The solution is here.
As I mentioned in earlier posts, we’ve spent weeks battling Shopify’s inability to deal with malicious bot traffic, especially fake add-to-carts and inflated session data. We implemented a third-party WAF to fix it, and after extensive testing, refinement, and real-world usage, that solution is now available to everyone.
It’s called Armex: Block Checkout Bots and it’s now live in the Shopify App Store.
We’ve been running it in production for a while, and I can confidently say: this is the only real, working solution right now for merchants dealing with Shopify’s lack of bot protection.
Install this app and follow the instructions. This is as close to a plug-and-play fix as it gets — and it actually works.
App link: https://apps.shopify.com/bora-ip-blocker-country-block
Yes! Shopify, PLEASE help us. This seems to be growing and it’s really hurting your small business base.
We are being affected by this attack as well with hundreds of abandoned carts a day and no way to stop it. It's harming our domain reputation as they create bogus customer accounts that will receive emails and get our domain blacklisted for spam on bounce rates. It is ruining analytics and statistics, jacking up tracking costs due to erroneous traffic. All types of issues. Shopify PLEASE TAKE ACTION TO STOP THIS!
We are seeing 1,000 of these per day with no viable solution to prevent them
We've been working on a WAF solution and have successfully blocked bots. Now we’re in cleanup mode (all third-party integrations need to be checked and updated if needed, there are still some unknown SEO implications, the URL structure of Shopify nav links needs to be manually updated,…). I need a few more days to finalize this, then I’ll post what I’ve done (to make sure I don’t give anyone wrong directions).
Hey Jan
Please send over those details when you have them!! Are you using Cloudflare as your WAF?
I have raised the issue with the tech team and was told to use apps. I started using flows to slow it down, which doesn't work all the time. I am also using Blockify, which seems to be working for some bot traffic but not others. This is getting annoying. I must constantly check the customer list to remove subscribed spam accounts so we don't ruin our email reputation and deliverability. I don't understand the endgame for this... What is the benefit?
Yeah this is killing us as well. We’ve tried Blockify and other solutions and as you state it is not helping. This is something Shopify has power over, not us or a 3rd party app. We’re having to manually clean our customer lists all the time. Shopify is not lifting a finger other than giving us the runaround to more apps that “aren’t allowed to do much when it relates to carts creating accounts”. This is more than frustrating as it’s killing our marketing and analytics which are pretty much dead in the water. Sending Emails risks making it worse and advertising our Shopify site feels like a waste of money.
Someone else mentioned consulting a lawyer and I’m starting to think this is reaching that level at this point. How can they not take their customers' marketing ability (which they pride themselves on) more seriously than low level support runarounds sending us to 3rd party apps?
Update: I identified most all variations that the bot uses to create bunk accounts in Shopify. Since it is at a deeper level, I cannot prevent new accounts but I added flows to identify the patterns and delete the account automatically. This also works, most of the time, for unsubscribing the accounts in our email list. It's important to make sure you are not sending emails to these fake accounts because it will mess with your deliverability and reputation.
1. Flow 1 - Start when: Customer Created; Step 2 - Check if: Customer first name is empty or Address is empty or customer last name is empty; Step 3 - Do this: Delete Customer.
2. Flow 2 - Start When: Customer Created; Step 2 - Check if: Customer first name is empty; Step 3 - Do this - Delete Customer
These do a similar thing. It is meant to catch what the first does not get. We require new customers to input a First and Last name or at a minimum an initial.
3. Flow 3 - Start When: Customer Created; Step 2 - Check if: Address is equal to "House Number 43. Gray Colony;" Step 3- Delete Customer
4. Flow 4 - Duplicate of Flow 3
5. Flow 5 - Start When: Customer Created; Step 2 - Check if: Address is equal to "23, Scottsdate, Happytown;" Step 3 - Delete Customer
I run redundancy because sometimes while one flow is working it could miss accounts, so this setup catches 99.9% and deletes them. I don't need to do much now in Shopify. I just cannot trust our numbers. In addition to this we were able to segment my customers list and run flows on accounts that fit the spam bot criteria. I wiped out nearly 50,000 accounts.
Thanks so much for the Flows. I'm getting an error in the Customer Created trigger (for 2 of the 3 Flows I set up) that says, "Exception: Failed to query data for subsequent steps? Missing resource for customer." Any idea what this means, how to fix, or is it normal? It appears to be preventing the Flow from running. Thanks in advance jeff@gfJules.com
I get that error occasionally. As long as it completes on some, that means it’s working. If it never completes, you’ll want to check your configuration to make sure it’s correct. I have had to modify flows to get them firing properly.
Thanks. So 'Completed' is more indicative than the '1 error,' which just might mean it didn't come up with any results in that particular run? I don't know about you, but I created a flow just for > Location String (or whatever they call it) = Bellevue, WA United States AND '0 Orders.' That seems to be 90% of my bots. Zero orders in an ecommerce platform should be a dead giveaway, right, or am I missing something? Thanks again for your help!
You're right, but you need to remove the comma between Bellevue and WA. It only finds exact matches. It's not smart enough to omit the comma.
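The Flow conditions from the posts above (empty name or address, the two quoted address strings, and the Bellevue location with zero orders), combined into one dry-run classifier that reports which rule matched instead of deleting. This is an added example, not code from any poster or from Shopify; the record fields and sample customers are constructed, and the punctuation-insensitive comparison goes beyond Flow's exact matching.

```javascript
// Added example. The record shape (email, firstName, lastName, address,
// location, ordersCount) is hypothetical, not a Shopify API object.

// Address and location strings exactly as quoted in the thread.
const BOT_ADDRESSES = [
  'House Number 43. Gray Colony;',
  '23, Scottsdate, Happytown;',
];
const BOT_LOCATION = 'Bellevue WA United States';

// True for null, undefined, empty or whitespace-only values.
function isBlank(value) {
  return String(value ?? '').trim() === '';
}

// Lower-case, replace punctuation with spaces, collapse whitespace, so that
// "Bellevue, WA" and "Bellevue WA" compare equal. Unicode-aware, so
// non-ASCII letters in real names and addresses are preserved.
function normalize(value) {
  return String(value ?? '')
    .toLowerCase()
    .replace(/[^\p{L}\p{N}\s]/gu, ' ')
    .replace(/\s+/g, ' ')
    .trim();
}

// One entry per Flow described in the thread.
const RULES = [
  { id: 'missing-name-or-address',
    test: c => isBlank(c.firstName) || isBlank(c.lastName) || isBlank(c.address) },
  { id: 'known-bot-address',
    test: c => BOT_ADDRESSES.some(a => normalize(a) === normalize(c.address)) },
  { id: 'bellevue-zero-orders',
    test: c => normalize(c.location) === normalize(BOT_LOCATION) &&
               Number(c.ordersCount) === 0 },
];

// Dry run: report the matching rules so records can be tagged and reviewed
// before anything is deleted.
function classifyCustomer(customer) {
  const matched = RULES.filter(r => r.test(customer)).map(r => r.id);
  return { email: customer.email, isBot: matched.length > 0, matched };
}

function classifyAll(customers) {
  return customers.map(classifyCustomer);
}

// Constructed sample records for illustration only.
const SAMPLE_CUSTOMERS = [
  { email: 'a@example.test', firstName: '', lastName: '', address: '',
    location: '', ordersCount: 0 },
  { email: 'b@example.test', firstName: 'Pat', lastName: 'Lee',
    address: 'House Number 43, Gray Colony',
    location: 'Springfield IL United States', ordersCount: 0 },
  { email: 'c@example.test', firstName: 'Sam', lastName: 'R',
    address: '1 Main St', location: 'Bellevue, WA United States', ordersCount: 0 },
  { email: 'd@example.test', firstName: 'Sam', lastName: 'R',
    address: '1 Main St', location: 'Bellevue, WA United States', ordersCount: 2 },
  { email: 'e@example.test', firstName: 'Élodie', lastName: 'Ng',
    address: '9 Rue Test', location: 'Lyon France', ordersCount: 0 },
];

console.log(classifyAll(SAMPLE_CUSTOMERS));
```

The fourth record shows why the location rule is paired with zero orders: a real buyer in the same city is left alone.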
That’s a solid first step — I did the exact same thing in the beginning using Arigato Automations and Shopify Flow.
The next (and important) step is to push a custom “bot” metric into Klaviyo (or whatever email platform you’re using) and create a segment of those profiles. Be sure to exclude this segment from all automated flows. The reason is that the sync delay between Shopify/Arigato/Flow automation and Shopify-to-Klaviyo can still cause bot profiles to be pushed into your email lists. This is critical because maintaining your email sending reputation is key — if it drops, you’ll need to re-warm your list, which is a slow and painful process.
Now, if you’re running ads (Search, Shopping, etc.), make sure the data feeding into your ad platforms is also clean. This gets tricky, especially if you’re using Shopify’s Google & YouTube app. Since fake profiles still get created and your session count stays high while conversion rate drops, that low-quality data feeds into Google Ads. PMAx (Performance Max) then starts to assume your campaigns are underperforming and scales down your reach — making it hard to scale spend even if you want to.
One workaround is to switch to manual shopping campaigns and build your targeting around SEO-style keyword segmentation. Just be careful not to scale campaigns too aggressively — aim for no more than 25–30% increases at a time, with enough pause between changes to avoid triggering a fresh learning phase in Google Ads.
Finally, when syncing product feeds from Shopify to Google, I recommend using a first-party data tool as your primary source — especially since GA4 is likely inaccurate in this scenario too.
How did you do this?
---
The next (and important) step is to push a custom “bot” metric into Klaviyo (or whatever email platform you’re using) and create a segment of those profiles. Be sure to exclude this segment from all automated flows. The reason is that the sync delay between Shopify/Arigato/Flow automation and Shopify-to-Klaviyo can still cause bot profiles to be pushed into your email lists. This is critical because maintaining your email sending reputation is key — if it drops, you’ll need to re-warm your list, which is a slow and painful process.
Now, if you’re running ads (Search, Shopping, etc.), make sure the data feeding into your ad platforms is also clean. This gets tricky, especially if you’re using Shopify’s Google & YouTube app. Since fake profiles still get created and your session count stays high while conversion rate drops, that low-quality data feeds into Google Ads. PMAx (Performance Max) then starts to assume your campaigns are underperforming and scales down your reach — making it hard to scale spend even if you want to.
The Klaviyo metric you can push with Shopify Flow.
The ads data is trickier and takes a bit. Remove the Google & YouTube app (it sucks anyways), instead set up GTM (server-side is best) and serve GA and ads tags with that. Doing so you can filter out bot traffic (not all but most).
You need to set your own triggers. Best I could recommend is time spent on site. Set this to 3 sec for example (most bots are under a second) and check that the visiting browser is not headless or flagged.
Here are some JS variable examples that you could work off of in your GTM:
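BotUserAgentBlock

    // GTM Custom JavaScript variable: true when the user agent looks like a
    // normal browser, false when it contains a known automation keyword.
    function() {
      var ua = navigator.userAgent.toLowerCase();
      var knownBots = ['puppeteer', 'phantomjs', 'headless', 'python-requests', 'scrapy', 'curl', 'wget'];
      return !knownBots.some(function(bot) {
        return ua.indexOf(bot) !== -1;
      });
    }

ReferrerCheck

    // GTM Custom JavaScript variable: false when the referrer is empty or
    // contains one of the patterns below, true otherwise.
    function() {
      var ref = document.referrer;
      if (!ref) return false; // no referrer at all is treated as suspicious
      var suspiciousPatterns = ['/?', '://localhost', '127.0.0.1'];
      return !suspiciousPatterns.some(function(p) {
        return ref.indexOf(p) !== -1;
      });
    }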
And add a simple bot blocker app that allows you to block by IP and ASN. I can get you with the list to block once you have that 😉
Thanks for this, we offer our entire product catalog on Google Merchant Center. Deleting the app will kill the listings, I think. That is not something that we are comfortable with. Couldn't we just keep it running and still filter the bad traffic?
Of course, before removing the Google app, you’ll need to create a new feed to Merchant Center — in my experience, simprosys is one of the best tools for that. Super flexible and gives you way more control over what gets pushed to Google.
For now (until a proper firewall solution is live), you could run a sort of hybrid setup:
That said, this isn’t a long-term solution — Google is rolling out an update that will force gtag firing through the app no matter what. So this hybrid model buys you time but eventually you’ll want to fully migrate GA and Ads tracking out of the native app and into GTM (ideally server-side).
Just to be clear: this is a hands-on workaround, not a clean fix. It’ll take a second to set up, and you need to be careful — keep a close eye on the GA and Ads data to make sure everything tracks properly and nothing breaks.
It would be great if Shopify could just block whatever is doing this...
I just noted this enhanced measurement thing was activated the day our problems started. You can see how haywire the data got after that. I assume it's a coincidence, but I wonder if this is really necessary...
@JanVeroti! Thanks for your advice so far, v. glad I came across this community thread as I'm having the same bot issues as everyone else on here, been driving me crazy. I'll give the Armex app a go, hopefully it helps so cheers for that.
You mentioned that the Shopify Google & Youtube app sucks – an Upworker we are working with just installed this on our Shopify store for us to try to fix our Google Ads / GA4 conversion tracking issues (we had loads of problems with GTM tags stopping working, and double conversion tracking from a stray tag) – they recommended it as the most durable and accurate solution for Google Ads tracking. What makes you say the Google and Youtube app sucks? Do you think there is a better alternative given we've had plenty of problems with GTM?
Thanks!
Reposting the same in this thread so people here can read as well (if they don't follow the other thread):
That’s a solid first step — I did the exact same thing in the beginning using Arigato Automations and Shopify Flow.
The next (and important) step is to push a custom “bot” metric into Klaviyo (or whatever email platform you’re using) and create a segment of those profiles. Be sure to exclude this segment from all automated flows. The reason is that the sync delay between Shopify/Arigato/Flow automation and Shopify-to-Klaviyo can still cause bot profiles to be pushed into your email lists. This is critical because maintaining your email sending reputation is key — if it drops, you’ll need to re-warm your list, which is a slow and painful process.
Now, if you’re running ads (Search, Shopping, etc.), make sure the data feeding into your ad platforms is also clean. This gets tricky, especially if you’re using Shopify’s Google & YouTube app. Since fake profiles still get created and your session count stays high while conversion rate drops, that low-quality data feeds into Google Ads. PMAx (Performance Max) then starts to assume your campaigns are underperforming and scales down your reach — making it hard to scale spend even if you want to.
One workaround is to switch to manual shopping campaigns and build your targeting around SEO-style keyword segmentation. Just be careful not to scale campaigns too aggressively — aim for no more than 25–30% increases at a time, with enough pause between changes to avoid triggering a fresh learning phase in Google Ads.
Finally, when syncing product feeds from Shopify to Google, I recommend using a first-party data tool as your primary source — especially since GA4 is likely inaccurate in this scenario too.
Hi there! I'm trying so hard to create a flow but it is not working. I even asked Shopify Help Center and they weren't able to make it. I can't use the "Customer Created" because when a bot creates a customer it doesn't have an address, so I was using "Customer abandons checkout" but still no success. Can you provide a screenshot, please?
Here is the Flow we created to delete the bot info from Shopify. If you are trying to work with Klaviyo, they grab the info before Shopify can get it deleted. It does take a minute or two for the Flow to catch on, but when it does, it deletes the info.
*The "Add Customer Tag" field is redundant as the info will ultimately be deleted, so the tag means nothing. I just have never taken it out. 🙂 I called this Flow "No Touchie" for a reason... lol
We are also suffering from this attack, with more than 500 abandoned orders every day. We contacted customer service, and their reply is always that they have seen this problem and have reported it. They are completely irresponsible.
Also having this issue and same advice from Shopify to install some apps.
Having the same issue. Has everyone given up on Shopify producing a fix?
Not given up yet, but damn p*ssed at Shopify for not fixing this. We’re still dead in the water on our Shopify based .com. If there was ever a reason they would lose the support of their core base, this is it. 😡
What problem could be worse than killing their customers ability to market? And how is this not solvable for the hosting provider (Shopify)?
@CloudMinion wrote: What problem could be worse than killing their customers ability to market? And how is this not solvable for the hosting provider (Shopify)?
Kill their customers CUSTOMERS ability to even access the merchants website at all platform wide for millions of stores.
Economic disaster and tanking stock that's what's worse.
Re-reads OP description of the bot behavior. It's only going to get more sophisticated.
Sooo, I've been overthinking and having too much coffee...
We’ve all been battling these weird bot sessions — fake add-to-cart events, bloated analytics, spammy user profiles flooding customer accounts. And what does Shopify do? Nothing. Multiple reports, escalations, even external white-hat security teams can’t get their attention.
But guess what Shopify is focused on?
Their “new customer accounts” system — the one no one asked for.
So here’s the tinfoil-hat theory:
What if all this chaos is designed to force adoption of Shopify’s new customer accounts?
Think about it:
Not saying this is happening. Just saying, if one were to try to sunset a legacy system no one wants to give up, creating instability around it would be one way to do it...
@JanVeroti wrote: And the only “solution” Shopify might eventually support? Yep, new accounts.
And I am 1000% certain this is happening on the "new customer account" stores too. I'm using new customer accounts because of the tight integration for store credit in checkout. And my loyalty app supports store credit in checkout.
So hate to say it, but this does not appear to be related to new customer accounts.
You're probably right. Checkout is the same regardless of account types. As I said, too much coffee and too many hours spent trying to fix this.
Thanks for submitting this thread, I hope it gets more attention. We are getting 1000's of bots per day. Like you said this is ruining our analytics & our email platform. I am now concerned about our google ads & will definitely be looking into that.
We have only been actively trying to fight this for a few days now & we have already spent so much time on it. We have some bandages like the Shopify flows but this doesn't solve our problem.
Shopify needs to fix this.
We ended up installing Armex: Block Checkout Bots, the app mentioned below. It seems to work pretty great with only the stray few bots coming through every once in a while.
We have had the same issue on 2 Shopify Plus stores since Q4. This has also caused a huge spike in Klaviyo fees for us due to the large amounts of profiles being created on a daily basis.
If you're interested, here is the Klaviyo flow I just created to help with the profiles being created.
Trigger : Started Checkout
Split: is on our primary email list? --> NO
Split: Has been active on site ever? ---> NO
Split: Has browsed products ever? --> NO
Split: First name is set? --> NO
Split: Last name is set --> NO
Add to Bots list
Then I have a segment I keep suppressing --> in Bots & can receive marketing (not suppressed)
Hope this helps someone
Jan,
Thank you for initiating this thread! I cannot believe that Shopify is legitimately going out of their way to allow this to continue to happen. There are two already available solutions that they could just... oh, you know, TURN ON or change the parameters for us.
If you are a Shopify Plus user you have to DIRECTLY ask them to turn on the Bot Protection. Pro: IT ACTUALLY WORKS! Con: You can only turn it on for 60 minutes at a time. So, you will have to schedule it out every. day.
An easy second solution: allow apps to be embedded at the checkpoint or cart level. Which they do not allow currently.
In summation: Shopify you have the ability to help your customers and keep them happy and significantly LESS frustrated. You choose not to. Thanks for your great CX/UX.
Thanks for this. Shopify have now enabled this setting for us. No idea why they didn't suggest this when I first reached out?
Do you use the hCaptcha or reCAPTCHA method?
I have spent months and countless wasted hours with them trying to figure out a solution and not once did they suggest we turn it on. I had a guy live in our admin and checking our other settings and not once did they suggest it to me either. I had to straight out ask for it to be turned on. This leads me to believe they do not want us to know about this.
We are currently using the reCAPTCHA since hCAPTCHA "comes with" the site (admin settings). Though I see it nowhere live on our actual website nor has it had any positive impact for us. Also, one of the things I've read over the last few months said that re is better than h.... ? So I went with that.
I use reCaptcha and it does not stop the bots. I also use the email confirmation when signing up- that isn't stopping it either!
SO FRUSTRATING!!!!!
We're a Shopify Plus user and we've been waiting for Shopify to turn on their Bot Protection now for the last 2.5 weeks. They keep pushing other apps at us without any fix. Knowing that it's Shopify causing this helps. We also use Cloudflare and installed their WAF and it cut the attacks in half but we still have about 500 per day getting through.
It is strange that it is taking them so long to turn it on. Maybe it's me being a conspiracy theorist, but that leads me to further believe that they are actually aware of how massive of a problem this is and that they. don't. care.
I was in the chat box of the Help Center Assistant and asked there. They did it live while I was waiting. Only took about two minutes. Make sure you are direct about it. I definitely spent too much time dancing around it and not straight out asking. "I am a Shopify Plus member and would like for you to turn on the Shopify provided Bot Protection for my store(s)." You will see it in Settings. Ours is between Customer Accounts and Shipping and Delivery.
I finally got it turned on by saying that we've held off running sales until it's activated. It was turned on in about one minute. The support person also kept mixing up Spam Protection with the Bot Protection. So I have a test run scheduled. I also added the suggested Flow options. We'll see which one works better.
Stupid question: is "Bot Protection" option only available to plus merchants?
I built an n8n workflow that kills off 99% of the bot profiles in Klaviyo, but it would be SO MUCH BETTER if Shopify just solved this at the source.
Is there a secret handshake or passcode that you used to get a Shopify rep to not tell you to "hire a dev" or install an app?
Yeah, you need to be a plus account holder.
But Armex Firewall offers a WAF tool.
https://apps.shopify.com/bora-ip-blocker-country-block
They have a "lite" version you can test for 7 days.
Not going to mess with WAF.
My "right now" solution is brute-force:
1. filter in Klaviyo for any profile without a first name (and not in the "back in stock" flow) - these profiles trigger a flow that deletes all profiles without a name set via webhook;
2. filter in Klaviyo for has name set, then either checkout started or added to cart, or added to list without a form completion, and other bot spammy tricks -- then these profiles get sent to my n8n VPS for filtering and a script I had GPT build for me -- then these profiles (ifBot) get deleted via API.
This is catching most of the bots... still refining the filters.
And yes, this is whack-a-mole.
But since I built the n8n server, I can easily edit the script.
Shopify really should just solve this.
Water is wet?