The collections/vendors page can be a massive security risk for your Shopify store


I recently discovered an unused URL on a client’s Shopify store, /collections/vendors, which can be a huge security issue. This URL path exists on every Shopify website, takes a query string parameter (?q=), and reflects that value into the page content, overwriting items such as the title and page details.

This URL is supposed to be a “feature” of Shopify and allows you to create customised pages for partners and vendors. But, for a link hacker, it is an opportunity to fill up Google with harmful content under your website.

Here’s how it works:

  1. Hackers create links to your /collections/vendors pages on another website.
  2. Google picks up these links.
  3. Google eventually indexes and displays these links.

How to stop this

If you are not using /collections/vendors, you should block it from your site:

See if your site displays something bad on /collections/vendors. To check this out, go to https://yoursite.com/collections/vendors?q=SOME+HORRIBLE+TEXT.

If you see that query string text on the page or in the source, then you need to do the following:

Add redirects

In the Shopify Admin, go to Online Store > Navigation and then use the View URL Redirects link at the top of the page. Redirect /collections/vendors to /404.

Add robots meta tag

Edit your theme.liquid file. Add the following in the <head> section: 

{%- if request.path == '/collections/vendors' -%}
<meta name="robots" content="noindex">
{%- endif -%}

Create a robots.txt

Optionally, create a custom robots.txt file and add the following code to tell search engines to ignore all /collections/vendors pages. This can be a bit tricky to add, so best to get your Web Developer to do this, as it can have a disastrous effect if done wrong.

{%- comment -%} Place this inside the robots.default_groups for-loop in templates/robots.txt.liquid {%- endcomment -%}
{%- if group.user_agent.value == '*' -%}
  {{ 'Disallow: /collections/vendors*' }}
{%- endif -%}

Protect your templates

Consider editing your collection.liquid and theme.liquid templates so that the page’s <title> element and body content cannot be overwritten by the ?q= value (typically anywhere collection.title is output in the code).
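One concrete way to do this template hardening, as an added example that is not code from the post: a Liquid snippet (hypothetical file name safe-collection-title) that only echoes the requested title when it matches a vendor that actually exists in the store, using the shop.vendors array. It assumes, as the post describes, that on /collections/vendors Shopify fills collection.title from the ?q= parameter.

```liquid
{%- comment -%}
  snippets/safe-collection-title.liquid (hypothetical file name).
  Added example, not code from the post. On /collections/vendors Shopify
  fills collection.title from the ?q= parameter, so printing it raw echoes
  whatever text an attacker linked to. This snippet prints the title only
  when it names a vendor that really exists in the store (shop.vendors);
  otherwise it prints the shop name instead.

  theme.liquid:      <title>{% render 'safe-collection-title' %}</title>
  collection.liquid: <h1>{% render 'safe-collection-title' %}</h1>
{%- endcomment -%}
{%- liquid
  # Default: the normal collection title, or the page title outside collections
  assign title = collection.title | default: page_title

  if request.path == '/collections/vendors'
    assign known_vendor = false
    # shop.vendors lists every vendor name used by a product in the store
    for vendor in shop.vendors
      if vendor == collection.title
        assign known_vendor = true
        break
      endif
    endfor
    # Anything not matching a real vendor is attacker-controlled text: drop it
    unless known_vendor
      assign title = shop.name
    endunless
  endif

  echo title | escape
-%}
```

The robots noindex tag from the earlier step still applies; this snippet only stops the injected text from appearing in the rendered title and heading.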

Check to see if your website has already been a target

Search Google for “site:yourstore.com/collections/vendors” (minus quotes). If it returns a lot of bad URLs, the steps outlined above should help. You can also log into the Google Search Console and request the immediate removal of all links that begin with https://yoursite.com/collections/vendors.
