

Solved

Shopify Bot Exploit – Add-to-Cart Abuse Is Corrupting Analytics & Shopify Refuses to Act at Platform

JanVeroti
Shopify Partner
22 1 121
As a Shopify Plus merchant, I want to publicly raise a serious and increasingly widespread security issue impacting our storefront — and many others across the platform.
 
A new, highly persistent bot is exploiting a loophole in Shopify’s backend architecture to generate massive volumes of add-to-cart activity. These bots are hitting both storefront routes (corrupting analytics) and backend endpoints (submitting cart requests), making them especially damaging.
 
Key characteristics of this exploit:
  • Uses over 18,000 rotating IPs, making IP blocking ineffective
  • Mimics common browser user agents and request headers, appearing identical to real users
  • Reaches storefront pages, skewing sessions, bounce rates, conversion rates, and marketing attribution
  • Then exploits Shopify’s architecture to bypass front-end logic and spam cart activity at scale
The result? Corrupted analytics, inflated ad spend, polluted customer insights, and disrupted merchandising ops.
 
Third-party app providers have confirmed they cannot stop this bot — because apps operate after the request hits Shopify’s infrastructure. The only viable solution is enforcement at the Cloudflare WAF level, where Shopify — and only Shopify — has control.
 
Despite detailed escalations and cooperation from third-party providers, Shopify has refused to intervene, instead pointing merchants to app-based solutions that are technically incapable of solving the problem. This is not a store-specific issue — it’s a platform-wide security oversight that Shopify is currently choosing not to address.
 
If this continues, Shopify risks exposure for knowingly allowing preventable harm to merchants — and a collective legal challenge for negligence may become the only path forward for those suffering operational and financial damage.
 
We urge Shopify’s infrastructure and security teams to take responsibility and deploy WAF-level mitigations immediately.
 
Merchants affected by this issue — feel free to comment or connect. We’re stronger together.
Accepted Solution (1)

JanVeroti
Shopify Partner
22 1 121

This is an accepted solution.

The solution is here.


As I mentioned in earlier posts, we’ve spent weeks battling Shopify’s inability to deal with malicious bot traffic, especially fake add-to-carts and inflated session data. We implemented a third-party WAF to fix it, and after extensive testing, refinement, and real-world usage, that solution is now available to everyone.

 

It’s called Armex: Block Checkout Bots and it’s now live in the Shopify App Store.

We’ve been running it in production for a while, and I can confidently say: this is the only real, working solution right now for merchants dealing with Shopify’s lack of bot protection.

 

  • Blocks bots before they hit your checkout
  • Cleans up your analytics & ad performance
  • No more fake profiles and messed up Klaviyo data
  • No more fake sessions inflating data
  • Easy setup, no coding - just follow instructions

Install this app and follow the instructions. This is as close to a plug-and-play fix as it gets — and it actually works.

 

App link: https://apps.shopify.com/bora-ip-blocker-country-block


Replies 72 (72)
A_at_HHN
Tourist
8 0 6

Make sure that you have a trial period prior to paying for an app. I have tried two and we cannot embed them into our cart page. They mostly are for forms. Shopify limits what you can amend in the cart pages... 

 

I also have a flow created to delete all customers that abandoned a cart, subscribe for marketing and do not have both names filled in. This is to delete the info from our customer list in Shopify. It is very much helping that portion. However, if you use a "3rd party" marketing company like Klaviyo, they bill you per "profile" or customer and not by how many emails you send out per month. Klaviyo is funded by Shopify to work directly with them (we were going to switch to them but cannot afford 25k profiles). The flow will delete bad customer info out of Shopify just fine for us but Klaviyo picks up the info before the flow does and as such we have over 25k profiles in Klaviyo. 


JeremyRoberts
Excursionist
28 0 24

@JanVeroti I installed Armex: Block Checkout Bots and unfortunately, my domain and DNS is on Cloudflare.
But -- I enabled the Armex Extension - and first impression is - SERIOUSLY?  There has not been a single bot profile added to Klaviyo since the Extension was activated. I am monitoring closely.
WHAT DID YOU BUILD?

In a prior discussion about WAF, it led me to believe WAF would interfere with so much...
But apparently not in this case?

I opened a ticket with app support to follow up on Cloudflare.
This is very very very interesting!!!!

JeremyRoberts
Excursionist
28 0 24

@JanVeroti the reason I said "I want to avoid WAF" is because in the other thread, you said:

Hi. Yes, I’ve been working with a third-party team on a custom setup to deal with this.

 

The solution we’ve integrated is essentially an O2O (origin-to-origin) CDN-layer addition that sits in front of Shopify — similar in concept to how Cloudflare works. Our WAF (Web Application Firewall) runs on Akamai and is specifically designed for bot mitigation. Since implementing it, we haven’t had a single bot-related issue.

 

That said, it’s important to understand the trade-offs. Once you adopt this type of solution, you can’t run another CDN in parallel — which means you lose out on services like asset delivery optimization, page speed boosts, DDoS protection, etc. So your site must be cleanly coded and optimized to pass Core Web Vitals without the help of a traditional CDN before going down this path.

 

There are some SEO considerations too. Since the checkout domain becomes custom (via DNS), clicking back to the site from checkout keeps the checkout. subdomain in the URL — which has on-site SEO implications. A fix via Checkout Extensibility is in the works, but for now, you can patch it by replacing the native logo with a custom image link, adjusting your robots.txt, and using proper rel attributes.

 

Also worth noting: since the WAF performs deep bot detection (evaluating IP, ASN, ISP, headers, device info, etc.), you might occasionally hit a frontend verification check if you’re doing lots of refreshes while working on the site. It’s not messy, just something to be aware of.

I’d love to share the contact info for the company behind this, but they’ve asked me not to for now. They’re planning to launch a Shopify app soon (mostly a UI for DNS onboarding + traffic reporting). I’ll update here when I get the green light to share more.

 

And I WANT the Shopify CDN and all the benefits from asset delivery optimization, page speed boosts, etc...
IS THIS APP doing this?

 

Barry_Berhoff
Excursionist
13 0 17

Thanks for posting on this a bunch.  I wanted to clarify what you wrote.

 

You initially wrote that you used Cloudflare and were setting that up to solve the issue, now you are posting about Armex: Block Checkout Bots.

Why the change?
Are you connected to this app?
What does this app actually do?

CloudMinion
Excursionist
22 0 34

Yes, I’m a bit confused as well.

Peter27
Visitor
2 0 7

Does it look like a phishing post? Proposing a problem > Resonating with Shopify merchants troubled by it > Attracting attention with follow-up posts > Saying they are trying to solve this problem > Having a solution > The ultimate goal is to get you to download their recommended paid plugin. I even wondered if these companies that charge for plugins are the culprits behind Shopify being attacked in this way, with the ultimate goal of selling plugins

 

RPetit
Excursionist
11 0 16
I would agree but this has been happening for years…
JeremyRoberts
Excursionist
28 0 24

No.

Thomas_Basinger
Excursionist
15 0 4

We've been dealing with this issue as well and have reached out to Shopify Plus support multiple times. The "Bot Protection" with Shopify Plus doesn't seem to stop the bots. It's weird you have to contact Shopify to have this enabled even AFTER updating our plan to Shopify Plus. Support acknowledged the issue was impacting merchants across the platform and is being tracked by Shopify's internal product and engineering teams. According to Plus support, they are investigating broader solutions at the platform level. They also stated it is Shopify's responsibility to protect the checkout and cart layers because these are hosted by Shopify.

 

WHY hasn't Shopify resolved this issue?! They know it is a problem for merchants and yet all they can do is recommend downloading a third party app that will NOT resolve the issue. This is unacceptable. 

Steve_Holmquist
Tourist
6 0 1

I should mention that the Shopify "Bot Protection" will NOT resolve the issue.

It only runs for 60 minutes and you have to schedule the time when it does run.

 

We use cloudflare with our domain, so the full WAF offered by Armex doesn't work for us.

BUT, the lite version helps.

Added to that is the WAF that cloudflare offers, which does help.

Both together have dramatically cut the garbage from hitting our site.

I also added a FLOW that removes the customer accounts when it matches the address of the biggest offender.

That FLOW has stopped the junk from filling up our mailing lists.

Yes, it's sad that Shopify hasn't fixed the hole in their API, but with both of these solutions our sessions and traffic numbers are back to normal.

 

Steve

JanVeroti
Shopify Partner
22 1 121

Hi everyone

 

I’ve been following the discussion around the Armex firewall and bot-related cart abuse, and I wanted to offer a clear and consolidated response for everyone asking what the firewall does—and doesn’t do.

 

What Armex Firewall Does:

  • Acts as a Web Application Firewall (WAF) – It filters and blocks malicious or suspicious traffic before it reaches your Shopify storefront. This includes bot activity, known threat signatures, and other abuse vectors.
  • IP and Geo-based Filtering – It allows you to block or challenge traffic based on IP address, location, or request pattern - helpful for dealing with spam, fake carting, or scraping.
  • Reduces Bloat for Downstream Apps – By filtering out junk requests early, it helps lighten the load on your third-party tools (like analytics and chat) and prevents skewed reporting.

What Armex Firewall Does Not Do:

  • It’s not a replacement for Shopify’s CDN – Shopify already uses a robust global CDN to deliver site assets. Armex doesn’t handle asset delivery - it’s focused on traffic filtering at the request layer.
  • It won’t fix app-level issues – If you’re dealing with logic bugs, improper tracking setups, or app misuse, a firewall won’t help. That requires fixing the code or the app configuration itself.
  • It doesn’t work passively – You need to actively configure DNS routing through the firewall. If you’re not ready to manage that layer, results will be limited.
  • It won’t magically clean up analytics – It can stop new bad data from coming in, but it won’t fix past noise or cover every case, especially when bots behave like users at the JS level.

A Quick Note on Questions:

 

I appreciate the interest and engagement here, but I want to be honest - answering every individual post isn’t practical for me, especially when some of the questions show a lack of understanding around how CDNs, DNS, Shopify architecture, and third party apps work together.

 

If you’re new to these systems, I recommend taking time to understand how Shopify’s frontend stack operates and how external firewalls like Armex integrate into that flow.

 

To summarize:

 

  • Armex can be a powerful tool for merchants who understand how to implement and manage it.
  • It’s not a "one click" solution, and it doesn’t replace fundamentals like proper tracking setup, UX best practices, or app performance tuning.
  • If you’re clear on your traffic flows, DNS setup, and Shopify behavior, you’ll likely benefit from the added control and visibility.

Happy to provide guidance at a higher level if folks need help connecting the dots, but I do ask that we keep the conversation grounded in how these systems actually work together. That’ll help everyone get the most value.

PaulNewton
Shopify Partner
8031 688 1649

@JanVeroti what is your, "Shopify Plus merchant's", association to the app being pushed?



JanVeroti
Shopify Partner
22 1 121

Hi @PaulNewton

 

Honestly, I was expecting that question a while ago - so thank you for finally asking.

I have zero affiliation with the app being discussed.
I’m not connected to the vendor in any way, and I’m certainly not promoting it for personal gain.

I’m a senior Shopify developer with over a decade of experience in web development, specializing in performance, infrastructure, and technical SEO. Currently, I serve as CTO for a U.S.-based Shopify Plus brand, where I oversee all things related to frontend architecture, app integration, and scalable infrastructure.
My feedback here comes purely from hands-on implementation experience and a focus on what actually works in high-traffic, production environments.

No agenda - just sharing insights from the trenches.

kartik95
Visitor
2 0 3

We are dealing with the same issue on our storefront. The bot attacks you described have been constant and have seriously damaged both our analytics and operations.

We ended up using Armex as a workaround. It stopped the bot activity, but it created new problems. Our site became noticeably slower. We experienced server downtimes. In some cases, Chrome users could not access the site at all because of the firewall blocking real traffic.

The root issue remains unsolved. Only Shopify can fix this at the infrastructure level using Cloudflare WAF. App-based solutions do not work because they only act after the requests hit Shopify’s backend.

We fully support your call for Shopify to take responsibility and solve this. We would also stand behind legal action if that is what it takes. This has caused major disruptions to our business, and it affects far more merchants than just us.

If others are experiencing this, we are happy to connect. It is clear this cannot be ignored any longer.

CloudMinion
Excursionist
22 0 34
We’d love to take actions to get them to fix this properly. I wonder if
Armex could help notify all their users that have this problem as a way to
more quickly get others on board?
CloudMinion
Excursionist
22 0 34

@JanVeroti @kartik95 We’d love to join any actions to get Shopify to fix this properly. I wonder if Armex could help notify all their users with this problem, as a way to more quickly get others on board with group action? If they won’t listen to our endless pleas to tech support not sure what else will get them to take this seriously. This is on them.

Earthmelody
Visitor
1 0 1

Second legal action against Shopify if this is still not fixed. It has caused issues with mine too!

 

Thomas_Basinger
Excursionist
15 0 4

Why can't I find the app if I search for "Armex: Block Checkout Bots" in the Shopify app store? I've tried following your link and selecting install, but it says the site can't be reached. How can we install the app? Also, how does the app calculate access checks per month?

kartik95
Visitor
2 0 3

Their app isn't listed publicly on the app store. You can reach out to the support of their main app, they're very responsive and helpful with setup.

BenKapow
Visitor
2 0 0

Hey JanVeroti! Thanks for your advice so far, v. glad I came across this community thread as I'm having the same bot issues as everyone else on here, been driving me crazy. I'll give the Armex app a go, hopefully it helps so cheers for that.


You mentioned that the Shopify Google & YouTube app sucks – an Upworker we are working with just installed this on our Shopify store for us to try to fix our Google Ads / GA4 conversion tracking issues (we had loads of problems with GTM tags stopping working, and double conversion tracking from a stray tag) – 

they recommended it as the most durable and accurate solution for Google Ads tracking. What makes you say the Google and YouTube app sucks? Do you think there is a better alternative given we've had plenty of problems with GTM?

 

Thanks!

RPetit
Excursionist
11 0 16

I installed and configured Armex, how long should it take to cleanse our Google data? It's been nearly 3 months of these. Our ads performance is definitely compromised. 

PaulNewton
Shopify Partner
8031 688 1649

For anyone dealing with this have you established if the bots are :

  • actually interacting with the page, triggering analytics events etc
  • loading the frontend, but using the ajax api to actually interact with the cart
  • or possibly abusing the newer MCP storefront API, which also has cart functionality etc. (lets LLMs like ChatGPT access store data on the frontend)

 

  • Mimics common browser user agents and request headers, appearing identical to real users
  • Reaches storefront pages, skewing sessions, bounce rates, conversion rates, and marketing attribution
  • Then exploits Shopify’s architecture to bypass front-end logic and spam cart activity at scale

 

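The triage @PaulNewton asks for above, as an added example that is not from this thread, from Shopify, or from any app it discusses: a Python script that runs over constructed request-log lines and separates clients that browse and add to cart like a browser from clients that post straight to the cart endpoints without ever loading a page (the Ajax/API pattern the original post describes). Merchants do not get Shopify's origin logs, so the point is the discriminators, to be applied to whatever request-level logs you can get from a CDN or WAF in front of the store. Only /cart/add.js (Shopify's Ajax Cart API route) and /cart/add (the form-post route) are real Shopify paths; the IPs, User-Agents, the /cdn/shop/ asset path, the referers and the log format are assumptions made up for the example. Bots that execute the page's JavaScript and fire analytics events (Paul's first case) cannot be seen in server logs, so fetching theme assets is used as a rough proxy for "a browser actually rendered the page"; the MCP storefront route is not modelled because its paths are not given in the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real traffic). Format assumed for the example:
#   ip "METHOD path HTTP/x" status "referer" "user-agent"
# /cart/add.js and /cart/add are Shopify's Ajax and form-post cart routes; the
# product, collection and /cdn/shop/ asset paths, IPs and User-Agents are made up.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"
BOT_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1"
SAMPLE_LOG = f'''\
203.0.113.10 "GET /products/blue-shirt HTTP/1.1" 200 "https://shop.example/collections/all" "{BROWSER_UA}"
203.0.113.10 "GET /cdn/shop/t/1/assets/theme.js HTTP/1.1" 200 "https://shop.example/products/blue-shirt" "{BROWSER_UA}"
203.0.113.10 "POST /cart/add.js HTTP/1.1" 200 "https://shop.example/products/blue-shirt" "{BROWSER_UA}"
198.51.100.7 "POST /cart/add.js HTTP/1.1" 200 "" "{BOT_UA}"
198.51.100.8 "POST /cart/add.js HTTP/1.1" 200 "" "{BOT_UA}"
198.51.100.9 "POST /cart/add HTTP/1.1" 302 "" "{BOT_UA}"
192.0.2.44 "GET /products/red-hat HTTP/1.1" 200 "" "{BOT_UA}"
192.0.2.44 "POST /cart/add.js HTTP/1.1" 200 "" "{BOT_UA}"
192.0.2.45 "GET /collections/all HTTP/1.1" 200 "https://www.google.com/" "{BROWSER_UA}"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CART_ADD_PATHS = {"/cart/add.js", "/cart/add"}
# Theme assets a real browser fetches after parsing the HTML. Checked only after the
# cart paths, because /cart/add.js would otherwise match the .js suffix.
ASSET_RE = re.compile(r"\.(js|css|png|jpe?g|webp|svg|woff2?)(\?|$)")


@dataclass
class Client:
    ua: str = ""
    hits: int = 0
    page_views: int = 0          # GETs of HTML routes (products, collections, ...)
    asset_loads: int = 0         # JS/CSS/image fetches: proxy for "page was rendered"
    cart_adds: int = 0           # POSTs to /cart/add(.js)
    cart_adds_no_referer: int = 0


def parse(lines):
    """Yield parsed log records; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def profile_clients(lines):
    """Aggregate per-IP behaviour. Per-IP is the natural first cut; see
    rotating_pool_signatures() for why it is not sufficient on its own."""
    clients = defaultdict(Client)
    for r in parse(lines):
        c = clients[r["ip"]]
        c.ua = r["ua"]
        c.hits += 1
        path = r["path"].split("?", 1)[0]
        if path in CART_ADD_PATHS:
            c.cart_adds += 1
            if not r["referer"]:
                c.cart_adds_no_referer += 1
        elif ASSET_RE.search(path):
            c.asset_loads += 1
        elif r["method"] == "GET":
            c.page_views += 1
    return clients


def classify(c):
    """Map a client profile to one of the patterns discussed in the thread."""
    if c.cart_adds == 0:
        return "browse-only"
    if c.page_views == 0:
        return "api-only-cart-abuse"     # never loaded a page: direct Ajax/API cart posts
    if c.asset_loads == 0:
        return "page-fetch-no-render"    # fetched HTML but no theme assets: script, not a browser
    return "browser-like"                # page, assets, then cart add with a referer


def summarize(lines):
    """Return {pattern: sorted list of client IPs}."""
    by_class = defaultdict(list)
    for ip, c in profile_clients(lines).items():
        by_class[classify(c)].append(ip)
    return {k: sorted(v) for k, v in by_class.items()}


def rotating_pool_signatures(lines, min_ips=3):
    """One User-Agent spread across many low-volume api-only IPs is the rotating
    address pool the original post describes: a per-IP block list never catches
    up, but a rule keyed on behaviour (cart add with no page view) still applies."""
    ips_per_ua = defaultdict(set)
    for ip, c in profile_clients(lines).items():
        if classify(c) == "api-only-cart-abuse":
            ips_per_ua[c.ua].add(ip)
    return {ua: len(ips) for ua, ips in ips_per_ua.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for pattern, ips in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{pattern:24} {', '.join(ips)}")
    for ua, n in rotating_pool_signatures(SAMPLE_LOG.splitlines()).items():
        print(f"api-only pool: {n} IPs sharing UA {ua!r}")
```

The useful outcome is not the per-IP list (which is exactly what rotation defeats) but the behavioural split: a request to /cart/add(.js) from a client that has never fetched a product page is something a real shopper's browser does not produce, so it is a condition a WAF or CDN rule in front of the store can act on regardless of how many source addresses the bot cycles through.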