Plagued by bots aaarrgghh!!

30 0 4

Hi folks

We're being plagued by bots posting customer feedback forms, around 20-30 e-mails per day (mainly from Russia for some reason).

We've now changed our contact form to an app that has recaptcha but think it was too late. 

Any ideas how we can stop these please? Will they just move on eventually?

Many thanks, any advice much appreciated. 

Sarah and Craig :-) 

Shopify Staff (Retired)
Shopify Staff (Retired)
21 0 1

Hey Sarah and Craig,

Alexis here from Shopify Support!

Sorry to hear you're being bothered by all those pesky bots! You definitely went the correct route by changing to an app that has a captcha function.

Built into our platform natively, there is a captcha that kicks in after a certain number of attempts to fill out the form from the same IP address within a short period. Unfortunately this system will not kick in if the attempts are from multiple IPs.

The app you added with the captcha should definitely help but aside from that, I'm afraid there isn't a lot that can be done. If you are much more strict with what traffic you allow to use your forms, you run the risk of blocking legitimate emails from your customers. 

That said, are you receiving bots through the contact form only? Or are you also receiving customer sign ups from bots? These will often show in the Customers tab of your Shopify admin as a bunch of random characters. If you notice many of these, please let us know so we can take a look!

Sometimes when you notice you're receiving a number of fake customer signups, our team is able to track where the traffic is coming from and block those IP addresses so that they no longer pose a problem for you. 

If you wanted to look into this, please let us know, either by replying here or contacting our support team(available 24/7) here.

Let me know if there’s anything else I can do for you and I’d be happy to help.

Warm regards,

Alexis | Shopify Guru

9 0 3

I just learned our USA site has been 'bot attacked' because all the customer records generated were migrated into my Mailchimp account. Following a mailing on Monday, we not surprisingly received a higher number of abuse reports for SPAM than allowed and Mailchimp have now suspended my account and deleted all addresses from my list! I now have 9 customer records from an original list of nearly 2,000.

When I contacted Mailchimp support via 'chat' when I was first alerted there was a warning, they advised the customer records had been created from abandoned carts. I found that odd because the Shopify customer record only had an e-mail address, confirmation the customer 'accepts marketing' and had a tag 'Prospect' and 'Newsletter'. There was also a long random number and letter code but no post mailing address details. 

Today when I contacted Shopify to clarify the origin of the customer records in question (hundreds of them), I was advised they were 'bot' generated. The support person advised me Shopify have recently implemented Captcha so this should not happen again.

Reading the above message, this does not appear to be entirely accurate. The support person I spoke to did not know when Captcha had been implemented but advised it was recently. Is this the case?

All the bot records seem to have been created in July - September 2016 but I have now since deleted them all from Shopify (the details are still in my Mailchimp campaign mailing details and all start with 57).

I think there are three possible ways a bot customer record can be created. A client setting up an account (optional for our store), ticking the box to sign up for our newsletter via the checkout page, or on our Home Page to subscribe to our updates.

How do I know where the bot got in?

I was genuinely surprised there was no protection in place until I looked on the Forums today and I had no idea all these fake accounts were in our store until yesterday. 

I'm also surprised that Mailchimp has no alert system in place to clean this data as it seems reasonably easy to identify the bot generated accounts from these long random number references. In addition if they were all generated from the same IP address this would be another way to identify them.

I am really annoyed my Mailchimp account has been suspended, infact they recently increased the monthly payment due to the increased number of subscribers! How ironic that I am paying a higher subscribers rate for bot generated e-mail addresses migrated from Shopify and then sent out, when I had no idea and I'm the one being penalised with an account suspension! 



19 0 5

Hello Shopify, 


ANY UPDATES? How did you implement a captcha?

4 0 4

Shopify support what has been done to cure this plague in the last 2 years?Screenshot_2019-10-22 1200s com ~ Customers ~ Shopify.png


New Member
16 0 0


You could use Shop Protector app for this. 

There are 2 products, broken up by plan type, for SP (Shop Protector). SP Basic focuses on form spam and fake account creation. 

SP+ has this functionality too but adds the ability to configure rules to protect against bot-based checkouts, customize risk analysis settings, how to handle auto-cancellation, bulk cancellations, and much more coming soon!