Clone Detection beginner

How to Protect Your Shopify Store from Being Cloned

Learn how to prevent, detect, and respond to store cloning. Protect your brand, products, and customers from clone site scams.

15 minutes
6 steps
beginner level

Before You Start

  • SecurEcommerce installed
  • Access to your Shopify admin

What Is Store Cloning?

Store cloning is when someone creates a replica of your Shopify store — copying your design, product listings, images, descriptions, and branding — to create a fake store that tricks customers into thinking they are buying from you. These clone sites are a form of online fraud that is growing rapidly across ecommerce.

Clone sites typically operate in one of two ways:

  • Payment theft — The clone accepts payments for products but never ships anything. Customers believe they purchased from your brand and blame you when orders never arrive.
  • Counterfeit sales — The clone sells low-quality knockoff products using your branding and product images. Customers receive inferior goods and associate the bad experience with your brand.

In both cases, you suffer real damage. Your brand reputation takes a hit, your customer trust erodes, you lose sales to the fake site, and you may face support requests from people who never actually bought from you.

The problem is particularly severe for stores with strong branding and social media presence. The more visible and desirable your brand is, the more attractive it becomes as a target for cloners.

How Cloners Steal Your Content

Understanding the cloning process helps you know what to protect and where your vulnerabilities lie.

Automated Scraping

The most common method is automated scraping. Cloners use tools that crawl your entire store and download everything — product images, descriptions, pricing, page layouts, and even your custom CSS. Tools like HTTrack or custom scripts can clone an entire Shopify store in minutes. The scraped content is then uploaded to a different domain, often on a different platform, creating a near-perfect copy.

Manual Copying

Some cloners manually copy your content, especially if they are targeting specific high-value products rather than your entire store. They right-click to save images, copy-paste product descriptions, and screenshot your page layouts to recreate them. This is slower but harder to detect with automated tools because the clone may not be an exact replica.

Source Code Theft

Cloners may also view your store’s source code to copy your theme structure, custom JavaScript, and CSS styling. This lets them replicate not just your content but your store’s look and feel down to the details.

Domain Spoofing

Cloners register domains that are similar to yours — typosquats like “yourstoer.com” instead of “yourstore.com,” or variations using different TLDs like “yourstore.shop” instead of “yourstore.com.” These deceptive domains fool customers, especially when shared through social media ads or phishing emails.

Signs Your Store Has Been Cloned

Watch for these warning signs that suggest your store has been duplicated.

Customer Reports

The most common way store owners discover clones is through customer reports. Customers may:

  • Contact you about an order they placed that you have no record of
  • Send you screenshots of a site that looks like yours but has a different URL
  • Report seeing ads on social media for your products that link to an unfamiliar website
  • Complain about receiving counterfeit products they believe they purchased from you

Take every customer report seriously. Even a single report may indicate a large-scale cloning operation.

Search Engine Discoveries

  • Search for your brand name and unique product names on Google
  • Look for results that point to domains you do not own
  • Search for your product descriptions in quotes to find exact copies
  • Set up Google Alerts for your brand name and key product names to receive automatic notifications

Social Media Monitoring

Cloners often promote their fake stores through social media advertising. Watch for:

  • Ads using your product images on platforms like Facebook and Instagram
  • Social media accounts using your brand name or slight variations
  • Customer comments on your social posts mentioning pricing or promotions you did not offer

SecurEcommerce Alerts

If you have clone detection enabled, SecurEcommerce will alert you when potential clones are discovered. These alerts include the clone’s URL, a risk score, and recommendations for action.

Step 1: Set Up Clone Detection

The foundation of clone protection is detection. The sooner you know about a clone, the faster you can take action.

Enable the Canary Token System

SecurEcommerce’s canary token is an invisible tracker embedded in your store’s code. When someone copies your store, the token is copied along with it. When the clone site is visited, the token sends a signal back to SecurEcommerce, revealing the clone’s URL.

  1. Open SecurEcommerce and navigate to Clone Detection
  2. Click Enable Canary Token
  3. The token is automatically embedded in your store’s code
  4. No changes are visible to your customers

The canary token is one of the most effective clone detection methods because it works passively. You do not need to actively search for clones — they reveal themselves.

Enable Domain Monitoring

SecurEcommerce uses DNSTwist technology to scan for domains that are similar to yours:

  1. In Clone Detection settings, find Domain Monitoring
  2. Click Enable Typosquat Scanning
  3. The system will scan for domain variations including:
    • Typosquats (character swaps, additions, deletions)
    • Homoglyphs (look-alike characters from different alphabets)
    • Different TLDs (.com, .co, .net, .shop, .store, etc.)
    • Prefix and suffix variations (e.g., “shop-yourstore.com”)
  4. Click Save

Configure Alert Settings

Set up how you want to be notified about potential clones:

  1. Go to Alert Settings within Clone Detection
  2. Enable Email Alerts for immediate notifications
  3. Set sensitivity to Medium to start (alerts on likely threats without excessive false positives)
  4. Optionally enable in-app notifications for dashboard visibility
  5. Click Save

For a detailed walkthrough of all clone detection features, see the Enable Clone Detection guide.

Step 2: Deploy Canary Tokens Strategically

While the basic canary token covers your homepage and main pages, you can strengthen detection with additional strategic placement.

Product Page Tokens

  1. In Clone Detection, go to Advanced Token Settings
  2. Enable Product Page Tokens
  3. This embeds unique tokens in individual product pages
  4. If a cloner copies only select products (rather than your entire store), these tokens will still trigger detection

Image-Based Tokens

  1. Enable Image Canary Tokens
  2. This embeds tracking data in your product images
  3. When cloned images are loaded on another site, the token reports back
  4. Effective against cloners who scrape only images and descriptions

Custom Token Placement

For maximum coverage, you can add tokens to specific pages or content areas:

  1. Go to Custom Tokens
  2. Select the pages or sections where you want additional tokens
  3. High-value targets include: your most popular product pages, your about page, and your collections pages
  4. Click Save

Step 3: Enable Content Protection

Making it harder to copy your content in the first place reduces the likelihood of successful cloning.

