Have obtained a php data post script which I then ran on our store. Sure enough, there was the customer.
However, after going to Settings -> Checkout -> Accounts are disabled, running the script again did not result in an account being created (because they are disabled).
If you do not want accounts, I would suggest doing that.
We, however, wish to allow customers the option of creating an account, so this solution is not for us.
Since a customer registration is just a form POST to Shopify, it is pretty simple to just disable this POST action. A Spam Bot will thus be unable to submit the form.
When a real customer fills in the form, you can tell they are a real customer by asking them to do a simple test. For example, if they are really human, ask them a question like what is 5+8 in a text box. If they answer 13, you pretty much know it is not a Bot. Or use a Captcha. Whatever. If they pass the human smell test, submit the form to Shopify.
Problem solved. Why the angst? This type of form process has been around pretty much as long as Bots... nothing new here.
For those more curious, the script I used can be found at http://stackoverflow.com/questions/1217824/post-to-another-page-within-a-php-script
All one needs to do is set the url [e.g. http://<yourshopurlhere>/account], and set the $fields array so it contains the values from the sign-up page:
"form_type" => "create_customer", "utf8" => "✓", "customer[first_name]" => "Secret", "customer[last_name]" => "Squirrel", "customer[email]" => "email@example.com", "customer[password]" => "dodgyemailaccounthere"
Then run the script and hey presto! A new customer account has just been created on your store.
There is apparently no referrer checking done anywhere in the account creation, and as far as I can tell, this is something only Shopify can do something about as it is not part of a "theme".
DISCLAIMER: I post this information for education/awareness purposes only.
Bill, the math problem script does not work. I added it to my store and you were still able to register an account without answering the question. I read instructions on how to add this on an old post in this forum. If there is a new way to get this added that will actually work, PLEASE share instructions.
Cole, I absolutely want customers to be able to create an account, so disabling that feature is not an option. I just want them to create the account after the checkout process. What was the script you posted in your last reply? What does it do?
The script demonstrates how the bots are able to create accounts without the use of the account creation page on your (or any other) Shopify site by sending data straight to the post URL. That's why putting captcha, maths problems, etc. on the account signup page is never going to work: the bots bypass it.
Thanks Cole. When I added a math problem to the sign up page, you could still create an account without even answering it, so that didn't work either. I understand what you're saying however. Even if the math problem worked, it still wouldn't stop the bot.
Still waiting for Bill's reply. He seems to have something that will work. Perhaps?
My store has started getting hit through the create account page, about 70 a day so far and building. I don't see how deleting the accounts is going to be a sustainable solution and I certainly don't want to turn off the ability to create an account after checkout. We have heaps of returning customers who appreciate not having to re-enter the details each time they shop with us.
Talking to Shopify support at the moment, let's see what comes of it.
Cole makes a valid point. Anyone can quickly determine where to POST accounts simply through discovering the shop URL. At that point, all bets are off.
So you can turn off customer accounts from that URL. Replace the customer sign-up with one that POSTS to an App instead, allowing/forcing any new account to first flow through the App. The App can then create the customer using the API.
A wee bit of luxury would be a moderation queue built on top of this, allowing the merchant to add customers with a click after checking their account details out.
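A sketch of the app-side gate described in this thread, added here as an example and not code from any poster or from Shopify: the challenge is issued and checked on the server that receives the POST, so a request sent straight to the endpoint without solving it is refused. The field names `challenge_id` and `challenge_answer` and the `create_customer` callback (standing in for the app's customer-creation API call) are assumptions; `customer[email]` is the field name quoted earlier in the thread.

```python
import secrets
import time

TTL_SECONDS = 600   # assumed lifetime of one challenge
PENDING = {}        # challenge_id -> (answer, expires); in-memory for the example only


def issue_challenge(now=None):
    """Called when the sign-up page is rendered. The answer stays on the server."""
    now = time.time() if now is None else now
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    challenge_id = secrets.token_urlsafe(16)
    PENDING[challenge_id] = (str(a + b), now + TTL_SECONDS)
    return challenge_id, f"What is {a}+{b}?"


def handle_signup(form, create_customer, now=None):
    """Called for every sign-up POST; create_customer runs only if the challenge passes."""
    now = time.time() if now is None else now
    # pop(): each challenge id allows exactly one attempt, so a small answer
    # space cannot be brute-forced and a solved challenge cannot be replayed.
    entry = PENDING.pop(form.get("challenge_id", ""), None)
    if entry is None:
        return "rejected: no valid challenge"   # direct POST, replay, or second guess
    answer, expires = entry
    if now > expires:
        return "rejected: challenge expired"
    if str(form.get("challenge_answer", "")).strip() != answer:
        return "rejected: wrong answer"
    email = form.get("customer[email]", "")
    if "@" not in email:
        return "rejected: missing email"
    create_customer(email)                      # hypothetical wrapper around the API call
    return "accepted"


if __name__ == "__main__":
    created = []
    # Constructed sample: a POST sent straight to the endpoint, with no challenge fields.
    print(handle_signup({"customer[email]": "bot@example.com"}, created.append))
    cid, question = issue_challenge()
    print(question, "->", cid)
```

The arithmetic question is the one suggested in the thread; any stronger challenge can be swapped in as long as its verification stays in `handle_signup` and not in the page.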
So every Shopify store should use an app (one which may or may not exist) to circumvent the dodgy customer registration system Shopify currently uses, should they, HunkyBill?
A platform maker is responsible for keeping that platform fit for purpose (which means secure, useable, non-hackable, etc) whether that platform be a desktop operating system, mobile phone operating system, satellite navigation, or eCommerce system (e.g. Shopify, Magento).
Shopify make this platform. They should fix it.
How about this: Shopify change the dodgy customer registration system to at least have some sort of URL validation (so a POST cannot come from just anywhere), implement a two-step system (where, before POSTing the data, another page is shown which contains a captcha that a bot will not be able to solve), or some other non-App system for the benefit of all customers both current and future.
@Cole. I simply provided a solution for aggressive merchants to deal with the problem. I don't speak for Shopify, nor do I care what they should or should not do for merchants.
Please don't confuse my free advice that gets you from A->B regardless of what you think the real solution is, with me wishing anything on anybody.
I am sure if the obvious solution is easy to do, they would do it, and make my approach overkill/dumb.
So chill out man, relax, and don't try and drag me through this mud, as I have nothing to do with it.
I just offer solutions... for free, and lately with the crap I am taking from some people I feel like just walking away from doing this, leaving crickets chirping for all to listen to.