Re: How can I stop a bot from placing abandoned orders on my ecommerce site?

elizaRAFTP · ‎02-07-2024

We have a bot placing abandoned orders in batches of 5 every 9 hours, for over a week. They are adding hidden/locked products they should not have access to with out an approved account/login. They create a customer profile that uses a fake name, email, address and phone number, and it is the same each time even if I delete the customer, they make a new one.

We have tried three different blocker apps and they did not work. We also tried changing product urls, ReCaptcha is enabled--none of this has worked. Shopify support told us there was nothing they could do. We are really worried about whether our store is vulnerable, or our customers information is somehow compromised if this bot has access to the backend of our store.

Can anyone help?

DRIVEAUTO · ‎07-23-2024

They are testing $7.57 and $15.95 on my store. Different names but same Street 10 Apt 2 as well.

404 · ‎07-12-2024

How did you do this?

RolandP · ‎07-10-2024

I have received many signups to my newsletter from the email domain "rtremail.com" which I suspect of being a bot and not a real email address. I've searched online for more information about rtremail and all I keep getting are links about Right to Represent documents from recruiters. Can someone please confirm that I can delete these @rtremail.com subscribers because they are not real?

404 · ‎07-12-2024

I just got off of a Live Chat with @Shopify . I gave them this link as well. This is a REAL issue that shopify needs to get control of. It is not our job to pay for IP blockers. They need to beef up their security on this platform.. This is not a SALES issues, this is Shopify being used for illegal activity outside the scope of us selling things on their platform.

dccheng · ‎08-14-2024

Glad I found this thread because this was driving me crazy. I am getting exactly the same thing here. Only in our abandoned carts, none had any credit card attempts. Talked to Shopify and like everyone else said, they don't seem to care or have any helpful suggestions.

Someone in Reddit r/shopify suggest I get adding Cloudfare. Anyone found a way to block these. No financial damage done so far but just annoying and a little worrisome.

Lbxs · ‎08-30-2024

One of those many attempts on my store was actually successful today. The order went through and now I am not sure what to do. Have been able to fix the problem?

immnul · ‎08-30-2024

cancel the order so you don't get a chargeback

404 · ‎08-30-2024

They targeted a specific item - I just got rid of it - POOF they stopped

If your being targeted you need to simply take away the bullseye. It was a random cheapo listing that I had that didn't sell really anyway.

khalo · ‎09-21-2024

I got rid of the specific item and now it targets another one

CDReiss · ‎11-03-2024

Have you found a solution for this? Because it's killin' me.

I wonder, do you use a separate domain for accounts? Like accounts.ElizaRAFTP.com? I do.

Could that be the issue?

FlameEng · ‎12-02-2024

We are experiencing the same... I'd love to know how to make it stop!

CDReiss · ‎12-02-2024

Do you have an account subdomain? It would be account.(yourstore).com. The
first thing I did was nuke that. If that slows things down but doesn’t stop
them then I will give you a couple of flows that I used.

CD Reiss
*New York Times Bestselling author of contemporary romance.*
www.cdreiss.com

New York Times bestseller Marriage Games at Apple Books
<>
Amazon
<>
Nook
<>
The Submission Series at Apple Books
<>
Amazon <> Nook
<>
The Edge Series at Apple Books
<>
Amazon
<>
Nook
<>
The Corruption Series at Apple Books
<>
Amazon
<>
Nook
<>

houseofsxn · ‎02-02-2025

Still experiencing this in 2025. Only way to make it stop if unlist one of the products being added to the cart or keep it sold out. After about a week the bot stops. Another one will come back weeks later though.

CloudMinion · ‎05-04-2025

Clearly they’ve figured this one out. We’re getting different products and 400 abandoned carts a day.

GarethAJ · ‎02-24-2025

Thank you for raising this. We feel silly not having come to the community before now, and thinking we were alone. For sure Shopify Support made us feel rather alone. Our issue is abandoned carts. Its been happening for about 4 months now. Its a different email address each time, well they do repeat but across a period of time. Some times 1- 2 in a day, other days like today there have been over 40. Mostly an annoying 10 or so - playing havoc with conversion stats and email metrics of flow success and spam rates. I's estimate 98% are undeliverable emails, but some address seem to land in inboxes and accounts remain subscribed for a while. So far never trying to actually purchase. Thanks to this feed we have tonight switch to the new Customer accounts (switching from legacy) and will be looking at a number of Apps. We installed a free version of Cloudflare, not worked. I will be writing to Shopify again tomorrow, as I agree this is not acceptable, and why should we have to pay for solutions to fend off these bots if they have a solutions that they are making available to ShopifyPlus. I'll update on the switch on customer accounts. Thank You

GarethAJ · ‎02-25-2025

I have spend rather a long time chatting with shopify support, they have recommended "Kedra Shield: Website Security. This has the rating for 4.8 stars by 42 Merchants"

I asked how often they recommend this app in a month, "Minimum 20 Merchants and they always have good experience with the app."