Prevent Easy Copying

  1. Navigate to Protection > Content Protection
  2. Enable the following features:
    • Right-Click Protection — Prevents right-click context menus that allow “Save Image As” and “View Page Source”
    • Text Selection Protection — Prevents copying product descriptions and other text
    • Image Drag Protection — Prevents dragging images to save them
    • Keyboard Shortcut Protection — Blocks Ctrl+C, Ctrl+U, and other copy-related shortcuts
  3. Click Save

Note: These protections will not stop a determined attacker using developer tools or automated scraping software. They do, however, prevent casual copying and raise the effort required for manual cloning.

Source Code Protection

  1. In Content Protection settings, enable Source Obfuscation
  2. This makes your page source code harder to read and copy
  3. While not unbreakable, it discourages cloners who rely on clean source code to build their replicas

For the complete content protection setup, see the Enable Content Protection guide.

Step 4: Set Up Preventive Monitoring

Beyond reactive detection, proactive monitoring helps you catch clones early.

Google Alerts

Set up Google Alerts for:

  • Your exact brand name
  • Your store URL
  • Unique product names
  • Distinctive phrases from your product descriptions

Google will email you when new content matching these terms appears online.

Periodically run reverse image searches on your most important product images:

  1. Go to Google Images (images.google.com)
  2. Click the camera icon and upload your product image
  3. Review results for unauthorized use on other sites
  4. Do this monthly for your top-selling products

Social Media Monitoring

  • Search for your brand name on Facebook, Instagram, and TikTok
  • Look for ads using your product images
  • Report any unauthorized accounts or ads immediately
  • Ask loyal customers to report suspicious accounts they encounter

Step 5: Respond to Detected Clones

When a clone is detected, acting quickly minimizes the damage. SecurEcommerce provides tools and guidance for each step of the response process.

Assess the Threat

When you receive a clone alert, start by evaluating the severity:

  1. Open the alert in SecurEcommerce to see the clone details
  2. Review the risk score (0-100):
    • 0-30: Low risk — may be a false positive or inactive site
    • 31-60: Medium risk — likely a clone, investigate further
    • 61-80: High risk — active clone, take action
    • 81-100: Critical — active clone with traffic, act immediately
  3. Visit the clone site (using a VPN for safety) to verify it is actually copying your store
  4. Take screenshots and document everything for your records

Collect Evidence

Before taking action, document the clone thoroughly:

  • Screenshot every page of the clone site
  • Record the clone’s URL and any associated domains
  • Note the hosting provider (a WHOIS lookup will reveal this)
  • Save copies of any social media ads linking to the clone
  • Document the date and time of discovery
  • Use the Wayback Machine to check when the clone first appeared

Report to the Hosting Provider

Most hosting providers will take down sites that are clearly infringing on intellectual property:

  1. Identify the clone’s hosting provider through a WHOIS lookup
  2. Find the provider’s abuse reporting page or email
  3. Submit a detailed report including your evidence
  4. Reference your intellectual property rights (trademarks, copyrights)

File a DMCA Takedown

If the hosting provider does not respond or the clone persists:

  1. Prepare a formal DMCA takedown notice
  2. Include: your contact information, identification of the copyrighted work, the infringing URL, a statement of good faith, your signature
  3. Send to the hosting provider and to any search engines indexing the clone
  4. SecurEcommerce provides DMCA templates in the Clone Response section to simplify this process

For a comprehensive guide to the full response process, see the Respond to a Clone Site guide.

Step 6: Strengthen Ongoing Protection

Clone protection is not a one-time setup. Build these practices into your ongoing operations.

Regular Audits

Schedule monthly checks:

  • Review clone detection alerts and dismiss false positives
  • Run reverse image searches on key products
  • Check Google Alerts results
  • Review canary token activity logs
  • Verify all detection features are still active

Update Your Protection

As your store evolves, update your protection accordingly:

  • Add canary tokens to new product pages
  • Update domain monitoring when you register new domains
  • Refresh content protection settings when you redesign your store
  • Review and update your alert sensitivity based on false positive rates

Educate Your Customers

Help your customers identify your real store:

  • Communicate your official URL clearly on social media and packaging
  • Consider using a verified badge or trust seal on your site
  • Encourage customers to bookmark your real URL
  • Include your official URL on invoices, shipping labels, and emails
  • If a clone is actively targeting your customers, post a warning on your social media channels

Protect Your Brand Legally

Strengthen your legal position against cloners:

  • Register your trademark if you have not already
  • Register your brand name across common TLDs (.com, .net, .co, .shop, .store) to prevent typosquatting
  • Consider trademark monitoring services that watch for infringement
  • Keep records of your original content creation dates as proof of ownership

What’s Next

With clone protection in place, continue strengthening your store’s security:

Related Guides

Guide

Enable Clone Detection

Activate clone site detection to know immediately when someone copies your store. Step-by-step setup guide.

Read more Guide

How to Respond When Your Store Is Cloned

Discovered a clone site? Follow this step-by-step guide to document, report, and shut down fake stores.

Read more Guide

Enable Content Protection

Competitors and scrapers are copying your product images and descriptions in seconds. Enable content protection to deter right-click theft and bulk scraping.

Read more

Let SecurEcommerce Handle This For You

This guide works, but it takes time. SecurEcommerce automates security so you can focus on growing your business.

Install SecurEcommerce Free
★★★★★ 5/5 on Shopify 7-day free trial No credit card required