A prospect came to my desk recently with a story that is becoming familiar. They had migrated from WooCommerce to Shopify in August 2023. The traffic dropped almost the moment the new site went live, never recovered, and on top of that, an antivirus tool kept flagging the Shopify storefront as carrying malware. They were eighteen months past the migration, paying full Shopify Plus fees, and watching organic revenue stay flat-lined.
This case is worth writing up because the assumptions both founders and developers carry into a WooCommerce-to-Shopify migration are usually wrong, and those wrong assumptions are exactly what cause the traffic drop and the security flags. The platform did not break this store. The execution did.
The Two Failure Modes Every Migration Hits
Why the Traffic Drops Within Days
WooCommerce stores tend to accumulate URL idiosyncrasies over years. Custom permalink structures, archive pages with their own rankings, blog posts under /shop/news/, category pages with hand-written meta descriptions. By the time a store is mature on WooCommerce, the SEO equity is spread across hundreds of those small decisions, most of which nobody documented.
Shopify imposes its own URL conventions: /products/, /collections/, /pages/, /blogs/. A migration that does not produce a careful, one-to-one redirect map from the old WooCommerce URLs to the new Shopify URLs simply throws that equity in the bin. Google sees a site whose entire URL structure changed overnight and treats most of those URLs as new pages, which means the old rankings reset.
That is what happened to this prospect’s store in August 2023. The migration agency moved the products and the content but did not rebuild the redirects in detail. Within two weeks, organic sessions had collapsed to a fraction of what they were, and the recovery never came because the redirects were never fixed retroactively.
The Redirect Audit I Run on Every Migrated Store
When I am brought into a post-migration recovery, the first three checks I run are the same.
Pull the old WooCommerce URL list from Google Search Console history and crawl it. Every URL that returned 200 on the old site should hit a 301 to a meaningful destination on Shopify, not a 404 and not a redirect to the homepage. Homepage redirects are the single most common mistake. They tell Google the old page is gone and the homepage is unrelated, which is worse than a 404.
Check the canonical tags on the new Shopify product pages. Shopify generates duplicate URLs for the same product when it is in multiple collections (/collections/x/products/y and /products/y). Those need a canonical pointing to the clean /products/ URL or Google indexes the duplicates and the equity splits.
Look at the old internal linking that has now broken. If the WooCommerce blog linked to a category page with hand-written anchor text, that anchor text was carrying SEO value. Shopify migrations almost always strip those links because the importer cannot map them. Restoring those internal links by hand recovers more ranking signal than most agencies expect.
Doing this work eighteen months after the cutover is harder than doing it on day one, but it is not impossible. Most stores I have audited can recover 60 to 80 percent of the lost rankings within four months once the redirect map and canonicals are corrected.
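The first check above, written as an added example that is not part of the original audit tooling: it classifies each crawled legacy URL so homepage redirects, 404s and temporary redirects are separated from clean 301s. The `shop.example` URLs and crawl rows are constructed, and treating 308 as acceptable is an assumption of the example.

```python
from urllib.parse import urljoin, urlsplit

# Constructed crawl output: (old URL, HTTP status, Location header or None).
CRAWL = [
    ("https://shop.example/product/blue-mug/", 301, "/products/blue-mug"),
    ("https://shop.example/product-category/mugs/", 301, "https://shop.example/"),
    ("https://shop.example/shop/news/spring-sale/", 404, None),
    ("https://shop.example/product/red-mug/", 302, "/products/red-mug"),
    ("https://shop.example/product/old-teapot/", 301, "/?ref=migrated"),
]

def classify(old_url, status, location):
    """Return one finding label for a single crawled legacy URL."""
    if status in (404, 410):
        return "missing"
    if status not in (301, 302, 307, 308):
        return "no-redirect"
    if not location:
        return "broken-redirect"
    # Resolve relative Location values against the URL that was requested.
    target = urlsplit(urljoin(old_url, location))
    # A redirect to the site root loses the page-level mapping,
    # even when a query string is appended to disguise it.
    if target.path in ("", "/"):
        return "homepage-redirect"
    if status in (302, 307):
        return "temporary-redirect"
    return "ok"  # 301, or 308 (assumed equally acceptable here)

def audit(rows):
    """Group legacy URLs by finding so the redirect map can be fixed per category."""
    report = {}
    for old_url, status, location in rows:
        report.setdefault(classify(old_url, status, location), []).append(old_url)
    return report

if __name__ == "__main__":
    for finding, urls in audit(CRAWL).items():
        print(finding, len(urls), urls)
```
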
The Malware Flag Nobody Expects
The second part of this case was the antivirus tool flagging the Shopify storefront. The founder’s instinct, which I have heard from a dozen other clients, was that this had to be a false positive. “Shopify is hosted, Shopify can’t have malware.”
That is not how it works. Shopify’s core platform is well-defended. The vulnerable surfaces are everything you bring on top: the theme, the apps, and the JavaScript you inject through Google Tag Manager. Any of those can carry malicious code into a Shopify store, and antivirus tools will rightly flag the store when they detect it.
The most common vectors I see are these.
Themes downloaded from unofficial repositories. Hackers have spent years releasing free or “premium-cracked” versions of popular themes with malicious code embedded in the JavaScript. The theme works perfectly. The malicious payload runs alongside it. Always install themes from the Shopify Theme Store or directly from the theme developer’s official site.
Apps that load third-party scripts you cannot inspect. Some apps inject scripts that pull additional code from external domains at runtime. If that external domain is compromised, your storefront is compromised the moment it loads. Audit the Network tab on a clean browser session and check what every app is loading and from where.
GTM containers with rogue tags. This is the one this prospect’s store hit. Someone with access to the GTM container had injected a script weeks after the migration. The Shopify storefront was clean. The Tag Manager container was the carrier. Antivirus tools that scan client-side execution see this and flag the storefront because that is where the script ends up running.
The Cleanup Order I Would Use
If you are reading this and recognising your own store, here is the order I would work in.
Lock down GTM access first. Rotate the credentials, audit who has been added recently, and review every tag in the container. Pause anything you do not recognise. Re-publish a clean version. Do this before you touch the store itself, because if GTM is the carrier, scrubbing the storefront alone will not fix the antivirus flag.
Reinstall the theme from the official source. Shopify’s developer tools allow you to download a clean copy of any official theme. If you cannot prove the live theme has not been modified, replace it with a fresh install and rebuild the storefront content from the JSON template files. Yes, this is annoying. It is faster than playing whack-a-mole with malicious code embedded in Liquid files.
Audit installed apps and remove anything you do not actively use. Every app is an attack surface. Most stores I audit are running ten or more apps where three are doing the actual work. Remove the rest. The fewer external scripts loading on your storefront, the smaller the malware exposure.
Then, and only then, work on SEO recovery: the redirect audit and canonical fixes I described above. Doing the SEO work before cleaning the security issue is wasted effort because Google will deprioritise a site flagged for malware faster than it will reward a site with clean redirects.
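For the GTM vector and the first cleanup step (review every tag in the container), here is an added example, not code from the original case: it walks a container export and lists Custom HTML tags that reference hosts outside an allowlist. The `containerVersion.tag[]` layout, the allowlist and the sample tags are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Hosts this store expects tags to load code from (assumed allowlist).
ALLOWED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}

# Constructed sample shaped like a GTM container export.
EXPORT = json.loads(r'''
{"containerVersion": {"tag": [
  {"tagId": "3", "name": "GA4 event", "type": "gaawe", "parameter": []},
  {"tagId": "7", "name": "Chat widget", "type": "html", "parameter": [
    {"type": "TEMPLATE", "key": "html",
     "value": "<script src=\"https://www.googletagmanager.com/gtag/js\"></script>"}]},
  {"tagId": "12", "name": "perf-helper", "type": "html", "parameter": [
    {"type": "TEMPLATE", "key": "html",
     "value": "<script>var s=document.createElement('script');s.src='//cdn.unknown-host.example/a.js';document.head.appendChild(s);</script>"}]}
]}}
''')

# Absolute or protocol-relative URLs anywhere in the tag body.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)]+""")

def external_hosts(html):
    """Hosts referenced by URLs inside a Custom HTML tag body."""
    hosts = set()
    for u in URL_RE.findall(html):
        host = urlsplit(u if u.startswith("http") else "https:" + u).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def review_tags(export, allowed):
    """Return (tagId, name, unexpected hosts) for Custom HTML tags needing review."""
    findings = []
    for tag in export["containerVersion"].get("tag", []):
        if tag.get("type") != "html":  # only Custom HTML tags carry free-form script
            continue
        body = "".join(p.get("value", "") for p in tag.get("parameter", [])
                       if p.get("key") == "html")
        unexpected = sorted(external_hosts(body) - allowed)
        if unexpected:
            findings.append((tag["tagId"], tag["name"], unexpected))
    return findings
```

A tag that produces no finding is not cleared by this check: a script can build its URL at runtime, so every Custom HTML tag still needs to be read by someone who knows why it was added.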
What I Tell Founders Considering a Migration in 2026
Migrations from WooCommerce to Shopify are still the right call for plenty of stores. Shopify’s hosted infrastructure, checkout, and tax handling solve real problems WooCommerce stores struggle with at scale. The migration itself is not the issue. The execution almost always is.
Before you sign with a migration agency, get specifics in writing on three things: the redirect map between every old URL and its new destination; the canonical strategy for product pages that exist in multiple collections; and the post-migration security audit, including theme provenance, app inventory, and GTM container review. If the agency cannot give you a clear answer on all three, they will not deliver a migration that holds up six months later.
And if you are already on the wrong side of a migration that did not go well, the recovery is doable. I have walked clients through this several times, and the pattern is consistent enough that I now treat it as a defined service rather than a one-off. If you want to discuss what that recovery would look like for your store, come find me at the next Ecommerce Camp UK. There is usually at least one founder in the room who has just been through it and another who is about to.