This starts to touch on the scale of how many merchants are raising this issue.

I am pushing to ask for the Shopify Plus solution to be released to all - if it indeed does fix the issue.

The App BeSure Checkout Rules came back to us to say "Unfortunately, this is not a feature of this app"

We have also emailed Negate ‑ Bot Protection and [HumanPresence] Shop Protector and waiting to hear.

We will install an App this week and see what happened.

We switched from Legacy to New Customer Account format. Very sad to say its made no difference - still we can offer store credit now , as part of this "new" feature.

15SG · ‎02-25-2025

We have Shopify Plus, have the same problem with Bots (we suspect they are scraping data) and have requested the Bot Prevention feature from Shopify Plus - they refused!

Now we are enquiring with Cloudflare. Apparently Cloudflare offers an upgraded service that will block the bots without the need of captcha. I'll update with our results.

GarethAJ · ‎02-25-2025

Hi. You have Shopify Plus and they Refused !!! We signed up for a free Cloudflare account, but yes .. I think it gives you very little without upgraded service. Please do let us know - I wish you all the best. I'm staggered they will not let you apply the Bot Prevention - what possible reason could they have? Stay well.

GarethAJ · ‎02-25-2025

Update on Apps:

The App BeSure Checkout Rules came back to us to say "Unfortunately, this is not a feature of this app"

The App [HumanPresence] Shop Protector replied to say - "our app doesn’t currently block bots that drive traffic or abandoned carts, but our App can help with:

Protects commonly targeted forms, including Customer Registration, Contact Us, and Newsletter signups on your store.
Protect against bot-generated orders.

So this App say they can help with Bot generated orders, but not bots that create abandoned carts.

I'm also trying to get a handle on these Bots journey through the site. On our Email provider's website (we use Drip) we can see "all activity" and the 1st active of these bots is always "Item checkout updated" normally it would be Visited your website .. Viewed a product

So how are they getting the product into the check out (my naivety no doubt)

If the "sign up to email" is pre-ticked then they are added to the mailing list and start the Welcome Flow, but often the Abandoned cart flow sends an email which is hard bounced and makes the email undeliverable and removes them from the newsletter.

We have checked the "customer" in Shopify - and they have not created an account

However we use Stamped as a reward App - and points are added to these emails for an account created - so I am investigating this too - because the trigger should be when a customer creates and account in Shopify.

eBeeLuv · ‎04-19-2025

the reason who are having issues is these bots are able to completely bypass all pages and directly enter your website via the checkout page. So it doesn't matter what IP blockers are installed, captcha, turning on 3 page checkout, all other security measures as all these apps monitor all the other pages and aren't allowed by Shopify to monitor bots entering directly onto the checkout page. The hackers have gotten way smarter than Shopify and this is a HUGE issue that Shopify continues to dismiss.

GarethAJ · ‎02-28-2025

Update on 28th Feb

The guys from Negate Bot Protection App and Human Prence.io App have been great, really responsive and really interested in the issue.

Both are either looking at ways to assist abandoned carts from BOTS, or perhaps close to having something - but require support from Shopify as access to the Checkout is required.

Things have slowed down since Monday 24th feb, which I think was our worst day since this began in Sept / Oct 2024. The only thing we have changed is switched to the new Shopify Customer Account profile. It most definitely didn't help on Tuesday 25th .. but has been much better. The weekends are often when we are hit - so lets see

Our last action is to try Kedra Shield: Website Security App but I hope the customer account change may negate this

Our BOTS 1st activity seems to be landing directly in the check out with product, they aren't viewing and adding. Using a preloaded checkout link that goes straight to checkout - as advised by Negate Support. They also wondered if the Bots were getting in via the site map and perhaps then heading straight to checkout. But of course we need a Site Map, so not sure if any fix can be found via that.

