How To Stop Spam Bot Registration??

Tourist
7 0 1

Stevo, 

First off, THANK YOU for offering this! Bear with me, I'm super duper nervous about editing code myself, so sorry for the sophomore questions.

I'm with you up until - "And Google Recaptcha Tag (and line of code)" - where exactly does that line of code go? Right underneath the code entered at top of page?

And for the final line of code, am I looking within the existing code that looks like what exactly - I've got Parallax if helpful?

And I'm replacing it with the 3rd piece of code you've offered?

Much appreciated again, and sorry for the questions.

0 Likes
Excursionist
30 2 20
Hey Emily,

I haven’t recently worked with that theme but see if this helps:
The first 2 segments of code are scripts; you can put them at the top of the “register.liquid” (best practice is to put them in the header, but it will work just the same).

For the third part, yes, you need to find the input field in the form and will need to leave the classes. If that input already has an ID tag, you will need to replace that tag in the first script you copied where it says “customerSubmit”; if it doesn’t have an ID tag, you’re all good. Make sure you add disabled to the end of that input so the reCaptcha activates when it’s supposed to, and make sure you insert the reCaptcha div above the input.

If you aren’t familiar with HTML, CSS, etc., I don’t recommend doing this yourself. If you do, make sure everything is working properly by creating an account and testing it in different browsers to make sure you haven’t disabled something.

Hope this helps
1 Like
Tourist
7 0 1

Clarity is much appreciated, thank you. 

I created a test store to try this out with a free theme, not working out as the theme doesn't have a customer registration that is easily accessible and I'm just too tired to keep banging this out. Can you recommend a developer I can hire to do this? Or should I just go with whoever Shopify recommends? Thanks again.

0 Likes
Excursionist
30 2 20

I'd be happy to help you solve this. I'm a Shopify partner, you can email me at stevehooddesign@gmail.com. (Shopify's partner backend makes it easy to give developers access to help) It's a relatively quick fix, but I would want to make sure there are no other vulnerabilities elsewhere on your site.

0 Likes
Tourist
8 0 0

Thank you for providing an actual solution to this problem, and for offering it freely. Much appreciated! Do you know what the secret key is for? Do I need to put that somewhere?

0 Likes
Excursionist
31 0 6

Stevo's solution is great if your FORM is being exploited, but my bot is posting directly to the endpoints circumventing the entire thing.  I fail to see how there possibly could be an APP solution to this problem short of deleting the customers from Shopify after the fact.

Shopify needs to clean up this mess natively.

0 Likes
Excursionist
30 2 20

Since I've implemented these countermeasures, I've seen less spam on high traffic sites, and there hasn't been any spam on low traffic sites. But some of my clients are now seeing bots circumvent the form and sign up via Shopify's API. We took the signup page down off the site for a day to see if there were still signups and there were several. It confirmed my suspicions and I think the only real solution to this problem is that Shopify will need to do a better job protecting their APIs from bots. I've seen contact form APIs being exploited as well. A new client came to me because she is getting all sorts of weird messages, but she has no contact form or email address posted anywhere on her website. The emails are usually mentioning things about stock levels and fake order info. Shopify needs to do something to stop this. It is costing my clients money because it increases the email subscribers, thus my clients get charged for having more subscribers on their mailing lists.

We shouldn't have to pay for apps to prevent spam through Shopify's own backend, that is what owners pay Shopify for.

Shopify, please fix this!

2 Likes
Excursionist
31 0 6

It's insane that there's literally NO server-side validation on these endpoints.   

 

All my spam account emails have Russian domains and are posting first and last names that are nothing but random strings of characters (i.e. Mr. XIUWEJKSHJ, ASDJKDJWE).

You can't be serious, Shopify.

0 Likes
Tourist
8 0 0

I installed the captcha and they are still able to register. But I've noticed that the first and last name are always identical. Is there a snippet of code I can add to make it so that the first and last name fields must have different values? Or will the bots be smart enough to get around that?


@StevoHoodDesign wrote:

...We took the signup page down off the site for a day to see if there were still signups and there were several. It confirmed my suspicions and I think the only real solution to this problem is that Shopify will need to do a better job protecting their APIs from bots...

0 Likes
Excursionist
30 2 20
Any additional countermeasures you can take to prevent bots will help to some degree, but, unfortunately, what I’m finding is that Shopify sites are getting more and more bot signups that are not even interacting with the page form. They have somehow figured out a way to bypass the page and go directly to the endpoints or the API and they are inputting submissions there. Shopify hasn’t solved this yet. I’ve been emailing them every day to get updates, but we are kind of at their mercy. Until they make recaptcha a server requirement to sign up, bots will be able to get around it by going directly to the endpoints and inputting data. :/
1 Like
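
Since the thread concludes that page-side checks are skipped when bots post straight to the endpoint, the signs reported above (identical first and last names, names that are random strings of letters, a recurring email TLD) can instead be used to flag accounts for review after the fact. This is an added example, not code from any poster in the thread; the field names `email`, `first_name`, `last_name`, the thresholds and the sample records are assumptions constructed for illustration.

```javascript
// Added example: flag likely bot registrations in an exported customer list.
// All records are constructed sample data, not real accounts.
const SAMPLE_CUSTOMERS = [
  { email: "jane.doe@example.com", first_name: "Jane", last_name: "Doe" },
  { email: "x1@mailbox.example.ru", first_name: "XIUWEJKSHJ", last_name: "ASDJKDJWE" },
  { email: "promo@example.net", first_name: "Promo", last_name: "promo" },
  { email: "anna@shop.example.ru", first_name: "Anna", last_name: "Petrova" },
];

const VOWELS = new Set("aeiouy");

// Longest run of consecutive consonants; keyboard-mash names have long runs.
function longestConsonantRun(name) {
  let best = 0;
  let run = 0;
  for (const ch of name.toLowerCase()) {
    if (/[a-z]/.test(ch) && !VOWELS.has(ch)) {
      run += 1;
      best = Math.max(best, run);
    } else {
      run = 0;
    }
  }
  return best;
}

// Assumed threshold: 6+ characters with 5+ consonants in a row.
function looksRandom(name) {
  const n = (name || "").trim();
  return n.length >= 6 && longestConsonantRun(n) >= 5;
}

function reviewReasons(customer, watchTlds = []) {
  const first = (customer.first_name || "").trim();
  const last = (customer.last_name || "").trim();
  const reasons = [];
  if (first && first.toLowerCase() === last.toLowerCase()) reasons.push("identical_names");
  if (looksRandom(first) || looksRandom(last)) reasons.push("random_name");
  const tld = (customer.email || "").split(".").pop().toLowerCase();
  if (watchTlds.includes(tld)) reasons.push("watched_tld");
  return reasons;
}

// A watched TLD only adds context; it never flags an account by itself.
function flagForReview(customers, watchTlds = []) {
  return customers
    .map((c) => ({ email: c.email, reasons: reviewReasons(c, watchTlds) }))
    .filter((r) => r.reasons.some((x) => x !== "watched_tld"));
}

console.log(flagForReview(SAMPLE_CUSTOMERS, ["ru"]));
```

The output is a review list, not a delete list: unusual but genuine names can trip the consonant-run heuristic, so a person should confirm before any account is removed.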