You've got that sinking feeling. Someone has placed an order on your Shopify store for $500, and somehow the total has come down to $10. Your first thought: you've been hacked.
You haven't. What actually happened is simpler, and luckily easier to fix. You had a discount code sitting in your Shopify account called "FREE", or something equally easy to guess. Someone at checkout just ... typed it in. And it worked.
No hacking required. No special skills. Just someone having a go.
Why this happens more than you'd think
People who want something for nothing, or are just curious, will try obvious discount codes at checkout. SAVE10. DISCOUNT. WELCOME. And yes, FREE.
It's the online equivalent of trying a door to see if it's unlocked. Most of the time it isn't. But if you've accidentally left the door wide open, in they come.
Shopify makes it very easy to create discount codes, which is great. What it doesn't do is warn you when the code you've created is so logical that anyone can guess it.
Log in to your Shopify Admin and go to Discounts in the left-hand menu. Have a look at what's in there. Ask yourself:
Is this code guessable? Anything generic (FREE, SALE, DISCOUNT, SAVE, VIP, TEST, PROMO, WELCOME10, 50%OFF) is worth reconsidering.
Does it have a usage limit? If there's no limit set, anyone who finds the code can use it as many times as they like. Check the settings and set a cap, e.g. one per person.
Does it have an expiry date? Codes created for a specific promotion and then forgotten are a common culprit. Set an end date, or disable codes that have served their purpose.
Is it 100% off? A code that takes the full price off is the highest-risk scenario. Make sure that's intentional, and if so, that it's locked down tightly with a usage limit, an expiry, and ideally restricted to specific customers or a minimum order value.
Disable it immediately. In Shopify Admin → Discounts, click on the code and set its status to inactive. Done.
If you still need a discount code (for a promotion, for loyal customers, for a freebie offer), recreate it with a better name. Something random and non-obvious works well: SUMMER-K7X2 is a lot harder to guess than SUMMER. Then set a usage limit, set an end date, and consider restricting it to specific customer segments or requiring a minimum spend.
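The checklist and the renaming advice above, as an added example that is not part of the original article: a small Python audit over a list of discount records, plus a generator for codes in the SUMMER-K7X2 style. The record field names and the sample data are constructed assumptions, not Shopify's export or API format.

```python
import re
import secrets

# Generic words from the article's list; extend with your own brand and campaign names.
GUESSABLE_WORDS = {"FREE", "SALE", "DISCOUNT", "SAVE", "VIP", "TEST", "PROMO", "WELCOME", "OFF"}
# Suffix alphabet without look-alikes (0/O, 1/I/L) so codes survive being retyped.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"

# Constructed sample records; field names are assumptions, not Shopify's format.
SAMPLE = [
    {"code": "FREE", "percent_off": 100, "usage_limit": None,
     "once_per_customer": False, "ends_on": None},
    {"code": "WELCOME10", "percent_off": 10, "usage_limit": None,
     "once_per_customer": True, "ends_on": None},
    {"code": "SUMMER-K7X2", "percent_off": 15, "usage_limit": 200,
     "once_per_customer": True, "ends_on": "2026-08-31"},
]

def is_guessable(code):
    """True if nothing but generic words remains once digits and symbols are dropped."""
    words = re.sub(r"[^A-Z]", " ", code.upper()).split()
    return all(word in GUESSABLE_WORDS for word in words)

def audit(discount):
    """Return the article's checklist findings for one discount record."""
    findings = []
    if is_guessable(discount["code"]):
        findings.append("guessable code")
    if discount["usage_limit"] is None and not discount["once_per_customer"]:
        findings.append("no usage limit")
    if discount["ends_on"] is None:
        findings.append("no expiry date")
    if discount["percent_off"] == 100:
        findings.append("100% off")
    return findings

def report(discounts):
    """Map each flagged code to its findings; codes that pass every check are omitted."""
    return {d["code"]: found for d in discounts if (found := audit(d))}

def new_code(prefix, length=4):
    """Campaign prefix plus a random suffix, retried until it passes is_guessable."""
    while True:
        suffix = "".join(secrets.choice(ALPHABET) for _ in range(length))
        code = f"{prefix.upper()}-{suffix}"
        if not is_guessable(code):
            return code

if __name__ == "__main__":
    for code, findings in report(SAMPLE).items():
        print(f"{code}: {', '.join(findings)}")
    print("replacement:", new_code("summer"))
```

A bare campaign name such as SUMMER is only flagged once you add it to GUESSABLE_WORDS, so seed that set with your own product and promotion names before running the audit.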
This is a slightly different problem. If you've got a code like WELCOME10 sitting in an automated welcome email that goes out to every new subscriber, you can't just delete it: real customers are using it legitimately, and they'll have a bad experience if it stops working mid-flow.
Here's how to tighten it up without breaking things for genuine customers.
Step one: limit who can use it
In the discount settings, you can restrict a code so it only applies to customers who are on a specific list, or who meet certain conditions. The most useful one here: set it to apply only to a customer's first or second purchase. Someone who's already bought from you five times with your welcome discount is certainly not a new customer; they've just held onto the code!
In Shopify Admin → Discounts → [your code] → Customer eligibility, you can restrict to specific customer segments. The built-in segment "Customers who haven't purchased" is your friend here.
Step two: set a per-customer usage limit
Even if you don't restrict by segment, you can limit each customer to using the code once. That won't stop different people using it, but it stops one person using it repeatedly.
Go to the discount settings → Usage limits → tick "Limit to one use per customer."
Step three: retire the old code and update your emails
Once you've tightened the rules on the existing code, plan to phase it out properly. Create a new code with a less guessable name. Then update your welcome email sequence to use the new code, and set an expiry date on the old one to give existing subscribers a reasonable window to use it.
Yes, updating the email sequence is a bit of work. But it means your next welcome discount goes to the people it's meant for, not anyone who happens to try it at checkout.
The key principle: a published discount code is always going to be more vulnerable than a private one. The goal isn't perfection; it's making the effort required to abuse it higher than the reward. Usage limits, customer restrictions, and expiry dates all raise that bar significantly.
This gets a little more complicated, and we'd encourage you to check with someone familiar with consumer law in your jurisdiction before acting.
In some cases, a valid discount code applied at checkout creates a legitimate transaction, even if you didn't intend that code to be public. Cancelling the order without care could create a dispute. In other cases, where there's clear evidence of exploitation rather than a genuine customer who received the code legitimately, you have more options.
The short answer: don't just cancel the order without thinking it through first.
✓ Go to Shopify Admin → Discounts right now
✓ Disable any codes that are guessable, unlimited, expired-but-still-active, or that you no longer need
✓ For any code you're creating: set a usage limit, set an expiry date, and make the code itself non-obvious
✓ Tighten usage criteria on any codes that you can't just delete
✓ If you have a suspicious order: don't panic, don't just cancel, get advice first
It's a small thing to fix, but a lot easier to deal with before it becomes a big thing.
Questions about your Shopify discount settings? Drop us a line, we're happy to take a look.