404 · ‎02-25-2025

I have had ZERO issues since I removed the one item they were using.

khalo · ‎02-25-2025

my new bot (John Doe) orders numerous items

HelenRound · ‎03-21-2025

I get him too. Any luck with blocking him?

GarethAJ · ‎02-25-2025

As below - its numerous designs, numerous sizes (footwear) full price items - just abandoned - they don't appear to try and buy.

eBeeLuv · ‎04-19-2025

the bots will return and pick another item as that is what we did - eventually you'll have to remove all items, how is that going to work?

jwu703 · ‎02-28-2025

Sorry all for late reply, send me an email and I can share what app has been working. Its been a few weeks and app is working steady. We have NO affiliation to this app and just one we found that works. Also as a boost, and not sure if its related, we saw a 20% bump is sales back to how it was before this bot attack

info at fuseaudio d0t net

thanks!

Wildcat7 · ‎03-17-2025

Hi JWU703,

Sent you an email last week. Still dealing with 60 of these per day. Can you please let us know what worked for you?

HelenRound · ‎03-17-2025

Have you managed to resolve this? I am having the same problem and all shopify can suggest is apps... have tried a number of them and they do not work.

eBeeLuv · ‎04-15-2025

Also am having this same issue - the bot tried 2 different cards last night that were denied. Now today the bot continues to test the checkout area. We are told by our security apps that they are not able to scan the checkout page where this bot has direct access to - so no idea IP address, etc originating from. Shopify apps won't stop all these abandoned carts as there has to be a way to stop all this bot activity trying to place fraudulent orders!

Kurtis_Van_Kamp · ‎04-16-2025

go to settings, customer accounts and change your customer accounts to -> customer accounts vs. legacy.

All bots have stopped, and we havnt seen a negative effect on sales.

HelenRound · ‎04-16-2025

Yes, we have done that and sadly we are still having the same problem 😞

eBeeLuv · ‎04-16-2025

So you are stating to change to customer accounts vs. legacy. So then our customers would be emailed a one time passcode to login which sounds like an issue. Currently we have legacy selected. These bots don't seem to be your typical bots as they are able to completely bypass any settings and get into your admin directly from your checkout page.

Kurtis_Van_Kamp · ‎04-16-2025

You are speculating that a one time passcode would be a problem. We turned it on first thing monday morning, and have ZERO bot abandonded checkouts since 5:31 a.m. monday morning. And we have not seen any decreased order volumes either, and we have pretty consistant daily orders. I have personally seen other sites require the passcode in my own personal online activity, and it has not deterred me at all from shopping at a particular website either.

onlineretail_ · ‎04-16-2025

I've had it changed to customer accounts under settings for many months now. It has made no difference. Thousands of the bots are still coming through with fake emails, to the point that I recently received notification that certain email automations have been turned off due to bounce back.

Kurtis_Van_Kamp · ‎04-16-2025

Just stating what we have done and what we have seen in the past 2 days. If you have it on and customers need a passcode, i see no reason why you would still be having issues.

Kurtis_Van_Kamp · ‎04-16-2025

You can always add a honeypot trap as well. I havnt done this yet, but if they start back up on our site, i am certainly going to write one and put it in my theme code

eBeeLuv · ‎04-16-2025

How would I add this to the checkout page - any apps you know of out there??

onlineretail_ · ‎04-22-2025

Its still an issue, because these bots bypass the checkout page altogether. These bots are adding archived products to the abandoned checkout- some products that have not been available for over a year. So far they have created over 12,000 fake accounts on my Klaviyo account. I now filter them out so they don't count against my plan.

lazy3leather · ‎04-17-2025

Hi,
I am reading your reply about the bots. How did you set up a one time
passcode to help with the bots? Would you mind sharing the steps it took to
set that up.
Thank you,
Lucy

eBeeLuv · ‎04-18-2025

This won't help these types of bots that are directly entering the checkout page thus bypassing any and all security measures we try to put in place including an paid apps now available! Shopify prohibits apps from scanning the checkout page; however, Shopify does have an app they have for this very feature which is only used for the highest tier Shopify plan. This is something that should actually be used on ALL shopify plans as these bots are getting out of hand.

The reply I got from Shopify help was also the standard useless points that won't stop these bots that are entering the checkout page directly. So any and all security apps don't even see them enter your site as these apps can't monitor the checkout page.

