Your store's SECURITY AND TRAFFIC, is it real or a dream?

8 0 2

I'd love to know how many of you in the last year had an increase in traffic and had their sales drop to zero or never get off the ground?


I own two stores the first is called Spirit Wanderer and the other was called Hello Fashion Forever. Hello is now closed probably forever and it isn't a bad pun. Me and my partner have owned Spirit since Nov 2018 and between December trough to July 2019 we were getting a couple of sales. Of course we were advetising on Facebook, Pinterest, Instagram ect. 


From the end of June to the beginning of July the sales flat lined. We figured that with the summer holiday's people weren't really shopping. At the beginning of July the sessions online, impressions on social media ect just went up like a rocket out of Cape Canaveral going to the moon, GREAT WE THOUGHT,  people are shopping for fall season, back to school or back to work. Of course we spent more in advertising and yet it was all for nothing NO SALES AT ALL.


We started looking at the traffic and our native traffic had been entirely replaced by bots. We have had a load of problems the worst bot invasion are from amazon in one day this month it was  2000+ visits on an empty store with only one page left (home page) and a re direct on the home page to google search. That meant that all the traffic i have been logging has been BOTS OR HACKERS OR SCRAPER BOTS AND I'M SURE THE NEW KIND WORM BOTS. both of the stores suffered major spam and DDOS attacks. I have reported all this to Shopify and apparently for them this isn't a security concern. Well what I also reported to them after proving it is that the "friendly" bot from Google from my records are ALL FAKES !!!! Google bots operate on specific Ip adresses and none of the ones that I have logged, traced and investigated were n the right addresses.


Another thing our stores experienced was code defacement, we knew it from the external audits and report we were getting and we actually watched while Spirit was being destroyed. I saved a lot of theme files and after the first attack the sizes of the ZIP files had grown by 2 megs and change. I reported that and it still wasn't a security issue with Shopify. I'll tell you one thing the so called security package they supply us with has vulnerabilities in both BOOTSTRAP, JQUERY and JAVA. These fails are serious enough that a hacker managed to get in the stores back in July after by-passing my cable modem Firewall, Karine's Macbook Air firewall, going trough Cloudflare and finally trough the Firewall application we have on the site itself. From there he installed a backdoor somewhere where he now enters the store via the head.


People CHECK your customer accounts!! Remember I said earlier that I had an empty store with no human access to it? in that time period there were 5 accounts created by bots. One of the thing Alex (the developer from Shopify who cannot seem to be able to understand what i'm writing) offered me was to set up CAPTCHA well I was ahead of him and there was a captcha on the store. Of the five accounts the worst one was created with the email tlantrip@tkmidwest that has attacked 32 websites as of January 2nd 2020. After some research I came upon an article from the Sucuri site monitoring knowledge lab dated July 2019 that warns of bots being able to inject code to defeat CAPTCHA's. Humm July 2019 coincidance I think not.


If this ring a bell with anyone in the community, not necessarily the specifics but the symptoms get back to me The bot problem isn't new, here is a link to a post from 1983 on the subject. One of person that answered actually sent a solutin to Shopify to alleviate the problem, I have suggested a way to create a code to do the same and nothing has happened on the subject since 1983 to Jan 2020.  


Is seems to me that Shopify isn't in business as a marketing platform, they are more server rental and theme and app sales shop. I do believe there are more than a couple of misrepresentations in their sales packages.    


Ève Brassard for private messages 

Replies 3 (3)
Shopify Partner
39 0 13


Did you ever find any solution to this?


We have a similar issue, and we're getting nowhere with Shopify support. They are just telling me to look for a blocker in the app store, but all the ones I have tried have failed to block the bots before they have accessed the store. So the traffic still appear in our Shopify reports, and our Facebook Pixel is getting messed up and sending us more expensive traffic with lower quality. 

Our revenue plummeted with 40% or so from April to May, most likely related to this, since Facebook used to be our best traffic source.

Shopify Partner
13 0 1

We are on Shopify Plus & where told the same thing 

Fastly with PerimeterX can do it but Shopify will not let them unless your a top 50 store

I see that Sucuri is now offering a system they say works I will try it.

The fact they know the new IP's & Cname come with there own DNS that flatens  to just IP's (so you can use it for the & + whatever else like & if it will not they give your money back)

("Change your Hosting IP to have the value and delete any other Hosting IP your domain may have".)

& have been tested to work makes me feel they are the only choice ( they are good too)

FYI I tried to use My incapula account (no go same with fastly & cloudflare)

Shopify Partner
39 0 13

Hi Blueprint!

I was finally able to fix this myself a few days ago, by using Cloudflare and manually blocking every single ip from the Pinterest bot. And it works, as well as it allows caching of static objects which is something not possible to do in Shopify. This improves speed scores and security as well, and I would highly recommend checking out cloudflare. 

Just be careful with how you set up your DNS, as the proxied one made shopping cart abandonment links from CM Commerce give errors. In our case, all I had to do was change mail.ourdomain from proxied, to bypass.

Even the free plan of Cloudflare alone helped us take care of this issue, and improved our speed.