First off, THANK YOU for offering this! Bear with me, I'm super duper nervous about editing code myself, so sorry for the sophomore questions.
I'm with you up until - "And Google Recaptcha Tag (and line of code)" - where exactly does that line of code go? Right underneath the code entered at top of page?
And for the final line of code, am I looking within the existing code that looks like what exactly - I've got Parallax if helpful?
And I'm replacing it with the 3rd piece of code you've offered?
Much appreciated again, and sorry for the questions.
Clarity is much appreciated, thank you.
I created a test store to try this out with a free theme, not working out as the theme doesn't have a customer registration that is easily accessible and I'm just too tired to keep banging this out. Can you recommend a developer I can hire to do this? Or should I just go with whoever Shopify recommends? Thanks again.
I'd be happy to help you solve this. I'm a Shopify partner, you can email me at firstname.lastname@example.org. (Shopify's partner backend makes it easy to give developers access to help) It's a relatively quick fix, but I would want to make sure there are no other vulnerabilities elsewhere on your site.
Stevo's solution is great if your FORM is being exploited, but my bot is posting directly to the endpoints circumventing the entire thing. I fail to see how there possibly could be an APP solution to this problem short of deleting the customers from Shopify after the fact.
Shopify needs to clean up this mess natively.
Since I've implemented these countermeasures, I've seen less spam on a high traffic sites, and there hasn't been any spam on low traffic sites. But some of my clients are now seeing bots circumvent the form and signing up via Shopify's API. We took the signup page down off the site for a day to see if there were still signups and there were several. It confirmed my suspicions and I think the only real solution to this problem is that Shopify will need to do a better job protecting their API's from bots. I've seen contact form API's being exploited as well. A new client came to me because she is getting all sorts of weird messages, but she has no contact form or email address posted anywhere on her website. The emails are usually mentioning things about stock levels and fake order info. Shopify needs to do something to stop this. It is costing my clients money because it increases the email subscribers, thus my clients get charged for having more subscribers on their mailing lists.
We shouldn't have to pay for apps to prevent spam through Shopify's own backend, that is what owners pay Shopify for.
Shopify, please fix this!
I installed the captcha and they are still able to register. But I've noticed that the first and last name are always identical. Is there a snippet of code I can add to make it so that the first and last name fields must have different values? Or will the bots be smart enough to get around that?
...We took the signup page down off the site for a day to see if there were still signups and there were several. It confirmed my suspicions and I think the only real solution to this problem is that Shopify will need to do a better job protecting their API's from bots...