
We Don't Think About Security — Says Nobody

Nobody admits they don't think about security. Almost everyone, in practice, doesn't. Here is the ten-item ecommerce security checklist for a $300k per month Shopify store.

By Vadim Sharapov · 10 min read
ecommerce · shopify · security

Nobody admits they don't think about security. Almost everyone, in practice, doesn't. I asked five Shopify founders last quarter how they'd handle a staff-account takeover at 2am on a Saturday — four paused, one laughed, and zero had a written answer. That is the entire ecommerce security problem, in one sentence.

This is the Monday-morning checklist for a fashion DTC store doing $300k/month — call them Brand A. Not a checklist for an enterprise with a CISO. Not a checklist for a single-founder hobby store. Just the ten things an operator at this revenue band should run through before opening the dashboard, plus the five real threats at this size and the expensive things to explicitly ignore for now.

Almost no one at $300k/month is doing this. The ones who do sleep better and lose less revenue when something goes sideways.

What ecommerce security actually means at $300k a month

Before the checklist, a vocabulary list. Most of the words in this space are acronyms, and most operators nod through them and quietly google later. Consolidate up front.

2FA — Two-Factor Authentication

A second proof-of-identity step on top of the password, usually a code from an app on your phone.

MFA — Multi-Factor Authentication

Same idea as 2FA but allows more than two factors. In practice, treat them as the same thing for a Shopify store.

CSP — Content Security Policy

A browser security header that tells the browser which scripts are allowed to load on your storefront.

SRI — Subresource Integrity

A hash you put on a script tag so the browser refuses to run the script if its contents have changed.

IR — Incident Response

The written plan for what you do when something goes wrong: who calls who, in what order, and what gets shut off first.

OSINT — Open-Source Intelligence

Information an attacker can gather about your team and store from public sources alone (LinkedIn, social posts, exposed breach lists).

OWASP — Open Worldwide Application Security Project

The non-profit that publishes the canonical list of common web attacks and how to defend against them.

CVE — Common Vulnerabilities and Exposures

The public catalog of known software bugs that have a security impact, each with a unique ID.

MSP — Managed Service Provider

An outside team you pay to run a piece of infrastructure for you, instead of staffing it in-house.

CISA — US Cybersecurity and Infrastructure Security Agency

The US government agency that publishes free, vendor-neutral guidance on common ecommerce-relevant threats.

WAF — Web Application Firewall

A filter sitting in front of your store that blocks obviously hostile requests before they hit the application.

Magecart

A loose family of attacks where someone injects card-stealing JavaScript into a store's checkout. Named after the original Magento targets; it applies to Shopify just the same.

Good. With the vocabulary out of the way, here is the actual ecommerce security model at this size.

The five real threats at $300k a month

You are not, at this revenue band, a target for a nation-state. You are also not low-stakes enough to be ignored. You are interesting to small-to-mid criminal crews running automated tooling against thousands of Shopify storefronts a week, looking for the ones that didn't change their defaults. The threats that actually matter for Brand A are:

  1. Credential stuffing on staff accounts. Reused passwords from old breaches get tried against your Shopify admin login. If 2FA is off and the password lives somewhere in a five-year-old breach dump, the attacker walks in.
  2. Compromised app supply-chain. Brand A has 23 Shopify apps installed. Any one of those vendors getting popped means the attacker now has whatever permissions that app was granted on the store — sometimes including order data, sometimes including the ability to inject script tags.
  3. Magecart-style checkout skimmers. Card-stealing JavaScript lives somewhere in the storefront's loaded scripts — either injected directly through a compromised app, or via a third-party tag that the store's tag-management setup loaded without strict review. OWASP keeps a running technical reference on the web-skimming attack family.
  4. Phishing of staff via fake order notifications and abandoned-cart alerts. Attackers know what a Shopify ops email looks like; copying the chrome of one is trivial. A staff member clicks "review the suspicious order", lands on a lookalike admin login, and types credentials into someone else's form.
  5. Exposed admin tokens and API keys in repositories. The dev who set up the storefront six months ago accidentally committed a Storefront API token to a public repository. The token has read-customer permissions. Nobody noticed; the token still works.

That's the ecommerce security threat model at $300k/month. Now the checklist.

The Monday-morning ten-item ecommerce security checklist

Run through this once a quarter, not once. The Shopify Help Center has a longer reference page on securing your Shopify account worth bookmarking; the ten items below are the operator subset to do hands-on.

  1. Turn on 2FA for every staff account, no exceptions. Not just the owner account. Every single staff member with admin access. Use an authenticator app, not SMS — SMS-based 2FA can be defeated by SIM-swap attacks, which are unfortunately common enough at this revenue band to matter.
  2. Review the Shopify admin audit log for the last 30 days. Look at every login event, every staff permission change, every app install. Anything you don't recognize is a question to answer Monday, not Friday. The audit log is the single most under-used feature in the Shopify admin at this revenue band.
  3. Walk through every installed app. Brand A has 23 apps. Go down the list. For each: do we still use it? What permissions does it have? When was it last updated? Uninstall the four you don't recognize and the three you stopped using six months ago.
  4. Rotate every API token issued in the last 12 months. Storefront tokens, custom-app tokens, admin API keys, webhook secrets — all of it. Treat anything older than a year as already-exposed-by-default. Generate new ones, update the consumers, revoke the old ones.
  5. Inventory every script that loads on checkout. Every analytics tag, every conversion pixel, every customer-data integration. For each one, write down: what vendor owns it, what data it reads, what it would do to the store if its source domain got compromised tomorrow morning. If your data layer pipes events through a vendor, confirm the vendor's posture explicitly — for what it's worth, we forward consent signals you set, unchanged. The list itself is the deliverable; you are looking for the script you forgot was there.
  6. Add a Content Security Policy header to your storefront. Even a starting CSP that allow-lists only the domains you currently use is meaningfully better than no CSP. The point isn't a perfect policy, the point is that an injected script from an unfamiliar domain stops loading. Tighten the policy quarterly.
  7. Write a one-page incident response plan and tape it to the wall. Three sections only: who do I call first, what do I shut off first, and where is the customer-comms template. If a staff account gets popped at 2am, you don't want to be drafting your first-ever IR plan with one hand while logging out sessions with the other.
  8. Set a rate limit on the admin login page. Either through a WAF in front of the store or through the Shopify admin's built-in protections. The point is to make automated credential-stuffing slow enough that the attacker moves on to a different store.
  9. Run a five-minute OSINT sweep on yourself. Search your own domain on a public breach-checking service. Search every staff member's work email the same way. Anything that comes up: rotate the password on every system that account uses, today.
  10. Tabletop one phishing scenario with the team. Pick the most plausible one — a staff member receives an email that looks like a Shopify chargeback notice asking them to log in. Walk through it out loud at the next standup. The drill costs fifteen minutes; the muscle memory it builds saves a real account on a real Tuesday.
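Items 5 and 6 are one workflow: the script inventory is the input, the starting CSP is the output. The following is an added Node.js example, not the article's own tooling, that audits a checkout page against an inventory and emits the starting policy. The vendors, origins and page HTML are constructed for the example, and the function names are assumptions.

```javascript
// Added example, not from the article: turn the checkout-script inventory
// (item 5) into a starting Content Security Policy (item 6). The vendors,
// origins and the page HTML below are constructed for the example.

// What item 5 produces: each vendor you reviewed, and the origins it loads from.
const SCRIPT_INVENTORY = [
  { vendor: 'Analytics (constructed)', origins: ['https://analytics.example'] },
  { vendor: 'Conversion pixel (constructed)', origins: ['https://pixel.example', 'https://cdn.pixel.example'] },
];

// The checkout page as the browser sees it (constructed). One tag here was
// never written down in the inventory: that is the script you forgot was there.
const CHECKOUT_HTML = `
<script src="https://analytics.example/a.js"></script>
<script src="https://cdn.pixel.example/px.min.js" async></script>
<script src="https://static.forgotten-tag.example/loader.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
`;

// Extract the origin of every external script tag, and count inline ones
// (inline scripts need a nonce or hash under CSP; 'unsafe-inline' defeats it).
function scriptSources(html) {
  const external = new Set();
  let inline = 0;
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!src) { inline += 1; continue; }
    const url = src[1].startsWith('//') ? `https:${src[1]}` : src[1];
    external.add(/^https?:/i.test(url) ? new URL(url).origin : "'self'");
  }
  return { external: [...external], inline };
}

// Compare what actually loads against what you decided to trust.
function auditCheckout(html, inventory) {
  const trusted = new Set(inventory.flatMap((v) => v.origins));
  const { external, inline } = scriptSources(html);
  const unknown = external.filter((o) => o !== "'self'" && !trusted.has(o));
  return { external, inline, unknown };
}

// The starting policy: only your own origin and the inventoried vendors may
// run script. Ship it as Report-Only first, read the violation reports for a
// week, then switch to the enforcing header name.
function startingCsp(inventory, { reportOnly = true } = {}) {
  const origins = [...new Set(inventory.flatMap((v) => v.origins))].sort();
  return {
    header: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
    value: `script-src 'self' ${origins.join(' ')}; object-src 'none'; base-uri 'self'`,
  };
}

console.log(auditCheckout(CHECKOUT_HTML, SCRIPT_INVENTORY));
console.log(startingCsp(SCRIPT_INVENTORY));
```

Two notes on using this. The policy only covers script-src, which is the directive that stops an injected skimmer; the one inline snippet in the sample would also be blocked unless you give it a nonce or hash, and adding 'unsafe-inline' to get it working would let an injected inline script through as well. On a hosted storefront where you cannot set response headers, the same value can be delivered as a <meta http-equiv="Content-Security-Policy" content="..."> tag in the theme; the Report-Only variant is not supported in a meta tag, so test the policy on a preview theme before it goes live.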

Ten items. None exotic. None requiring a security vendor. None costing more than staff time. And almost no Shopify store at $300k/month has done all ten this year — which is why these ten items, in this order, are the entire ecommerce security curriculum at this revenue band.

What to do versus what to ignore

Same list, simpler view — do these Monday, ignore those for now.

Do this on Monday morning | Ignore at this revenue band
--- | ---
Turn on 2FA for every staff account | Full third-party penetration test ($15–30k for a small scope)
Review the Shopify admin audit log | ISO 27001 certification ($50–150k all-in over 12–18 months)
Inventory every checkout script | Public bug-bounty program
Rotate API tokens older than 12 months | Hiring a full-time security engineer
Tabletop a phishing scenario | Buying an enterprise SIEM platform
Add a starting CSP header | Commissioning a SOC 2 Type II report

The left column is the practical ecommerce security stack at this size. The right column becomes worth doing later. The ignore column is not permanent — it's a "not at $300k/month" ignore. A pen-test at this size buys a list of issues you already know about and a five-figure invoice. Wait until $1.5M+ a month and a real cardholder-data scope problem before spending on it.

The operator threat-model questions

If you only have twenty minutes to think about ecommerce security all quarter, these are the six questions worth sitting with. Write the answers down. Send them to your co-founder. The exercise is the value.

  1. If a staff account gets compromised tomorrow, what's the first thing the attacker would do — and how would I know?
  2. Which of my 23 installed apps would do the most damage if the vendor itself got compromised?
  3. If I had to remove every checkout script tomorrow morning except three, which three would I keep?
  4. Which staff member is most exposed to a targeted phishing attempt — and what training have they actually had?
  5. If my admin password is exposed tonight, would 2FA actually save me, or have I left a backup login route open somewhere?
  6. What's the longest a card-skimming script could live on my checkout before I would notice it?

Not gotcha questions. Operator questions. If you don't have an answer, that is an answer — it tells you what the next two weeks of Monday-morning work should be.

What expensive things to ignore for now

The single biggest ecommerce security mistake at $300k/month is over-investing in security theater. A pen-test at this size, run before the ten checklist items, finds the same things the checklist would have found — except you've spent $15–30k for a small scope to find out your 2FA was off. ISO 27001 at this stage is a $50–150k all-in over 12–18 months commitment that buys a wall plaque your customers don't care about. A bug-bounty program with no IR plan behind it just creates a queue of valid reports you can't respond to.

Order of operations matters. Do the ten checklist items first. They are obvious on paper and almost invisible if you don't write them down. Expensive ecommerce security certifications come later, when an enterprise customer asks for a SOC 2 report before signing — not as a default.

The Monday-morning re-affirmation

The whole point of this checklist is that ecommerce security at $300k/month is unglamorous. No single product to buy, no certification to wave around, no vendor to outsource it to entirely. It is ten boring things, done on a recurring Monday, by an operator who took fifteen minutes a week instead of zero. The ones who do it lose less when something goes wrong, and recover faster when it does. The ones who don't are running on the assumption that nothing will go wrong, which is a strategy until it isn't.

Pick the first item. Do it before lunch. Pick the second tomorrow. By month-end you will have done more for your store's ecommerce security posture than 90% of the ecommerce security stack a vendor would try to sell you.


Vadim Sharapov is the founder of Loomaru — revenue recovery infrastructure for Shopify stores. If your ad platforms can't see 5–15% of your conversions, loomaru.com.