Now get this, Shopify does have an app that can do this BUT ONLY if you get the highest paid Shopify plan. This is totally unacceptable as security feature like this should be made available for ALL PLANS.

HelenRound · ‎04-18-2025

This seems incredibly unfair to me... anyone else think the same? If
everyone who has this problem responds to this thread it could possibly get
noticed??

Kurtis_Van_Kamp · ‎04-18-2025

We are on day 5. Not a single abandoned checkout so far. Again, as I stated, if we do see them start again, we will setup a honeypot trap which will stop them in their tracks. To create a honeypot trap, you simply create code to embed in your theme that includes a confirmation field. You have that field hidden, bots see it, humans dont. Bots fill out the field with junk as they have not way to know that the field is hidden. In your code, you specify that if the field is filled out, then you dont allow it.

eBeeLuv · ‎04-18-2025

Kurtis, do you mandate that your customers log in before buying (checking out). As enabling "settings, customer accounts and change your customer accounts to -> customer accounts vs. legacy" that mainly deals with customers who enter their acocunts.

The bots that are hitting us don't require any type of login of any type and simply checkout with bogus names, bogus addresses, etc. So I am assuming you require customers to 100% always log in to be able to buy from your store?

Changing from legacy to customer accounts only effects login to customer accounts - our bots are simply arriving directly via the checkout page bypassing any and all security measures.

Not great at coding so the honeypot coding would have to be part of the checkout page coding for it to work. I had read on another forum that these type of checkout bots get right around honey pot coding.

I'll look into it but I'm not a coder so will read more about it.

So I've looked into it and it won't work - I can't access any checkout files to add code to the checkout area. Any honeypot coding anywhere else is useless since the pots aren't visiting any other page(s) - if they were our security would stop them immediately.

onlineretail_ · ‎04-22-2025

Have you tried this "honeypot trap" before?

HelenRound · ‎04-22-2025

We are having the same problem. Here is the most recent reply from Shopify:

Hi Helen,

Trisha here from Shopify!

Thank you for your patience and for sharing your concerns regarding the persistent bot issues affecting your store's abandoned checkouts. It seems that you needed to step away during our previous conversation, and I wanted to follow up to ensure you receive the support you need.

From our conversation, it seems that the challenges you're facing stem from a specific bot exploiting vulnerabilities within the Shopify framework, which has been a concern for many merchants, as you've pointed out. While implementing measures like hCaptcha and monitoring your traffic are steps in the right direction, I appreciate your insight that these often fall short due to the evolving tactics of these bots.

As we discussed, there may not be a single solution to effectively block these bots at this moment. However, it’s important to know that we can explore the workarounds shared in the forums I mentioned. These community-driven insights are invaluable, and while they may not be foolproof, every bit of effort helps us to mitigate the impact.

These are the forums I am looking into:
1. Bot issues with fake abandoned checkouts and potential solution - Shopify Community
2. Re: How can I stop a bot from placing abandoned orders on my ecommerce site? - Page 2 - Shopify Comm...

I want to assure you that Shopify is continually working on strengthening our security measures and improving features to protect all merchants, regardless of their plan. Your feedback is crucial for us as we strive to enhance our platform and provide a secure environment for your business.

Please let me know at your earliest convenience if you still have any questions or issues to address. We want to make sure everything is sorted out for you.

If you have any further questions, we'll be happy to help! For any additional questions or urgent support, please visit https://help.shopify.com/en/questions#/login to access our chat and email support channels.

All the best,
Trisha
Shopify Support Advisor

eBeeLuv · ‎04-22-2025

this is basically a useless reply from Shopify and sounds like it's generic by AI. Shopify is actually clueless what to do as these bots are now entering the checkout area and absolutely no apps are allowed to monitor the checkout page so any and all things that we can do as merchants is useless.

Kurtis_Van_Kamp · ‎04-22-2025

https://youtu.be/ndWeqH6h15U?si=X0kfoTYj0VV0mxnF

This popped up today, looks like the problem is getting noticed

HelenRound · ‎04-25-2025

Spot on.... Shopify is NOT DOING ANYTHING to protect it's smaller members. If you upgrade to Shopify Plus, it stops so they do know how to sort it... why not roll it out across the whole of Shopify?

immnul · ‎04-25-2025

How about putting together a petition and sending it to Shopify leadership?