Staff Accounts and Security Procedures in Shopify


In a previous Shopify blog post, we discussed how to create staff accounts so that new team members can help manage the store. But adding staff members brings with it the responsibility of maintaining proper security. Therefore, we want to follow up by addressing staff accounts and security procedures.

As a business owner and the administrator of your Shopify account, it is up to you to routinely monitor your account to make sure no fraudulent activity is taking place. Shopify recommends reviewing staff account login history on a regular basis to ensure there have been no unauthorized logins from unknown sources.

To do so, go to your Shopify admin and navigate to Settings > Account. You will see a list of all staff members; click on the account you want to review. The ‘Recent login history’ section contains the data you need: login dates, locations, IP addresses, and the web browsers and operating systems used to access your site.

For the record, all of this information is included in the Shopify documentation. They thoroughly explain everything you need to know about staff accounts.
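As an added example (not Shopify's code and not taken from the Shopify admin), the following Python script triages login-history records of the kind described above against a per-staff baseline of known networks and countries; the record layout, the baseline values and the sample logins are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Login:
    """One row of the kind shown under 'Recent login history' (assumed layout)."""
    staff: str
    when: datetime
    ip: str
    country: str
    user_agent: str


# Constructed baseline of what "normal" looks like for each staff account.
# In practice you would build this from login history you already trust.
KNOWN_NETWORKS = {
    "alice": [ip_network("203.0.113.0/24")],
    "bob": [ip_network("198.51.100.0/24")],
}
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"CA"}}


def flag_login(login, known_networks=KNOWN_NETWORKS, known_countries=KNOWN_COUNTRIES):
    """Return the reasons a login looks unusual (an empty list means nothing flagged)."""
    reasons = []
    addr = ip_address(login.ip)
    if not any(addr in net for net in known_networks.get(login.staff, [])):
        reasons.append(f"ip {login.ip} outside known networks")
    if login.country not in known_countries.get(login.staff, set()):
        reasons.append(f"country {login.country} not seen before")
    # Admin logins in the middle of the night deserve a second look.
    if login.when.hour < 6:
        reasons.append(f"login at {login.when:%H:%M}")
    return reasons


def review(logins):
    """Group every flagged login by staff account: {staff: [(login, reasons), ...]}."""
    flagged = {}
    for login in logins:
        reasons = flag_login(login)
        if reasons:
            flagged.setdefault(login.staff, []).append((login, reasons))
    return flagged


# Constructed sample history using TEST-NET addresses, not real staff data.
SAMPLE = [
    Login("alice", datetime(2024, 3, 4, 9, 15), "203.0.113.17", "US", "Chrome/Windows"),
    Login("alice", datetime(2024, 3, 5, 2, 40), "192.0.2.99", "RO", "Firefox/Linux"),
    Login("bob", datetime(2024, 3, 5, 10, 5), "198.51.100.8", "CA", "Safari/macOS"),
]

if __name__ == "__main__":
    for staff, hits in review(SAMPLE).items():
        for login, reasons in hits:
            print(staff, login.when, "; ".join(reasons))
```

A login that trips several checks at once, such as the second sample row, is the one to investigate first, using the removal and forced-logout steps described below.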

Account Removal

In the event you suspect a staff account has been compromised, the safest thing to do is remove it altogether. This is relatively easy to do. Again, go to your Shopify admin and navigate to Settings > Account. You will be presented with a list of all of the staff accounts in your system; click the trash icon to the far right of the account you believe has been compromised. You will then be presented with a dialog box to confirm your choice. Click Delete to complete the action.

There may be occasions when reviewing staff accounts in which you suspect someone currently logged on is either not legitimate or is a staff member misusing account privileges. Shopify explains that you can force a logout of the staff account if you are the Shopify account owner or another staff member with full administrative privileges.

To do so, navigate once again to your Account page to bring up the list of all staff accounts. On that page, click the ‘Staff member’ section, followed by ‘Expire User Sessions’. That will take you to a new page listing all of the staff members currently logged in, and you will be presented with a dialog box asking you to confirm that you want to force all users off the system.

How does this help? You could be in a situation where a hacker has taken over one of your accounts and is driving it with some sort of automated system on their end. Forcing a logout immediately disconnects the user from the account and forces the hacker to log in again to regain control. Given that hackers tend to automate as much as possible, there would likely be some time lag between the forced logout and a new login. This gives you time to investigate whether the account was really being used fraudulently or not.

