Storemend

Guide · security & cleanup

My Shopify store redirects to spam or got hacked — what to do

Written by Astrid, Shopify developer Last updated:

The short version

If a Shopify store redirects to spam or shows pages the owner didn’t add, the cause is almost always injected theme code, a malicious or compromised app, or leaked admin or collaborator access — not a hacked server, because Shopify hosts the platform itself. The fix is Shopify-specific: find and remove the bad code in the theme, audit and remove the app or access that let it in, then rotate logins and revoke stray collaborators. Storemend handles this on a duplicated, unpublished theme copy so the live store keeps selling while it’s cleaned, with every change recorded so it can be undone.

A “hacked” Shopify store usually shows up in one of a few ways: visitors get bounced to a sketchy site, search results list pages you never created, your homepage flashes something odd for a second before loading, or Google flags your domain as deceptive. It’s alarming — but on Shopify it’s also more contained than people fear, because you’re not running your own server that someone can root.

What you’re almost always dealing with is a small piece of unwanted code that got into your storefront, plus whatever door let it in. Close the door, remove the code, and the symptoms stop. Below I’ll walk through how to confirm it’s real, where the bad code actually lives on Shopify, the immediate steps to take, and when it’s worth handing the cleanup to someone who does this for a living.

First: confirm it’s actually your store (not a lookalike)

Before you panic, rule out the cases that look like a hack but aren’t. A surprising number of “my store got hacked” reports turn out to be one of these:

  • A copycat store on a different domain. Scammers sometimes clone a brand’s look on a lookalike URL. If the spammy site isn’t on your myshopify.com domain or your real custom domain, your store may be fine — someone is impersonating you, which is a different (still worth acting on) problem.
  • Something on your own device. A browser extension or malware on your computer or phone can inject redirects that only you see. Test the store in an incognito window and on a second device or network before assuming the store itself is compromised.
  • A misconfigured app or redirect rule. A redirect app, a URL redirect you set up in Online Store → Navigation, or a marketing tool gone wrong can send traffic somewhere unexpected without any “hack” at all.
  • A DNS or domain issue. If you recently moved your domain, an old or wrong DNS record can point visitors at the wrong place. That’s a registrar/DNS fix, not a storefront cleanup.

If the bad behaviour shows up in incognito, on someone else’s phone, and on your genuine Shopify domain, then yes — treat it as a real storefront compromise and keep reading.

Why most “hacked Shopify” advice online is wrong for Shopify

Search “my store got hacked” and almost every result is written for WordPress or a self-hosted site. They tell you to edit your .htaccess file, scan your server with a security plugin, restore from a server backup, or change your hosting password. None of that applies to Shopify. Shopify is fully hosted — you don’t have a server, an .htaccess file, or filesystem access, so there’s nothing there for you to scan or edit.

Following WordPress steps on a Shopify store wastes time and, worse, leaves the real source untouched while you chase files that don’t exist. On Shopify there are really only three places a storefront compromise can come from, and the cleanup happens in each of them — not on a server.

Where the bad code usually lives on Shopify

Because Shopify hosts the platform, a true breach of Shopify’s own servers is rare. A storefront compromise on Shopify almost always traces to one of these three:

  • Injected theme code. The most common one. A snippet of JavaScript or Liquid gets added to your theme — often inside theme.liquid, the header or footer, or a buried snippet file — and it does the redirecting or loads the spam. It usually arrives through pasted “custom code” from an untrusted source, or through access someone shouldn’t have had.
  • A malicious or compromised app. An app with broad permissions can inject code into your storefront. That can be a deliberately bad app, or a legitimate one whose developer got compromised. Apps you installed, trialed, and forgot are the usual suspects.
  • Leaked admin or collaborator access. If someone gets your admin password (reused or phished), or a collaborator or staff account is compromised, they can add the code themselves — no “hacking” required, just a borrowed key.

One reassuring note: your customers’ saved payment details aren’t sitting in your theme. Shopify processes payments on its own secure checkout, which lives on Shopify’s infrastructure, not in your storefront code. A storefront compromise is serious and worth fixing fast — but it doesn’t mean someone walked off with stored card numbers from your theme.

Immediate steps to take right now

If you’ve confirmed it’s a real compromise, work through these in order. The goal is to stop the bleeding and lock the doors before you start the detailed cleanup:

  1. Change your Shopify admin password and turn on two-step (two-factor) authentication if it isn’t already. If the entry point was a leaked login, this is the single most important move — do it first.
  2. Review who has access. In Settings → Users and permissions, check every staff and collaborator account. Remove anyone you don’t recognize or no longer work with, and revoke stray collaborator access.
  3. Audit your installed apps. In Settings → Apps and sales channels, look for anything you don’t recognize or didn’t install. Note the high-permission ones — you’ll dig into these in the next section.
  4. Don’t delete your live theme. Instead, duplicate it so you have an untouched copy to work on and a record of exactly what the bad code looked like. Deleting in a panic can cost you a working store and the evidence of what happened.
  5. Resist the urge to “just reinstall a theme.” If the entry point is still open — a bad app or leaked access — a fresh theme gets re-infected. Close the door first, then clean the code.

How to find injected scripts and spam redirects

This is the part that takes a careful eye. Injected code is usually written to blend in. Here’s how to hunt for it on Shopify, working on a duplicated theme so you never touch the live one:

  1. Start in theme.liquid. Open the theme code editor (Online Store → Themes → Edit code) and read the <head> and the area just before </body>. Redirect and spam scripts love to sit there so they run on every page.
  2. Look for the tell-tale shapes. Be suspicious of <script> tags pointing at a domain you don’t recognize, code that’s obfuscated or base64-encoded into a wall of gibberish, eval() or document.write, or anything that sets window.location to redirect the visitor.
  3. Check snippets, sections, and recently edited files. Bad code often hides in a snippet with an innocent-sounding name. In the code editor, sort or scan for files with a recent “last edited” date that doesn’t match any change you made.
  4. Don’t forget the data, not just the code. Check Settings → Notifications and your theme’s custom scripts/additional-scripts areas, plus any “custom HTML” blocks in the theme editor — injected content sometimes lives in content fields, not template files.
  5. Use your browser’s tools to catch it in the act. Open the store, then right-click → Inspect → Network tab and watch for requests to unfamiliar domains as the page loads or redirects. That often points straight at the offending script.
  6. Remove, then re-test on the copy. Delete the offending code on the duplicated theme, preview it, and confirm the redirect or spam is gone before you ever publish. Keep a note of exactly what you removed.
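The tell-tale shapes from the steps above can be checked mechanically across every file of a theme copy. This is an added example, not Storemend's own tooling: it assumes the duplicated theme's files have been exported to a local folder, and the allowlist, rule names and sample markup are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Script hosts this store expects to load from (assumption: edit per store).
ALLOWED_HOSTS = {"cdn.shopify.com"}
# One pattern per tell-tale shape named in the guide.
RULES = {
    "eval": re.compile(r"\beval\s*\("),
    "document.write": re.compile(r"\bdocument\.write(?:ln)?\s*\("),
    "location-redirect": re.compile(
        r"\b(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=(?!=)"
        r"|\blocation\.(?:replace|assign)\s*\("),
    "base64-decode": re.compile(r"\batob\s*\("),
    "long-encoded-blob": re.compile(r"[A-Za-z0-9+/=]{120,}"),
}
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def scan_text(filename, text, allowed_hosts=ALLOWED_HOSTS):
    """Return (filename, line_no, rule, excerpt) for every suspicious line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        hits = [rule for rule, rx in RULES.items() if rx.search(line)]
        for src in SCRIPT_SRC.findall(line):
            # Liquid values and relative paths have no hostname and are skipped.
            host = urlparse(src).hostname
            if host and host not in allowed_hosts:
                hits.append("unknown-script-host")
        findings += [(filename, no, rule, line.strip()[:100]) for rule in hits]
    return findings


def scan_theme_dir(root, allowed_hosts=ALLOWED_HOSTS):
    """Scan the text files of an exported theme folder (read-only)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in {".liquid", ".js", ".json", ".html"}:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += scan_text(str(path), text, allowed_hosts)
    return findings


# Constructed sample markup, not taken from a real store.
SAMPLE = """<script src="{{ 'theme.js' | asset_url }}" defer></script>
<script src="https://cdn.shopify.com/s/files/app.js"></script>
<script src="//stats.example.invalid/t.js"></script>
<script>window.location = "https://example.invalid/";</script>
<script>eval(atob("Y29uc29sZS5sb2coMSk="));</script>"""
```

Every hit is a lead to read by hand, not a verdict: legitimate apps use some of these constructs too, so compare each one against what you know you installed.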

If reading theme code makes your eyes glaze over, that’s completely normal — this is fiddly work where it’s easy to either miss the real culprit or break the store removing it. That’s exactly the point to hand it over.

Check apps and permissions you don’t recognize

Removing the injected code without closing the entry point just buys you a few hours before it comes back. Apps are one of the two most common doors, so go through them properly:

  • Uninstall anything unfamiliar. In Settings → Apps and sales channels, remove apps you don’t recognize, didn’t install, or no longer use. An app you forgot about a year ago is a classic source.
  • Be wary of apps installed outside the App Store. Apps you can’t find listed in the official Shopify App Store, or that were installed via a custom link, deserve extra scrutiny — that’s a common route for a malicious one.
  • Remember uninstalling doesn’t always clean up. Removing an app from your admin doesn’t always remove the code it injected into your theme. So even after you uninstall the bad app, you still need to find and delete its leftover snippet.
  • Re-check after each removal. If you’re not sure which app is responsible, remove suspects one at a time and re-test the storefront, the same way you’d isolate any app conflict.

Rotate access and close the entry point

The third door — and the one people most often leave open — is access itself. Even after the code is gone and the bad app is removed, you want to be sure no borrowed key still works:

  • Reset the admin password and enable two-step authentication if you haven’t already, and make sure it’s a password you don’t reuse anywhere else.
  • Remove stale staff and collaborator accounts. Anyone who no longer needs access shouldn’t have it. Collaborator access can be revoked from your admin in one click.
  • Ask everyone with access to secure their own accounts too. A compromise can come through a staffer’s phished login, not yours — so the whole team should reset passwords and turn on two-step.
  • Be careful where you paste code in future. Most injected code arrives as a “helpful” snippet from an untrusted tutorial or a stranger offering to “fix” something. If you don’t fully trust the source, don’t paste it into your theme.

If you want a deeper walkthrough of how store access should work — scoped permissions, collaborator requests, and never sharing your password — I wrote a whole guide on whether it’s safe to give a developer access to your Shopify store. Getting access right is the single best way to make sure this doesn’t happen again.

When to bring in a developer to clean it properly

A lot of the steps above you can do yourself, and if you find one obvious script and pull it out, great. Bring in a developer when:

  • The code is obfuscated or scattered across several files and you can’t tell what’s safe to remove.
  • You remove it and the redirect comes back — a sign the real entry point is still open.
  • You’d be editing live theme code on a store that’s actively selling, where one wrong deletion breaks the storefront.
  • Google has flagged your site and you need it genuinely clean before requesting a review.

That’s exactly what my Malware & Spam Script Removal task is for. I find and remove the injected scripts and redirects, track down which app or access let them in, and close that entry point so it doesn’t simply come back. Most cleanups land in the bug-fix range — about 1 to 2 business days from store access — though a heavily compromised store can take longer, and I’ll tell you that up front.

And it’s done safely. All of it happens on a duplicated, unpublished copy of your theme, so your live store keeps selling untouched while I work, and you preview the clean version before anything goes live. I never need your password — just scoped collaborator access that you remove when it’s done — and every change is recorded with how to undo it, the same safety protocol I run on every job. The fix carries a 30-day warranty, so if anything tied to it resurfaces, I make it right.

Store redirecting to spam? Let’s get it clean.

Tell me what you’re seeing in plain English — “my store jumps to some random site on mobile,” say. I’ll scope it honestly before you pay anything, work on a copy of your store so the live one keeps selling, and have you preview before anything publishes. If it turns out to be a copycat or a device issue rather than your store, I’ll tell you straight.

Frequently asked questions

Can a Shopify store actually get hacked?

Shopify hosts the platform, so a true server breach is rare — but your storefront can still be compromised through injected theme code, a malicious or compromised app, or leaked admin/collaborator access. That’s where spam redirects and pages you didn’t create usually come from, and it’s exactly what the Malware & Spam Script Removal task targets.

Why doesn’t the usual hacked-website advice work for Shopify?

Most guides online are written for WordPress and tell you to edit .htaccess or server files — which don’t exist on Shopify. On Shopify the cleanup happens in your theme code, your apps, and your access settings instead, so following WordPress steps wastes time and can miss the real source.

How do you remove malware or spam scripts safely?

I work on a duplicated, unpublished copy of your theme so your live store isn’t disturbed, find and remove the injected scripts and redirects, close the entry point, and have you preview before anything publishes. Every change is recorded with how to undo it, and there’s a 30-day warranty on the fix.

How fast can you clean up a hacked Shopify store?

Most cleanups fall in the bug-fix range — about 1 to 2 business days from store access — though a heavily compromised store can take longer. Tell me what you’re seeing in chat and I’ll scope it honestly before you pay anything.