting better and better every day. In addition, some spammers actually rely on real life people to scrape data, rather than automated programs, meaning all of these tactics would be thwarted.

Ultimately, it’s a fine line of deciding how difficult you want to make it for scrapers to pick up your contact information while not making it too difficult for legitimate messages to get through. Although it can be annoying to deal with, you may ultimately be better off becoming efficient at sorting through spam messages than risk losing a potential customer contact.

A good way to manage the amount of email could be to use a service known as a "team inbox" which creates a team mailbox that multiple users can help manage, so if you have other team members, you can divide up the responsibility of sorting through messages.

There are also numerous email apps for mobile devices that focus on the concept of “inbox zero” that have unique ways to make managing email easier. For some suggestions, try searching for “inbox zero apps” or similar terms.

Lastly, it’s worth noting that you should always create a dedicated email and phone number for your business or shop rather than ever using your own personal contact info here.

You can create a new Gmail address just for your shop and get a virtual phone number that forwards to your personal number so that the latter is never exposed.

Note that Shopify will always use the email listed in your Settings > General > Store Details > “Customer Email” field (rather than your “Account Email”) for all communications with customers such as newsletter signups or contact form submissions, so it's a good idea to make sure this is updated as well.

Image protection

Many store owners are rightfully concerned about product images and other artwork being downloaded and used by competitors or other third parties without authorization.

Right click prevention

Many store owners like to add “right click prevention.”

This approach typically uses JavaScript to detect if a user has clicked the right mouse button in an attempt to save an image. While it’s fairly easy to implement this, it’s also easy for someone with intermediate Web skills to circumvent — and a sophisticated user can bypass it without blinking an eye.

Right click prevention can also cause significant user experience and accessibility issues with your site. Combined with the fact that it’s typically pretty ineffective in thwarting the issue at hand, it’s typically not worth adding this feature.

Watermarking your images

Watermarking is another common approach to protecting your images. This involves adding either your logo, company name or other marking directly within the image file, typically directly over the image.

Some watermarks can be semi-transparent, while others are more obvious.

Watermarking can be a good way to prevent your images from being used by competitors, but it’s also not a perfect solution.

First, adding a watermark to your image obviously affects how it looks to shoppers — who may find it distracting to see the product with a logo or text over it.

In addition, in many cases, it’s fairly easy to remove a watermark using Photoshop or similar image editing program — so if someone really wants to download and use your images, it can still be pretty easy to do so without a whole lot of effort.

Alternatives to watermarking

One potential alternative to a traditional watermark is to stage your product photography in a way that makes it not only easy to recognize as your photography but also less desirable for someone else to use.

For example, if you sell handbags or luggage, consider tying a tag on the handle that has your store name or logo on it when photographing it. If you make beauty products, teas, oils, wine, etc. take the time to develop branded labels for all your items to literally put your stamp on them like Beard & Company does. If you sell clothing, shoot the products on models wearing the items in unique environments like NanaMacs does; don’t just photograph the items isolated on blank backgrounds.

If none of these options work, consider using a unique background texture or material that’s harder to replicate. You can also consider surrounding your products with decorative accessories. Soul Peaces does a great job of using this strategy.

Not only can this add a little bit of character to your product photography, it also could make it easier to prove that a photograph was stolen from your site.

Hidden pixels

Some stores also use a hidden pixel in their product photography. This involves adding a single pixel of a unique color that’s hidden somewhere in the photo. This is a clever way to “tag” your image and can, again, be a great way to prove that the photo was yours originally and was subsequently stolen.

For example, in this image of a coffee cup, we’ve added a red pixel, as shown in this extreme close-up:

Despite the fact that color is rather bright, it's almost impossible to see when fully zoomed out:

Trust us. It's still there!

Reporting copyright violations

If you do run into unauthorized use of your images, consider contacting the store’s hosting company (use a tool such as DomainTools) to look up this information.

Most hosting companies have an “abuse” or “DMCA” team that investigates this type of theft. When contacting them, be sure to include any evidence, including any of the tricks mentioned above that you’ve employed.

At the end of the day, however, any image that you place on your website is typically very easy for someone to download, alter and reuse, no matter what protections you have in place. It’s also fairly easy to get caught up in trying to squash every unauthorized use of your images and devoting large amounts of time to it, so be careful not to let this get in the way of running your business.

Securing the admin

One of the most important things you can do to protect your Shopify theme and business is to ensure your backend access is secure.

First and foremost, be sure that the store owner’s admin password is extremely secure. Ideally, the password should be a combination of upper and lower case letters, numbers and symbols and not contain any words. For an easy way to create a memorable but secure password, check out this article.

Using your business name, phone number or address as even part of your password is not recommended as this type of information is easy to find out with some simple Internet searches.

Remember that the store owner account has “super” admin rights and can be used to grant spammers access to your store; it also has access to all of your customer and financial data.

It’s also recommended that you change your password regularly and not use a password that you've used on any of your other other online accounts.

All in all, this might seem a bit like overkill to some store owners, but keep in mind that your customers are often trusting you with a large amount of personal information, including their name, address and order history.

From a business standpoint, there are also a variety of reasons to keep info such as sales reports, analytics and other data contained in the Shopify admin confidential so as not to give a competitor an advantage.

For even more security, consider these additional tips:

  • Add a reminder to your calendar to check, at least monthly, who has access to your store under Settings > Account > Staff and promptly delete any authorized or outdated logins.
  • At the same time, review what apps you’re using and remove any that are outdated. Many apps have access to key store data, so removing any unused ones is a good extra security step.
  • Also check staff member login timestamps for unusual activity. If you spot anything suspicious, have the admin change that account’s password immediately. This can be especially useful if you’re the only one with login access — if you notice that your last login wasn’t at a time you were using Shopify, this could be a sign that your account has been compromised.
  • Click the “expire user sessions” button periodically to force everyone to log back in. While this can be a bit of a pain, it’s also a good measure to erase any logins from public terminals, lost devices or hacked accounts.
  • If anyone with shop admin access loses a device that’s used to access Shopify, be sure to change that person’s password immediately — even if the device is recovered. This also is a good opportunity to have everyone update their passwords.
  • Finally, if you ever have any suspicions that your account security has been compromised, change your password immediately. It’s better to err on the side of caution than have your store hacked!

Your cart is empty

Continue shopping